Date: Tue, 30 Sep 2025 08:50:00 GMT
From: Dima Panov <fluffy@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 56c71d0816dc - main - security/ca_root_nss: Make unprivileged installation possible
Message-ID: <202509300850.58U8o0O5082507@gitrepo.freebsd.org>
The branch main has been updated by fluffy: URL: https://cgit.FreeBSD.org/ports/commit/?id=56c71d0816dc8b4e53bb2a286cc798cfd33d3491 commit 56c71d0816dc8b4e53bb2a286cc798cfd33d3491 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2025-07-14 21:44:57 +0000 Commit: Dima Panov <fluffy@FreeBSD.org> CommitDate: 2025-09-30 08:48:54 +0000 security/ca_root_nss: Make unprivileged installation possible The post-install and post-deinstall scripts simply invoke "certctl rehash", which of course requires root privileges. Modify them to enable unprivileged installation, useful for building VM images. For instance, FreeBSD's EC2 image builder wants to install amazon-ssm-agent, which depends on ca_root_nss. Modify the scripts to: 1. Use PKG_ROOTDIR as the root instead of assuming the default. 2. When installing, and PKG_METALOG is set, assume we're doing an unprivileged build and tell certctl to write updates to the configured METALOG. Note, the use of PKG_METALOG depends on a new pkg feature: https://github.com/freebsd/pkg/pull/2476 If an updated ca_root_nss is installed using an old pkg(8), then the PKG_METALOG variable will not be set, so there are no compatibility issues. Sponsored by: The FreeBSD Foundation Sponsored by: Klara, Inc. PR: 288243 --- security/ca_root_nss/Makefile | 4 ++-- security/ca_root_nss/files/pkg-deinstall.in | 6 ++++++ security/ca_root_nss/files/pkg-install.in | 12 ++++++++++++ security/ca_root_nss/pkg-plist | 3 --- 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile index 8824436587be..1214762865cf 100644 --- a/security/ca_root_nss/Makefile +++ b/security/ca_root_nss/Makefile @@ -1,6 +1,6 @@ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} 
@@ -34,7 +34,7 @@ VERSION_NSS= 3.115 CERTDATA_TXT_PATH= lib/ckfw/builtins/certdata.txt BUNDLE_PROCESSOR= MAca-bundle.pl -SUB_FILES= MAca-bundle.pl pkg-message +SUB_FILES= MAca-bundle.pl pkg-deinstall pkg-install pkg-message SUB_LIST= VERSION_NSS=${VERSION_NSS} do-build: diff --git a/security/ca_root_nss/files/pkg-deinstall.in b/security/ca_root_nss/files/pkg-deinstall.in new file mode 100644 index 000000000000..8e5138c10c22 --- /dev/null +++ b/security/ca_root_nss/files/pkg-deinstall.in @@ -0,0 +1,6 @@ +#!/bin/sh + +if [ "$2" = POST-DEINSTALL ]; then + CERTCTL_ARGS="-D ${PKG_ROOTDIR}" + certctl ${CERTCTL_ARGS} rehash +fi diff --git a/security/ca_root_nss/files/pkg-install.in b/security/ca_root_nss/files/pkg-install.in new file mode 100644 index 000000000000..6f05ab7e72ed --- /dev/null +++ b/security/ca_root_nss/files/pkg-install.in @@ -0,0 +1,12 @@ +#!/bin/sh + +if [ "$2" = POST-INSTALL ]; then + CERTCTL_ARGS="-D ${PKG_ROOTDIR}" + if [ -n "${PKG_METALOG}" ]; then + CERTCTL_ARGS="${CERTCTL_ARGS} -U -M ${PKG_METALOG}" + fi + certctl ${CERTCTL_ARGS} rehash + + [ ! -e %%LOCALBASE%%/bin/cert-sync ] || \ + %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt +fi diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist index 7899413567aa..79f18017fea6 100644 --- a/security/ca_root_nss/pkg-plist +++ b/security/ca_root_nss/pkg-plist @@ -2,6 +2,3 @@ @sample etc/ssl/cert.pem.sample %%ETCSYMLINK%%openssl/cert.pem %%ETCSYMLINK%%/etc/ssl/cert.pem -@postexec certctl rehash -@postunexec certctl rehash -@postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
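
Review bot: In files/pkg-deinstall.in, `CERTCTL_ARGS="-D ${PKG_ROOTDIR}"` is built with no check that PKG_ROOTDIR is non-empty, unlike the `[ -n "${PKG_METALOG}" ]` guard used for the metalog options in pkg-install.in. If the variable is empty or unset, the unquoted `certctl ${CERTCTL_ARGS} rehash` expands to `certctl -D rehash`, so `rehash` is consumed as the argument to -D and no rehash of the trust store takes place; a root directory containing whitespace would be split the same way. The commit message covers an old pkg(8) leaving PKG_METALOG unset but says nothing about PKG_ROOTDIR, so consider defaulting with `${PKG_ROOTDIR:-/}` or adding -D only when the variable is set. The same line appears in pkg-install.in.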
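
Review bot: In files/pkg-install.in, the cert-sync step at the end of the POST-INSTALL block still tests and runs `%%LOCALBASE%%/bin/cert-sync` on `%%PREFIX%%/share/certs/ca-root-nss.crt` with no PKG_ROOTDIR prefix, so point 1 of the commit message (use PKG_ROOTDIR as the root) is applied to certctl only. As written, an install into an alternate root checks for cert-sync on the build host and, if present, runs it against the host's bundle path rather than the target image's. Consider skipping this step when PKG_ROOTDIR is not `/`, or adding a comment in the script stating that it is intentionally relative to the running system.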
