From d88d1b46fb7aea6cb3ea2636a2b815a42a342746 Mon Sep 17 00:00:00 2001
From: kevans
Date: Wed, 2 Oct 2019 01:06:37 +0000
Subject: [PATCH] [3/3] etcupdate and mergemaster support for certctl

This commit add support for certctl in mergemaster and etcupdate. Both will either rehash or prompt for rehash as new certificates are trusted/blacklisted. This work was done primarily by allanjude@, with minor contributions by myself.
No objection from: secteam
Differential Revision: https://reviews.freebsd.org/D17389
---
 usr.sbin/etcupdate/etcupdate.sh | 7 +++++++
 usr.sbin/mergemaster/mergemaster.sh | 21 +++++++++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/usr.sbin/etcupdate/etcupdate.sh b/usr.sbin/etcupdate/etcupdate.sh
index 7b379105714..1ff991d5b6c 100755
--- a/usr.sbin/etcupdate/etcupdate.sh
+++ b/usr.sbin/etcupdate/etcupdate.sh
@@ -595,6 +595,13 @@ post_install_file()
 NEWALIAS_WARN=yes
 fi
 ;;
+ /usr/share/certs/trusted/*)
+ /usr/share/certs/blacklisted/*)
+ log "certctl rehash"
+ if [ -z "$dryrun" ]; then
+ env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1
+ fi
+ ;;
 /etc/login.conf)
 log "cap_mkdb ${DESTDIR}$1"
 if [ -z "$dryrun" ]; then
diff --git a/usr.sbin/mergemaster/mergemaster.sh b/usr.sbin/mergemaster/mergemaster.sh
index b6106f60bff..d3163fa592c 100755
--- a/usr.sbin/mergemaster/mergemaster.sh
+++ b/usr.sbin/mergemaster/mergemaster.sh
@@ -883,6 +883,10 @@ mm_install () {
 /etc/mail/aliases)
 NEED_NEWALIASES=yes
 ;;
+ /usr/share/certs/trusted/*)
+ /usr/share/certs/blacklisted/*)
+ NEED_CERTCTL=yes
+ ;;
 /etc/login.conf)
 NEED_CAP_MKDB=yes
 ;;
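Review bot: In the `post_install_file` hunk the added patterns `/usr/share/certs/trusted/*)` and `/usr/share/certs/blacklisted/*)` sit on separate lines, each closed by its own `)`, which sh does not accept as alternatives for one arm: the second line is read as the first arm's command list and its `)` should be a syntax error, so the script would fail to parse instead of rehashing. Join them as `/usr/share/certs/trusted/*|/usr/share/certs/blacklisted/*)`; the same pair appears in the `mm_install` hunk of mergemaster.sh and needs the same change. Separately, `env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1` expands DESTDIR unquoted and discards the exit status, so a failed rehash would presumably leave the previous trust store in effect (including a certificate that was just moved to blacklisted) with only a log line to show for it; writing `DESTDIR="${DESTDIR}"` and surfacing a non-zero status would close that gap. The case statement and `post_install_file` continue outside the hunk.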
@@ -1355,6 +1359,23 @@ case "${NEED_PWD_MKDB}" in ;; esac +case "${NEED_CERTCTL}" in +'') ;; +*) + echo '' + echo "*** You installed files in /etc/ssl/certs, so make sure that you run" + if [ -n "${DESTDIR}" ]; then + echo " 'env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash" + else + echo " '/usr/sbin/certctl rehash'" + echo " to rebuild your certificate authority database" + run_it_now "/usr/sbin/certctl rehash" + fi + ;; +esac + if [ -e "${DESTDIR}/etc/localtime" -a ! -L "${DESTDIR}/etc/localtime" -a -z "${PRE_WORLD}" ]; then # Ignore if TZ == UTC echo '' [ -n "${DESTDIR}" ] && tzs_args="-C ${DESTDIR}" -- 2.45.2
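Review bot: The prompt text says files were installed in /etc/ssl/certs, but `NEED_CERTCTL` is set in `mm_install` for paths under /usr/share/certs/trusted and /usr/share/certs/blacklisted, so the message names a directory the update did not write to. Suggest `echo "*** You installed files in /usr/share/certs, so make sure that you run"`, and, because the rehash is optional at this prompt, one more line stating that trust-store changes (newly blacklisted certificates included) presumably do not take effect until it has run. `run_it_now` is defined outside this hunk; if it evaluates its argument as a shell string, the `${DESTDIR}` embedded in `"env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash"` is split again there, which is worth confirming for a DESTDIR containing spaces.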