Skip to content

Commit

Permalink
ca-certificates: update 2024-07-02 bottle.
Browse files Browse the repository at this point in the history
  • Loading branch information
@gromgit
gromgit committed Sep 3, 2024
1 parent d6e9229 commit 4bf8e48
Showing 1 changed file with 135 additions and 0 deletions.
135 changes: 135 additions & 0 deletions Formula/c/ca-certificates.rb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,135 @@
class CaCertificates < Formula
desc "Mozilla CA certificate store"
homepage "https://curl.se/docs/caextract.html"
url "https://curl.se/ca/cacert-2024-07-02.pem"
sha256 "1bf458412568e134a4514f5e170a328d11091e071c7110955c9884ed87972ac9"
license "MPL-2.0"

livecheck do
url :homepage
regex(/href=.*?cacert[._-](\d{4}-\d{2}-\d{2})\.pem/i)
end

bottle do
root_url "https://github.com/gromgit/homebrew-core-aarch64_linux/releases/download/ca-certificates-2024-07-02"
sha256 cellar: :any_skip_relocation, aarch64_linux: "242b4df0d9160ecc027c7d0519b3d6c6e67699c0e6c3eb417ad87f44421b8e8f"
end

def install
pkgshare.install "cacert-#{version}.pem" => "cacert.pem"
end

def post_install
if OS.mac?
macos_post_install
else
linux_post_install
end
end

def macos_post_install
ohai "Regenerating CA certificate bundle from keychain, this may take a while..."

keychains = %w[
/Library/Keychains/System.keychain
/System/Library/Keychains/SystemRootCertificates.keychain
]

certs_list = Utils.safe_popen_read("/usr/bin/security", "find-certificate", "-a", "-p", *keychains)
certs = certs_list.scan(
/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m,
)

# Check that the certificate has not expired
valid_certs = certs.select do |cert|
begin
Utils.safe_popen_write("/usr/bin/openssl", "x509", "-inform", "pem",
"-checkend", "0",
"-noout") do |openssl_io|
openssl_io.write(cert)
end
rescue ErrorDuringExecution
# Expired likely.
next
end

# Only include certs that have are designed to act as a SSL root.
purpose = Utils.safe_popen_write("/usr/bin/openssl", "x509", "-inform", "pem",
"-purpose",
"-noout") do |openssl_io|
openssl_io.write(cert)
end
purpose.include?("SSL server CA : Yes")
end

# Check that the certificate is trusted in keychain
trusted_certs = begin
tmpfile = Tempfile.new

verify_args = %W[
-l -L
-c #{tmpfile.path}
-p ssl
]
on_high_sierra :or_newer do
verify_args << "-R" << "offline"
end

valid_certs.select do |cert|
tmpfile.rewind
tmpfile.write cert
tmpfile.truncate cert.size
tmpfile.flush
Utils.safe_popen_read("/usr/bin/security", "verify-cert", *verify_args)
true
rescue ErrorDuringExecution
# Invalid.
false
end
ensure
tmpfile&.close!
end

# Get SHA256 fingerprints for all trusted certs
fingerprints = trusted_certs.to_set do |cert|
Utils.safe_popen_write("/usr/bin/openssl", "x509", "-inform", "pem",
"-fingerprint",
"-sha256",
"-noout") do |openssl_io|
openssl_io.write(cert)
end
end

# Now process Mozilla certs we downloaded.
pem_certs_list = File.read(pkgshare/"cacert.pem")
pem_certs = pem_certs_list.scan(
/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m,
)

# Append anything new.
trusted_certs += pem_certs.select do |cert|
fingerprint = Utils.safe_popen_write("/usr/bin/openssl", "x509", "-inform", "pem",
"-fingerprint",
"-sha256",
"-noout") do |openssl_io|
openssl_io.write(cert)
end
fingerprints.add?(fingerprint)
end

pkgetc.mkpath
(pkgetc/"cert.pem").atomic_write(trusted_certs.join("\n") << "\n")
end

def linux_post_install
rm(pkgetc/"cert.pem") if (pkgetc/"cert.pem").exist?
pkgetc.mkpath
cp pkgshare/"cacert.pem", pkgetc/"cert.pem"
end

test do
assert_path_exists pkgshare/"cacert.pem"
assert_path_exists pkgetc/"cert.pem"
assert compare_file(pkgshare/"cacert.pem", pkgetc/"cert.pem") if OS.linux?
end
end

0 comments on commit 4bf8e48

Please sign in to comment.