dev-libs/openssl: Apply Flatcar modifications

- drop `pkg_postint` - create `/etc/ssl` with tmpfiles - continue shipping app-misc/c_rehash - mark as stable
flatcar · Feb 21, 2024 · 0d6ca4f · 0d6ca4f
1 parent c554db0
commit 0d6ca4f
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 16 deletions.
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
@@ -0,0 +1,3 @@
+d      /etc/ssl                -       -       -       -       -
+d      /etc/ssl/private        0700    -       -       -       -
+L      /etc/ssl/openssl.cnf    -       -       -       -       ../../usr/share/ssl/openssl.cnf
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.2.1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.2.1-r1.ebuild
@@ -4,8 +4,9 @@
 EAPI=8
 
 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+TMPFILES_OPTIONAL=1
 inherit edo flag-o-matic linux-info toolchain-funcs
-inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig tmpfiles
 
 DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
 HOMEPAGE="https://www.openssl.org/"
@@ -23,7 +24,7 @@ else
 	"
 
 	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+		KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 	fi
 fi
 
@@ -34,8 +35,12 @@ SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
 IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
 RESTRICT="!test? ( test )"
 
+# Flatcar: Gentoo dropped dependency on c_rehash, a required tool for
+# generating certs, and does not provide a built-in tool either.
+# Continue shipping it.
 COMMON_DEPEND="
 	!<net-misc/openssh-9.2_p1-r3
+	>=app-misc/c_rehash-1.7-r1
 	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
 "
 BDEPEND="
@@ -269,15 +274,21 @@ multilib_src_install_all() {
 
 	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
 
-	# Create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
 	# bug #254521
 	dodir /etc/sandbox.d
 	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
 
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
+	# flatcar changes: do not keep the sample CA files in `/etc`
+	rm -rf "${ED}"${SSL_CNF_DIR}
+
+	# flatcar changes: save the default `openssl.cnf` in `/usr`
+	dodir /usr/share/ssl
+	insinto /usr/share/ssl
+	doins "${S}"/apps/openssl.cnf
+	dotmpfiles "${FILESDIR}"/openssl.conf
+
+	# flatcar changes: package `tmpfiles.d` setup for SDK bootstrapping.
+	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf
 }
 
 pkg_preinst() {
@@ -293,12 +304,3 @@ pkg_preinst() {
 	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
 		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
 }
-
-pkg_postinst() {
-	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
-	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
-	eend $?
-
-	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
-		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
-}