Package: ca-certificates
Version: 20230311
Tags: sid

Hi Everyone,

Adding local certificates to Debian's store came up recently on the
debian-users mailing list. I needed to look up some options in the
update-ca-certificates script, and a couple of things caught my eye.

Investigating further with ShellCheck, it looks like there are some
opportunities for improvement in the script.

In the past, I've had problems with the way `read` was used when I
created subdirectories under /usr/local/share/ca-certificates and
placed certificates in them (re: SC2162 below).

-----

# shellcheck $(command -v update-ca-certificates)

In /usr/sbin/update-ca-certificates line 101:
  sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
            ^-- SC1003 (info): Want to escape a single quote? echo 'This is how it'\''s done'.

In /usr/sbin/update-ca-certificates line 117:
  find . -type l -print | while read symlink
                                ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 120:
      $CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
                                        ^------^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
      $CERTSDIR*|$LOCALCERTSDIR*) rm -f "$symlink";;

In /usr/sbin/update-ca-certificates line 123:
  find . -type l -print | while read symlink
                                ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 134:
  find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt
                                                           ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 142:
sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read crt
                                                    ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 147:
sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read crt
                                                          ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 161:
  find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read crt
                                                                ^--^ SC2162 (info): read without -r will mangle backslashes.

In /usr/sbin/update-ca-certificates line 175:
  find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
       ^----------^ SC2086 (info): Double quote to prevent globbing and word splitting.
                                                                 ^--^ SC2162 (info): read without -r will mangle backslashes.

Did you mean:
  find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while read orphan

In /usr/sbin/update-ca-certificates line 207:
  eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
                                                              ^--^ SC2162 (info): read without -r will mangle backslashes.

For more information:
  https://www.shellcheck.net/wiki/SC1003 -- Want to escape a single quote? ec...
  https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing ...
  https://www.shellcheck.net/wiki/SC2162 -- read without -r will mangle backs...

-----

# dpkg -S /usr/sbin/update-ca-certificates
ca-certificates: /usr/sbin/update-ca-certificates

-----

# apt show ca-certificates
Package: ca-certificates
Version: 20230311
Priority: standard
Section: misc
Maintainer: Julien Cristau <jcris...@debian.org>
Installed-Size: 393 kB
Depends: openssl (>= 1.1.1), debconf (>= 0.5) | debconf-2.0
Breaks: ca-certificates-java (<< 20121112+nmu1)
Enhances: openssl
Tag: protocol::ssl, role::app-data, security::authentication
Download-Size: 153 kB
APT-Manual-Installed: yes
APT-Sources: http://deb.debian.org/debian unstable/main amd64 Packages
Description: Common CA certificates
...
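
Added example, not part of the original report or of the ca-certificates package: a self-contained script showing what the SC2162 and SC2086 findings above mean for certificate file names that contain a backslash or spaces. The directory layout, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: file and function names are constructed for illustration.

# Scratch directory holding certificate-like names, including awkward ones.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/site a"
    : > "$dir/plain.crt"
    : > "$dir/site a/root ca.crt"    # spaces in directory and file name
    : > "$dir"/'back\slash.crt'      # literal backslash in the name
    printf '%s\n' "$dir"
}

# SC2162 pattern: plain `read` treats backslash as an escape character.
count_plain_read() {
    find "$1" -type f -name '*.crt' | sort | {
        n=0
        while read crt; do
            if [ -e "$crt" ]; then n=$((n + 1)); fi
        done
        echo "$n"
    }
}

# Hardened loop: -r keeps backslashes, IFS= keeps leading/trailing blanks.
count_raw_read() {
    find "$1" -type f -name '*.crt' | sort | {
        n=0
        while IFS= read -r crt; do
            if [ -e "$crt" ]; then n=$((n + 1)); fi
        done
        echo "$n"
    }
}

# Prints 1 if './site a/root ca.crt' survives rm; $2 = quoted|unquoted.
survives_rm() {
    (
        cd "$1" || exit 1
        f='./site a/root ca.crt'
        # SC2086: unquoted $f splits into ./site, a/root and ca.crt.
        if [ "$2" = quoted ]; then rm -f "$f"; else rm -f $f; fi
        if [ -e "$f" ]; then echo 1; else echo 0; fi
    )
}

d=$(make_fixture)
echo "names found: read=$(count_plain_read "$d") read -r=$(count_raw_read "$d") of 3"
rm -rf "$d"
```

The plain `read` loop silently skips the name containing a backslash, and the unquoted `rm -f` leaves the file with spaces in place, so in both cases an entry can be missed without any error being reported.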
