Merge branch 'i9c' with 2024.2.69_v8.0.303-91.4 into 'i9'

i9 changed/i9/ca-certificates-2024.2.69_v8.0.303-91.4.el9_4.inferit
Sergey Cherevko 4 months ago
commit 06967d6b4a
Signed by: scherevko
GPG Key ID: D87CBBC16D2E4A72


@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
#define NSS_BUILTINS_LIBRARY_VERSION "2.60"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69
#define NSS_BUILTINS_LIBRARY_VERSION "2.69"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

@ -1,9 +1,9 @@
#!/bin/sh
#set -vx
set -eu
# At this time, while this script is trivial, we ignore any parameters given.
# However, for backwards compatibility reasons, future versions of this script must
# For backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST.
@ -12,11 +12,126 @@ DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
usage() {
fold -s -w 76 >&2 <<-EOF
Usage: $0 [extract] [-o DIR|--output=DIR]
Update the system trust store in $DEST.
COMMANDS
(absent/empty command): Same as the extract command without arguments.
extract: Instruct update-ca-trust to scan the source configuration in
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
updated versions of the consolidated configuration files stored below
the $DEST directory hierarchy.
EXTRACT OPTIONS
-o DIR, --output=DIR: Write the extracted trust store into the given
directory instead of updating $DEST.
EOF
}
extract() {
USER_DEST=
# can't use getopt here. ca-certificates can't depend on a lot
# of other libraries since openssl depends on ca-certificates
# just fail when we hand parse
while [ $# -ne 0 ]; do
case "$1" in
"-o"|"--output")
if [ $# -lt 2 ]; then
echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
fi
USER_DEST=$2
shift 2
continue
;;
"--")
shift
break
;;
*)
echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
exit 1
;;
esac
done
if [ -n "$USER_DEST" ]; then
DEST=$USER_DEST
# Attempt to create the directories if they do not exist
# yet (rhbz#2241240)
/usr/bin/mkdir -p \
"$DEST"/openssl \
"$DEST"/pem \
"$DEST"/java \
"$DEST"/edk2
fi
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
# by GnuTLS)
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
# p11-kit extract will have made this directory unwritable; when run with
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
# not be the case. See rhbz#2241240.
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u+w "$DEST/pem/directory-hash"
fi
# Debian compatibility: their /etc/ssl/certs has this bundle
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
# Remove write permissions again
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u-w "$DEST/pem/directory-hash"
fi
}
if [ $# -lt 1 ]; then
set -- extract
fi
case "$1" in
"extract")
shift
extract "$@"
;;
"--help")
usage
exit 0
;;
"-o"|"--output")
echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
;;
"enable")
echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
*)
echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
esac
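Review bot: The option parser in extract() accepts only `-o DIR` and `--output DIR` as two separate words, while usage() in the same file advertises `--output=DIR`; that spelling falls into the `*)` arm and exits with "unknown extract argument". Either add an arm such as `"--output="*) USER_DEST=${1#--output=}; shift; continue ;;` or change the usage text to the form that is actually parsed. Separately, the `chmod u+w` before the two `ln -s` calls runs only when `-o` was given, so on the default `$DEST` a caller without CAP_DAC_OVERRIDE would presumably fail at `ln -s` under `set -eu`, after the bundles have already been rewritten. A comment stating that the default path requires that capability, or dropping the `-n "$USER_DEST"` condition around both chmod calls, would make the behaviour explicit.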

@ -27,7 +27,7 @@ certificates and associated trust
SYNOPSIS
--------
*update-ca-trust* ['COMMAND']
*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
DESCRIPTION
@ -214,15 +214,23 @@ server authentication.
COMMANDS
--------
(absent/empty command)::
Same as the *extract* command described below. (However, the command may
print fewer warnings, as this command is being run during rpm package
installation, where non-fatal status output is undesired.)
*extract*::
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
updated versions of the consolidated configuration files stored below
the /etc/pki/ca-trust/extracted directory hierarchy.
(absent/empty command)
~~~~~~~~~~~~~~~~~~~~~~
Same as the *extract* command described below. (However, the command may print
fewer warnings, as this command is being run during rpm package installation,
where non-fatal status output is undesired.)
extract
~~~~~~~
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
produce updated versions of the consolidated configuration files stored below
the /etc/pki/ca-trust/extracted directory hierarchy.
EXTRACT OPTIONS
^^^^^^^^^^^^^^^
*-o DIR*, *--output=DIR*::
Write the extracted trust store into the given directory instead of
updating /etc/pki/ca-trust/extracted.
FILES
-----

@ -35,11 +35,11 @@ Name: ca-certificates
# to have increasing version numbers. However, the new scheme will work,
# because all future versions will start with 2013 or larger.)
Version: 2023.2.60_v7.0.306
Version: 2024.2.69_v8.0.303
# for y-stream, please always use 91 <= release < 100 (91,92,93)
# for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...)
Release: 90.1%{?dist}.inferit.3
License: Public Domain
Release: 91.4%{?dist}.inferit
License: MIT AND GPL-2.0-or-later
URL: https://fedoraproject.org/wiki/CA-Certificates
@ -79,16 +79,14 @@ Requires(post): coreutils
Requires: bash
Requires: grep
Requires: sed
Requires(post): p11-kit >= 0.24
Requires(post): p11-kit-trust >= 0.24
Requires: p11-kit >= 0.24
Requires: p11-kit-trust >= 0.24
BuildRequires: perl-interpreter
BuildRequires: python3
BuildRequires: openssl
BuildRequires: asciidoc
BuildRequires: libxslt
BuildRequires: xmlto
%description
This package contains the set of CA certificates chosen by the
@ -177,12 +175,12 @@ popd
#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
%install
@ -195,6 +193,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
@ -268,6 +267,45 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
# Populate %%{catrustdir}/extracted/pem/directory-hash.
#
# First direct p11-kit-trust.so to the generated bundle (not the one
# already present on the build system) with an overriding module
# config. Note that we have to use a different config path based on
# the current user: if root, ~/.config/pkcs11/modules/* are not read,
# while if a regular user, she can't write to /etc.
if test "$(id -u)" -eq 0; then
trust_module_dir=/etc/pkcs11/modules
else
trust_module_dir=$HOME/.config/pkcs11/modules
fi
mkdir -p "$trust_module_dir"
# It is unlikely that the directory would contain any files on a build system,
# but let's make sure just in case.
if [ -n "$(ls -A "$trust_module_dir")" ]; then
echo "Directory $trust_module_dir is not empty. Aborting build!"
exit 1
fi
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
cat >"$trust_module_config" <<EOF
module: p11-kit-trust.so
trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Create a temporary file with the list of (%ghost )files in the directory-hash.
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# Clean up the temporary module config.
rm -f "$trust_module_config"
# Russian Ministry of Digital Development and Communications
install -m 644 %{SOURCE90} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
@ -275,6 +313,11 @@ install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
install -m 644 %{SOURCE92} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
install -m 644 %{SOURCE93} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
rm -rf $RPM_BUILD_ROOT
%pre
if [ $1 -gt 1 ] ; then
# Upgrade or Downgrade.
@ -347,7 +390,8 @@ fi
%{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust
%files
# The file .files.txt contains the list of (%ghost )files in the directory-hash
%files -f .files.txt
%dir %{_sysconfdir}/ssl
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
@ -365,6 +409,7 @@ fi
%dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blocklist
%dir %{_datadir}/pki/ca-trust-legacy
%dir %{catrustdir}/extracted/pem/directory-hash
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer.detached.sig
@ -411,9 +456,34 @@ fi
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
%changelog
* Thu Aug 22 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-91.4.inferit
- Update to 2024.2.69_v8.0.303-91.4
*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
- update-ca-trust: return warnings on a unsupported argument instead of error
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
- Temporarily generate the directory-hash files in %%install ...(next item)
- Add list of ghost files from directory-hash to %%files
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
- Remove write permissions from directory-hash
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
- Reduce dependency on p11-kit to only the trust subpackage
- Own the Directory-hash directory
*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
- Fix release number
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
* Wed Jul 10 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-90.1.inferit.3
- Fixed addition TCI GOST certificate
- Bump version
@ -421,10 +491,70 @@ fi
* Tue Jul 09 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-90.1.inferit.2
- Added TCI ECDSA and GOST root certificates
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
- Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
- # Certificate "Security Communication Root CA"
- # Certificate "Camerfirma Chambers of Commerce Root"
- # Certificate "Hongkong Post Root CA 1"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
- # Certificate "TrustCor RootCert CA-1"
- # Certificate "TrustCor RootCert CA-2"
- # Certificate "TrustCor ECA-1"
- # Certificate "FNMT-RCM"
- Adding:
- # Certificate "LAWtrust Root CA2 (4096)"
- # Certificate "Sectigo Public Email Protection Root E46"
- # Certificate "Sectigo Public Email Protection Root R46"
- # Certificate "Sectigo Public Server Authentication Root E46"
- # Certificate "Sectigo Public Server Authentication Root R46"
- # Certificate "SSL.com TLS RSA Root CA 2022"
- # Certificate "SSL.com TLS ECC Root CA 2022"
- # Certificate "SSL.com Client ECC Root CA 2022"
- # Certificate "SSL.com Client RSA Root CA 2022"
- # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
- # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
- # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
- # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
- # Certificate "TrustAsia Global Root CA G3"
- # Certificate "TrustAsia Global Root CA G4"
- # Certificate "CommScope Public Trust ECC Root-01"
- # Certificate "CommScope Public Trust ECC Root-02"
- # Certificate "CommScope Public Trust RSA Root-01"
- # Certificate "CommScope Public Trust RSA Root-02"
- # Certificate "D-Trust SBR Root CA 1 2022"
- # Certificate "D-Trust SBR Root CA 2 2022"
- # Certificate "Telekom Security SMIME ECC Root 2021"
- # Certificate "Telekom Security TLS ECC Root 2020"
- # Certificate "Telekom Security SMIME RSA Root 2023"
- # Certificate "Telekom Security TLS RSA Root 2023"
- # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
- # Certificate "SECOM Trust.net"
- # Certificate "Chambers of Commerce Root"
- # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
- Skip %post if getopt is missing (recent change made update-ca-trust use it)
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
* Thu Sep 21 2023 Arkady L. Shane <tigro@msvsphere.ru> - 2023.2.60_v7.0.306-90.1.inferit.1
- place MDDC certificates to /etc/pki/ca-trust/source/anchors
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1.inferit
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
- update License: field to SPDX
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
- Bump release number to make CI happy
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
@ -507,11 +637,6 @@ fi
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
* Wed Apr 05 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 2022.2.54-90.2.inferit
- Added:
- # Certificate "Russian Trusted Root CA"
- # Certificate "Russian Trusted Sub CA"
* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2022.2.54-90.2
- Rebuilt for MSVSphere 9.1.
