From 7a69d0d22f938bbda43ea50389254fe47cb0eb1e Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Tue, 15 Aug 2017 15:39:45 +0200 Subject: [PATCH] - Set P11_KIT_NO_USER_CONFIG=1 to prevent p11-kit from reading user configuration files (rhbz#1478172). --- ca-certificates.spec | 6 +++++- update-ca-trust | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ca-certificates.spec b/ca-certificates.spec index 5b00e6b..40b8fe1 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -38,7 +38,7 @@ Name: ca-certificates Version: 2017.2.16 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 2%{?dist} +Release: 3%{?dist} License: Public Domain Group: System Environment/Base @@ -352,6 +352,10 @@ fi %changelog +* Tue Aug 15 2017 Kai Engert - 2017.2.16-3 +- Set P11_KIT_NO_USER_CONFIG=1 to prevent p11-kit from reading user + configuration files (rhbz#1478172). + * Wed Jul 19 2017 Kai Engert - 2017.2.16-2 - Update to (yet unreleased) CKBI 2.16 which is planned for NSS 3.32. Mozilla removed all trust bits for code signing. diff --git a/update-ca-trust b/update-ca-trust index d65f248..087aa92 100644 --- a/update-ca-trust +++ b/update-ca-trust @@ -9,6 +9,9 @@ DEST=/etc/pki/ca-trust/extracted +# Prevent p11-kit from reading user configuration files. +export P11_KIT_NO_USER_CONFIG=1 + # OpenSSL PEM bundle that includes trust flags # (BEGIN TRUSTED CERTIFICATE) /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt