
Bug#1058658: ca-certificates and update-ca-certificates script


Jeffrey Walton
Dec 14, 2023, 1:50:06 AM
Package: ca-certificates
Version: 20230311
Tags: sid

Hi Everyone,

Adding local certificates to Debian's store came up recently on the
debian-users mailing list. I needed to look up some options in the
update-ca-certificates script, and a couple of things caught my eye.

Investigating further with ShellCheck, it looks like there are some
opportunities for improvement in the script.

In the past, I've had problems with the way `read` was used when I
created subdirectories under /usr/local/share/ca-certificates and
placed certificates in them (re: SC2162 below).

-----

# shellcheck $(command -v update-ca-certificates)

In /usr/sbin/update-ca-certificates line 101:
sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
          ^-- SC1003 (info): Want to escape a single quote? echo 'This is how it'\''s done'.

In /usr/sbin/update-ca-certificates line 117:
find . -type l -print | while read symlink
                              ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 120:
$CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
                                  ^------^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
$CERTSDIR*|$LOCALCERTSDIR*) rm -f "$symlink";;

In /usr/sbin/update-ca-certificates line 123:
find . -type l -print | while read symlink
                              ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 134:
find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt
                                                         ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 142:
sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read crt
                                                   ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 147:
sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read crt
                                                          ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 161:
find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read crt
                                                              ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 175:
find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
     ^----------^ SC2086 (info): Double quote to prevent globbing and word splitting.
                                                               ^--^ SC2162 (info): read without -r will mangle backslashes.

Did you mean:
find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while read orphan

In /usr/sbin/update-ca-certificates line 207:
eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
                                                            ^--^ SC2162 (info): read without -r will mangle backslashes.

For more information:
https://www.shellcheck.net/wiki/SC1003 -- Want to escape a single quote? ec...
https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing ...
https://www.shellcheck.net/wiki/SC2162 -- read without -r will mangle backs...

-----

# dpkg -S /usr/sbin/update-ca-certificates
ca-certificates: /usr/sbin/update-ca-certificates

-----

# apt show ca-certificates
Package: ca-certificates
Version: 20230311
Priority: standard
Section: misc
Maintainer: Julien Cristau <jcri...@debian.org>
Installed-Size: 393 kB
Depends: openssl (>= 1.1.1), debconf (>= 0.5) | debconf-2.0
Breaks: ca-certificates-java (<< 20121112+nmu1)
Enhances: openssl
Tag: protocol::ssl, role::app-data, security::authentication
Download-Size: 153 kB
APT-Manual-Installed: yes
APT-Sources: http://deb.debian.org/debian unstable/main amd64 Packages
Description: Common CA certificates
...

Jeffrey Walton
Dec 14, 2023, 2:00:04 AM
My bad, I should have included this:

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux trixie/sid
Release: n/a
Codename: trixie

I suspect the ShellCheck findings apply to other Debian distros, too.

Jeffrey Walton
Dec 14, 2023, 5:40:05 AM
It looks like the `read -r` fix was already proposed at
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981663>.

Perhaps it is a good time to make the change?

Jeffrey Walton
Dec 14, 2023, 6:30:05 AM
Merge request at
<https://salsa.debian.org/debian/ca-certificates/-/merge_requests/11>
and <https://salsa.debian.org/debian/ca-certificates/-/merge_requests/12>.

The first pull request updates documentation for the existing version
of the script. The second pull request updates the script, and clears
most (not all) of the ShellCheck warnings.
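The three ShellCheck codes in the report can be reproduced outside the real certificate store. The script below is an added example, not code from the ca-certificates package or from the thread: it builds a scratch tree laid out like /usr/local/share/ca-certificates and /etc/ssl/certs (all directory, file and link names are constructed for the demonstration), then runs the same `find | while read` and `rm -f $symlink` shapes the report quotes, once as written and once with the proposed fix. It also shows why SC1003 on `sed -e '$a\'` is a false positive: that is a sed script, not a botched quote, and GNU sed uses it to force a trailing newline so one .crt file cannot run into the next in the bundle.

```sh
#!/bin/sh
# Added example, not code from the ca-certificates package: reproduce the
# three ShellCheck findings from the report (SC2162, SC2086, SC1003) against
# a scratch tree laid out like /usr/local/share/ca-certificates and
# /etc/ssl/certs. All directory, file and link names are constructed here.
set -eu

# Scratch tree. One subdirectory name holds a backslash and a space, both
# legal on Linux, so any loop fed by find(1) must pass them through intact.
# root.crt is written without a trailing newline on purpose. Prints the root.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/local/plain" "$root/local/corp\\ca dir" "$root/etc"
    printf '%s' '-----BEGIN CERTIFICATE-----' > "$root/local/plain/root.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$root/local/corp\\ca dir/internal.crt"
    ln -s "$root/local/plain/root.crt" "$root/etc/root.pem"
    ln -s "$root/local/corp\\ca dir/internal.crt" "$root/etc/corp ca.pem"
    printf '%s\n' "$root"
}

# SC2162: how many .crt files the loop can open when the path arrives through
# plain `read`, which drops backslashes ("corp\ca dir" becomes "corpca dir").
count_crt_unsafe() {
    find -L "$1/local" -type f -name '*.crt' | sort | while read crt; do
        if [ -f "$crt" ]; then echo "$crt"; fi
    done | wc -l | tr -d ' '
}

# Same loop with the fix proposed in the thread: `read -r` keeps the line verbatim.
count_crt_safe() {
    find -L "$1/local" -type f -name '*.crt' | sort | while read -r crt; do
        if [ -f "$crt" ]; then echo "$crt"; fi
    done | wc -l | tr -d ' '
}

# SC2086: drop links whose target is under $1/local, like the loop the report
# quotes at line 117. With $2 = unquoted, `rm -f $symlink` splits "./corp ca.pem"
# into two words and that link survives; with $2 = quoted it is removed.
prune_links() {
    mode=$2
    ( cd "$1/etc" && find . -type l -print | while read -r symlink; do
        case $(readlink "$symlink") in
            "$1"/local/*)
                if [ "$mode" = quoted ]; then rm -f "$symlink"; else rm -f $symlink; fi ;;
        esac
    done )
}

# Symlinks remaining in $1/etc.
links_left() { find "$1/etc" -type l | wc -l | tr -d ' '; }

# SC1003 is a false positive here: '$a\' is a sed script (address $, command
# a\ with empty text) that GNU sed uses to force a trailing newline, so a .crt
# saved without one does not fuse with the next file in the bundle. Both
# functions return the number of BEGIN lines in the bundle built from $@.
bundle_count_cat() { cat "$@" | grep -c '^-----BEGIN'; }
bundle_count_sed() {
    for crt in "$@"; do sed -e '$a\' "$crt"; done | grep -c '^-----BEGIN'
}

# Stand-alone run: prints the counts for each pair and cleans up.
demo() {
    root=$(make_tree)
    echo "crt files seen with read:    $(count_crt_unsafe "$root")"   # 1
    echo "crt files seen with read -r: $(count_crt_safe "$root")"     # 2
    prune_links "$root" unquoted
    echo "links left after rm -f \$symlink:   $(links_left "$root")"  # 1
    prune_links "$root" quoted
    echo "links left after rm -f \"\$symlink\": $(links_left "$root")" # 0
    a="$root/local/plain/root.crt"; b="$root/local/corp\\ca dir/internal.crt"
    echo "BEGIN lines via cat: $(bundle_count_cat "$a" "$b")"          # 1
    echo "BEGIN lines via sed '\$a\\': $(bundle_count_sed "$a" "$b")"   # 2
    rm -rf "$root"
}
demo
```

The `sed '$a\'` behaviour is GNU sed specific, which is fine for Debian but worth knowing if the idiom is copied to a BSD host, where sed rejects an `a\` with no text. The subdirectory case is the one the first post describes: a certificate dropped under a subdirectory of /usr/local/share/ca-certificates whose name contains a backslash is silently skipped by the unfixed loop, with no error, so the local CA simply never reaches the bundle.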