@josephbolus
Last active November 3, 2025 23:29
Installs the DOI Root CA 2 certificate system-wide on common Linux distros
#!/usr/bin/env sh
# Installs the DOI Root CA 2 certificate system-wide on common Linux distros.
# Supports: RHEL/CentOS/Rocky/Alma/Fedora, Ubuntu/Debian, SUSE, Alpine.
# Idempotent: only updates trust if the cert changed or is missing.
#
# Use in a Dockerfile:
# RUN curl -fsSL https://gist.githubusercontent.com/josephbolus/57aa8c2521cdf8d16e64739a07dfabe8/raw/474a78889ad1bdf400ec397090a4fd206ea07432/install-doi-rootca.sh | sh
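set -eu
# Where the CA file is fetched from and the file name it is installed under.
# Both are fixed for this installer; readonly guards them against accidental
# reassignment (the script later sources /etc/os-release as shell code).
# TLS to the origin host is the only integrity guarantee for this download
# unless the operator pins a checksum separately.
readonly CERT_URL="https://code.usgs.gov/wma/national-iwaas/nhm/prms-bmi/bmi-prms6-surface/-/raw/main/DOIRootCA2.crt"
readonly CERT_NAME="DOIRootCA2.crt"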
# Print a progress line to stdout, prefixed with "==> ".
info() {
  printf '==> %s\n' "$*"
}
# Report a fatal error on stderr, prefixed with "!! ", and exit 1.
die() {
  >&2 printf '!! %s\n' "$*"
  exit 1
}
# Abort unless the named tool is on PATH.
# Arguments: $1 - command name to look up
need_bin() {
  if ! command -v "$1" >/dev/null 2>&1; then
    die "Missing required tool: $1"
  fi
}
# Choose downloader: curl is preferred, wget is the fallback. Both variants
# write the response body to stdout so the same redirection works later.
DL=""
for _dl_candidate in curl wget; do
  command -v "$_dl_candidate" >/dev/null 2>&1 || continue
  case "$_dl_candidate" in
    curl) DL="curl -fsSL" ;;
    wget) DL="wget -qO-" ;;
  esac
  break
done
[ -n "$DL" ] || die "Need curl or wget to download the certificate."
# Privilege helper: run a command string as root. Runs it directly when the
# current user is already root, otherwise through sudo, then doas.
# The string is re-parsed by `sh -c`, so callers must single-quote every
# interpolated path; in this script those values come from constants and
# mktemp, never from user input.
# Arguments: $* - the command line to execute
# Returns:   the exit status of the executed command
as_root() {
  _as_root_cmd="$*"
  if [ "$(id -u)" -eq 0 ]; then
    sh -c "$_as_root_cmd"
    return
  fi
  for _as_root_helper in sudo doas; do
    if command -v "$_as_root_helper" >/dev/null 2>&1; then
      "$_as_root_helper" sh -c "$_as_root_cmd"
      return
    fi
  done
  die "This installer needs root privileges. Re-run with: sudo sh -c '<curl|wget> ... | sh'"
}
# Detect OS family from /etc/os-release. The file is sourced as shell code
# (it is a root-owned system file), then ID and ID_LIKE are lower-cased and
# joined into one string that the distro matching below pattern-matches on.
OS_RELEASE="/etc/os-release"
if [ ! -r "$OS_RELEASE" ]; then
  die "Cannot read $OS_RELEASE to detect OS."
fi
# shellcheck disable=SC1091
. "$OS_RELEASE"
# Lower-case a single string (os-release values may use mixed case).
to_lower() {
  printf "%s" "$1" | tr '[:upper:]' '[:lower:]'
}
ID_LIKE_LOWER=$(to_lower "${ID_LIKE:-}")
ID_LOWER=$(to_lower "${ID:-}")
FINGERPRINT="$ID_LIKE_LOWER $ID_LOWER"
# Record the anchor directory and trust-update command for the detected family.
# Arguments: $1 - directory that the trust updater scans for local anchors
#            $2 - command that rebuilds the system trust store
use_trust_target() {
  DEST_DIR=$1
  UPDATE_CMD=$2
}
# First matching arm wins, so the order of arms is significant.
case "$FINGERPRINT" in
  *rhel*|*centos*|*fedora*|*rocky*|*almalinux*)
    use_trust_target "/etc/pki/ca-trust/source/anchors" "update-ca-trust"
    ;;
  *debian*|*ubuntu*)
    use_trust_target "/usr/local/share/ca-certificates" "update-ca-certificates"
    ;;
  *suse*|*sles*|*opensuse*)
    # On modern SUSE, update-ca-certificates manages /etc/pki/trust/anchors
    use_trust_target "/etc/pki/trust/anchors" "update-ca-certificates"
    ;;
  *alpine*)
    use_trust_target "/usr/local/share/ca-certificates" "update-ca-certificates"
    ;;
  *)
    # Unknown distro: infer the layout from which anchor directory exists,
    # Debian-style first, then RHEL-style.
    if [ -d /usr/local/share/ca-certificates ]; then
      use_trust_target "/usr/local/share/ca-certificates" "update-ca-certificates"
    elif [ -d /etc/pki/ca-trust/source/anchors ]; then
      use_trust_target "/etc/pki/ca-trust/source/anchors" "update-ca-trust"
    else
      die "Unsupported distro. Create CA dir and trust command manually."
    fi
    ;;
esac
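# Ensure the updater exists (strip any args, though we set none)
need_bin "${UPDATE_CMD%% *}"
# Optional integrity pin: export CERT_SHA256=<hex sha256 of the expected .crt>
# to refuse any other content. Without it, TLS to the origin host is the only
# integrity guarantee for this download. Compared case-insensitively.
CERT_SHA256=$(printf "%s" "${CERT_SHA256:-}" | tr '[:upper:]' '[:lower:]')
# Download cert to a temp file (mktemp gives a private, unpredictable path;
# the trap removes it on every exit path, including die).
TMP_CERT="$(mktemp)"
trap 'rm -f "$TMP_CERT"' EXIT
info "Downloading $CERT_NAME from $CERT_URL"
# shellcheck disable=SC2086
$DL "$CERT_URL" > "$TMP_CERT" || die "Failed to download certificate."
# Sanity-check the payload before it can become a trust anchor: an empty body
# or an HTML error page must never be copied into the anchors directory.
[ -s "$TMP_CERT" ] || die "Downloaded certificate is empty."
grep -q -F -- '-----BEGIN CERTIFICATE-----' "$TMP_CERT" \
  || die "Downloaded file is not a PEM certificate."
if [ -n "$CERT_SHA256" ]; then
  need_bin sha256sum
  ACTUAL_SHA256=$(sha256sum "$TMP_CERT" | cut -d ' ' -f 1)
  [ "$ACTUAL_SHA256" = "$CERT_SHA256" ] \
    || die "Certificate checksum mismatch: expected $CERT_SHA256, got $ACTUAL_SHA256"
fi
# Ensure destination exists
as_root "mkdir -p '$DEST_DIR'"
DEST="$DEST_DIR/$CERT_NAME"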
# Decide whether the anchor needs (re)installing: only when the destination is
# missing or its bytes differ from the download. The comparison runs via
# as_root because DEST may not be readable by the current user.
INSTALL=1
if [ -f "$DEST" ] && as_root "cmp -s '$TMP_CERT' '$DEST'"; then
  INSTALL=0
  info "Certificate already installed and up-to-date at $DEST"
fi
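# Install when missing or different. The copy is followed by chmod because
# mktemp creates its file 0600 (u+rw) and cp carries those bits onto a newly
# created destination, which would leave the anchor unreadable to non-root
# processes that open the file directly.
if [ "$INSTALL" -eq 1 ]; then
  info "Installing certificate to $DEST"
  as_root "cp '$TMP_CERT' '$DEST' && chmod 0644 '$DEST'"
else
  info "No changes to certificate file."
fi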
# Rebuild the trust store. The run is skipped only when the anchor file was
# unchanged and the updater is update-ca-certificates (Debian/Ubuntu, Alpine
# and SUSE here); update-ca-trust is always invoked.
RUN_UPDATE=1
case "$INSTALL:$UPDATE_CMD" in
  0:update-ca-certificates) RUN_UPDATE=0 ;;
esac
if [ "$RUN_UPDATE" -eq 0 ]; then
  info "Trust store already up-to-date."
else
  info "Updating system trust store ($UPDATE_CMD)"
  # Only the two known updaters are ever executed as root.
  case "$UPDATE_CMD" in
    update-ca-certificates|update-ca-trust) as_root "$UPDATE_CMD" ;;
    *) die "Unknown trust updater: $UPDATE_CMD" ;;
  esac
fi
info "Done. System CA store now includes $CERT_NAME"