
freebsd-update: rehash certs as needed
Needs Review, Public

Authored by kevans on Sep 26 2019, 5:38 PM.

Details

Reviewers: grembo, emaste
Group Reviewers: Core Team, secteam

Summary

With the inclusion of caroot bits, we'll need to also rehash on update as we do in mergemaster/etcupdate. It's not clear to me if this is sufficient and it hasn't been tested, so may eat your grapes, etc. etc...

Diff Detail

Repository: rS FreeBSD src repository
Lint: Lint Skipped
Unit: Unit Tests Skipped
Build Status: Buildable 26834

Event Timeline

kevans created this revision. Sep 26 2019, 5:38 PM
delphij added inline comments.
usr.sbin/freebsd-update/freebsd-update.sh, line 2978

Not sure if I followed -- why do we need to search INDEX-OLD here?

kevans added inline comments. Sep 26 2019, 9:28 PM
usr.sbin/freebsd-update/freebsd-update.sh, line 2978

I'll have to re-read again to see if I can follow my logic, but it was likely a bad misunderstanding on my part.

kevans added inline comments. Sep 30 2019, 1:42 PM
usr.sbin/freebsd-update/freebsd-update.sh, line 2978

Sorry, this took a little longer to circle back to than I'd like -- it looks like what I really wanted to do was rehash if /usr/local/certs/* files either disappeared between INDEX-OLD and INDEX-NEW or just appeared in INDEX-NEW.

I think this should probably use the logic from install_delete, then check killfiles and INDEX-NEW for cert changes.

kevans updated this revision to Diff 62846. Oct 2 2019, 5:32 PM

Take #2; still know very little about freebsd-update. =-)

Refactored the check for whether we need to rehash out into another function. First we check INDEX-NEW because this will trivially tell us if we've had any new certs or cert modifications (as far as I understand what the index is composed of), then we check if any certs have been removed.
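
The two-step check described in the update above, sketched as an added example that is not part of the revision or of any participant's comment. It assumes pipe-delimited index lines with the path in the first field, compares full indices rather than pre-filtered ones, and uses a hypothetical function name and constructed sample entries.

```shell
#!/bin/sh
# Added example; not code from the revision under review.
# Assumption: index lines are pipe-delimited with the path in field 1,
# e.g. "/path|f|0|0|0444|0|<hash>|" (constructed layout).

# certs_need_rehash OLD NEW PREFIX  (hypothetical helper name)
# Returns 0 when an entry under PREFIX was added, modified or removed.
certs_need_rehash() {
    old=$1; new=$2; prefix=$3
    tmp=$(mktemp -d) || return 2
    # Keep only entries under PREFIX; sort in the C locale for comm(1).
    awk -F'|' -v p="$prefix" 'index($1, p) == 1' "$old" | LC_ALL=C sort > "$tmp/old"
    awk -F'|' -v p="$prefix" 'index($1, p) == 1' "$new" | LC_ALL=C sort > "$tmp/new"
    # Step 1: lines only in NEW are new certs or certs whose metadata/hash changed.
    LC_ALL=C comm -13 "$tmp/old" "$tmp/new" > "$tmp/changed"
    # Step 2: paths in OLD with no entry in NEW are removed certs.
    cut -d'|' -f1 "$tmp/old" | LC_ALL=C sort -u > "$tmp/old.paths"
    cut -d'|' -f1 "$tmp/new" | LC_ALL=C sort -u > "$tmp/new.paths"
    LC_ALL=C comm -23 "$tmp/old.paths" "$tmp/new.paths" > "$tmp/removed"
    rc=1
    if [ -s "$tmp/changed" ] || [ -s "$tmp/removed" ]; then rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample indices: B.pem is removed, C.pem is new.
demo=$(mktemp -d)
cat > "$demo/INDEX-OLD" <<'EOF'
/bin/sh|f|0|0|0555|0|aaaa|
/usr/local/certs/A.pem|f|0|0|0444|0|1111|
/usr/local/certs/B.pem|f|0|0|0444|0|2222|
EOF
cat > "$demo/INDEX-NEW" <<'EOF'
/bin/sh|f|0|0|0555|0|aaaa|
/usr/local/certs/A.pem|f|0|0|0444|0|1111|
/usr/local/certs/C.pem|f|0|0|0444|0|3333|
EOF
if certs_need_rehash "$demo/INDEX-OLD" "$demo/INDEX-NEW" /usr/local/certs/; then
    echo "cert set changed: run the rehash step"
fi
rm -rf "$demo"
```

A change that touches only paths outside the prefix returns non-zero, so the rehash step is skipped when the trust store is untouched.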