git: 56c71d0816dc - main - security/ca_root_nss: Make unprivileged installation possible
Date: Tue, 30 Sep 2025 08:50:00 UTC
The branch main has been updated by fluffy:
URL: https://cgit.FreeBSD.org/ports/commit/?id=56c71d0816dc8b4e53bb2a286cc798cfd33d3491
commit 56c71d0816dc8b4e53bb2a286cc798cfd33d3491
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-07-14 21:44:57 +0000
Commit: Dima Panov <fluffy@FreeBSD.org>
CommitDate: 2025-09-30 08:48:54 +0000
security/ca_root_nss: Make unprivileged installation possible

The post-install and post-deinstall scripts simply invoke "certctl
rehash", which of course requires root privileges. Modify them to
enable unprivileged installation, useful for building VM images. For
instance, FreeBSD's EC2 image builder wants to install amazon-ssm-agent,
which depends on ca_root_nss.

Modify the scripts to:
1. Use PKG_ROOTDIR as the root instead of assuming the default.
2. When installing, and PKG_METALOG is set, assume we're doing an
   unprivileged build and tell certctl to write updates to the
   configured METALOG.

Note, the use of PKG_METALOG depends on a new pkg feature:
https://github.com/freebsd/pkg/pull/2476

If an updated ca_root_nss is installed using an old pkg(8), then the
PKG_METALOG variable will not be set, so there are no compatibility
issues.

Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
PR: 288243
---
security/ca_root_nss/Makefile | 4 ++--
security/ca_root_nss/files/pkg-deinstall.in | 6 ++++++
security/ca_root_nss/files/pkg-install.in | 12 ++++++++++++
security/ca_root_nss/pkg-plist | 3 ---
4 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
index 8824436587be..1214762865cf 100644
--- a/security/ca_root_nss/Makefile
+++ b/security/ca_root_nss/Makefile
@@ -1,6 +1,6 @@
PORTNAME= ca_root_nss
PORTVERSION= ${VERSION_NSS}
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security
MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
@@ -34,7 +34,7 @@ VERSION_NSS= 3.115
CERTDATA_TXT_PATH= lib/ckfw/builtins/certdata.txt
BUNDLE_PROCESSOR= MAca-bundle.pl
-SUB_FILES= MAca-bundle.pl pkg-message
+SUB_FILES= MAca-bundle.pl pkg-deinstall pkg-install pkg-message
SUB_LIST= VERSION_NSS=${VERSION_NSS}
do-build:
diff --git a/security/ca_root_nss/files/pkg-deinstall.in b/security/ca_root_nss/files/pkg-deinstall.in
new file mode 100644
index 000000000000..8e5138c10c22
--- /dev/null
+++ b/security/ca_root_nss/files/pkg-deinstall.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ "$2" = POST-DEINSTALL ]; then
+ CERTCTL_ARGS="-D ${PKG_ROOTDIR}"
+ certctl ${CERTCTL_ARGS} rehash
+fi
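Review bot: In the POST-DEINSTALL branch, `certctl ${CERTCTL_ARGS} rehash` expands CERTCTL_ARGS unquoted, so if PKG_ROOTDIR is empty or unset the command becomes `certctl -D rehash` and `-D` would take `rehash` as its argument, while a root path containing whitespace is split into several words. Consider defaulting the value and passing it as its own quoted argument, for example `certctl -D "${PKG_ROOTDIR:-/}" rehash`. Also, unlike pkg-install.in, this script never adds `-U -M ${PKG_METALOG}`; if that is deliberate because only installation happens in unprivileged builds, a one-line comment saying so would help the next reader.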
diff --git a/security/ca_root_nss/files/pkg-install.in b/security/ca_root_nss/files/pkg-install.in
new file mode 100644
index 000000000000..6f05ab7e72ed
--- /dev/null
+++ b/security/ca_root_nss/files/pkg-install.in
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if [ "$2" = POST-INSTALL ]; then
+ CERTCTL_ARGS="-D ${PKG_ROOTDIR}"
+ if [ -n "${PKG_METALOG}" ]; then
+ CERTCTL_ARGS="${CERTCTL_ARGS} -U -M ${PKG_METALOG}"
+ fi
+ certctl ${CERTCTL_ARGS} rehash
+
+ [ ! -e %%LOCALBASE%%/bin/cert-sync ] || \
+ %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
+fi
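Review bot: The cert-sync step at the end of the POST-INSTALL branch ignores PKG_ROOTDIR: both the `[ ! -e %%LOCALBASE%%/bin/cert-sync ]` test and the `cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt` call use paths under the running system's root, while certctl just above is pointed at `-D ${PKG_ROOTDIR}`. When installing into an alternate root, this tests for and runs the host's cert-sync against the host's bundle path rather than the target's, so consider skipping the step when PKG_ROOTDIR is not `/` (or when PKG_METALOG is set), or prefixing the paths with the root. The unquoted `${CERTCTL_ARGS}` also splits a PKG_ROOTDIR or PKG_METALOG value that contains whitespace; passing each path as its own quoted argument avoids that.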
diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist
index 7899413567aa..79f18017fea6 100644
--- a/security/ca_root_nss/pkg-plist
+++ b/security/ca_root_nss/pkg-plist
@@ -2,6 +2,3 @@
@sample etc/ssl/cert.pem.sample
%%ETCSYMLINK%%openssl/cert.pem
%%ETCSYMLINK%%/etc/ssl/cert.pem
-@postexec certctl rehash
-@postunexec certctl rehash
-@postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt