diff --git a/.ca-certificates.metadata b/.ca-certificates.metadata deleted file mode 100644 index ff4bae1..0000000 --- a/.ca-certificates.metadata +++ /dev/null @@ -1 +0,0 @@ -adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SOURCES/trust-fixes diff --git a/.gitignore b/.gitignore index 0d8e86d..b5dfd4e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/trust-fixes +trust-fixes diff --git a/SOURCES/README.edk2 b/README.edk2 similarity index 100% rename from SOURCES/README.edk2 rename to README.edk2 diff --git a/SOURCES/README.etc b/README.etc similarity index 100% rename from SOURCES/README.etc rename to README.etc diff --git a/README.etcssl b/README.etcssl new file mode 100644 index 0000000..e7d9f8c --- /dev/null +++ b/README.etcssl @@ -0,0 +1,20 @@ +This directory (/etc/ssl) is provided as a courtesy attempt to provide +compatibility with software which assumes its existence. It is not a +supported or canonical location. Software which assumes and relies on +the existence and layout of this directory is making a wrong assumption +(this directory is not any kind of 'standard', it is a configuration +detail of Debian and its derivatives) and should be improved. No +software packaged in this distribution should use this directory. + +An attempt is made to make the layout of /etc/ssl/certs match that +provided by Debian: it is an OpenSSL 'CApath'-style hashed directory +of individual certificate files, and also contains a certificate bundle +file named ca-certificates.crt, as Debian does. It also contains a +bundle named ca-bundle.crt, as this distribution has long provided +such a file, and it is possible some software has come to expect its +existence. + +/etc/ssl/certs itself and the bundle files are in fact symlinks to +some of the output of the 'update-ca-trust' script which forms a part +of a system of consolidated CA certificates. Please refer to the +update-ca-trust(8) manual page for additional information. diff --git a/SOURCES/README.extr b/README.extr similarity index 100% rename from SOURCES/README.extr rename to README.extr diff --git a/SOURCES/README.java b/README.java similarity index 100% rename from SOURCES/README.java rename to README.java diff --git a/SOURCES/README.openssl b/README.openssl similarity index 100% rename from SOURCES/README.openssl rename to README.openssl diff --git a/SOURCES/README.pem b/README.pem similarity index 100% rename from SOURCES/README.pem rename to README.pem diff --git a/SOURCES/README.src b/README.src similarity index 100% rename from SOURCES/README.src rename to README.src diff --git a/SOURCES/README.usr b/README.usr similarity index 100% rename from SOURCES/README.usr rename to README.usr diff --git a/SOURCES/update-ca-trust b/SOURCES/update-ca-trust deleted file mode 100644 index fe03ed2..0000000 --- a/SOURCES/update-ca-trust +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh - -#set -vx - -# At this time, while this script is trivial, we ignore any parameters given. -# However, for backwards compatibility reasons, future versions of this script must -# support the syntax "update-ca-trust extract" trigger the generation of output -# files in $DEST. - -DEST=/etc/pki/ca-trust/extracted - -# Prevent p11-kit from reading user configuration files. -export P11_KIT_NO_USER_CONFIG=1 - -# OpenSSL PEM bundle that includes trust flags -# (BEGIN TRUSTED CERTIFICATE) -/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt -/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem -/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem -/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem -/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts -/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin diff --git a/SPECS/ca-certificates.spec b/ca-certificates.spec similarity index 77% rename from SPECS/ca-certificates.spec rename to ca-certificates.spec index a91676d..0e9bfd8 100644 --- a/SPECS/ca-certificates.spec +++ b/ca-certificates.spec @@ -1,7 +1,6 @@ %define pkidir %{_sysconfdir}/pki %define catrustdir %{_sysconfdir}/pki/ca-trust %define classic_tls_bundle ca-bundle.crt -%define openssl_format_trust_bundle ca-bundle.trust.crt %define p11_format_bundle ca-bundle.trust.p11-kit %define legacy_default_bundle ca-bundle.legacy.default.crt %define legacy_disable_bundle ca-bundle.legacy.disable.crt @@ -36,13 +35,11 @@ Name: ca-certificates # because all future versions will start with 2013 or larger.) Version: 2024.2.69_v8.0.303 -# On RHEL 8.x, please keep the release version >= 80 -# When rebasing on Y-Stream (8.y), use 81, 82, 83, ... -# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, .. -Release: 80.0%{?dist} -License: Public Domain +# for Rawhide, please always use release >= 2 +# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) +Release: 102.3%{?dist} +License: MIT AND GPL-2.0-or-later -Group: System Environment/Base URL: https://fedoraproject.org/wiki/CA-Certificates #Please always update both certdata.txt and nssckbi.h @@ -63,26 +60,26 @@ Source15: README.openssl Source16: README.pem Source17: README.edk2 Source18: README.src +Source19: README.etcssl BuildArch: noarch Requires(post): bash +Requires(post): findutils Requires(post): grep Requires(post): sed Requires(post): coreutils Requires: bash Requires: grep Requires: sed -Requires(post): p11-kit >= 0.23.12 -Requires(post): p11-kit-trust >= 0.23.12 -Requires: p11-kit >= 0.23.12 -Requires: p11-kit-trust >= 0.23.12 +Requires(post): p11-kit-trust >= 0.24 +Requires: p11-kit-trust >= 0.24 BuildRequires: perl-interpreter -BuildRequires: python3-devel +BuildRequires: python3 BuildRequires: openssl BuildRequires: asciidoc -BuildRequires: libxslt +BuildRequires: xmlto %description This package contains the set of CA certificates chosen by the @@ -100,7 +97,7 @@ mkdir %{name}/java pushd %{name}/certs pwd cp %{SOURCE0} . - %{__python3} %{SOURCE4} >c2p.log 2>c2p.err + python3 %{SOURCE4} >c2p.log 2>c2p.err popd pushd %{name} ( @@ -171,12 +168,12 @@ popd #manpage cp %{SOURCE10} %{name}/update-ca-trust.8.txt -asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt -xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml +asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt +xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml cp %{SOURCE9} %{name}/ca-legacy.8.txt -asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt -xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml +asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt +xmlto -v -o %{name} man %{name}/ca-legacy.8.xml %install @@ -186,15 +183,16 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors -mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist +mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem +mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors -mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist +mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8 @@ -209,6 +207,7 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/REA install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README +install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle} @@ -236,29 +235,84 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem -touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} -chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin -# /etc/ssl/certs symlink for 3rd-party tools -ln -s ../pki/tls/certs \ +# Populate %%{catrustdir}/extracted/pem/directory-hash. +# +# First direct p11-kit-trust.so to the generated bundle (not the one +# already present on the build system) with an overriding module +# config. Note that we have to use a different config path based on +# the current user: if root, ~/.config/pkcs11/modules/* are not read, +# while if a regular user, she can't write to /etc. +if test "$(id -u)" -eq 0; then + trust_module_dir=/etc/pkcs11/modules +else + trust_module_dir=$HOME/.config/pkcs11/modules +fi + +mkdir -p "$trust_module_dir" + +# It is unlikely that the directory would contain any files on a build system, +# but let's make sure just in case. +if [ -n "$(ls -A "$trust_module_dir")" ]; then + echo "Directory $trust_module_dir is not empty. Aborting build!" + exit 1 +fi + +trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module +cat >"$trust_module_config" < .files.txt +find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \ + -regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt + +sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt + +# /etc/ssl is provided in a Debian compatible form for (bad) code that +# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882 +ln -s %{pkidir}/tls/certs \ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs +ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ + $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem +ln -s /etc/pki/tls/openssl.cnf \ + $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf +ln -s /etc/pki/tls/ct_log_list.cnf \ + $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf # legacy filenames -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle} -ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \ - $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle} ln -s %{catrustdir}/extracted/%{java_bundle} \ $RPM_BUILD_ROOT%{pkidir}/%{java_bundle} +ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ + $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle} +%clean +/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash +rm -rf $RPM_BUILD_ROOT %pre if [ $1 -gt 1 ] ; then + # Remove the old symlinks + rm -f %{pkidir}/tls/cert.pem + rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt + # Upgrade or Downgrade. # If the classic filename is a regular file, then we are upgrading # from an old package and we will move it to an .rpmsave backup file. @@ -290,19 +344,9 @@ if [ $1 -gt 1 ] ; then fi fi fi - - if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then - # no backup yet - if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then - # a file exists - if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then - # it's an old regular file, not a link - mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave - fi - fi - fi fi + %post #if [ $1 -gt 1 ] ; then # # when upgrading or downgrading @@ -328,9 +372,8 @@ fi %{_bindir}/ca-legacy install %{_bindir}/update-ca-trust -%files -%defattr(-,root,root,-) - +# The file .files.txt contains the list of (%ghost )files in the directory-hash +%files -f .files.txt %dir %{_sysconfdir}/ssl %dir %{pkidir}/tls %dir %{pkidir}/tls/certs @@ -338,7 +381,7 @@ fi %dir %{catrustdir} %dir %{catrustdir}/source %dir %{catrustdir}/source/anchors -%dir %{catrustdir}/source/blacklist +%dir %{catrustdir}/source/blocklist %dir %{catrustdir}/extracted %dir %{catrustdir}/extracted/pem %dir %{catrustdir}/extracted/openssl @@ -346,8 +389,9 @@ fi %dir %{_datadir}/pki %dir %{_datadir}/pki/ca-trust-source %dir %{_datadir}/pki/ca-trust-source/anchors -%dir %{_datadir}/pki/ca-trust-source/blacklist +%dir %{_datadir}/pki/ca-trust-source/blocklist %dir %{_datadir}/pki/ca-trust-legacy +%dir %{catrustdir}/extracted/pem/directory-hash %config(noreplace) %{catrustdir}/ca-legacy.conf @@ -363,14 +407,17 @@ fi %{catrustdir}/source/README # symlinks for old locations -%{pkidir}/tls/cert.pem %{pkidir}/tls/certs/%{classic_tls_bundle} -%{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/%{java_bundle} -# symlink directory +# Hybrid hash directory with bundle file for Debian compatibility +# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882 %{_sysconfdir}/ssl/certs +%{_sysconfdir}/ssl/README +%{_sysconfdir}/ssl/cert.pem +%{_sysconfdir}/ssl/openssl.cnf +%{_sysconfdir}/ssl/ct_log_list.cnf -# master bundle file with trust +# primary bundle file with trust %{_datadir}/pki/ca-trust-source/%{p11_format_bundle} %{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle} @@ -383,41 +430,53 @@ fi %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem -%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} %ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/edk2/cacerts.bin - %changelog -*Thu Jul 11 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-80.0 +* Tue Oct 29 2024 Troy Dawson - 2024.2.69_v8.0.303-102.3 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +*Fri Sep 27 2024 Michel Lind - 2024.2.69_v8.0.303-101.3 +- Add missing Requires(post) on findutils for update-ca-trust +- Resolves: RHEL-60723 + +*Wed Aug 28 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-101.2 +- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs +- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default + +*Tue Aug 27 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-101.1 +- update-ca-trust: return warnings on a unsupported argument instead of error + +*Tue Aug 27 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-101.1 +- Temporarily generate the directory-hash files in %%install ...(next item) +- Add list of ghost files from directory-hash to %%files + +*Mon Aug 19 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-101.1 +- remove base-ci.* tests from gating.yaml + +*Thu Jul 18 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-101.1 +- Remove blacklist use blocklist-only. +- add gating.yaml + +*Thu Jul 11 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-101 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1 +- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER + +Wed Jul 03 2024 Frantisek Krenzelok - 2024.2.68_v8.0.302-101 +- Update to CKBI 2.68_v8.0.302 from NSS 3.101 - Removing: - # Certificate "Verisign Class 1 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 2 Public Primary Certification Authority - G3" - # Certificate "Security Communication Root CA" -- # Certificate "Camerfirma Chambers of Commerce Root" -- # Certificate "Hongkong Post Root CA 1" - # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" - # Certificate "Symantec Class 1 Public Primary Certification Authority - G6" - # Certificate "Symantec Class 2 Public Primary Certification Authority - G6" - # Certificate "TrustCor RootCert CA-1" - # Certificate "TrustCor RootCert CA-2" - # Certificate "TrustCor ECA-1" -- # Certificate "FNMT-RCM" - Adding: -- # Certificate "LAWtrust Root CA2 (4096)" -- # Certificate "Sectigo Public Email Protection Root E46" -- # Certificate "Sectigo Public Email Protection Root R46" -- # Certificate "Sectigo Public Server Authentication Root E46" -- # Certificate "Sectigo Public Server Authentication Root R46" -- # Certificate "SSL.com TLS RSA Root CA 2022" -- # Certificate "SSL.com TLS ECC Root CA 2022" -- # Certificate "SSL.com Client ECC Root CA 2022" -- # Certificate "SSL.com Client RSA Root CA 2022" -- # Certificate "Atos TrustedRoot Root CA ECC G2 2020" -- # Certificate "Atos TrustedRoot Root CA RSA G2 2020" -- # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" -- # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" - # Certificate "TrustAsia Global Root CA G3" - # Certificate "TrustAsia Global Root CA G4" - # Certificate "CommScope Public Trust ECC Root-01" @@ -432,16 +491,56 @@ fi - # Certificate "Telekom Security TLS RSA Root 2023" - # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB" - # Certificate "SECOM Trust.net" -- # Certificate "Chambers of Commerce Root" - # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3" - # Certificate "SSL.com Code Signing RSA Root CA 2022" - # Certificate "SSL.com Code Signing ECC Root CA 2022" -*Tue Aug 01 2023 Robert Relyea - 2023.2.60_v7.0.306-80.0 +* Mon Jun 24 2024 Troy Dawson - 2023.2.62_v7.0.401-7 +- Bump release for June 2024 mass rebuild + +* Tue Jan 23 2024 Fedora Release Engineering - 2023.2.62_v7.0.401-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 2023.2.62_v7.0.401-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Oct 09 2023 Robert Relyea 2023.2.62_v7.0.401-4 +- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix + +* Sat Oct 07 2023 Adam Williamson - 2023.2.62_v7.0.401-3 +- Skip %post if getopt is missing (recent change made update-ca-trust use it) + +*Wed Oct 04 2023 Robert Relyea 2023.2.62_v7.0.401-2 + - Update to CKBI 2.62_v7.0.401 from NSS 3.93 + Removing: + # Certificate "Camerfirma Chambers of Commerce Root" + # Certificate "Hongkong Post Root CA 1" + # Certificate "FNMT-RCM" + Adding: + # Certificate "LAWtrust Root CA2 (4096)" + # Certificate "Sectigo Public Email Protection Root E46" + # Certificate "Sectigo Public Email Protection Root R46" + # Certificate "Sectigo Public Server Authentication Root E46" + # Certificate "Sectigo Public Server Authentication Root R46" + # Certificate "SSL.com TLS RSA Root CA 2022" + # Certificate "SSL.com TLS ECC Root CA 2022" + # Certificate "SSL.com Client ECC Root CA 2022" + # Certificate "SSL.com Client RSA Root CA 2022" + # Certificate "Atos TrustedRoot Root CA ECC G2 2020" + # Certificate "Atos TrustedRoot Root CA RSA G2 2020" + # Certificate "Atos TrustedRoot Root CA ECC TLS 2021" + # Certificate "Atos TrustedRoot Root CA RSA TLS 2021" + # Certificate "Chambers of Commerce Root" + +* Fri Sep 29 2023 Clemens Lang - 2023.2.60_v7.0.306-4 +- update-ca-trust: Support --output and non-root operation (rhbz#2241240) + +*Thu Sep 07 2023 Robert Relyea - 2023.2.60_v7.0.306-3 +- update License: field to SPDX + +*Tue Aug 01 2023 Robert Relyea - 2023.2.60_v7.0.306-2 - Update to CKBI 2.60_v7.0.306 from NSS 3.91 - Removing: -- # Certificate "Camerfirma Global Chambersign Root" -- # Certificate "Staat der Nederlanden EV Root CA" - # Certificate "OpenTrust Root CA G1" - # Certificate "Swedish Government Root Authority v1" - # Certificate "DigiNotar Root CA G2" @@ -476,16 +575,6 @@ fi - # Certificate "Entrust.net Secure Server Certification Authority" - # Certificate "ePKI EV SSL Certification Authority - G1" - Adding: -- # Certificate "DigiCert TLS ECC P384 Root G5" -- # Certificate "DigiCert TLS RSA4096 Root G5" -- # Certificate "DigiCert SMIME ECC P384 Root G5" -- # Certificate "DigiCert SMIME RSA4096 Root G5" -- # Certificate "Certainly Root R1" -- # Certificate "Certainly Root E1" -- # Certificate "E-Tugra Global Root CA RSA v3" -- # Certificate "E-Tugra Global Root CA ECC v3" -- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA" -- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA" - # Certificate "BJCA Global Root CA1" - # Certificate "BJCA Global Root CA2" - # Certificate "Symantec Enterprise Mobile Root for Microsoft" @@ -502,7 +591,6 @@ fi - # Certificate "ComSign CA" - # Certificate "ComSign Secured CA" - # Certificate "ComSign Advanced Security CA" -- # Certificate "Global Chambersign Root" - # Certificate "Sonera Class2 CA" - # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" - # Certificate "VeriSign, Inc." @@ -517,7 +605,31 @@ fi - # Certificate "GlobalSign Code Signing Root R45" - # Certificate "Entrust Code Signing Root Certification Authority - CSBR1" -*Thu Jul 28 2022 Bob Relyea - 2022.2.54-80.2 +*Tue Jul 25 2023 Robert Relyea - 2023.2.60-3 +- Fedora mass rebuild + +*Fri Jan 20 2023 Frantisek Krenzelok - 2023.2.60-2 +- Update to CKBI 2.60 from NSS 3.86 +- Removing: +- # Certificate "Camerfirma Global Chambersign Root" +- # Certificate "Staat der Nederlanden EV Root CA" +- Adding: +- # Certificate "DigiCert TLS ECC P384 Root G5" +- # Certificate "DigiCert TLS RSA4096 Root G5" +- # Certificate "DigiCert SMIME ECC P384 Root G5" +- # Certificate "DigiCert SMIME RSA4096 Root G5" +- # Certificate "Certainly Root R1" +- # Certificate "Certainly Root E1" +- # Certificate "E-Tugra Global Root CA RSA v3" +- # Certificate "E-Tugra Global Root CA ECC v3" +- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA" +- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA" +- # Certificate "Global Chambersign Root" + +* Wed Jan 18 2023 Fedora Release Engineering - 2022.2.54-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +*Thu Jul 28 2022 Bob Relyea - 2022.2.54-5 - Update to CKBI 2.54 from NSS 3.79 - Removing: - # Certificate "TrustCor ECA-1" @@ -538,12 +650,27 @@ fi - # Certificate "Government Root Certification Authority" - # Certificate "AC Raíz Certicámara S.A." -*Wed Jul 27 2022 Bob Relyea - 2022.2.54-80.1 +*Wed Jul 27 2022 Bob Relyea - 2022.2.54-4 - Update to CKBI 2.54 from NSS 3.79 -*Fri Jul 15 2022 Bob Relyea - 2022.2.54-80.0 +* Wed Jul 20 2022 Fedora Release Engineering - 2022.2.54-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +*Fri Jul 15 2022 Bob Relyea - 2022.2.54-2 - Update to CKBI 2.54 from NSS 3.79 +- Removing: +- # Certificate "GlobalSign Root CA - R2" +- # Certificate "DST Root CA X3" +- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" - Adding: +- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" +- # Certificate "vTrus ECC Root CA" +- # Certificate "vTrus Root CA" +- # Certificate "ISRG Root X2" +- # Certificate "HiPKI Root CA - G1" +- # Certificate "Telia Root CA v2" +- # Certificate "D-TRUST BR Root CA 1 2020" +- # Certificate "D-TRUST EV Root CA 1 2020" - # Certificate "CAEDICOM Root" - # Certificate "I.CA Root CA/RSA" - # Certificate "MULTICERT Root Certification Authority 01" @@ -685,7 +812,6 @@ fi - # Certificate "Certipost E-Trust TOP Root CA" - # Certificate "Certipost E-Trust Primary Qualified CA" - # Certificate "Certipost E-Trust Primary Normalised CA" -- # Certificate "Cybertrust Global Root" - # Certificate "GlobalSign" - # Certificate "IGC/A" - # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN" @@ -759,60 +885,72 @@ fi - # Certificate "HARICA Code Signing ECC Root CA 2021" - # Certificate "Microsoft Identity Verification Root Certificate Authority 2020" -*Mon Jul 11 2022 Bob Relyea - 2022.2.54-81 -- Update to CKBI 2.54 from NSS 3.79 -- Removing: -- # Certificate "GlobalSign Root CA - R2" -- # Certificate "DST Root CA X3" -- # Certificate "Cybertrust Global Root" -- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" +* Wed Jan 19 2022 Fedora Release Engineering - 2021.2.52-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +*Mon Dec 13 2021 Bob Relyea - 2021.2.52-2 +- Update to CKBI 2.52 from NSS 3.72 - Adding: - # Certificate "TunTrust Root CA" - # Certificate "HARICA TLS RSA Root CA 2021" - # Certificate "HARICA TLS ECC Root CA 2021" - # Certificate "HARICA Client RSA Root CA 2021" - # Certificate "HARICA Client ECC Root CA 2021" -- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" -- # Certificate "vTrus ECC Root CA" -- # Certificate "vTrus Root CA" -- # Certificate "ISRG Root X2" -- # Certificate "HiPKI Root CA - G1" -- # Certificate "Telia Root CA v2" -- # Certificate "D-TRUST BR Root CA 1 2020" -- # Certificate "D-TRUST EV Root CA 1 2020" -*Wed Jun 16 2021 Bob Relyea - 2021.2.50-82 +*Mon Dec 6 2021 Bob Relyea - 2021.2.50-5 +- integrate Adam William's /etc/ssl/certs with Debian-compatibility +- back out blocklist change since p11-kit .24 is not yet available on rawhide + +*Mon Nov 1 2021 Bob Relyea - 2021.2.50-4 +- remove blacklist directory now that pk11-kit is using blocklist + +* Wed Jul 21 2021 Fedora Release Engineering - 2021.2.50-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +*Wed Jun 16 2021 Bob Relyea - 2021.2.50-2 - Update to CKBI 2.50 from NSS 3.67 - - version number update only - -*Fri Jun 11 2021 Bob Relyea - 2021.2.48-82 -- Update to CKBI 2.48 from NSS 3.66 - Removing: -- # Certificate "QuoVadis Root CA" -- # Certificate "Sonera Class 2 Root CA" - # Certificate "Trustis FPS Root CA" +- # Certificate "GlobalSign Code Signing Root R45" +- # Certificate "GlobalSign Code Signing Root E45" +- # Certificate "Halcom Root Certificate Authority" +- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" +- # Certificate "GLOBALTRUST" +- # Certificate "MULTICERT Root Certification Authority 01" +- # Certificate "Verizon Global Root CA" +- # Certificate "Tunisian Root Certificate Authority - TunRootCA2" +- # Certificate "CAEDICOM Root" +- # Certificate "COMODO Certification Authority" +- # Certificate "Security Communication ECC RootCA1" +- # Certificate "Security Communication RootCA3" +- # Certificate "AC RAIZ DNIE" +- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" +- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" +- # Certificate "VeriSign Universal Root Certification Authority" +- # Certificate "GeoTrust Global CA" +- # Certificate "GeoTrust Primary Certification Authority" +- # Certificate "thawte Primary Root CA" +- # Certificate "thawte Primary Root CA - G2" +- # Certificate "thawte Primary Root CA - G3" +- # Certificate "GeoTrust Primary Certification Authority - G3" +- # Certificate "GeoTrust Primary Certification Authority - G2" +- # Certificate "GeoTrust Universal CA" +- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" +- # Certificate "GLOBALTRUST 2015" +- # Certificate "emSign Root CA - G2" +- # Certificate "emSign Root CA - C2" - Adding: - # Certificate "GLOBALTRUST 2020" - # Certificate "ANF Secure Server Root CA" -- # Certificate "Certum EC-384 CA" -- # Certificate "Certum Trusted Root CA" -*Tue Jun 08 2021 Bob Relyea - 2021.2.48-81 +*Tue May 25 2021 Bob Relyea - 2021.2.48-2 - Update to CKBI 2.48 from NSS 3.64 - Removing: - # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" -- # Certificate "GeoTrust Global CA" -- # Certificate "GeoTrust Universal CA" - # Certificate "GeoTrust Universal CA 2" +- # Certificate "QuoVadis Root CA" +- # Certificate "Sonera Class 2 Root CA" - # Certificate "Taiwan GRCA" -- # Certificate "GeoTrust Primary Certification Authority" -- # Certificate "thawte Primary Root CA" -- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" -- # Certificate "GeoTrust Primary Certification Authority - G3" -- # Certificate "thawte Primary Root CA - G2" -- # Certificate "thawte Primary Root CA - G3" -- # Certificate "GeoTrust Primary Certification Authority - G2" -- # Certificate "VeriSign Universal Root Certification Authority" - # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" - # Certificate "EE Certification Centre Root CA" - # Certificate "LuxTrust Global Root 2" @@ -832,56 +970,108 @@ fi - # Certificate "GlobalSign Secure Mail Root E45" - # Certificate "GlobalSign Root R46" - # Certificate "GlobalSign Root E46" +- # Certificate "Certum EC-384 CA" +- # Certificate "Certum Trusted Root CA" +- # Certificate "GlobalSign Code Signing Root R45" +- # Certificate "GlobalSign Code Signing Root E45" +- # Certificate "Halcom Root Certificate Authority" +- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" +- # Certificate "GLOBALTRUST" +- # Certificate "MULTICERT Root Certification Authority 01" +- # Certificate "Verizon Global Root CA" +- # Certificate "Tunisian Root Certificate Authority - TunRootCA2" +- # Certificate "CAEDICOM Root" +- # Certificate "COMODO Certification Authority" +- # Certificate "Security Communication ECC RootCA1" +- # Certificate "Security Communication RootCA3" +- # Certificate "AC RAIZ DNIE" +- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" +- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" +- # Certificate "GLOBALTRUST 2015" +- # Certificate "emSign Root CA - G2" +- # Certificate "emSign Root CA - C2" -*Wed Jun 17 2020 Bob Relyea - 2020.2.41-82 -- fix post issues +* Tue Jan 26 2021 Fedora Release Engineering - 2020.2.41-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild -*Wed Jun 10 2020 Bob Relyea - 2020.2.41-81 +* Wed Jan 13 2021 Bob Relyea - 2020.2.41-6 +- remove unnecessarily divisive terms, take 1. +- in ca-certificates there are 3 cases: +- 1) master refering to the fedora master branch in the fetch.sh script. +- This can only be changed once fedora changes the master branch name. +- 2) a reference to the 'master bundle' in this file: this has been changed +- to 'primary bundle'. +- 3) a couple of blacklist directories owned by this package, but used to +- p11-kit. New 'blocklist' directories have been created, but p11-kit +- needs to be updated before the old blacklist directories can be removed +- and the man pages corrected. + +* Mon Nov 09 2020 Christian Heimes - 2020.2.41-5 +- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619) + +* Mon Jul 27 2020 Fedora Release Engineering - 2020.2.41-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jun 16 2020 Adam Williamson - 2020.2.41-3 +- Fix up broken %post and %postinstall scriptlet changes from -2 + +* Wed Jun 10 2020 Bob Relyea - 2020.2.41-2 - Update to CKBI 2.41 from NSS 3.53.0 - Removing: - # Certificate "AddTrust Low-Value Services Root" - # Certificate "AddTrust External Root" +- # Certificate "Staat der Nederlanden Root CA - G2" + +* Tue Jan 28 2020 Daiki Ueno - 2020.2.40-3 +- Update versioned dependency on p11-kit + +* Wed Jan 22 2020 Daiki Ueno - 2020.2.40-2 +- Update to CKBI 2.40 from NSS 3.48 +- Removing: - # Certificate "UTN USERFirst Email Root CA" - # Certificate "Certplus Class 2 Primary CA" - # Certificate "Deutsche Telekom Root CA 2" -- # Certificate "Staat der Nederlanden Root CA - G2" - # Certificate "Swisscom Root CA 2" - # Certificate "Certinomis - Root CA" - Adding: - # Certificate "Entrust Root Certification Authority - G4" +- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER -*Fri Jun 21 2019 Bob Relyea - 2019.2.32-1 -- Update to CKBI 2.32 from NSS 3.44 -- Removing: -- # Certificate "Visa eCommerce Root" -- # Certificate "AC Raiz Certicamara S.A." -- # Certificate "ComSign CA" -- # Certificate "Certplus Root CA G1" -- # Certificate "Certplus Root CA G2" -- # Certificate "OpenTrust Root CA G1" -- # Certificate "OpenTrust Root CA G2" -- # Certificate "OpenTrust Root CA G3" -- Adding: -- # Certificate "GlobalSign Root CA - R6" -- # Certificate "OISTE WISeKey Global Root GC CA" -- # Certificate "GTS Root R1" -- # Certificate "GTS Root R2" -- # Certificate "GTS Root R3" -- # Certificate "GTS Root R4" -- # Certificate "UCA Global G2 Root" -- # Certificate "UCA Extended Validation Root" -- # Certificate "Certigna Root CA" -- # Certificate "emSign Root CA - G1" -- # Certificate "emSign ECC Root CA - G3" -- # Certificate "emSign Root CA - C1" -- # Certificate "emSign ECC Root CA - C3" -- # Certificate "Hongkong Post Root CA 3" +* Wed Jul 24 2019 Fedora Release Engineering - 2019.2.32-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild -* Fri May 10 2019 Robert Relyea - 2018.2.24-6.1 -- Test gating +* Wed Jun 19 2019 Bob Relyea 2019.2.32-2 + - Update to CKBI 2.32 from NSS 3.44 + Removing: + # Certificate "Visa eCommerce Root" + # Certificate "AC Raiz Certicamara S.A." + # Certificate "Certplus Root CA G1" + # Certificate "Certplus Root CA G2" + # Certificate "OpenTrust Root CA G1" + # Certificate "OpenTrust Root CA G2" + # Certificate "OpenTrust Root CA G3" + Adding: + # Certificate "GTS Root R1" + # Certificate "GTS Root R2" + # Certificate "GTS Root R3" + # Certificate "GTS Root R4" + # Certificate "UCA Global G2 Root" + # Certificate "UCA Extended Validation Root" + # Certificate "Certigna Root CA" + # Certificate "emSign Root CA - G1" + # Certificate "emSign ECC Root CA - G3" + # Certificate "emSign Root CA - C1" + # Certificate "emSign ECC Root CA - C3" + # Certificate "Hongkong Post Root CA 3" -* Mon Aug 13 2018 Tomáš Mráz - 2018.2.24-6 -- Use __python3 macro when invoking Python +* Thu Jan 31 2019 Fedora Release Engineering - 2018.2.26-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Sep 24 2018 Bob Relyea - 2018.2.26-2 +- Update to CKBI 2.26 from NSS 3.39 + +* Thu Jul 12 2018 Fedora Release Engineering - 2018.2.24-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Thu Jun 28 2018 Kai Engert - 2018.2.24-5 - Ported scripts to python3 diff --git a/SOURCES/ca-legacy b/ca-legacy similarity index 100% rename from SOURCES/ca-legacy rename to ca-legacy diff --git a/SOURCES/ca-legacy.8.txt b/ca-legacy.8.txt similarity index 100% rename from SOURCES/ca-legacy.8.txt rename to ca-legacy.8.txt diff --git a/SOURCES/ca-legacy.conf b/ca-legacy.conf similarity index 100% rename from SOURCES/ca-legacy.conf rename to ca-legacy.conf diff --git a/SOURCES/certdata.txt b/certdata.txt similarity index 100% rename from SOURCES/certdata.txt rename to certdata.txt diff --git a/SOURCES/certdata2pem.py b/certdata2pem.py similarity index 96% rename from SOURCES/certdata2pem.py rename to certdata2pem.py index a4f38c2..a52ce9c 100644 --- a/SOURCES/certdata2pem.py +++ b/certdata2pem.py @@ -177,6 +177,11 @@ openssl_trust = { "CKA_TRUST_EMAIL_PROTECTION": "emailProtection", } +cert_distrust_types = { + "CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after", + "CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after", +} + for tobj in objects: if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': key = tobj['CKA_LABEL'] + printable_serial(tobj) @@ -369,6 +374,16 @@ for tobj in objects: f.write("nss-mozilla-ca-policy: true\n") f.write("modifiable: false\n"); + # requires p11-kit >= 0.23.19 + for t in list(cert_distrust_types.keys()): + if t in obj: + value = obj[t] + if value == 'CK_FALSE': + value = bytearray(1) + f.write(cert_distrust_types[t] + ": \"") + f.write(urllib.parse.quote(value)); + f.write("\"\n") + f.write("-----BEGIN CERTIFICATE-----\n") temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64) diff --git a/SOURCES/nssckbi.h b/nssckbi.h similarity index 100% rename from SOURCES/nssckbi.h rename to nssckbi.h diff --git a/sources b/sources new file mode 100644 index 0000000..6982c3c --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (trust-fixes) = be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 diff --git a/update-ca-trust b/update-ca-trust new file mode 100755 index 0000000..fffd2c9 --- /dev/null +++ b/update-ca-trust @@ -0,0 +1,123 @@ +#!/bin/sh + +#set -vx +set -eu + +# For backwards compatibility reasons, future versions of this script must +# support the syntax "update-ca-trust extract" trigger the generation of output +# files in $DEST. + +DEST=/etc/pki/ca-trust/extracted +DEST_CERTS=/etc/pki/tls/certs + +# Prevent p11-kit from reading user configuration files. +export P11_KIT_NO_USER_CONFIG=1 + +usage() { + fold -s -w 76 >&2 <<-EOF + Usage: $0 [extract] [-o DIR|--output=DIR] + + Update the system trust store in $DEST. + + COMMANDS + (absent/empty command): Same as the extract command without arguments. + + extract: Instruct update-ca-trust to scan the source configuration in + /usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce + updated versions of the consolidated configuration files stored below + the $DEST directory hierarchy. + + EXTRACT OPTIONS + -o DIR, --output=DIR: Write the extracted trust store into the given + directory instead of updating $DEST. (Note: This option will not + populate the ../pki/tls/certs with the directory-hash symbolic links.) + EOF +} + +extract() { + USER_DEST= + + # can't use getopt here. ca-certificates can't depend on a lot + # of other libraries since openssl depends on ca-certificates + # just fail when we hand parse + + while [ $# -ne 0 ]; do + case "$1" in + "-o"|"--output") + if [ $# -lt 2 ]; then + echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage." + echo >&2 + exit 1 + fi + USER_DEST=$2 + shift 2 + continue + ;; + "--") + shift + break + ;; + *) + echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage." + exit 1 + ;; + esac + done + + if [ -n "$USER_DEST" ]; then + DEST=$USER_DEST + # Attempt to create the directories if they do not exist + # yet (rhbz#2241240) + /usr/bin/mkdir -p \ + "$DEST"/openssl \ + "$DEST"/pem \ + "$DEST"/java \ + "$DEST"/edk2 + fi + + + # Delete all directory hash symlinks from the cert directory + if [ -z "$USER_DEST" ]; then + find "$DEST_CERTS" -type l -regextype posix-extended \ + -regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \; + fi + + # OpenSSL PEM bundle that includes trust flags + # (BEGIN TRUSTED CERTIFICATE) + /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" + /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem" + /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" + /usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts" + /usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin" + # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and + # by GnuTLS) + /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash" + + + if [ -z "$USER_DEST" ]; then + find "$DEST/pem/directory-hash" -type l -regextype posix-extended \ + -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do + target=$(readlink -f "$link") + new_link="$DEST_CERTS/$(basename "$link")" + ln -s "$target" "$new_link" + done + fi +} +if [ $# -lt 1 ]; then + set -- extract +fi + +case "$1" in + "extract") + shift + extract "$@" + ;; + "--help") + usage + exit 0 + ;; + *) + echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage." + exit 1 + ;; +esac diff --git a/SOURCES/update-ca-trust.8.txt b/update-ca-trust.8.txt similarity index 90% rename from SOURCES/update-ca-trust.8.txt rename to update-ca-trust.8.txt index 93143da..a8c381c 100644 --- a/SOURCES/update-ca-trust.8.txt +++ b/update-ca-trust.8.txt @@ -27,7 +27,7 @@ certificates and associated trust SYNOPSIS -------- -*update-ca-trust* ['COMMAND'] +*update-ca-trust* [extract] [-o 'DIR'|--output='DIR'] DESCRIPTION @@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy. * add it as a new file to directory /etc/pki/ca-trust/source/anchors/ * run 'update-ca-trust extract' -.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then: +.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then: * add it as a new file to directory /etc/pki/ca-trust/source/ * run 'update-ca-trust extract' .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to. * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ -* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ +* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats: @@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. Each certificate will be treated as *trusted* for all purposes. -In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ +In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ you may install one or multiple certificates in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. Each certificate will be treated as *distrusted* for all purposes. @@ -214,15 +214,24 @@ server authentication. COMMANDS -------- -(absent/empty command):: - Same as the *extract* command described below. (However, the command may - print fewer warnings, as this command is being run during rpm package - installation, where non-fatal status output is undesired.) +(absent/empty command) +~~~~~~~~~~~~~~~~~~~~~~ +Same as the *extract* command described below. (However, the command may print +fewer warnings, as this command is being run during rpm package installation, +where non-fatal status output is undesired.) -*extract*:: - Instruct update-ca-trust to scan the <> and produce - updated versions of the consolidated configuration files stored below - the /etc/pki/ca-trust/extracted directory hierarchy. +extract +~~~~~~~ +Instruct update-ca-trust to scan the <> and +produce updated versions of the consolidated configuration files stored below +the /etc/pki/ca-trust/extracted directory hierarchy. + +EXTRACT OPTIONS +^^^^^^^^^^^^^^^ +*-o DIR*, *--output=DIR*:: + Write the extracted trust store into the given directory instead of + updating /etc/pki/ca-trust/extracted. (Note: This option will not + populate the ../pki/tls/certs with the directory-hash symbolic links.) FILES ----- @@ -249,6 +258,9 @@ FILES which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. See section <> for additional details. +/etc/pki/tls/certs:: + Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command. + AUTHOR ------ Written by Kai Engert and Stef Walter.