From b6bd008824f7965004e56fe632efdc904f680ff9 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Feb 13 2024 14:48:07 +0000
Subject: upcate-ca-trust: Use "trust" command instead of "p11-kit extract"

The main motivation behind this is to allow the p11-kit utilities to be split into a subpackage (p11-kit-tools). As ca-certificates only uses "p11-kit extract" command invocation, which can be replaced with "trust" command, we only need the p11-kit-trust package at installation time.

Signed-off-by: Daiki Ueno
---
diff --git a/ca-certificates.spec b/ca-certificates.spec
index 55c37ca..ff4b905 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -72,9 +72,7 @@ Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
-Requires(post): p11-kit >= 0.23
 Requires(post): p11-kit-trust >= 0.23
-Requires: p11-kit >= 0.23
 Requires: p11-kit-trust >= 0.23
 
 BuildRequires: perl-interpreter
diff --git a/update-ca-trust b/update-ca-trust
index 473fa8f..a93f496 100644
--- a/update-ca-trust
+++ b/update-ca-trust
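Review bot: Nothing in the dependency list ties `/usr/bin/trust`, the binary update-ca-trust now execs from %post, to the package that installs it: the hunk drops both `Requires(post): p11-kit >= 0.23` and `Requires: p11-kit >= 0.23` and relies on the assumption that p11-kit-trust ships the `trust` command, while the commit message itself says the p11-kit utilities are about to be repackaged into a p11-kit-tools subpackage. A file dependency makes that assumption explicit and survives any later split: add `Requires(post): /usr/bin/trust` beside the retained `Requires(post): p11-kit-trust >= 0.23`, and the matching `Requires: /usr/bin/trust` beside the plain `Requires:` line. It is also worth confirming that the `>= 0.23` floor, carried over unchanged from the `p11-kit extract` era, is high enough for `trust extract` to accept every `--format` and `--purpose` the script passes (the `edk2-cacerts` and `pem-directory-hash` formats in particular), because a too-old p11-kit-trust would fail inside the scriptlet rather than at dependency resolution.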
@@ -70,15 +70,15 @@ extract() {
 # OpenSSL PEM bundle that includes trust flags
 # (BEGIN TRUSTED CERTIFICATE)
- /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
- /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
- /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
- /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
+ /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
+ /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
+ /usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
+ /usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
 # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
 # by GnuTLS)
- /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
+ /usr/bin/trust extract --format=pem-directory-hash 
--filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
 # p11-kit extract will have made this directory unwritable; when run with
 # CAP_DAC_OVERRIDE this does not matter, but in container use cases that may