f1d9144b77
+ on openSUSE, use the (new) upstream ca_certs_locater mechanism
and don't ship a private copy of Mozilla's CA certs file
+ on SLES, regenerate cacerts.txt from /etc/ssl/certs when
httplib2 is installed and/or openssl-certs is installed/updated
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-httplib2?expand=0&rev=38
44 lines
1018 B
Bash
44 lines
1018 B
Bash
#!/bin/bash
|
|
# vim: syntax=sh
|
|
|
|
shopt -s nullglob
|
|
|
|
cafile=${1:-/etc/ssl/ca-bundle.pem}
|
|
cadir="/etc/ssl/certs"
|
|
|
|
for i in "$@"; do
|
|
if [ "$i" = "-f" ]; then
|
|
fresh=1
|
|
elif [ "$i" = "-v" ]; then
|
|
verbose=1
|
|
fi
|
|
done
|
|
|
|
if [ -z "$fresh" -a "$cafile" -nt "$cadir" ]; then
|
|
exit 0
|
|
fi
|
|
echo "creating $cafile ..."
|
|
cat > "$cafile.new" <<EOF
|
|
#
|
|
# automatically created by $0. Do not edit!
|
|
#
|
|
# Use of this file is deprecated and should only be used as last
|
|
# resort by applications that cannot parse the $cadir directory.
|
|
# You should avoid hardcoding any paths in applications anyways though.
|
|
# Use e.g.
|
|
# SSL_CTX_set_default_verify_paths() instead.
|
|
#
|
|
EOF
|
|
for i in "$cadir"/*.pem; do
|
|
# only include certificates trusted for server auth
|
|
if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
|
|
trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
|
|
case "$trust" in
|
|
*serverAuth*) ;;
|
|
*) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;;
|
|
esac
|
|
fi
|
|
openssl x509 -in "$i"
|
|
done >> "$cafile.new"
|
|
mv "$cafile.new" "$cafile"
|