osbuild-run: generate SSL certificates also on Debian-based systems

Call update-ca-certificates if the binary is found, generating SSL certificates in /etc in i similar way on Debian-based systems as is being done on RedHat-based ones. Signed-off-by: Tom Gundersen <teg@jklm.no>
2019-07-29 16:58:47 +02:00 · 2019-07-29 16:58:47 +02:00 · fd72ed80ba
commit fd72ed80ba
parent d08aed8f12
1 changed files with 25 additions and 0 deletions
--- a/25
+++ b/25
@ -31,15 +31,40 @@ def update_ca_trust():
    subprocess.run(["update-ca-trust"])


+def append_certs(cert_conf, dir_fd, parents=b""):
+    for entry in os.scandir(f"/proc/self/fd/{dir_fd}".encode()):
+        if entry.is_file():
+            line = os.path.join(parents, entry.name)
+            cert_conf.write(line)
+            cert_conf.write(b"\n")
+        elif entry.is_dir():
+            append_certs(cert_conf,
+                         os.open(entry.name, os.O_DIRECTORY, dir_fd=dir_fd),
+                         os.path.join(parents, entry.name))
+
+
+def update_ca_certificates():
+    if not shutil.which("update-ca-certificates"):
+        return
+
+    # generate /etc/ssl/certs/ca-certificates.crt
+    os.makedirs("/etc/ssl/certs")
+    with open("/etc/ca-certificates.conf", "wb") as f:
+        append_certs(f, os.open("/usr/share/ca-certificates", os.O_DIRECTORY))
+    subprocess.run(["update-ca-certificates"])
+
+
 def tmpfiles():
    # Allow systemd-tmpfiles to return non-0. Some packages want to create
    # directories owned by users that are not set up with systemd-sysusers.
    subprocess.run(["systemd-tmpfiles", "--create"])

+
 if __name__ == "__main__":
    ldconfig()
    sysusers()
    update_ca_trust()
+    update_ca_certificates()
    tmpfiles()

    r = subprocess.run(sys.argv[1:])