Compare commits
No commits in common. "c9s" and "c8" have entirely different histories.
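--- a/.ca-certificates.metadata
+++ b/.ca-certificates.metadata
@@ -0,0 +1 @@
+adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SOURCES/trust-fixes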
6
.gitignore
vendored
@ -1,5 +1 @@
|
|||||||
*.rpm
|
SOURCES/trust-fixes
|
||||||
noarch
|
|
||||||
clog
|
|
||||||
/.*build.log
|
|
||||||
/ca-certificates
|
|
||||||
|
@ -177,11 +177,6 @@ openssl_trust = {
|
|||||||
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
|
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
|
||||||
}
|
}
|
||||||
|
|
||||||
cert_distrust_types = {
|
|
||||||
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
|
|
||||||
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
|
|
||||||
}
|
|
||||||
|
|
||||||
for tobj in objects:
|
for tobj in objects:
|
||||||
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
|
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
|
||||||
key = tobj['CKA_LABEL'] + printable_serial(tobj)
|
key = tobj['CKA_LABEL'] + printable_serial(tobj)
|
||||||
@ -374,16 +369,6 @@ for tobj in objects:
|
|||||||
f.write("nss-mozilla-ca-policy: true\n")
|
f.write("nss-mozilla-ca-policy: true\n")
|
||||||
f.write("modifiable: false\n");
|
f.write("modifiable: false\n");
|
||||||
|
|
||||||
# requires p11-kit >= 0.23.19
|
|
||||||
for t in list(cert_distrust_types.keys()):
|
|
||||||
if t in obj:
|
|
||||||
value = obj[t]
|
|
||||||
if value == 'CK_FALSE':
|
|
||||||
value = bytearray(1)
|
|
||||||
f.write(cert_distrust_types[t] + ": \"")
|
|
||||||
f.write(urllib.parse.quote(value));
|
|
||||||
f.write("\"\n")
|
|
||||||
|
|
||||||
f.write("-----BEGIN CERTIFICATE-----\n")
|
f.write("-----BEGIN CERTIFICATE-----\n")
|
||||||
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
|
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
|
||||||
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
|
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
|
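--- a/SOURCES/update-ca-trust
+++ b/SOURCES/update-ca-trust
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#set -vx
+
+# At this time, while this script is trivial, we ignore any parameters given.
+# However, for backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
+# files in $DEST.
+
+DEST=/etc/pki/ca-trust/extracted
+
+# Prevent p11-kit from reading user configuration files.
+export P11_KIT_NO_USER_CONFIG=1
+
+# OpenSSL PEM bundle that includes trust flags
+# (BEGIN TRUSTED CERTIFICATE)
+/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
+/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
+/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
+/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
+/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
+/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin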
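Review bot: None of the six `/usr/bin/p11-kit extract` calls checks its exit status and the script has no `set -e`, so a failed extraction (a missing `$DEST` subdirectory, an unreadable source file) leaves a stale or empty trust bundle in place while the script still exits 0; the spec's `%post` runs `%{_bindir}/update-ca-trust` and would not notice. Adding `set -e` directly after the shebang, or recording each call's status and exiting non-zero at the end, makes the failure visible to the package scriptlet and to anyone running it by hand. The edk2 line spells the option as `--purpose=server-auth` while the other lines use `--purpose server-auth`; one spelling throughout is easier to grep and audit. The header comment is also missing a word: `# support the syntax "update-ca-trust extract" to trigger the generation of output`.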
@ -27,7 +27,7 @@ certificates and associated trust
|
|||||||
|
|
||||||
SYNOPSIS
|
SYNOPSIS
|
||||||
--------
|
--------
|
||||||
*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
|
*update-ca-trust* ['COMMAND']
|
||||||
|
|
||||||
|
|
||||||
DESCRIPTION
|
DESCRIPTION
|
||||||
@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
|
|||||||
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/
|
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/
|
||||||
* run 'update-ca-trust extract'
|
* run 'update-ca-trust extract'
|
||||||
|
|
||||||
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
|
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
|
||||||
* add it as a new file to directory /etc/pki/ca-trust/source/
|
* add it as a new file to directory /etc/pki/ca-trust/source/
|
||||||
* run 'update-ca-trust extract'
|
* run 'update-ca-trust extract'
|
||||||
|
|
||||||
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
|
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
|
||||||
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
|
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
|
||||||
* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
|
* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
|
||||||
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
||||||
|
|
||||||
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
|
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
|
||||||
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
|
|||||||
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
||||||
Each certificate will be treated as *trusted* for all purposes.
|
Each certificate will be treated as *trusted* for all purposes.
|
||||||
|
|
||||||
In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
|
In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
|
||||||
you may install one or multiple certificates in either the DER file
|
you may install one or multiple certificates in either the DER file
|
||||||
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
||||||
Each certificate will be treated as *distrusted* for all purposes.
|
Each certificate will be treated as *distrusted* for all purposes.
|
||||||
@ -214,23 +214,15 @@ server authentication.
|
|||||||
|
|
||||||
COMMANDS
|
COMMANDS
|
||||||
--------
|
--------
|
||||||
(absent/empty command)
|
(absent/empty command)::
|
||||||
~~~~~~~~~~~~~~~~~~~~~~
|
Same as the *extract* command described below. (However, the command may
|
||||||
Same as the *extract* command described below. (However, the command may print
|
print fewer warnings, as this command is being run during rpm package
|
||||||
fewer warnings, as this command is being run during rpm package installation,
|
installation, where non-fatal status output is undesired.)
|
||||||
where non-fatal status output is undesired.)
|
|
||||||
|
|
||||||
extract
|
*extract*::
|
||||||
~~~~~~~
|
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
|
||||||
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
|
updated versions of the consolidated configuration files stored below
|
||||||
produce updated versions of the consolidated configuration files stored below
|
the /etc/pki/ca-trust/extracted directory hierarchy.
|
||||||
the /etc/pki/ca-trust/extracted directory hierarchy.
|
|
||||||
|
|
||||||
EXTRACT OPTIONS
|
|
||||||
^^^^^^^^^^^^^^^
|
|
||||||
*-o DIR*, *--output=DIR*::
|
|
||||||
Write the extracted trust store into the given directory instead of
|
|
||||||
updating /etc/pki/ca-trust/extracted.
|
|
||||||
|
|
||||||
FILES
|
FILES
|
||||||
-----
|
-----
|
@ -36,11 +36,13 @@ Name: ca-certificates
|
|||||||
# because all future versions will start with 2013 or larger.)
|
# because all future versions will start with 2013 or larger.)
|
||||||
|
|
||||||
Version: 2024.2.69_v8.0.303
|
Version: 2024.2.69_v8.0.303
|
||||||
# for y-stream, please always use 91 <= release < 100 (91,92,93)
|
# On RHEL 8.x, please keep the release version >= 80
|
||||||
# for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...)
|
# When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
|
||||||
Release: 91.4%{?dist}
|
# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
|
||||||
License: MIT AND GPL-2.0-or-later
|
Release: 80.0%{?dist}
|
||||||
|
License: Public Domain
|
||||||
|
|
||||||
|
Group: System Environment/Base
|
||||||
URL: https://fedoraproject.org/wiki/CA-Certificates
|
URL: https://fedoraproject.org/wiki/CA-Certificates
|
||||||
|
|
||||||
#Please always update both certdata.txt and nssckbi.h
|
#Please always update both certdata.txt and nssckbi.h
|
||||||
@ -71,14 +73,16 @@ Requires(post): coreutils
|
|||||||
Requires: bash
|
Requires: bash
|
||||||
Requires: grep
|
Requires: grep
|
||||||
Requires: sed
|
Requires: sed
|
||||||
Requires(post): p11-kit-trust >= 0.24
|
Requires(post): p11-kit >= 0.23.12
|
||||||
Requires: p11-kit-trust >= 0.24
|
Requires(post): p11-kit-trust >= 0.23.12
|
||||||
|
Requires: p11-kit >= 0.23.12
|
||||||
|
Requires: p11-kit-trust >= 0.23.12
|
||||||
|
|
||||||
BuildRequires: perl-interpreter
|
BuildRequires: perl-interpreter
|
||||||
BuildRequires: python3
|
BuildRequires: python3-devel
|
||||||
BuildRequires: openssl
|
BuildRequires: openssl
|
||||||
BuildRequires: asciidoc
|
BuildRequires: asciidoc
|
||||||
BuildRequires: xmlto
|
BuildRequires: libxslt
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This package contains the set of CA certificates chosen by the
|
This package contains the set of CA certificates chosen by the
|
||||||
@ -96,7 +100,7 @@ mkdir %{name}/java
|
|||||||
pushd %{name}/certs
|
pushd %{name}/certs
|
||||||
pwd
|
pwd
|
||||||
cp %{SOURCE0} .
|
cp %{SOURCE0} .
|
||||||
python3 %{SOURCE4} >c2p.log 2>c2p.err
|
%{__python3} %{SOURCE4} >c2p.log 2>c2p.err
|
||||||
popd
|
popd
|
||||||
pushd %{name}
|
pushd %{name}
|
||||||
(
|
(
|
||||||
@ -167,12 +171,12 @@ popd
|
|||||||
|
|
||||||
#manpage
|
#manpage
|
||||||
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
|
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
|
||||||
asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
|
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
|
||||||
xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
|
xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
|
||||||
|
|
||||||
cp %{SOURCE9} %{name}/ca-legacy.8.txt
|
cp %{SOURCE9} %{name}/ca-legacy.8.txt
|
||||||
asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
|
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
|
||||||
xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
|
xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
@ -182,16 +186,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
|
|||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
|
||||||
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
|
||||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
|
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
|
||||||
@ -240,15 +243,9 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
|||||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||||
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
||||||
|
|
||||||
# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
|
# /etc/ssl/certs symlink for 3rd-party tools
|
||||||
ln -s /etc/pki/tls/certs \
|
ln -s ../pki/tls/certs \
|
||||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
|
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
|
||||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
|
||||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
|
|
||||||
ln -s /etc/pki/tls/openssl.cnf \
|
|
||||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
|
|
||||||
ln -s /etc/pki/tls/ct_log_list.cnf \
|
|
||||||
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
|
|
||||||
# legacy filenames
|
# legacy filenames
|
||||||
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
||||||
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
|
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
|
||||||
@ -259,49 +256,6 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
|
|||||||
ln -s %{catrustdir}/extracted/%{java_bundle} \
|
ln -s %{catrustdir}/extracted/%{java_bundle} \
|
||||||
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
|
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
|
||||||
|
|
||||||
# Populate %%{catrustdir}/extracted/pem/directory-hash.
|
|
||||||
#
|
|
||||||
# First direct p11-kit-trust.so to the generated bundle (not the one
|
|
||||||
# already present on the build system) with an overriding module
|
|
||||||
# config. Note that we have to use a different config path based on
|
|
||||||
# the current user: if root, ~/.config/pkcs11/modules/* are not read,
|
|
||||||
# while if a regular user, she can't write to /etc.
|
|
||||||
if test "$(id -u)" -eq 0; then
|
|
||||||
trust_module_dir=/etc/pkcs11/modules
|
|
||||||
else
|
|
||||||
trust_module_dir=$HOME/.config/pkcs11/modules
|
|
||||||
fi
|
|
||||||
|
|
||||||
mkdir -p "$trust_module_dir"
|
|
||||||
|
|
||||||
# It is unlikely that the directory would contain any files on a build system,
|
|
||||||
# but let's make sure just in case.
|
|
||||||
if [ -n "$(ls -A "$trust_module_dir")" ]; then
|
|
||||||
echo "Directory $trust_module_dir is not empty. Aborting build!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
|
|
||||||
cat >"$trust_module_config" <<EOF
|
|
||||||
module: p11-kit-trust.so
|
|
||||||
trust-policy: yes
|
|
||||||
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
|
|
||||||
EOF
|
|
||||||
|
|
||||||
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
|
|
||||||
--purpose server-auth \
|
|
||||||
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
|
||||||
|
|
||||||
# Create a temporary file with the list of (%ghost )files in the directory-hash.
|
|
||||||
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
|
|
||||||
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
|
|
||||||
# Clean up the temporary module config.
|
|
||||||
rm -f "$trust_module_config"
|
|
||||||
|
|
||||||
|
|
||||||
%clean
|
|
||||||
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
|
||||||
rm -rf $RPM_BUILD_ROOT
|
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
if [ $1 -gt 1 ] ; then
|
if [ $1 -gt 1 ] ; then
|
||||||
@ -349,7 +303,6 @@ if [ $1 -gt 1 ] ; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
%post
|
%post
|
||||||
#if [ $1 -gt 1 ] ; then
|
#if [ $1 -gt 1 ] ; then
|
||||||
# # when upgrading or downgrading
|
# # when upgrading or downgrading
|
||||||
@ -375,8 +328,9 @@ fi
|
|||||||
%{_bindir}/ca-legacy install
|
%{_bindir}/ca-legacy install
|
||||||
%{_bindir}/update-ca-trust
|
%{_bindir}/update-ca-trust
|
||||||
|
|
||||||
# The file .files.txt contains the list of (%ghost )files in the directory-hash
|
%files
|
||||||
%files -f .files.txt
|
%defattr(-,root,root,-)
|
||||||
|
|
||||||
%dir %{_sysconfdir}/ssl
|
%dir %{_sysconfdir}/ssl
|
||||||
%dir %{pkidir}/tls
|
%dir %{pkidir}/tls
|
||||||
%dir %{pkidir}/tls/certs
|
%dir %{pkidir}/tls/certs
|
||||||
@ -384,7 +338,7 @@ fi
|
|||||||
%dir %{catrustdir}
|
%dir %{catrustdir}
|
||||||
%dir %{catrustdir}/source
|
%dir %{catrustdir}/source
|
||||||
%dir %{catrustdir}/source/anchors
|
%dir %{catrustdir}/source/anchors
|
||||||
%dir %{catrustdir}/source/blocklist
|
%dir %{catrustdir}/source/blacklist
|
||||||
%dir %{catrustdir}/extracted
|
%dir %{catrustdir}/extracted
|
||||||
%dir %{catrustdir}/extracted/pem
|
%dir %{catrustdir}/extracted/pem
|
||||||
%dir %{catrustdir}/extracted/openssl
|
%dir %{catrustdir}/extracted/openssl
|
||||||
@ -392,9 +346,8 @@ fi
|
|||||||
%dir %{_datadir}/pki
|
%dir %{_datadir}/pki
|
||||||
%dir %{_datadir}/pki/ca-trust-source
|
%dir %{_datadir}/pki/ca-trust-source
|
||||||
%dir %{_datadir}/pki/ca-trust-source/anchors
|
%dir %{_datadir}/pki/ca-trust-source/anchors
|
||||||
%dir %{_datadir}/pki/ca-trust-source/blocklist
|
%dir %{_datadir}/pki/ca-trust-source/blacklist
|
||||||
%dir %{_datadir}/pki/ca-trust-legacy
|
%dir %{_datadir}/pki/ca-trust-legacy
|
||||||
%dir %{catrustdir}/extracted/pem/directory-hash
|
|
||||||
|
|
||||||
%config(noreplace) %{catrustdir}/ca-legacy.conf
|
%config(noreplace) %{catrustdir}/ca-legacy.conf
|
||||||
|
|
||||||
@ -414,13 +367,10 @@ fi
|
|||||||
%{pkidir}/tls/certs/%{classic_tls_bundle}
|
%{pkidir}/tls/certs/%{classic_tls_bundle}
|
||||||
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
|
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
|
||||||
%{pkidir}/%{java_bundle}
|
%{pkidir}/%{java_bundle}
|
||||||
# symlinks to cross-distro compatibility files and directory
|
# symlink directory
|
||||||
%{_sysconfdir}/ssl/certs
|
%{_sysconfdir}/ssl/certs
|
||||||
%{_sysconfdir}/ssl/cert.pem
|
|
||||||
%{_sysconfdir}/ssl/openssl.cnf
|
|
||||||
%{_sysconfdir}/ssl/ct_log_list.cnf
|
|
||||||
|
|
||||||
# primary bundle file with trust
|
# master bundle file with trust
|
||||||
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
|
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
|
||||||
|
|
||||||
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
|
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
|
||||||
@ -436,33 +386,11 @@ fi
|
|||||||
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
||||||
%ghost %{catrustdir}/extracted/%{java_bundle}
|
%ghost %{catrustdir}/extracted/%{java_bundle}
|
||||||
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
|
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
|
||||||
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
|
|
||||||
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
|
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
|
||||||
- update-ca-trust: return warnings on a unsupported argument instead of error
|
|
||||||
|
|
||||||
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
|
|
||||||
- Temporarily generate the directory-hash files in %%install ...(next item)
|
|
||||||
- Add list of ghost files from directory-hash to %%files
|
|
||||||
|
|
||||||
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
|
|
||||||
- Remove write permissions from directory-hash
|
|
||||||
|
|
||||||
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
|
|
||||||
- Reduce dependency on p11-kit to only the trust subpackage
|
|
||||||
- Own the Directory-hash directory
|
|
||||||
|
|
||||||
*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
|
|
||||||
- Fix release number
|
|
||||||
|
|
||||||
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
|
|
||||||
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
|
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
|
||||||
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
|
|
||||||
|
|
||||||
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
|
|
||||||
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
|
|
||||||
- Removing:
|
- Removing:
|
||||||
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
|
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
|
||||||
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
|
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
|
||||||
@ -509,22 +437,7 @@ fi
|
|||||||
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
|
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
|
||||||
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
|
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
|
||||||
|
|
||||||
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
|
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
|
||||||
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
|
|
||||||
|
|
||||||
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
|
|
||||||
- Skip %post if getopt is missing (recent change made update-ca-trust use it)
|
|
||||||
|
|
||||||
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
|
|
||||||
- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
|
|
||||||
|
|
||||||
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
|
|
||||||
- update License: field to SPDX
|
|
||||||
|
|
||||||
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
|
|
||||||
- Bump release number to make CI happy
|
|
||||||
|
|
||||||
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
|
|
||||||
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
|
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
|
||||||
- Removing:
|
- Removing:
|
||||||
- # Certificate "Camerfirma Global Chambersign Root"
|
- # Certificate "Camerfirma Global Chambersign Root"
|
||||||
@ -604,7 +517,7 @@ fi
|
|||||||
- # Certificate "GlobalSign Code Signing Root R45"
|
- # Certificate "GlobalSign Code Signing Root R45"
|
||||||
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
|
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
|
||||||
|
|
||||||
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
|
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
|
||||||
- Update to CKBI 2.54 from NSS 3.79
|
- Update to CKBI 2.54 from NSS 3.79
|
||||||
- Removing:
|
- Removing:
|
||||||
- # Certificate "TrustCor ECA-1"
|
- # Certificate "TrustCor ECA-1"
|
||||||
@ -625,29 +538,12 @@ fi
|
|||||||
- # Certificate "Government Root Certification Authority"
|
- # Certificate "Government Root Certification Authority"
|
||||||
- # Certificate "AC Raíz Certicámara S.A."
|
- # Certificate "AC Raíz Certicámara S.A."
|
||||||
|
|
||||||
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1
|
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
|
||||||
- Update to CKBI 2.54 from NSS 3.79
|
- Update to CKBI 2.54 from NSS 3.79
|
||||||
|
|
||||||
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0
|
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
|
||||||
- Update to CKBI 2.54 from NSS 3.79
|
- Update to CKBI 2.54 from NSS 3.79
|
||||||
- Removing:
|
|
||||||
- # Certificate "GlobalSign Root CA - R2"
|
|
||||||
- # Certificate "DST Root CA X3"
|
|
||||||
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
|
||||||
- Adding:
|
- Adding:
|
||||||
- # Certificate "TunTrust Root CA"
|
|
||||||
- # Certificate "HARICA TLS RSA Root CA 2021"
|
|
||||||
- # Certificate "HARICA TLS ECC Root CA 2021"
|
|
||||||
- # Certificate "HARICA Client RSA Root CA 2021"
|
|
||||||
- # Certificate "HARICA Client ECC Root CA 2021"
|
|
||||||
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|
|
||||||
- # Certificate "vTrus ECC Root CA"
|
|
||||||
- # Certificate "vTrus Root CA"
|
|
||||||
- # Certificate "ISRG Root X2"
|
|
||||||
- # Certificate "HiPKI Root CA - G1"
|
|
||||||
- # Certificate "Telia Root CA v2"
|
|
||||||
- # Certificate "D-TRUST BR Root CA 1 2020"
|
|
||||||
- # Certificate "D-TRUST EV Root CA 1 2020"
|
|
||||||
- # Certificate "CAEDICOM Root"
|
- # Certificate "CAEDICOM Root"
|
||||||
- # Certificate "I.CA Root CA/RSA"
|
- # Certificate "I.CA Root CA/RSA"
|
||||||
- # Certificate "MULTICERT Root Certification Authority 01"
|
- # Certificate "MULTICERT Root Certification Authority 01"
|
||||||
@ -789,6 +685,7 @@ fi
|
|||||||
- # Certificate "Certipost E-Trust TOP Root CA"
|
- # Certificate "Certipost E-Trust TOP Root CA"
|
||||||
- # Certificate "Certipost E-Trust Primary Qualified CA"
|
- # Certificate "Certipost E-Trust Primary Qualified CA"
|
||||||
- # Certificate "Certipost E-Trust Primary Normalised CA"
|
- # Certificate "Certipost E-Trust Primary Normalised CA"
|
||||||
|
- # Certificate "Cybertrust Global Root"
|
||||||
- # Certificate "GlobalSign"
|
- # Certificate "GlobalSign"
|
||||||
- # Certificate "IGC/A"
|
- # Certificate "IGC/A"
|
||||||
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
|
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
|
||||||
@ -862,113 +759,129 @@ fi
|
|||||||
- # Certificate "HARICA Code Signing ECC Root CA 2021"
|
- # Certificate "HARICA Code Signing ECC Root CA 2021"
|
||||||
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
|
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
|
||||||
|
|
||||||
* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
|
*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
|
||||||
- remove blacklist directory and references now that p11-kit has been updated.
|
- Update to CKBI 2.54 from NSS 3.79
|
||||||
|
- Removing:
|
||||||
|
- # Certificate "GlobalSign Root CA - R2"
|
||||||
|
- # Certificate "DST Root CA X3"
|
||||||
|
- # Certificate "Cybertrust Global Root"
|
||||||
|
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||||
|
- Adding:
|
||||||
|
- # Certificate "TunTrust Root CA"
|
||||||
|
- # Certificate "HARICA TLS RSA Root CA 2021"
|
||||||
|
- # Certificate "HARICA TLS ECC Root CA 2021"
|
||||||
|
- # Certificate "HARICA Client RSA Root CA 2021"
|
||||||
|
- # Certificate "HARICA Client ECC Root CA 2021"
|
||||||
|
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|
||||||
|
- # Certificate "vTrus ECC Root CA"
|
||||||
|
- # Certificate "vTrus Root CA"
|
||||||
|
- # Certificate "ISRG Root X2"
|
||||||
|
- # Certificate "HiPKI Root CA - G1"
|
||||||
|
- # Certificate "Telia Root CA v2"
|
||||||
|
- # Certificate "D-TRUST BR Root CA 1 2020"
|
||||||
|
- # Certificate "D-TRUST EV Root CA 1 2020"
|
||||||
|
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
|
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Update to CKBI 2.50 from NSS 3.67
|
||||||
Related: rhbz#1991688
|
- version number update only
|
||||||
|
|
||||||
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
|
*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
|
||||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
- Update to CKBI 2.48 from NSS 3.66
|
||||||
Related: rhbz#1971065
|
- Removing:
|
||||||
|
- # Certificate "QuoVadis Root CA"
|
||||||
|
- # Certificate "Sonera Class 2 Root CA"
|
||||||
|
- # Certificate "Trustis FPS Root CA"
|
||||||
|
- Adding:
|
||||||
|
- # Certificate "GLOBALTRUST 2020"
|
||||||
|
- # Certificate "ANF Secure Server Root CA"
|
||||||
|
- # Certificate "Certum EC-384 CA"
|
||||||
|
- # Certificate "Certum Trusted Root CA"
|
||||||
|
|
||||||
* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
|
*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
|
||||||
- Update to CKBI 2.50 from NSS 3.67
|
- Update to CKBI 2.48 from NSS 3.64
|
||||||
- Removing:
|
- Removing:
|
||||||
- # Certificate "QuoVadis Root CA"
|
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
|
||||||
- # Certificate "Sonera Class 2 Root CA"
|
- # Certificate "GeoTrust Global CA"
|
||||||
- # Certificate "Trustis FPS Root CA"
|
- # Certificate "GeoTrust Universal CA"
|
||||||
- Adding:
|
- # Certificate "GeoTrust Universal CA 2"
|
||||||
- # Certificate "GLOBALTRUST 2020"
|
- # Certificate "Taiwan GRCA"
|
||||||
- # Certificate "ANF Secure Server Root CA"
|
- # Certificate "GeoTrust Primary Certification Authority"
|
||||||
- # Certificate "Certum EC-384 CA"
|
- # Certificate "thawte Primary Root CA"
|
||||||
- # Certificate "Certum Trusted Root CA"
|
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
|
||||||
|
- # Certificate "GeoTrust Primary Certification Authority - G3"
|
||||||
|
- # Certificate "thawte Primary Root CA - G2"
|
||||||
|
- # Certificate "thawte Primary Root CA - G3"
|
||||||
|
- # Certificate "GeoTrust Primary Certification Authority - G2"
|
||||||
|
- # Certificate "VeriSign Universal Root Certification Authority"
|
||||||
|
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
|
||||||
|
- # Certificate "EE Certification Centre Root CA"
|
||||||
|
- # Certificate "LuxTrust Global Root 2"
|
||||||
|
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
|
||||||
|
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
|
||||||
|
- Adding:
|
||||||
|
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
|
||||||
|
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
|
||||||
|
- # Certificate "e-Szigno Root CA 2017"
|
||||||
|
- # Certificate "certSIGN Root CA G2"
|
||||||
|
- # Certificate "Trustwave Global Certification Authority"
|
||||||
|
- # Certificate "Trustwave Global ECC P256 Certification Authority"
|
||||||
|
- # Certificate "Trustwave Global ECC P384 Certification Authority"
|
||||||
|
- # Certificate "NAVER Global Root Certification Authority"
|
||||||
|
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
|
||||||
|
- # Certificate "GlobalSign Secure Mail Root R45"
|
||||||
|
- # Certificate "GlobalSign Secure Mail Root E45"
|
||||||
|
- # Certificate "GlobalSign Root R46"
|
||||||
|
- # Certificate "GlobalSign Root E46"
|
||||||
|
|
||||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
|
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- fix post issues
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
|
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
|
|
||||||
- remove unnecessarily divisive terms, take 1.
|
|
||||||
- in ca-certificates there are 3 cases:
|
|
||||||
- 1) master refering to the fedora master branch in the fetch.sh script.
|
|
||||||
- This can only be changed once fedora changes the master branch name.
|
|
||||||
- 2) a reference to the 'master bundle' in this file: this has been changed
|
|
||||||
- to 'primary bundle'.
|
|
||||||
- 3) a couple of blacklist directories owned by this package, but used to
|
|
||||||
- p11-kit. New 'blocklist' directories have been created, but p11-kit
|
|
||||||
- needs to be updated before the old blacklist directories can be removed
|
|
||||||
- and the man pages corrected.
|
|
||||||
|
|
||||||
* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
|
|
||||||
- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
|
|
||||||
|
|
||||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
|
|
||||||
- Fix up broken %post and %postinstall scriptlet changes from -2
|
|
||||||
|
|
||||||
* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
|
|
||||||
- Update to CKBI 2.41 from NSS 3.53.0
|
- Update to CKBI 2.41 from NSS 3.53.0
|
||||||
- Removing:
|
- Removing:
|
||||||
- # Certificate "AddTrust Low-Value Services Root"
|
- # Certificate "AddTrust Low-Value Services Root"
|
||||||
- # Certificate "AddTrust External Root"
|
- # Certificate "AddTrust External Root"
|
||||||
- # Certificate "Staat der Nederlanden Root CA - G2"
|
|
||||||
|
|
||||||
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
|
|
||||||
- Update versioned dependency on p11-kit
|
|
||||||
|
|
||||||
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
|
|
||||||
- Update to CKBI 2.40 from NSS 3.48
|
|
||||||
- Removing:
|
|
||||||
- # Certificate "UTN USERFirst Email Root CA"
|
- # Certificate "UTN USERFirst Email Root CA"
|
||||||
- # Certificate "Certplus Class 2 Primary CA"
|
- # Certificate "Certplus Class 2 Primary CA"
|
||||||
- # Certificate "Deutsche Telekom Root CA 2"
|
- # Certificate "Deutsche Telekom Root CA 2"
|
||||||
|
- # Certificate "Staat der Nederlanden Root CA - G2"
|
||||||
- # Certificate "Swisscom Root CA 2"
|
- # Certificate "Swisscom Root CA 2"
|
||||||
- # Certificate "Certinomis - Root CA"
|
- # Certificate "Certinomis - Root CA"
|
||||||
- Adding:
|
- Adding:
|
||||||
- # Certificate "Entrust Root Certification Authority - G4"
|
- # Certificate "Entrust Root Certification Authority - G4"
|
||||||
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
|
|
||||||
|
|
||||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
|
*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
- Update to CKBI 2.32 from NSS 3.44
|
||||||
|
- Removing:
|
||||||
|
- # Certificate "Visa eCommerce Root"
|
||||||
|
- # Certificate "AC Raiz Certicamara S.A."
|
||||||
|
- # Certificate "ComSign CA"
|
||||||
|
- # Certificate "Certplus Root CA G1"
|
||||||
|
- # Certificate "Certplus Root CA G2"
|
||||||
|
- # Certificate "OpenTrust Root CA G1"
|
||||||
|
- # Certificate "OpenTrust Root CA G2"
|
||||||
|
- # Certificate "OpenTrust Root CA G3"
|
||||||
|
- Adding:
|
||||||
|
- # Certificate "GlobalSign Root CA - R6"
|
||||||
|
- # Certificate "OISTE WISeKey Global Root GC CA"
|
||||||
|
- # Certificate "GTS Root R1"
|
||||||
|
- # Certificate "GTS Root R2"
|
||||||
|
- # Certificate "GTS Root R3"
|
||||||
|
- # Certificate "GTS Root R4"
|
||||||
|
- # Certificate "UCA Global G2 Root"
|
||||||
|
- # Certificate "UCA Extended Validation Root"
|
||||||
|
- # Certificate "Certigna Root CA"
|
||||||
|
- # Certificate "emSign Root CA - G1"
|
||||||
|
- # Certificate "emSign ECC Root CA - G3"
|
||||||
|
- # Certificate "emSign Root CA - C1"
|
||||||
|
- # Certificate "emSign ECC Root CA - C3"
|
||||||
|
- # Certificate "Hongkong Post Root CA 3"
|
||||||
|
|
||||||
* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
|
* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
|
||||||
- Update to CKBI 2.32 from NSS 3.44
|
- Test gating
|
||||||
Removing:
|
|
||||||
# Certificate "Visa eCommerce Root"
|
|
||||||
# Certificate "AC Raiz Certicamara S.A."
|
|
||||||
# Certificate "Certplus Root CA G1"
|
|
||||||
# Certificate "Certplus Root CA G2"
|
|
||||||
# Certificate "OpenTrust Root CA G1"
|
|
||||||
# Certificate "OpenTrust Root CA G2"
|
|
||||||
# Certificate "OpenTrust Root CA G3"
|
|
||||||
Adding:
|
|
||||||
# Certificate "GTS Root R1"
|
|
||||||
# Certificate "GTS Root R2"
|
|
||||||
# Certificate "GTS Root R3"
|
|
||||||
# Certificate "GTS Root R4"
|
|
||||||
# Certificate "UCA Global G2 Root"
|
|
||||||
# Certificate "UCA Extended Validation Root"
|
|
||||||
# Certificate "Certigna Root CA"
|
|
||||||
# Certificate "emSign Root CA - G1"
|
|
||||||
# Certificate "emSign ECC Root CA - G3"
|
|
||||||
# Certificate "emSign Root CA - C1"
|
|
||||||
# Certificate "emSign ECC Root CA - C3"
|
|
||||||
# Certificate "Hongkong Post Root CA 3"
|
|
||||||
|
|
||||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
|
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
- Use __python3 macro when invoking Python
|
||||||
|
|
||||||
* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
|
|
||||||
- Update to CKBI 2.26 from NSS 3.39
|
|
||||||
|
|
||||||
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
|
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
|
||||||
- Ported scripts to python3
|
- Ported scripts to python3
|
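--- a/check_certs.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/perl
-
-sub adjust {
-my $newLine = $_[0];
-my @neg = @{$_[1]};
-my @pos = @{$_[2]};
-my $found = 0;
-my @newneg = ();
-
-foreach my $cline (@neg) {
-if ($cline eq $newLine) {
-$found = 1;
-} else {
-push(@newneg ,$cline );
-}
-}
-if (! $found ) {
-push(@pos, $newLine);
-}
-@neg=@newneg;
-}
-
-sub removeLine {
-my $newLine = $_[0];
-my @neg = @{$_[1]};
-my $found = 0;
-my @newneg = ();
-
-foreach my $cline (@neg) {
-if ($found) {
-push(@newneg ,$cline );
-} elsif ($cline eq $newLine) {
-$found = 1;
-} else {
-push(@newneg ,$cline );
-}
-}
-return @newneg;
-}
-
-sub filter {
-my @list = @{$_[0]};
-my $string = $_[1];
-my @filteredList = ();
-foreach my $cline (@list) {
-if ($cline =~ m/$string/) {
-push(@filteredList ,$cline );
-}
-}
-return @filteredList;
-}
-
-sub lineExists {
-my $newLine = $_[0];
-my @neg = @{$_[1]};
-
-foreach my $cline (@neg) {
-if ($cline eq $newLine) {
-return 1;
-}
-}
-return 0;
-}
-
-sub lineExists {
-my $newLine = $_[0];
-my @neg = @{$_[1]};
-
-foreach my $cline (@neg) {
-if ($cline eq $newLine) {
-return 1;
-}
-}
-return 0;
-}
-
-sub printeach {
-my @args = @{$_[0]};
-foreach my $arg (@args) {
-chomp $arg;
-print " $arg\n";
-}
-}
-
-open my $handle, "git diff certdata.txt|";
-my @diff_lines = <$handle>;
-close $handle;
-my @adds = ();
-my @subs = ();
-foreach my $line (@diff_lines) {
-$type = substr $line,0,1;
-$lline = substr $line,1;
-if ($type eq "+") {
-if (lineExists($lline, \@subs)) {
-@subs = removeLine($lline,\@subs);
-} else {
-push(@adds, $lline);
-}
-};
-if ($type eq "-") {
-if (lineExists($lline, \@adds)) {
-@adds = removeLine($lline,\@adds);
-} else {
-push(@subs, $lline);
-}
-};
-}
-
-my @tmp = filter(\@subs, "# Certificate");
-if (@tmp) {
-print " Removing: \n";
-printeach(\@tmp);
-}
-my @tmp = filter(\@adds, "# Certificate");
-if (@tmp) {
-print " Adding: \n";
-printeach(\@tmp);
-}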
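--- a/fetch.sh
+++ /dev/null
@@ -1,159 +0,0 @@
-#!/bin/sh
-#
-# This script fetches the latest released certdata.txt and updates the
-# ca-certificates.spec file
-#
-baseurl="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib"
-force=0
-release_type="RTM"
-release="3_43"
-while [ -n "$1" ]; do
-case $1 in
-"-d")
-baseurl="https://hg.mozilla.org/projects/nss/raw-file/default/lib"
-;;
--t*)
-release_type=`echo $1 | sed -e 's;-t;;'`
-if [ "${release_type}" = "" ]; then
-shift
-release_type=$1
-fi
-baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
-;;
--n*)
-release=`echo $1 | sed -e 's;-n;;'`
-if [ "${release}" = "" ]; then
-shift
-release=$1
-fi
-release=`echo ${release} | sed -e 's;\\.;_;g'`
-baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
-;;
-"-f")
-force=1
-;;
-*)
-echo "usage: $0 [-r] [-n release] [-f]"
-echo "-d use the development tip rather than the latest release"
-echo "-n release fetch a specific nss release"
-echo "-f skip the verify check"
-exit 1
-;;
-esac
-shift
-done
-
-# get the current certdata version number
-# nss version number
-# user making the change
-# email of user
-#
-# versions from the latest nss code in mozilla
-echo "Getting CKBI version number"
-ckbi_version=`wget ${baseurl}/ckfw/builtins/nssckbi.h -O - | grep "NSS_BUILTINS_LIBRARY_VERSION " | awk '{print $NF}' | sed -e "s;\";;g" `
-if [ "${ckbi_version}" = "" ]; then
-echo "Didn't find ckbi version from ${baseurl}"
-exit 1;
-fi
-echo "Getting NSS version number"
-nss_version=`wget ${baseurl}/nss/nss.h -O - | grep "NSS_VERSION" | awk '{print $3}' | sed -e "s;\";;g" `
-if [ "${nss_version}" = "" ]; then
-echo "Didn't find nss version from ${baseurl}"
-exit 1;
-fi
-# date from the current system date on this machine
-echo "Creating change log"
-export LANG=C
-year=`date +%Y`
-log_date=`date +"%a %b %d %Y"`
-# user name from the environment, fallback to git, fallback to the current user
-username=`whoami`
-name=${NAME}
-if [ "${name}" = "" ]; then
-name=`git config user.name`
-fi
-if [ "${name}" = "" ]; then
-name=`getent passwd $username`
-fi
-email=${EMAIL}
-if [ "${email}" = "" ]; then
-email=`git config user.email`
-fi
-if [ "${email}" = "" ]; then
-email=$username@`hostname`
-fi
-# rawhide >=2, branches 1.x
-cwd=$(pwd)
-if [ `basename ${cwd}` = master ]; then
-release="2"
-else
-release="1.0"
-fi
-version=${year}.${ckbi_version}
-
-#make sure the the current version is newer than what is already there
-current_version=`grep ^Version: ca-certificates.spec | awk '{ print $NF }'`
-if [ ${current_version} \> ${version} -o ${current_version} = ${version} ]; then
-echo "Can't downgrade current version: ${current_version} new version: ${version}"
-exit 1;
-fi
-
-# now get our new certdata.txt
-echo "Fetching new certdata.txt"
-wget ${baseurl}/ckfw/builtins/certdata.txt -O certdata.txt
-if [ $? -ne 0 ]; then
-echo fetching certdata.text from ${baseurl} failed!
-echo " To restore the old certdata.txt use:"
-echo " git checkout -- certdata.txt"
-exit 1;
-fi
-
-# Verify everything is good with the user
-echo -e "Upgrading ${current_version} -> ${version}:"
-echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
-./check_certs.sh
-echo ""
-
-yn=""
-if [ ! ${force} ]; then
-echo -n "Do you want to continue (Y/N default Y)? "
-read yn
-echo ""
-fi
-if [ "${yn}" != "" -a "${yn}" != "y" -a "${yn}" != "Y" -a "${yn}" != "yes" -a "${yn}" != "YES" ]; then
-echo "Skipping ca-certificate.spec upgrade."
-echo " NOTE: certdata.txt has been upgraded."
-echo " To restore the old certdata.txt use:"
-echo " git checkout -- certdata.txt"
-exit 1;
-fi
-
-echo "Updating .spec file"
-cat ca-certificates.spec | while IFS= read -r line
-do
-echo $line | grep "^Version: " 1>&2
-if [ $? -eq 0 ]; then
-echo "Version: ${version}"
-echo "New Version: ${version}" 1>&2
-continue
-fi
-echo $line | grep "^Release: " 1>&2
-if [ $? -eq 0 ]; then
-echo "Release: ${release}%{?dist}"
-echo "New Release: ${release}%{?dist}" 1>&2
-continue
-fi
-echo $line | grep "^%changelog" 1>&2
-if [ $? -eq 0 ]; then
-echo "$line"
-echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
-echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}" 1>&2
-./check_certs.sh
-echo ""
-continue
-fi
-echo "$line"
-done > /tmp/ca-certificates.spec.$$
-mv /tmp/ca-certificates.spec.$$ ca-certificates.spec
-git status
-exit 0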
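--- a/PATH_NOT_SHOWN_1
+++ /dev/null
@@ -1,9 +0,0 @@
---- !Policy
-product_versions:
-- rhel-9
-decision_context: osci_compose_gate
-rules:
-- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
-- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
-- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
-- !PassingTestCaseRule {test_case_name: manual.sst_security_crypto.ca-certificates.streamspreadprevent}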
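--- a/PATH_NOT_SHOWN_2
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/python3
-
-# Expected input is a file, where blocks of lines are separated by newline.
-# Blocks will be sorted.
-# Intention is to prepare files for comparison, were lines inside each block are
-# in stable order, but the order of blocks is random.
-
-import sys
-import string
-
-if (len(sys.argv) != 2):
-print("syntax: " + sys.argv[0] + " input-filename")
-sys.exit(1)
-
-filename = sys.argv[1]
-
-block = []
-block_list = []
-with open(filename, 'r') as f:
-for line in f:
-if (len(line) == 1):
-if len(block) == 0:
-continue
-else:
-combined_string = string.join(block, '')
-block_list.append(combined_string)
-block = []
-else:
-block.append(line)
-
-block_list.sort()
-
-for block in block_list:
-print(block)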
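--- a/PATH_NOT_SHOWN/Makefile
+++ /dev/null
@@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-# Makefile of /CoreOS/ca-certificates/Sanity/smoke-test
-# Description: Check presence of Verisign root.
-# Author: Ondrej Moris <omoris@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
-#
-# This copyrighted material is made available to anyone wishing
-# to use, modify, copy, or redistribute it subject to the terms
-# and conditions of the GNU General Public License version 2.
-#
-# This program is distributed in the hope that it will be
-# useful, but WITHOUT ANY WARRANTY; without even the implied
-# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public
-# License along with this program; if not, write to the Free
-# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/ca-certificates/Sanity/smoke-test
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-./runtest.sh
-
-build: $(BUILT_FILES)
-chmod a+x runtest.sh
-
-clean:
-rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-@echo "Owner: Ondrej Moris <omoris@redhat.com>" > $(METADATA)
-@echo "Name: $(TEST)" >> $(METADATA)
-@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
-@echo "Path: $(TEST_DIR)" >> $(METADATA)
-@echo "Description: Check presence of Verisign root." >> $(METADATA)
-@echo "Type: Sanity" >> $(METADATA)
-@echo "TestTime: 5m" >> $(METADATA)
-@echo "RunFor: ca-certificates" >> $(METADATA)
-@echo "Requires: ca-certificates" >> $(METADATA)
-@echo "Requires: wget" >> $(METADATA)
-@echo "Priority: Normal" >> $(METADATA)
-@echo "License: GPLv2" >> $(METADATA)
-@echo "Confidential: no" >> $(METADATA)
-@echo "Destructive: no" >> $(METADATA)
-
-rhts-lint $(METADATA)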
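--- a/PATH_NOT_SHOWN/PURPOSE
+++ /dev/null
@@ -1,3 +0,0 @@
-PURPOSE of /CoreOS/ca-certificates/Sanity/smoke-test
-Description: Check presence of Verisign root.
-Author: Ondrej Moris <omoris@redhat.com>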
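--- a/PATH_NOT_SHOWN/runtest.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-# runtest.sh of /CoreOS/ca-certificates/Sanity/smoke-test
-# Description: Check presence of Verisign root.
-# Author: Ondrej Moris <omoris@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-# Copyright (c) 2010 Red Hat, Inc. All rights reserved.
-#
-# This copyrighted material is made available to anyone wishing
-# to use, modify, copy, or redistribute it subject to the terms
-# and conditions of the GNU General Public License version 2.
-#
-# This program is distributed in the hope that it will be
-# useful, but WITHOUT ANY WARRANTY; without even the implied
-# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-# PURPOSE. See the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public
-# License along with this program; if not, write to the Free
-# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-# Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include rhts environment
-. /usr/lib/beakerlib/beakerlib.sh
-
-PACKAGE="ca-certificates"
-
-rlJournalStart
-
-rlPhaseStartTest
-
-rlAssertRpm "$PACKAGE"
-rlRun "curl -sS -o /dev/null https://www.verisign.com/" 0
-rlRun "curl -sS -o /dev/null https://www.google.com/intl/en" 0
-
-rlPhaseEnd
-
-rlJournalPrintText
-
-rlJournalEnd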
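--- a/PATH_NOT_SHOWN_3
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-roles:
-- role: standard-test-beakerlib
-tags:
-- atomic
-- classic
-- container
-tests:
-- smoke-test
-required_packages:
-- findutils # beakerlib needs find command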
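--- a/PATH_NOT_SHOWN_4
+++ /dev/null
@@ -1 +0,0 @@
-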
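--- a/update-ca-trust
+++ /dev/null
@@ -1,137 +0,0 @@
-#!/bin/sh
-
-#set -vx
-set -eu
-
-# For backwards compatibility reasons, future versions of this script must
-# support the syntax "update-ca-trust extract" trigger the generation of output
-# files in $DEST.
-
-DEST=/etc/pki/ca-trust/extracted
-
-# Prevent p11-kit from reading user configuration files.
-export P11_KIT_NO_USER_CONFIG=1
-
-usage() {
-fold -s -w 76 >&2 <<-EOF
-Usage: $0 [extract] [-o DIR|--output=DIR]
-
-Update the system trust store in $DEST.
-
-COMMANDS
-(absent/empty command): Same as the extract command without arguments.
-
-extract: Instruct update-ca-trust to scan the source configuration in
-/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
-updated versions of the consolidated configuration files stored below
-the $DEST directory hierarchy.
-
-EXTRACT OPTIONS
--o DIR, --output=DIR: Write the extracted trust store into the given
-directory instead of updating $DEST.
-EOF
-}
-
-extract() {
-USER_DEST=
-
-# can't use getopt here. ca-certificates can't depend on a lot
-# of other libraries since openssl depends on ca-certificates
-# just fail when we hand parse
-
-while [ $# -ne 0 ]; do
-case "$1" in
-"-o"|"--output")
-if [ $# -lt 2 ]; then
-echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
-echo >&2
-exit 1
-fi
-USER_DEST=$2
-shift 2
-continue
-;;
-"--")
-shift
-break
-;;
-*)
-echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
-exit 1
-;;
-esac
-done
-
-if [ -n "$USER_DEST" ]; then
-DEST=$USER_DEST
-# Attempt to create the directories if they do not exist
-# yet (rhbz#2241240)
-/usr/bin/mkdir -p \
-"$DEST"/openssl \
-"$DEST"/pem \
-"$DEST"/java \
-"$DEST"/edk2
-fi
-
-# OpenSSL PEM bundle that includes trust flags
-# (BEGIN TRUSTED CERTIFICATE)
-/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
-/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
-/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
-/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
-/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
-/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
-# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
-# by GnuTLS)
-/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
-
-# p11-kit extract will have made this directory unwritable; when run with
-# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
-# not be the case. See rhbz#2241240.
-if [ -n "$USER_DEST" ]; then
-/usr/bin/chmod u+w "$DEST/pem/directory-hash"
-fi
-
-# Debian compatibility: their /etc/ssl/certs has this bundle
-/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
-# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
-# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
-/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
-
-# Remove write permissions again
-if [ -n "$USER_DEST" ]; then
-/usr/bin/chmod u-w "$DEST/pem/directory-hash"
-fi
-}
-
-if [ $# -lt 1 ]; then
-set -- extract
-fi
-
-case "$1" in
-"extract")
-shift
-extract "$@"
-;;
-"--help")
-usage
-exit 0
-;;
-"-o"|"--output")
-echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
-echo >&2
-exit 1
-;;
-"enable")
-echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
-echo >&2
-echo >&2 "Proceeding with extraction anyway for backwards compatibility."
-extract
-;;
-*)
-echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
-echo >&2
-echo >&2 "Proceeding with extraction anyway for backwards compatibility."
-extract
-;;
-esac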