.ca-certificates.metadata

@@ -1 +0,0 @@
-adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SOURCES/trust-fixes

.gitignore

@@ -1 +1,5 @@
-SOURCES/trust-fixes
+*.rpm
+noarch
+clog
+/.*build.log
+/ca-certificates

SOURCES/update-ca-trust

@@ -1,22 +0,0 @@
-#!/bin/sh
-
-#set -vx
-
-# At this time, while this script is trivial, we ignore any parameters given.
-# However, for backwards compatibility reasons, future versions of this script must 
-# support the syntax "update-ca-trust extract" trigger the generation of output 
-# files in $DEST.
-
-DEST=/etc/pki/ca-trust/extracted
-
-# Prevent p11-kit from reading user configuration files.
-export P11_KIT_NO_USER_CONFIG=1
-
-# OpenSSL PEM bundle that includes trust flags
-# (BEGIN TRUSTED CERTIFICATE)
-/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
-/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
-/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin

ca-certificates.spec

@@ -36,13 +36,11 @@ Name: ca-certificates
 # because all future versions will start with 2013 or larger.)
 
 Version: 2024.2.69_v8.0.303
-# On RHEL 8.x, please keep the release version >= 80
+# for y-stream, please always use 91 <= release  < 100 (91,92,93)
-# When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
+# for z-stream release branches, please use 90 <= release  < 91 (90.0, 90.1, ...)
-# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
+Release: 91.4%{?dist}
-Release: 80.0%{?dist}
+License: MIT AND GPL-2.0-or-later
-License: Public Domain
 
-Group: System Environment/Base
 URL: https://fedoraproject.org/wiki/CA-Certificates
 
 #Please always update both certdata.txt and nssckbi.h
@@ -73,16 +71,14 @@ Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
-Requires(post): p11-kit >= 0.23.12
+Requires(post): p11-kit-trust >= 0.24
-Requires(post): p11-kit-trust >= 0.23.12
+Requires: p11-kit-trust >= 0.24
-Requires: p11-kit >= 0.23.12
-Requires: p11-kit-trust >= 0.23.12
 
 BuildRequires: perl-interpreter
-BuildRequires: python3-devel
+BuildRequires: python3
 BuildRequires: openssl
 BuildRequires: asciidoc
-BuildRequires: libxslt
+BuildRequires: xmlto
 
 %description
 This package contains the set of CA certificates chosen by the
@@ -100,7 +96,7 @@ mkdir %{name}/java
 pushd %{name}/certs
  pwd
  cp %{SOURCE0} .
- %{__python3} %{SOURCE4} >c2p.log 2>c2p.err
+ python3 %{SOURCE4} >c2p.log 2>c2p.err
 popd
 pushd %{name}
  (
@@ -171,12 +167,12 @@ popd
 
 #manpage
 cp %{SOURCE10} %{name}/update-ca-trust.8.txt
-asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
+asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
-xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
+xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
 
 cp %{SOURCE9} %{name}/ca-legacy.8.txt
-asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
+asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
-xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
+xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
 
 
 %install
@@ -186,15 +182,16 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
-mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
+mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
+mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
-mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
+mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@@ -243,9 +240,15 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 
-# /etc/ssl/certs symlink for 3rd-party tools
+# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
-ln -s ../pki/tls/certs \
+ln -s /etc/pki/tls/certs \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
+ln -s /etc/pki/tls/openssl.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
+ln -s /etc/pki/tls/ct_log_list.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
 # legacy filenames
 ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
     $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
@@ -256,6 +259,49 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
 ln -s %{catrustdir}/extracted/%{java_bundle} \
     $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
 
+# Populate %%{catrustdir}/extracted/pem/directory-hash.
+#
+# First direct p11-kit-trust.so to the generated bundle (not the one
+# already present on the build system) with an overriding module
+# config. Note that we have to use a different config path based on
+# the current user: if root, ~/.config/pkcs11/modules/* are not read,
+# while if a regular user, she can't write to /etc.
+if test "$(id -u)" -eq 0; then
+   trust_module_dir=/etc/pkcs11/modules
+else
+   trust_module_dir=$HOME/.config/pkcs11/modules
+fi
+
+mkdir -p "$trust_module_dir"
+
+# It is unlikely that the directory would contain any files on a build system,
+# but let's make sure just in case.
+if [ -n "$(ls -A "$trust_module_dir")" ]; then
+        echo "Directory $trust_module_dir is not empty. Aborting build!"
+        exit 1
+fi
+
+trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
+cat >"$trust_module_config" <<EOF
+module: p11-kit-trust.so
+trust-policy: yes
+x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
+EOF
+
+trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
+      --purpose server-auth \
+      $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+
+# Create a temporary file with the list of (%ghost )files in the directory-hash.
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
+sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
+# Clean up the temporary module config.
+rm -f "$trust_module_config"
+
+
+%clean
+/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+rm -rf $RPM_BUILD_ROOT
 
 %pre
 if [ $1 -gt 1 ] ; then
@@ -303,6 +349,7 @@ if [ $1 -gt 1 ] ; then
   fi
 fi
 
+
 %post
 #if [ $1 -gt 1 ] ; then
 #  # when upgrading or downgrading
@@ -328,9 +375,8 @@ fi
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
 
-%files
+# The file .files.txt contains the list of (%ghost )files in the directory-hash
-%defattr(-,root,root,-)
+%files -f .files.txt
-
 %dir %{_sysconfdir}/ssl
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
@@ -338,7 +384,7 @@ fi
 %dir %{catrustdir}
 %dir %{catrustdir}/source
 %dir %{catrustdir}/source/anchors
-%dir %{catrustdir}/source/blacklist
+%dir %{catrustdir}/source/blocklist
 %dir %{catrustdir}/extracted
 %dir %{catrustdir}/extracted/pem
 %dir %{catrustdir}/extracted/openssl
@@ -346,8 +392,9 @@ fi
 %dir %{_datadir}/pki
 %dir %{_datadir}/pki/ca-trust-source
 %dir %{_datadir}/pki/ca-trust-source/anchors
-%dir %{_datadir}/pki/ca-trust-source/blacklist
+%dir %{_datadir}/pki/ca-trust-source/blocklist
 %dir %{_datadir}/pki/ca-trust-legacy
+%dir %{catrustdir}/extracted/pem/directory-hash
 
 %config(noreplace) %{catrustdir}/ca-legacy.conf
 
@@ -367,10 +414,13 @@ fi
 %{pkidir}/tls/certs/%{classic_tls_bundle}
 %{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 %{pkidir}/%{java_bundle}
-# symlink directory
+# symlinks to cross-distro compatibility files and directory
 %{_sysconfdir}/ssl/certs
+%{_sysconfdir}/ssl/cert.pem
+%{_sysconfdir}/ssl/openssl.cnf
+%{_sysconfdir}/ssl/ct_log_list.cnf
 
-# master bundle file with trust
+# primary bundle file with trust
 %{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
 
 %{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@@ -386,11 +436,33 @@ fi
 %ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
-
+%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
+%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
 
 %changelog
-*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
+*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
+- update-ca-trust: return warnings on a unsupported argument instead of error
+
+*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
+- Temporarily generate the directory-hash files in %%install ...(next item)
+- Add list of ghost files from directory-hash to %%files
+
+*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
+- Remove write permissions from directory-hash
+
+*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
+- Reduce dependency on p11-kit to only the trust subpackage
+- Own the Directory-hash directory
+
+*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
+- Fix release number
+
+*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
+-    GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
+
+*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
+- Update to CKBI 2.68_v8.0.302 from NSS 3.101
 -    Removing:
 -     # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 -     # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
@@ -437,7 +509,22 @@ fi
 -     # Certificate "SSL.com Code Signing RSA Root CA 2022"
 -     # Certificate "SSL.com Code Signing ECC Root CA 2022"
 
-*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
+* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
+- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
+
+* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
+- Skip %post if getopt is missing (recent change made update-ca-trust use it)
+
+* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
+- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
+
+*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
+- update License: field to SPDX
+
+*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
+- Bump release number to make CI happy
+
+*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
 -    Removing:
 -     # Certificate "Camerfirma Global Chambersign Root"
@@ -517,7 +604,7 @@ fi
 -     # Certificate "GlobalSign Code Signing Root R45"
 -     # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
 
-*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
+*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
 - Update to CKBI 2.54 from NSS 3.79
 -    Removing:
 -     # Certificate "TrustCor ECA-1"
@@ -538,12 +625,29 @@ fi
 -     # Certificate "Government Root Certification Authority"
 -     # Certificate "AC Raíz Certicámara S.A."
 
-*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
+*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1
 - Update to CKBI 2.54 from NSS 3.79
 
-*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
+*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0
 - Update to CKBI 2.54 from NSS 3.79
+-    Removing:
+-     # Certificate "GlobalSign Root CA - R2"
+-     # Certificate "DST Root CA X3"
+-     # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
 -    Adding:
+-     # Certificate "TunTrust Root CA"
+-     # Certificate "HARICA TLS RSA Root CA 2021"
+-     # Certificate "HARICA TLS ECC Root CA 2021"
+-     # Certificate "HARICA Client RSA Root CA 2021"
+-     # Certificate "HARICA Client ECC Root CA 2021"
+-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+-     # Certificate "vTrus ECC Root CA"
+-     # Certificate "vTrus Root CA"
+-     # Certificate "ISRG Root X2"
+-     # Certificate "HiPKI Root CA - G1"
+-     # Certificate "Telia Root CA v2"
+-     # Certificate "D-TRUST BR Root CA 1 2020"
+-     # Certificate "D-TRUST EV Root CA 1 2020"
 -     # Certificate "CAEDICOM Root"
 -     # Certificate "I.CA Root CA/RSA"
 -     # Certificate "MULTICERT Root Certification Authority 01"
@@ -685,7 +789,6 @@ fi
 -     # Certificate "Certipost E-Trust TOP Root CA"
 -     # Certificate "Certipost E-Trust Primary Qualified CA"
 -     # Certificate "Certipost E-Trust Primary Normalised CA"
--     # Certificate "Cybertrust Global Root"
 -     # Certificate "GlobalSign"
 -     # Certificate "IGC/A"
 -     # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@@ -759,34 +862,19 @@ fi
 -     # Certificate "HARICA Code Signing ECC Root CA 2021"
 -     # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
 
-*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
+* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
-- Update to CKBI 2.54 from NSS 3.79
+- remove blacklist directory and references now that p11-kit has been updated.
--    Removing:
--     # Certificate "GlobalSign Root CA - R2"
--     # Certificate "DST Root CA X3"
--     # Certificate "Cybertrust Global Root"
--     # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
--    Adding:
--     # Certificate "TunTrust Root CA"
--     # Certificate "HARICA TLS RSA Root CA 2021"
--     # Certificate "HARICA TLS ECC Root CA 2021"
--     # Certificate "HARICA Client RSA Root CA 2021"
--     # Certificate "HARICA Client ECC Root CA 2021"
--     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
--     # Certificate "vTrus ECC Root CA"
--     # Certificate "vTrus Root CA"
--     # Certificate "ISRG Root X2"
--     # Certificate "HiPKI Root CA - G1"
--     # Certificate "Telia Root CA v2"
--     # Certificate "D-TRUST BR Root CA 1 2020"
--     # Certificate "D-TRUST EV Root CA 1 2020"
 
-*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
 -   Update to CKBI 2.50 from NSS 3.67
-   - version number update only
-
-*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
-- Update to CKBI 2.48 from NSS 3.66
 -      Removing:
 -       # Certificate "QuoVadis Root CA"
 -       # Certificate "Sonera Class 2 Root CA"
@@ -797,91 +885,90 @@ fi
 -       # Certificate "Certum EC-384 CA"
 -       # Certificate "Certum Trusted Root CA"
 
-*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
-- Update to CKBI 2.48 from NSS 3.64
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
--    Removing:
--     # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
--     # Certificate "GeoTrust Global CA"
--     # Certificate "GeoTrust Universal CA"
--     # Certificate "GeoTrust Universal CA 2"
--     # Certificate "Taiwan GRCA"
--     # Certificate "GeoTrust Primary Certification Authority"
--     # Certificate "thawte Primary Root CA"
--     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
--     # Certificate "GeoTrust Primary Certification Authority - G3"
--     # Certificate "thawte Primary Root CA - G2"
--     # Certificate "thawte Primary Root CA - G3"
--     # Certificate "GeoTrust Primary Certification Authority - G2"
--     # Certificate "VeriSign Universal Root Certification Authority"
--     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
--     # Certificate "EE Certification Centre Root CA"
--     # Certificate "LuxTrust Global Root 2"
--     # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
--     # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
--    Adding:
--     # Certificate "Microsoft ECC Root Certificate Authority 2017"
--     # Certificate "Microsoft RSA Root Certificate Authority 2017"
--     # Certificate "e-Szigno Root CA 2017"
--     # Certificate "certSIGN Root CA G2"
--     # Certificate "Trustwave Global Certification Authority"
--     # Certificate "Trustwave Global ECC P256 Certification Authority"
--     # Certificate "Trustwave Global ECC P384 Certification Authority"
--     # Certificate "NAVER Global Root Certification Authority"
--     # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
--     # Certificate "GlobalSign Secure Mail Root R45"
--     # Certificate "GlobalSign Secure Mail Root E45"
--     # Certificate "GlobalSign Root R46"
--     # Certificate "GlobalSign Root E46"
 
-*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
-- fix post issues
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
+* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
+- remove unnecessarily divisive terms, take 1.
+-   in ca-certificates there are 3 cases:
+-   1) master refering to the fedora master branch in the fetch.sh script.
+-      This can only be changed once fedora changes the master branch name.
+-   2) a reference to the 'master bundle' in this file: this has been changed
+-      to 'primary bundle'.
+-   3) a couple of blacklist directories owned by this package, but used to
+-      p11-kit. New 'blocklist' directories have been created, but p11-kit
+-      needs to be updated before the old blacklist directories can be removed
+-      and the man pages corrected.
+
+* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
+- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
+- Fix up broken %post and %postinstall scriptlet changes from -2
+
+* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
 - Update to CKBI 2.41 from NSS 3.53.0
 -    Removing:
 -     # Certificate "AddTrust Low-Value Services Root"
 -     # Certificate "AddTrust External Root"
+-     # Certificate "Staat der Nederlanden Root CA - G2"
+
+* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
+- Update versioned dependency on p11-kit
+
+* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
+- Update to CKBI 2.40 from NSS 3.48
+-    Removing:
 -     # Certificate "UTN USERFirst Email Root CA"
 -     # Certificate "Certplus Class 2 Primary CA"
 -     # Certificate "Deutsche Telekom Root CA 2"
--     # Certificate "Staat der Nederlanden Root CA - G2"
 -     # Certificate "Swisscom Root CA 2"
 -     # Certificate "Certinomis - Root CA"
 -    Adding:
 -     # Certificate "Entrust Root Certification Authority - G4"
+- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
 
-*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
  - Update to CKBI 2.32 from NSS 3.44
--  Removing:
+   Removing: 
--   # Certificate "Visa eCommerce Root"
+    # Certificate "Visa eCommerce Root"
--   # Certificate "AC Raiz Certicamara S.A."
+    # Certificate "AC Raiz Certicamara S.A."
--   # Certificate "ComSign CA"
+    # Certificate "Certplus Root CA G1"
--   # Certificate "Certplus Root CA G1"
+    # Certificate "Certplus Root CA G2"
--   # Certificate "Certplus Root CA G2"
+    # Certificate "OpenTrust Root CA G1"
--   # Certificate "OpenTrust Root CA G1"
+    # Certificate "OpenTrust Root CA G2"
--   # Certificate "OpenTrust Root CA G2"
+    # Certificate "OpenTrust Root CA G3"
--   # Certificate "OpenTrust Root CA G3"
+   Adding: 
--  Adding:
+    # Certificate "GTS Root R1"
--   # Certificate "GlobalSign Root CA - R6"
+    # Certificate "GTS Root R2"
--   # Certificate "OISTE WISeKey Global Root GC CA"
+    # Certificate "GTS Root R3"
--   # Certificate "GTS Root R1"
+    # Certificate "GTS Root R4"
--   # Certificate "GTS Root R2"
+    # Certificate "UCA Global G2 Root"
--   # Certificate "GTS Root R3"
+    # Certificate "UCA Extended Validation Root"
--   # Certificate "GTS Root R4"
+    # Certificate "Certigna Root CA"
--   # Certificate "UCA Global G2 Root"
+    # Certificate "emSign Root CA - G1"
--   # Certificate "UCA Extended Validation Root"
+    # Certificate "emSign ECC Root CA - G3"
--   # Certificate "Certigna Root CA"
+    # Certificate "emSign Root CA - C1"
--   # Certificate "emSign Root CA - G1"
+    # Certificate "emSign ECC Root CA - C3"
--   # Certificate "emSign ECC Root CA - G3"
+    # Certificate "Hongkong Post Root CA 3"
--   # Certificate "emSign Root CA - C1"
--   # Certificate "emSign ECC Root CA - C3"
--   # Certificate "Hongkong Post Root CA 3"
 
-* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
-- Test gating
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
-* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
+* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
-- Use __python3 macro when invoking Python
+- Update to CKBI 2.26 from NSS 3.39
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
 - Ported scripts to python3

certdata2pem.py

@@ -177,6 +177,11 @@ openssl_trust = {
   "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
 }
 
+cert_distrust_types = {
+  "CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
+  "CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
+}
+
 for tobj in objects:
     if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
         key = tobj['CKA_LABEL'] + printable_serial(tobj)
@@ -369,6 +374,16 @@ for tobj in objects:
             f.write("nss-mozilla-ca-policy: true\n")
             f.write("modifiable: false\n");
 
+            # requires p11-kit >= 0.23.19
+            for t in list(cert_distrust_types.keys()):
+                if t in obj:
+                    value = obj[t]
+                    if value == 'CK_FALSE':
+                        value = bytearray(1)
+                    f.write(cert_distrust_types[t] + ": \"")
+                    f.write(urllib.parse.quote(value));
+                    f.write("\"\n")
+
             f.write("-----BEGIN CERTIFICATE-----\n")
             temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
             temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)

check_certs.sh

@@ -0,0 +1,118 @@
+#!/bin/perl
+
+sub adjust {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+   my @pos = @{$_[2]};
+   my $found = 0;
+   my @newneg = ();
+
+   foreach my $cline (@neg) {
+	if ($cline eq $newLine) {
+	   $found = 1;
+	} else {
+            push(@newneg ,$cline );
+	}
+   }
+   if (! $found ) {
+ 	push(@pos, $newLine);
+   }
+   @neg=@newneg;
+}
+
+sub removeLine {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+   my $found = 0;
+   my @newneg = ();
+
+   foreach my $cline (@neg) {
+        if ($found) {
+            push(@newneg ,$cline );
+	} elsif ($cline eq $newLine) {
+	   $found = 1;
+	} else {
+            push(@newneg ,$cline );
+	}
+   }
+   return @newneg;
+}
+
+sub filter {
+   my @list = @{$_[0]};
+   my $string = $_[1];
+   my @filteredList = ();
+   foreach my $cline (@list) {
+	if ($cline =~ m/$string/) {
+            push(@filteredList ,$cline );
+	}
+   }
+   return @filteredList;
+}
+
+sub lineExists {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+
+   foreach my $cline (@neg) {
+	if ($cline eq $newLine) {
+           return 1;
+	}
+   }
+   return 0;
+}
+
+sub lineExists {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+
+   foreach my $cline (@neg) {
+	if ($cline eq $newLine) {
+           return 1;
+	}
+   }
+   return 0;
+}
+
+sub printeach {
+   my @args = @{$_[0]};
+   foreach my $arg (@args) {
+	chomp $arg;
+	print "    $arg\n";
+    }
+}
+
+open my $handle, "git diff certdata.txt|";
+my @diff_lines = <$handle>;
+close $handle;
+my @adds = ();
+my @subs = ();
+foreach my $line (@diff_lines) {
+    $type = substr $line,0,1;
+    $lline = substr $line,1;
+    if ($type eq "+") {
+          if (lineExists($lline, \@subs)) {
+               @subs = removeLine($lline,\@subs);
+          } else {
+               push(@adds, $lline);
+          }
+    };
+    if ($type eq "-") {
+          if (lineExists($lline, \@adds)) {
+                @adds = removeLine($lline,\@adds);
+          } else {
+                push(@subs, $lline);
+          }
+    };
+}
+
+my @tmp = filter(\@subs, "# Certificate");
+if (@tmp) {
+    print "   Removing: \n";
+    printeach(\@tmp);
+}
+my @tmp = filter(\@adds, "# Certificate");
+if (@tmp) {
+    print "   Adding: \n";
+    printeach(\@tmp);
+}

fetch.sh

@@ -0,0 +1,159 @@
+#!/bin/sh
+#
+# This script fetches the latest released certdata.txt and updates the 
+# ca-certificates.spec file
+#
+baseurl="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib"
+force=0
+release_type="RTM"
+release="3_43"
+while [ -n "$1" ]; do
+   case $1 in
+   "-d")
+	baseurl="https://hg.mozilla.org/projects/nss/raw-file/default/lib"
+	;;
+   -t*)
+	release_type=`echo $1 | sed -e 's;-t;;'`
+	if [ "${release_type}" = "" ]; then
+	   shift
+	   release_type=$1
+	fi
+	baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
+	;;
+   -n*)
+	release=`echo $1 | sed -e 's;-n;;'`
+	if [ "${release}" = "" ]; then
+	   shift
+	   release=$1
+	fi
+	release=`echo ${release} | sed -e 's;\\.;_;g'`
+	baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
+	;;
+   "-f")
+	force=1
+	;;
+    *)
+	echo "usage: $0 [-r] [-n release] [-f]"
+	echo "-d           use the development tip rather than the latest release"
+	echo "-n release   fetch a specific nss release"
+	echo "-f           skip the verify check"
+	exit 1
+	;;
+    esac
+    shift
+done
+
+# get the current certdata version number
+# nss version number
+# user making the change
+# email of user
+# 
+# versions from the latest nss code in mozilla
+echo "Getting CKBI version number"
+ckbi_version=`wget ${baseurl}/ckfw/builtins/nssckbi.h -O - | grep "NSS_BUILTINS_LIBRARY_VERSION " | awk '{print $NF}' | sed -e "s;\";;g" `
+if [ "${ckbi_version}" = "" ]; then
+    echo "Didn't find ckbi version from ${baseurl}"
+    exit 1;
+fi
+echo "Getting NSS version number"
+nss_version=`wget ${baseurl}/nss/nss.h -O - | grep "NSS_VERSION" | awk '{print $3}' | sed -e "s;\";;g" `
+if [ "${nss_version}" = "" ]; then
+    echo "Didn't find nss version from ${baseurl}"
+    exit 1;
+fi
+# date from the current system date on this machine
+echo "Creating change log"
+export LANG=C
+year=`date +%Y`
+log_date=`date +"%a %b %d %Y"`
+# user name from the environment, fallback to git, fallback to the current user
+username=`whoami`
+name=${NAME}
+if [ "${name}" = "" ]; then
+   name=`git config user.name`
+fi
+if [ "${name}" = "" ]; then
+   name=`getent passwd $username`
+fi
+email=${EMAIL}
+if [ "${email}" = "" ]; then
+   email=`git config user.email`
+fi
+if [ "${email}" = "" ]; then
+   email=$username@`hostname`
+fi
+# rawhide >=2, branches 1.x
+cwd=$(pwd)
+if [ `basename ${cwd}` = master ]; then
+    release="2"
+else
+    release="1.0"
+fi
+version=${year}.${ckbi_version}
+
+#make sure the the current version is newer than what is already there
+current_version=`grep ^Version: ca-certificates.spec | awk '{ print $NF }'`
+if [ ${current_version} \> ${version} -o ${current_version} = ${version} ]; then
+   echo "Can't downgrade current version: ${current_version} new version: ${version}"
+   exit 1;
+fi
+
+# now get our new certdata.txt
+echo "Fetching new certdata.txt"
+wget ${baseurl}/ckfw/builtins/certdata.txt -O certdata.txt
+if [ $? -ne 0 ]; then
+   echo fetching certdata.text from ${baseurl} failed!
+   echo " To restore the old certdata.txt use:"
+   echo "    git checkout -- certdata.txt"
+   exit 1;
+fi
+
+# Verify everything is good with the user
+echo -e "Upgrading ${current_version} -> ${version}:"
+echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
+./check_certs.sh
+echo ""
+
+yn=""
+if [ ! ${force} ]; then
+	echo -n "Do you want to continue (Y/N default Y)? "
+	read yn
+	echo ""
+fi
+if [ "${yn}" != "" -a "${yn}" != "y" -a "${yn}" != "Y" -a "${yn}" != "yes" -a "${yn}" != "YES" ]; then
+    echo "Skipping ca-certificate.spec upgrade."
+    echo " NOTE: certdata.txt has been upgraded."
+    echo " To restore the old certdata.txt use:"
+    echo "    git checkout -- certdata.txt"
+    exit 1;
+fi
+
+echo "Updating .spec file"
+cat ca-certificates.spec | while IFS= read -r line
+do
+    echo $line | grep "^Version: " 1>&2
+    if [ $? -eq 0 ]; then
+	echo "Version: ${version}"
+	echo "New Version: ${version}" 1>&2
+	continue
+    fi
+    echo $line | grep "^Release: " 1>&2
+    if [ $?  -eq 0 ]; then
+	echo "Release: ${release}%{?dist}"
+	echo "New Release: ${release}%{?dist}" 1>&2
+	continue
+    fi
+    echo $line | grep "^%changelog" 1>&2
+    if [ $?  -eq 0 ]; then
+	echo "$line"
+	echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
+	echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"  1>&2
+	./check_certs.sh
+       echo ""
+	continue
+    fi
+    echo "$line"
+done > /tmp/ca-certificates.spec.$$
+mv /tmp/ca-certificates.spec.$$ ca-certificates.spec
+git status
+exit 0

gating.yaml

@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
+  - !PassingTestCaseRule {test_case_name: manual.sst_security_crypto.ca-certificates.streamspreadprevent}

sort-blocks.py

@@ -0,0 +1,34 @@
+#!/usr/bin/python3
+
+# Expected input is a file, where blocks of lines are separated by newline.
+# Blocks will be sorted.
+# Intention is to prepare files for comparison, were lines inside each block are
+# in stable order, but the order of blocks is random.
+
+import sys
+import string
+
+if (len(sys.argv) != 2):
+    print("syntax: " + sys.argv[0] + " input-filename")
+    sys.exit(1)
+
+filename = sys.argv[1]
+
+block = []
+block_list = []
+with open(filename, 'r') as f:
+    for line in f:
+        if (len(line) == 1):
+            if len(block) == 0:
+                continue
+            else:
+                combined_string = string.join(block, '')
+                block_list.append(combined_string)
+                block = []
+        else:
+            block.append(line)
+
+block_list.sort()
+
+for block in block_list:
+    print(block)

tests/smoke-test/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/ca-certificates/Sanity/smoke-test
+#   Description: Check presence of Verisign root.
+#   Author: Ondrej Moris <omoris@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/ca-certificates/Sanity/smoke-test
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Ondrej Moris <omoris@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Check presence of Verisign root." >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          ca-certificates" >> $(METADATA)
+	@echo "Requires:        ca-certificates" >> $(METADATA)
+	@echo "Requires:        wget" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/smoke-test/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/ca-certificates/Sanity/smoke-test
+Description: Check presence of Verisign root.
+Author: Ondrej Moris <omoris@redhat.com>

tests/smoke-test/runtest.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/ca-certificates/Sanity/smoke-test
+#   Description: Check presence of Verisign root.
+#   Author: Ondrej Moris <omoris@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/lib/beakerlib/beakerlib.sh
+
+PACKAGE="ca-certificates"
+
+rlJournalStart
+
+    rlPhaseStartTest
+
+    rlAssertRpm "$PACKAGE"
+	rlRun "curl -sS -o /dev/null https://www.verisign.com/" 0
+	rlRun "curl -sS -o /dev/null https://www.google.com/intl/en" 0
+
+    rlPhaseEnd
+
+rlJournalPrintText
+
+rlJournalEnd

tests/tests.yml

@@ -0,0 +1,13 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - atomic
+    - classic
+    - container
+    tests:
+    - smoke-test
+    required_packages:
+    - findutils         # beakerlib needs find command

trust-fixes

@@ -0,0 +1 @@
+

update-ca-trust

@@ -0,0 +1,137 @@
+#!/bin/sh
+
+#set -vx
+set -eu
+
+# For backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
+# files in $DEST.
+
+DEST=/etc/pki/ca-trust/extracted
+
+# Prevent p11-kit from reading user configuration files.
+export P11_KIT_NO_USER_CONFIG=1
+
+usage() {
+	fold -s -w 76 >&2 <<-EOF
+		Usage: $0 [extract] [-o DIR|--output=DIR]
+
+		Update the system trust store in $DEST.
+
+		COMMANDS
+		(absent/empty command): Same as the extract command without arguments.
+
+		extract: Instruct update-ca-trust to scan the source configuration in
+		/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
+		updated versions of the consolidated configuration files stored below
+		the $DEST directory hierarchy.
+
+		EXTRACT OPTIONS
+		-o DIR, --output=DIR: Write the extracted trust store into the given
+		directory instead of updating $DEST.
+	EOF
+}
+
+extract() {
+	USER_DEST=
+
+        # can't use getopt here. ca-certificates can't depend on a lot
+        # of other libraries since openssl depends on ca-certificates
+        # just fail when we hand parse
+
+        while [ $# -ne 0 ]; do
+	    case "$1" in
+	      "-o"|"--output")
+		  if [ $# -lt 2 ]; then
+			  echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
+			  echo >&2
+			  exit 1
+		  fi
+	          USER_DEST=$2
+		  shift 2
+		  continue
+		  ;;
+		"--")
+		  shift
+		  break
+		  ;;
+		*)
+		  echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
+		  exit 1
+		  ;;
+	    esac
+	done
+
+	if [ -n "$USER_DEST" ]; then
+		DEST=$USER_DEST
+	        # Attempt to create the directories if they do not exist
+                # yet (rhbz#2241240)
+	        /usr/bin/mkdir -p \
+		    "$DEST"/openssl \
+		    "$DEST"/pem \
+		    "$DEST"/java \
+		    "$DEST"/edk2
+	fi
+
+	# OpenSSL PEM bundle that includes trust flags
+	# (BEGIN TRUSTED CERTIFICATE)
+	/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
+	/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
+	/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
+	# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
+	# by GnuTLS)
+	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
+
+	# p11-kit extract will have made this directory unwritable; when run with
+	# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
+	# not be the case. See rhbz#2241240.
+	if [ -n "$USER_DEST" ]; then
+	    /usr/bin/chmod u+w "$DEST/pem/directory-hash"
+        fi
+
+	# Debian compatibility: their /etc/ssl/certs has this bundle
+	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
+	# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
+	# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
+	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
+
+	# Remove write permissions again
+	if [ -n "$USER_DEST" ]; then
+	    /usr/bin/chmod u-w "$DEST/pem/directory-hash"
+        fi
+}
+
+if [ $# -lt 1 ]; then
+    set -- extract
+fi
+
+case "$1" in
+	"extract")
+		shift
+		extract "$@"
+	;;
+	"--help")
+		usage
+		exit 0
+	;;
+	"-o"|"--output")
+		echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
+		echo >&2
+		exit 1
+	;;
+	"enable")
+		echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
+		echo >&2
+		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
+		extract
+	;;
+	*)
+		echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
+		echo >&2
+		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
+		extract
+	;;
+esac

update-ca-trust.8.txt

@@ -27,7 +27,7 @@ certificates and associated trust
 
 SYNOPSIS
 --------
-*update-ca-trust* ['COMMAND']
+*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
 
 
 DESCRIPTION
@@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
 * add it as a new file to directory /etc/pki/ca-trust/source/anchors/
 * run 'update-ca-trust extract'
 
-.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
 * add it as a new file to directory /etc/pki/ca-trust/source/
 * run 'update-ca-trust extract'
 
 .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
 * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
-* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
+* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
 * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
 
 .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
 format or in the PEM (BEGIN/END CERTIFICATE) file format.
 Each certificate will be treated as *trusted* for all purposes.
 
-In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
+In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
 you may install one or multiple certificates in either the DER file
 format or in the PEM (BEGIN/END CERTIFICATE) file format.
 Each certificate will be treated as *distrusted* for all purposes.
@@ -214,16 +214,24 @@ server authentication.
 
 COMMANDS
 --------
-(absent/empty command)::
+(absent/empty command)
-    Same as the *extract* command described below. (However, the command may
+~~~~~~~~~~~~~~~~~~~~~~
-    print fewer warnings, as this command is being run during rpm package 
+Same as the *extract* command described below. (However, the command may print
-    installation, where non-fatal status output is undesired.)
+fewer warnings, as this command is being run during rpm package installation,
+where non-fatal status output is undesired.)
 
-*extract*::
+extract
-    Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
+~~~~~~~
-    updated versions of the consolidated configuration files stored below
+Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
+produce updated versions of the consolidated configuration files stored below
 the /etc/pki/ca-trust/extracted directory hierarchy.
 
+EXTRACT OPTIONS
+^^^^^^^^^^^^^^^
+*-o DIR*, *--output=DIR*::
+	Write the extracted trust store into the given directory instead of
+	updating /etc/pki/ca-trust/extracted.
+
 FILES
 -----
 /etc/pki/tls/certs/ca-bundle.crt::