new file mode 100644
@@ -0,0 +1,36 @@
+From d6bb773745c2e95fd1a414e916fbed64e0d8df66 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 31 Mar 2025 17:42:25 +0200
+Subject: [PATCH] sbin/update-ca-certificates: add a --sysroot option
+
+This allows using the script in cross-compilation environments
+where the script needs to prefix the sysroot to every other
+directory it operates on. There are individual options
+to set those directories, but using a common prefix option
+instead is a lot less clutter and more robust.
+
+Upstream-Status: Submitted [https://salsa.debian.org/debian/ca-certificates/-/merge_requests/13]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ sbin/update-ca-certificates | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
+index 4bb77a0..1e737b9 100755
+--- a/sbin/update-ca-certificates
++++ b/sbin/update-ca-certificates
+@@ -59,6 +59,14 @@ do
+ --hooksdir)
+ shift
+ HOOKSDIR="$1";;
++ --sysroot)
++ shift
++ SYSROOT="$1"
++ CERTSCONF="$1/${CERTSCONF}"
++ CERTSDIR="$1/${CERTSDIR}"
++ LOCALCERTSDIR="$1/${LOCALCERTSDIR}"
++ ETCCERTSDIR="$1/${ETCCERTSDIR}"
++ HOOKSDIR="$1/${HOOKSDIR}";;
+ --help|-h|*)
+ echo "$0: [--verbose] [--fresh]"
+ exit;;
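Review bot: The new `--sysroot)` arm does `shift` and then reads `$1` without checking that a value follows, so a trailing or empty `--sysroot` leaves every directory prefixed with nothing but `/`, and the script then works on the running system's `/etc/ssl/certs` and hooks directory instead of the intended tree. A guard before the `shift` would reject that case: `[ $# -gt 1 ] && [ -n "$2" ] || { echo "$0: --sysroot requires a directory" >&2; exit 1; }`. The prefix is also applied to whatever the directory variables hold at that moment, so `--sysroot X --certsdir Y` and `--certsdir Y --sysroot X` give different results; applying the prefix once after the option loop would remove the ordering dependency. None of the eight added lines initialises `SYSROOT=` next to the other defaults, so unless that happens outside the hunk a `SYSROOT` inherited from the environment still reaches the symlink code when the option is absent. The usage text printed by `--help` does not mention the new option.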
deleted file mode 100644
@@ -1,46 +0,0 @@
-From cdb53438bae194c1281c31374a901ad7ee460408 Mon Sep 17 00:00:00 2001
-From: Andreas Oberritter <obi@opendreambox.org>
-Date: Tue, 19 Mar 2013 17:14:33 +0100
-Subject: [PATCH] update-ca-certificates: use $SYSROOT
-
-Upstream-Status: Pending
-
-Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
----
- sbin/update-ca-certificates | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index 5a0a1da..36cdd9a 100755
---- a/sbin/update-ca-certificates
-+++ b/sbin/update-ca-certificates
-@@ -24,12 +24,12 @@
- verbose=0
- fresh=0
- default=0
--CERTSCONF=/etc/ca-certificates.conf
--CERTSDIR=/usr/share/ca-certificates
--LOCALCERTSDIR=/usr/local/share/ca-certificates
-+CERTSCONF=$SYSROOT/etc/ca-certificates.conf
-+CERTSDIR=$SYSROOT/usr/share/ca-certificates
-+LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
- CERTBUNDLE=ca-certificates.crt
--ETCCERTSDIR=/etc/ssl/certs
--HOOKSDIR=/etc/ca-certificates/update.d
-+ETCCERTSDIR=$SYSROOT/etc/ssl/certs
-+HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
-
- while [ $# -gt 0 ];
- do
-@@ -92,9 +92,9 @@ add() {
- PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
- -e 's/[()]/=/g' \
- -e 's/,/_/g').pem"
-- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
-+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
- then
-- ln -sf "$CERT" "$PEM"
-+ ln -sf "${CERT##$SYSROOT}" "$PEM"
- echo "+$PEM" >> "$ADDED"
- fi
- # Add trailing newline to certificate, if it is missing (#635570)
@@ -1,4 +1,4 @@
-From 38d47c53749c6f16d5d7993410b256116e0ee0b8 Mon Sep 17 00:00:00 2001
+From a69933f96a8675369de702bdb55e57dc21f65e7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <andre.draszik@jci.com>
Date: Wed, 28 Mar 2018 16:45:05 +0100
Subject: [PATCH] update-ca-certificates: use relative symlinks from
@@ -45,26 +45,26 @@ Signed-off-by: André Draszik <andre.draszik@jci.com>
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index f7d0dbf..97a589c 100755
+index 1e737b9..8510082 100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
-@@ -29,6 +29,7 @@ CERTSDIR=$SYSROOT/usr/share/ca-certificates
- LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
+@@ -30,6 +30,7 @@ LOCALCERTSDIR=/usr/local/share/ca-certificates
CERTBUNDLE=ca-certificates.crt
- ETCCERTSDIR=$SYSROOT/etc/ssl/certs
+ ETCCERTSDIR=/etc/ssl/certs
+ HOOKSDIR=/etc/ca-certificates/update.d
+FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system
- HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d
while [ $# -gt 0 ];
-@@ -125,9 +126,10 @@ add() {
+ do
+@@ -100,9 +101,10 @@ add() {
PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
-e 's/[()]/=/g' \
-e 's/,/_/g').pem"
-- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${CERT##$SYSROOT}" ]
+- if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
+ DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )"
+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ]
then
-- ln -sf "${CERT##$SYSROOT}" "$PEM"
+- ln -sf "$CERT" "$PEM"
+ ln -sf "${DST}" "$PEM"
echo "+$PEM" >> "$ADDED"
fi
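Review bot: The `DST=` line carried as context here now takes `$SYSROOT` from the command line and still interpolates it unescaped into a sed pattern, with `${CERT}` unquoted in the `echo`. A sysroot path containing `|` or regex metacharacters, or a certificate name with runs of whitespace or glob characters, can produce a wrong symlink target inside `$ETCCERTSDIR`, which is the directory TLS clients trust. Stripping the prefix as a literal string avoids both problems: `DST="$(printf '%s\n' "${CERT#"$SYSROOT"}" | sed -e "s|^/|$FSROOT|")"`. add() starts before and continues after this hunk, so the rest of its handling of `$CERT` is not visible here.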
deleted file mode 100644
@@ -1,58 +0,0 @@
-From 50aadd3eb1c4be43d3decdeb60cede2de5a687be Mon Sep 17 00:00:00 2001
-From: Christopher Larson <chris_larson@mentor.com>
-Date: Fri, 23 Aug 2013 12:26:14 -0700
-Subject: [PATCH] ca-certificates: add recipe (version 20130610)
-
-Upstream-Status: Pending
-
-update-ca-certificates: find SYSROOT relative to its own location
-
-This makes the script relocatable.
----
- sbin/update-ca-certificates | 33 +++++++++++++++++++++++++++++++++
- 1 file changed, 33 insertions(+)
-
-diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
-index 2d3e1fe..f7d0dbf 100755
---- a/sbin/update-ca-certificates
-+++ b/sbin/update-ca-certificates
-@@ -66,6 +66,39 @@ do
- shift
- done
-
-+if [ -z "$SYSROOT" ]; then
-+ local_which () {
-+ if [ $# -lt 1 ]; then
-+ return 1
-+ fi
-+
-+ (
-+ IFS=:
-+ for entry in $PATH; do
-+ if [ -x "$entry/$1" ]; then
-+ echo "$entry/$1"
-+ exit 0
-+ fi
-+ done
-+ exit 1
-+ )
-+ }
-+
-+ case "$0" in
-+ */*)
-+ sbindir=$(cd ${0%/*} && pwd)
-+ ;;
-+ *)
-+ sbindir=$(cd $(dirname $(local_which $0)) && pwd)
-+ ;;
-+ esac
-+ prefix=${sbindir%/*}
-+ SYSROOT=${prefix%/*}
-+ if [ ! -d "$SYSROOT/usr/share/ca-certificates" ]; then
-+ SYSROOT=
-+ fi
-+fi
-+
- if [ ! -s "$CERTSCONF" ]
- then
- fresh=1
@@ -16,9 +16,8 @@ PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
SRC_URI[sha256sum] = "dd8286d0a9dd35c756fea5f1df3fed1510fb891f376903891b003cd9b1ad7e03"
SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz \
- file://0002-update-ca-certificates-use-SYSROOT.patch \
file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
- file://default-sysroot.patch \
+ file://0002-sbin-update-ca-certificates-add-a-sysroot-option.patch \
file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \
file://0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch \
"
@@ -62,7 +61,7 @@ do_install:append:class-target () {
}
pkg_postinst:${PN}:class-target () {
- SYSROOT="$D" $D${sbindir}/update-ca-certificates
+ $D${sbindir}/update-ca-certificates --sysroot $D
}
CONFFILES:${PN} += "${sysconfdir}/ca-certificates.conf"
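Review bot: When this postinst runs on the target itself rather than during rootfs construction, `$D` is presumably empty, so the unquoted `--sysroot $D` collapses to a bare `--sysroot` with no argument. The option arm added to the script shifts and reads `$1` without checking that a value follows, so depending on the shell the run either aborts on the loop's next `shift` or continues with an empty prefix, and in the first case the package's postinst fails and the certificate bundle is not regenerated. Pass the option only when `$D` is set, for example `sysroot_args=""`, `[ -n "$D" ] && sysroot_args="--sysroot $D"`, then `$D${sbindir}/update-ca-certificates $sysroot_args`. The `do_install` variants in the next hunk use paths that BitBake expands at build time, so they are not affected in the same way.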
@@ -71,11 +70,11 @@ CONFFILES:${PN} += "${sysconfdir}/ca-certificates.conf"
# we just run update-ca-certificate from do_install() for nativesdk.
CONFFILES:${PN}:append:class-nativesdk = " ${sysconfdir}/ssl/certs/ca-certificates.crt"
do_install:append:class-nativesdk () {
- SYSROOT="${D}${SDKPATHNATIVE}" ${D}${sbindir}/update-ca-certificates
+ ${D}${sbindir}/update-ca-certificates --sysroot ${D}${SDKPATHNATIVE}
}
do_install:append:class-native () {
- SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
+ ${D}${sbindir}/update-ca-certificates --sysroot ${D}${base_prefix}
}
RDEPENDS:${PN}:append:class-target = " openssl-bin openssl"