From nobody Thu Jul 17 18:15:01 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bjh0j4sBsz624vQ; Thu, 17 Jul 2025 18:15:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4bjh0j2fljz41ST; Thu, 17 Jul 2025 18:15:01 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1752776101; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=G4aQNUGFnV4LjvC3xOvbPfCAHZmMoAtJc2kMMgOq7Z0=; b=LaG2FUrEbjYr8gi3UFWYVp4Ns3iy82f9dHaiCGPb8Vq33RwdRlydOsOEIbxJp8ZdIIRPHH oSjR5Ujjr6r6QfAsKYv34Vm7W05GtObm83Tor0WgMrNzNWLgzC16/uQ1UQ2tkt+eIMJwxq UgxTJVfF2manaHJCyolSg2ifyuTibF7uowc+UUi7YJsf0WVPlb6b47uSiEOtZxJjAb+sQd xKLiX1IzdLcswvgNKUnFqRd4AKHnoo3yC0SAsPtnvkzS7kR/TPyTrhFvZ15M5KYgzksAtP EpnZM9b0Vh6SmdeS1dcZxFfpM/C5+CnIqWszX0Tb5Y8fOye93uZnco8kJ5p76g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1752776101; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=G4aQNUGFnV4LjvC3xOvbPfCAHZmMoAtJc2kMMgOq7Z0=; b=tTSTdf/OqGMqWFpdzScJ1Q4AvDjGR/eYBe1f/Hwqgv+pin5fay5riySgPgAZl7ysUTqw5e VztBzdnRqY+oL0aC9gZdMR7/2dEcV0q3xqia+Fq7dcRLL5YFyjtnbkdH7O/7QC2/OM12Sb o4KYd//lE06sswv9bzl4FxPh1uxUASc0qXbfcg1GQrxhRfVTvJKRcDA0/vvj7wJyZ3NmFb LWI+Tuw2eJxToY5wOZ8V9EKwoNRdSms9TFO9tr5N8HQsPt4tsfDU6hAwNYvWQi/EUOlIiN C2Cm7boZ1cQb/F59SNheL9xYrf3iJyTqYODuWxJrJH/X8J+j8yT4R//EbJcWSA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1752776101; a=rsa-sha256; cv=none; b=Rta9ox0x+YQcsXAZYsBD7lhvUQ6EPC95nXLbIqhBIRVNc1X+95XDaAFo7n7Zp31ZgbxawZ YpYeGEyIBNzwNn7cjqeRORs+MFsLFRbXixgkntg2siYPc2bmw5cYs41/2zjI/oKz8/+zBv F/HkNw62cFCr4dXr59CtbID2LHTwJ60+qLI2aQwvZ68bQmK/2TelzumXgf+HEbuMwcRXOc 6HsYGGVm7NyxwBypPrXMmgl2QeMs2UP2SpueJ3L1kuR8v8/Peg6JGaug9lBwfAKNThEDHh 3i5PEpTTTUs0iXviZF9TYECzKtX/9GhjRpzTjqiLvapO71BrTM1ibn+0U0SEvg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bjh0j1clNz15md; Thu, 17 Jul 2025 18:15:01 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 56HIF1ao082111; Thu, 17 Jul 2025 18:15:01 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 56HIF18c082108; Thu, 17 Jul 2025 18:15:01 GMT (envelope-from git) Date: Thu, 17 Jul 2025 18:15:01 GMT Message-Id: <202507171815.56HIF18c082108@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: 92b9f43c788d - main - certctl: Add an option to copy files. List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 92b9f43c788da24d2d8376a50953ef67c2303ba7 Auto-Submitted: auto-generated The branch main has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=92b9f43c788da24d2d8376a50953ef67c2303ba7 commit 92b9f43c788da24d2d8376a50953ef67c2303ba7 Author: Dag-Erling Smørgrav AuthorDate: 2025-07-17 18:10:56 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2025-07-17 18:13:56 +0000 certctl: Add an option to copy files. This is slower than linking but is the only method that works for all cases, including running certctl from outside a jail that does not contain the raw certificate data. While here, fix a bug that occurs in unprivileged mode if DESTDIR is unset or the root directory. MFC after: 1 week Reviewed by: dfr Differential Revision: https://reviews.freebsd.org/D51373 --- usr.sbin/certctl/certctl.8 | 10 ++++++---- usr.sbin/certctl/certctl.sh | 22 +++++++++++----------- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8 index 286072c1b4d6..7e49bb89e2ac 100644 --- a/usr.sbin/certctl/certctl.8 +++ b/usr.sbin/certctl/certctl.8 @@ -24,7 +24,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd October 10, 2023 +.Dd July 17, 2025 .Dt CERTCTL 8 .Os .Sh NAME @@ -38,15 +38,15 @@ .Op Fl v .Ic untrusted .Nm -.Op Fl nUv +.Op Fl cnUv .Op Fl D Ar destdir .Op Fl M Ar metalog .Ic rehash .Nm -.Op Fl nv +.Op Fl cnv .Ic untrust Ar file .Nm -.Op Fl nv +.Op Fl cnv .Ic trust Ar file .Sh DESCRIPTION The @@ -56,6 +56,8 @@ applications that use OpenSSL. .Pp Flags: .Bl -tag -width 4n +.It Fl c +Copy certificates instead of linking to them. .It Fl D Ar destdir Specify the DESTDIR (overriding values from the environment). .It Fl d Ar distbase diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh index 458f5c53682f..2bde651de126 100755 --- a/usr.sbin/certctl/certctl.sh +++ b/usr.sbin/certctl/certctl.sh @@ -36,6 +36,7 @@ set -u ############################################################ GLOBALS SCRIPTNAME="${0##*/}" +LINK=-lrs ERRORS=0 NOOP=false UNPRIV=false @@ -110,7 +111,6 @@ create_trusted() { local hash certhash otherfile otherhash local suffix - local link=${2:+-lrs} hash=$(do_hash "$1") || return certhash=$(openssl x509 -sha1 -in "$1" -noout -fingerprint) @@ -130,7 +130,7 @@ create_trusted() done suffix=$(get_decimal "$CERTDESTDIR" "$hash") verbose "Adding $hash.$suffix to trust store" - perform install ${INSTALLFLAGS} -m 0444 ${link} \ + perform install ${INSTALLFLAGS} -m 0444 ${LINK} \ "$(realpath "$1")" "$CERTDESTDIR/$hash.$suffix" } @@ -159,7 +159,6 @@ resolve_certname() create_untrusted() { local srcfile filename - local link=${2:+-lrs} set -- $(resolve_certname "$1") srcfile=$1 @@ -170,7 +169,7 @@ create_untrusted() fi verbose "Adding $filename to untrusted list" - perform install ${INSTALLFLAGS} -m 0444 ${link} \ + perform install ${INSTALLFLAGS} -m 0444 ${LINK} \ "$srcfile" "$UNTRUSTDESTDIR/$filename" } @@ -190,7 +189,7 @@ do_scan() 0) ;; 1) - "$CFUNC" "$CFILE" link + "$CFUNC" "$CFILE" ;; *) verbose "Multiple certificates found, splitting..." @@ -303,19 +302,20 @@ usage() echo " List trusted certificates" echo " $SCRIPTNAME [-v] untrusted" echo " List untrusted certificates" - echo " $SCRIPTNAME [-nUv] [-D ] [-d ] [-M ] rehash" - echo " Generate hash links for all certificates" - echo " $SCRIPTNAME [-nv] untrust " + echo " $SCRIPTNAME [-cnUv] [-D ] [-d ] [-M ] rehash" + echo " Rehash all trusted and untrusted certificates" + echo " $SCRIPTNAME [-cnv] untrust " echo " Add to the list of untrusted certificates" - echo " $SCRIPTNAME [-nv] trust " + echo " $SCRIPTNAME [-cnv] trust " echo " Remove from the list of untrusted certificates" exit 64 } ############################################################ MAIN -while getopts D:d:M:nUv flag; do +while getopts cD:d:M:nUv flag; do case "$flag" in + c) LINK=-c ;; D) DESTDIR=${OPTARG} ;; d) DISTBASE=${OPTARG} ;; M) METALOG=${OPTARG} ;; @@ -334,7 +334,7 @@ fi : ${METALOG:=${DESTDIR}/METALOG} INSTALLFLAGS= if "$UNPRIV" ; then - INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR} -o root -g wheel" + INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR:-/} -o root -g wheel" fi : ${LOCALBASE:=$(sysctl -n user.localbase)} : ${TRUSTPATH:=${DESTDIR}${DISTBASE}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs}