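# At this time, while this script is trivial, we ignore any parameters given.
# However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" to trigger the generation of the
# output files.

# Directory that receives the extracted trust bundles.
DEST=/etc/ca-certificates/extracted

# Prevent p11-kit from reading user configuration files, so the system-wide
# output does not depend on the configuration of the invoking account.
# Assignment and export are kept separate for portability across sh variants.
P11_KIT_NO_USER_CONFIG=1
export P11_KIT_NO_USER_CONFIG

# Run one `trust extract`; the extraction steps further down all go through
# this wrapper.
# Arguments: the extraction options followed by the output path.
# Returns:   the exit status of trust.
# --overwrite is always passed, so an output that already exists is replaced.
# NOTE(review): no caller visible in this script checks the returned status, so
# a failed extraction does not stop the later steps - confirm this is intended.
extract() {
    trust extract --overwrite "$@"
}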
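# PEM bundles of CA anchors, one file per trust purpose (TLS server
# authentication, e-mail, code signing). Paths are quoted so that a changed
# $DEST cannot be word-split or glob-expanded.
extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth \
    "$DEST/tls-ca-bundle.pem"
extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email \
    "$DEST/email-ca-bundle.pem"
extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing \
    "$DEST/objsign-ca-bundle.pem"

## OpenSSL PEM bundle that includes trust flags
# Uses --filter=certificates and no --purpose, so unlike the bundles above it
# is not restricted to CA anchors for a single purpose.
# NOTE(review): consumers presumably have to honour the embedded trust flags
# instead of treating every entry as a trusted root - confirm against trust(1).
extract --comment --format=openssl-bundle --filter=certificates \
    "$DEST/ca-bundle.trust.crt"

## TianoCore EDK II bundle
# Limited to anchors trusted for TLS server authentication.
extract --format=edk2-cacerts --filter=ca-anchors --purpose=server-auth \
    "$DEST/edk2-cacerts.bin"

## Java keystore
# Written under /etc/ssl/certs/java rather than $DEST; also limited to anchors
# trusted for TLS server authentication.
extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth \
    /etc/ssl/certs/java/cacerts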
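## OpenSSL-style directory with individual PEM files and hash links
# The directory-format extractors remove all files in the target directory, but not directories or files therein
extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth \
    "$DEST/cadir"

# We don't want to have to remove everything from the certs directory but neither
# do we want to leave stale certs around, so only place symlinks in the real cadir
for f in "$DEST"/cadir/*; do
    # An unmatched glob stays literal when cadir is empty or missing (for
    # example after a failed extraction). Skip anything that does not resolve:
    # linking it would only create a dangling entry that the cleanup below
    # deletes again.
    [ -e "$f" ] || continue
    # -s symbolic, -r relative target, -t destination directory.
    # -f replaces an existing entry of the same name in /etc/ssl/certs, so a
    # locally placed file that collides with an extracted name is overwritten.
    ln -fsr -t /etc/ssl/certs "$f"
done

# Now find and remove all broken symlinks
# With -L find follows symlinks, so -type l only matches links whose target
# cannot be resolved, i.e. certificates that are no longer in cadir.
# NOTE(review): there is no name filter, so every dangling link directly in
# /etc/ssl/certs is removed, whoever created it; regular files placed there by
# hand are left alone and are not managed by this script.
find -L /etc/ssl/certs -maxdepth 1 -type l -delete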