refactor

extra-scripts/certifi-extras.sh

@@ -0,0 +1,91 @@
+#!/bin/sh
+set -ef
+
+certifi_uri="https://raw.githubusercontent.com/certifi/python-certifi/${CERTIFI_COMMIT:?}/certifi/cacert.pem"
+dst_dir=/usr/local/share/ca-certificates
+
+w=$(mktemp -d) ; : "${w:?}"
+w_cleanup() {
+	[ -z "$w" ] || ls -lA "$w/"
+	[ -z "$w" ] || rm -rf "$w"
+	unset w
+	exit "${1:-0}"
+}
+
+curl -sSL "${certifi_uri}" > "$w/certifi.crt"
+
+def_bundle='/etc/ssl/certs/ca-certificates.crt'
+
+openssl-cert-auto-pem.sh "${def_bundle}"  > "$w/cacert.pem"
+openssl-cert-auto-pem.sh "$w/certifi.crt" > "$w/certifi.pem"
+[ -s "$w/cacert.pem" ]  || w_cleanup 1
+[ -s "$w/certifi.pem" ] || w_cleanup 1
+
+bundle_offsets() {
+	awk '
+	BEGIN {
+	    OFS = ","
+	    m_begin="-----BEGIN CERTIFICATE-----"
+	    m_end="-----END CERTIFICATE-----"
+	    i_begin = 0
+	}
+	$0 == m_begin { i_begin = NR ; }
+	$0 == m_end {
+	    if (i_begin > 0) {
+	        print i_begin,NR
+	        i_begin = 0
+	    }
+	}
+	' "$1"
+}
+
+bundle_offsets "$w/cacert.pem"  > "$w/cacert.off"
+bundle_offsets "$w/certifi.pem" > "$w/certifi.off"
+[ -s "$w/cacert.off" ]  || w_cleanup 1
+[ -s "$w/certifi.off" ] || w_cleanup 1
+
+bundle_fingerprints() {
+	local a
+	while read -r a ; do
+		[ -n "$a" ] || continue
+
+		{
+			sed -ne "${a}p" "$1" | openssl x509 -noout -fingerprint -sha256 \
+			|| \
+			sed -ne "${a}p" "$1" | openssl x509 -noout -fingerprint
+		} | tr '[:upper:]' '[:lower:]'
+	done < "$2"
+}
+
+bundle_fingerprints "$w/cacert.pem"  "$w/cacert.off"  | sort -uV > "$w/cacert.fp"
+bundle_fingerprints "$w/certifi.pem" "$w/certifi.off" | sort -uV > "$w/certifi.fp"
+[ -s "$w/cacert.fp" ]  || w_cleanup 1
+[ -s "$w/certifi.fp" ] || w_cleanup 1
+
+set +e
+grep -Fxv -f "$w/cacert.fp" "$w/certifi.fp" > "$w/diff.fp"
+set -e
+
+if [ -s "$w/diff.fp" ] ; then
+	set +e
+	grep -Fxn -f "$w/diff.fp" "$w/certifi.fp" | cut -d : -f 1 > "$w/records.diff"
+	set -e
+
+	terse_fingerprint() {
+		cut -d = -f 2- | tr -cd '[:alnum:]'
+	}
+
+	mkdir "$w/extras"
+
+	while read -r n ; do
+		[ -n "$n" ] || continue
+
+		fp=$(sed -ne "${n}p" "$w/certifi.fp" | terse_fingerprint)
+		off=$(sed -ne "${n}p" "$w/certifi.off")
+		sed -ne "${off}p" "$w/certifi.pem" | openssl x509 > "${dst_dir}/certifi-${fp}.crt"
+	done < "$w/records.diff"
+fi
+
+rm -rf "$w" ; unset w
+
+exec update-ca-certificates --fresh

extra-scripts/gpg-batch.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+set -ef
+
+: "${GPG_KEYSERVER:=hkps://keyserver.ubuntu.com}"
+
+[ $# != 0 ] || exit 1
+
+case "$1" in
+1 | start )
+	[ -n "${GNUPGHOME}" ] || exit 1
+	[ -d "${GNUPGHOME}" ] || exit 1
+
+	cd "${GNUPGHOME}"
+	cat > gpg.conf <<-EOF
+		quiet
+		batch
+		trust-model always
+		no-auto-check-trustdb
+		ignore-time-conflict
+		keyid-format 0xlong
+		keyserver ${GPG_KEYSERVER}
+	EOF
+	cat > dirmngr.conf <<-EOF
+		quiet
+		batch
+		keyserver ${GPG_KEYSERVER}
+	EOF
+	gpg --update-trustdb >/dev/null 2>&1
+	gpg --list-keys >/dev/null 2>&1
+	dirmngr >/dev/null 2>&1
+;;
+0 | stop )
+	[ -n "${GNUPGHOME}" ] || exit 0
+	[ -d "${GNUPGHOME}" ] || exit 1
+
+	cd "${GNUPGHOME}"
+	gpgconf --kill all
+	cd /
+	rm -rf "${GNUPGHOME}"
+;;
+* )
+	exit 1
+;;
+esac
+exit 0

extra-scripts/gpg-export.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+set -ef
+
+: "${1:?}" "${2:?}"
+
+w=$(mktemp -d) ; : "${w:?}"
+
+gpg_on() { gpg-batch.sh start ; }
+gpg_off() {
+	cd /
+	gpg-batch.sh stop
+	unset GNUPGHOME
+	rm -rf "$w"
+	exit "${1:-0}"
+}
+
+(
+	export GNUPGHOME="$w/.gnupg"
+	mkdir -m 0700 "${GNUPGHOME}"
+	gpg_on
+
+	gpg --import "$1"
+	gpg --armor --export > "$w/export"
+	cat < "$w/export" > "$2"
+	gpg --show-keys "$2"
+
+	gpg_off
+) || gpg_off 1