stages: add org.osbuild.pki.update-ca-trust

Adds a new stage that calls update-ca-trust tool with extract argument to extract CA certificates. It is expected that one or more CAs are placed in the /etc/pki/ca-trust/source/anchors directory in PEM format. Filenames do not matter but must be unique enough. See the update-ca-trust man page for more details on what it does.
2024-08-16 11:26:19 +02:00 · 2024-08-16 11:26:19 +02:00 · 09da4fff7b
commit 09da4fff7b
parent 88474fd4d9
7 changed files with 2361 additions and 0 deletions
--- a/stages/org.osbuild.pki.update-ca-trust
+++ b/stages/org.osbuild.pki.update-ca-trust
@ -0,0 +1,11 @@
+#!/usr/bin/python3
+import sys
+
+import osbuild.api
+from osbuild.util.chroot import Chroot
+
+if __name__ == '__main__':
+    args = osbuild.api.arguments()
+    with Chroot(args["tree"]) as chroot:
+        ret = chroot.run(["/usr/bin/update-ca-trust", "extract"])
+        sys.exit(ret.returncode)
--- a/stages/org.osbuild.pki.update-ca-trust.meta.json
+++ b/stages/org.osbuild.pki.update-ca-trust.meta.json
@ -0,0 +1,10 @@
+{
+  "summary": "Extract CA trust store",
+  "description": [
+    "Extract PEM/DER CA files from /etc/pki/ca-trust/source/ by calling ",
+    "the 'update-ca-trust extract' command."
+  ],
+  "schema": {
+    "additionalProperties": false
+  }
+}
--- a/test/data/stages/pki.update-ca-trust/a.json
+++ b/test/data/stages/pki.update-ca-trust/a.json
--- a/test/data/stages/pki.update-ca-trust/a.mpp.yaml
+++ b/test/data/stages/pki.update-ca-trust/a.mpp.yaml
@ -0,0 +1,31 @@
+---
+version: '2'
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - systemd
+                - dogtag-pki-base
+        options:
+          gpgkeys:
+            mpp-eval: gpgkeys
+          exclude:
+            docs: true
--- a/test/data/stages/pki.update-ca-trust/b.json
+++ b/test/data/stages/pki.update-ca-trust/b.json
--- a/test/data/stages/pki.update-ca-trust/b.mpp.yaml
+++ b/test/data/stages/pki.update-ca-trust/b.mpp.yaml
@ -0,0 +1,73 @@
+---
+version: '2'
+sources:
+  org.osbuild.inline:
+    items:
+      sha256:4c4e8c734e4ee3a117ca8f9363ba7b706d02bfc8f297c00b02ce02babddef51c:
+        encoding: base64
+        data: >
+          LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURzekNDQXB1Z0F3SUJBZ0lVSjRsSytKZmRK
+          Q05nY0VWeFpEaW5KZktLYlFzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FERUxNQWtHQTFVRUJoTUNW
+          Vk14RnpBVkJnTlZCQWdNRGs1dmNuUm9JRU5oY205c2FXNWhNUkF3RGdZRApWUVFIREFkU1lXeGxh
+          V2RvTVJBd0RnWURWUVFLREFkU1pXUWdTR0YwTVJ3d0dnWURWUVFEREJOVVpYTjBJRU5CCklHWnZj
+          aUJ2YzJKMWFXeGtNQ0FYRFRJME1Ea3dNekV6TWpreU1Gb1lEekl5T1Rnd05qRTRNVE15T1RJd1dq
+          Qm8KTVFzd0NRWURWUVFHRXdKVlV6RVhNQlVHQTFVRUNBd09UbTl5ZEdnZ1EyRnliMnhwYm1FeEVE
+          QU9CZ05WQkFjTQpCMUpoYkdWcFoyZ3hFREFPQmdOVkJBb01CMUpsWkNCSVlYUXhIREFhQmdOVkJB
+          TU1FMVJsYzNRZ1EwRWdabTl5CklHOXpZblZwYkdRd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0
+          SUJEd0F3Z2dFS0FvSUJBUURlQTdPY1dUclYKZ3N0b0JzVWFlSkttOG5lbGc3TGMwV05YSDZ5T1RM
+          c3I0dGQ0eUhzMFlPdkZHd2dTZitmZlYzUkFHMW1ncW5NRwpNZ2tEMit6KzdRaEhiSEhzM3kwZDB6
+          ZmhBMmJnMEtWdmZDV2s3Zk5SUEhZMFVPZVBwWGsyNDVCZnczRDBWVHBsCkY3bmVQazFJN1pZMDlz
+          blBXVWViMnJqS1h6WWpLanpNMGgyNyt5a1Y4STgrRmJkeVBrL3BSOHdoeURxdEhMVWEKWGZGeTJU
+          RmxvRFNZTWtIS1ZkMzhCbkwwYmo5MXg1RitLc1prTjRIemZiWXd4TGJDUWZPU2d5N3E2VFdjZTlr
+          cQpMbzZ0eWE5dnV2cFdGbTFkeWU3TCtCb2RBUUFxL2RJL0pNZUNmeVRiMGVGYit0eXpmcjVhVklv
+          cXFETitwOWZ0CmN3NE9lZnBIYmh0TkFnTUJBQUdqVXpCUk1CMEdBMVVkRGdRV0JCUlYyQTlZbXVz
+          ZWtQenU1WWYwOGNWMG9QTDEKd2pBZkJnTlZIU01FR0RBV2dCUlYyQTlZbXVzZWtQenU1WWYwOGNW
+          MG9QTDF3akFQQmdOVkhSTUJBZjhFQlRBRApBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFD
+          Z1FaMlhmaitOeGFLQlpnbjJLTnhTME1UYmh6SFJ6NlJuCnFKcytoOE9VejJDcm1hZjZOK1JIbG1E
+          UlpYVXJEalNIcHhWVDJMeEZ5N29mUnJMWUllekZEVVlmYjkyMFZra1YKU1ZjeGgxWURGUk9KYWxm
+          TW9FNndkeVIvTG5LNE1KWlM5ZlVwZUNKSmMvQTBKKzlGSzlDd2N5VXJIZ0o4WGJKaApNS1l5UStj
+          ZjZPN3d6dXR1QnBNeVJxU0tTK2hWTTdCUVRtU0Z2djFlQUpsbzZrbEdBbW1LaVltQUV2Y1FhZEgx
+          CmRqcnVqc0EzQ241dlgyTCsweXVpTEI1L3pveHF4NWNFeTk3VHVLVVlCOE9xTU11akFYTnpGNEwz
+          SEpEVU5iYTIKQWhFa0Zvek1Yd1lYNzNUR2JHWjBtYXdQUzVEM3YzdFlURW1KRmY2U25WQ21VVzFm
+          czU3ZwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - systemd
+                - dogtag-pki-base
+        options:
+          gpgkeys:
+            mpp-eval: gpgkeys
+          exclude:
+            docs: true
+      - type: org.osbuild.copy
+        inputs:
+          inlinefile:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            references:
+              sha256:4c4e8c734e4ee3a117ca8f9363ba7b706d02bfc8f297c00b02ce02babddef51c: {}
+        options:
+          paths:
+            - from: input://inlinefile/sha256:4c4e8c734e4ee3a117ca8f9363ba7b706d02bfc8f297c00b02ce02babddef51c
+              to: tree:///etc/pki/ca-trust/source/anchors
+      - type: org.osbuild.pki.update-ca-trust
--- a/test/data/stages/pki.update-ca-trust/diff.json
+++ b/test/data/stages/pki.update-ca-trust/diff.json
@ -0,0 +1,47 @@
+{
+  "added_files": [
+    "/etc/pki/ca-trust/extracted/pem/directory-hash/7cf11c08.0",
+    "/etc/pki/ca-trust/extracted/pem/directory-hash/Test_CA_for_osbuild.pem",
+    "/etc/pki/ca-trust/extracted/pem/directory-hash/a521c9ed.0",
+    "/etc/pki/ca-trust/source/anchors/sha256:4c4e8c734e4ee3a117ca8f9363ba7b706d02bfc8f297c00b02ce02babddef51c"
+  ],
+  "deleted_files": [],
+  "differences": {
+    "/etc/pki/ca-trust/extracted/edk2/cacerts.bin": {
+      "content": [
+        "sha256:1fc7201640e13d1261decb498479b6fa748ebf8a72121c3f59464c493aea72a9",
+        "sha256:13fe6d3e78cfa0c9b31d9c7836a09c45ae1c9c8b847fb69a43b95555de9cf535"
+      ]
+    },
+    "/etc/pki/ca-trust/extracted/java/cacerts": {
+      "content": [
+        null,
+        null
+      ]
+    },
+    "/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt": {
+      "content": [
+        "sha256:830ae1c02ea63c5fa2198b50fb33d55011a391b0c7ace14a29f8d83daf30128f",
+        "sha256:306cf348061be12d41ce03f0c861bd64568f2416149ac51928a60b02ddeb3317"
+      ]
+    },
+    "/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem": {
+      "content": [
+        "sha256:fbf592932627ddb0c244dd2441f6a56231cfacb892c1163d4f372d1b949b5807",
+        "sha256:077b9d7020b4303a72ef8530481faa461fc926608094a17475474b8c9dcef5fa"
+      ]
+    },
+    "/etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem": {
+      "content": [
+        "sha256:67ea06a3b7d7d39345b36161d947a15c378fb5faab80db372fa1bc4c4e346e14",
+        "sha256:4a11fade0941e6b6c483b7522296629e454e676851baf9e1b60e486a35c26209"
+      ]
+    },
+    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem": {
+      "content": [
+        "sha256:a0a9885edfce047620854ee7bb4214dfc2a19d666b7fc2c9def6f439c69e7739",
+        "sha256:ea196b22fd7609a20c51fd091c51b268a64579dd1dab29b16163262ba861db0f"
+      ]
+    }
+  }
+}