Bob Relyea
6d222498e8
Update to CKBI 2.50 from NSS 3.67
Removing:
# Certificate "Trustis FPS Root CA"
# Certificate "GlobalSign Code Signing Root R45"
# Certificate "GlobalSign Code Signing Root E45"
# Certificate "Halcom Root Certificate Authority"
# Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
# Certificate "GLOBALTRUST"
# Certificate "MULTICERT Root Certification Authority 01"
# Certificate "Verizon Global Root CA"
# Certificate "Tunisian Root Certificate Authority - TunRootCA2"
# Certificate "CAEDICOM Root"
# Certificate "COMODO Certification Authority"
# Certificate "Security Communication ECC RootCA1"
# Certificate "Security Communication RootCA3"
# Certificate "AC RAIZ DNIE"
# Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
# Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
# Certificate "VeriSign Universal Root Certification Authority"
# Certificate "GeoTrust Global CA"
# Certificate "GeoTrust Primary Certification Authority"
# Certificate "thawte Primary Root CA"
# Certificate "thawte Primary Root CA - G2"
# Certificate "thawte Primary Root CA - G3"
# Certificate "GeoTrust Primary Certification Authority - G3"
# Certificate "GeoTrust Primary Certification Authority - G2"
# Certificate "GeoTrust Universal CA"
# Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
# Certificate "GLOBALTRUST 2015"
# Certificate "emSign Root CA - G2"
# Certificate "emSign Root CA - C2"
Adding:
# Certificate "GLOBALTRUST 2020"
# Certificate "ANF Secure Server Root CA"
2021-06-16 13:32:35 -07:00
Bob Relyea
c4c1a32e95
Add code to pull in object signing certs from Common CA Database (ccadb.org).
Fix the updated merge scripts to handle this.
Prune Expired certificates from certdata.txt and the object signing cert list
Update to CKBI 2.48 from NSS 3.64
Removing:
# Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
# Certificate "GeoTrust Universal CA 2"
# Certificate "QuoVadis Root CA"
# Certificate "Sonera Class 2 Root CA"
# Certificate "Taiwan GRCA"
# Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
# Certificate "EE Certification Centre Root CA"
# Certificate "LuxTrust Global Root 2"
# Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
# Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
Adding:
# Certificate "Microsoft ECC Root Certificate Authority 2017"
# Certificate "Microsoft RSA Root Certificate Authority 2017"
# Certificate "e-Szigno Root CA 2017"
# Certificate "certSIGN Root CA G2"
# Certificate "Trustwave Global Certification Authority"
# Certificate "Trustwave Global ECC P256 Certification Authority"
# Certificate "Trustwave Global ECC P384 Certification Authority"
# Certificate "NAVER Global Root Certification Authority"
# Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
# Certificate "GlobalSign Secure Mail Root R45"
# Certificate "GlobalSign Secure Mail Root E45"
# Certificate "GlobalSign Root R46"
# Certificate "GlobalSign Root E46"
# Certificate "Certum EC-384 CA"
# Certificate "Certum Trusted Root CA"
# Certificate "GlobalSign Code Signing Root R45"
# Certificate "GlobalSign Code Signing Root E45"
# Certificate "Halcom Root Certificate Authority"
# Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
# Certificate "GLOBALTRUST"
# Certificate "MULTICERT Root Certification Authority 01"
# Certificate "Verizon Global Root CA"
# Certificate "Tunisian Root Certificate Authority - TunRootCA2"
# Certificate "CAEDICOM Root"
# Certificate "COMODO Certification Authority"
# Certificate "Security Communication ECC RootCA1"
# Certificate "Security Communication RootCA3"
# Certificate "AC RAIZ DNIE"
# Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
# Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
# Certificate "GLOBALTRUST 2015"
# Certificate "emSign Root CA - G2"
# Certificate "emSign Root CA - C2"
2021-05-25 16:48:57 -07:00
Bob Relyea
6d164aedd7
Update tools to pick up code signing certs from the Common CA Database:
https://www.ccadb.org/resources
Our normal root certs come from mozilla, but mozilla does not evaluate
code signing. Currently code signing is only used by Microsoft .net, so
we need to get code signing certs from Microsoft's code signing list.
The certs in this list will only show up in the code signing lists
or in the general list with only code signing set.
2021-05-24 10:49:58 -07:00
Bob Relyea
17e75b4e10
change master to rawhide in fetch.sh to match fedora's new tree arrangement.
2021-03-26 15:45:22 -07:00
Fedora Release Engineering
0fa62ae95f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-26 01:32:44 +00:00
Bob Relyea
05fc0ccfd2
remove unnecessarily divisive terms, take 1.
in ca-certificates there are 3 cases:
1) master referring to the fedora master branch in the fetch.sh script.
This can only be changed once fedora changes the master branch name.
2) a reference to the 'master bundle' in this file: this has been changed
to 'primary bundle'.
3) a couple of blacklist directories owned by this package, but used by
p11-kit. New 'blocklist' directories have been created, but p11-kit
needs to be updated before the old blacklist directories can be removed
and the man pages corrected.
2021-01-12 13:50:47 -08:00
Christian Heimes
9bd23da27f
Add cross-distro compatibility symlinks
The directory /etc/ssl now contains symlinks to cert.pem bundle,
openssl.cnf, and ct_log_list.cnf to provide better cross-distribution
compatibility.
Resolves: rhbz#1895619
2020-11-10 10:59:19 +01:00
Fedora Release Engineering
5221e001cb
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-27 13:33:08 +00:00
Adam Williamson
5f1176f65b
Fix up broken %post and %postinstall scriptlet changes from -2
2020-06-16 12:49:50 -07:00
Adam Williamson
a430e4124c
Simplify the %post and %postinstall script stuff, it was broken
This approach had multiple problems. The most obvious is a typo -
it had `%-bindir` instead of `%_bindir`. But you also cannot mix
a %define into a %post script as was being done here, that just
doesn't work, you can't track state between scriptlets like that.
And the `%if` in %posttrans would be resolved at package build
time, not at %posttrans run time. (I think the syntax was wrong
anyway). This whole approach was irredeemably broken.
To get things back to a working state quickly, let's just do it
in a simple-but-dumb way: always run the scripts in %posttrans,
run them in %post if `ln` is available (with the typo fixed).
This means we'll often run them twice, but I don't think that
actually hurts anything. We can refine from here if desired.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
2020-06-16 12:43:54 -07:00
Bob Relyea
34155d6cbe
Fix unclosed if
2020-06-10 12:50:35 -07:00
Bob Relyea
9a68b05c60
Update to CKBI 2.41 from NSS 3.53.0
Removing:
# Certificate "AddTrust Low-Value Services Root"
# Certificate "AddTrust External Root"
# Certificate "Staat der Nederlanden Root CA - G2"
-Updates several certificates with CKA_SERVER_DISTRUST_AFTER with a date
-Fix circular dependency issue by moving ca-legacy and update-ca-trust to
%posttrans
2020-06-10 12:45:49 -07:00
Daiki Ueno
00da4d0e2a
Update versioned dependency on p11-kit
2020-01-28 08:49:10 +01:00
Daiki Ueno
eaf3ef8b6b
Update to CKBI 2.40 from NSS 3.48
2020-01-22 10:56:12 +01:00
Daiki Ueno
6aec97d9bd
certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
This allows following upcoming changes in certdata.txt:
https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2019-12-04 10:53:31 +01:00
Fedora Release Engineering
8702798203
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-24 19:46:15 +00:00
Bob Relyea
605570b71e
Resolves: rhbz#1722213
- Update to CKBI 2.32 from NSS 3.44
Removing:
# Certificate "Visa eCommerce Root"
# Certificate "AC Raiz Certicamara S.A."
# Certificate "Certplus Root CA G1"
# Certificate "Certplus Root CA G2"
# Certificate "OpenTrust Root CA G1"
# Certificate "OpenTrust Root CA G2"
# Certificate "OpenTrust Root CA G3"
Adding:
# Certificate "GTS Root R1"
# Certificate "GTS Root R2"
# Certificate "GTS Root R3"
# Certificate "GTS Root R4"
# Certificate "UCA Global G2 Root"
# Certificate "UCA Extended Validation Root"
# Certificate "Certigna Root CA"
# Certificate "emSign Root CA - G1"
# Certificate "emSign ECC Root CA - G3"
# Certificate "emSign Root CA - C1"
# Certificate "emSign ECC Root CA - C3"
# Certificate "Hongkong Post Root CA 3"
2019-06-19 10:17:16 -07:00
Fedora Release Engineering
4f5bce3dc2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-01-31 15:07:07 +00:00
Igor Gnatenko
6947c0bb5e
Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:23:57 +01:00
Robert Relyea
f4842fa2d8
Fix stray commit character that turned a comment into an invalid rpm directive
2018-09-24 17:53:39 -07:00
Robert Relyea
439a513c7a
Update ca-certificates to 2.26 from NSS 3.39
2018-09-24 17:18:53 -07:00
Fedora Release Engineering
46d2f25804
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-12 21:28:32 +00:00
Paul Wouters
31ba2e4690
packaging: remove obsolete defattr line
2018-07-03 15:36:24 -04:00
Kai Engert
1a2c011ba4
Ported scripts to python3
2018-06-28 22:36:01 +02:00
Kai Engert
34c0da9058
edk2 requires p11-kit >= 0.23.10
2018-06-11 16:08:26 +02:00
Daiki Ueno
6220683f76
Extract certificate bundle in EDK2 format
2018-06-11 14:05:57 +02:00
Kai Engert
398639612c
Adjust ghost file permissions, rhbz#1564432
2018-06-04 15:19:58 +02:00
Kai Engert
342574ec95
Update to CKBI 2.24 from NSS 3.37
2018-05-18 13:05:43 +02:00
Iryna Shcherbina
77a1f2aa46
Update Python 2 dependency declarations to new packaging standards
2018-03-15 00:20:54 +01:00
Patrick Uiterwijk
09838f0deb
Add dep on coreutils for ln(1) in %post
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2018-02-23 23:02:30 +01:00
Igor Gnatenko
44ff50bbce
Remove %clean section
None of the currently supported distributions need that.
The last one was EL5, which has been EOL for a while.
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 07:53:59 +01:00
Kai Engert
a77bc273de
Update to CKBI 2.22 from NSS 3.35
2018-02-06 14:42:09 +01:00
Kai Engert
756b8b4c69
Depend on bash, grep, sed. Required for ca-legacy script execution.
p11-kit is already required at %%post execution time. (rhbz#1537127)
2018-01-22 15:35:38 +01:00
Kai Engert
4d1e9c779d
Use the force, script! (Which sln did by default).
2018-01-19 13:14:55 +01:00
Kai Engert
201f66b36b
Stop using sln in ca-legacy script.
2018-01-19 13:07:06 +01:00
Kai Engert
078e3f0b9b
Use ln -s, because sln was removed from glibc. rhbz#1536349
2018-01-19 12:57:53 +01:00
Kai Engert
e3a2f67722
Update to CKBI 2.20 from NSS 3.34.1
2017-11-27 21:37:37 +01:00
Bruno Goncalves
5fae916208
Add CI tests using the standard test interface
2017-09-25 11:03:21 +02:00
Kai Engert
6b317cb305
Merge branch 'master' of ssh://pkgs.fedoraproject.org/rpms/ca-certificates
2017-08-15 15:41:33 +02:00
Kai Engert
7a69d0d22f
- Set P11_KIT_NO_USER_CONFIG=1 to prevent p11-kit from reading user configuration files (rhbz#1478172).
2017-08-15 15:39:45 +02:00
Fedora Release Engineering
c735381906
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
2017-07-26 04:24:01 +00:00
Kai Engert
7accaab619
Update to (yet unreleased) CKBI 2.16 which is planned for NSS 3.32. Mozilla removed all trust bits for code signing.
2017-07-19 11:40:38 +02:00
Petr Písař
a2a1b6c64d
perl dependency renamed to perl-interpreter < https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules >
2017-07-12 14:05:20 +02:00
Kai Engert
6cea01c4b1
Update to CKBI 2.14 from NSS 3.30.2
2017-04-26 14:37:22 +02:00
Kai Engert
c1c275770a
For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true
Set attribute modifiable: false
Require p11-kit 0.23.4
2017-02-23 19:39:46 +01:00
Kai Engert
f0b0be2c1f
- Changed the packaged bundle to use the flexible p11-kit-object-v1 file format,
as a preparation to fix bugs in the interaction between p11-kit-trust and
Mozilla applications, such as Firefox, Thunderbird etc.
- Changed update-ca-trust to add comments to extracted PEM format files.
- Added a utility to help with comparing output of the trust dump command.
2017-02-13 21:04:08 +01:00
Fedora Release Engineering
b1bece42f2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
2017-02-10 07:11:28 +00:00
Kai Engert
1926916bb3
Update to CKBI 2.11 from NSS 3.28.1
2017-01-11 14:16:31 +01:00
Kai Engert
00af3f958b
Update to CKBI 2.10 from NSS 3.27
2016-10-04 19:54:47 +02:00
Kai Engert
552fa4a6d3
Revert to the unmodified upstream CA list, changing the legacy trust to an empty list. Keeping the ca-legacy tool and existing config, however, the configuration has no effect after this change.
2016-08-18 14:11:51 +02:00