Package: ssl-cert
Version: 1.1.0+nmu1
Severity: minor
Tags: patch

Dear Maintainer,

The installed make-ssl-cert depends on bash, but doesn't really need to.

See patch based on current Salsa HEAD, below; it's shellcheck-clean.

The same could trivially be done for the tests, since pretty much the only
extension shellcheck picks up is local.

Best,
наб

-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-16-amd64 (SMP w/24 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ssl-cert depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.77
ii  openssl                1.1.1n-0+deb11u3

ssl-cert recommends no packages.

ssl-cert suggests no packages.

-- debconf information excluded

diff --git a/make-ssl-cert b/make-ssl-cert index c0b0764..7223906 100755 --- a/make-ssl-cert +++ b/make-ssl-cert @@ -1,4 +1,4 @@ -#!/bin/bash -e +#!/bin/sh -e # This is a mockup of a script to produce a snakeoil cert # The aim is to have a debconfisable ssl-certificate script @@ -7,7 +7,7 @@ db_version 2.0 db_capb backup -progname=$(basename "${0}") +progname="${0##*/}" usage() { cat <<EOF @@ -26,16 +26,14 @@ EOF ask_via_debconf() { RET="" - if db_settitle make-ssl-cert/title ; then - : # OK - else + if ! db_settitle make-ssl-cert/title ; then echo "Debconf failed with error code $? $RET" >&2 echo "Maybe your debconf database is corrupt." >&2 echo "Try re-installing ssl-cert." >&2 fi RET="" - while [ "x$RET" = "x" ]; do + while [ -z "$RET" ]; do db_fset make-ssl-cert/hostname seen false db_input high make-ssl-cert/hostname || true db_go @@ -77,9 +75,8 @@ create_temporary_cnf() { } create_hash_link() { - local file="$1" - local cryptfile filename i - filename=$(basename "$file") + file="$1" + filename="${file##*/}" cryptfile=$(dirname "$file")/$(openssl x509 -hash -noout -in "$file") i=0 while [ -L "${cryptfile}.$i" ] ; do @@ -92,8 +89,7 @@ create_hash_link() { } check_min_algo() { - local file="$1" - local bits + file="$1" if ! openssl x509 -text -in "$file" | grep -q 'Signature Algorithm:.*sha256' ; then echo "Signature algorithm of $file is not sha256. Recreating." >&2 return 1 
@@ -125,27 +121,37 @@ opt_no_overwrite="false" opt_expiration_days="3650" # Transform long options to short ones -newargs=() -for arg in "${@}"; do +newargs= +for arg; do case "${arg}" in - --help) newargs+=(-h) ;; + --help) newargs="${newargs} +-h" ;; --force-overwrite) # Move to front so that we accept --force-overwrite at the end, for # compatibility with 1.0.x. - newargs=("-f" "${newargs[@]}") ;; - --no-overwrite) newargs+=(-n) ;; - --expiration-days) newargs+=(-x) ;; + newargs="-f +${newargs}" ;; + --no-overwrite) newargs="${newargs} +-h" ;; + --expiration-days) newargs="${newargs} +-x" ;; --*) printf "Unrecognized option %s\n\n" "${arg}" usage 1 ;; - *) newargs+=("$arg") ;; + *) newargs="${newargs} +$arg" ;; esac done -set -- "${newargs[@]}" +OIFS="$IFS" +IFS=" +" +# shellcheck disable=SC2086 +set -- $newargs +IFS="$OIFS" # Parse short options -while getopts "hfnx:" opt "${@}"; do +while getopts "hfnx:" opt; do case "${opt}" in h) usage 0 ;; f) opt_force_overwrite="true" ;; @@ -211,7 +217,7 @@ fi TMPFILE="$(mktemp)" || exit 1 TMPOUT="$(mktemp)" || exit 1 -trap 'rm -f ${TMPFILE} ${TMPOUT}' EXIT +trap 'rm -f "${TMPFILE}" "${TMPOUT}"' EXIT create_temporary_cnf
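Review bot: In the ask_via_debconf hunk, switching to `if ! db_settitle make-ssl-cert/title ; then` changes what `$?` expands to in the echo on the next line. Inside the then-branch `$?` is the status of the negated condition, which is 0, so the message will always read "error code 0" instead of reporting db_settitle's real status as the removed if/else form did. Either keep the else branch, or capture the status before testing it, for example `db_settitle make-ssl-cert/title || { rc=$?; echo "Debconf failed with error code $rc $RET" >&2; }` with the other two echo lines moved inside the braces.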
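Review bot: Dropping `local` in create_hash_link and check_min_algo turns `file`, `filename`, `cryptfile` and `i` into globals, and both functions now assign the same global `file`, so each call overwrites whatever the caller or the other function stored under that name. Nothing in these hunks shows that the callers do not rely on their own `file` or `i`. Function-specific names (for example `chl_file`, `cma_file`) would keep the script POSIX sh without the shared state. The removed `local bits` deserves a check as well: if `bits` is still assigned further down in check_min_algo, it becomes global too.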
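Review bot: In the long-option translation hunk, `--no-overwrite` now appends `-h` where the removed line appended `-n`, so `--no-overwrite` would reach `h) usage 0` in the getopts loop instead of the `n` case; the added value should be `-n`. Separately, `set -- $newargs` with only IFS changed still undergoes pathname expansion, so an argument containing `*` or `?` can be replaced by matching file names, and because newline is IFS whitespace, empty arguments are dropped and arguments containing a newline are split. Wrapping the `set --` in `set -f` and `set +f` closes the globbing case, and the remaining differences from the bash array version are worth a comment next to the SC2086 disable.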