Accepting request 504646 from home:kukuk:branches:Base:System

- Run update-ca-certificate by systemd unit when the content of one of the paths changes. Needed for read-only root and/or transactional updates. OBS-URL: https://build.opensuse.org/request/show/504646 OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates?expand=0&rev=69
2017-06-20 08:55:50 +00:00 · 2017-06-20 08:55:50 +00:00 · bd3751f1c6
commit bd3751f1c6
parent 1885a0253e
4 changed files with 49 additions and 2 deletions
--- a/ca-certificates.changes
+++ b/ca-certificates.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jun 19 13:31:02 CEST 2017 - kukuk@suse.de
+
+- Run update-ca-certificate by systemd unit when the content of
+  one of the paths changes. Needed for read-only root and/or
+  transactional updates.
+
 -------------------------------------------------------------------
 Wed Nov 11 08:18:47 UTC 2015 - lnussel@suse.de

--- a/ca-certificates.path
+++ b/ca-certificates.path
@ -0,0 +1,16 @@
+[Unit]
+Description=Watch for changes in CA certificates
+After=local-fs.target
+
+[Path]
+Unit=ca-certificates.service
+PathChanged=/usr/share/pki/trust
+PathChanged=/usr/share/pki/trust/anchors
+PathChanged=/usr/share/pki/trust/blacklist
+PathChanged=/etc/pki/trust
+PathChanged=/etc/pki/trust/anchors
+PathChanged=/etc/pki/trust/blacklist
+
+[Install]
+WantedBy=default.target
+
--- a/ca-certificates.service
+++ b/ca-certificates.service
@ -0,0 +1,11 @@
+[Unit]
+Description=Update system wide CA certificates
+Wants=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/update-ca-certificates
+
+[Install]
+WantedBy=default.target
+
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ca-certificates
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -35,6 +35,8 @@ Summary:        Utilities for system wide CA certificate installation
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
 Source0:        ca-certificates-%{version}.tar.xz
+Source1:        ca-certificates.path
+Source2:        ca-certificates.service
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            https://github.com/openSUSE/ca-certificates
 #
@ -53,6 +55,7 @@ Obsoletes:      openssl-certs
 Obsoletes:      java-ca-certificates = 1
 Provides:       java-ca-certificates = %version-%release
 BuildArch:      noarch
+%{?systemd_requires}

 %description
 Utilities for system wide CA certificate installation
@ -74,12 +77,15 @@ install -d -m 755 %{buildroot}/etc/ca-certificates/update.d
 install -d -m 755 %{buildroot}%{_prefix}/lib/ca-certificates/update.d
 install -d -m 555 %{buildroot}/var/lib/ca-certificates/pem
 install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl
+install -d -m 755 %{buildroot}/%{_prefix}/lib/systemd/system
 ln -s /var/lib/ca-certificates/pem %{buildroot}%{sslcerts}
 %if %{with cabundle}
 install -D -m 644 /dev/null %{buildroot}/%{cabundle}
 ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem
 %endif
 install -D -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts
+install -m 644 %{SOURCE1}  %{buildroot}/%{_prefix}/lib/systemd/system/
+install -m 644 %{SOURCE2}  %{buildroot}/%{_prefix}/lib/systemd/system/

 # should be done in git.
 mv %{buildroot}/%{_prefix}/lib/ca-certificates/update.d/{,50}java.run
@ -119,6 +125,7 @@ if [ "$1" -ne 0 -a -d %{sslcerts} -a ! -L %{sslcerts} ]; then
 	done
 	mv -T --backup=numbered %{sslcerts} %{sslcerts}.rpmsave && ln -s /var/lib/ca-certificates/pem %{sslcerts}
 fi
+%service_add_pre ca-certificates.path ca-certificates.service

 %post
 if [ -s /etc/ca-certificates.conf ]; then
@ -133,12 +140,17 @@ fi
 # force rebuilding all certificate stores.
 # This also makes sure we update the hash links in /etc/ssl/certs
 # as openssl changed the hash format between 0.9.8 and 1.0
-update-ca-certificates -f || true
+#update-ca-certificates -f || true
+%service_add_post ca-certificates.path ca-certificates.service
+
+%preun
+%service_del_preun ca-certificates.path ca-certificates.service

 %postun
 if [ "$1" -eq 0 ]; then
 	rm -rf /var/lib/ca-certificates/pem /var/lib/ca-certificates/openssl
 fi
+%service_del_postun ca-certificates.path ca-certificates.service

 %clean
 rm -rf %{buildroot}
@ -160,6 +172,7 @@ rm -rf %{buildroot}
 %dir /etc/ca-certificates/update.d
 %dir %{_prefix}/lib/ca-certificates
 %dir %{_prefix}/lib/ca-certificates/update.d
+ %{_prefix}/lib/systemd/system/*
 %dir /var/lib/ca-certificates
 %dir /var/lib/ca-certificates/pem
 %dir /var/lib/ca-certificates/openssl