security/ca_root_nss: Make unprivileged installation possible

The post-install and post-deinstall scripts simply invoke "certctl
rehash", which of course requires root privileges.  Modify them to
enable unprivileged installation, useful for building VM images.  For
instance, FreeBSD's EC2 image builder wants to install amazon-ssm-agent,
which depends on ca_root_nss.

Modify the scripts to:
1. Use PKG_ROOTDIR as the root instead of assuming the default.
2. When installing, and PKG_METALOG is set, assume we're doing an
   unprivileged build and tell certctl to write updates to the
   configured METALOG.

Note, the use of PKG_METALOG depends on a new pkg feature:
freebsd/pkg#2476

If an updated ca_root_nss is installed using an old pkg(8), then the
PKG_METALOG variable will not be set, so there are no compatibility
issues.

Sponsored by:	The FreeBSD Foundation
Sponsored by:	Klara, Inc.
PR:		288243

Author: markjdb

security/ca_root_nss/Makefile

@@ -1,6 +1,6 @@
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}
@@ -34,7 +34,7 @@ VERSION_NSS=	3.115
 CERTDATA_TXT_PATH=	lib/ckfw/builtins/certdata.txt
 BUNDLE_PROCESSOR=	MAca-bundle.pl
 
-SUB_FILES=	MAca-bundle.pl pkg-message
+SUB_FILES=	MAca-bundle.pl pkg-deinstall pkg-install pkg-message
 SUB_LIST=	VERSION_NSS=${VERSION_NSS}
 
 do-build:

security/ca_root_nss/files/pkg-deinstall.in

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ "$2" = POST-DEINSTALL ]; then
+	CERTCTL_ARGS="-D ${PKG_ROOTDIR}"
+	certctl ${CERTCTL_ARGS} rehash
+fi

security/ca_root_nss/files/pkg-install.in

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if [ "$2" = POST-INSTALL ]; then
+	CERTCTL_ARGS="-D ${PKG_ROOTDIR}"
+	if [ -n "${PKG_METALOG}" ]; then
+		CERTCTL_ARGS="${CERTCTL_ARGS} -U -M ${PKG_METALOG}"
+	fi
+	certctl ${CERTCTL_ARGS} rehash
+
+	[ ! -e %%LOCALBASE%%/bin/cert-sync ] || \
+	    %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
+fi

security/ca_root_nss/pkg-plist

@@ -2,6 +2,3 @@
 @sample etc/ssl/cert.pem.sample
 %%ETCSYMLINK%%openssl/cert.pem
 %%ETCSYMLINK%%/etc/ssl/cert.pem
-@postexec certctl rehash
-@postunexec certctl rehash
-@postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt