diff --git a/ca-certificates.changes b/ca-certificates.changes index a56c286..fd51429 100644 --- a/ca-certificates.changes +++ b/ca-certificates.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Jun 19 13:31:02 CEST 2017 - kukuk@suse.de + +- Run update-ca-certificate by systemd unit when the content of + one of the paths changes. Needed for read-only root and/or + transactional updates. + ------------------------------------------------------------------- Wed Nov 11 08:18:47 UTC 2015 - lnussel@suse.de diff --git a/ca-certificates.path b/ca-certificates.path new file mode 100644 index 0000000..d96f8e3 --- /dev/null +++ b/ca-certificates.path @@ -0,0 +1,16 @@ +[Unit] +Description=Watch for changes in CA certificates +After=local-fs.target + +[Path] +Unit=ca-certificates.service +PathChanged=/usr/share/pki/trust +PathChanged=/usr/share/pki/trust/anchors +PathChanged=/usr/share/pki/trust/blacklist +PathChanged=/etc/pki/trust +PathChanged=/etc/pki/trust/anchors +PathChanged=/etc/pki/trust/blacklist + +[Install] +WantedBy=default.target + diff --git a/ca-certificates.service b/ca-certificates.service new file mode 100644 index 0000000..6696e45 --- /dev/null +++ b/ca-certificates.service @@ -0,0 +1,11 @@ +[Unit] +Description=Update system wide CA certificates +Wants=local-fs.target + +[Service] +Type=oneshot +ExecStart=/usr/sbin/update-ca-certificates + +[Install] +WantedBy=default.target + diff --git a/ca-certificates.spec b/ca-certificates.spec index 89538d6..4551c32 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -1,7 +1,7 @@ # # spec file for package ca-certificates # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -35,6 +35,8 @@ Summary: Utilities for system wide CA certificate installation License: GPL-2.0+ Group: Productivity/Networking/Security Source0: ca-certificates-%{version}.tar.xz +Source1: ca-certificates.path +Source2: ca-certificates.service BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: https://github.com/openSUSE/ca-certificates # @@ -53,6 +55,7 @@ Obsoletes: openssl-certs Obsoletes: java-ca-certificates = 1 Provides: java-ca-certificates = %version-%release BuildArch: noarch +%{?systemd_requires} %description Utilities for system wide CA certificate installation @@ -74,12 +77,15 @@ install -d -m 755 %{buildroot}/etc/ca-certificates/update.d install -d -m 755 %{buildroot}%{_prefix}/lib/ca-certificates/update.d install -d -m 555 %{buildroot}/var/lib/ca-certificates/pem install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl +install -d -m 755 %{buildroot}/%{_prefix}/lib/systemd/system ln -s /var/lib/ca-certificates/pem %{buildroot}%{sslcerts} %if %{with cabundle} install -D -m 644 /dev/null %{buildroot}/%{cabundle} ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem %endif install -D -m 644 /dev/null %{buildroot}/var/lib/ca-certificates/java-cacerts +install -m 644 %{SOURCE1} %{buildroot}/%{_prefix}/lib/systemd/system/ +install -m 644 %{SOURCE2} %{buildroot}/%{_prefix}/lib/systemd/system/ # should be done in git. mv %{buildroot}/%{_prefix}/lib/ca-certificates/update.d/{,50}java.run @@ -119,6 +125,7 @@ if [ "$1" -ne 0 -a -d %{sslcerts} -a ! -L %{sslcerts} ]; then done mv -T --backup=numbered %{sslcerts} %{sslcerts}.rpmsave && ln -s /var/lib/ca-certificates/pem %{sslcerts} fi +%service_add_pre ca-certificates.path ca-certificates.service %post if [ -s /etc/ca-certificates.conf ]; then @@ -133,12 +140,17 @@ fi # force rebuilding all certificate stores. # This also makes sure we update the hash links in /etc/ssl/certs # as openssl changed the hash format between 0.9.8 and 1.0 -update-ca-certificates -f || true +#update-ca-certificates -f || true +%service_add_post ca-certificates.path ca-certificates.service + +%preun +%service_del_preun ca-certificates.path ca-certificates.service %postun if [ "$1" -eq 0 ]; then rm -rf /var/lib/ca-certificates/pem /var/lib/ca-certificates/openssl fi +%service_del_postun ca-certificates.path ca-certificates.service %clean rm -rf %{buildroot} @@ -160,6 +172,7 @@ rm -rf %{buildroot} %dir /etc/ca-certificates/update.d %dir %{_prefix}/lib/ca-certificates %dir %{_prefix}/lib/ca-certificates/update.d + %{_prefix}/lib/systemd/system/* %dir /var/lib/ca-certificates %dir /var/lib/ca-certificates/pem %dir /var/lib/ca-certificates/openssl