diff --git a/.editorconfig b/.editorconfig
index bb53136..bb85cd0 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -9,4 +9,12 @@ indent_size = 4
 end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
-insert_final_newline = true
\ No newline at end of file
+insert_final_newline = true
+
+[debian/rules]
+indent_style = tab
+[Makefile]
+indent_style = tab
+
+[debian/source/format]
+insert_final_newline = false
diff --git a/.gitignore b/.gitignore
index 064bcd8..38c8360 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,11 @@
 *.pkg.tar.*
 *.pem
+*.deb
+*.changes
+*.buildinfo
+debian/*/
+debian/debhelper-build-stamp
+debian/ca-certificates-st.substvars
+debian/files
+pkg
+src
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..9fc796e
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,18 @@
+INSTALL:=install
+SHELL:=/bin/bash
+.SHELLFLAGS:=-eu -o pipefail -c
+.ONESHELL:
+
+%:
+ echo Making step $@
+
+build:
+ ./release_pkg.sh
+
+install: $(wildcard certs/*.pem) $(wildcard certs/secureboot/*.pem)
+ ${INSTALL} -d ${DESTDIR}/usr/share/ca-certificates
+ ls -la ${DESTDIR}/usr/share/ca-certificates
+ @for cert in $^ ; do
+ newname=$$(basename $$cert)
+ ${INSTALL} $$cert ${DESTDIR}/usr/share/ca-certificates/$${newname%.*}.crt
+ @done
diff --git a/PKGBUILD b/PKGBUILD
index 79aaa4b..1423650 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,14 +6,14 @@ arch=('any')
 license=('Propiertary')
 groups=()
 depends=('ca-certificates')
-makedepends=('vault' 'openssl')
+makedepends=('bao' 'openssl' 'jq')
 source=('release_pkg.sh')
-sha256sums=('4abceb71722ad6dab69107a362e5f4d5dc173881b70eb9d2486f390f51b7a623')
+sha256sums=('SKIP')
 build() {
- ./release_pkg.sh ca
+ ./release_pkg.sh
 }
 package() {
 ls -l
 mkdir -p "$pkgdir/usr/share/ca-certificates/trust-source/anchors/"
- install -t "$pkgdir/usr/share/ca-certificates/trust-source/anchors/" *.pem
+ install -t "$pkgdir/usr/share/ca-certificates/trust-source/" certs/*.pem
 }
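Review bot: In the `install` recipe the certificate files are copied with `${INSTALL} $$cert ...` and no `-m`, so GNU install gives each `.crt` the default mode 0755; `${INSTALL} -m 0644 $$cert ${DESTDIR}/usr/share/ca-certificates/$${newname%.*}.crt` is the conventional mode for trust-store files. `build` and `install` are command targets but there is no `.PHONY: build install`, so a file of either name in the tree would make them appear up to date, and the `ls -la` line reads like debugging output left in the install path. Dropping `.crt` files into `/usr/share/ca-certificates` does not by itself activate them on Debian — they have to be enabled in `/etc/ca-certificates.conf` or by an equivalent hook, and I cannot see a postinst in this commit, so that is worth confirming. Note also that the `codeSigning`-only certificates from `certs/secureboot/` land in the same directory as the TLS CAs; the OpenSSL aux-trust restriction written by `release_pkg.sh` is not understood by every consumer of the resulting bundle, so other TLS stacks may treat the secureboot CA as a full TLS anchor.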
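Review bot: `package()` still runs `mkdir -p "$pkgdir/usr/share/ca-certificates/trust-source/anchors/"` although the `install -t` line now targets `trust-source/`, so the package ships an empty `anchors/` directory that nothing populates; `install -Dm644 -t "$pkgdir/usr/share/ca-certificates/trust-source/" certs/*.pem` creates the right directory and drops the stale mkdir. Without `-m`, `install` also leaves the `.pem` files with mode 0755. Only `certs/*.pem` is packaged while the Makefile's `install` target in this commit also picks up `certs/secureboot/*.pem`; if the Arch package is meant to omit the secureboot CA that is reasonable, but a comment saying so would help. `sha256sums=('SKIP')` turns off integrity checking of `release_pkg.sh`; for a file tracked in the same repository that is common practice, but it removes the only pin on the script that fetches the trust anchors.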
diff --git a/build.pkg b/build.pkg
new file mode 100755
index 0000000..3dedced
--- /dev/null
+++ b/build.pkg
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -eu -o pipefail
+podmanrun() {
+ podman run --pull=newer --rm -t -e VAULT_ADDR=http://vault.home.internal --secret=VAULT_TOKEN,type=env --userns keep-id:uid=1000,gid=1000 -v .:/src/build -w /src/build "$1" "/src/build/build_$2.sh"
+}
+
+podmanrun "gitea.sebastian-tobie.de/docker/debian:bookworm" "debian"
+podmanrun "gitea.sebastian-tobie.de/docker/archlinux" "archlinux"
diff --git a/build_archlinux.sh b/build_archlinux.sh
new file mode 100644
index 0000000..b4aa319
--- /dev/null
+++ b/build_archlinux.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -eu -o pipefail
+makepkg -s --needed --noconfirm
+mkdir -p packages
+cp ../*.pkg.* packages
diff --git a/build_debian.sh b/build_debian.sh
new file mode 100755
index 0000000..a6e7c47
--- /dev/null
+++ b/build_debian.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -eu -o pipefail
+sudo apt update
+sudo mk-build-deps -iBrt 'apt -o Debug::pkgProblemResolver=yes --no-install-recommends -y'
+git config --global --add safe.directory /src
+DEBEMAIL=build@$(hostname) gbp dch
+gbp buildpackage '--diff-ignore=.*' --no-sign
+mkdir -p packages
+cp ../*.deb packages
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..b5a8664
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,7 @@
+ca-certificates-st (1.0-1) unstable; urgency=medium
+
+ [ Sebastian Tobie ]
+ * Initial release.
+ * arch package build working
+
+ -- root Sat, 03 May 2025 20:48:30 +0000
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..b1bd38b
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+13
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..2824a37
--- /dev/null
+++ b/debian/control
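Review bot: `podmanrun` passes `-e VAULT_ADDR=http://vault.home.internal` together with `--secret=VAULT_TOKEN,type=env`, so every `bao` call that `release_pkg.sh` makes inside the container sends the token and the CA material over unencrypted HTTP; an `https://` address, with the server's CA available in the image, keeps the token off the wire in the clear. The images are pulled by tag with `--pull=newer`, so the build environment silently changes whenever the registry tag moves; pinning by digest (`image@sha256:<digest>`) would make the package builds reproducible and auditable. `--userns keep-id:uid=1000,gid=1000` hard-codes the host uid, so if another user runs this script the bind-mounted tree is owned by a different id inside the container.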
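Review bot: The file is added with mode 100644, but `build.pkg` in this commit executes it directly as `"/src/build/build_$2.sh"`, so podman will fail with a permission error before `makepkg` runs; it should be committed as 100755 like `build_debian.sh`, or the caller should invoke it through `bash`. The last line, `cp ../*.pkg.* packages`, looks for the package in the parent directory, but `makepkg` writes it into the build directory unless `PKGDEST` is set (the `*.pkg.tar.*` entry at the top of `.gitignore` suggests that is the case here), so `cp ./*.pkg.tar.* packages` or an explicit `PKGDEST` would be needed — worth confirming against the image's makepkg.conf.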
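Review bot: `git config --global --add safe.directory /src` names the parent directory, while `build.pkg` mounts the repository at `/src/build`; `safe.directory` is matched against the configured path itself, not as a prefix, so this entry likely does not cover the repository unless the container user already owns the files (which `--userns keep-id` may arrange) — confirm, and otherwise use `/src/build`. Only the `.deb` files are copied out with `cp ../*.deb packages`, so the `.changes` and `.buildinfo` files that `gbp buildpackage` writes next to them stay in the container's `/src` and vanish when it exits; copying `../*.changes ../*.buildinfo` as well keeps the build record with the packages. With `--no-sign` and no retained `.buildinfo`, nothing downstream can verify what was built, so if these packages are later published, signing should happen somewhere in this pipeline.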
@@ -0,0 +1,9 @@
+Source: ca-certificates-st
+Priority: optional
+Maintainer: Sebastian Tobie
+Build-Depends: jq
+
+Package: ca-certificates-st
+Depends: ca-certificates
+Architecture: all
+Description: Meine Zertifikate
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..e69de29
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..64e2231
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,15 @@
+[DEFAULT]
+debian-branch = main
+ignore-new = True
+ignore-branch = True
+debian-tag = v%(version)s
+upstream-tag = v%(version)s
+create-orig = False
+
+[buildpackage]
+builder = debuild --preserve-envvar=VAULT_TOKEN --preserve-envvar=VAULT_ADDR -i -I
+
+[dch]
+git-author = True
+spawn-editor = never
+full = True
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..cbe925d
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,3 @@
+#!/usr/bin/make -f
+%:
+ dh $@
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..46ebe02
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
\ No newline at end of file
diff --git a/release_pkg.sh b/release_pkg.sh
index fe5d58a..74e62f3 100755
--- a/release_pkg.sh
+++ b/release_pkg.sh
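Review bot: `Build-Depends: jq` does not list `debhelper`, yet `debian/rules` in this commit runs `dh $@` with `debian/compat` set to 13, so `mk-build-deps` in `build_debian.sh` will not install it and the build depends on the image having it preinstalled; `Build-Depends: debhelper (>= 13), jq, openssl` covers what `dh` and `release_pkg.sh` need (the `bao` CLI is presumably not an apt package, so that dependency stays implicit and deserves a comment in the file). The source stanza also lacks `Standards-Version` and `Section`, which lintian will report, and `Description` has only a synopsis with no long description.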
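Review bot: `create-orig = False` in `[DEFAULT]`, combined with `debian/source/format` being `3.0 (quilt)` and the non-native version `1.0-1` in `debian/changelog`, means `gbp buildpackage` expects an existing `ca-certificates-st_1.0.orig.tar.*` next to the source tree, and nothing in this commit produces one; unless the orig tarball is supplied elsewhere, switching the format to `3.0 (native)` with a native version (`1.0`) or enabling `create-orig` against the `upstream-tag` would be needed. `builder = debuild --preserve-envvar=VAULT_TOKEN --preserve-envvar=VAULT_ADDR -i -I` exposes the Vault token to every step of `dpkg-buildpackage`, not only to `release_pkg.sh`; that is the cost of fetching trust anchors at build time, and a comment stating that the token is intentionally visible to the whole build would help the next maintainer judge the blast radius.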
@@ -1,6 +1,27 @@
-#!/bin/sh
-for uuid in $(vault list -format=json "$1/issuers" | jq -r '.[]') ; do
- vault read -field=certificate "$1/issuer/$uuid" >cert.pem
- newname=$(openssl x509 -noout -in cert.pem -subject_hash)
- mv cert.pem "${newname}.pem"
-done
+#!/bin/bash
+set -e -o pipefail
+
+if [ -z "$VAULT_TOKEN" -o -z "$VAULT_ADDR" ] ; then
+ echo No Vault server or token set
+ exit 1
+fi
+set -u
+
+download_certs() {
+ ca="$1"
+ subdir="$2"
+ trust="$3"
+ mkdir -p "${subdir}"
+ for uuid in $(bao list -format=json "${ca}/issuers" | jq -r '.[]'); do
+ name=$(bao read -field=issuer_name "${ca}/issuer/${uuid}")
+ args=
+ if [ -n "$trust" ] ; then
+ args+=" -addtrust ${trust}"
+ fi
+ bao read -field=certificate "${ca}/issuer/${uuid}" | openssl x509 -out "${subdir}/${name}.pem" -setalias "${uuid}" ${args}
+ done
+}
+
+download_certs "root_ca" "certs" "anyExtendedKeyUsage"
+download_certs "acme_ca" "certs" "anyExtendedKeyUsage"
+download_certs "secureboot_ca" "certs/secureboot" "codeSigning"
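Review bot: In `download_certs`, `name=$(bao read -field=issuer_name ...)` is used directly as the output path `"${subdir}/${name}.pem"`, so if an issuer has no name the file becomes `certs/.pem` and two unnamed issuers silently overwrite each other; `name=${name:-$uuid}` keeps every issuer, and rejecting a name containing `/` guards the path, since the value comes from the server rather than from this script. The files are written with `-addtrust`, which makes OpenSSL emit `BEGIN TRUSTED CERTIFICATE` blocks; consumers of the bundle built from these files that only understand `BEGIN CERTIFICATE` may skip them, so it is worth checking that every intended client parses the aux-trust form. The error message `echo No Vault server or token set` goes to stdout; `echo ... >&2` keeps it out of any captured output. `[ -z "$VAULT_TOKEN" -o -z "$VAULT_ADDR" ]` uses the obsolescent `-o` operator; `[ -z "$VAULT_TOKEN" ] || [ -z "$VAULT_ADDR" ]` is the portable form.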