From 70868d48e8f364c0d0620d2314c9a431699fa538 Mon Sep 17 00:00:00 2001
From: Kyle Evans <kevans@FreeBSD.org>
Date: Sat, 9 May 2020 02:01:29 +0000
Subject: [PATCH] installworld: attempt a certctl rehash at the tail end

This can be run as root or normal user with no problem; if they hadn't
twisted the WITHOUT_CAROOT knob, we'll attempt to use the host certctl to
rehash the DESTDIR. This would allow one to build systems WITHOUT_OPENSSL +
WITH_CAROOT with a populated /etc/ssl that they can then use with an
appropriate *ssl from somewhere else.

Cross-builds are fine because this will always use the host certctl, or just
nag if it's missing and it wasn't a WITHOUT_CAROOT build.

MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D24641
---
 Makefile.inc1 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Makefile.inc1 b/Makefile.inc1
index a303bc9d4aa..e1a8ce883fd 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -1403,6 +1403,16 @@ distributeworld installworld stageworld: _installcheck_world .PHONY
 	${DESTDIR}/${DISTDIR}/${dist}.debug.meta
 .endfor
 .endif
+.elif make(installworld) && ${MK_CAROOT} != "no"
+	# We could make certctl a bootstrap tool, but it requires OpenSSL and
+	# friends, which we likely don't want.  We'll rehash on a best-effort
+	# basis, otherwise we'll just mention that we're not doing it to raise
+	# awareness.
+	@if which certctl>/dev/null; then \
+		certctl rehash \
+	else \
+		echo "No certctl on the host, not rehashing target -- /etc/ssl may not be populated."; \
+	fi
 .endif
 
 packageworld: .PHONY
-- 
2.45.0