Compare commits

...

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

8 changed files with 9330 additions and 12190 deletions

View File

@ -1 +0,0 @@
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SOURCES/trust-fixes

1
.gitignore vendored
View File

@ -1 +0,0 @@
SOURCES/trust-fixes

File diff suppressed because it is too large Load Diff

View File

@ -177,6 +177,11 @@ openssl_trust = {
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection", "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
} }
cert_distrust_types = {
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
}
for tobj in objects: for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj) key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -369,6 +374,16 @@ for tobj in objects:
f.write("nss-mozilla-ca-policy: true\n") f.write("nss-mozilla-ca-policy: true\n")
f.write("modifiable: false\n"); f.write("modifiable: false\n");
# requires p11-kit >= 0.23.19
for t in list(cert_distrust_types.keys()):
if t in obj:
value = obj[t]
if value == 'CK_FALSE':
value = bytearray(1)
f.write(cert_distrust_types[t] + ": \"")
f.write(urllib.parse.quote(value));
f.write("\"\n")
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64) temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)

View File

@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99. * It's recommend to switch back to 0 after having reached version 98/99.
*/ */
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69 #define NSS_BUILTINS_LIBRARY_VERSION_MINOR 54
#define NSS_BUILTINS_LIBRARY_VERSION "2.69" #define NSS_BUILTINS_LIBRARY_VERSION "2.54"
/* These version numbers detail the semantic changes to the ckfw engine. */ /* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

1
SOURCES/trust-fixes Normal file
View File

@ -0,0 +1 @@

View File

@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/ * add it as a new file to directory /etc/pki/ca-trust/source/anchors/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then: .*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/pki/ca-trust/source/ * add it as a new file to directory /etc/pki/ca-trust/source/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to. .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ * simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats: .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes. Each certificate will be treated as *trusted* for all purposes.
In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
you may install one or multiple certificates in either the DER file you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes. Each certificate will be treated as *distrusted* for all purposes.

View File

@ -35,14 +35,12 @@ Name: ca-certificates
# to have increasing version numbers. However, the new scheme will work, # to have increasing version numbers. However, the new scheme will work,
# because all future versions will start with 2013 or larger.) # because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.303 Version: 2022.2.54
# On RHEL 8.x, please keep the release version >= 80 # for y-stream, please always use 91 <= release < 100 (91,92,93)
# When rebasing on Y-Stream (8.y), use 81, 82, 83, ... # for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...)
# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, .. Release: 90.2%{?dist}
Release: 80.0%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Base
URL: https://fedoraproject.org/wiki/CA-Certificates URL: https://fedoraproject.org/wiki/CA-Certificates
#Please always update both certdata.txt and nssckbi.h #Please always update both certdata.txt and nssckbi.h
@ -73,13 +71,13 @@ Requires(post): coreutils
Requires: bash Requires: bash
Requires: grep Requires: grep
Requires: sed Requires: sed
Requires(post): p11-kit >= 0.23.12 Requires(post): p11-kit >= 0.24
Requires(post): p11-kit-trust >= 0.23.12 Requires(post): p11-kit-trust >= 0.24
Requires: p11-kit >= 0.23.12 Requires: p11-kit >= 0.24
Requires: p11-kit-trust >= 0.23.12 Requires: p11-kit-trust >= 0.24
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: python3-devel BuildRequires: python3
BuildRequires: openssl BuildRequires: openssl
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: libxslt BuildRequires: libxslt
@ -100,7 +98,7 @@ mkdir %{name}/java
pushd %{name}/certs pushd %{name}/certs
pwd pwd
cp %{SOURCE0} . cp %{SOURCE0} .
%{__python3} %{SOURCE4} >c2p.log 2>c2p.err python3 %{SOURCE4} >c2p.log 2>c2p.err
popd popd
pushd %{name} pushd %{name}
( (
@ -186,7 +184,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
@ -194,7 +192,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -243,9 +241,15 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# /etc/ssl/certs symlink for 3rd-party tools # /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
ln -s ../pki/tls/certs \ ln -s /etc/pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames # legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
@ -303,6 +307,7 @@ if [ $1 -gt 1 ] ; then
fi fi
fi fi
%post %post
#if [ $1 -gt 1 ] ; then #if [ $1 -gt 1 ] ; then
# # when upgrading or downgrading # # when upgrading or downgrading
@ -329,8 +334,6 @@ fi
%{_bindir}/update-ca-trust %{_bindir}/update-ca-trust
%files %files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/ssl %dir %{_sysconfdir}/ssl
%dir %{pkidir}/tls %dir %{pkidir}/tls
%dir %{pkidir}/tls/certs %dir %{pkidir}/tls/certs
@ -338,7 +341,7 @@ fi
%dir %{catrustdir} %dir %{catrustdir}
%dir %{catrustdir}/source %dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors %dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blacklist %dir %{catrustdir}/source/blocklist
%dir %{catrustdir}/extracted %dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem %dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl %dir %{catrustdir}/extracted/openssl
@ -346,7 +349,7 @@ fi
%dir %{_datadir}/pki %dir %{_datadir}/pki
%dir %{_datadir}/pki/ca-trust-source %dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors %dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blacklist %dir %{_datadir}/pki/ca-trust-source/blocklist
%dir %{_datadir}/pki/ca-trust-legacy %dir %{_datadir}/pki/ca-trust-legacy
%config(noreplace) %{catrustdir}/ca-legacy.conf %config(noreplace) %{catrustdir}/ca-legacy.conf
@ -367,10 +370,13 @@ fi
%{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle} %{pkidir}/%{java_bundle}
# symlink directory # symlinks to cross-distro compatibility files and directory
%{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf
# master bundle file with trust # primary bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle} %{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle} %{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@ -389,135 +395,7 @@ fi
%changelog %changelog
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0 *Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
- # Certificate "Security Communication Root CA"
- # Certificate "Camerfirma Chambers of Commerce Root"
- # Certificate "Hongkong Post Root CA 1"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
- # Certificate "TrustCor RootCert CA-1"
- # Certificate "TrustCor RootCert CA-2"
- # Certificate "TrustCor ECA-1"
- # Certificate "FNMT-RCM"
- Adding:
- # Certificate "LAWtrust Root CA2 (4096)"
- # Certificate "Sectigo Public Email Protection Root E46"
- # Certificate "Sectigo Public Email Protection Root R46"
- # Certificate "Sectigo Public Server Authentication Root E46"
- # Certificate "Sectigo Public Server Authentication Root R46"
- # Certificate "SSL.com TLS RSA Root CA 2022"
- # Certificate "SSL.com TLS ECC Root CA 2022"
- # Certificate "SSL.com Client ECC Root CA 2022"
- # Certificate "SSL.com Client RSA Root CA 2022"
- # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
- # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
- # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
- # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
- # Certificate "TrustAsia Global Root CA G3"
- # Certificate "TrustAsia Global Root CA G4"
- # Certificate "CommScope Public Trust ECC Root-01"
- # Certificate "CommScope Public Trust ECC Root-02"
- # Certificate "CommScope Public Trust RSA Root-01"
- # Certificate "CommScope Public Trust RSA Root-02"
- # Certificate "D-Trust SBR Root CA 1 2022"
- # Certificate "D-Trust SBR Root CA 2 2022"
- # Certificate "Telekom Security SMIME ECC Root 2021"
- # Certificate "Telekom Security TLS ECC Root 2020"
- # Certificate "Telekom Security SMIME RSA Root 2023"
- # Certificate "Telekom Security TLS RSA Root 2023"
- # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
- # Certificate "SECOM Trust.net"
- # Certificate "Chambers of Commerce Root"
- # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Removing:
- # Certificate "Camerfirma Global Chambersign Root"
- # Certificate "Staat der Nederlanden EV Root CA"
- # Certificate "OpenTrust Root CA G1"
- # Certificate "Swedish Government Root Authority v1"
- # Certificate "DigiNotar Root CA G2"
- # Certificate "Federal Common Policy CA"
- # Certificate "TC TrustCenter Universal CA III"
- # Certificate "CCA India 2007"
- # Certificate "ipsCA Global CA Root"
- # Certificate "ipsCA Main CA Root"
- # Certificate "Macao Post eSignTrust Root Certification Authority"
- # Certificate "InfoNotary CSP Root"
- # Certificate "DigiNotar Root CA"
- # Certificate "Root CA"
- # Certificate "GPKIRootCA"
- # Certificate "D-TRUST Qualified Root CA 1 2007:PN"
- # Certificate "TC TrustCenter Universal CA I"
- # Certificate "TC TrustCenter Universal CA II"
- # Certificate "TC TrustCenter Class 2 CA II"
- # Certificate "TC TrustCenter Class 4 CA II"
- # Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
- # Certificate "CertRSA01"
- # Certificate "KISA RootCA 3"
- # Certificate "A-CERT ADVANCED"
- # Certificate "A-Trust-Qual-01"
- # Certificate "A-Trust-nQual-01"
- # Certificate "Serasa Certificate Authority II"
- # Certificate "TDC Internet"
- # Certificate "America Online Root Certification Authority 2"
- # Certificate "RSA Security Inc"
- # Certificate "Public Notary Root"
- # Certificate "Autoridade Certificadora Raiz Brasileira"
- # Certificate "Post.Trust Root CA"
- # Certificate "Entrust.net Secure Server Certification Authority"
- # Certificate "ePKI EV SSL Certification Authority - G1"
- Adding:
- # Certificate "DigiCert TLS ECC P384 Root G5"
- # Certificate "DigiCert TLS RSA4096 Root G5"
- # Certificate "DigiCert SMIME ECC P384 Root G5"
- # Certificate "DigiCert SMIME RSA4096 Root G5"
- # Certificate "Certainly Root R1"
- # Certificate "Certainly Root E1"
- # Certificate "E-Tugra Global Root CA RSA v3"
- # Certificate "E-Tugra Global Root CA ECC v3"
- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
- # Certificate "BJCA Global Root CA1"
- # Certificate "BJCA Global Root CA2"
- # Certificate "Symantec Enterprise Mobile Root for Microsoft"
- # Certificate "A-Trust-Root-05"
- # Certificate "ADOCA02"
- # Certificate "StartCom Certification Authority G2"
- # Certificate "ATHEX Root CA"
- # Certificate "EBG Elektronik Sertifika Hizmet Sağlayıcısı"
- # Certificate "GeoTrust Primary Certification Authority"
- # Certificate "thawte Primary Root CA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- # Certificate "America Online Root Certification Authority 1"
- # Certificate "Juur-SK"
- # Certificate "ComSign CA"
- # Certificate "ComSign Secured CA"
- # Certificate "ComSign Advanced Security CA"
- # Certificate "Global Chambersign Root"
- # Certificate "Sonera Class2 CA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
- # Certificate "VeriSign, Inc."
- # Certificate "GTE CyberTrust Global Root"
- # Certificate "Equifax Secure Global eBusiness CA-1"
- # Certificate "Equifax"
- # Certificate "Class 1 Primary CA"
- # Certificate "Swiss Government Root CA III"
- # Certificate "Application CA G4 Root"
- # Certificate "SSC GDL CA Root A"
- # Certificate "GlobalSign Code Signing Root E45"
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing: - Removing:
- # Certificate "TrustCor ECA-1" - # Certificate "TrustCor ECA-1"
@ -538,12 +416,29 @@ fi
- # Certificate "Government Root Certification Authority" - # Certificate "Government Root Certification Authority"
- # Certificate "AC Raíz Certicámara S.A." - # Certificate "AC Raíz Certicámara S.A."
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1 *Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0 *Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding: - Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
- # Certificate "CAEDICOM Root" - # Certificate "CAEDICOM Root"
- # Certificate "I.CA Root CA/RSA" - # Certificate "I.CA Root CA/RSA"
- # Certificate "MULTICERT Root Certification Authority 01" - # Certificate "MULTICERT Root Certification Authority 01"
@ -685,7 +580,6 @@ fi
- # Certificate "Certipost E-Trust TOP Root CA" - # Certificate "Certipost E-Trust TOP Root CA"
- # Certificate "Certipost E-Trust Primary Qualified CA" - # Certificate "Certipost E-Trust Primary Qualified CA"
- # Certificate "Certipost E-Trust Primary Normalised CA" - # Certificate "Certipost E-Trust Primary Normalised CA"
- # Certificate "Cybertrust Global Root"
- # Certificate "GlobalSign" - # Certificate "GlobalSign"
- # Certificate "IGC/A" - # Certificate "IGC/A"
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN" - # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@ -759,129 +653,113 @@ fi
- # Certificate "HARICA Code Signing ECC Root CA 2021" - # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020" - # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81 * Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
- Update to CKBI 2.54 from NSS 3.79 - remove blacklist directory and references now that p11-kit has been updated.
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Cybertrust Global Root"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
- Update to CKBI 2.50 from NSS 3.67 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- version number update only Related: rhbz#1991688
*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82 * Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
- Update to CKBI 2.48 from NSS 3.66 - Rebuilt for RHEL 9 BETA for openssl 3.0
- Removing: Related: rhbz#1971065
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Trustis FPS Root CA"
- Adding:
- # Certificate "GLOBALTRUST 2020"
- # Certificate "ANF Secure Server Root CA"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81 * Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
- Update to CKBI 2.48 from NSS 3.64 - Update to CKBI 2.50 from NSS 3.67
- Removing: - Removing:
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" - # Certificate "QuoVadis Root CA"
- # Certificate "GeoTrust Global CA" - # Certificate "Sonera Class 2 Root CA"
- # Certificate "GeoTrust Universal CA" - # Certificate "Trustis FPS Root CA"
- # Certificate "GeoTrust Universal CA 2" - Adding:
- # Certificate "Taiwan GRCA" - # Certificate "GLOBALTRUST 2020"
- # Certificate "GeoTrust Primary Certification Authority" - # Certificate "ANF Secure Server Root CA"
- # Certificate "thawte Primary Root CA" - # Certificate "Certum EC-384 CA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" - # Certificate "Certum Trusted Root CA"
- # Certificate "GeoTrust Primary Certification Authority - G3"
- # Certificate "thawte Primary Root CA - G2"
- # Certificate "thawte Primary Root CA - G3"
- # Certificate "GeoTrust Primary Certification Authority - G2"
- # Certificate "VeriSign Universal Root Certification Authority"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Certificate "EE Certification Centre Root CA"
- # Certificate "LuxTrust Global Root 2"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
- Adding:
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
- # Certificate "e-Szigno Root CA 2017"
- # Certificate "certSIGN Root CA G2"
- # Certificate "Trustwave Global Certification Authority"
- # Certificate "Trustwave Global ECC P256 Certification Authority"
- # Certificate "Trustwave Global ECC P384 Certification Authority"
- # Certificate "NAVER Global Root Certification Authority"
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- # Certificate "GlobalSign Secure Mail Root R45"
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
- fix post issues - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
- remove unnecessarily divisive terms, take 1.
- in ca-certificates there are 3 cases:
- 1) master refering to the fedora master branch in the fetch.sh script.
- This can only be changed once fedora changes the master branch name.
- 2) a reference to the 'master bundle' in this file: this has been changed
- to 'primary bundle'.
- 3) a couple of blacklist directories owned by this package, but used to
- p11-kit. New 'blocklist' directories have been created, but p11-kit
- needs to be updated before the old blacklist directories can be removed
- and the man pages corrected.
* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
- Fix up broken %post and %postinstall scriptlet changes from -2
* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
- Update to CKBI 2.41 from NSS 3.53.0 - Update to CKBI 2.41 from NSS 3.53.0
- Removing: - Removing:
- # Certificate "AddTrust Low-Value Services Root" - # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust External Root" - # Certificate "AddTrust External Root"
- # Certificate "Staat der Nederlanden Root CA - G2"
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
- Update versioned dependency on p11-kit
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
- Update to CKBI 2.40 from NSS 3.48
- Removing:
- # Certificate "UTN USERFirst Email Root CA" - # Certificate "UTN USERFirst Email Root CA"
- # Certificate "Certplus Class 2 Primary CA" - # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Deutsche Telekom Root CA 2" - # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Staat der Nederlanden Root CA - G2"
- # Certificate "Swisscom Root CA 2" - # Certificate "Swisscom Root CA 2"
- # Certificate "Certinomis - Root CA" - # Certificate "Certinomis - Root CA"
- Adding: - Adding:
- # Certificate "Entrust Root Certification Authority - G4" - # Certificate "Entrust Root Certification Authority - G4"
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
- Update to CKBI 2.32 from NSS 3.44 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
- Removing:
- # Certificate "Visa eCommerce Root"
- # Certificate "AC Raiz Certicamara S.A."
- # Certificate "ComSign CA"
- # Certificate "Certplus Root CA G1"
- # Certificate "Certplus Root CA G2"
- # Certificate "OpenTrust Root CA G1"
- # Certificate "OpenTrust Root CA G2"
- # Certificate "OpenTrust Root CA G3"
- Adding:
- # Certificate "GlobalSign Root CA - R6"
- # Certificate "OISTE WISeKey Global Root GC CA"
- # Certificate "GTS Root R1"
- # Certificate "GTS Root R2"
- # Certificate "GTS Root R3"
- # Certificate "GTS Root R4"
- # Certificate "UCA Global G2 Root"
- # Certificate "UCA Extended Validation Root"
- # Certificate "Certigna Root CA"
- # Certificate "emSign Root CA - G1"
- # Certificate "emSign ECC Root CA - G3"
- # Certificate "emSign Root CA - C1"
- # Certificate "emSign ECC Root CA - C3"
- # Certificate "Hongkong Post Root CA 3"
* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1 * Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
- Test gating - Update to CKBI 2.32 from NSS 3.44
Removing:
# Certificate "Visa eCommerce Root"
# Certificate "AC Raiz Certicamara S.A."
# Certificate "Certplus Root CA G1"
# Certificate "Certplus Root CA G2"
# Certificate "OpenTrust Root CA G1"
# Certificate "OpenTrust Root CA G2"
# Certificate "OpenTrust Root CA G3"
Adding:
# Certificate "GTS Root R1"
# Certificate "GTS Root R2"
# Certificate "GTS Root R3"
# Certificate "GTS Root R4"
# Certificate "UCA Global G2 Root"
# Certificate "UCA Extended Validation Root"
# Certificate "Certigna Root CA"
# Certificate "emSign Root CA - G1"
# Certificate "emSign ECC Root CA - G3"
# Certificate "emSign Root CA - C1"
# Certificate "emSign ECC Root CA - C3"
# Certificate "Hongkong Post Root CA 3"
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
- Use __python3 macro when invoking Python - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
- Update to CKBI 2.26 from NSS 3.39
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5 * Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
- Ported scripts to python3 - Ported scripts to python3