path: root/debian/ca-certificates.postinst
#! /bin/sh
# postinst script for ca-certificates
#
# see: dh_installdeb(1)

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
#     Any necessary prompting should almost always be confined to the
#     post-installation script, and should be protected with a conditional
#     so that unnecessary prompting doesn't happen if a package's
#     installation fails and the `postinst' is called with `abort-upgrade',
#     `abort-remove' or `abort-deconfigure'.

# Exit as soon as a command fails outside of a condition or `||' list.
set -e

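# Split a comma-separated list into one value per line on stdout.
#   $1 - comma-separated list
# Whitespace at the start of each value is removed; trailing whitespace
# is kept as-is.
each_value() {
 # printf instead of echo: echo may swallow a value such as "-n" or
 # interpret backslash sequences, depending on which shell provides /bin/sh.
 printf '%s\n' "$1" | tr ',' '\n' | sed -e 's/^[[:space:]]*//'
}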

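# Test whether a value is an element of a comma-separated list.
#   $1 - value to look for
#   $2 - comma-separated list
# Returns 0 when $1 equals one of the elements, non-zero otherwise.
memberp() {
 m="$1"
 l="$2"
 # Compare as a fixed string against the whole element (-F -x).  The
 # values are certificate file names, which contain "." and may contain
 # other regex metacharacters; a pattern match could report the wrong
 # certificate as a member.  -e keeps a leading "-" from being read as
 # an option.
 each_value "$l" | grep -Fxq -e "$m"
}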

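# Print a comma-separated list with one value removed.
#   $1 - value to remove
#   $2 - comma-separated list
# Output: the remaining elements joined with ", " on stdout.
# The only calls to this function in this file are commented out.
delca() {
 m="$1"
 l="$2"
 # Work element by element and compare fixed strings.  Splicing $m into
 # a sed expression would treat "." and "*" as regex operators, break on
 # a name containing the sed delimiter, and could cut $m out of the
 # middle of a longer name.
 each_value "$l" | grep -v '^$' | grep -Fxv -e "$m" | paste -s -d ',' - | sed -e 's/,/, /g'
}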

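# Dispatch on the action passed as $1.  `configure' rewrites
# /etc/ca-certificates.conf from the debconf answers and refreshes
# /etc/ssl/certs; `triggered' runs update-ca-certificates for each
# activated trigger; the abort-* actions are accepted and do nothing.
case "$1" in
    configure)
        # Create the directory for locally added certificates with the
        # mode and group of /usr/local.
        if [ ! -e /usr/local/share/ca-certificates ]; then
            if mkdir -m "$(stat -L -c %a /usr/local)" /usr/local/share/ca-certificates 2>/dev/null; then
                chgrp "$(stat -L -c %g /usr/local)" /usr/local/share/ca-certificates
            fi
        # Handle upgrades and allow local admin to override:
        # e.g. dpkg-statoverride --add root staff 2775 /usr/local/share/ca-certificates
        elif ! dpkg-statoverride --list /usr/local/share/ca-certificates >/dev/null; then
            chmod "$(stat -L -c %a /usr/local)" /usr/local/share/ca-certificates || true
            chown "$(stat -L -c %u /usr/local):$(stat -L -c %g /usr/local)" /usr/local/share/ca-certificates || true
        fi

        # Fetch the debconf answers: every offered certificate and the
        # subset that is selected.
        . /usr/share/debconf/confmodule
        db_version 2.0
        db_capb multiselect
        db_metaget ca-certificates/enable_crts choices
        CERTS_AVAILABLE="$RET"
        db_get ca-certificates/enable_crts
        CERTS_ENABLED="$RET"
        # XXX unmark seen for next configuration
        db_fset ca-certificates/new_crts seen false
        db_stop || true

        if test -f /etc/ca-certificates.conf; then
            # Rewrite the existing file line by line into .dpkg-new,
            # keeping comments and recomputing the leading "!" of every
            # entry.  read -r keeps backslashes literal; the `|| [ -n ]'
            # part keeps a last line that lacks a trailing newline.
            # XXX: while in subshell?
            while read -r line || [ -n "$line" ]; do
                case "$line" in
                    '#'*)
                        printf '%s\n' "$line"
                        continue
                        ;;
                    '!'*)
                        ca=${line#!}
                        deselected=yes
                        ;;
                    *)
                        ca=$line
                        deselected=no
                        ;;
                esac
                if memberp "$ca" "$CERTS_ENABLED"; then
                    # Selected in debconf.
                    printf '%s\n' "$ca"
                    # CERTS_ENABLED=$(delca "$ca" "$CERTS_ENABLED")
                elif memberp "$ca" "$CERTS_AVAILABLE" ||
                     [ "$deselected" = yes ]; then
                    # Offered but not selected, or already deselected here.
                    printf '!%s\n' "$ca"
                elif [ -f /usr/share/ca-certificates/"$ca" ] ||
                     [ -f /usr/local/share/ca-certificates/"$ca" ]; then
                    # Unknown to debconf but the file exists: keep it.
                    printf '%s\n' "$ca"
                else
                    printf '!%s\n' "$ca"
                fi
                # CERTS_AVAILABLE=$(delca "$ca" "$CERTS_AVAILABLE")
            done < /etc/ca-certificates.conf > /etc/ca-certificates.conf.dpkg-new

            # Append selected certificates the file did not mention yet.
            if echo "$CERTS_ENABLED" | grep -Eq "^([[:space:]]*,)*[[:space:]]*$"; then
                :
            else
                each_value "$CERTS_ENABLED" | while read -r ca; do
                    [ -n "$ca" ] || continue
                    # Whole-line, fixed-string comparison.  A prefix or
                    # regex match would count a longer or merely similar
                    # name as this certificate and leave the selected one
                    # out of the file.
                    if grep -Fxq -e "$ca" /etc/ca-certificates.conf.dpkg-new; then
                        :
                    else
                        printf '%s\n' "$ca" >> /etc/ca-certificates.conf.dpkg-new
                    fi
                done
            fi

            # Append a "!" entry for every offered certificate that is
            # neither selected nor already listed as deselected.
            each_value "$CERTS_AVAILABLE" | while read -r ca; do
                [ -n "$ca" ] || continue
                if memberp "$ca" "$CERTS_ENABLED"; then
                    :
                elif grep -Fxq -e "!$ca" /etc/ca-certificates.conf.dpkg-new; then
                    :
                else
                    printf '!%s\n' "$ca" >> /etc/ca-certificates.conf.dpkg-new
                fi
            done

            # Install the new file only when it differs; the previous one
            # is kept as .dpkg-old.
            # NOTE(review): between the two mv calls no
            # /etc/ca-certificates.conf exists.
            if cmp -s /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-new; then
                rm -f /etc/ca-certificates.conf.dpkg-new
            else
                mv -f /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-old
                mv /etc/ca-certificates.conf.dpkg-new /etc/ca-certificates.conf
            fi
        else
            # new file
            cat > /etc/ca-certificates.conf <<EOF
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
EOF
            # A name found in both lists is counted twice by uniq -c and
            # written as selected; a name counted once gets a leading "!".
            # The lists are passed quoted through each_value so the shell
            # neither word-splits nor glob-expands certificate names.
            {
                each_value "$CERTS_ENABLED"
                each_value "$CERTS_AVAILABLE"
            } |
                sort | uniq -c |
                sed -e 's/^[[:space:]]*2[[:space:]]*//' \
                    -e 's/^[[:space:]]*1[[:space:]]*/!/' \
                >> /etc/ca-certificates.conf
        fi

        # update /etc/ssl/certs without running the hooks
        # fix bogus symlink to ca-certificates.crt on upgrades; see
        # Debian #643667; drop after wheezy
        if dpkg --compare-versions "$2" lt-nl 20111025; then
            update-ca-certificates --hooksdir "" --fresh
        else
            update-ca-certificates --hooksdir ""
        fi
        # deferred update of /etc/ssl/certs including running the hooks
        dpkg-trigger --no-await update-ca-certificates
        ;;

    triggered)
        # $2 is left unquoted on purpose: it is split on whitespace into
        # the individual trigger names.
        for trigger in $2; do
            case "$trigger" in
                update-ca-certificates)
                    update-ca-certificates
                    ;;
                update-ca-certificates-fresh)
                    update-ca-certificates --fresh
                    ;;
                *)
                    echo "postinst called with unknown trigger \`$2'">&2
                    exit 1
                    ;;
            esac
        done
        ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac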

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

# Reached only when no branch above exited with an error.
exit 0