$ git diff --patch-with-stat --summary 52b244b007abb47296983254977822b9f1a16f86..ea5107df0d786669968ef6616a9d26a641154c70

 rootcerts.spec | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/rootcerts.spec b/rootcerts.spec
index 165eba1..e1eca99 100644
--- a/rootcerts.spec
+++ b/rootcerts.spec
@@ -25,7 +25,7 @@ Name:           rootcerts
 # - NEVER specifying the %%{release}
 Epoch:          1
 Version:        20200704.00
-Release:        1
+Release:        3
 License:        GPL
 Group:          System/Servers
 URL:            %{disturl}
@@ -64,10 +64,17 @@ BuildRequires:  javapackages-tools
 BuildRequires:	docbook-xsl
 BuildRequires:	asciidoc
 BuildRequires:	xsltproc 
-
+Requires(post):	coreutils
+Requires(post):	p11-kit
+Requires(post):	p11-kit-trust
 BuildArch:      noarch
 Provides:       ca-certificates
 
+# update-ca-trust (provided by rootcerts, called by %%post script)
+# calls /usr/bin/p11-kit, which in turn calls /usr/bin/trust
+Requires(post):	p11-kit p11-kit-trust
+Requires:	p11-kit p11-kit-trust
+
 %description
 This is a bundle of X.509 certificates of public Certificate
 Authorities (CA). These were automatically extracted from Mozilla's
@@ -115,12 +122,12 @@ EOF
  ) > %{p11_format_bundle}
 
  touch %{legacy_default_bundle}
- NUM_LEGACY_DEFAULT=`find certs/legacy-default -type f | wc -l`
+ NUM_LEGACY_DEFAULT=$(find certs/legacy-default -type f | wc -l)
  if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then
      for f in certs/legacy-default/*.crt; do 
        echo "processing $f"
-       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
-       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
+       tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
+       alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
        targs=""
        if [ -n "$tbits" ]; then
           for t in $tbits; do
@@ -135,12 +142,12 @@ EOF
  fi
 
  touch %{legacy_disable_bundle}
- NUM_LEGACY_DISABLE=`find certs/legacy-disable -type f | wc -l`
+ NUM_LEGACY_DISABLE=$(find certs/legacy-disable -type f | wc -l)
  if [ $NUM_LEGACY_DISABLE -ne 0 ]; then
      for f in certs/legacy-disable/*.crt; do 
        echo "processing $f"
-       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
-       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
+       tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
+       alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
        targs=""
        if [ -n "$tbits" ]; then
           for t in $tbits; do
@@ -154,7 +161,7 @@ EOF
      done
  fi
 
- P11FILES=`find certs -name \*.tmp-p11-kit | wc -l`
+ P11FILES=$(find certs -name \*.tmp-p11-kit | wc -l)
  if [ $P11FILES -ne 0 ]; then
    for p in certs/*.tmp-p11-kit; do 
      cat "$p" >> %{p11_format_bundle}
@@ -173,7 +180,6 @@ cp %{SOURCE9} %{name}/ca-legacy.8.txt
 asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
 xsltproc --nonet -o %{name}/ca-legacy.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
 
-
 %install
 mkdir -p -m 755 %{buildroot}%{pkidir}/java
 mkdir -p -m 755 %{buildroot}%{catrustdir}/source
@@ -230,7 +236,6 @@ for d in certs private; do
     ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
 done
 
-
 # touch ghosted files that will be extracted dynamically
 # Set chmod 444 to use identical permission
 touch %{buildroot}%{catrustdir}/extracted/pem/tls-ca-bundle.pem