added debian build data

.editorconfig

@@ -9,4 +9,12 @@ indent_size = 4
 end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
-insert_final_newline = true
+insert_final_newline = true
+
+[debian/rules]
+indent_style = tab
+[Makefile]
+indent_style = tab
+
+[debian/source/format]
+insert_final_newline = false

.gitignore

@@ -1,2 +1,11 @@
 *.pkg.tar.*
 *.pem
+*.deb
+*.changes
+*.buildinfo
+debian/*/
+debian/debhelper-build-stamp
+debian/ca-certificates-st.substvars
+debian/files
+pkg
+src

Makefile

@@ -0,0 +1,18 @@
+INSTALL:=install
+SHELL:=/bin/bash
+.SHELLFLAGS:=-eu -o pipefail -c
+.ONESHELL:
+
+%:
+	echo Making step $@
+
+build:
+	./release_pkg.sh
+
+install: $(wildcard certs/*.pem) $(wildcard certs/secureboot/*.pem)
+	${INSTALL} -d ${DESTDIR}/usr/share/ca-certificates
+	ls -la ${DESTDIR}/usr/share/ca-certificates
+	@for cert in $^ ; do
+		newname=$$(basename $$cert)
+		${INSTALL} $$cert ${DESTDIR}/usr/share/ca-certificates/$${newname%.*}.crt
+	@done

PKGBUILD

@@ -6,14 +6,14 @@ arch=('any')
 license=('Propiertary')
 groups=()
 depends=('ca-certificates')
-makedepends=('vault' 'openssl')
+makedepends=('bao' 'openssl' 'jq')
 source=('release_pkg.sh')
-sha256sums=('4abceb71722ad6dab69107a362e5f4d5dc173881b70eb9d2486f390f51b7a623')
+sha256sums=('SKIP')
 build() {
-        ./release_pkg.sh ca
+        ./release_pkg.sh
 }
 package() {
         ls -l
         mkdir -p "$pkgdir/usr/share/ca-certificates/trust-source/anchors/"
-        install -t "$pkgdir/usr/share/ca-certificates/trust-source/anchors/" *.pem
+        install -t "$pkgdir/usr/share/ca-certificates/trust-source/" certs/*.pem
 }

build.pkg

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -eu -o pipefail
+podmanrun() {
+    podman run --pull=newer --rm -t -e VAULT_ADDR=http://vault.home.internal --secret=VAULT_TOKEN,type=env --userns keep-id:uid=1000,gid=1000 -v .:/src/build -w /src/build "$1" "/src/build/build_$2.sh"
+}
+
+podmanrun "gitea.sebastian-tobie.de/docker/debian:bookworm" "debian"
+podmanrun "gitea.sebastian-tobie.de/docker/archlinux" "archlinux"

build_archlinux.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -eu -o pipefail
+makepkg -s --needed --noconfirm
+mkdir -p packages
+cp ../*.pkg.* packages

build_debian.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -eu -o pipefail
+sudo apt update
+sudo mk-build-deps -iBrt 'apt -o Debug::pkgProblemResolver=yes --no-install-recommends -y'
+git config --global --add safe.directory /src
+DEBEMAIL=build@$(hostname) gbp dch
+gbp buildpackage '--diff-ignore=.*' --no-sign
+mkdir -p packages
+cp ../*.deb packages

debian/changelog

@@ -0,0 +1,7 @@
+ca-certificates-st (1.0-1) unstable; urgency=medium
+
+  [ Sebastian Tobie ]
+  * Initial release.
+  * arch package build working
+
+ -- root <build@c8e6036d866c>  Sat, 03 May 2025 20:48:30 +0000

debian/compat

@@ -0,0 +1 @@
+13

debian/control

@@ -0,0 +1,9 @@
+Source: ca-certificates-st
+Priority: optional
+Maintainer: Sebastian Tobie
+Build-Depends: jq
+
+Package: ca-certificates-st
+Depends: ca-certificates
+Architecture: all
+Description: Meine Zertifikate

debian/gbp.conf

@@ -0,0 +1,15 @@
+[DEFAULT]
+debian-branch = main
+ignore-new = True
+ignore-branch = True
+debian-tag = v%(version)s
+upstream-tag = v%(version)s
+create-orig = False
+
+[buildpackage]
+builder = debuild --preserve-envvar=VAULT_TOKEN --preserve-envvar=VAULT_ADDR -i -I
+
+[dch]
+git-author = True
+spawn-editor = never
+full = True

debian/rules

@@ -0,0 +1,3 @@
+#!/usr/bin/make -f
+%:
+	dh $@

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

release_pkg.sh

@@ -1,6 +1,27 @@
-#!/bin/sh
+#!/bin/bash
-for uuid in $(vault list -format=json "$1/issuers" | jq -r '.[]') ; do
+set -e -o pipefail
-    vault read -field=certificate "$1/issuer/$uuid" >cert.pem
+
-    newname=$(openssl x509 -noout -in cert.pem -subject_hash)
+if [ -z "$VAULT_TOKEN" -o -z "$VAULT_ADDR" ] ; then
-    mv cert.pem "${newname}.pem"
+    echo No Vault server or token set
-done
+    exit 1
+fi
+set -u
+
+download_certs() {
+    ca="$1"
+    subdir="$2"
+    trust="$3"
+    mkdir -p "${subdir}"
+    for uuid in $(bao list -format=json "${ca}/issuers" | jq -r '.[]'); do
+        name=$(bao read -field=issuer_name "${ca}/issuer/${uuid}")
+        args=
+        if [ -n "$trust" ] ; then
+            args+=" -addtrust ${trust}"
+        fi
+        bao read -field=certificate "${ca}/issuer/${uuid}" | openssl x509 -out "${subdir}/${name}.pem" -setalias "${uuid}" ${args}
+    done
+}
+
+download_certs "root_ca" "certs" "anyExtendedKeyUsage"
+download_certs "acme_ca" "certs" "anyExtendedKeyUsage"
+download_certs "secureboot_ca" "certs/secureboot" "codeSigning"