File gh-pr-28_posix.patch of Package ca-certificates

From dec3f69c55da98871d5392cbd1fbed082c76f604 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Date: Sat, 1 Mar 2025 19:53:54 +0100
Subject: [PATCH] Refactor to POSIX sh and cleanup

Allow operation in environments without Bash, for example minimal
containers.
Whilst at it, align indentations to use uniform tabs to make future
editing easier, add missing quotes to avoid unexpected splitting and
reduce duplicated slashes.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 certbundle.run                 |  39 ++++++------
 etc_ssl.run                    |  28 ++++-----
 java.run                       |  20 +++---
 openssl.run                    |  16 ++---
 test_update_ca_certificates.py |   8 +--
 update-ca-certificates         | 107 +++++++++++++++++----------------
 6 files changed, 114 insertions(+), 104 deletions(-)

diff --git a/certbundle.run b/certbundle.run
index f48f022..4ce4db7 100755
--- a/certbundle.run
+++ b/certbundle.run
@@ -1,26 +1,31 @@
-#!/bin/bash
+#!/bin/sh
 # vim: syntax=sh
 
 set -e
 
 [ -d "$statedir" ]
-cafile="$destdir/$statedir/ca-bundle.pem"
-cadir="$destdir/$statedir/pem"
+cafile="${destdir}${statedir}/ca-bundle.pem"
+cadir="${destdir}${statedir}/pem"
 
 for i in "$@"; do
-    if [ "$i" = "-f" ]; then
-	fresh=1
-    elif [ "$i" = "-v" ]; then
-	verbose=1
-    fi
+	if [ "$i" = "-f" ]; then
+		fresh=1
+	elif [ "$i" = "-v" ]; then
+		verbose=1
+	fi
 done
 
-if [ -z "$fresh" -a "$cafile" -nt "$cadir" ]; then
-    exit 0
+last_modified ()
+{
+	stat --printf '%Y' "$1"
+}
+
+if [ -z "$fresh" ] && [ "$(last_modified "$cafile")" -gt "$(last_modified "$cadir")" ]; then
+	exit 0
 fi
 [ -z "$verbose" ] || echo "creating $cafile ..."
-trust extract --format=pem-bundle --purpose=server-auth --filter=ca-anchors --overwrite $cafile.tmp
-cat - $cafile.tmp > "$cafile.new" <<EOF
+trust extract --format=pem-bundle --purpose=server-auth --filter=ca-anchors --overwrite "$cafile.tmp"
+cat - "$cafile.tmp" > "$cafile.new" <<EOF
 #
 # automatically created by $0. Do not edit!
 #
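Review bot: The new `last_modified` helper relies on `stat --printf '%Y'`, which is a GNU coreutils option; POSIX does not specify `stat` at all, so this is likely to fail on the minimal, non-GNU userlands the commit targets. When `$cafile` does not exist yet (first run), `stat` prints an error and `[` receives an empty operand for `-gt`. The condition then evaluates false and the bundle is regenerated, which is the safe direction but noisy. A POSIX-only equivalent of the old `-nt` test would be `if [ -z "$fresh" ] && [ -n "$(find "$cafile" -prune -newer "$cadir" 2>/dev/null)" ]; then`, which also keeps sub-second precision where the filesystem has it.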
@@ -33,10 +38,10 @@ cat - $cafile.tmp > "$cafile.new" <<EOF
 # - gnutls: gnutls_certificate_set_x509_system_trust(cred)
 #
 EOF
-rm -f $cafile.tmp
+rm -f "$cafile.tmp"
 mv -f "$cafile.new" "$cafile"
-if ! test -e $destdir/etc/ssl/ca-bundle.pem && ! test -L $destdir/etc/ssl/ca-bundle.pem; then
-    [ -z "$verbose" ] || echo "restoring $destdir/etc/ssl/ca-bundle.pem ..."
-    install -d -m 0755 $destdir/etc/ssl
-    ln -s ../../var/lib/ca-certificates/ca-bundle.pem $destdir/etc/ssl/ca-bundle.pem
+if ! test -e "$destdir/etc/ssl/ca-bundle.pem" && ! test -L "$destdir/etc/ssl/ca-bundle.pem"; then
+	[ -z "$verbose" ] || echo "restoring $destdir/etc/ssl/ca-bundle.pem ..."
+	install -d -m 0755 "$destdir/etc/ssl"
+	ln -s ../../var/lib/ca-certificates/ca-bundle.pem "$destdir/etc/ssl/ca-bundle.pem"
 fi
diff --git a/etc_ssl.run b/etc_ssl.run
index e5a5dd3..07eead5 100755
--- a/etc_ssl.run
+++ b/etc_ssl.run
@@ -1,4 +1,4 @@
-#!/bin/bash -e
+#!/bin/sh -e
 # vim:syntax=sh
 #
 # Copyright (c) 2010,2013 SUSE Linux Products GmbH
@@ -29,32 +29,32 @@ pemdir="$statedir/pem"
 
 help_and_exit()
 {
-    cat <<-EOF
+	cat <<-EOF
 	USAGE: $0 [OPTIONS]
 	OPTIIONS:
 	  --verbose, -v     verbose output
 	  --fresh, -f       start from scratch
 	  --help, -h        this screen
 EOF
-    exit 0
+	exit 0
 }
 
 case "$1" in
-    -v|--verbose) verbose='-v'; shift ;;
-    -f|--fresh) fresh='-f'; shift ;;
-    -h|--help) help_and_exit ;;
-    -*) echo "invalid option: $1" >&2; exit 1 ;;
+	-v|--verbose) verbose='-v'; shift ;;
+	-f|--fresh) fresh='-f'; shift ;;
+	-h|--help) help_and_exit ;;
+	-*) echo "invalid option: $1" >&2; exit 1 ;;
 esac
 
 install -d -m 0755 "${destdir}$pemdir"
 trust extract --purpose=server-auth --filter=ca-anchors --format=pem-directory-hash -f "${destdir}$pemdir"
 
 # fix up /etc/ssl/certs if it's not a link pointing to /var/lib/ca-certificates/pem
-if ! [ -L "$etccertsdir" -a "`readlink $etccertsdir`" = "../..$pemdir" ]; then
-    echo "Warning: $etccertsdir needs to be a link to ../..$pemdir, fixing" >&2
-    if [ -d "$etccertsdir" ]; then
-	mv -Tv --backup=numbered "$etccertsdir" "$etccertsdir.old"
-    fi
-    install -d -m 0755 "${etccertsdir%/*}"
-    ln -Tsv --backup=numbered "../..$pemdir" "$etccertsdir"
+if ! [ -L "$etccertsdir" ] && [ "$(readlink "$etccertsdir")" = "../..$pemdir" ]; then
+	echo "Warning: $etccertsdir needs to be a link to ../..$pemdir, fixing" >&2
+	if [ -d "$etccertsdir" ]; then
+		mv -Tv --backup=numbered "$etccertsdir" "$etccertsdir.old"
+	fi
+	install -d -m 0755 "${etccertsdir%/*}"
+	ln -Tsv --backup=numbered "../..$pemdir" "$etccertsdir"
 fi
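Review bot: The rewritten condition `if ! [ -L "$etccertsdir" ] && [ "$(readlink "$etccertsdir")" = "../..$pemdir" ]` no longer negates the whole test. `!` now applies only to the `-L` check, so the branch runs only when the path is not a symlink and yet `readlink` returns the expected target, which cannot happen. The fix-up of `$etccertsdir` therefore appears to be dead code: a stale directory or a link to another location stays in place, and consumers of that path may keep reading an outdated trust store. Group the two tests before negating, e.g. `if ! { [ -L "$etccertsdir" ] && [ "$(readlink "$etccertsdir")" = "../..$pemdir" ]; }; then`.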
diff --git a/java.run b/java.run
index 3a0627e..c6f307c 100755
--- a/java.run
+++ b/java.run
@@ -1,22 +1,22 @@
-#!/bin/bash
+#!/bin/sh
 
 set -e
 
 [ -d "$statedir" ]
-cafile="$destdir/$statedir/java-cacerts"
-cafile_gcj="$destdir/$statedir/gcj-cacerts"
+cafile="${destdir}${statedir}/java-cacerts"
+cafile_gcj="${destdir}${statedir}/gcj-cacerts"
 
 
 for i in "$@"; do
-    if [ "$i" = "-f" ]; then
-	fresh=1
-    elif [ "$i" = "-v" ]; then
-	verbose=1
-    fi
+	if [ "$i" = "-f" ]; then
+		fresh=1
+	elif [ "$i" = "-v" ]; then
+		verbose=1
+	fi
 done
 
 [ -z "$verbose" ] || echo "creating $cafile ..."
-trust extract --format=java-cacerts --purpose=server-auth --filter=ca-anchors --overwrite $cafile.new
-mv $cafile.new $cafile
+trust extract --format=java-cacerts --purpose=server-auth --filter=ca-anchors --overwrite "$cafile.new"
+mv "$cafile.new" "$cafile"
 
 # vim: syntax=sh
diff --git a/openssl.run b/openssl.run
index 59ab262..1f96cb1 100755
--- a/openssl.run
+++ b/openssl.run
@@ -1,21 +1,21 @@
-#!/bin/bash
+#!/bin/sh
 
 set -e
 
 [ -d "$statedir" ]
-cadir="$destdir/$statedir/openssl"
+cadir="${destdir}${statedir}/openssl"
 
 
 for i in "$@"; do
-    if [ "$i" = "-f" ]; then
-	fresh=1
-    elif [ "$i" = "-v" ]; then
-	verbose=1
-    fi
+	if [ "$i" = "-f" ]; then
+		fresh=1
+	elif [ "$i" = "-v" ]; then
+		verbose=1
+	fi
 done
 
 [ -z "$verbose" ] || echo "creating $cadir ..."
 install -d -m 0755 -p "$cadir"
-trust extract --format=openssl-directory --filter=ca-anchors --overwrite $cadir
+trust extract --format=openssl-directory --filter=ca-anchors --overwrite "$cadir"
 
 # vim: syntax=sh
diff --git a/test_update_ca_certificates.py b/test_update_ca_certificates.py
index 166f853..410048e 100644
--- a/test_update_ca_certificates.py
+++ b/test_update_ca_certificates.py
@@ -8,7 +8,7 @@
 LISTENER_SCRIPT_DEST = HOOKSDIR2 + "/foo.run"
 
 LISTENER_SCRIPT = (
-    r"""#!/bin/bash
+    r"""#!/bin/sh
 echo "\$@" > """
     + HOOK_ARGS_PATH
 )
@@ -94,7 +94,7 @@ def test_runs_the_hooks_in_hookdirs(container, flag):
 def test_prefers_hooks_in_etc(container):
     for hookdir in (HOOKSDIR1, HOOKSDIR2):
         dest = hookdir + "/" + BAR_HOOK
-        container.run_expect([0], 'echo "#!/bin/bash" >' + dest)
+        container.run_expect([0], 'echo "#!/bin/sh" >' + dest)
         container.run_expect([0], "chmod +x " + dest)
 
     res = container.run_expect([0], "/bin/update-ca-certificates -v")
@@ -132,7 +132,7 @@ def test_ignores_hooks_in_subdirectories(container, hookdir):
     subdir = hookdir + "/" + "test"
     dest = subdir + "/" + BAR_HOOK
     container.run_expect([0], "mkdir " + subdir)
-    container.run_expect([0], 'echo "#!/bin/bash" >' + dest)
+    container.run_expect([0], 'echo "#!/bin/sh" >' + dest)
     container.run_expect([0], "chmod +x " + dest)
     container.run_expect([0], dest)
 
@@ -145,7 +145,7 @@ def test_ignores_hooks_in_subdirectories(container, hookdir):
 def test_runs_hooks_in_sorted_order(container):
     hooks = [HOOKSDIR1 + "/" + hook for hook in ("10foo.run", "20bar.run")]
     for hook in hooks:
-        container.run_expect([0], 'echo "#!/bin/bash" >' + hook)
+        container.run_expect([0], 'echo "#!/bin/sh" >' + hook)
         container.run_expect([0], "chmod +x " + hook)
         container.run_expect([0], hook)
 
diff --git a/update-ca-certificates b/update-ca-certificates
index cde3e5b..c02ffc8 100755
--- a/update-ca-certificates
+++ b/update-ca-certificates
@@ -1,9 +1,10 @@
-#!/bin/bash
+#!/bin/sh
 #
 # update-ca-certificates
 #
 # Copyright (c) 2010,2013 SUSE Linux Products GmbH
 # Copyright (c) 2020,2021 SUSE LLC
+# Copyright (c) 2025 Georg Pfuetzenreuter
 # Author: Ludwig Nussel
 #
 # Inspired by Debian's update-ca-certificates
@@ -35,7 +36,7 @@ export statedir
 
 help_and_exit()
 {
-    cat <<-EOF
+	cat <<-EOF
 	USAGE: $0 [OPTIONS]
 	OPTIONS:
 	  --verbose, -v       verbose output
@@ -43,71 +44,75 @@ help_and_exit()
 	  --fresh, -f         start from scratch
 	  --help, -h          this screen
 EOF
-    exit 0
+	exit 0
 }
 
-args=("$@")
+args="$*"
+
 while [ $# -gt 0 ]; do
-    param="$1"
-    arg="$2"
-    test "$arg" = "${arg#-}" || arg=
-    shift
-    case "$param" in
-	-v|--verbose) verbose='-v' ;;
-	-f|--fresh) fresh='-f' ;;
-	-r|--root) destdir="$arg"; shift
-	    if [ -z "$destdir" ]; then
-		echo "-r option requires parameter <directory>"
-		exit 1
-	    fi
-	;;
-	-h|--help) help_and_exit ;;
-	-*) echo "invalid option: $param" >&2; exit 1 ;;
-    esac
+	param="$1"
+	arg="$2"
+	test "$arg" = "${arg#-}" || arg=
+	shift
+	case "$param" in
+		-v|--verbose) verbose='-v' ;;
+		-f|--fresh) fresh='-f' ;;
+		-r|--root) destdir="$arg"; shift
+			if [ -z "$destdir" ]; then
+				echo "-r option requires parameter <directory>"
+				exit 1
+			fi
+			;;
+		-h|--help) help_and_exit ;;
+		-*) echo "invalid option: $param" >&2; exit 1 ;;
+	esac
 done
 
 # set sane umask
-umask 0222;
+umask 0222
 
-case "${TRANSACTIONAL_UPDATE,,*}" in
-    true|yes|1)
-	[ -z "$verbose" ] || echo "transactional update in progress, not running any scripts" >&2
-	> /etc/pki/trust/.updated
-	exit 0
+case "${TRANSACTIONAL_UPDATE}" in
+	true|TRUE|yes|YES|1)
+		[ -z "$verbose" ] || echo "transactional update in progress, not running any scripts" >&2
+		true > /etc/pki/trust/.updated
+		exit 0
 	;;
 esac
 rm -f /etc/pki/trust/.updated
 
 export destdir
 
-install -d -m 0755 "$destdir/$statedir"
+install -d -m 0755 "${destdir}${statedir}"
 # serialize calls if we can
-if [ -z "$_CA_CERTIFICATES_LOCKED" -a -x /usr/bin/flock ]; then
-    export _CA_CERTIFICATES_LOCKED="1"
-    set -- "${args[@]}"
-    exec /usr/bin/flock "$destdir/$statedir" "$0" "$@"
-    echo "failed to lock $destdir/$statedir\n" >&2
-    exit 1
+if [ -z "$_CA_CERTIFICATES_LOCKED" ] && [ -x /usr/bin/flock ]; then
+	export _CA_CERTIFICATES_LOCKED="1"
+	# shellcheck disable=SC2086 # expected splitting
+	set -- $args
+	exec /usr/bin/flock "${destdir}${statedir}" "$0" "$@"
+	printf 'failed to lock %s/%s\n\n' "$destdir" "$statedir" >&2
+	exit 1
 fi
 
-function find_hooks {
-    shopt -s nullglob
-    for hooksdir in $hooksdir1 $hooksdir2; do
-	for f in "$hooksdir"/*.run; do
-	    if [ -L "$f" ] || [ -f "$f" ]; then
-		echo "${f##*/}" "$f"
-	    fi
+find_hooks()
+{
+	for hooksdir in $hooksdir1 $hooksdir2; do
+		for f in "$hooksdir"/*.run; do
+			if [ -L "$f" ] || [ -f "$f" ]; then
+				echo "${f##*/}" "$f"
+			fi
+		done
 	done
-    done
 }
 
-while read s f; do
-    if [ -L "$f" -a "`readlink "$f"`" = "/dev/null" ]; then
-	[ -z "$verbose" ] || echo "skipping $f"
-	continue
-    else
-	[ -z "$verbose" ] || echo "running $f .."
-    fi
-    "$f" $fresh $verbose
-done < <(find_hooks|sort -k 1,1 -u)
-chmod 0555 "$destdir/$statedir"
+
+find_hooks | sort -k 1,1 -u | while read _ f; do
+	if [ -L "$f" ] && [ "$(readlink "$f")" = '/dev/null' ]; then
+		[ -z "$verbose" ] || echo "skipping $f"
+		continue
+	else
+		[ -z "$verbose" ] || echo "running $f .."
+	fi
+	"$f" $fresh $verbose
+done
+
+chmod 0555 "${destdir}${statedir}"
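Review bot: Flattening the saved arguments with `args="$*"` and re-splitting them with `set -- $args` before the `flock` re-exec loses word boundaries, so `-r "/mnt/new root"` reaches the locked re-run as `-r /mnt/new` plus a stray `root`, and glob characters are expanded as well. Because the parser has no arm for non-option words, the stray word is silently dropped and the trust store would be written under a different root than the caller asked for. POSIX sh has no arrays, so rebuild the list from the already-parsed `verbose`, `fresh` and `destdir` instead, as below; their initialisation lies outside this hunk, so confirm none of them is preset in a way that changes the re-run. Separately, the `TRANSACTIONAL_UPDATE` case now matches only all-lowercase and all-uppercase spellings, so a value such as `True` would run the hooks where the old expansion presumably lowercased it first.

```shell
if [ -z "$_CA_CERTIFICATES_LOCKED" ] && [ -x /usr/bin/flock ]; then
	export _CA_CERTIFICATES_LOCKED="1"
	# rebuild the argument list from the parsed options so word boundaries survive
	set --
	[ -z "$verbose" ] || set -- "$@" "$verbose"
	[ -z "$fresh" ] || set -- "$@" "$fresh"
	[ -z "$destdir" ] || set -- "$@" -r "$destdir"
	exec /usr/bin/flock "${destdir}${statedir}" "$0" "$@"
	# … unchanged: failure message and exit 1 …
fi
```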