8 changed files with 9330 additions and 12190 deletions
--- a/.ca-certificates.metadata
+++ b/.ca-certificates.metadata
@ -1 +0,0 @@
-adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SOURCES/trust-fixes
--- a/.gitignore
+++ b/.gitignore
@ -1 +0,0 @@
-SOURCES/trust-fixes
--- a/SOURCES/certdata.txt
+++ b/SOURCES/certdata.txt
--- a/SOURCES/certdata2pem.py
+++ b/SOURCES/certdata2pem.py
@ -177,6 +177,11 @@ openssl_trust = {
  "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
 }

+cert_distrust_types = {
+  "CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
+  "CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
+}
+
 for tobj in objects:
    if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
        key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -369,6 +374,16 @@ for tobj in objects:
            f.write("nss-mozilla-ca-policy: true\n")
            f.write("modifiable: false\n");

+            # requires p11-kit >= 0.23.19
+            for t in list(cert_distrust_types.keys()):
+                if t in obj:
+                    value = obj[t]
+                    if value == 'CK_FALSE':
+                        value = bytearray(1)
+                    f.write(cert_distrust_types[t] + ": \"")
+                    f.write(urllib.parse.quote(value));
+                    f.write("\"\n")
+
            f.write("-----BEGIN CERTIFICATE-----\n")
            temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
            temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
--- a/SOURCES/nssckbi.h
+++ b/SOURCES/nssckbi.h
@ -46,8 +46,8 @@
 * It's recommend to switch back to 0 after having reached version 98/99.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69
-#define NSS_BUILTINS_LIBRARY_VERSION "2.69"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 54
+#define NSS_BUILTINS_LIBRARY_VERSION "2.54"

 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
--- a/SOURCES/trust-fixes
+++ b/SOURCES/trust-fixes
@ -0,0 +1 @@
+
--- a/SOURCES/update-ca-trust.8.txt
+++ b/SOURCES/update-ca-trust.8.txt
@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
 * add it as a new file to directory /etc/pki/ca-trust/source/anchors/
 * run 'update-ca-trust extract'

-.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
 * add it as a new file to directory /etc/pki/ca-trust/source/
 * run 'update-ca-trust extract'

 .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
 * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
-* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
+* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
 * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/

 .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
 format or in the PEM (BEGIN/END CERTIFICATE) file format.
 Each certificate will be treated as *trusted* for all purposes.

-In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
+In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
 you may install one or multiple certificates in either the DER file
 format or in the PEM (BEGIN/END CERTIFICATE) file format.
 Each certificate will be treated as *distrusted* for all purposes.
--- a/SPECS/ca-certificates.spec
+++ b/SPECS/ca-certificates.spec
@ -35,14 +35,12 @@ Name: ca-certificates
 # to have increasing version numbers. However, the new scheme will work, 
 # because all future versions will start with 2013 or larger.)

-Version: 2024.2.69_v8.0.303
-# On RHEL 8.x, please keep the release version >= 80
-# When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
-# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
-Release: 80.0%{?dist}
+Version: 2022.2.54
+# for y-stream, please always use 91 <= release  < 100 (91,92,93)
+# for z-stream release branches, please use 90 <= release  < 91 (90.0, 90.1, ...)
+Release: 90.2%{?dist}
 License: Public Domain

-Group: System Environment/Base
 URL: https://fedoraproject.org/wiki/CA-Certificates

 #Please always update both certdata.txt and nssckbi.h
@ -73,13 +71,13 @@ Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
-Requires(post): p11-kit >= 0.23.12
-Requires(post): p11-kit-trust >= 0.23.12
-Requires: p11-kit >= 0.23.12
-Requires: p11-kit-trust >= 0.23.12
+Requires(post): p11-kit >= 0.24
+Requires(post): p11-kit-trust >= 0.24
+Requires: p11-kit >= 0.24
+Requires: p11-kit-trust >= 0.24

 BuildRequires: perl-interpreter
-BuildRequires: python3-devel
+BuildRequires: python3
 BuildRequires: openssl
 BuildRequires: asciidoc
 BuildRequires: libxslt
@ -100,7 +98,7 @@ mkdir %{name}/java
 pushd %{name}/certs
 pwd
 cp %{SOURCE0} .
- %{__python3} %{SOURCE4} >c2p.log 2>c2p.err
+ python3 %{SOURCE4} >c2p.log 2>c2p.err
 popd
 pushd %{name}
 (
@ -186,7 +184,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
-mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
+mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
@ -194,7 +192,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
-mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
+mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -243,9 +241,15 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin

-# /etc/ssl/certs symlink for 3rd-party tools
-ln -s ../pki/tls/certs \
+# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
+ln -s /etc/pki/tls/certs \
    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
+ln -s /etc/pki/tls/openssl.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
+ln -s /etc/pki/tls/ct_log_list.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
 # legacy filenames
 ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
    $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
@ -303,6 +307,7 @@ if [ $1 -gt 1 ] ; then
  fi
 fi

+
 %post
 #if [ $1 -gt 1 ] ; then
 #  # when upgrading or downgrading
@ -329,8 +334,6 @@ fi
 %{_bindir}/update-ca-trust

 %files
-%defattr(-,root,root,-)
-
 %dir %{_sysconfdir}/ssl
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
@ -338,7 +341,7 @@ fi
 %dir %{catrustdir}
 %dir %{catrustdir}/source
 %dir %{catrustdir}/source/anchors
-%dir %{catrustdir}/source/blacklist
+%dir %{catrustdir}/source/blocklist
 %dir %{catrustdir}/extracted
 %dir %{catrustdir}/extracted/pem
 %dir %{catrustdir}/extracted/openssl
@ -346,7 +349,7 @@ fi
 %dir %{_datadir}/pki
 %dir %{_datadir}/pki/ca-trust-source
 %dir %{_datadir}/pki/ca-trust-source/anchors
-%dir %{_datadir}/pki/ca-trust-source/blacklist
+%dir %{_datadir}/pki/ca-trust-source/blocklist
 %dir %{_datadir}/pki/ca-trust-legacy

 %config(noreplace) %{catrustdir}/ca-legacy.conf
@ -367,10 +370,13 @@ fi
 %{pkidir}/tls/certs/%{classic_tls_bundle}
 %{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 %{pkidir}/%{java_bundle}
-# symlink directory
+# symlinks to cross-distro compatibility files and directory
 %{_sysconfdir}/ssl/certs
+%{_sysconfdir}/ssl/cert.pem
+%{_sysconfdir}/ssl/openssl.cnf
+%{_sysconfdir}/ssl/ct_log_list.cnf

-# master bundle file with trust
+# primary bundle file with trust
 %{_datadir}/pki/ca-trust-source/%{p11_format_bundle}

 %{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@ -389,135 +395,7 @@ fi


 %changelog
-*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
-    Removing:
-     # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
-     # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
-     # Certificate "Security Communication Root CA"
-     # Certificate "Camerfirma Chambers of Commerce Root"
-     # Certificate "Hongkong Post Root CA 1"
-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
-     # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
-     # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
-     # Certificate "TrustCor RootCert CA-1"
-     # Certificate "TrustCor RootCert CA-2"
-     # Certificate "TrustCor ECA-1"
-     # Certificate "FNMT-RCM"
-    Adding:
-     # Certificate "LAWtrust Root CA2 (4096)"
-     # Certificate "Sectigo Public Email Protection Root E46"
-     # Certificate "Sectigo Public Email Protection Root R46"
-     # Certificate "Sectigo Public Server Authentication Root E46"
-     # Certificate "Sectigo Public Server Authentication Root R46"
-     # Certificate "SSL.com TLS RSA Root CA 2022"
-     # Certificate "SSL.com TLS ECC Root CA 2022"
-     # Certificate "SSL.com Client ECC Root CA 2022"
-     # Certificate "SSL.com Client RSA Root CA 2022"
-     # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
-     # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
-     # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
-     # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
-     # Certificate "TrustAsia Global Root CA G3"
-     # Certificate "TrustAsia Global Root CA G4"
-     # Certificate "CommScope Public Trust ECC Root-01"
-     # Certificate "CommScope Public Trust ECC Root-02"
-     # Certificate "CommScope Public Trust RSA Root-01"
-     # Certificate "CommScope Public Trust RSA Root-02"
-     # Certificate "D-Trust SBR Root CA 1 2022"
-     # Certificate "D-Trust SBR Root CA 2 2022"
-     # Certificate "Telekom Security SMIME ECC Root 2021"
-     # Certificate "Telekom Security TLS ECC Root 2020"
-     # Certificate "Telekom Security SMIME RSA Root 2023"
-     # Certificate "Telekom Security TLS RSA Root 2023"
-     # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
-     # Certificate "SECOM Trust.net"
-     # Certificate "Chambers of Commerce Root"
-     # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
-     # Certificate "SSL.com Code Signing RSA Root CA 2022"
-     # Certificate "SSL.com Code Signing ECC Root CA 2022"
-
-*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
-    Removing:
-     # Certificate "Camerfirma Global Chambersign Root"
-     # Certificate "Staat der Nederlanden EV Root CA"
-     # Certificate "OpenTrust Root CA G1"
-     # Certificate "Swedish Government Root Authority v1"
-     # Certificate "DigiNotar Root CA G2"
-     # Certificate "Federal Common Policy CA"
-     # Certificate "TC TrustCenter Universal CA III"
-     # Certificate "CCA India 2007"
-     # Certificate "ipsCA Global CA Root"
-     # Certificate "ipsCA Main CA Root"
-     # Certificate "Macao Post eSignTrust Root Certification Authority"
-     # Certificate "InfoNotary CSP Root"
-     # Certificate "DigiNotar Root CA"
-     # Certificate "Root CA"
-     # Certificate "GPKIRootCA"
-     # Certificate "D-TRUST Qualified Root CA 1 2007:PN"
-     # Certificate "TC TrustCenter Universal CA I"
-     # Certificate "TC TrustCenter Universal CA II"
-     # Certificate "TC TrustCenter Class 2 CA II"
-     # Certificate "TC TrustCenter Class 4 CA II"
-     # Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
-     # Certificate "CertRSA01"
-     # Certificate "KISA RootCA 3"
-     # Certificate "A-CERT ADVANCED"
-     # Certificate "A-Trust-Qual-01"
-     # Certificate "A-Trust-nQual-01"
-     # Certificate "Serasa Certificate Authority II"
-     # Certificate "TDC Internet"
-     # Certificate "America Online Root Certification Authority 2"
-     # Certificate "RSA Security Inc"
-     # Certificate "Public Notary Root"
-     # Certificate "Autoridade Certificadora Raiz Brasileira"
-     # Certificate "Post.Trust Root CA"
-     # Certificate "Entrust.net Secure Server Certification Authority"
-     # Certificate "ePKI EV SSL Certification Authority - G1"
-    Adding:
-     # Certificate "DigiCert TLS ECC P384 Root G5"
-     # Certificate "DigiCert TLS RSA4096 Root G5"
-     # Certificate "DigiCert SMIME ECC P384 Root G5"
-     # Certificate "DigiCert SMIME RSA4096 Root G5"
-     # Certificate "Certainly Root R1"
-     # Certificate "Certainly Root E1"
-     # Certificate "E-Tugra Global Root CA RSA v3"
-     # Certificate "E-Tugra Global Root CA ECC v3"
-     # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
-     # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
-     # Certificate "BJCA Global Root CA1"
-     # Certificate "BJCA Global Root CA2"
-     # Certificate "Symantec Enterprise Mobile Root for Microsoft"
-     # Certificate "A-Trust-Root-05"
-     # Certificate "ADOCA02"
-     # Certificate "StartCom Certification Authority G2"
-     # Certificate "ATHEX Root CA"
-     # Certificate "EBG Elektronik Sertifika Hizmet Sağlayıcısı"
-     # Certificate "GeoTrust Primary Certification Authority"
-     # Certificate "thawte Primary Root CA"
-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
-     # Certificate "America Online Root Certification Authority 1"
-     # Certificate "Juur-SK"
-     # Certificate "ComSign CA"
-     # Certificate "ComSign Secured CA"
-     # Certificate "ComSign Advanced Security CA"
-     # Certificate "Global Chambersign Root"
-     # Certificate "Sonera Class2 CA"
-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
-     # Certificate "VeriSign, Inc."
-     # Certificate "GTE CyberTrust Global Root"
-     # Certificate "Equifax Secure Global eBusiness CA-1"
-     # Certificate "Equifax"
-     # Certificate "Class 1 Primary CA"
-     # Certificate "Swiss Government Root CA III"
-     # Certificate "Application CA G4 Root"
-     # Certificate "SSC GDL CA Root A"
-     # Certificate "GlobalSign Code Signing Root E45"
-     # Certificate "GlobalSign Code Signing Root R45"
-     # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
-
-*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
+*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
 - Update to CKBI 2.54 from NSS 3.79
 -    Removing:
 -     # Certificate "TrustCor ECA-1"
@ -538,12 +416,29 @@ fi
 -     # Certificate "Government Root Certification Authority"
 -     # Certificate "AC Raíz Certicámara S.A."

-*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
+*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1
 - Update to CKBI 2.54 from NSS 3.79

-*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
+*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0
 - Update to CKBI 2.54 from NSS 3.79
+-    Removing:
+-     # Certificate "GlobalSign Root CA - R2"
+-     # Certificate "DST Root CA X3"
+-     # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
 -    Adding:
+-     # Certificate "TunTrust Root CA"
+-     # Certificate "HARICA TLS RSA Root CA 2021"
+-     # Certificate "HARICA TLS ECC Root CA 2021"
+-     # Certificate "HARICA Client RSA Root CA 2021"
+-     # Certificate "HARICA Client ECC Root CA 2021"
+-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+-     # Certificate "vTrus ECC Root CA"
+-     # Certificate "vTrus Root CA"
+-     # Certificate "ISRG Root X2"
+-     # Certificate "HiPKI Root CA - G1"
+-     # Certificate "Telia Root CA v2"
+-     # Certificate "D-TRUST BR Root CA 1 2020"
+-     # Certificate "D-TRUST EV Root CA 1 2020"
 -     # Certificate "CAEDICOM Root"
 -     # Certificate "I.CA Root CA/RSA"
 -     # Certificate "MULTICERT Root Certification Authority 01"
@ -685,7 +580,6 @@ fi
 -     # Certificate "Certipost E-Trust TOP Root CA"
 -     # Certificate "Certipost E-Trust Primary Qualified CA"
 -     # Certificate "Certipost E-Trust Primary Normalised CA"
-     # Certificate "Cybertrust Global Root"
 -     # Certificate "GlobalSign"
 -     # Certificate "IGC/A"
 -     # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@ -759,129 +653,113 @@ fi
 -     # Certificate "HARICA Code Signing ECC Root CA 2021"
 -     # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"

-*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
- Update to CKBI 2.54 from NSS 3.79
-    Removing:
-     # Certificate "GlobalSign Root CA - R2"
-     # Certificate "DST Root CA X3"
-     # Certificate "Cybertrust Global Root"
-     # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
-    Adding:
-     # Certificate "TunTrust Root CA"
-     # Certificate "HARICA TLS RSA Root CA 2021"
-     # Certificate "HARICA TLS ECC Root CA 2021"
-     # Certificate "HARICA Client RSA Root CA 2021"
-     # Certificate "HARICA Client ECC Root CA 2021"
-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
-     # Certificate "vTrus ECC Root CA"
-     # Certificate "vTrus Root CA"
-     # Certificate "ISRG Root X2"
-     # Certificate "HiPKI Root CA - G1"
-     # Certificate "Telia Root CA v2"
-     # Certificate "D-TRUST BR Root CA 1 2020"
-     # Certificate "D-TRUST EV Root CA 1 2020"
+* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
+- remove blacklist directory and references now that p11-kit has been updated.

-*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
- Update to CKBI 2.50 from NSS 3.67
-   - version number update only
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688

-*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
- Update to CKBI 2.48 from NSS 3.66
-    Removing:
-     # Certificate "QuoVadis Root CA"
-     # Certificate "Sonera Class 2 Root CA"
-     # Certificate "Trustis FPS Root CA"
-    Adding:
-     # Certificate "GLOBALTRUST 2020"
-     # Certificate "ANF Secure Server Root CA"
-     # Certificate "Certum EC-384 CA"
-     # Certificate "Certum Trusted Root CA"
+* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065

-*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
- Update to CKBI 2.48 from NSS 3.64
-    Removing:
-     # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
-     # Certificate "GeoTrust Global CA"
-     # Certificate "GeoTrust Universal CA"
-     # Certificate "GeoTrust Universal CA 2"
-     # Certificate "Taiwan GRCA"
-     # Certificate "GeoTrust Primary Certification Authority"
-     # Certificate "thawte Primary Root CA"
-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
-     # Certificate "GeoTrust Primary Certification Authority - G3"
-     # Certificate "thawte Primary Root CA - G2"
-     # Certificate "thawte Primary Root CA - G3"
-     # Certificate "GeoTrust Primary Certification Authority - G2"
-     # Certificate "VeriSign Universal Root Certification Authority"
-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
-     # Certificate "EE Certification Centre Root CA"
-     # Certificate "LuxTrust Global Root 2"
-     # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
-     # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
-    Adding:
-     # Certificate "Microsoft ECC Root Certificate Authority 2017"
-     # Certificate "Microsoft RSA Root Certificate Authority 2017"
-     # Certificate "e-Szigno Root CA 2017"
-     # Certificate "certSIGN Root CA G2"
-     # Certificate "Trustwave Global Certification Authority"
-     # Certificate "Trustwave Global ECC P256 Certification Authority"
-     # Certificate "Trustwave Global ECC P384 Certification Authority"
-     # Certificate "NAVER Global Root Certification Authority"
-     # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
-     # Certificate "GlobalSign Secure Mail Root R45"
-     # Certificate "GlobalSign Secure Mail Root E45"
-     # Certificate "GlobalSign Root R46"
-     # Certificate "GlobalSign Root E46"
+* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
+-   Update to CKBI 2.50 from NSS 3.67
+-      Removing:
+-       # Certificate "QuoVadis Root CA"
+-       # Certificate "Sonera Class 2 Root CA"
+-       # Certificate "Trustis FPS Root CA"
+-      Adding:
+-       # Certificate "GLOBALTRUST 2020"
+-       # Certificate "ANF Secure Server Root CA"
+-       # Certificate "Certum EC-384 CA"
+-       # Certificate "Certum Trusted Root CA"

-*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
- fix post issues
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

-*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
+- remove unnecessarily divisive terms, take 1.
+-   in ca-certificates there are 3 cases:
+-   1) master refering to the fedora master branch in the fetch.sh script.
+-      This can only be changed once fedora changes the master branch name.
+-   2) a reference to the 'master bundle' in this file: this has been changed
+-      to 'primary bundle'.
+-   3) a couple of blacklist directories owned by this package, but used to
+-      p11-kit. New 'blocklist' directories have been created, but p11-kit
+-      needs to be updated before the old blacklist directories can be removed
+-      and the man pages corrected.
+
+* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
+- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
+- Fix up broken %post and %postinstall scriptlet changes from -2
+
+* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
 - Update to CKBI 2.41 from NSS 3.53.0
 -    Removing:
 -     # Certificate "AddTrust Low-Value Services Root"
 -     # Certificate "AddTrust External Root"
+-     # Certificate "Staat der Nederlanden Root CA - G2"
+
+* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
+- Update versioned dependency on p11-kit
+
+* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
+- Update to CKBI 2.40 from NSS 3.48
+-    Removing:
 -     # Certificate "UTN USERFirst Email Root CA"
 -     # Certificate "Certplus Class 2 Primary CA"
 -     # Certificate "Deutsche Telekom Root CA 2"
-     # Certificate "Staat der Nederlanden Root CA - G2"
 -     # Certificate "Swisscom Root CA 2"
 -     # Certificate "Certinomis - Root CA"
 -    Adding:
 -     # Certificate "Entrust Root Certification Authority - G4"
+- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER

-*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
- Update to CKBI 2.32 from NSS 3.44
-  Removing:
-   # Certificate "Visa eCommerce Root"
-   # Certificate "AC Raiz Certicamara S.A."
-   # Certificate "ComSign CA"
-   # Certificate "Certplus Root CA G1"
-   # Certificate "Certplus Root CA G2"
-   # Certificate "OpenTrust Root CA G1"
-   # Certificate "OpenTrust Root CA G2"
-   # Certificate "OpenTrust Root CA G3"
-  Adding:
-   # Certificate "GlobalSign Root CA - R6"
-   # Certificate "OISTE WISeKey Global Root GC CA"
-   # Certificate "GTS Root R1"
-   # Certificate "GTS Root R2"
-   # Certificate "GTS Root R3"
-   # Certificate "GTS Root R4"
-   # Certificate "UCA Global G2 Root"
-   # Certificate "UCA Extended Validation Root"
-   # Certificate "Certigna Root CA"
-   # Certificate "emSign Root CA - G1"
-   # Certificate "emSign ECC Root CA - G3"
-   # Certificate "emSign Root CA - C1"
-   # Certificate "emSign ECC Root CA - C3"
-   # Certificate "Hongkong Post Root CA 3"
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

-* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
- Test gating
+* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
+ - Update to CKBI 2.32 from NSS 3.44
+   Removing: 
+    # Certificate "Visa eCommerce Root"
+    # Certificate "AC Raiz Certicamara S.A."
+    # Certificate "Certplus Root CA G1"
+    # Certificate "Certplus Root CA G2"
+    # Certificate "OpenTrust Root CA G1"
+    # Certificate "OpenTrust Root CA G2"
+    # Certificate "OpenTrust Root CA G3"
+   Adding: 
+    # Certificate "GTS Root R1"
+    # Certificate "GTS Root R2"
+    # Certificate "GTS Root R3"
+    # Certificate "GTS Root R4"
+    # Certificate "UCA Global G2 Root"
+    # Certificate "UCA Extended Validation Root"
+    # Certificate "Certigna Root CA"
+    # Certificate "emSign Root CA - G1"
+    # Certificate "emSign ECC Root CA - G3"
+    # Certificate "emSign Root CA - C1"
+    # Certificate "emSign ECC Root CA - C3"
+    # Certificate "Hongkong Post Root CA 3"

-* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
- Use __python3 macro when invoking Python
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
+- Update to CKBI 2.26 from NSS 3.39
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

 * Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
 - Ported scripts to python3
				`@ -1 +0,0 @@`
				`adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SOURCES/trust-fixes`