rpms/ca-certificates
7
0
Fork 0
Code Issues Pull Requests Releases Activity
9bf988861b
ca-certificates/fetch_objsign.sh

124 lines
2.6 KiB
Bash
Raw Normal View History

Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
#!/bin/sh
#
# This script fetches the object signing list from the Microsoft list. It then
# mergest that list into the fetched certdata.txt.
#
- Update fetch to handle merging microsoft code signing certs. - Update fetchobjsign.sh and merge2certdata.py to their ca-certificate-scripts equivalent. - Update to CKBI 2.62-v7.0.401 from NSS 3.93 Removing: # Certificate "Camerfirma Chambers of Commerce Root" # Certificate "Hongkong Post Root CA 1" # Certificate "FNMT-RCM" Adding: # Certificate "LAWtrust Root CA2 (4096)" # Certificate "Sectigo Public Email Protection Root E46" # Certificate "Sectigo Public Email Protection Root R46" # Certificate "Sectigo Public Server Authentication Root E46" # Certificate "Sectigo Public Server Authentication Root R46" # Certificate "SSL.com TLS RSA Root CA 2022" # Certificate "SSL.com TLS ECC Root CA 2022" # Certificate "SSL.com Client ECC Root CA 2022" # Certificate "SSL.com Client RSA Root CA 2022" # Certificate "Atos TrustedRoot Root CA ECC G2 2020" # Certificate "Atos TrustedRoot Root CA RSA G2 2020" # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" # Certificate "Chambers of Commerce Root"
2023-10-04 21:31:59 +00:00
giturl="https://github.com/dotnet/sdk"
gitrawurl="https://raw.githubusercontent.com/dotnet/sdk"
release="latest"
treedir="src/Layout/redist/trustedroots/codesignctl.pem"
target="microsoft_sign_obj_ca.pem"
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
certdata="./certdata.txt"
- Update fetch to handle merging microsoft code signing certs. - Update fetchobjsign.sh and merge2certdata.py to their ca-certificate-scripts equivalent. - Update to CKBI 2.62-v7.0.401 from NSS 3.93 Removing: # Certificate "Camerfirma Chambers of Commerce Root" # Certificate "Hongkong Post Root CA 1" # Certificate "FNMT-RCM" Adding: # Certificate "LAWtrust Root CA2 (4096)" # Certificate "Sectigo Public Email Protection Root E46" # Certificate "Sectigo Public Email Protection Root R46" # Certificate "Sectigo Public Server Authentication Root E46" # Certificate "Sectigo Public Server Authentication Root R46" # Certificate "SSL.com TLS RSA Root CA 2022" # Certificate "SSL.com TLS ECC Root CA 2022" # Certificate "SSL.com Client ECC Root CA 2022" # Certificate "SSL.com Client RSA Root CA 2022" # Certificate "Atos TrustedRoot Root CA ECC G2 2020" # Certificate "Atos TrustedRoot Root CA RSA G2 2020" # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" # Certificate "Chambers of Commerce Root"
2023-10-04 21:31:59 +00:00
baseurl=""
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
merge=1
diff=0
- Update fetch to handle merging microsoft code signing certs. - Update fetchobjsign.sh and merge2certdata.py to their ca-certificate-scripts equivalent. - Update to CKBI 2.62-v7.0.401 from NSS 3.93 Removing: # Certificate "Camerfirma Chambers of Commerce Root" # Certificate "Hongkong Post Root CA 1" # Certificate "FNMT-RCM" Adding: # Certificate "LAWtrust Root CA2 (4096)" # Certificate "Sectigo Public Email Protection Root E46" # Certificate "Sectigo Public Email Protection Root R46" # Certificate "Sectigo Public Server Authentication Root E46" # Certificate "Sectigo Public Server Authentication Root R46" # Certificate "SSL.com TLS RSA Root CA 2022" # Certificate "SSL.com TLS ECC Root CA 2022" # Certificate "SSL.com Client ECC Root CA 2022" # Certificate "SSL.com Client RSA Root CA 2022" # Certificate "Atos TrustedRoot Root CA ECC G2 2020" # Certificate "Atos TrustedRoot Root CA RSA G2 2020" # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" # Certificate "Chambers of Commerce Root"
2023-10-04 21:31:59 +00:00
function getlatest
{
local url=$1
local latest="0"
local tags=($(git ls-remote --tags ${url}))
for tag in "${tags[@]}"
do
if [[ ! ${tag} =~ refs/.* ]]; then
continue # skip hashes
fi
if [[ ${tag} =~ .*preview.* ]]; then
continue # skip preview tags, we only want release tags
fi
if [[ ${tag} =~ .*rc.* ]]; then
continue # skip release candidate tags, we only want release tags
fi
if [[ ${latest} < ${tag} ]]; then
latest=$tag
fi
done
latest=${latest##refs/tags/}
echo $latest
}
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
while [ -n "$1" ]; do
case $1 in
- Update fetch to handle merging microsoft code signing certs. - Update fetchobjsign.sh and merge2certdata.py to their ca-certificate-scripts equivalent. - Update to CKBI 2.62-v7.0.401 from NSS 3.93 Removing: # Certificate "Camerfirma Chambers of Commerce Root" # Certificate "Hongkong Post Root CA 1" # Certificate "FNMT-RCM" Adding: # Certificate "LAWtrust Root CA2 (4096)" # Certificate "Sectigo Public Email Protection Root E46" # Certificate "Sectigo Public Email Protection Root R46" # Certificate "Sectigo Public Server Authentication Root E46" # Certificate "Sectigo Public Server Authentication Root R46" # Certificate "SSL.com TLS RSA Root CA 2022" # Certificate "SSL.com TLS ECC Root CA 2022" # Certificate "SSL.com Client ECC Root CA 2022" # Certificate "SSL.com Client RSA Root CA 2022" # Certificate "Atos TrustedRoot Root CA ECC G2 2020" # Certificate "Atos TrustedRoot Root CA RSA G2 2020" # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" # Certificate "Chambers of Commerce Root"
2023-10-04 21:31:59 +00:00
"-g")
shift
giturl=$1
;;
"-r")
shift
gitrawurl=$1
;;
"-t")
shift
treedir=$1
;;
"-r")
shift
release=$1
;;
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
"-u")
shift
baseurl=$1
- Update fetch to handle merging microsoft code signing certs. - Update fetchobjsign.sh and merge2certdata.py to their ca-certificate-scripts equivalent. - Update to CKBI 2.62-v7.0.401 from NSS 3.93 Removing: # Certificate "Camerfirma Chambers of Commerce Root" # Certificate "Hongkong Post Root CA 1" # Certificate "FNMT-RCM" Adding: # Certificate "LAWtrust Root CA2 (4096)" # Certificate "Sectigo Public Email Protection Root E46" # Certificate "Sectigo Public Email Protection Root R46" # Certificate "Sectigo Public Server Authentication Root E46" # Certificate "Sectigo Public Server Authentication Root R46" # Certificate "SSL.com TLS RSA Root CA 2022" # Certificate "SSL.com TLS ECC Root CA 2022" # Certificate "SSL.com Client ECC Root CA 2022" # Certificate "SSL.com Client RSA Root CA 2022" # Certificate "Atos TrustedRoot Root CA ECC G2 2020" # Certificate "Atos TrustedRoot Root CA RSA G2 2020" # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" # Certificate "Chambers of Commerce Root"
2023-10-04 21:31:59 +00:00
release="unknown"
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
;;
"-o")
shift
target=$1
;;
"-c")
shift
certdata=$1
;;
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
"-n")
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
merge=0
;;
"-d")
- Update fetch to handle merging microsoft code signing certs. - Update fetchobjsign.sh and merge2certdata.py to their ca-certificate-scripts equivalent. - Update to CKBI 2.62-v7.0.401 from NSS 3.93 Removing: # Certificate "Camerfirma Chambers of Commerce Root" # Certificate "Hongkong Post Root CA 1" # Certificate "FNMT-RCM" Adding: # Certificate "LAWtrust Root CA2 (4096)" # Certificate "Sectigo Public Email Protection Root E46" # Certificate "Sectigo Public Email Protection Root R46" # Certificate "Sectigo Public Server Authentication Root E46" # Certificate "Sectigo Public Server Authentication Root R46" # Certificate "SSL.com TLS RSA Root CA 2022" # Certificate "SSL.com TLS ECC Root CA 2022" # Certificate "SSL.com Client ECC Root CA 2022" # Certificate "SSL.com Client RSA Root CA 2022" # Certificate "Atos TrustedRoot Root CA ECC G2 2020" # Certificate "Atos TrustedRoot Root CA RSA G2 2020" # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" # Certificate "Chambers of Commerce Root"
2023-10-04 21:31:59 +00:00
shift
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
diff=1
difffile=$1
;;
*)
echo "usage: $0 [-u URL] [-o target] [-c certdata] [-n]"
- Update fetch to handle merging microsoft code signing certs. - Update fetchobjsign.sh and merge2certdata.py to their ca-certificate-scripts equivalent. - Update to CKBI 2.62-v7.0.401 from NSS 3.93 Removing: # Certificate "Camerfirma Chambers of Commerce Root" # Certificate "Hongkong Post Root CA 1" # Certificate "FNMT-RCM" Adding: # Certificate "LAWtrust Root CA2 (4096)" # Certificate "Sectigo Public Email Protection Root E46" # Certificate "Sectigo Public Email Protection Root R46" # Certificate "Sectigo Public Server Authentication Root E46" # Certificate "Sectigo Public Server Authentication Root R46" # Certificate "SSL.com TLS RSA Root CA 2022" # Certificate "SSL.com TLS ECC Root CA 2022" # Certificate "SSL.com Client ECC Root CA 2022" # Certificate "SSL.com Client RSA Root CA 2022" # Certificate "Atos TrustedRoot Root CA ECC G2 2020" # Certificate "Atos TrustedRoot Root CA RSA G2 2020" # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" # Certificate "Chambers of Commerce Root"
2023-10-04 21:31:59 +00:00
echo "-g URL git URL to fetch code signing list"
echo "-r URL raw git URL to fetch code signing list"
echo "-t URL git tree directory to fetch code signing list"
echo "-r release code signing list release version"
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
echo "-u URL base URL to fetch code signing list"
echo "-o target name of the codesigning target"
echo "-c certdata patch to certdata.txt to merge with"
echo "-d diff optional diff file"
echo "-n don't merge"
exit 1
;;
esac
shift
done
- Update fetch to handle merging microsoft code signing certs. - Update fetchobjsign.sh and merge2certdata.py to their ca-certificate-scripts equivalent. - Update to CKBI 2.62-v7.0.401 from NSS 3.93 Removing: # Certificate "Camerfirma Chambers of Commerce Root" # Certificate "Hongkong Post Root CA 1" # Certificate "FNMT-RCM" Adding: # Certificate "LAWtrust Root CA2 (4096)" # Certificate "Sectigo Public Email Protection Root E46" # Certificate "Sectigo Public Email Protection Root R46" # Certificate "Sectigo Public Server Authentication Root E46" # Certificate "Sectigo Public Server Authentication Root R46" # Certificate "SSL.com TLS RSA Root CA 2022" # Certificate "SSL.com TLS ECC Root CA 2022" # Certificate "SSL.com Client ECC Root CA 2022" # Certificate "SSL.com Client RSA Root CA 2022" # Certificate "Atos TrustedRoot Root CA ECC G2 2020" # Certificate "Atos TrustedRoot Root CA RSA G2 2020" # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" # Certificate "Chambers of Commerce Root"
2023-10-04 21:31:59 +00:00
if [ "${release}" = "latest" ]; then
release=$(getlatest ${giturl} )
fi
if [ "${baseurl}" = "" ]; then
baseurl="${gitrawurl}/${release}/${treedir}"
fi
echo $release > "./codesign-release.txt"
echo "Fetching release=${release}, ${target} from ${baseurl}"
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
wget ${baseurl} -O ${target}
if [ ${merge} -eq 0 ]; then
exit 0;
fi
out=${certdata}
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
if [ ${diff} -eq 1 ]; then
Update tools to pick up code signing certs from the Common CA Database: https://www.ccadb.org/resources Our normal root certs come from mozilla, but mozilla does not evaluate code signing. Currently code signing is only used my Microsoft .net, so we need to get code signing certs from Microsoft's code signing list. The certs in this list will only show up in the code signing lists or in the general list with only code signing set.
2021-05-24 17:49:58 +00:00
out=${certdata}.out
fi
python3 ./mergepem2certdata.py -c "${certdata}" -p "${target}" -o "${out}" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate"
if [ ${diff} -eq 1 ]; then
diff -u ${certdata} ${out} > ${difffile}
mv ${out} ${certdata}
fi
Reference in New Issue Copy Permalink