- Set P11_KIT_NO_USER_CONFIG=1 to prevent p11-kit from reading user configuration files (rhbz#1478172).

Kai Engert 2017-08-15 15:39:45 +02:00
parent 7accaab619
commit 7a69d0d22f
2 changed files with 8 additions and 1 deletions

@ -38,7 +38,7 @@ Name: ca-certificates
Version: 2017.2.16 Version: 2017.2.16
# for Rawhide, please always use release >= 2 # for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 2%{?dist} Release: 3%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Base Group: System Environment/Base
@ -352,6 +352,10 @@ fi
%changelog %changelog
* Tue Aug 15 2017 Kai Engert <kaie@redhat.com> - 2017.2.16-3
- Set P11_KIT_NO_USER_CONFIG=1 to prevent p11-kit from reading user
configuration files (rhbz#1478172).
* Wed Jul 19 2017 Kai Engert <kaie@redhat.com> - 2017.2.16-2 * Wed Jul 19 2017 Kai Engert <kaie@redhat.com> - 2017.2.16-2
- Update to (yet unreleased) CKBI 2.16 which is planned for NSS 3.32. - Update to (yet unreleased) CKBI 2.16 which is planned for NSS 3.32.
Mozilla removed all trust bits for code signing. Mozilla removed all trust bits for code signing.

@ -9,6 +9,9 @@
DEST=/etc/pki/ca-trust/extracted DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1
# OpenSSL PEM bundle that includes trust flags # OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE) # (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
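Review bot: The comment added above `export P11_KIT_NO_USER_CONFIG=1` says what the variable does but not why this script needs it or where the decision is tracked. The changelog entry cites rhbz#1478172; repeating that reference in the script comment would make it less likely that a later cleanup drops the export as unexplained. The placement itself looks right: the variable is exported before the first `p11-kit extract` call shown here, so that call and any p11-kit invocation after it in the script inherit the setting without needing a per-command prefix.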