import UBI ca-certificates-2024.2.69_v8.0.303-91.4.el9_4

2024-08-21 14:17:03 +00:00 · 2024-08-21 14:17:03 +00:00 · 131f2f2b6e
commit 131f2f2b6e
parent dd04df7073
5 changed files with 5816 additions and 3045 deletions
--- a/SOURCES/certdata.txt
+++ b/SOURCES/certdata.txt
--- a/SOURCES/nssckbi.h
+++ b/SOURCES/nssckbi.h
@ -46,8 +46,8 @@
 * It's recommend to switch back to 0 after having reached version 98/99.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69
-#define NSS_BUILTINS_LIBRARY_VERSION "2.60"
+#define NSS_BUILTINS_LIBRARY_VERSION "2.69"
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
--- a/SOURCES/update-ca-trust
+++ b/SOURCES/update-ca-trust
@ -1,10 +1,10 @@
 #!/bin/sh
 #set -vx
 set -eu
-# At this time, while this script is trivial, we ignore any parameters given.
+# For backwards compatibility reasons, future versions of this script must
-# However, for backwards compatibility reasons, future versions of this script must 
+# support the syntax "update-ca-trust extract" trigger the generation of output
 # support the syntax "update-ca-trust extract" trigger the generation of output 
 # files in $DEST.
 DEST=/etc/pki/ca-trust/extracted
@ -12,11 +12,126 @@ DEST=/etc/pki/ca-trust/extracted
 # Prevent p11-kit from reading user configuration files.
 export P11_KIT_NO_USER_CONFIG=1
-# OpenSSL PEM bundle that includes trust flags
+usage() {
-# (BEGIN TRUSTED CERTIFICATE)
+	fold -s -w 76 >&2 <<-EOF
-/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
+		Usage: $0 [extract] [-o DIR|--output=DIR]
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
+
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
+		Update the system trust store in $DEST.
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
+
-/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
+		COMMANDS
-/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
+		(absent/empty command): Same as the extract command without arguments.
 		extract: Instruct update-ca-trust to scan the source configuration in
 		/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
 		updated versions of the consolidated configuration files stored below
 		the $DEST directory hierarchy.
 		EXTRACT OPTIONS
 		-o DIR, --output=DIR: Write the extracted trust store into the given
 		directory instead of updating $DEST.
 	EOF
 }
 extract() {
 	USER_DEST=
        # can't use getopt here. ca-certificates can't depend on a lot
        # of other libraries since openssl depends on ca-certificates
        # just fail when we hand parse
        while [ $# -ne 0 ]; do
 	    case "$1" in
 	      "-o"|"--output")
 		  if [ $# -lt 2 ]; then
 			  echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
 			  echo >&2
 			  exit 1
 		  fi
 	          USER_DEST=$2
 		  shift 2
 		  continue
 		  ;;
 		"--")
 		  shift
 		  break
 		  ;;
 		*)
 		  echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
 		  exit 1
 		  ;;
 	    esac
 	done
 	if [ -n "$USER_DEST" ]; then
 		DEST=$USER_DEST
 	        # Attempt to create the directories if they do not exist
                # yet (rhbz#2241240)
 	        /usr/bin/mkdir -p \
 		    "$DEST"/openssl \
 		    "$DEST"/pem \
 		    "$DEST"/java \
 		    "$DEST"/edk2
 	fi
 	# OpenSSL PEM bundle that includes trust flags
 	# (BEGIN TRUSTED CERTIFICATE)
 	/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
 	/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
 	/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
 	# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
 	# by GnuTLS)
 	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
 	# p11-kit extract will have made this directory unwritable; when run with
 	# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
 	# not be the case. See rhbz#2241240.
 	if [ -n "$USER_DEST" ]; then
 	    /usr/bin/chmod u+w "$DEST/pem/directory-hash"
        fi
 	# Debian compatibility: their /etc/ssl/certs has this bundle
 	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
 	# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
 	# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
 	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
 	# Remove write permissions again
 	if [ -n "$USER_DEST" ]; then
 	    /usr/bin/chmod u-w "$DEST/pem/directory-hash"
        fi
 }
 if [ $# -lt 1 ]; then
    set -- extract
 fi
 case "$1" in
 	"extract")
 		shift
 		extract "$@"
 	;;
 	"--help")
 		usage
 		exit 0
 	;;
 	"-o"|"--output")
 		echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
 		echo >&2
 		exit 1
 	;;
 	"enable")
 		echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
 		echo >&2
 		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
 		extract
 	;;
 	*)
 		echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
 		echo >&2
 		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
 		extract
 	;;
 esac
--- a/SOURCES/update-ca-trust.8.txt
+++ b/SOURCES/update-ca-trust.8.txt
@ -27,7 +27,7 @@ certificates and associated trust
 SYNOPSIS
 --------
-*update-ca-trust* ['COMMAND']
+*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
 DESCRIPTION
@ -214,15 +214,23 @@ server authentication.
 COMMANDS
 --------
-(absent/empty command)::
+(absent/empty command)
-    Same as the *extract* command described below. (However, the command may
+~~~~~~~~~~~~~~~~~~~~~~
-    print fewer warnings, as this command is being run during rpm package 
+Same as the *extract* command described below. (However, the command may print
-    installation, where non-fatal status output is undesired.)
+fewer warnings, as this command is being run during rpm package installation,
 where non-fatal status output is undesired.)
-*extract*::
+extract
-    Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
+~~~~~~~
-    updated versions of the consolidated configuration files stored below
+Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
-    the /etc/pki/ca-trust/extracted directory hierarchy.
+produce updated versions of the consolidated configuration files stored below
 the /etc/pki/ca-trust/extracted directory hierarchy.
 EXTRACT OPTIONS
 ^^^^^^^^^^^^^^^
 *-o DIR*, *--output=DIR*::
 	Write the extracted trust store into the given directory instead of
 	updating /etc/pki/ca-trust/extracted.
 FILES
 -----
--- a/SPECS/ca-certificates.spec
+++ b/SPECS/ca-certificates.spec
@ -35,11 +35,11 @@ Name: ca-certificates
 # to have increasing version numbers. However, the new scheme will work, 
 # because all future versions will start with 2013 or larger.)
-Version: 2023.2.60_v7.0.306
+Version: 2024.2.69_v8.0.303
 # for y-stream, please always use 91 <= release  < 100 (91,92,93)
 # for z-stream release branches, please use 90 <= release  < 91 (90.0, 90.1, ...)
-Release: 90.1%{?dist}
+Release: 91.4%{?dist}
-License: Public Domain
+License: MIT AND GPL-2.0-or-later
 URL: https://fedoraproject.org/wiki/CA-Certificates
@ -71,16 +71,14 @@ Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
 Requires(post): p11-kit >= 0.24
 Requires(post): p11-kit-trust >= 0.24
 Requires: p11-kit >= 0.24
 Requires: p11-kit-trust >= 0.24
 BuildRequires: perl-interpreter
 BuildRequires: python3
 BuildRequires: openssl
 BuildRequires: asciidoc
-BuildRequires: libxslt
+BuildRequires: xmlto
 %description
 This package contains the set of CA certificates chosen by the
@ -169,12 +167,12 @@ popd
 #manpage
 cp %{SOURCE10} %{name}/update-ca-trust.8.txt
-asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
+asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
-xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
+xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
 cp %{SOURCE9} %{name}/ca-legacy.8.txt
-asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
+asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
-xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
+xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
 %install
@ -187,6 +185,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
 mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
@ -260,6 +259,49 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
 ln -s %{catrustdir}/extracted/%{java_bundle} \
    $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
 # Populate %%{catrustdir}/extracted/pem/directory-hash.
 #
 # First direct p11-kit-trust.so to the generated bundle (not the one
 # already present on the build system) with an overriding module
 # config. Note that we have to use a different config path based on
 # the current user: if root, ~/.config/pkcs11/modules/* are not read,
 # while if a regular user, she can't write to /etc.
 if test "$(id -u)" -eq 0; then
   trust_module_dir=/etc/pkcs11/modules
 else
   trust_module_dir=$HOME/.config/pkcs11/modules
 fi
 mkdir -p "$trust_module_dir"
 # It is unlikely that the directory would contain any files on a build system,
 # but let's make sure just in case.
 if [ -n "$(ls -A "$trust_module_dir")" ]; then
        echo "Directory $trust_module_dir is not empty. Aborting build!"
        exit 1
 fi
 trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
 cat >"$trust_module_config" <<EOF
 module: p11-kit-trust.so
 trust-policy: yes
 x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
 EOF
 trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
      --purpose server-auth \
      $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
 # Create a temporary file with the list of (%ghost )files in the directory-hash.
 find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
 sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
 # Clean up the temporary module config.
 rm -f "$trust_module_config"
 %clean
 /usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
 rm -rf $RPM_BUILD_ROOT
 %pre
 if [ $1 -gt 1 ] ; then
@ -333,7 +375,8 @@ fi
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
-%files
+# The file .files.txt contains the list of (%ghost )files in the directory-hash
 %files -f .files.txt
 %dir %{_sysconfdir}/ssl
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
@ -351,6 +394,7 @@ fi
 %dir %{_datadir}/pki/ca-trust-source/anchors
 %dir %{_datadir}/pki/ca-trust-source/blocklist
 %dir %{_datadir}/pki/ca-trust-legacy
 %dir %{catrustdir}/extracted/pem/directory-hash
 %config(noreplace) %{catrustdir}/ca-legacy.conf
@ -392,9 +436,91 @@ fi
 %ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
-
+%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
 %ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
 %changelog
 *Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
 - update-ca-trust: return warnings on a unsupported argument instead of error
 *Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
 - Temporarily generate the directory-hash files in %%install ...(next item)
 - Add list of ghost files from directory-hash to %%files
 *Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
 - Remove write permissions from directory-hash
 *Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
 - Reduce dependency on p11-kit to only the trust subpackage
 - Own the Directory-hash directory
 *Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
 - Fix release number
 *Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
 -    GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
 *Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
 - Update to CKBI 2.68_v8.0.302 from NSS 3.101
 -    Removing:
 -     # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 -     # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
 -     # Certificate "Security Communication Root CA"
 -     # Certificate "Camerfirma Chambers of Commerce Root"
 -     # Certificate "Hongkong Post Root CA 1"
 -     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 -     # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
 -     # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
 -     # Certificate "TrustCor RootCert CA-1"
 -     # Certificate "TrustCor RootCert CA-2"
 -     # Certificate "TrustCor ECA-1"
 -     # Certificate "FNMT-RCM"
 -    Adding:
 -     # Certificate "LAWtrust Root CA2 (4096)"
 -     # Certificate "Sectigo Public Email Protection Root E46"
 -     # Certificate "Sectigo Public Email Protection Root R46"
 -     # Certificate "Sectigo Public Server Authentication Root E46"
 -     # Certificate "Sectigo Public Server Authentication Root R46"
 -     # Certificate "SSL.com TLS RSA Root CA 2022"
 -     # Certificate "SSL.com TLS ECC Root CA 2022"
 -     # Certificate "SSL.com Client ECC Root CA 2022"
 -     # Certificate "SSL.com Client RSA Root CA 2022"
 -     # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
 -     # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
 -     # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
 -     # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
 -     # Certificate "TrustAsia Global Root CA G3"
 -     # Certificate "TrustAsia Global Root CA G4"
 -     # Certificate "CommScope Public Trust ECC Root-01"
 -     # Certificate "CommScope Public Trust ECC Root-02"
 -     # Certificate "CommScope Public Trust RSA Root-01"
 -     # Certificate "CommScope Public Trust RSA Root-02"
 -     # Certificate "D-Trust SBR Root CA 1 2022"
 -     # Certificate "D-Trust SBR Root CA 2 2022"
 -     # Certificate "Telekom Security SMIME ECC Root 2021"
 -     # Certificate "Telekom Security TLS ECC Root 2020"
 -     # Certificate "Telekom Security SMIME RSA Root 2023"
 -     # Certificate "Telekom Security TLS RSA Root 2023"
 -     # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
 -     # Certificate "SECOM Trust.net"
 -     # Certificate "Chambers of Commerce Root"
 -     # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
 -     # Certificate "SSL.com Code Signing RSA Root CA 2022"
 -     # Certificate "SSL.com Code Signing ECC Root CA 2022"
 * Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
 - update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
 * Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
 - Skip %post if getopt is missing (recent change made update-ca-trust use it)
 * Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
 - update-ca-trust: Support --output and non-root operation (rhbz#2241240)
 *Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
 - update License: field to SPDX
 *Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
 - Bump release number to make CI happy