ports: Rework ssl certificates

ca-certificates: - update to 2026.03.19 - install to /etc/cacert - extract individual ceritificates from the bundle openssl: - depend on ca-certificates - install hashed symlinks to individual certs curl: - don't depend on ca-certificates; openssl handles this - set both ca-bundle and ca-path
2026-04-28 02:19:57 +03:00
parent 1486ad7aa5
commit 1602b195c5
3 changed files with 27 additions and 9 deletions
--- a/ports/ca-certificates/build.sh
+++ b/ports/ca-certificates/build.sh
@@ -1,8 +1,8 @@
 #!/bin/bash ../install.sh

 NAME='ca-certificates'
-VERSION='2025-12-02'
-DOWNLOAD_URL="https://curl.se/ca/cacert-$VERSION.pem#f1407d974c5ed87d544bd931a278232e13925177e239fca370619aba63c757b4"
+VERSION='2026.03.19'
+DOWNLOAD_URL="https://curl.se/ca/cacert-${VERSION//./-}.pem#b6e66569cc3d438dd5abe514d0df50005d570bfc96c14dca8f768d020cb96171"

 configure() {
 	:
@@ -13,7 +13,10 @@ build() {
 }

 install() {
-	mkdir -p "$BANAN_SYSROOT/etc/ssl/certs"
-	cp -v "../cacert-$VERSION.pem" "$BANAN_SYSROOT/etc/ssl/certs/ca-certificates.crt"
-	ln -svf "certs/ca-certificates.crt" "$BANAN_SYSROOT/etc/ssl/cert.pem"
+	rm -rf "$BANAN_SYSROOT/etc/cacert/extracted"
+	mkdir -p "$BANAN_SYSROOT/etc/cacert/extracted"
+
+	cp -vf "../cacert-${VERSION//./-}.pem" "$BANAN_SYSROOT/etc/cacert/cacert.pem"
+	awk '/-----BEGIN CERTIFICATE-----/ {c=1;n++} c {print > sprintf("cert%03d.pem", n)} /-----END CERTIFICATE-----/ {c=0}' "../cacert-${VERSION//./-}.pem"
+	mv cert*.pem "$BANAN_SYSROOT/etc/cacert/extracted/"
 }
--- a/ports/curl/build.sh
+++ b/ports/curl/build.sh
@@ -3,7 +3,7 @@
 NAME='curl'
 VERSION='8.17.0'
 DOWNLOAD_URL="https://curl.se/download/curl-$VERSION.tar.xz#955f6e729ad6b3566260e8fef68620e76ba3c31acf0a18524416a185acf77992"
-DEPENDENCIES=('ca-certificates' 'openssl' 'zlib' 'zstd')
+DEPENDENCIES=('openssl' 'zlib' 'zstd')
 CONFIG_SUB=('config.sub')
 CONFIGURE_OPTIONS=(
 	'--disable-threaded-resolver'
@@ -16,6 +16,6 @@ CONFIGURE_OPTIONS=(
 	'--with-zlib'
 	'--with-zstd'
 	'--without-libpsl'
-	'--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt'
-	'--without-ca-path'
+	'--with-ca-path=/etc/ssl/certs'
+	'--with-ca-bundle=/etc/ssl/certs/ca-bundle.crt'
 )
--- a/ports/openssl/build.sh
+++ b/ports/openssl/build.sh
@@ -3,9 +3,24 @@
 NAME='openssl'
 VERSION='3.6.0'
 DOWNLOAD_URL="https://github.com/openssl/openssl/releases/download/openssl-$VERSION/openssl-$VERSION.tar.gz#b6a5f44b7eb69e3fa35dbf15524405b44837a481d43d81daddde3ff21fcbb8e9"
-DEPENDENCIES=('zlib')
+DEPENDENCIES=('ca-certificates' 'zlib')
 MAKE_INSTALL_TARGETS=('install_sw' 'install_ssldirs')

 configure() {
 	./Configure --prefix=/usr --openssldir=/etc/ssl -DOPENSSL_USE_IPV6=0 no-asm no-tests banan_os-generic threads zlib
 }
+
+post_install() {
+	rm -f "$BANAN_SYSROOT/etc/ssl/certs"/*
+
+	ln -svf "../cacert/cacert.pem" "$BANAN_SYSROOT/etc/ssl/cert.pem"
+	ln -svf "../../cacert/cacert.pem" "$BANAN_SYSROOT/etc/ssl/certs/ca-certificates.crt"
+	ln -svf "../../cacert/cacert.pem" "$BANAN_SYSROOT/etc/ssl/certs/ca-bundle.crt"
+
+	openssl rehash "$BANAN_SYSROOT/etc/cacert/extracted"
+	find "$BANAN_SYSROOT/etc/cacert/extracted" -type l -print0 |
+	while IFS= read -r -d '' link; do
+		ln -s "../../cacert/extracted/$(readlink "$link")" "$BANAN_SYSROOT/etc/ssl/certs/${link##*/}"
+		rm "$link"
+	done
+}