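#!/bin/sh
# Install the CA certificates that certifi's cacert.pem (at a pinned commit)
# carries but the system bundle does not, as individual .crt files under
# /usr/local/share/ca-certificates, then rebuild the system bundle.
#
# Required environment:
#   CERTIFI_COMMIT - the python-certifi commit (or ref) whose
#                    certifi/cacert.pem is fetched.
#
# -e: abort on unhandled errors; -f: disable pathname expansion.
set -ef

certifi_uri="https://raw.githubusercontent.com/certifi/python-certifi/${CERTIFI_COMMIT:?}/certifi/cacert.pem"
dst_dir=/usr/local/share/ca-certificates

# Fail early, before anything is downloaded, if the target directory for
# the new .crt files is not there.
[ -d "${dst_dir}" ] || {
  printf 'missing directory: %s\n' "${dst_dir}" >&2
  exit 1
}

w=$(mktemp -d) ; : "${w:?}"
# Remove the scratch directory on every exit path, not only the happy one.
trap 'rm -rf -- "${w:?}"' EXIT

# -f: an HTTP error (e.g. 404 for a wrong CERTIFI_COMMIT) must fail the
# script instead of leaving an HTML error page in cacert.pem.
# --proto/--proto-redir '=https': never fetch, or follow a redirect to,
# anything but an https URL.
curl -fsSL --proto '=https' --proto-redir '=https' "${certifi_uri}" > "$w/cacert.pem"

# Sanity check: whatever was downloaded must at least look like a PEM bundle.
grep -q -- '-----BEGIN CERTIFICATE-----' "$w/cacert.pem" || {
  printf 'download does not look like a PEM bundle: %s\n' "${certifi_uri}" >&2
  exit 1
}

def_bundle=/etc/ssl/certs/ca-certificates.crt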
#######################################
# Print the inclusive line range of every certificate record in a PEM
# bundle, one "start,end" pair per line.  A record runs from the line
# after the previous END CERTIFICATE marker (or from line 1) up to and
# including the next END CERTIFICATE marker, so any comment lines that
# precede a certificate belong to that certificate's record.
# Arguments: $1 - path to the PEM bundle
# Outputs:   "start,end" line ranges to stdout, in file order
#######################################
bundle_offsets() {
  grep -Fhn -e '-----END CERTIFICATE-----' "$1" | {
    first=1
    # grep -n prefixes every hit with "LINENO:"; split on that colon and
    # keep only the line number.
    while IFS=: read -r last rest ; do
      [ -n "$last" ] || continue
      printf '%s,%s\n' "$first" "$last"
      first=$((last + 1))
    done
  }
}
# Index the records of both bundles.  A non-zero status from either call
# must not abort the script, so the status is explicitly discarded.
bundle_offsets "${def_bundle}" > "$w/offsets.0" || :
bundle_offsets "$w/cacert.pem" > "$w/offsets.1" || :
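#######################################
# Fingerprint every certificate record of a PEM bundle.
# Emits exactly one output line per (non-blank) line of the offsets file,
# in order, so that line N of the output always corresponds to line N of
# the offsets file; the caller later indexes both files by line number.
# A record that openssl cannot parse yields the placeholder line
# "UNPARSEABLE" plus a diagnostic on stderr instead of being silently
# dropped, which would shift every following line and pair fingerprints
# with the wrong records.
# Arguments: $1 - path to the PEM bundle
#            $2 - path to the offsets file from bundle_offsets
#                 ("start,end" line ranges, one per line; blank lines
#                 are skipped)
# Outputs:   one "<digest> Fingerprint=..." (or "UNPARSEABLE") line per
#            record to stdout; diagnostics to stderr
#######################################
bundle_fingerprints() {
  while read -r a ; do
    [ -n "$a" ] || continue
    # -sha256 pins the digest: the default depends on the OpenSSL version,
    # and the fingerprint is later used as part of the installed file name.
    if ! sed -ne "${a}p" "$1" | openssl x509 -noout -fingerprint -sha256 ; then
      printf 'UNPARSEABLE\n'
      printf 'bundle_fingerprints: %s lines %s: not a parseable certificate\n' "$1" "$a" >&2
    fi
  done < "$2"
}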
# Fingerprint both bundles, then keep only the fingerprints that occur in
# certifi's bundle and not in the system bundle.  None of these steps may
# abort the script; in particular grep exits 1 when it selects no line,
# i.e. when every certifi certificate is already present.
bundle_fingerprints "${def_bundle}" "$w/offsets.0" > "$w/fingerprints.0" || :
bundle_fingerprints "$w/cacert.pem" "$w/offsets.1" > "$w/fingerprints.1" || :
grep -Fxv -f "$w/fingerprints.0" "$w/fingerprints.1" > "$w/fingerprints.diff" || :
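if [ -s "$w/fingerprints.diff" ] ; then
  # Record numbers of the new certificates: line N of fingerprints.1 is
  # also line N of offsets.1.  grep exits 1 when nothing matches, which is
  # not an error here.
  grep -Fxn -f "$w/fingerprints.diff" "$w/fingerprints.1" | cut -d : -f 1 > "$w/records.diff" || :

  # "<digest> Fingerprint=AB:CD:..." -> "abcd..." (lower-case alphanumerics
  # only), so the result is safe to embed in a file name.
  terse_fingerprint() {
    cut -d = -f 2- | tr '[:upper:]' '[:lower:]' | tr -cd '[:alnum:]'
  }

  # Staging area: certificates are written here first and moved into
  # dst_dir only after openssl has accepted them.
  mkdir "$w/extras"

  while read -r n ; do
    [ -n "$n" ] || continue
    fp_line=$(sed -ne "${n}p" "$w/fingerprints.1")
    # Only a line that really carries a fingerprint names a certificate;
    # anything else (e.g. a placeholder for an unparseable record) must not
    # turn into a bogus "certifi-<junk>.crt".
    case "$fp_line" in
      *Fingerprint=*) ;;
      *)
        printf 'skipping record %s: no fingerprint (%s)\n' "$n" "$fp_line" >&2
        continue ;;
    esac
    fp=$(printf '%s\n' "$fp_line" | terse_fingerprint)
    off=$(sed -ne "${n}p" "$w/offsets.1")
    [ -n "$off" ] || {
      printf 'record %s has no line range in offsets.1\n' "$n" >&2
      exit 1
    }
    # openssl re-emits just the certificate, dropping any comment lines the
    # record carries.  Going through the staging dir means a failed parse
    # cannot leave an empty .crt behind in dst_dir.
    if sed -ne "${off}p" "$w/cacert.pem" | openssl x509 > "$w/extras/${fp}.crt" ; then
      mv "$w/extras/${fp}.crt" "${dst_dir}/certifi-${fp}.crt"
    else
      printf 'record %s (lines %s): openssl could not parse certificate\n' "$n" "$off" >&2
      exit 1
    fi
  done < "$w/records.diff"
fi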
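# Scratch data is no longer needed.  ":?" refuses to run if w were ever
# empty, and "--" keeps an odd path from being read as an option.
rm -rf -- "${w:?}"

# Rebuild the system bundle so the new certifi-*.crt files are picked up.
update-ca-certificates --fresh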