Commit Graph

145 Commits

Author SHA1 Message Date
Bob Relyea
6d164aedd7 Update tools to pick up code signing certs from the Common CA Database:
https://www.ccadb.org/resources

Our normal root certs come from mozilla, but mozilla does not evaluate
code signing. Currently code signing is only used by Microsoft .net, so
we need to get code signing certs from Microsoft's code signing list.

The certs in this list will only show up in the code signing lists
or in the general list with only code signing set.
2021-05-24 10:49:58 -07:00
Bob Relyea
17e75b4e10 change master to rawhide in fetch.sh to match fedora's new tree arrangement. 2021-03-26 15:45:22 -07:00
Fedora Release Engineering
0fa62ae95f - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-26 01:32:44 +00:00
Bob Relyea
05fc0ccfd2 remove unnecessarily divisive terms, take 1.
in ca-certificates there are 3 cases:
   1) master referring to the fedora master branch in the fetch.sh script.
      This can only be changed once fedora changes the master branch name.
   2) a reference to the 'master bundle' in this file: this has been changed
      to 'primary bundle'.
   3) a couple of blacklist directories owned by this package, but used by
      p11-kit. New 'blocklist' directories have been created, but p11-kit
      needs to be updated before the old blacklist directories can be removed
      and the man pages corrected.
2021-01-12 13:50:47 -08:00
Christian Heimes
9bd23da27f Add cross-distro compatibility symlinks
The directory /etc/ssl now contains symlinks to cert.pem bundle,
openssl.cnf, and ct_log_list.cnf to provide better cross-distribution
compatibility.

Resolves: rhbz#1895619
2020-11-10 10:59:19 +01:00
Fedora Release Engineering
5221e001cb - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-27 13:33:08 +00:00
Adam Williamson
5f1176f65b Fix up broken %post and %postinstall scriptlet changes from -2 2020-06-16 12:49:50 -07:00
Adam Williamson
a430e4124c Simplify the %post and %postinstall script stuff, it was broken
This approach had multiple problems. The most obvious is a typo -
it had `%-bindir` instead of `%_bindir`. But you also cannot mix
a %define into a %post script as was being done here, that just
doesn't work, you can't track state between scriptlets like that.
And the `%if` in %posttrans would be resolved at package build
time, not at %posttrans run time. (I think the syntax was wrong
anyway). This whole approach was irredeemably broken.

To get things back to a working state quickly, let's just do it
in a simple-but-dumb way: always run the scripts in %posttrans,
run them in %post if `ln` is available (with the typo fixed).
This means we'll often run them twice, but I don't think that
actually hurts anything. We can refine from here if desired.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-06-16 12:43:54 -07:00
Bob Relyea
34155d6cbe Fix unclosed if 2020-06-10 12:50:35 -07:00
Bob Relyea
9a68b05c60 Update to CKBI 2.41 from NSS 3.53.0
Removing:
    # Certificate "AddTrust Low-Value Services Root"
    # Certificate "AddTrust External Root"
    # Certificate "Staat der Nederlanden Root CA - G2"

-Updates several certificates with CKA_SERVER_DISTRUST_AFTER with a date
-Fix circular dependency issue by moving ca-legacy and update-ca-trust to
 %posttrans
2020-06-10 12:45:49 -07:00
Daiki Ueno
00da4d0e2a Update versioned dependency on p11-kit 2020-01-28 08:49:10 +01:00
Daiki Ueno
eaf3ef8b6b Update to CKBI 2.40 from NSS 3.48 2020-01-22 10:56:12 +01:00
Daiki Ueno
6aec97d9bd certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
This allows to follow upcoming changes in certdata.txt:
https://bugzilla.mozilla.org/show_bug.cgi?id=1465613

Signed-off-by: Daiki Ueno <dueno@redhat.com>
2019-12-04 10:53:31 +01:00
Fedora Release Engineering
8702798203 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-24 19:46:15 +00:00
Bob Relyea
605570b71e Resolves: rhbz#1722213
- Update to CKBI 2.32 from NSS 3.44
   Removing:
    # Certificate "Visa eCommerce Root"
    # Certificate "AC Raiz Certicamara S.A."
    # Certificate "Certplus Root CA G1"
    # Certificate "Certplus Root CA G2"
    # Certificate "OpenTrust Root CA G1"
    # Certificate "OpenTrust Root CA G2"
    # Certificate "OpenTrust Root CA G3"
   Adding:
    # Certificate "GTS Root R1"
    # Certificate "GTS Root R2"
    # Certificate "GTS Root R3"
    # Certificate "GTS Root R4"
    # Certificate "UCA Global G2 Root"
    # Certificate "UCA Extended Validation Root"
    # Certificate "Certigna Root CA"
    # Certificate "emSign Root CA - G1"
    # Certificate "emSign ECC Root CA - G3"
    # Certificate "emSign Root CA - C1"
    # Certificate "emSign ECC Root CA - C3"
    # Certificate "Hongkong Post Root CA 3"
2019-06-19 10:17:16 -07:00
Fedora Release Engineering
4f5bce3dc2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-01-31 15:07:07 +00:00
Igor Gnatenko
6947c0bb5e Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:23:57 +01:00
Robert Relyea
f4842fa2d8 Fix stray commit character that turned a comment into an invalid rpm directive 2018-09-24 17:53:39 -07:00
Robert Relyea
439a513c7a Update ca-certificates to 2.26 from NSS 3.39 2018-09-24 17:18:53 -07:00
Fedora Release Engineering
46d2f25804 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-12 21:28:32 +00:00
Paul Wouters
31ba2e4690 packaging: remove obsolete defattr line 2018-07-03 15:36:24 -04:00
Kai Engert
1a2c011ba4 Ported scripts to python3 2018-06-28 22:36:01 +02:00
Kai Engert
34c0da9058 edk2 requires p11-kit >= 0.23.10 2018-06-11 16:08:26 +02:00
Daiki Ueno
6220683f76 Extract certificate bundle in EDK2 format 2018-06-11 14:05:57 +02:00
Kai Engert
398639612c Adjust ghost file permissions, rhbz#1564432 2018-06-04 15:19:58 +02:00
Kai Engert
342574ec95 Update to CKBI 2.24 from NSS 3.37 2018-05-18 13:05:43 +02:00
Iryna Shcherbina
77a1f2aa46 Update Python 2 dependency declarations to new packaging standards 2018-03-15 00:20:54 +01:00
Patrick Uiterwijk
09838f0deb Add dep on coreutils for ln(1) in %post
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2018-02-23 23:02:30 +01:00
Igor Gnatenko
44ff50bbce Remove %clean section
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 07:53:59 +01:00
Kai Engert
a77bc273de Update to CKBI 2.22 from NSS 3.35 2018-02-06 14:42:09 +01:00
Kai Engert
756b8b4c69 Depend on bash, grep, sed. Required for ca-legacy script execution.
p11-kit is already required at %%post execution time. (rhbz#1537127)
2018-01-22 15:35:38 +01:00
Kai Engert
4d1e9c779d Use the force, script! (Which sln did by default). 2018-01-19 13:14:55 +01:00
Kai Engert
201f66b36b Stop using sln in ca-legacy script. 2018-01-19 13:07:06 +01:00
Kai Engert
078e3f0b9b Use ln -s, because sln was removed from glibc. rhbz#1536349 2018-01-19 12:57:53 +01:00
Kai Engert
e3a2f67722 Update to CKBI 2.20 from NSS 3.34.1 2017-11-27 21:37:37 +01:00
Bruno Goncalves
5fae916208 Add CI tests using the standard test interface 2017-09-25 11:03:21 +02:00
Kai Engert
6b317cb305 Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/ca-certificates 2017-08-15 15:41:33 +02:00
Kai Engert
7a69d0d22f - Set P11_KIT_NO_USER_CONFIG=1 to prevent p11-kit from reading user configuration files (rhbz#1478172). 2017-08-15 15:39:45 +02:00
Fedora Release Engineering
c735381906 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-26 04:24:01 +00:00
Kai Engert
7accaab619 Update to (yet unreleased) CKBI 2.16 which is planned for NSS 3.32. Mozilla removed all trust bits for code signing. 2017-07-19 11:40:38 +02:00
Petr Písař
a2a1b6c64d perl dependency renamed to perl-interpreter <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules> 2017-07-12 14:05:20 +02:00
Kai Engert
6cea01c4b1 Update to CKBI 2.14 from NSS 3.30.2 2017-04-26 14:37:22 +02:00
Kai Engert
c1c275770a For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true
Set attribute modifiable: false
Require p11-kit 0.23.4
2017-02-23 19:39:46 +01:00
Kai Engert
f0b0be2c1f - Changed the packaged bundle to use the flexible p11-kit-object-v1 file format,
  as a preparation to fix bugs in the interaction between p11-kit-trust and
  Mozilla applications, such as Firefox, Thunderbird etc.
- Changed update-ca-trust to add comments to extracted PEM format files.
- Added a utility to help with comparing output of the trust dump command.
2017-02-13 21:04:08 +01:00
Fedora Release Engineering
b1bece42f2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 2017-02-10 07:11:28 +00:00
Kai Engert
1926916bb3 Update to CKBI 2.11 from NSS 3.28.1 2017-01-11 14:16:31 +01:00
Kai Engert
00af3f958b Update to CKBI 2.10 from NSS 3.27 2016-10-04 19:54:47 +02:00
Kai Engert
552fa4a6d3 Revert to the unmodified upstream CA list, changing the legacy trust to an empty list. Keeping the ca-legacy tool and existing config, however, the configuration has no effect after this change. 2016-08-18 14:11:51 +02:00
Kai Engert
02204a071d Update to CKBI 2.9 from NSS 3.26 with legacy modifications 2016-08-16 18:51:35 +02:00
Kai Engert
54fae46d1e Update to CKBI 2.8 from NSS 3.25 with legacy modifications 2016-07-15 13:44:08 +02:00