Reproducible: ca-certificates-java

This makes the postinst file from ca-certificates-java
(/etc/ssl/certs/java/cacerts) reproducible.
It contains embedded timestamps for 'now'.
Debian-Junior includes ca-certificates-java and is now reproducible.

examples/hooks/reproducible/2011-reproducible-ca-certificates-java.hook.chroot

@@ -0,0 +1,38 @@
+#!/bin/sh
+set -e
+
+# /etc/ssl/certs/java/cacerts is a keystore
+# When (re)generated, it embeds 'now' timestamps
+
+# Don't run if ca-certificates-java is not installed
+if [ ! -e /etc/ssl/certs/java/cacerts ];
+then
+  exit 0
+fi
+
+# Use faketime to enforce a timestamp
+# NB: hooks don't know about the apt/aptitude selection, so use 'apt-get'
+export FAKETIME_ALREADY_INSTALLED=1
+if [ ! -e /usr/bin/faketime ];
+then
+  FAKETIME_ALREADY_INSTALLED=0
+  apt-get install faketime --yes -o Acquire::Check-Valid-Until=false
+fi
+
+# Remove the file
+rm -f /etc/ssl/certs/java/cacerts
+
+# Generate it again
+touch /var/lib/ca-certificates-java/fresh
+# Java uses timestamps with millisecond resolution
+# -f is required, otherwise the milliseconds are non-zero (due to relative timestamps)
+faketime -f "$(date --utc -d@${SOURCE_DATE_EPOCH} +'%Y-%m-%d %H:%M:%SZ')" dpkg-reconfigure ca-certificates-java
+
+if [ ${FAKETIME_ALREADY_INSTALLED} -eq 0 ];
+then
+  apt-get remove --purge --yes faketime
+  apt-get autoremove --yes
+fi
+
+echo "P: $(basename $0) Reproducible hook has been applied"
+