Package: ssl-cert Version: 1.1.0+nmu1 Severity: minor Tags: patch Dear Maintainer, The installed make-ssl-cert depends on bash, but doesn't really need to. See patch based on current Salsa HEAD, below; it's shellcheck-clean. The same could trivially be done for the tests, since pretty much the only extension shellcheck picks up is local. Best, наб -- System Information: Debian Release: 11.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-16-amd64 (SMP w/24 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages ssl-cert depends on: ii adduser 3.118 ii debconf [debconf-2.0] 1.5.77 ii openssl 1.1.1n-0+deb11u3 ssl-cert recommends no packages. ssl-cert suggests no packages. -- debconf information excluded
diff --git a/make-ssl-cert b/make-ssl-cert
index c0b0764..7223906 100755
--- a/make-ssl-cert
+++ b/make-ssl-cert
@@ -1,4 +1,4 @@
-#!/bin/bash -e
+#!/bin/sh -e
# This is a mockup of a script to produce a snakeoil cert
# The aim is to have a debconfisable ssl-certificate script
@@ -7,7 +7,7 @@
db_version 2.0
db_capb backup
-progname=$(basename "${0}")
+progname="${0##*/}"
usage() {
cat <<EOF
@@ -26,16 +26,14 @@ EOF
ask_via_debconf() {
RET=""
- if db_settitle make-ssl-cert/title ; then
- : # OK
- else
+ if ! db_settitle make-ssl-cert/title ; then
echo "Debconf failed with error code $? $RET" >&2
echo "Maybe your debconf database is corrupt." >&2
echo "Try re-installing ssl-cert." >&2
fi
RET=""
- while [ "x$RET" = "x" ]; do
+ while [ -z "$RET" ]; do
db_fset make-ssl-cert/hostname seen false
db_input high make-ssl-cert/hostname || true
db_go
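Review bot: In the rewritten `if ! db_settitle make-ssl-cert/title ; then` branch, `$?` in `echo "Debconf failed with error code $? $RET"` now always expands to 0, because it is the status of the negated command and not of `db_settitle`. The removed `if …; then :; else` form kept the real exit code in the else branch, so the diagnostic was useful. To drop the empty branch without losing the code, capture the status first, e.g. `rc=0; db_settitle make-ssl-cert/title || rc=$?` followed by `if [ "$rc" -ne 0 ]; then` and `$rc` in the message. The body of ask_via_debconf continues outside this hunk.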
@@ -77,9 +75,8 @@ create_temporary_cnf() {
}
create_hash_link() {
- local file="$1"
- local cryptfile filename i
- filename=$(basename "$file")
+ file="$1"
+ filename="${file##*/}"
cryptfile=$(dirname "$file")/$(openssl x509 -hash -noout -in "$file")
i=0
while [ -L "${cryptfile}.$i" ] ; do
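Review bot: Dropping `local` in create_hash_link makes `file`, `filename`, `cryptfile` and `i` script-wide globals, and the check_min_algo hunk below does the same with `file`. Both functions now write the same global `file`, so any caller that keeps its own `file` or `i` across these calls would be silently clobbered; the callers are outside the hunks, so this needs checking. Debian Policy requires `/bin/sh` to support `local`, so `local file="$1"` and `local cryptfile filename i` can stay under the new shebang, with a `# shellcheck disable=SC3043` comment if the lint warning is the concern. The loop body of create_hash_link continues outside the hunk.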
@@ -92,8 +89,7 @@ create_hash_link() {
}
check_min_algo() {
- local file="$1"
- local bits
+ file="$1"
if ! openssl x509 -text -in "$file" | grep -q 'Signature Algorithm:.*sha256' ; then
echo "Signature algorithm of $file is not sha256. Recreating." >&2
return 1
@@ -125,27 +121,37 @@ opt_no_overwrite="false"
opt_expiration_days="3650"
# Transform long options to short ones
-newargs=()
-for arg in "${@}"; do
+newargs=
+for arg; do
case "${arg}" in
- --help) newargs+=(-h) ;;
+ --help) newargs="${newargs}
+-h" ;;
--force-overwrite)
# Move to front so that we accept --force-overwrite at the end, for
# compatibility with 1.0.x.
- newargs=("-f" "${newargs[@]}") ;;
- --no-overwrite) newargs+=(-n) ;;
- --expiration-days) newargs+=(-x) ;;
+ newargs="-f
+${newargs}" ;;
+ --no-overwrite) newargs="${newargs}
+-h" ;;
+ --expiration-days) newargs="${newargs}
+-x" ;;
--*)
printf "Unrecognized option %s\n\n" "${arg}"
usage 1
;;
- *) newargs+=("$arg") ;;
+ *) newargs="${newargs}
+$arg" ;;
esac
done
-set -- "${newargs[@]}"
+OIFS="$IFS"
+IFS="
+"
+# shellcheck disable=SC2086
+set -- $newargs
+IFS="$OIFS"
# Parse short options
-while getopts "hfnx:" opt "${@}"; do
+while getopts "hfnx:" opt; do
case "${opt}" in
h) usage 0 ;;
f) opt_force_overwrite="true" ;;
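Review bot: The `--no-overwrite)` arm appends `-h` where the removed line appended `-n`, so `--no-overwrite` now prints the usage text and exits instead of setting the no-overwrite option; the second line of that arm should be `-n" ;;`. Separately, `set -- $newargs` turns off the SC2086 warning but not pathname expansion, so an argument containing `*`, `?` or `[` is globbed against the current directory before getopts sees it. Wrap the call as `set -f; set -- $newargs; set +f`. The newline-joined string also drops empty arguments and splits any argument that contains a newline, which the array version preserved; a comment noting that limitation would help. The getopts loop continues outside the hunk.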
@@ -211,7 +217,7 @@ fi
TMPFILE="$(mktemp)" || exit 1
TMPOUT="$(mktemp)" || exit 1
-trap 'rm -f ${TMPFILE} ${TMPOUT}' EXIT
+trap 'rm -f "${TMPFILE}" "${TMPOUT}"' EXIT
create_temporary_cnf