refactor

scripts/apt-clean.sh

@@ -15,6 +15,9 @@ find "${DPKG_ADMINDIR}/" ! -type d -wholename "${DPKG_ADMINDIR}/*-old" -delete
 find /var/log/ ! -type d -wholename '/var/log/alternatives.log' -delete
 find /var/log/ ! -type d -wholename '/var/log/dpkg.log' -delete
 
+## DONT DO THIS AT HOME!
+find "${DPKG_ADMINDIR}/" ! -type d -wholename "${DPKG_ADMINDIR}/info/*.symbols" -delete
+
 ## debconf
 find /var/cache/debconf/ ! -type d -wholename '/var/cache/debconf/*-old' -delete
 

scripts/apt-install.sh

@@ -1,4 +1,44 @@
 #!/bin/sh
 set -ef
-apt-env.sh apt-get update
-exec apt-env.sh apt-get install -y --no-install-recommends "$@"
+
+find_fresh_ts() {
+	{
+		find "$@" -exec stat -c '%Y' '{}' '+' 2>/dev/null || :
+		# duck and cover!
+		echo 1
+	} | sort -rn | head -n 1
+}
+
+_apt_update() {
+	# update package lists; may fail sometimes,
+	# e.g. soon-to-release channels like Debian "bullseye" @ 22.04.2021
+
+	# (wannabe) smart package list update
+	ts_sources=$(find_fresh_ts /etc/apt/ -follow -regextype egrep -regex '.+\.(list|sources)$' -type f)
+	ts_lists=$(find_fresh_ts /var/lib/apt/lists/ -maxdepth 1 -regextype egrep -regex '.+_Packages(\.(bz2|gz|lz[4o]|xz|zstd?))?$' -type f)
+	if [ ${ts_sources} -gt ${ts_lists} ] ; then
+		apt-env.sh apt-get update
+	fi
+}
+
+_dpkg_avail_hack() {
+	VERSION_CODENAME=$(. /etc/os-release ; printf '%s' "${VERSION_CODENAME}") || :
+	f="${DPKG_ADMINDIR:-/var/lib/dpkg}/available"
+	# if ${VERSION_CODENAME} is empty then we're on Debian sid or so :)
+	case "${VERSION_CODENAME}" in
+	stretch | buster | bionic | focal )
+		# ref: https://unix.stackexchange.com/a/271387/49297
+		if [ -s "$f" ] ; then
+			return
+		fi
+		/usr/lib/dpkg/methods/apt/update "${DPKG_ADMINDIR:-/var/lib/dpkg}" apt apt
+	;;
+	* )
+		touch "$f"
+	;;
+	esac
+}
+
+_apt_update
+_dpkg_avail_hack
+exec apt-env.sh apt-get install -y --no-install-recommends --no-install-suggests "$@"

scripts/apt-remove.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+set -ef
+
+apt-env.sh apt-get purge -y --allow-remove-essential "$@"
+exec apt-env.sh apt-get autopurge -y

scripts/divert-rm.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -ef
+: "${1:?}"
+d=$(printf '%s' "/run/postgresql/divert/$1" | tr -s '/')
+mkdir -p "${d%/*}"
+dpkg-divert --divert "$d" --rename "$1" 2>/dev/null
+rm -f "$d"

scripts/gpg-batch.sh

@@ -1,45 +0,0 @@
-#!/bin/sh
-set -ef
-
-: "${GPG_KEYSERVER:=hkps://keyserver.ubuntu.com}"
-
-[ $# != 0 ] || exit 1
-
-case "$1" in
-1 | start )
-	[ -n "${GNUPGHOME}" ] || exit 1
-	[ -d "${GNUPGHOME}" ] || exit 1
-
-	cd "${GNUPGHOME}"
-	cat > gpg.conf <<-EOF
-		quiet
-		batch
-		trust-model always
-		no-auto-check-trustdb
-		ignore-time-conflict
-		keyid-format 0xlong
-		keyserver ${GPG_KEYSERVER}
-	EOF
-	cat > dirmngr.conf <<-EOF
-		quiet
-		batch
-		keyserver ${GPG_KEYSERVER}
-	EOF
-	gpg --update-trustdb >/dev/null 2>&1
-	gpg --list-keys >/dev/null 2>&1
-	dirmngr >/dev/null 2>&1
-;;
-0 | stop )
-	[ -n "${GNUPGHOME}" ] || exit 0
-	[ -d "${GNUPGHOME}" ] || exit 1
-
-	cd "${GNUPGHOME}"
-	gpgconf --kill all
-	cd /
-	rm -rf "${GNUPGHOME}"
-;;
-* )
-	exit 1
-;;
-esac
-exit 0

scripts/gpg-export.sh

@@ -1,28 +0,0 @@
-#!/bin/sh
-set -ef
-
-: "${1:?}" "${2:?}"
-
-w=$(mktemp -d) ; : "${w:?}"
-
-gpg_on() { gpg-batch.sh start ; }
-gpg_off() {
-    cd /
-    gpg-batch.sh stop
-    unset GNUPGHOME
-    rm -rf "$w"
-    exit "${1:-0}"
-}
-
-(
-    export GNUPGHOME="$w/.gnupg"
-    mkdir -m 0700 "${GNUPGHOME}"
-    gpg_on
-
-    gpg --import "$1"
-    gpg --armor --export > "$w/export"
-    cat < "$w/export" > "$2"
-    gpg --show-keys "$2"
-
-    gpg_off
-) || gpg_off 1

scripts/openssl-cert-auto-pem.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+set -f
+
+[ $# -gt 0 ] || exit 0
+me=${0##*/}
+
+[ -n "$1" ] || exit 1
+[ -f "$1" ] || {
+	env printf '%s: not a file or does not exist: %q\n' "${me}" "$1" >&2
+	exit 1
+}
+[ -s "$1" ] || exit 0
+
+w=$(mktemp -d) || exit 1
+w_cleanup() {
+	[ -z "$w" ] || ls -lA "$w/"
+	[ -z "$w" ] || rm -rf "$w"
+	unset w
+	exit "${1:-0}"
+}
+
+openssl storeutl -certs "$1" > "$w/cert.pem" || w_cleanup 1
+[ -s "$w/cert.pem" ] || w_cleanup 1
+tr -s '\r\n' '\n' < "$w/cert.pem" > "$w/cert.txt"
+[ -s "$w/cert.txt" ] || w_cleanup 1
+
+awk '
+BEGIN {
+    OFS = ","
+    m_begin="-----BEGIN CERTIFICATE-----"
+    m_end="-----END CERTIFICATE-----"
+    i_begin = 0
+}
+$0 == m_begin { i_begin = NR ; }
+$0 == m_end {
+    if (i_begin > 0) {
+        print i_begin,NR
+        i_begin = 0
+    }
+}
+' "$w/cert.txt" > "$w/cert.offsets"
+[ -s "$w/cert.offsets" ] || w_cleanup 1
+
+while read -r a ; do
+	[ -n "$a" ] || continue
+
+	sed -ne "${a}p" "$w/cert.txt"
+done < "$w/cert.offsets"
+
+rm -rf "$w" ; unset w

scripts/openssl-cert-fingerprint.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+set -f
+
+[ $# -gt 0 ] || exit 0
+me=${0##*/}
+
+[ -n "$1" ] || exit 1
+[ -f "$1" ] || {
+	env printf '%s: not a file or does not exist: %q\n' "${me}" "$1" >&2
+	exit 1
+}
+[ -s "$1" ] || exit 0
+
+w=$(mktemp -d) || exit 1
+w_cleanup() {
+	[ -z "$w" ] || ls -lA "$w/"
+	[ -z "$w" ] || rm -rf "$w"
+	unset w
+	exit "${1:-0}"
+}
+
+openssl-cert-auto-pem.sh "$1" > "$w/cert.pem" || w_cleanup 1
+[ -s "$w/cert.pem" ] || w_cleanup 1
+
+awk '
+BEGIN {
+    OFS = ","
+    m_begin="-----BEGIN CERTIFICATE-----"
+    m_end="-----END CERTIFICATE-----"
+    i_begin = 0
+}
+$0 == m_begin { i_begin = NR ; }
+$0 == m_end {
+    if (i_begin > 0) {
+        print i_begin,NR
+        i_begin = 0
+    }
+}
+' "$w/cert.pem" > "$w/cert.off"
+[ -s "$w/cert.off" ] || w_cleanup 1
+
+while read -r a ; do
+	[ -n "$a" ] || continue
+
+	{
+		sed -ne "${a}p" "$w/cert.pem" | openssl x509 -noout -fingerprint -sha256 \
+		|| \
+		sed -ne "${a}p" "$w/cert.pem" | openssl x509 -noout -fingerprint
+	} | tr '[:upper:]' '[:lower:]'
+done < "$w/cert.off"
+
+w_cleanup 0