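#!/bin/sh
# Install the CA certificates that certifi's cacert.pem carries but the system
# bundle lacks into the local CA directory, then rebuild the trust store.
#
# Environment:
#   CERTIFI_COMMIT (required) - ref of certifi/python-certifi whose cacert.pem
#     is fetched. NOTE(review): the download is protected only by TLS to
#     raw.githubusercontent.com and by this ref; a full commit SHA pins the
#     content, a branch or tag name does not. Confirm what callers pass.
#
# Each file written to ${dst_dir} is picked up by update-ca-certificates, so
# nothing is placed there until openssl has parsed it successfully.

set -ef

certifi_uri="https://raw.githubusercontent.com/certifi/python-certifi/${CERTIFI_COMMIT:?}/certifi/cacert.pem"
dst_dir=/usr/local/share/ca-certificates
def_bundle=/etc/ssl/certs/ca-certificates.crt

w=$(mktemp -d) ; : "${w:?}"
# Remove the scratch directory on every exit path, including set -e aborts.
trap 'rm -rf -- "$w"' EXIT

# -f: an HTTP error (e.g. 404 for a wrong ref) fails the script instead of
# saving the error page as the bundle. --proto/--proto-redir: never leave
# HTTPS, even when following redirects.
curl -fsSL --proto '=https' --proto-redir '=https' -o "$w/cacert.pem" "${certifi_uri}"

# bundle_offsets BUNDLE
# Print one "first,last" line range per certificate in BUNDLE. Each range ends
# on an END CERTIFICATE line and starts right after the previous one, so any
# text preceding a certificate falls inside its range.
bundle_offsets() {
  grep -Fhne '-----END CERTIFICATE-----' "$1" | cut -d : -f 1 \
  | {
    s=1
    while read -r e ; do
      [ -n "$e" ] || continue
      echo "$s,$e"
      s=$((e+1))
    done
  }
}

# bundle_fingerprints BUNDLE OFFSETS
# Print exactly one line per range in OFFSETS: the openssl fingerprint line,
# or "unparsed:<range>" when openssl rejects the block. The placeholder keeps
# line N of the output aligned with line N of OFFSETS; the install loop below
# relies on that alignment to map a fingerprint back to its certificate.
bundle_fingerprints() {
  while read -r a ; do
    [ -n "$a" ] || continue
    sed -ne "${a}p" "$1" | openssl x509 -noout -fingerprint \
      || echo "unparsed:${a}"
  done < "$2"
}

# Reduce a "... Fingerprint=AA:BB:..." line (stdin) to lowercase alphanumerics.
terse_fingerprint() {
  cut -d = -f 2- | tr '[:upper:]' '[:lower:]' | tr -cd '[:alnum:]'
}

# Best effort on purpose: a missing or empty system bundle yields an empty
# offsets file, which makes every certifi certificate count as an extra.
bundle_offsets "${def_bundle}" > "$w/offsets.0" || :
bundle_offsets "$w/cacert.pem" > "$w/offsets.1" || :

# Fail closed when the download holds no certificate at all.
if [ ! -s "$w/offsets.1" ] ; then
  echo "no certificates found in ${certifi_uri}" >&2
  exit 1
fi

bundle_fingerprints "${def_bundle}" "$w/offsets.0" > "$w/fingerprints.0" || :
bundle_fingerprints "$w/cacert.pem" "$w/offsets.1" > "$w/fingerprints.1" || :

# Fingerprints present in certifi but not in the system bundle.
# grep exits 1 when it selects nothing, which is not an error here.
grep -Fxv -f "$w/fingerprints.0" "$w/fingerprints.1" > "$w/fingerprints.diff" || :

if [ -s "$w/fingerprints.diff" ] ; then
  # Line numbers (within fingerprints.1 / offsets.1) of the extra certificates.
  grep -Fxn -f "$w/fingerprints.diff" "$w/fingerprints.1" | cut -d : -f 1 > "$w/records.diff"

  mkdir "$w/extras"
  while read -r n ; do
    [ -n "$n" ] || continue
    fp_line=$(sed -ne "${n}p" "$w/fingerprints.1")
    case "${fp_line}" in
      *=*) ;;
      *)
        # Placeholder from bundle_fingerprints: no certificate to install.
        echo "skipping ${fp_line}" >&2
        continue
        ;;
    esac
    fp=$(printf '%s\n' "${fp_line}" | terse_fingerprint)
    [ -n "$fp" ] || continue
    off=$(sed -ne "${n}p" "$w/offsets.1")
    # Stage in the scratch directory first: if openssl fails, set -e aborts
    # before an empty or partial file can land in the trust directory.
    sed -ne "${off}p" "$w/cacert.pem" | openssl x509 > "$w/extras/certifi-${fp}.crt"
    mv -f "$w/extras/certifi-${fp}.crt" "${dst_dir}/certifi-${fp}.crt"
  done < "$w/records.diff"
fi

rm -rf "$w"

update-ca-certificates --fresh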