security: transfer certificates from intiramfs to root in dracut

Resolves: INSTALLER-4089
rhinstaller · Jan 23, 2025 · e8033e4 · e8033e4
1 parent 6d62247
commit e8033e4
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/dracut/Makefile.am b/dracut/Makefile.am
@@ -37,6 +37,7 @@ dist_dracut_SCRIPTS = module-setup.sh \
                       anaconda-copy-cmdline.sh \
                       anaconda-copy-dhclient.sh \
                       anaconda-copy-prefixdevname.sh \
+                      anaconda-copy-certs.sh
                       anaconda-ifcfg.sh \
                       anaconda-set-kernel-hung-timeout.sh \
                       anaconda-error-reporting.sh \

diff --git a/dracut/anaconda-copy-certs.sh b/dracut/anaconda-copy-certs.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Transfer CA certificates imported in initramfs via kickstart
+# to anaconda environment
+
+./lib/anaconda-lib.sh
+
+[ -d /run/install/certificates/path ] && copytree /run/install/certificates/path /sysroot || true
diff --git a/dracut/module-setup.sh b/dracut/module-setup.sh
@@ -50,6 +50,7 @@ install() {
     inst_hook pre-pivot 50 "$moddir/anaconda-copy-cmdline.sh"
     inst_hook pre-pivot 90 "$moddir/anaconda-copy-dhclient.sh"
     inst_hook pre-pivot 91 "$moddir/anaconda-copy-prefixdevname.sh"
+    inst_hook pre-pivot 92 "$moddir/anaconda-copy-certs.sh"
     inst_hook pre-pivot 95 "$moddir/anaconda-set-kernel-hung-timeout.sh"
     inst_hook pre-pivot 99 "$moddir/save-initramfs.sh"
     inst_hook cleanup 98 "$moddir/anaconda-nfsrepo-cleanup.sh"