From owner-svn-src-releng@freebsd.org  Thu Sep 24 18:36:32 2020
Return-Path: <owner-svn-src-releng@freebsd.org>
Delivered-To: svn-src-releng@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id A52D7424B85;
 Thu, 24 Sep 2020 18:36:32 +0000 (UTC)
 (envelope-from kevans@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4By3fS3wrcz40r4;
 Thu, 24 Sep 2020 18:36:32 +0000 (UTC)
 (envelope-from kevans@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6A11B2681C;
 Thu, 24 Sep 2020 18:36:32 +0000 (UTC)
 (envelope-from kevans@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 08OIaW9e012696;
 Thu, 24 Sep 2020 18:36:32 GMT (envelope-from kevans@FreeBSD.org)
Received: (from kevans@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 08OIaWwW012695;
 Thu, 24 Sep 2020 18:36:32 GMT (envelope-from kevans@FreeBSD.org)
Message-Id: <202009241836.08OIaWwW012695@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: kevans set sender to
 kevans@FreeBSD.org using -f
From: Kyle Evans <kevans@FreeBSD.org>
Date: Thu, 24 Sep 2020 18:36:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r366125 - in releng/12.2: . usr.sbin/bsdinstall/scripts
X-SVN-Group: releng
X-SVN-Commit-Author: kevans
X-SVN-Commit-Paths: in releng/12.2: . usr.sbin/bsdinstall/scripts
X-SVN-Commit-Revision: 366125
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-releng>, 
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Sep 2020 18:36:32 -0000

Author: kevans
Date: Thu Sep 24 18:36:31 2020
New Revision: 366125
URL: https://svnweb.freebsd.org/changeset/base/366125

Log:
  MFS r365987: certctl rehash upon install/distribute
  
  r365829:
  installworld: run `certctl rehash` after installation completes
  
  This was originally introduced back in r360833, and subsequently reverted
  because it was broken for -DNO_ROOT builds and it may not have been the
  correct place for it.
  
  While debatably this may still not be 'the correct place,' it's much cleaner
  than scattering rehashes all throughout the tree. brooks has fixed the issue
  with -DNO_ROOT by properly writing to the METALOG in r361397.
  
  Do note that this is different than what was originally committed; brooks
  had revisions in D24932 that made it actually use the revised unprivileged
  mode and write to METALOG, along with being a little more friendly to
  foreign crossbuilds and just using the certctl in-tree.
  
  With this change, I believe we should now have a populated /etc/ssl/certs in
  the VM images.
  
  r365837:
  Promote the installworld `certctl rehash` to distributeworld
  
  Contrary to my belief, installworld is not sufficient for getting certs
  installed into VM images. Promote the rehash to both installworld and
  distributeworld (notably: not stageworld) and rehash the base distdir so we
  end up with /etc/ssl/certs populated in the base dist archive. A future
  commit will remove the rehash from bsdinstall, which doesn't really need to
  happen if they're installed into base.txz.
  
  While here, fix a minor typo: s/CERTCLTFLAGS/CERTCTLFLAGS/
  
  r365852:
  Revert r361257: bsdinstall: do a `certctl rehash` upon installation [...]
  
  As of r365829, any given base distribution set will now include the /etc/ssl
  symlinks that this rehash would've otherwise installed. This extra step is
  no longer required.
  
  Approved by:	re (gjb)

Modified:
  releng/12.2/Makefile.inc1
  releng/12.2/usr.sbin/bsdinstall/scripts/config
Directory Properties:
  releng/12.2/   (props changed)

Modified: releng/12.2/Makefile.inc1
==============================================================================
--- releng/12.2/Makefile.inc1	Thu Sep 24 18:22:46 2020	(r366124)
+++ releng/12.2/Makefile.inc1	Thu Sep 24 18:36:31 2020	(r366125)
@@ -849,7 +849,9 @@ INSTALL_DDIR=	${_INSTALL_DDIR:S://:/:g:C:/$::}
 METALOG?=	${DESTDIR}/${DISTDIR}/METALOG
 METALOG:=	${METALOG:C,//+,/,g}
 IMAKE+=		-DNO_ROOT METALOG=${METALOG}
-INSTALLFLAGS+=	-U -M ${METALOG} -D ${INSTALL_DDIR}
+METALOG_INSTALLFLAGS=	-U -M ${METALOG} -D ${INSTALL_DDIR}
+INSTALLFLAGS+=	${METALOG_INSTALLFLAGS}
+CERTCTLFLAGS=	${METALOG_INSTALLFLAGS}
 MTREEFLAGS+=	-W
 .endif
 .if defined(BUILD_PKGS)
@@ -859,6 +861,11 @@ INSTALLFLAGS+=	-h sha256
 IMAKE_INSTALL=	INSTALL="install ${INSTALLFLAGS}"
 IMAKE_MTREE=	MTREE_CMD="mtree ${MTREEFLAGS}"
 .endif
+.if make(distributeworld)
+CERTCTLDESTDIR=	${DESTDIR}/${DISTDIR}/base
+.else
+CERTCTLDESTDIR=	${DESTDIR}
+.endif
 
 DESTDIR_MTREEFLAGS=	-deU
 # When creating worldtmp we don't need to set the directories as owned by root
@@ -1419,6 +1426,14 @@ distributeworld installworld stageworld: _installcheck
 	${DESTDIR}/${DISTDIR}/${dist}.debug.meta
 .endfor
 .endif
+.endif # make(distributeworld)
+.if !make(packageworld) && ${MK_CAROOT} != "no"
+	@if which openssl>/dev/null; then \
+		DESTDIR=${CERTCTLDESTDIR} \
+		    sh ${SRCTOP}/usr.sbin/certctl/certctl.sh ${CERTCTLFLAGS} rehash \
+	else \
+		echo "No openssl on the host, not rehashing certificates target -- /etc/ssl may not be populated."; \
+	fi
 .endif
 
 packageworld: .PHONY

Modified: releng/12.2/usr.sbin/bsdinstall/scripts/config
==============================================================================
--- releng/12.2/usr.sbin/bsdinstall/scripts/config	Thu Sep 24 18:22:46 2020	(r366124)
+++ releng/12.2/usr.sbin/bsdinstall/scripts/config	Thu Sep 24 18:36:31 2020	(r366125)
@@ -55,9 +55,6 @@ cp $BSDINSTALL_TMPBOOT/* $BSDINSTALL_CHROOT/boot
 
 # Set up other things from installed config
 chroot $BSDINSTALL_CHROOT /usr/bin/newaliases > /dev/null 2>&1
-if [ -x $BSDINSTALL_CHROOT/usr/sbin/certctl ]; then
-	chroot $BSDINSTALL_CHROOT /usr/sbin/certctl rehash
-fi
 
 exit 0