Merge branch 'i9c' with 2024.2.69_v8.0.303-91.4 into 'i9'

3 months ago · 06967d6b4a
parent 42cd1e69fc 3076ea6f9f
commit 06967d6b4a
5 changed files with 6206 additions and 3347 deletions
--- a/SOURCES/certdata.txt
+++ b/SOURCES/certdata.txt
--- a/SOURCES/nssckbi.h
+++ b/SOURCES/nssckbi.h
@ -46,8 +46,8 @@
 * It's recommend to switch back to 0 after having reached version 98/99.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
-#define NSS_BUILTINS_LIBRARY_VERSION "2.60"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69
+#define NSS_BUILTINS_LIBRARY_VERSION "2.69"

 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
--- a/SOURCES/update-ca-trust
+++ b/SOURCES/update-ca-trust
@ -1,9 +1,9 @@
 #!/bin/sh

 #set -vx
+set -eu

-# At this time, while this script is trivial, we ignore any parameters given.
-# However, for backwards compatibility reasons, future versions of this script must 
+# For backwards compatibility reasons, future versions of this script must
 # support the syntax "update-ca-trust extract" trigger the generation of output
 # files in $DEST.

@ -12,11 +12,126 @@ DEST=/etc/pki/ca-trust/extracted
 # Prevent p11-kit from reading user configuration files.
 export P11_KIT_NO_USER_CONFIG=1

-# OpenSSL PEM bundle that includes trust flags
-# (BEGIN TRUSTED CERTIFICATE)
-/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
-/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
-/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
+usage() {
+	fold -s -w 76 >&2 <<-EOF
+		Usage: $0 [extract] [-o DIR|--output=DIR]
+
+		Update the system trust store in $DEST.
+
+		COMMANDS
+		(absent/empty command): Same as the extract command without arguments.
+
+		extract: Instruct update-ca-trust to scan the source configuration in
+		/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
+		updated versions of the consolidated configuration files stored below
+		the $DEST directory hierarchy.
+
+		EXTRACT OPTIONS
+		-o DIR, --output=DIR: Write the extracted trust store into the given
+		directory instead of updating $DEST.
+	EOF
+}
+
+extract() {
+	USER_DEST=
+
+        # can't use getopt here. ca-certificates can't depend on a lot
+        # of other libraries since openssl depends on ca-certificates
+        # just fail when we hand parse
+
+        while [ $# -ne 0 ]; do
+	    case "$1" in
+	      "-o"|"--output")
+		  if [ $# -lt 2 ]; then
+			  echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
+			  echo >&2
+			  exit 1
+		  fi
+	          USER_DEST=$2
+		  shift 2
+		  continue
+		  ;;
+		"--")
+		  shift
+		  break
+		  ;;
+		*)
+		  echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
+		  exit 1
+		  ;;
+	    esac
+	done
+
+	if [ -n "$USER_DEST" ]; then
+		DEST=$USER_DEST
+	        # Attempt to create the directories if they do not exist
+                # yet (rhbz#2241240)
+	        /usr/bin/mkdir -p \
+		    "$DEST"/openssl \
+		    "$DEST"/pem \
+		    "$DEST"/java \
+		    "$DEST"/edk2
+	fi
+
+	# OpenSSL PEM bundle that includes trust flags
+	# (BEGIN TRUSTED CERTIFICATE)
+	/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
+	/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
+	/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
+	# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
+	# by GnuTLS)
+	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
+
+	# p11-kit extract will have made this directory unwritable; when run with
+	# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
+	# not be the case. See rhbz#2241240.
+	if [ -n "$USER_DEST" ]; then
+	    /usr/bin/chmod u+w "$DEST/pem/directory-hash"
+        fi
+
+	# Debian compatibility: their /etc/ssl/certs has this bundle
+	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
+	# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
+	# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
+	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
+
+	# Remove write permissions again
+	if [ -n "$USER_DEST" ]; then
+	    /usr/bin/chmod u-w "$DEST/pem/directory-hash"
+        fi
+}
+
+if [ $# -lt 1 ]; then
+    set -- extract
+fi
+
+case "$1" in
+	"extract")
+		shift
+		extract "$@"
+	;;
+	"--help")
+		usage
+		exit 0
+	;;
+	"-o"|"--output")
+		echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
+		echo >&2
+		exit 1
+	;;
+	"enable")
+		echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
+		echo >&2
+		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
+		extract
+	;;
+	*)
+		echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
+		echo >&2
+		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
+		extract
+	;;
+esac
--- a/SOURCES/update-ca-trust.8.txt
+++ b/SOURCES/update-ca-trust.8.txt
@ -27,7 +27,7 @@ certificates and associated trust

 SYNOPSIS
 --------
-*update-ca-trust* ['COMMAND']
+*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']


 DESCRIPTION
@ -214,15 +214,23 @@ server authentication.

 COMMANDS
 --------
-(absent/empty command)::
-    Same as the *extract* command described below. (However, the command may
-    print fewer warnings, as this command is being run during rpm package 
-    installation, where non-fatal status output is undesired.)
-
-*extract*::
-    Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
-    updated versions of the consolidated configuration files stored below
-    the /etc/pki/ca-trust/extracted directory hierarchy.
+(absent/empty command)
+~~~~~~~~~~~~~~~~~~~~~~
+Same as the *extract* command described below. (However, the command may print
+fewer warnings, as this command is being run during rpm package installation,
+where non-fatal status output is undesired.)
+
+extract
+~~~~~~~
+Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
+produce updated versions of the consolidated configuration files stored below
+the /etc/pki/ca-trust/extracted directory hierarchy.
+
+EXTRACT OPTIONS
+^^^^^^^^^^^^^^^
+*-o DIR*, *--output=DIR*::
+	Write the extracted trust store into the given directory instead of
+	updating /etc/pki/ca-trust/extracted.

 FILES
 -----
--- a/SPECS/ca-certificates.spec
+++ b/SPECS/ca-certificates.spec
@ -35,11 +35,11 @@ Name: ca-certificates
 # to have increasing version numbers. However, the new scheme will work, 
 # because all future versions will start with 2013 or larger.)

-Version: 2023.2.60_v7.0.306
+Version: 2024.2.69_v8.0.303
 # for y-stream, please always use 91 <= release  < 100 (91,92,93)
 # for z-stream release branches, please use 90 <= release  < 91 (90.0, 90.1, ...)
-Release: 90.1%{?dist}.inferit.3
-License: Public Domain
+Release: 91.4%{?dist}.inferit
+License: MIT AND GPL-2.0-or-later

 URL: https://fedoraproject.org/wiki/CA-Certificates

@ -79,16 +79,14 @@ Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
-Requires(post): p11-kit >= 0.24
 Requires(post): p11-kit-trust >= 0.24
-Requires: p11-kit >= 0.24
 Requires: p11-kit-trust >= 0.24

 BuildRequires: perl-interpreter
 BuildRequires: python3
 BuildRequires: openssl
 BuildRequires: asciidoc
-BuildRequires: libxslt
+BuildRequires: xmlto

 %description
 This package contains the set of CA certificates chosen by the
@ -177,12 +175,12 @@ popd

 #manpage
 cp %{SOURCE10} %{name}/update-ca-trust.8.txt
-asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
-xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
+asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
+xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml

 cp %{SOURCE9} %{name}/ca-legacy.8.txt
-asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
-xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
+asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
+xmlto -v -o %{name} man %{name}/ca-legacy.8.xml


 %install
@ -195,6 +193,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
+mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
@ -268,6 +267,45 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
 ln -s %{catrustdir}/extracted/%{java_bundle} \
    $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}

+# Populate %%{catrustdir}/extracted/pem/directory-hash.
+#
+# First direct p11-kit-trust.so to the generated bundle (not the one
+# already present on the build system) with an overriding module
+# config. Note that we have to use a different config path based on
+# the current user: if root, ~/.config/pkcs11/modules/* are not read,
+# while if a regular user, she can't write to /etc.
+if test "$(id -u)" -eq 0; then
+   trust_module_dir=/etc/pkcs11/modules
+else
+   trust_module_dir=$HOME/.config/pkcs11/modules
+fi
+
+mkdir -p "$trust_module_dir"
+
+# It is unlikely that the directory would contain any files on a build system,
+# but let's make sure just in case.
+if [ -n "$(ls -A "$trust_module_dir")" ]; then
+        echo "Directory $trust_module_dir is not empty. Aborting build!"
+        exit 1
+fi
+
+trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
+cat >"$trust_module_config" <<EOF
+module: p11-kit-trust.so
+trust-policy: yes
+x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
+EOF
+
+trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
+      --purpose server-auth \
+      $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+
+# Create a temporary file with the list of (%ghost )files in the directory-hash.
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
+sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
+# Clean up the temporary module config.
+rm -f "$trust_module_config"
+
 # Russian Ministry of Digital Development and Communications
 install -m 644 %{SOURCE90} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
 install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
@ -275,6 +313,11 @@ install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
 install -m 644 %{SOURCE92} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
 install -m 644 %{SOURCE93} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/

+
+%clean
+/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+rm -rf $RPM_BUILD_ROOT
+
 %pre
 if [ $1 -gt 1 ] ; then
  # Upgrade or Downgrade.
@ -347,7 +390,8 @@ fi
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust

-%files
+# The file .files.txt contains the list of (%ghost )files in the directory-hash
+%files -f .files.txt
 %dir %{_sysconfdir}/ssl
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
@ -365,6 +409,7 @@ fi
 %dir %{_datadir}/pki/ca-trust-source/anchors
 %dir %{_datadir}/pki/ca-trust-source/blocklist
 %dir %{_datadir}/pki/ca-trust-legacy
+%dir %{catrustdir}/extracted/pem/directory-hash

 %{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer
 %{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer.detached.sig
@ -411,9 +456,34 @@ fi
 %ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
-
+%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
+%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt

 %changelog
+* Thu Aug 22 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-91.4.inferit
+- Update to 2024.2.69_v8.0.303-91.4
+
+*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
+- update-ca-trust: return warnings on a unsupported argument instead of error
+
+*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
+- Temporarily generate the directory-hash files in %%install ...(next item)
+- Add list of ghost files from directory-hash to %%files
+
+*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
+- Remove write permissions from directory-hash
+
+*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
+- Reduce dependency on p11-kit to only the trust subpackage
+- Own the Directory-hash directory
+
+*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
+- Fix release number
+
+*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
+- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
+-    GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
+
 * Wed Jul 10 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-90.1.inferit.3
 - Fixed addition TCI GOST certificate
 - Bump version
@ -421,10 +491,70 @@ fi
 * Tue Jul 09 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-90.1.inferit.2
 - Added TCI ECDSA and GOST root certificates

+*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
+- Update to CKBI 2.68_v8.0.302 from NSS 3.101
+-    Removing:
+-     # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
+-     # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
+-     # Certificate "Security Communication Root CA"
+-     # Certificate "Camerfirma Chambers of Commerce Root"
+-     # Certificate "Hongkong Post Root CA 1"
+-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+-     # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
+-     # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
+-     # Certificate "TrustCor RootCert CA-1"
+-     # Certificate "TrustCor RootCert CA-2"
+-     # Certificate "TrustCor ECA-1"
+-     # Certificate "FNMT-RCM"
+-    Adding:
+-     # Certificate "LAWtrust Root CA2 (4096)"
+-     # Certificate "Sectigo Public Email Protection Root E46"
+-     # Certificate "Sectigo Public Email Protection Root R46"
+-     # Certificate "Sectigo Public Server Authentication Root E46"
+-     # Certificate "Sectigo Public Server Authentication Root R46"
+-     # Certificate "SSL.com TLS RSA Root CA 2022"
+-     # Certificate "SSL.com TLS ECC Root CA 2022"
+-     # Certificate "SSL.com Client ECC Root CA 2022"
+-     # Certificate "SSL.com Client RSA Root CA 2022"
+-     # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
+-     # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
+-     # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
+-     # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
+-     # Certificate "TrustAsia Global Root CA G3"
+-     # Certificate "TrustAsia Global Root CA G4"
+-     # Certificate "CommScope Public Trust ECC Root-01"
+-     # Certificate "CommScope Public Trust ECC Root-02"
+-     # Certificate "CommScope Public Trust RSA Root-01"
+-     # Certificate "CommScope Public Trust RSA Root-02"
+-     # Certificate "D-Trust SBR Root CA 1 2022"
+-     # Certificate "D-Trust SBR Root CA 2 2022"
+-     # Certificate "Telekom Security SMIME ECC Root 2021"
+-     # Certificate "Telekom Security TLS ECC Root 2020"
+-     # Certificate "Telekom Security SMIME RSA Root 2023"
+-     # Certificate "Telekom Security TLS RSA Root 2023"
+-     # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
+-     # Certificate "SECOM Trust.net"
+-     # Certificate "Chambers of Commerce Root"
+-     # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
+-     # Certificate "SSL.com Code Signing RSA Root CA 2022"
+-     # Certificate "SSL.com Code Signing ECC Root CA 2022"
+
+* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
+- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
+
+* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
+- Skip %post if getopt is missing (recent change made update-ca-trust use it)
+
+* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
+- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
+
 * Thu Sep 21 2023 Arkady L. Shane <tigro@msvsphere.ru> - 2023.2.60_v7.0.306-90.1.inferit.1
 - place MDDC certificates to /etc/pki/ca-trust/source/anchors

-*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1.inferit
+*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
+- update License: field to SPDX
+
+*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
 - Bump release number to make CI happy

 *Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
@ -507,11 +637,6 @@ fi
 -     # Certificate "GlobalSign Code Signing Root R45"
 -     # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"

-* Wed Apr 05 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 2022.2.54-90.2.inferit
- Added:
-     # Certificate "Russian Trusted Root CA"
-     # Certificate "Russian Trusted Sub CA"
-
 * Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2022.2.54-90.2
 - Rebuilt for MSVSphere 9.1.