ca-certificates: match /usr/share/ca-certificates to /etc/ssl/certs

It is a common pattern to bind mount /etc/ssl/certs from the host system into a container. This doesn't work on CoreOS because /etc/ssl/certs is just a pile of symlinks to /usr. If the applications in the container use Go then binding /usr/share/ca-certificates to /etc/ssl/certs does happen to work because Go only needs ca-certificates.crt which is in that top level directory. This however does not work for OpenSSL applications because it needs a whole directory of hashed certificates. To fix this change two things: - Remove the `mozilla` directory left over from when certs came from multiple sources. Install certs in ca-certificates directory instead. - Include the OpenSSL hash symlinks in ca-certificates.
2025-08-21 22:41:09 +02:00 · 2015-06-12 18:59:10 -07:00 · 2015-06-12 18:59:10 -07:00 · 6751326e80
commit 6751326e80
parent 68dbba9661
1 changed files with 43 additions and 17 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild
@ -26,40 +26,62 @@ RDEPEND="dev-libs/openssl
 DEPEND="${RDEPEND}
 	${PYTHON_DEPS}"

-sym_to_usr() {
-	local l="/etc/ssl/certs/${1##*/}"
-	local p="../../../usr/share/${PN}/${1}"
-	echo "L	${l}	-	-	-	-	${p}"
+pkg_setup() {
+	python-any-r1_pkg_setup
+
+	# Deal with the case where older ca-certificates installed a
+	# dir here, but newer one installs symlinks.  Portage will
+	# barf when you try to transition file types.
+	# This trick is stolen from sys-libs/timezone-data
+	if cd "${EROOT}"/usr/share/${PN} 2>/dev/null ; then
+		# In case of a failed upgrade, clean up the symlinks #506570
+		if [ -L .gentoo-upgrade ] ; then
+			rm -rf mozilla .gentoo-upgrade
+		fi
+		if [ -d mozilla ] ; then
+			rm -rf .gentoo-upgrade #487192
+			mv mozilla .gentoo-upgrade || die
+			ln -s .gentoo-upgrade mozilla || die
+		fi
+	fi
+}
+
+gen_hash_links() {
+	local certfile certhash
+	for certfile in "$@"; do
+		certhash=$(openssl x509 -hash -noout -in "${certfile}") || die
+		# This assumes the hashes have no collisions
+		ln -s "${certfile}" "${certhash}.0" || die
+	done
 }

 gen_tmpfiles() {
 	local certfile
 	echo "d	/etc/ssl		-	-	-	-	-"
 	echo "d	/etc/ssl/certs	-	-	-	-	-"
-	sym_to_usr ca-certificates.crt
 	for certfile in "$@"; do
-		sym_to_usr "${certfile}"
-	done
-	for certfile in "$@"; do
-		local certhash=$(openssl x509 -hash -noout -in "${certfile}")
-		# This assumes the hashes have no collisions
-		local l="/etc/ssl/certs/${certhash}.0"
-		local p="${certfile##*/}"
+		local l="/etc/ssl/certs/${certfile}"
+		local p="../../../usr/share/${PN}/${certfile}"
 		echo "L	${l}	-	-	-	-	${p}"
 	done
 }

 src_compile() {
 	local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt"
-	${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die
-	cat mozilla/*.pem > ca-certificates.crt || die
-	gen_tmpfiles mozilla/*.pem > ${PN}.conf || die
+	${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" certs || die
+
+	cd certs || die
+	gen_hash_links *.pem
+	cat *.pem > ca-certificates.crt || die
+	gen_tmpfiles * > "${S}/${PN}.conf" || die
 }

 src_install() {
 	insinto /usr/share/${PN}
-	doins ca-certificates.crt
-	doins -r mozilla
+	doins certs/*
+
+	# for compatibility with older directory structure
+	dosym . /usr/share/${PN}/mozilla

 	dosbin "${FILESDIR}/update-ca-certificates"
 	systemd_dounit "${FILESDIR}/clean-ca-certificates.service"
@ -72,3 +94,7 @@ src_install() {
 	dodir /etc/ssl/certs
 	systemd-tmpfiles --root="${D}" --create
 }
+
+pkg_postinst() {
+	rm -rf "${EROOT}"/usr/share/${PN}/.gentoo-upgrade
+}