#!/bin/sh
# $1 = action ('configure' or 'reconfigure')
# $2 = current-installed-version
set -e

# First maintainer-script argument: 'configure' or 'reconfigure'.
action="$1"

# Source of the administrator's current choices. When the file is absent,
# /dev/null stands in so that both sed calls below produce empty lists.
CERTSCONF=/dev/null
if [ -f /etc/ca-certificates.conf ]; then
  CERTSCONF=/etc/ca-certificates.conf
fi

# CERTS_DISABLED: entries written with a leading '!' (certificates the user
# does not trust), one per line, with the '!' stripped.
CERTS_DISABLED=$(sed -n -e 's/^!//p' "$CERTSCONF")

# CERTS_TRUST: every remaining line that is neither a '#' comment nor a '!'
# entry, i.e. certificates the user already trusts.
CERTS_TRUST=$(sed -e '/^[#!]/d' "$CERTSCONF")

# CERTS_LIST: certificates that will be installed.
# NOTE(review): "#INITIAL_CERTS#" looks like a placeholder that is replaced
# when the package is built -- confirm against the build rules.
CERTS_LIST="#INITIAL_CERTS#"

# Accumulators filled in further down, each a ", "-separated list:
#   CERTS_AVAILABLE  certificates the user can choose from
#   CERTS_ENABLED    certificates that end up trusted
#   CERTS_NEW        newly shipped certificates still awaiting a decision
CERTS_AVAILABLE=""
CERTS_ENABLED=""
CERTS_NEW=""

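# members LIST1 LIST2
#
# Succeeds (exit status 0) when at least one entry of the comma-separated
# LIST1 is also an entry of the comma-separated LIST2; fails otherwise.
#
# Entries are compared as whole, literal strings (grep -F -x). Certificate
# names contain '.' and '/', so treating them as regular expressions or
# accepting substring hits could make an unrelated, already-enabled
# certificate look like one of the new ones and wrongly mark the
# "new certificates" question as already answered.
# Empty entries are skipped, so an empty LIST1 never matches.
members()
{
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | while read -r ca
  do
    # An empty name would otherwise match any empty entry of LIST2.
    test -n "$ca" || continue
    # Split LIST2 the same way as LIST1 so each entry sits on its own line;
    # -e keeps a name beginning with '-' from being parsed as an option.
    if printf '%s\n' "$2" | tr ',' '\n' \
         | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
         | grep -F -q -x -e "$ca" > /dev/null 2>&1; then
      echo match
    fi
  done | grep -q match
}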

# Load the debconf shell bindings (the db_* commands used below); give up if
# they cannot be loaded.
. /usr/share/debconf/confmodule || exit
db_version 2.0
db_capb multiselect

# Ask how newly shipped certificates should be handled.
db_settitle ca-certificates/title
db_input medium ca-certificates/trust_new_crts || true
db_go

# Policy for new certificates. If the stored answer cannot be read, the
# fallback is "yes": the selection loop further down then enables new
# certificates without asking.
trust_new="yes"
if db_get ca-certificates/trust_new_crts; then
  trust_new="$RET"
fi

# Whether the enable_crts question has already been shown to the user.
seen=false
if db_fget ca-certificates/enable_crts seen; then
  seen="$RET"
fi

# XXX: on reconfigure, force the user to select from all available
# certificates: mark the question unseen and do not auto-enable new ones.
if [ "$action" = "reconfigure" ] || [ "$DEBCONF_RECONFIGURE" = "1" ]; then
  trust_new=no
  seen=false
fi

if [ -d /usr/share/ca-certificates ]; then
  # Certificates are already on disk: build the candidate list from the *.crt
  # files found there plus the entries of CERTS_LIST, sorted and de-duplicated.
  cd /usr/share/ca-certificates
  crts=$( { find . -type f -name '*.crt' -print | sed -e 's|^\./||'
            echo "$CERTS_LIST" | tr ',' '\n' | sed -e 's/^[[:space:]]*//'
          } | sort | uniq)
  # NOTE(review): $crts is expanded unquoted, so it is word-split and
  # glob-expanded; a certificate file name containing whitespace would be
  # broken into several entries here.
  for crt in $crts
  do
    # Every candidate is offered as a choice, whatever its current state.
    CERTS_AVAILABLE="${CERTS_AVAILABLE:+$CERTS_AVAILABLE, }$crt"

    # Explicitly disabled entries are checked first, so the trust_new policy
    # below never re-enables a certificate the user has turned off.
    if (echo "$CERTS_DISABLED" | grep -Fqx "$crt") > /dev/null 2>&1; then
      continue # echo "I: ignore $crt"
    fi

    # Already trusted: keep it enabled.
    if (echo "$CERTS_TRUST" | grep -Fqx "$crt") > /dev/null 2>&1; then
      CERTS_ENABLED="${CERTS_ENABLED:+$CERTS_ENABLED, }$crt"
      continue
    fi

    # Neither disabled nor trusted: a new certificate, handled per policy.
    case "$trust_new" in
      yes)
        # Enabled without asking.
        CERTS_ENABLED="${CERTS_ENABLED:+$CERTS_ENABLED, }$crt"
        ;;
      ask)
        # Collected so the user can be asked about it later.
        CERTS_NEW="${CERTS_NEW:+$CERTS_NEW, }$crt"
        ;;
      *)
        : # trust_new=no, default disabled
        ;;
    esac
  done
else
  # Initial installation: everything in CERTS_LIST is both offered and enabled.
  # XXX: ca-certificates/enable_crts should be used, so no need to ask about
  #     new certificates in this session
  trust_new="yes"
  CERTS_NEW=""
  CERTS_AVAILABLE="$CERTS_LIST"
  CERTS_ENABLED="$CERTS_LIST"
fi

# Selection currently stored in debconf for the enable_crts question.
enable_crts=""
if db_get ca-certificates/enable_crts; then
  enable_crts="$RET"
fi

# Has the new_crts question been shown before?
new_seen=false
if db_fget ca-certificates/new_crts seen; then
  new_seen="$RET"
fi
# already selected new_crts? Then treat the question as answered.
if members "$CERTS_NEW" "$enable_crts"; then
  new_seen=true
fi
db_subst ca-certificates/new_crts new_crts "$CERTS_NEW"

if [ "$trust_new" = "ask" ]; then
  if [ "$new_seen" = "true" ]; then
    # XXX: run this again in postinst
    CERTS_ENABLED="$enable_crts"
  elif [ "$new_seen" = "false" ] && [ -n "$CERTS_NEW" ]; then
    # New certificates added: ask about them at critical priority.
    db_fset ca-certificates/new_crts seen false
    db_input critical ca-certificates/new_crts || true
    db_go

    # Whatever the user picked is appended to the enabled list.
    if db_get ca-certificates/new_crts; then
      CERTS_ENABLED="${CERTS_ENABLED:+$CERTS_ENABLED, }$RET"
    fi
    # XXX: old certificates keep current state?
    seen=true
  fi
fi
# Mark new_crts as seen so that it is not asked again during postinst.
db_fset ca-certificates/new_crts seen true

# Store the resulting selection and the full list of choices, then offer the
# enable_crts question; it is flagged unseen unless $seen is true.
db_set ca-certificates/enable_crts "$CERTS_ENABLED"
db_subst ca-certificates/enable_crts enable_crts "$CERTS_AVAILABLE"
if [ "$seen" != true ]; then
  db_fset ca-certificates/enable_crts seen false
fi
db_input low ca-certificates/enable_crts || true
db_go

exit 0