security/ca_root_nss: Use certctl instead of a symlink.

MFH: 2023Q4 Reviewed by: fluffy, sunpoet Differential Revision: https://reviews.freebsd.org/D42045

security/ca_root_nss: Use certctl instead of a symlink.
483e74f4 · Dag-Erling Smørgrav · e77844cb · 483e74f4 · 483e74f4 · 483e74f4
Commit 483e74f4 authored 1 year ago by Dag-Erling Smørgrav
--- a/security/ca_root_nss/Makefile
+++ b/security/ca_root_nss/Makefile
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}
@@ -17,14 +17,8 @@ USE_PERL5=	build
 NO_ARCH=	yes
 WRKSRC_SUBDIR=	nss

-OPTIONS_DEFINE=		ETCSYMLINK
-OPTIONS_DEFAULT=	ETCSYMLINK
-
 OPTIONS_SUB=		yes

-ETCSYMLINK_DESC=	Add symlink to /etc/ssl/cert.pem
-ETCSYMLINK_CONFLICTS_INSTALL=	ca-roots-[0-9]*
-
 CERTDIR?=	share/certs
 PLIST_SUB+=	CERTDIR=${CERTDIR}

@@ -49,8 +43,4 @@ do-install:
 	${MKDIR} ${STAGEDIR}${PREFIX}/openssl
 	${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample

-do-install-ETCSYMLINK-on:
-	${MKDIR} ${STAGEDIR}/etc/ssl
-	${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
-
 .include <bsd.port.mk>
--- a/security/ca_root_nss/files/pkg-message.in
+++ b/security/ca_root_nss/files/pkg-message.in
@@ -7,20 +7,6 @@ audited for trustworthiness or RFC 3647 compliance.

 Assessment and verification of trust is the complete responsibility of the
 system administrator.
-
-
-This package installs symlinks to support root certificates discovery by
-default for software that uses OpenSSL.
-
-This enables SSL Certificate Verification by client software without manual
-intervention.
-
-If you prefer to do this manually, replace the following symlinks with
-either an empty file or your site-local certificate bundle.
-
-  * /etc/ssl/cert.pem
-  * %%PREFIX%%/etc/ssl/cert.pem
-  * %%PREFIX%%/openssl/cert.pem
 EOM
 }
 ]
--- a/security/ca_root_nss/pkg-plist
+++ b/security/ca_root_nss/pkg-plist
 %%CERTDIR%%/ca-root-nss.crt
-@sample etc/ssl/cert.pem.sample
-@sample openssl/cert.pem.sample
-%%ETCSYMLINK%%/etc/ssl/cert.pem
-%%ETCSYMLINK%%@dir /etc/ssl
+@postexec certctl rehash
+@postunexec certctl rehash
 @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt