Date: Thu, 24 Jul 2025 13:03:01 GMT
Message-Id: <202507241303.56OD3110002089@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: 986c43bd80e7 - stable/14 - certctl: Add an option to copy files.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 986c43bd80e750937d02966883b3182ded828c97

The branch stable/14 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=986c43bd80e750937d02966883b3182ded828c97

commit 986c43bd80e750937d02966883b3182ded828c97
Author:     Dag-Erling Smørgrav
AuthorDate: 2025-07-17 18:10:56 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2025-07-24 13:02:45 +0000

    certctl: Add an option to copy files.

    This is slower than linking but is the only method that works for all
    cases, including running certctl from outside a jail that does not
    contain the raw certificate data.

    While here, fix a bug that occurs in unprivileged mode if DESTDIR is
    unset or the root directory.

    MFC after:      1 week
    Reviewed by:    dfr
    Differential Revision:  https://reviews.freebsd.org/D51373

    (cherry picked from commit 92b9f43c788da24d2d8376a50953ef67c2303ba7)
---
 usr.sbin/certctl/certctl.8  | 10 ++++++----
 usr.sbin/certctl/certctl.sh | 22 +++++++++++-----------
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8
index 4ce61916d79a..569bd0f85d55 100644
--- a/usr.sbin/certctl/certctl.8
+++ b/usr.sbin/certctl/certctl.8
@@ -24,7 +24,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 13, 2022 +.Dd July 17, 2025 .Dt CERTCTL 8 .Os .Sh NAME
@@ -38,15 +38,15 @@ .Op Fl v .Ic untrusted .Nm -.Op Fl nUv +.Op Fl cnUv .Op Fl D Ar destdir .Op Fl M Ar metalog .Ic rehash .Nm -.Op Fl nv +.Op Fl cnv .Ic untrust Ar file .Nm -.Op Fl nv +.Op Fl cnv .Ic trust Ar file .Sh DESCRIPTION The @@ -56,6 +56,8 @@ applications that use OpenSSL. .Pp Flags: .Bl -tag -width 4n +.It Fl c +Copy certificates instead of linking to them. .It Fl D Ar destdir Specify the DESTDIR (overriding values from the environment). .It Fl d Ar distbase diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh index 458f5c53682f..2bde651de126 100755 --- a/usr.sbin/certctl/certctl.sh +++ b/usr.sbin/certctl/certctl.sh @@ -36,6 +36,7 @@ set -u ############################################################ GLOBALS SCRIPTNAME="${0##*/}" +LINK=-lrs ERRORS=0 NOOP=false UNPRIV=false @@ -110,7 +111,6 @@ create_trusted() { local hash certhash otherfile otherhash local suffix - local link=${2:+-lrs} hash=$(do_hash "$1") || return certhash=$(openssl x509 -sha1 -in "$1" -noout -fingerprint) @@ -130,7 +130,7 @@ create_trusted() done suffix=$(get_decimal "$CERTDESTDIR" "$hash") verbose "Adding $hash.$suffix to trust store" - perform install ${INSTALLFLAGS} -m 0444 ${link} \ + perform install ${INSTALLFLAGS} -m 0444 ${LINK} \ "$(realpath "$1")" "$CERTDESTDIR/$hash.$suffix" } @@ -159,7 +159,6 @@ resolve_certname() create_untrusted() { local srcfile filename - local link=${2:+-lrs} set -- $(resolve_certname "$1") srcfile=$1 @@ -170,7 +169,7 @@ create_untrusted() fi verbose "Adding $filename to untrusted list" - perform install ${INSTALLFLAGS} -m 0444 ${link} \ + perform install ${INSTALLFLAGS} -m 0444 ${LINK} \ "$srcfile" "$UNTRUSTDESTDIR/$filename" } @@ -190,7 +189,7 @@ do_scan() 0) ;; 1) - "$CFUNC" "$CFILE" link + "$CFUNC" "$CFILE" ;; *) verbose "Multiple certificates found, splitting..." 
@@ -303,19 +302,20 @@ usage() echo " List trusted certificates" echo " $SCRIPTNAME [-v] untrusted" echo " List untrusted certificates" - echo " $SCRIPTNAME [-nUv] [-D ] [-d ] [-M ] rehash" - echo " Generate hash links for all certificates" - echo " $SCRIPTNAME [-nv] untrust " + echo " $SCRIPTNAME [-cnUv] [-D ] [-d ] [-M ] rehash" + echo " Rehash all trusted and untrusted certificates" + echo " $SCRIPTNAME [-cnv] untrust " echo " Add to the list of untrusted certificates" - echo " $SCRIPTNAME [-nv] trust " + echo " $SCRIPTNAME [-cnv] trust " echo " Remove from the list of untrusted certificates" exit 64 } ############################################################ MAIN -while getopts D:d:M:nUv flag; do +while getopts cD:d:M:nUv flag; do case "$flag" in + c) LINK=-c ;; D) DESTDIR=${OPTARG} ;; d) DISTBASE=${OPTARG} ;; M) METALOG=${OPTARG} ;; @@ -334,7 +334,7 @@ fi : ${METALOG:=${DESTDIR}/METALOG} INSTALLFLAGS= if "$UNPRIV" ; then - INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR} -o root -g wheel" + INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR:-/} -o root -g wheel" fi : ${LOCALBASE:=$(sysctl -n user.localbase)} : ${TRUSTPATH:=${DESTDIR}${DISTBASE}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs}
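Review bot: in the certctl.8 hunk that adds `.It Fl c`, the one-line description ("Copy certificates instead of linking to them") does not tell the reader when copying is the mode to pick; the commit message has the rationale, so suggest extending the entry to say that copying is required when certctl runs from outside a jail or DESTDIR that does not contain the source certificate files, because a relative symlink made from outside does not resolve inside. While touching the synopsis in the same hunk: the `.Ic rehash` form lists `.Op Fl D Ar destdir` and `.Op Fl M Ar metalog` but not `-d distbase`, although the flag list below documents `.It Fl d Ar distbase` and the usage() text in certctl.sh prints `[-D ] [-d ] [-M ] rehash`; adding `.Op Fl d Ar distbase` would keep the three in sync.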
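Review bot: in the GLOBALS hunk, `LINK=-lrs` names the variable after one of the two values it can now hold (the getopts hunk sets `LINK=-c`), so the two call sites `perform install ${INSTALLFLAGS} -m 0444 ${LINK}` read as if they always link. A neutral name such as `INSTALLMODE`, or a comment beside the default (relative symlink by default, copy with -c), would make those lines self-explanatory. Both values are single words, so the unquoted `${LINK}` expansion is safe as written.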
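Review bot: in the create_trusted hunk (and the matching create_untrusted hunk), dropping `local link=${2:+-lrs}` changes more than adding a copy option: before, linking happened only when the caller passed a second argument, which the do_scan hunk shows was done in the single-certificate `1)` branch (`"$CFUNC" "$CFILE" link`), and any caller that omitted it got a plain copy. After the change every caller gets `${LINK}`, that is a relative symlink unless `-c` is given. The `*)` "Multiple certificates found, splitting..." branch lies outside the visible context, so please confirm that whatever it hands to `$CFUNC` is a file that still exists after the run; a relative symlink to a split-out temporary file would dangle. If the split path already goes through another route, a short comment at the `1)` call site saying that link-versus-copy is now chosen globally would spare the next reader the same question.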
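Review bot: in the INSTALLFLAGS hunk, `-D ${DESTDIR:-/}` fixes the empty-DESTDIR case: since `${INSTALLFLAGS}` is expanded unquoted at the `perform install ${INSTALLFLAGS} -m 0444` call sites, an empty value vanished under word splitting and `-D` took the following `-o` as its argument in unprivileged (`-U`) mode. The commit message also names "the root directory" as a failing case; with `set -u` in effect and `${DESTDIR}` used unguarded on the preceding `: ${METALOG:=${DESTDIR}/METALOG}` line, DESTDIR must already be set here, so the conditional ending at the `fi` context line presumably normalizes `/` to the empty string. If that is so, a comment on the changed line (DESTDIR is empty when installing into /, and install(1) needs a real path) would record why the fallback is `/` rather than an error. The adjacent METALOG default still uses the raw value and yields `/METALOG` for an empty DESTDIR, which looks intended but deserves a second look in the same pass.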