import UBI ca-certificates-2024.2.69_v8.0.303-102.3.el10
This commit is contained in:
parent
82a5822d4a
commit
88946447c1
@ -1 +0,0 @@
|
||||
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SOURCES/trust-fixes
|
||||
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/trust-fixes
|
||||
trust-fixes
|
||||
|
||||
20
README.etcssl
Normal file
20
README.etcssl
Normal file
@ -0,0 +1,20 @@
|
||||
This directory (/etc/ssl) is provided as a courtesy attempt to provide
|
||||
compatibility with software which assumes its existence. It is not a
|
||||
supported or canonical location. Software which assumes and relies on
|
||||
the existence and layout of this directory is making a wrong assumption
|
||||
(this directory is not any kind of 'standard', it is a configuration
|
||||
detail of Debian and its derivatives) and should be improved. No
|
||||
software packaged in this distribution should use this directory.
|
||||
|
||||
An attempt is made to make the layout of /etc/ssl/certs match that
|
||||
provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
|
||||
of individual certificate files, and also contains a certificate bundle
|
||||
file named ca-certificates.crt, as Debian does. It also contains a
|
||||
bundle named ca-bundle.crt, as this distribution has long provided
|
||||
such a file, and it is possible some software has come to expect its
|
||||
existence.
|
||||
|
||||
/etc/ssl/certs itself and the bundle files are in fact symlinks to
|
||||
some of the output of the 'update-ca-trust' script which forms a part
|
||||
of a system of consolidated CA certificates. Please refer to the
|
||||
update-ca-trust(8) manual page for additional information.
|
||||
@ -1,22 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#set -vx
|
||||
|
||||
# At this time, while this script is trivial, we ignore any parameters given.
|
||||
# However, for backwards compatibility reasons, future versions of this script must
|
||||
# support the syntax "update-ca-trust extract" trigger the generation of output
|
||||
# files in $DEST.
|
||||
|
||||
DEST=/etc/pki/ca-trust/extracted
|
||||
|
||||
# Prevent p11-kit from reading user configuration files.
|
||||
export P11_KIT_NO_USER_CONFIG=1
|
||||
|
||||
# OpenSSL PEM bundle that includes trust flags
|
||||
# (BEGIN TRUSTED CERTIFICATE)
|
||||
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
|
||||
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
|
||||
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
|
||||
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
|
||||
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
|
||||
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
|
||||
@ -1,7 +1,6 @@
|
||||
%define pkidir %{_sysconfdir}/pki
|
||||
%define catrustdir %{_sysconfdir}/pki/ca-trust
|
||||
%define classic_tls_bundle ca-bundle.crt
|
||||
%define openssl_format_trust_bundle ca-bundle.trust.crt
|
||||
%define p11_format_bundle ca-bundle.trust.p11-kit
|
||||
%define legacy_default_bundle ca-bundle.legacy.default.crt
|
||||
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
|
||||
@ -36,13 +35,11 @@ Name: ca-certificates
|
||||
# because all future versions will start with 2013 or larger.)
|
||||
|
||||
Version: 2024.2.69_v8.0.303
|
||||
# On RHEL 8.x, please keep the release version >= 80
|
||||
# When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
|
||||
# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
|
||||
Release: 80.0%{?dist}
|
||||
License: Public Domain
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 102.3%{?dist}
|
||||
License: MIT AND GPL-2.0-or-later
|
||||
|
||||
Group: System Environment/Base
|
||||
URL: https://fedoraproject.org/wiki/CA-Certificates
|
||||
|
||||
#Please always update both certdata.txt and nssckbi.h
|
||||
@ -63,26 +60,26 @@ Source15: README.openssl
|
||||
Source16: README.pem
|
||||
Source17: README.edk2
|
||||
Source18: README.src
|
||||
Source19: README.etcssl
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
Requires(post): bash
|
||||
Requires(post): findutils
|
||||
Requires(post): grep
|
||||
Requires(post): sed
|
||||
Requires(post): coreutils
|
||||
Requires: bash
|
||||
Requires: grep
|
||||
Requires: sed
|
||||
Requires(post): p11-kit >= 0.23.12
|
||||
Requires(post): p11-kit-trust >= 0.23.12
|
||||
Requires: p11-kit >= 0.23.12
|
||||
Requires: p11-kit-trust >= 0.23.12
|
||||
Requires(post): p11-kit-trust >= 0.24
|
||||
Requires: p11-kit-trust >= 0.24
|
||||
|
||||
BuildRequires: perl-interpreter
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: python3
|
||||
BuildRequires: openssl
|
||||
BuildRequires: asciidoc
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: xmlto
|
||||
|
||||
%description
|
||||
This package contains the set of CA certificates chosen by the
|
||||
@ -100,7 +97,7 @@ mkdir %{name}/java
|
||||
pushd %{name}/certs
|
||||
pwd
|
||||
cp %{SOURCE0} .
|
||||
%{__python3} %{SOURCE4} >c2p.log 2>c2p.err
|
||||
python3 %{SOURCE4} >c2p.log 2>c2p.err
|
||||
popd
|
||||
pushd %{name}
|
||||
(
|
||||
@ -171,12 +168,12 @@ popd
|
||||
|
||||
#manpage
|
||||
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
|
||||
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
|
||||
xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
|
||||
asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
|
||||
xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
|
||||
|
||||
cp %{SOURCE9} %{name}/ca-legacy.8.txt
|
||||
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
|
||||
xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
|
||||
asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
|
||||
xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
|
||||
|
||||
|
||||
%install
|
||||
@ -186,15 +183,16 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
|
||||
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
|
||||
@ -209,6 +207,7 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/REA
|
||||
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
|
||||
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
|
||||
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
|
||||
install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README
|
||||
|
||||
install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
|
||||
|
||||
@ -236,29 +235,84 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||
|
||||
# /etc/ssl/certs symlink for 3rd-party tools
|
||||
ln -s ../pki/tls/certs \
|
||||
# Populate %%{catrustdir}/extracted/pem/directory-hash.
|
||||
#
|
||||
# First direct p11-kit-trust.so to the generated bundle (not the one
|
||||
# already present on the build system) with an overriding module
|
||||
# config. Note that we have to use a different config path based on
|
||||
# the current user: if root, ~/.config/pkcs11/modules/* are not read,
|
||||
# while if a regular user, she can't write to /etc.
|
||||
if test "$(id -u)" -eq 0; then
|
||||
trust_module_dir=/etc/pkcs11/modules
|
||||
else
|
||||
trust_module_dir=$HOME/.config/pkcs11/modules
|
||||
fi
|
||||
|
||||
mkdir -p "$trust_module_dir"
|
||||
|
||||
# It is unlikely that the directory would contain any files on a build system,
|
||||
# but let's make sure just in case.
|
||||
if [ -n "$(ls -A "$trust_module_dir")" ]; then
|
||||
echo "Directory $trust_module_dir is not empty. Aborting build!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
|
||||
cat >"$trust_module_config" <<EOF
|
||||
module: p11-kit-trust.so
|
||||
trust-policy: yes
|
||||
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
|
||||
EOF
|
||||
|
||||
# Extract the trust anchors to the directory-hash format.
|
||||
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
|
||||
--purpose server-auth \
|
||||
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
||||
|
||||
# Clean up the temporary module config.
|
||||
rm -f "$trust_module_config"
|
||||
|
||||
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
|
||||
-regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
|
||||
-exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
|
||||
# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
|
||||
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
|
||||
find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
|
||||
-regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
|
||||
|
||||
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
|
||||
|
||||
# /etc/ssl is provided in a Debian compatible form for (bad) code that
|
||||
# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
|
||||
ln -s %{pkidir}/tls/certs \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
|
||||
ln -s /etc/pki/tls/openssl.cnf \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
|
||||
ln -s /etc/pki/tls/ct_log_list.cnf \
|
||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
|
||||
# legacy filenames
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
|
||||
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
|
||||
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
|
||||
ln -s %{catrustdir}/extracted/%{java_bundle} \
|
||||
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
|
||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
|
||||
|
||||
%clean
|
||||
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%pre
|
||||
if [ $1 -gt 1 ] ; then
|
||||
# Remove the old symlinks
|
||||
rm -f %{pkidir}/tls/cert.pem
|
||||
rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
|
||||
|
||||
# Upgrade or Downgrade.
|
||||
# If the classic filename is a regular file, then we are upgrading
|
||||
# from an old package and we will move it to an .rpmsave backup file.
|
||||
@ -290,19 +344,9 @@ if [ $1 -gt 1 ] ; then
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
|
||||
# no backup yet
|
||||
if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
|
||||
# a file exists
|
||||
if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
|
||||
# it's an old regular file, not a link
|
||||
mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
%post
|
||||
#if [ $1 -gt 1 ] ; then
|
||||
# # when upgrading or downgrading
|
||||
@ -328,9 +372,8 @@ fi
|
||||
%{_bindir}/ca-legacy install
|
||||
%{_bindir}/update-ca-trust
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,-)
|
||||
|
||||
# The file .files.txt contains the list of (%ghost )files in the directory-hash
|
||||
%files -f .files.txt
|
||||
%dir %{_sysconfdir}/ssl
|
||||
%dir %{pkidir}/tls
|
||||
%dir %{pkidir}/tls/certs
|
||||
@ -338,7 +381,7 @@ fi
|
||||
%dir %{catrustdir}
|
||||
%dir %{catrustdir}/source
|
||||
%dir %{catrustdir}/source/anchors
|
||||
%dir %{catrustdir}/source/blacklist
|
||||
%dir %{catrustdir}/source/blocklist
|
||||
%dir %{catrustdir}/extracted
|
||||
%dir %{catrustdir}/extracted/pem
|
||||
%dir %{catrustdir}/extracted/openssl
|
||||
@ -346,8 +389,9 @@ fi
|
||||
%dir %{_datadir}/pki
|
||||
%dir %{_datadir}/pki/ca-trust-source
|
||||
%dir %{_datadir}/pki/ca-trust-source/anchors
|
||||
%dir %{_datadir}/pki/ca-trust-source/blacklist
|
||||
%dir %{_datadir}/pki/ca-trust-source/blocklist
|
||||
%dir %{_datadir}/pki/ca-trust-legacy
|
||||
%dir %{catrustdir}/extracted/pem/directory-hash
|
||||
|
||||
%config(noreplace) %{catrustdir}/ca-legacy.conf
|
||||
|
||||
@ -363,14 +407,17 @@ fi
|
||||
%{catrustdir}/source/README
|
||||
|
||||
# symlinks for old locations
|
||||
%{pkidir}/tls/cert.pem
|
||||
%{pkidir}/tls/certs/%{classic_tls_bundle}
|
||||
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
|
||||
%{pkidir}/%{java_bundle}
|
||||
# symlink directory
|
||||
# Hybrid hash directory with bundle file for Debian compatibility
|
||||
# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
|
||||
%{_sysconfdir}/ssl/certs
|
||||
%{_sysconfdir}/ssl/README
|
||||
%{_sysconfdir}/ssl/cert.pem
|
||||
%{_sysconfdir}/ssl/openssl.cnf
|
||||
%{_sysconfdir}/ssl/ct_log_list.cnf
|
||||
|
||||
# master bundle file with trust
|
||||
# primary bundle file with trust
|
||||
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
|
||||
|
||||
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
|
||||
@ -383,41 +430,53 @@ fi
|
||||
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
|
||||
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
|
||||
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
||||
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||
%ghost %{catrustdir}/extracted/%{java_bundle}
|
||||
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
|
||||
|
||||
|
||||
%changelog
|
||||
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2024.2.69_v8.0.303-102.3
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|
||||
*Fri Sep 27 2024 Michel Lind <salimma@centosproject.org> - 2024.2.69_v8.0.303-101.3
|
||||
- Add missing Requires(post) on findutils for update-ca-trust
|
||||
- Resolves: RHEL-60723
|
||||
|
||||
*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.2
|
||||
- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
|
||||
- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
|
||||
|
||||
*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
|
||||
- update-ca-trust: return warnings on a unsupported argument instead of error
|
||||
|
||||
*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
|
||||
- Temporarily generate the directory-hash files in %%install ...(next item)
|
||||
- Add list of ghost files from directory-hash to %%files
|
||||
|
||||
*Mon Aug 19 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
|
||||
- remove base-ci.* tests from gating.yaml
|
||||
|
||||
*Thu Jul 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
|
||||
- Remove blacklist use blocklist-only.
|
||||
- add gating.yaml
|
||||
|
||||
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101
|
||||
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
|
||||
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
|
||||
|
||||
Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-101
|
||||
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
|
||||
- Removing:
|
||||
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
|
||||
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
|
||||
- # Certificate "Security Communication Root CA"
|
||||
- # Certificate "Camerfirma Chambers of Commerce Root"
|
||||
- # Certificate "Hongkong Post Root CA 1"
|
||||
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|
||||
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
|
||||
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
|
||||
- # Certificate "TrustCor RootCert CA-1"
|
||||
- # Certificate "TrustCor RootCert CA-2"
|
||||
- # Certificate "TrustCor ECA-1"
|
||||
- # Certificate "FNMT-RCM"
|
||||
- Adding:
|
||||
- # Certificate "LAWtrust Root CA2 (4096)"
|
||||
- # Certificate "Sectigo Public Email Protection Root E46"
|
||||
- # Certificate "Sectigo Public Email Protection Root R46"
|
||||
- # Certificate "Sectigo Public Server Authentication Root E46"
|
||||
- # Certificate "Sectigo Public Server Authentication Root R46"
|
||||
- # Certificate "SSL.com TLS RSA Root CA 2022"
|
||||
- # Certificate "SSL.com TLS ECC Root CA 2022"
|
||||
- # Certificate "SSL.com Client ECC Root CA 2022"
|
||||
- # Certificate "SSL.com Client RSA Root CA 2022"
|
||||
- # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
|
||||
- # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
|
||||
- # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
|
||||
- # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
|
||||
- # Certificate "TrustAsia Global Root CA G3"
|
||||
- # Certificate "TrustAsia Global Root CA G4"
|
||||
- # Certificate "CommScope Public Trust ECC Root-01"
|
||||
@ -432,16 +491,56 @@ fi
|
||||
- # Certificate "Telekom Security TLS RSA Root 2023"
|
||||
- # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
|
||||
- # Certificate "SECOM Trust.net"
|
||||
- # Certificate "Chambers of Commerce Root"
|
||||
- # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
|
||||
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
|
||||
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
|
||||
|
||||
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2023.2.62_v7.0.401-7
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-4
|
||||
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
|
||||
|
||||
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2023.2.62_v7.0.401-3
|
||||
- Skip %post if getopt is missing (recent change made update-ca-trust use it)
|
||||
|
||||
*Wed Oct 04 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-2
|
||||
- Update to CKBI 2.62_v7.0.401 from NSS 3.93
|
||||
Removing:
|
||||
# Certificate "Camerfirma Chambers of Commerce Root"
|
||||
# Certificate "Hongkong Post Root CA 1"
|
||||
# Certificate "FNMT-RCM"
|
||||
Adding:
|
||||
# Certificate "LAWtrust Root CA2 (4096)"
|
||||
# Certificate "Sectigo Public Email Protection Root E46"
|
||||
# Certificate "Sectigo Public Email Protection Root R46"
|
||||
# Certificate "Sectigo Public Server Authentication Root E46"
|
||||
# Certificate "Sectigo Public Server Authentication Root R46"
|
||||
# Certificate "SSL.com TLS RSA Root CA 2022"
|
||||
# Certificate "SSL.com TLS ECC Root CA 2022"
|
||||
# Certificate "SSL.com Client ECC Root CA 2022"
|
||||
# Certificate "SSL.com Client RSA Root CA 2022"
|
||||
# Certificate "Atos TrustedRoot Root CA ECC G2 2020"
|
||||
# Certificate "Atos TrustedRoot Root CA RSA G2 2020"
|
||||
# Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
|
||||
# Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
|
||||
# Certificate "Chambers of Commerce Root"
|
||||
|
||||
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2023.2.60_v7.0.306-4
|
||||
- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
|
||||
|
||||
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-3
|
||||
- update License: field to SPDX
|
||||
|
||||
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-2
|
||||
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
|
||||
- Removing:
|
||||
- # Certificate "Camerfirma Global Chambersign Root"
|
||||
- # Certificate "Staat der Nederlanden EV Root CA"
|
||||
- # Certificate "OpenTrust Root CA G1"
|
||||
- # Certificate "Swedish Government Root Authority v1"
|
||||
- # Certificate "DigiNotar Root CA G2"
|
||||
@ -476,16 +575,6 @@ fi
|
||||
- # Certificate "Entrust.net Secure Server Certification Authority"
|
||||
- # Certificate "ePKI EV SSL Certification Authority - G1"
|
||||
- Adding:
|
||||
- # Certificate "DigiCert TLS ECC P384 Root G5"
|
||||
- # Certificate "DigiCert TLS RSA4096 Root G5"
|
||||
- # Certificate "DigiCert SMIME ECC P384 Root G5"
|
||||
- # Certificate "DigiCert SMIME RSA4096 Root G5"
|
||||
- # Certificate "Certainly Root R1"
|
||||
- # Certificate "Certainly Root E1"
|
||||
- # Certificate "E-Tugra Global Root CA RSA v3"
|
||||
- # Certificate "E-Tugra Global Root CA ECC v3"
|
||||
- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
|
||||
- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
|
||||
- # Certificate "BJCA Global Root CA1"
|
||||
- # Certificate "BJCA Global Root CA2"
|
||||
- # Certificate "Symantec Enterprise Mobile Root for Microsoft"
|
||||
@ -502,7 +591,6 @@ fi
|
||||
- # Certificate "ComSign CA"
|
||||
- # Certificate "ComSign Secured CA"
|
||||
- # Certificate "ComSign Advanced Security CA"
|
||||
- # Certificate "Global Chambersign Root"
|
||||
- # Certificate "Sonera Class2 CA"
|
||||
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
|
||||
- # Certificate "VeriSign, Inc."
|
||||
@ -517,7 +605,31 @@ fi
|
||||
- # Certificate "GlobalSign Code Signing Root R45"
|
||||
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
|
||||
|
||||
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
|
||||
*Tue Jul 25 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60-3
|
||||
- Fedora mass rebuild
|
||||
|
||||
*Fri Jan 20 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2023.2.60-2
|
||||
- Update to CKBI 2.60 from NSS 3.86
|
||||
- Removing:
|
||||
- # Certificate "Camerfirma Global Chambersign Root"
|
||||
- # Certificate "Staat der Nederlanden EV Root CA"
|
||||
- Adding:
|
||||
- # Certificate "DigiCert TLS ECC P384 Root G5"
|
||||
- # Certificate "DigiCert TLS RSA4096 Root G5"
|
||||
- # Certificate "DigiCert SMIME ECC P384 Root G5"
|
||||
- # Certificate "DigiCert SMIME RSA4096 Root G5"
|
||||
- # Certificate "Certainly Root R1"
|
||||
- # Certificate "Certainly Root E1"
|
||||
- # Certificate "E-Tugra Global Root CA RSA v3"
|
||||
- # Certificate "E-Tugra Global Root CA ECC v3"
|
||||
- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
|
||||
- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
|
||||
- # Certificate "Global Chambersign Root"
|
||||
|
||||
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-5
|
||||
- Update to CKBI 2.54 from NSS 3.79
|
||||
- Removing:
|
||||
- # Certificate "TrustCor ECA-1"
|
||||
@ -538,12 +650,27 @@ fi
|
||||
- # Certificate "Government Root Certification Authority"
|
||||
- # Certificate "AC Raíz Certicámara S.A."
|
||||
|
||||
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
|
||||
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-4
|
||||
- Update to CKBI 2.54 from NSS 3.79
|
||||
|
||||
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
|
||||
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-2
|
||||
- Update to CKBI 2.54 from NSS 3.79
|
||||
- Removing:
|
||||
- # Certificate "GlobalSign Root CA - R2"
|
||||
- # Certificate "DST Root CA X3"
|
||||
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
- Adding:
|
||||
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|
||||
- # Certificate "vTrus ECC Root CA"
|
||||
- # Certificate "vTrus Root CA"
|
||||
- # Certificate "ISRG Root X2"
|
||||
- # Certificate "HiPKI Root CA - G1"
|
||||
- # Certificate "Telia Root CA v2"
|
||||
- # Certificate "D-TRUST BR Root CA 1 2020"
|
||||
- # Certificate "D-TRUST EV Root CA 1 2020"
|
||||
- # Certificate "CAEDICOM Root"
|
||||
- # Certificate "I.CA Root CA/RSA"
|
||||
- # Certificate "MULTICERT Root Certification Authority 01"
|
||||
@ -685,7 +812,6 @@ fi
|
||||
- # Certificate "Certipost E-Trust TOP Root CA"
|
||||
- # Certificate "Certipost E-Trust Primary Qualified CA"
|
||||
- # Certificate "Certipost E-Trust Primary Normalised CA"
|
||||
- # Certificate "Cybertrust Global Root"
|
||||
- # Certificate "GlobalSign"
|
||||
- # Certificate "IGC/A"
|
||||
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
|
||||
@ -759,60 +885,72 @@ fi
|
||||
- # Certificate "HARICA Code Signing ECC Root CA 2021"
|
||||
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
|
||||
|
||||
*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
|
||||
- Update to CKBI 2.54 from NSS 3.79
|
||||
- Removing:
|
||||
- # Certificate "GlobalSign Root CA - R2"
|
||||
- # Certificate "DST Root CA X3"
|
||||
- # Certificate "Cybertrust Global Root"
|
||||
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.52-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
*Mon Dec 13 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.52-2
|
||||
- Update to CKBI 2.52 from NSS 3.72
|
||||
- Adding:
|
||||
- # Certificate "TunTrust Root CA"
|
||||
- # Certificate "HARICA TLS RSA Root CA 2021"
|
||||
- # Certificate "HARICA TLS ECC Root CA 2021"
|
||||
- # Certificate "HARICA Client RSA Root CA 2021"
|
||||
- # Certificate "HARICA Client ECC Root CA 2021"
|
||||
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|
||||
- # Certificate "vTrus ECC Root CA"
|
||||
- # Certificate "vTrus Root CA"
|
||||
- # Certificate "ISRG Root X2"
|
||||
- # Certificate "HiPKI Root CA - G1"
|
||||
- # Certificate "Telia Root CA v2"
|
||||
- # Certificate "D-TRUST BR Root CA 1 2020"
|
||||
- # Certificate "D-TRUST EV Root CA 1 2020"
|
||||
|
||||
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
|
||||
*Mon Dec 6 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-5
|
||||
- integrate Adam William's /etc/ssl/certs with Debian-compatibility
|
||||
- back out blocklist change since p11-kit .24 is not yet available on rawhide
|
||||
|
||||
*Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-4
|
||||
- remove blacklist directory now that pk11-kit is using blocklist
|
||||
|
||||
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.50-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-2
|
||||
- Update to CKBI 2.50 from NSS 3.67
|
||||
- version number update only
|
||||
|
||||
*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
|
||||
- Update to CKBI 2.48 from NSS 3.66
|
||||
- Removing:
|
||||
- # Certificate "QuoVadis Root CA"
|
||||
- # Certificate "Sonera Class 2 Root CA"
|
||||
- # Certificate "Trustis FPS Root CA"
|
||||
- # Certificate "GlobalSign Code Signing Root R45"
|
||||
- # Certificate "GlobalSign Code Signing Root E45"
|
||||
- # Certificate "Halcom Root Certificate Authority"
|
||||
- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
|
||||
- # Certificate "GLOBALTRUST"
|
||||
- # Certificate "MULTICERT Root Certification Authority 01"
|
||||
- # Certificate "Verizon Global Root CA"
|
||||
- # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
|
||||
- # Certificate "CAEDICOM Root"
|
||||
- # Certificate "COMODO Certification Authority"
|
||||
- # Certificate "Security Communication ECC RootCA1"
|
||||
- # Certificate "Security Communication RootCA3"
|
||||
- # Certificate "AC RAIZ DNIE"
|
||||
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
|
||||
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
|
||||
- # Certificate "VeriSign Universal Root Certification Authority"
|
||||
- # Certificate "GeoTrust Global CA"
|
||||
- # Certificate "GeoTrust Primary Certification Authority"
|
||||
- # Certificate "thawte Primary Root CA"
|
||||
- # Certificate "thawte Primary Root CA - G2"
|
||||
- # Certificate "thawte Primary Root CA - G3"
|
||||
- # Certificate "GeoTrust Primary Certification Authority - G3"
|
||||
- # Certificate "GeoTrust Primary Certification Authority - G2"
|
||||
- # Certificate "GeoTrust Universal CA"
|
||||
- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
|
||||
- # Certificate "GLOBALTRUST 2015"
|
||||
- # Certificate "emSign Root CA - G2"
|
||||
- # Certificate "emSign Root CA - C2"
|
||||
- Adding:
|
||||
- # Certificate "GLOBALTRUST 2020"
|
||||
- # Certificate "ANF Secure Server Root CA"
|
||||
- # Certificate "Certum EC-384 CA"
|
||||
- # Certificate "Certum Trusted Root CA"
|
||||
|
||||
*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
|
||||
*Tue May 25 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-2
|
||||
- Update to CKBI 2.48 from NSS 3.64
|
||||
- Removing:
|
||||
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
|
||||
- # Certificate "GeoTrust Global CA"
|
||||
- # Certificate "GeoTrust Universal CA"
|
||||
- # Certificate "GeoTrust Universal CA 2"
|
||||
- # Certificate "QuoVadis Root CA"
|
||||
- # Certificate "Sonera Class 2 Root CA"
|
||||
- # Certificate "Taiwan GRCA"
|
||||
- # Certificate "GeoTrust Primary Certification Authority"
|
||||
- # Certificate "thawte Primary Root CA"
|
||||
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
|
||||
- # Certificate "GeoTrust Primary Certification Authority - G3"
|
||||
- # Certificate "thawte Primary Root CA - G2"
|
||||
- # Certificate "thawte Primary Root CA - G3"
|
||||
- # Certificate "GeoTrust Primary Certification Authority - G2"
|
||||
- # Certificate "VeriSign Universal Root Certification Authority"
|
||||
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
|
||||
- # Certificate "EE Certification Centre Root CA"
|
||||
- # Certificate "LuxTrust Global Root 2"
|
||||
@ -832,56 +970,108 @@ fi
|
||||
- # Certificate "GlobalSign Secure Mail Root E45"
|
||||
- # Certificate "GlobalSign Root R46"
|
||||
- # Certificate "GlobalSign Root E46"
|
||||
- # Certificate "Certum EC-384 CA"
|
||||
- # Certificate "Certum Trusted Root CA"
|
||||
- # Certificate "GlobalSign Code Signing Root R45"
|
||||
- # Certificate "GlobalSign Code Signing Root E45"
|
||||
- # Certificate "Halcom Root Certificate Authority"
|
||||
- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
|
||||
- # Certificate "GLOBALTRUST"
|
||||
- # Certificate "MULTICERT Root Certification Authority 01"
|
||||
- # Certificate "Verizon Global Root CA"
|
||||
- # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
|
||||
- # Certificate "CAEDICOM Root"
|
||||
- # Certificate "COMODO Certification Authority"
|
||||
- # Certificate "Security Communication ECC RootCA1"
|
||||
- # Certificate "Security Communication RootCA3"
|
||||
- # Certificate "AC RAIZ DNIE"
|
||||
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
|
||||
- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
|
||||
- # Certificate "GLOBALTRUST 2015"
|
||||
- # Certificate "emSign Root CA - G2"
|
||||
- # Certificate "emSign Root CA - C2"
|
||||
|
||||
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
|
||||
- fix post issues
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
|
||||
* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
|
||||
- remove unnecessarily divisive terms, take 1.
|
||||
- in ca-certificates there are 3 cases:
|
||||
- 1) master refering to the fedora master branch in the fetch.sh script.
|
||||
- This can only be changed once fedora changes the master branch name.
|
||||
- 2) a reference to the 'master bundle' in this file: this has been changed
|
||||
- to 'primary bundle'.
|
||||
- 3) a couple of blacklist directories owned by this package, but used to
|
||||
- p11-kit. New 'blocklist' directories have been created, but p11-kit
|
||||
- needs to be updated before the old blacklist directories can be removed
|
||||
- and the man pages corrected.
|
||||
|
||||
* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
|
||||
- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
|
||||
- Fix up broken %post and %postinstall scriptlet changes from -2
|
||||
|
||||
* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
|
||||
- Update to CKBI 2.41 from NSS 3.53.0
|
||||
- Removing:
|
||||
- # Certificate "AddTrust Low-Value Services Root"
|
||||
- # Certificate "AddTrust External Root"
|
||||
- # Certificate "Staat der Nederlanden Root CA - G2"
|
||||
|
||||
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
|
||||
- Update versioned dependency on p11-kit
|
||||
|
||||
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
|
||||
- Update to CKBI 2.40 from NSS 3.48
|
||||
- Removing:
|
||||
- # Certificate "UTN USERFirst Email Root CA"
|
||||
- # Certificate "Certplus Class 2 Primary CA"
|
||||
- # Certificate "Deutsche Telekom Root CA 2"
|
||||
- # Certificate "Staat der Nederlanden Root CA - G2"
|
||||
- # Certificate "Swisscom Root CA 2"
|
||||
- # Certificate "Certinomis - Root CA"
|
||||
- Adding:
|
||||
- # Certificate "Entrust Root Certification Authority - G4"
|
||||
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
|
||||
|
||||
*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
|
||||
- Update to CKBI 2.32 from NSS 3.44
|
||||
- Removing:
|
||||
- # Certificate "Visa eCommerce Root"
|
||||
- # Certificate "AC Raiz Certicamara S.A."
|
||||
- # Certificate "ComSign CA"
|
||||
- # Certificate "Certplus Root CA G1"
|
||||
- # Certificate "Certplus Root CA G2"
|
||||
- # Certificate "OpenTrust Root CA G1"
|
||||
- # Certificate "OpenTrust Root CA G2"
|
||||
- # Certificate "OpenTrust Root CA G3"
|
||||
- Adding:
|
||||
- # Certificate "GlobalSign Root CA - R6"
|
||||
- # Certificate "OISTE WISeKey Global Root GC CA"
|
||||
- # Certificate "GTS Root R1"
|
||||
- # Certificate "GTS Root R2"
|
||||
- # Certificate "GTS Root R3"
|
||||
- # Certificate "GTS Root R4"
|
||||
- # Certificate "UCA Global G2 Root"
|
||||
- # Certificate "UCA Extended Validation Root"
|
||||
- # Certificate "Certigna Root CA"
|
||||
- # Certificate "emSign Root CA - G1"
|
||||
- # Certificate "emSign ECC Root CA - G3"
|
||||
- # Certificate "emSign Root CA - C1"
|
||||
- # Certificate "emSign ECC Root CA - C3"
|
||||
- # Certificate "Hongkong Post Root CA 3"
|
||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
|
||||
- Test gating
|
||||
* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
|
||||
- Update to CKBI 2.32 from NSS 3.44
|
||||
Removing:
|
||||
# Certificate "Visa eCommerce Root"
|
||||
# Certificate "AC Raiz Certicamara S.A."
|
||||
# Certificate "Certplus Root CA G1"
|
||||
# Certificate "Certplus Root CA G2"
|
||||
# Certificate "OpenTrust Root CA G1"
|
||||
# Certificate "OpenTrust Root CA G2"
|
||||
# Certificate "OpenTrust Root CA G3"
|
||||
Adding:
|
||||
# Certificate "GTS Root R1"
|
||||
# Certificate "GTS Root R2"
|
||||
# Certificate "GTS Root R3"
|
||||
# Certificate "GTS Root R4"
|
||||
# Certificate "UCA Global G2 Root"
|
||||
# Certificate "UCA Extended Validation Root"
|
||||
# Certificate "Certigna Root CA"
|
||||
# Certificate "emSign Root CA - G1"
|
||||
# Certificate "emSign ECC Root CA - G3"
|
||||
# Certificate "emSign Root CA - C1"
|
||||
# Certificate "emSign ECC Root CA - C3"
|
||||
# Certificate "Hongkong Post Root CA 3"
|
||||
|
||||
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
|
||||
- Use __python3 macro when invoking Python
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
|
||||
- Update to CKBI 2.26 from NSS 3.39
|
||||
|
||||
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
|
||||
- Ported scripts to python3
|
||||
@ -177,6 +177,11 @@ openssl_trust = {
|
||||
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
|
||||
}
|
||||
|
||||
cert_distrust_types = {
|
||||
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
|
||||
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
|
||||
}
|
||||
|
||||
for tobj in objects:
|
||||
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
|
||||
key = tobj['CKA_LABEL'] + printable_serial(tobj)
|
||||
@ -369,6 +374,16 @@ for tobj in objects:
|
||||
f.write("nss-mozilla-ca-policy: true\n")
|
||||
f.write("modifiable: false\n");
|
||||
|
||||
# requires p11-kit >= 0.23.19
|
||||
for t in list(cert_distrust_types.keys()):
|
||||
if t in obj:
|
||||
value = obj[t]
|
||||
if value == 'CK_FALSE':
|
||||
value = bytearray(1)
|
||||
f.write(cert_distrust_types[t] + ": \"")
|
||||
f.write(urllib.parse.quote(value));
|
||||
f.write("\"\n")
|
||||
|
||||
f.write("-----BEGIN CERTIFICATE-----\n")
|
||||
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
|
||||
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
|
||||
1
sources
Normal file
1
sources
Normal file
@ -0,0 +1 @@
|
||||
SHA512 (trust-fixes) = be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09
|
||||
123
update-ca-trust
Executable file
123
update-ca-trust
Executable file
@ -0,0 +1,123 @@
|
||||
#!/bin/sh
|
||||
|
||||
#set -vx
|
||||
set -eu
|
||||
|
||||
# For backwards compatibility reasons, future versions of this script must
|
||||
# support the syntax "update-ca-trust extract" trigger the generation of output
|
||||
# files in $DEST.
|
||||
|
||||
DEST=/etc/pki/ca-trust/extracted
|
||||
DEST_CERTS=/etc/pki/tls/certs
|
||||
|
||||
# Prevent p11-kit from reading user configuration files.
|
||||
export P11_KIT_NO_USER_CONFIG=1
|
||||
|
||||
usage() {
|
||||
fold -s -w 76 >&2 <<-EOF
|
||||
Usage: $0 [extract] [-o DIR|--output=DIR]
|
||||
|
||||
Update the system trust store in $DEST.
|
||||
|
||||
COMMANDS
|
||||
(absent/empty command): Same as the extract command without arguments.
|
||||
|
||||
extract: Instruct update-ca-trust to scan the source configuration in
|
||||
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
|
||||
updated versions of the consolidated configuration files stored below
|
||||
the $DEST directory hierarchy.
|
||||
|
||||
EXTRACT OPTIONS
|
||||
-o DIR, --output=DIR: Write the extracted trust store into the given
|
||||
directory instead of updating $DEST. (Note: This option will not
|
||||
populate the ../pki/tls/certs with the directory-hash symbolic links.)
|
||||
EOF
|
||||
}
|
||||
|
||||
extract() {
|
||||
USER_DEST=
|
||||
|
||||
# can't use getopt here. ca-certificates can't depend on a lot
|
||||
# of other libraries since openssl depends on ca-certificates
|
||||
# just fail when we hand parse
|
||||
|
||||
while [ $# -ne 0 ]; do
|
||||
case "$1" in
|
||||
"-o"|"--output")
|
||||
if [ $# -lt 2 ]; then
|
||||
echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
|
||||
echo >&2
|
||||
exit 1
|
||||
fi
|
||||
USER_DEST=$2
|
||||
shift 2
|
||||
continue
|
||||
;;
|
||||
"--")
|
||||
shift
|
||||
break
|
||||
;;
|
||||
*)
|
||||
echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -n "$USER_DEST" ]; then
|
||||
DEST=$USER_DEST
|
||||
# Attempt to create the directories if they do not exist
|
||||
# yet (rhbz#2241240)
|
||||
/usr/bin/mkdir -p \
|
||||
"$DEST"/openssl \
|
||||
"$DEST"/pem \
|
||||
"$DEST"/java \
|
||||
"$DEST"/edk2
|
||||
fi
|
||||
|
||||
|
||||
# Delete all directory hash symlinks from the cert directory
|
||||
if [ -z "$USER_DEST" ]; then
|
||||
find "$DEST_CERTS" -type l -regextype posix-extended \
|
||||
-regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
|
||||
fi
|
||||
|
||||
# OpenSSL PEM bundle that includes trust flags
|
||||
# (BEGIN TRUSTED CERTIFICATE)
|
||||
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
|
||||
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
|
||||
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
|
||||
/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
|
||||
/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
|
||||
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
|
||||
# by GnuTLS)
|
||||
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
|
||||
|
||||
|
||||
if [ -z "$USER_DEST" ]; then
|
||||
find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
|
||||
-regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
|
||||
target=$(readlink -f "$link")
|
||||
new_link="$DEST_CERTS/$(basename "$link")"
|
||||
ln -s "$target" "$new_link"
|
||||
done
|
||||
fi
|
||||
}
|
||||
if [ $# -lt 1 ]; then
|
||||
set -- extract
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
"extract")
|
||||
shift
|
||||
extract "$@"
|
||||
;;
|
||||
"--help")
|
||||
usage
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage."
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
@ -27,7 +27,7 @@ certificates and associated trust
|
||||
|
||||
SYNOPSIS
|
||||
--------
|
||||
*update-ca-trust* ['COMMAND']
|
||||
*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
|
||||
|
||||
|
||||
DESCRIPTION
|
||||
@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
|
||||
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/
|
||||
* run 'update-ca-trust extract'
|
||||
|
||||
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
|
||||
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
|
||||
* add it as a new file to directory /etc/pki/ca-trust/source/
|
||||
* run 'update-ca-trust extract'
|
||||
|
||||
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
|
||||
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
|
||||
* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
|
||||
* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
|
||||
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
||||
|
||||
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
|
||||
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
|
||||
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
||||
Each certificate will be treated as *trusted* for all purposes.
|
||||
|
||||
In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
|
||||
In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
|
||||
you may install one or multiple certificates in either the DER file
|
||||
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
||||
Each certificate will be treated as *distrusted* for all purposes.
|
||||
@ -214,15 +214,24 @@ server authentication.
|
||||
|
||||
COMMANDS
|
||||
--------
|
||||
(absent/empty command)::
|
||||
Same as the *extract* command described below. (However, the command may
|
||||
print fewer warnings, as this command is being run during rpm package
|
||||
installation, where non-fatal status output is undesired.)
|
||||
(absent/empty command)
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
Same as the *extract* command described below. (However, the command may print
|
||||
fewer warnings, as this command is being run during rpm package installation,
|
||||
where non-fatal status output is undesired.)
|
||||
|
||||
*extract*::
|
||||
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
|
||||
updated versions of the consolidated configuration files stored below
|
||||
the /etc/pki/ca-trust/extracted directory hierarchy.
|
||||
extract
|
||||
~~~~~~~
|
||||
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
|
||||
produce updated versions of the consolidated configuration files stored below
|
||||
the /etc/pki/ca-trust/extracted directory hierarchy.
|
||||
|
||||
EXTRACT OPTIONS
|
||||
^^^^^^^^^^^^^^^
|
||||
*-o DIR*, *--output=DIR*::
|
||||
Write the extracted trust store into the given directory instead of
|
||||
updating /etc/pki/ca-trust/extracted. (Note: This option will not
|
||||
populate the ../pki/tls/certs with the directory-hash symbolic links.)
|
||||
|
||||
FILES
|
||||
-----
|
||||
@ -249,6 +258,9 @@ FILES
|
||||
which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
|
||||
See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
|
||||
|
||||
/etc/pki/tls/certs::
|
||||
Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command.
|
||||
|
||||
AUTHOR
|
||||
------
|
||||
Written by Kai Engert and Stef Walter.
|
||||
Loading…
Reference in New Issue
Block a user