security/ca_root_nss: Make unprivileged installation possible

Description

The post-install and post-deinstall scripts simply invoke "certctl
rehash", which of course requires root privileges. Modify them to
enable unprivileged installation, useful for building VM images. For
instance, FreeBSD's EC2 image builder wants to install amazon-ssm-agent,
which depends on ca_root_nss.

Modify the scripts to:

  1. Use PKG_ROOTDIR as the root instead of assuming the default.
  2. When installing, and PKG_METALOG is set, assume we're doing an unprivileged build and tell certctl to write updates to the configured METALOG.

Note, the use of PKG_METALOG depends on a new pkg feature:
https://github.com/freebsd/pkg/pull/2476

If an updated ca_root_nss is installed using an old pkg(8), then the
PKG_METALOG variable will not be set, so there are no compatibility
issues.

Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
PR: 288243

Details

Provenance
markj Authored on Jul 14 2025, 9:44 PM
fluffy Committed on Sep 30 2025, 8:48 AM
Parents
R11:3c49708cb513: net-im/linux-discord: Update to 0.0.111