How do I distribute a CA certificate using a Debian package?
Solution 1:
It seems the_Seppi and bodhi.zazen are correct: the only clean way to do this is using a maintainer script to do the deed. From /usr/share/doc/ca-certificates/README.Debian:
How to install local CA certificates
------------------------------------------------------------------
... If you want to prepare a local
package of your certificates, you should depend on ca-certificates,
install the PEM files into /usr/local/share/ca-certificates/ as above
and call 'update-ca-certificates' in the package's postinst, and should
call 'update-ca-certificates --fresh' in the package's postrm.
An example source package for building a local CA certificate package,
using ca-certificates (>= 20130119) (since it uses triggers) can be
found in /usr/share/doc/ca-certificates/examples/ca-certificates-local/.
The README file in the above directory has step-by-step instructions for
building a local CA certificate package.
The example package has a Makefile which directly installs the file to /usr/local/share/ca-certificates.
However, the Debian policy on installing files in /usr/local is to not do so at all (see section 1.2, chapter 9), either directly or using a maintainer script.
The compromise that I find acceptable is to use the scripts, and place links instead of copying them. This way an end user can still trace where the stuff in /usr/local/ is coming from.
Instead of calling update-ca-certificates with varying arguments, one should add update-ca-certificates-fresh to the triggers list (as noted in the last paragraph quoted above), allowing the certificates to be processed along with any other pending certificate updates:
echo 'activate update-ca-certificates-fresh' >> debian/package-name.triggers
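
The approach from the answer above (symlinks created by the maintainer scripts, with the trust-store rebuild left to the trigger), as an added example that is not part of the original answer or of the ca-certificates package. The package-owned directory /usr/share/example-local-ca and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: shared logic for debian/<package>.postinst and .postrm.
set -e

# Hypothetical directory where the package itself ships its PEM files.
SRC="${SRC:-/usr/share/example-local-ca}"
# Path named in README.Debian; update-ca-certificates only reads *.crt here.
DST="${DST:-/usr/local/share/ca-certificates}"

# postinst: link each shipped certificate into DST.
link_certs() {
    mkdir -p "$DST"
    for cert in "$SRC"/*.crt; do
        [ -f "$cert" ] || continue            # glob matched nothing
        link="$DST/$(basename "$cert")"
        if [ -e "$link" ] || [ -L "$link" ]; then
            # Never clobber a file or foreign link the administrator placed.
            [ "$(readlink "$link" 2>/dev/null || true)" = "$cert" ] ||
                echo "leaving $link alone: not created by this package" >&2
            continue
        fi
        ln -s "$cert" "$link"
    done
}

# postrm: remove only symlinks that point into SRC. The targets are already
# gone at this stage, so test with -L and plain readlink, not -e or readlink -f.
unlink_certs() {
    for link in "$DST"/*.crt; do
        [ -L "$link" ] || continue
        case "$(readlink "$link")" in
            "$SRC"/*) rm -f "$link" ;;
        esac
    done
}

# Maintainer scripts receive the action as $1. The trigger activated in
# debian/<package>.triggers then rebuilds the trust store.
case "${1:-}" in
    configure)    link_certs ;;
    remove|purge) unlink_certs ;;
esac
```

Because the links point back into a directory dpkg tracks, `dpkg -S` on the link target still identifies the owning package, which is the traceability the answer is after.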