Commit Graph

86 Commits

Author SHA1 Message Date
Kai Engert
b2076a019e Update to CKBI 2.4 from NSS 3.18.1 with legacy modifications 2015-05-05 20:18:08 +02:00
Kai Engert
41111200ad Fixed a typo in the ca-legacy manual page. 2015-05-05 17:27:27 +02:00
Kai Engert
40d3667f3c rename legacy=enable to legacy=default and related changes; add ca-legacy man page; handle absent configuration in ca-legacy 2015-03-31 23:02:57 +02:00
Kai Engert
b18dd49764 Update to CKBI 2.3 from NSS 3.18 with legacy modifications 2015-03-20 22:12:01 +01:00
Kai Engert
ca86efd661 Update the documented differences from upstream 2.2 2015-03-20 21:49:48 +01:00
Kai Engert
b1d00ef388 Fix mistakes in the legacy handling of the upstream 2.1 and 2.2 releases 2015-03-20 21:23:05 +01:00
Kai Engert
053dde8a2f - Update to CKBI 2.2 from NSS 3.17.3 with legacy modifications 2014-12-16 22:09:03 +01:00
Kai Engert
3837ff2e4e Add a patch to document the changes from upstream version 2.1 2014-12-16 19:42:43 +01:00
Kai Engert
a1c2aece67 update project URL 2014-11-21 16:29:39 +01:00
Kai Engert
99c1a4b448 remove the obsolete blacklist.txt file 2014-11-20 17:24:17 +01:00
Kai Engert
f9355b7943 remove the unnecessary entry in trust-fixes, because we no longer ship the old entrust root (it got replaced with one that contains the basic constraints extension) 2014-11-20 17:22:39 +01:00
Peter Lemenkov
0c19add667 Restore Requires: coreutils
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
2014-11-15 08:11:39 +03:00
Peter Lemenkov
d8e353c1d2 A proper fix for #1158343
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
2014-11-14 18:33:00 +03:00
Kai Engert
d7defefea7 add Requires: coreutils (rhbz#1158343) 2014-10-29 12:14:57 +01:00
Kai Engert
e24bfeb6b0 - Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
By default, legacy roots required for OpenSSL/GnuTLS compatibility
  are kept enabled. Using the ca-legacy utility, the legacy roots can be
  disabled. If disabled, the system will use the trust set as provided
  by the upstream Mozilla CA list. (See also: rhbz#1158197)
2014-10-28 20:54:15 +01:00
Kai Engert
f81c301d27 - Temporarily re-enable several legacy root CA certificates because of
compatibility issues with software based on OpenSSL/GnuTLS,
  see rhbz#1144808
2014-09-21 10:33:16 +02:00
Kai Engert
18eedda612 - Update to CKBI 2.1 from NSS 3.16.4
- Fix rhbz#1130226
2014-08-14 17:06:04 +02:00
Dennis Gilmore
b0943c5cc0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-06 22:50:54 -05:00
Kai Engert
f176bca921 Update to CKBI 1.97 from NSS 3.16 2014-03-19 11:30:07 +01:00
Kai Engert
4a1396fc65 Merge branch 'master' of ssh://pkgs.fedoraproject.org/ca-certificates
Conflicts:
	ca-certificates.spec
2014-02-10 20:15:14 +01:00
Kai Engert
278ac24070 remove openjdk build requirement 2014-02-10 20:13:22 +01:00
Ville Skyttä
a14dcb43a0 Own the %{_datadir}/pki dir. 2014-01-25 20:39:23 +02:00
Kai Engert
5df4185c4d * Thu Jan 09 2014 Kai Engert <kaie@redhat.com> - 2013.1.96-1
- Update to CKBI 1.96 from NSS 3.15.4
2014-01-09 17:38:04 +01:00
Kai Engert
9a4d41a78e * Tue Dec 17 2013 Kai Engert <kaie@redhat.com> - 2013.1.95-1
- Update to CKBI 1.95 from NSS 3.15.3.1
2013-12-17 18:51:16 +01:00
Kai Engert
10e748b11e The PKCS#11 attributes of a stapled extension changed slightly
during the 0.19.x releases. This was due to specification work on
the 'Storing Trust Policy' document. Patch by Stef Walter.
Resolves: rhbz#988745
2013-09-06 17:22:25 +02:00
Kai Engert
e3e96c2ad9 - merge manual improvement from f19 2013-09-03 13:32:18 +02:00
Kai Engert
ec67e63d7a Merge branch 'master' of ssh://pkgs.fedoraproject.org/ca-certificates
Conflicts:
	ca-certificates.spec
2013-09-03 13:07:33 +02:00
Dennis Gilmore
04d3dc5036 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild 2013-08-02 23:13:50 -05:00
Kai Engert
ed9b40a653 - improve manpage 2013-07-17 15:39:41 +02:00
Kai Engert
540618e93b - clarification updates to manual page 2013-07-09 12:50:17 +02:00
Kai Engert
9ac574b7ef - added a manual page and related build requirements
- simplify the README files now that we have a manual page
- set a certificate alias in trusted bundle (thanks to Ludwig Nussel)
2013-07-09 00:59:15 +02:00
Kai Engert
6c5dbfb646 * Mon May 27 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-13
- use correct command in README files, rhbz#961809
2013-05-27 15:28:11 +02:00
Kai Engert
2dc4526741 - update to version 1.94 provided by NSS 3.15 (beta) 2013-05-27 14:57:04 +02:00
Kai Engert
b2e71a9f9a * Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 2012.87-12
- Use both label and serial to identify cert during conversion, rhbz#927601
- Add myself as contributor to certdata2.pem.py and remove use of rcs/ident.
  (thanks to Michael Shuler for suggesting to do so)
- Update source URLs and comments, add source file for version information.
2013-04-22 14:58:59 +02:00
Kai Engert
34f352da5f * Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11
- adjust to changed and new functionality provided by p11-kit 0.17.3
- updated READMEs to describe the new directory-specific treatment of files
- ship a new file that contains certificates with neutral trust
- ship a new file that contains distrust objects, and also staple a
  basic constraint extension to one legacy root contained in the
  Mozilla CA list
- adjust the build script to dynamically produce most of above files
- add and own the anchors and blacklist subdirectories
- file generate-cacerts.pl is no longer required
2013-03-24 00:36:13 +01:00
Kai Engert
d538ada99c * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9
- Major rework for the Fedora SharedSystemCertificates feature.
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.
- Require the p11-kit package that contains tools to automatically create
  other file format bundles.
- Convert old file locations to symbolic links that point to dynamically
  generated files.
- Old files, which might have been locally modified, will be saved in backup
  files with .rpmsave extension.
- Added a update-ca-certificates script which can be used to regenerate
  the merged trusted output.
- Refer to the various README files that have been added for more detailed
  explanation of the new system.
- No longer require rsc for building.
- Add explanation for the future version numbering scheme,
  because the old numbering scheme was based on upstream using cvs,
  which is no longer true, and therefore can no longer be used.
- Includes changes from rhbz#873369.
2013-03-09 00:09:26 +01:00
Kai Engert
0ecb427592 * Thu Mar 07 2013 Kai Engert <kaie@redhat.com> - 2012.87-2.fc19.1
- Ship trust bundle file in /usr/share/pki/ca-trust-source/, temporarily in addition.
  This location will soon become the only place containing this file.
2013-03-08 00:03:25 +01:00
Dennis Gilmore
dc139972f7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild 2013-02-13 12:10:59 -06:00
Paul Wouters
73800e131b * Fri Jan 04 2013 Paul Wouters <pwouters@redhat.com> - 2012.87-1
- Updated to r1.87 to blacklist mis-issued turktrust CA certs
2013-01-04 12:50:54 -05:00
Paul Wouters
3f84976ebe Merge branch 'f18'
Conflicts:
	ca-certificates.spec
2012-10-24 14:19:30 -04:00
Paul Wouters
b695953124 Merge branch 'f17' into f18
Conflicts:
	ca-certificates.spec
2012-10-24 14:19:08 -04:00
Paul Wouters
829cbef0ba * Wed Oct 24 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-2
- Updated blacklist with 20 entries (Diginotar, Trustwave, Comodo(?)
- Fix to certdata2pem.py to also check for CKT_NSS_NOT_TRUSTED

Also updated pointer to certdata.txt explaining that's a pointer to
an unstable version.
2012-10-24 14:17:36 -04:00
Paul Wouters
0d3a176f72 * blacklist.txt: updated blacklist with 20 entries
These contain bogus issues from Comodo(?), Diginotar and Trustwave
2012-10-24 13:59:21 -04:00
Paul Wouters
d5bb2887a4 * certdata2pem.py was checking an obsoleted variable CKT_NSS_UNTRUSTED
This was recently changed to CKT_NSS_NOT_TRUSTED, so I've changed the
python code to check for both.
2012-10-24 13:55:29 -04:00
Paul Wouters
4ced2b6694 * Added real source url for certdata.txt on hg.mozilla.org 2012-10-23 21:38:13 -04:00
Paul Wouters
1e5066520f * Added real source url for certdata.txt on hg.mozilla.org 2012-10-23 21:35:11 -04:00
Paul Wouters
0a930f04ef * Added real source url for certdata.txt on hg.mozilla.org 2012-10-23 21:34:15 -04:00
Paul Wouters
b65d8a87f1 * Tue Oct 23 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-1
- update to r1.86
2012-10-23 16:04:09 -04:00
Joe Orton
bc18e50165 add openssl to BuildRequires 2012-07-23 12:49:30 +01:00
Joe Orton
df639e3f3e update to r1.85 2012-07-23 11:50:51 +01:00