release: Don't install caroot in OCI images.

Instead, use certctl to install certificates directly from the source tree into the image. Reviewed by: dfr Differential Revision: https://reviews.freebsd.org/D51404
2026-06-12 18:20:49 -04:00 · 2025-07-22 21:06:51 +02:00 · 2025-07-22 21:06:51 +02:00 · 5fe15d7cf3
commit 5fe15d7cf3
parent 0e1665ae61
1 changed files with 5 additions and 2 deletions
--- a/release/tools/oci-image-static.conf
+++ b/release/tools/oci-image-static.conf
@ -14,7 +14,7 @@ oci_image_build() {
 	mtree -deU -p $m/usr -f ${srcdir}/etc/mtree/BSD.usr.dist > /dev/null
 	mtree -deU -p $m/usr/include -f ${srcdir}/etc/mtree/BSD.include.dist > /dev/null
 	mtree -deU -p $m/usr/lib -f ${srcdir}/etc/mtree/BSD.debug.dist > /dev/null
-	install_packages ${abi} ${workdir} FreeBSD-caroot FreeBSD-zoneinfo
+	install_packages ${abi} ${workdir} FreeBSD-zoneinfo
 	cp ${srcdir}/etc/master.passwd $m/etc
 	pwd_mkdb -p -d $m/etc $m/etc/master.passwd || return $?
 	cp ${srcdir}/etc/group $m/etc || return $?
@ -22,7 +22,10 @@ oci_image_build() {
 	# working directory to OBJDIR/release
 	cp ../etc/termcap/termcap.small $m/etc/termcap.small || return $?
 	cp ../etc/termcap/termcap.small $m/usr/share/misc/termcap || return $?
-	env DESTDIR=$m /usr/sbin/certctl rehash
+	env DESTDIR=$m \
+	    TRUSTPATH=${srcdir}/secure/caroot/trusted \
+	    UNTRUSTPATH=${srcdir}/secure/caroot/untrusted \
+	    certctl -c rehash
 	# Generate a suitable repo config for pkgbase
 	case ${branch} in
 		CURRENT|STABLE|BETA*)