pkg/58464: sysutils/sandboxctl can't create sandbox if /usr/sbin/certctl is absent

[fstd%pr0.tips@localhost]

>Number:         58464
>Category:       pkg
>Synopsis:       sysutils/sandboxctl can't create sandbox if /usr/sbin/certctl is absent
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 25 01:10:00 +0000 2024
>Originator:     Timo Buhrmester
>Release:        2024Q2
>Organization:
>Environment:
NetBSD kiwi.pr0.tips 9.4_STABLE NetBSD 9.4_STABLE (KIWIKERN) #0: Mon Jul 22 14:15:25 CEST 2024  build%kiwi.pr0.tips@localhost:/stor/netbsd/obj/sys/arch/amd64/compile/KIWIKERN amd64
>Description:
sysutils/sandboxctl fails to create the sandbox if the certctl program isn't available.  A recent commit (https://github.com/NetBSD/pkgsrc/commit/1c1a80da5944fa48162f413dab502ebacac70197) added a check for this binary, to be run if available:

+chroot "${root}" /bin/sh -c "[ -x /usr/sbin/certctl ] && /usr/sbin/certctl rehash"

but didn't consider that absence of certctl will make the overall command return a non-zero exit status, and being the last command in the function, will cause the function itself to return that.  Ultimately, sandbox creation fails due to this.
>How-To-Repeat:
don't have /usr/sbin/certctl in the sets that will be used to create the sandbox, and run sandboxctl create with a sandbox type "netbsd-release"
>Fix:
adding a || true to that chroot command is one way