https://www.ccadb.org/resources
Our normal root certs come from Mozilla, but Mozilla does not evaluate
code signing. Currently code signing is only used by Microsoft .net, so
we need to get code signing certs from Microsoft's code signing list.
The certs in this list will only show up in the code signing lists
or in the general list with only code signing set.
In ca-certificates there are 3 cases:
1) master referring to the fedora master branch in the fetch.sh script.
This can only be changed once fedora changes the master branch name.
2) a reference to the 'master bundle' in this file: this has been changed
to 'primary bundle'.
3) a couple of blacklist directories owned by this package, but used by
p11-kit. New 'blocklist' directories have been created, but p11-kit
needs to be updated before the old blacklist directories can be removed
and the man pages corrected.
The directory /etc/ssl now contains symlinks to cert.pem bundle,
openssl.cnf, and ct_log_list.cnf to provide better cross-distribution
compatibility.
Resolves: rhbz#1895619
This approach had multiple problems. The most obvious is a typo -
it had `%-bindir` instead of `%_bindir`. But you also cannot mix
a %define into a %post script as was being done here, that just
doesn't work, you can't track state between scriptlets like that.
And the `%if` in %posttrans would be resolved at package build
time, not at %posttrans run time. (I think the syntax was wrong
anyway). This whole approach was irredeemably broken.
To get things back to a working state quickly, let's just do it
in a simple-but-dumb way: always run the scripts in %posttrans,
run them in %post if `ln` is available (with the typo fixed).
This means we'll often run them twice, but I don't think that
actually hurts anything. We can refine from here if desired.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Removing:
# Certificate "AddTrust Low-Value Services Root"
# Certificate "AddTrust External Root"
# Certificate "Staat der Nederlanden Root CA - G2"
-Updates several certificates with CKA_SERVER_DISTRUST_AFTER with a data
-Fix circular dependency issue by moving ca-legacy and update-ca-trust to
%posttrans
None of the currently supported distributions need that.
The last one was EL5, which has been EOL for a while.
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
as a preparation to fix bugs in the interaction between p11-kit-trust and
Mozilla applications, such as Firefox, Thunderbird etc.
- Changed update-ca-trust to add comments to extracted PEM format files.
- Added a utility to help with comparing output of the trust dump command.