java-cacerts.yaml

package:
  name: java-cacerts
  # Update this when ca-certificates is updated.
  version: "20241121"
  epoch: 2
  description: "default certificate authorities for Java"
  copyright:
    - license: MIT
  dependencies:
    runtime:
      - ca-certificates
      - p11-kit-trust

environment:
  contents:
    packages:
      - ca-certificates=${{package.full-version}}
      - p11-kit-trust
      - wolfi-base

pipeline:
  - runs: |
      EPOCH=$SOURCE_DATE_EPOCH
      unset SOURCE_DATE_EPOCH
      mkdir -p "${{targets.destdir}}"/etc/ssl/certs/java
      trust extract --overwrite --format=java-cacerts --filter=ca-anchors \
        --purpose server-auth "${{targets.destdir}}"/etc/ssl/certs/java/cacerts
      touch -d @$EPOCH "${{targets.destdir}}"/etc/ssl/certs/java/cacerts

  - runs: |
      mkdir -p "${{targets.destdir}}"/etc/ca-certificates/update.d
      cat > "${{targets.destdir}}"/etc/ca-certificates/update.d/java-cacerts <<EOF
      exec trust extract --overwrite --format=java-cacerts --filter=ca-anchors \
        --purpose server-auth /etc/ssl/certs/java/cacerts
      EOF
      chmod +x "${{targets.destdir}}"/etc/ca-certificates/update.d/java-cacerts

update:
  enabled: true
  release-monitor:
    identifier: 332224

test:
  environment:
    contents:
      packages:
        - openssl
  pipeline:
    - runs: |
        /etc/ca-certificates/update.d/java-cacerts
        openssl pkey -pubin -in /etc/ssl/certs/java/cacerts -pubout
        openssl pkey -pubin -in /etc/ssl/certs/java/cacerts -pubout | grep -q "^-----BEGIN PUBLIC KEY-----$"
        openssl pkey -pubin -in /etc/ssl/certs/java/cacerts -pubout | grep -q "^-----END PUBLIC KEY-----$"