From eae13f14bc173e25f89316687afcc60dbd1fc5b0 Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Thu, 12 Jul 2018 11:38:48 +0800
Subject: [PATCH] Disable cert verification for pkg-bootstrap when no cert.pem

Our site uses HTTPs and fetch(1) requires /etc/ssl/cert.pem or /usr/local/etc/ssl/cert.pem to verify the server's certificate. However, when one needs to bootstrap the 'pkg', that cert.pem generally doesn't exist since it is installed by the ca_root_nss package. So disable certificate verification for fetch(1) in such a case. Split out 'pkg-bootstrap-{fetch,install}' targets to get rid of some duplicate codes.
---
 etc/Makefile.usr | 41 ++++++++++++++++++++++++-----------------
 1 file changed, 24 insertions(+), 17 deletions(-)

diff --git a/etc/Makefile.usr b/etc/Makefile.usr
index 6802c6ec1c..e29423aa6b 100644
--- a/etc/Makefile.usr
+++ b/etc/Makefile.usr
@@ -158,18 +158,23 @@ dports-replace:
  rm -f ${DPTBALL}
 .endif
 
-# NOTE: In force mode we also have to remove any old pkg.conf
-# which might interfere with the newer pkg bootstrap.
-#
-pkg-bootstrap-force:
- @rm -f /usr/local/etc/pkg.conf
- @fetch -o ${PKGBALL} ${PKGBOOT}
- @tar -xJf ${PKGBALL} -C ${.CURDIR}/local
+pkg-bootstrap-fetch:
+.if exists(/etc/ssl/cert.pem) || exists(/usr/local/etc/ssl/cert.pem)
+ fetch -o ${PKGBALL} ${PKGBOOT}
+.else
+ @echo "Warning: /etc/ssl/cert.pem and /usr/local/etc/ssl/cert.pem do not exist."
+ @echo "Disable certificate verification for fetch(1)."
+ fetch --no-verify-peer -o ${PKGBALL} ${PKGBOOT}
+.endif
+ tar -xJf ${PKGBALL} -C ${.CURDIR}/local
  @rm -f ${PKGBALL}
+
+pkg-bootstrap-install:
 .if defined(ABIVERS)
- ABI=${ABIVERS} ${.CURDIR}/local/sbin/pkg-static install -y -f pkg
+ ABI=${ABIVERS} ${.CURDIR}/local/sbin/pkg-static \
+ install -y ${PKG_FLAGS} pkg
 .else
- ${.CURDIR}/local/sbin/pkg-static install -y -f pkg
+ ${.CURDIR}/local/sbin/pkg-static install -y ${PKG_FLAGS} pkg
 .endif
 
 pkg-bootstrap:
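Review bot: The `.else` branch of `pkg-bootstrap-fetch` downloads with `fetch --no-verify-peer`, the next recipe line unpacks the archive into `${.CURDIR}/local`, and `pkg-bootstrap-install` then runs `pkg-static` from it, so on a machine without cert.pem (the case the commit message describes as the usual one) nothing authenticates the bootstrap archive before code from it is executed. A digest pinned in the Makefile would restore integrity without needing a CA bundle, for example before the `tar` line: `@[ "$$(sha256 -q ${PKGBALL})" = "${PKGBOOT_SHA256}" ] || { rm -f ${PKGBALL}; exit 1; }`, where `PKGBOOT_SHA256` is a placeholder name for a new variable holding the expected value. This assumes `${PKGBOOT}`, which is defined outside the hunk, names a fixed, versioned archive. If it does not, the warning text should at least state that the download is unauthenticated and that installing a trusted cert.pem first avoids the fallback.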
@@ -181,12 +186,14 @@ pkg-bootstrap:
  @echo "Please move this file and rerun 'make pkg-bootstrap'"
  @/usr/bin/false
 .else
- @fetch -o ${PKGBALL} ${PKGBOOT}
- @tar -xJf ${PKGBALL} -C ${.CURDIR}/local
- @rm -f ${PKGBALL}
-.if defined(ABIVERS)
- ABI=${ABIVERS} ${.CURDIR}/local/sbin/pkg-static install -y pkg
-.else
- ${.CURDIR}/local/sbin/pkg-static install -y pkg
-.endif
+ @(cd ${.CURDIR} && make pkg-bootstrap-fetch)
+ @(cd ${.CURDIR} && make pkg-bootstrap-install)
 .endif
+
+# NOTE: In force mode we also have to remove any old pkg.conf
+# which might interfere with the newer pkg bootstrap.
+#
+pkg-bootstrap-force:
+ rm -f ${.CURDIR}/local/etc/pkg.conf
+ @(cd ${.CURDIR} && make pkg-bootstrap-fetch)
+ @(cd ${.CURDIR} && make pkg-bootstrap-install PKG_FLAGS="-f")
-- 
2.41.0
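Review bot: The four new recursion lines call a literal `make` rather than `${MAKE}`, so the sub-make is whichever `make` comes first in PATH and need not be the program that is running this Makefile; `@(cd ${.CURDIR} && ${MAKE} pkg-bootstrap-fetch)` keeps the same binary, and the `-install` lines can be changed the same way. Separately, `pkg-bootstrap-force` now removes `${.CURDIR}/local/etc/pkg.conf` where the old rule removed `/usr/local/etc/pkg.conf`; the two differ whenever `.CURDIR` is not `/usr`, and if pkg-static still reads its configuration from `/usr/local/etc` a stale file would survive the forced bootstrap. A comment on that `rm` line stating which path pkg actually reads would settle it. The `.if` that the `.else` in `pkg-bootstrap` belongs to starts outside the hunk.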