|
|
|
@ -1,7 +1,6 @@
|
|
|
|
|
%define pkidir %{_sysconfdir}/pki
|
|
|
|
|
%define catrustdir %{_sysconfdir}/pki/ca-trust
|
|
|
|
|
%define classic_tls_bundle ca-bundle.crt
|
|
|
|
|
%define openssl_format_trust_bundle ca-bundle.trust.crt
|
|
|
|
|
%define p11_format_bundle ca-bundle.trust.p11-kit
|
|
|
|
|
%define legacy_default_bundle ca-bundle.legacy.default.crt
|
|
|
|
|
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
|
|
|
|
@ -36,9 +35,9 @@ Name: ca-certificates
|
|
|
|
|
# because all future versions will start with 2013 or larger.)
|
|
|
|
|
|
|
|
|
|
Version: 2024.2.69_v8.0.303
|
|
|
|
|
# for y-stream, please always use 91 <= release < 100 (91,92,93)
|
|
|
|
|
# for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...)
|
|
|
|
|
Release: 91.4%{?dist}
|
|
|
|
|
# for Rawhide, please always use release >= 2
|
|
|
|
|
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
|
|
|
|
Release: 101.3%{?dist}
|
|
|
|
|
License: MIT AND GPL-2.0-or-later
|
|
|
|
|
|
|
|
|
|
URL: https://fedoraproject.org/wiki/CA-Certificates
|
|
|
|
@ -61,10 +60,12 @@ Source15: README.openssl
|
|
|
|
|
Source16: README.pem
|
|
|
|
|
Source17: README.edk2
|
|
|
|
|
Source18: README.src
|
|
|
|
|
Source19: README.etcssl
|
|
|
|
|
|
|
|
|
|
BuildArch: noarch
|
|
|
|
|
|
|
|
|
|
Requires(post): bash
|
|
|
|
|
Requires(post): findutils
|
|
|
|
|
Requires(post): grep
|
|
|
|
|
Requires(post): sed
|
|
|
|
|
Requires(post): coreutils
|
|
|
|
@ -206,6 +207,7 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/REA
|
|
|
|
|
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
|
|
|
|
|
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
|
|
|
|
|
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
|
|
|
|
|
install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README
|
|
|
|
|
|
|
|
|
|
install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
|
|
|
|
|
|
|
|
|
@ -233,32 +235,11 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
|
|
|
|
|
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
|
|
|
|
|
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
|
|
|
|
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
|
|
|
|
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
|
|
|
|
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
|
|
|
|
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
|
|
|
|
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
|
|
|
|
|
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
|
|
|
|
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
|
|
|
|
|
|
|
|
|
|
# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
|
|
|
|
|
ln -s /etc/pki/tls/certs \
|
|
|
|
|
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
|
|
|
|
|
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
|
|
|
|
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
|
|
|
|
|
ln -s /etc/pki/tls/openssl.cnf \
|
|
|
|
|
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
|
|
|
|
|
ln -s /etc/pki/tls/ct_log_list.cnf \
|
|
|
|
|
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
|
|
|
|
|
# legacy filenames
|
|
|
|
|
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
|
|
|
|
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
|
|
|
|
|
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
|
|
|
|
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
|
|
|
|
|
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
|
|
|
|
|
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
|
|
|
|
|
ln -s %{catrustdir}/extracted/%{java_bundle} \
|
|
|
|
|
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
|
|
|
|
|
|
|
|
|
|
# Populate %%{catrustdir}/extracted/pem/directory-hash.
|
|
|
|
|
#
|
|
|
|
|
# First direct p11-kit-trust.so to the generated bundle (not the one
|
|
|
|
@ -288,16 +269,39 @@ trust-policy: yes
|
|
|
|
|
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
|
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
# Extract the trust anchors to the directory-hash format.
|
|
|
|
|
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
|
|
|
|
|
--purpose server-auth \
|
|
|
|
|
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
|
|
|
|
--purpose server-auth \
|
|
|
|
|
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
|
|
|
|
|
|
|
|
|
# Create a temporary file with the list of (%ghost )files in the directory-hash.
|
|
|
|
|
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
|
|
|
|
|
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
|
|
|
|
|
# Clean up the temporary module config.
|
|
|
|
|
rm -f "$trust_module_config"
|
|
|
|
|
|
|
|
|
|
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
|
|
|
|
|
-regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
|
|
|
|
|
-exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
|
|
|
|
|
# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
|
|
|
|
|
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
|
|
|
|
|
find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
|
|
|
|
|
-regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
|
|
|
|
|
|
|
|
|
|
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
|
|
|
|
|
|
|
|
|
|
# /etc/ssl is provided in a Debian compatible form for (bad) code that
|
|
|
|
|
# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
|
|
|
|
|
ln -s %{pkidir}/tls/certs \
|
|
|
|
|
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
|
|
|
|
|
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
|
|
|
|
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
|
|
|
|
|
ln -s /etc/pki/tls/openssl.cnf \
|
|
|
|
|
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
|
|
|
|
|
ln -s /etc/pki/tls/ct_log_list.cnf \
|
|
|
|
|
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
|
|
|
|
|
# legacy filenames
|
|
|
|
|
ln -s %{catrustdir}/extracted/%{java_bundle} \
|
|
|
|
|
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
|
|
|
|
|
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
|
|
|
|
|
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
|
|
|
|
|
|
|
|
|
|
%clean
|
|
|
|
|
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
|
|
|
|
@ -305,6 +309,10 @@ rm -rf $RPM_BUILD_ROOT
|
|
|
|
|
|
|
|
|
|
%pre
|
|
|
|
|
if [ $1 -gt 1 ] ; then
|
|
|
|
|
# Remove the old symlinks
|
|
|
|
|
rm -f %{pkidir}/tls/cert.pem
|
|
|
|
|
rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
|
|
|
|
|
|
|
|
|
|
# Upgrade or Downgrade.
|
|
|
|
|
# If the classic filename is a regular file, then we are upgrading
|
|
|
|
|
# from an old package and we will move it to an .rpmsave backup file.
|
|
|
|
@ -336,17 +344,6 @@ if [ $1 -gt 1 ] ; then
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
|
|
|
|
|
# no backup yet
|
|
|
|
|
if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
|
|
|
|
|
# a file exists
|
|
|
|
|
if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
|
|
|
|
|
# it's an old regular file, not a link
|
|
|
|
|
mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -410,12 +407,12 @@ fi
|
|
|
|
|
%{catrustdir}/source/README
|
|
|
|
|
|
|
|
|
|
# symlinks for old locations
|
|
|
|
|
%{pkidir}/tls/cert.pem
|
|
|
|
|
%{pkidir}/tls/certs/%{classic_tls_bundle}
|
|
|
|
|
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
|
|
|
|
|
%{pkidir}/%{java_bundle}
|
|
|
|
|
# symlinks to cross-distro compatibility files and directory
|
|
|
|
|
# Hybrid hash directory with bundle file for Debian compatibility
|
|
|
|
|
# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
|
|
|
|
|
%{_sysconfdir}/ssl/certs
|
|
|
|
|
%{_sysconfdir}/ssl/README
|
|
|
|
|
%{_sysconfdir}/ssl/cert.pem
|
|
|
|
|
%{_sysconfdir}/ssl/openssl.cnf
|
|
|
|
|
%{_sysconfdir}/ssl/ct_log_list.cnf
|
|
|
|
@ -433,63 +430,49 @@ fi
|
|
|
|
|
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
|
|
|
|
|
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
|
|
|
|
|
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
|
|
|
|
|
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
|
|
|
|
|
%ghost %{catrustdir}/extracted/%{java_bundle}
|
|
|
|
|
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
|
|
|
|
|
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
|
|
|
|
|
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
|
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
|
|
*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
|
|
|
|
|
*Fri Sep 27 2024 Michel Lind <salimma@centosproject.org> - 2024.2.69_v8.0.303-101.3
|
|
|
|
|
- Add missing Requires(post) on findutils for update-ca-trust
|
|
|
|
|
- Resolves: RHEL-60723
|
|
|
|
|
|
|
|
|
|
*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.2
|
|
|
|
|
- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
|
|
|
|
|
- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
|
|
|
|
|
|
|
|
|
|
*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
|
|
|
|
|
- update-ca-trust: return warnings on a unsupported argument instead of error
|
|
|
|
|
|
|
|
|
|
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
|
|
|
|
|
*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
|
|
|
|
|
- Temporarily generate the directory-hash files in %%install ...(next item)
|
|
|
|
|
- Add list of ghost files from directory-hash to %%files
|
|
|
|
|
|
|
|
|
|
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
|
|
|
|
|
- Remove write permissions from directory-hash
|
|
|
|
|
*Mon Aug 19 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
|
|
|
|
|
- remove base-ci.* tests from gating.yaml
|
|
|
|
|
|
|
|
|
|
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
|
|
|
|
|
- Reduce dependency on p11-kit to only the trust subpackage
|
|
|
|
|
- Own the Directory-hash directory
|
|
|
|
|
*Thu Jul 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
|
|
|
|
|
- Remove blacklist use blocklist-only.
|
|
|
|
|
- add gating.yaml
|
|
|
|
|
|
|
|
|
|
*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
|
|
|
|
|
- Fix release number
|
|
|
|
|
|
|
|
|
|
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
|
|
|
|
|
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101
|
|
|
|
|
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
|
|
|
|
|
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
|
|
|
|
|
|
|
|
|
|
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
|
|
|
|
|
Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-101
|
|
|
|
|
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
|
|
|
|
|
- Removing:
|
|
|
|
|
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
|
|
|
|
|
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
|
|
|
|
|
- # Certificate "Security Communication Root CA"
|
|
|
|
|
- # Certificate "Camerfirma Chambers of Commerce Root"
|
|
|
|
|
- # Certificate "Hongkong Post Root CA 1"
|
|
|
|
|
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|
|
|
|
|
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
|
|
|
|
|
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
|
|
|
|
|
- # Certificate "TrustCor RootCert CA-1"
|
|
|
|
|
- # Certificate "TrustCor RootCert CA-2"
|
|
|
|
|
- # Certificate "TrustCor ECA-1"
|
|
|
|
|
- # Certificate "FNMT-RCM"
|
|
|
|
|
- Adding:
|
|
|
|
|
- # Certificate "LAWtrust Root CA2 (4096)"
|
|
|
|
|
- # Certificate "Sectigo Public Email Protection Root E46"
|
|
|
|
|
- # Certificate "Sectigo Public Email Protection Root R46"
|
|
|
|
|
- # Certificate "Sectigo Public Server Authentication Root E46"
|
|
|
|
|
- # Certificate "Sectigo Public Server Authentication Root R46"
|
|
|
|
|
- # Certificate "SSL.com TLS RSA Root CA 2022"
|
|
|
|
|
- # Certificate "SSL.com TLS ECC Root CA 2022"
|
|
|
|
|
- # Certificate "SSL.com Client ECC Root CA 2022"
|
|
|
|
|
- # Certificate "SSL.com Client RSA Root CA 2022"
|
|
|
|
|
- # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
|
|
|
|
|
- # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
|
|
|
|
|
- # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
|
|
|
|
|
- # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
|
|
|
|
|
- # Certificate "TrustAsia Global Root CA G3"
|
|
|
|
|
- # Certificate "TrustAsia Global Root CA G4"
|
|
|
|
|
- # Certificate "CommScope Public Trust ECC Root-01"
|
|
|
|
@ -504,31 +487,56 @@ fi
|
|
|
|
|
- # Certificate "Telekom Security TLS RSA Root 2023"
|
|
|
|
|
- # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
|
|
|
|
|
- # Certificate "SECOM Trust.net"
|
|
|
|
|
- # Certificate "Chambers of Commerce Root"
|
|
|
|
|
- # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
|
|
|
|
|
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
|
|
|
|
|
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
|
|
|
|
|
|
|
|
|
|
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
|
|
|
|
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2023.2.62_v7.0.401-7
|
|
|
|
|
- Bump release for June 2024 mass rebuild
|
|
|
|
|
|
|
|
|
|
* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-6
|
|
|
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
|
|
|
|
|
|
|
|
|
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-5
|
|
|
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
|
|
|
|
|
|
|
|
|
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-4
|
|
|
|
|
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
|
|
|
|
|
|
|
|
|
|
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
|
|
|
|
|
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2023.2.62_v7.0.401-3
|
|
|
|
|
- Skip %post if getopt is missing (recent change made update-ca-trust use it)
|
|
|
|
|
|
|
|
|
|
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
|
|
|
|
|
*Wed Oct 04 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-2
|
|
|
|
|
- Update to CKBI 2.62_v7.0.401 from NSS 3.93
|
|
|
|
|
Removing:
|
|
|
|
|
# Certificate "Camerfirma Chambers of Commerce Root"
|
|
|
|
|
# Certificate "Hongkong Post Root CA 1"
|
|
|
|
|
# Certificate "FNMT-RCM"
|
|
|
|
|
Adding:
|
|
|
|
|
# Certificate "LAWtrust Root CA2 (4096)"
|
|
|
|
|
# Certificate "Sectigo Public Email Protection Root E46"
|
|
|
|
|
# Certificate "Sectigo Public Email Protection Root R46"
|
|
|
|
|
# Certificate "Sectigo Public Server Authentication Root E46"
|
|
|
|
|
# Certificate "Sectigo Public Server Authentication Root R46"
|
|
|
|
|
# Certificate "SSL.com TLS RSA Root CA 2022"
|
|
|
|
|
# Certificate "SSL.com TLS ECC Root CA 2022"
|
|
|
|
|
# Certificate "SSL.com Client ECC Root CA 2022"
|
|
|
|
|
# Certificate "SSL.com Client RSA Root CA 2022"
|
|
|
|
|
# Certificate "Atos TrustedRoot Root CA ECC G2 2020"
|
|
|
|
|
# Certificate "Atos TrustedRoot Root CA RSA G2 2020"
|
|
|
|
|
# Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
|
|
|
|
|
# Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
|
|
|
|
|
# Certificate "Chambers of Commerce Root"
|
|
|
|
|
|
|
|
|
|
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2023.2.60_v7.0.306-4
|
|
|
|
|
- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
|
|
|
|
|
|
|
|
|
|
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
|
|
|
|
|
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-3
|
|
|
|
|
- update License: field to SPDX
|
|
|
|
|
|
|
|
|
|
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
|
|
|
|
|
- Bump release number to make CI happy
|
|
|
|
|
|
|
|
|
|
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
|
|
|
|
|
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-2
|
|
|
|
|
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
|
|
|
|
|
- Removing:
|
|
|
|
|
- # Certificate "Camerfirma Global Chambersign Root"
|
|
|
|
|
- # Certificate "Staat der Nederlanden EV Root CA"
|
|
|
|
|
- # Certificate "OpenTrust Root CA G1"
|
|
|
|
|
- # Certificate "Swedish Government Root Authority v1"
|
|
|
|
|
- # Certificate "DigiNotar Root CA G2"
|
|
|
|
@ -563,16 +571,6 @@ fi
|
|
|
|
|
- # Certificate "Entrust.net Secure Server Certification Authority"
|
|
|
|
|
- # Certificate "ePKI EV SSL Certification Authority - G1"
|
|
|
|
|
- Adding:
|
|
|
|
|
- # Certificate "DigiCert TLS ECC P384 Root G5"
|
|
|
|
|
- # Certificate "DigiCert TLS RSA4096 Root G5"
|
|
|
|
|
- # Certificate "DigiCert SMIME ECC P384 Root G5"
|
|
|
|
|
- # Certificate "DigiCert SMIME RSA4096 Root G5"
|
|
|
|
|
- # Certificate "Certainly Root R1"
|
|
|
|
|
- # Certificate "Certainly Root E1"
|
|
|
|
|
- # Certificate "E-Tugra Global Root CA RSA v3"
|
|
|
|
|
- # Certificate "E-Tugra Global Root CA ECC v3"
|
|
|
|
|
- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
|
|
|
|
|
- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
|
|
|
|
|
- # Certificate "BJCA Global Root CA1"
|
|
|
|
|
- # Certificate "BJCA Global Root CA2"
|
|
|
|
|
- # Certificate "Symantec Enterprise Mobile Root for Microsoft"
|
|
|
|
@ -589,7 +587,6 @@ fi
|
|
|
|
|
- # Certificate "ComSign CA"
|
|
|
|
|
- # Certificate "ComSign Secured CA"
|
|
|
|
|
- # Certificate "ComSign Advanced Security CA"
|
|
|
|
|
- # Certificate "Global Chambersign Root"
|
|
|
|
|
- # Certificate "Sonera Class2 CA"
|
|
|
|
|
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
|
|
|
|
|
- # Certificate "VeriSign, Inc."
|
|
|
|
@ -604,7 +601,31 @@ fi
|
|
|
|
|
- # Certificate "GlobalSign Code Signing Root R45"
|
|
|
|
|
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
|
|
|
|
|
|
|
|
|
|
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
|
|
|
|
|
*Tue Jul 25 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60-3
|
|
|
|
|
- Fedora mass rebuild
|
|
|
|
|
|
|
|
|
|
*Fri Jan 20 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2023.2.60-2
|
|
|
|
|
- Update to CKBI 2.60 from NSS 3.86
|
|
|
|
|
- Removing:
|
|
|
|
|
- # Certificate "Camerfirma Global Chambersign Root"
|
|
|
|
|
- # Certificate "Staat der Nederlanden EV Root CA"
|
|
|
|
|
- Adding:
|
|
|
|
|
- # Certificate "DigiCert TLS ECC P384 Root G5"
|
|
|
|
|
- # Certificate "DigiCert TLS RSA4096 Root G5"
|
|
|
|
|
- # Certificate "DigiCert SMIME ECC P384 Root G5"
|
|
|
|
|
- # Certificate "DigiCert SMIME RSA4096 Root G5"
|
|
|
|
|
- # Certificate "Certainly Root R1"
|
|
|
|
|
- # Certificate "Certainly Root E1"
|
|
|
|
|
- # Certificate "E-Tugra Global Root CA RSA v3"
|
|
|
|
|
- # Certificate "E-Tugra Global Root CA ECC v3"
|
|
|
|
|
- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
|
|
|
|
|
- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
|
|
|
|
|
- # Certificate "Global Chambersign Root"
|
|
|
|
|
|
|
|
|
|
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-6
|
|
|
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
|
|
|
|
|
|
|
|
|
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-5
|
|
|
|
|
- Update to CKBI 2.54 from NSS 3.79
|
|
|
|
|
- Removing:
|
|
|
|
|
- # Certificate "TrustCor ECA-1"
|
|
|
|
@ -625,21 +646,19 @@ fi
|
|
|
|
|
- # Certificate "Government Root Certification Authority"
|
|
|
|
|
- # Certificate "AC Raíz Certicámara S.A."
|
|
|
|
|
|
|
|
|
|
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1
|
|
|
|
|
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-4
|
|
|
|
|
- Update to CKBI 2.54 from NSS 3.79
|
|
|
|
|
|
|
|
|
|
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0
|
|
|
|
|
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-3
|
|
|
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
|
|
|
|
|
|
|
|
|
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-2
|
|
|
|
|
- Update to CKBI 2.54 from NSS 3.79
|
|
|
|
|
- Removing:
|
|
|
|
|
- # Certificate "GlobalSign Root CA - R2"
|
|
|
|
|
- # Certificate "DST Root CA X3"
|
|
|
|
|
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
|
|
|
|
- Adding:
|
|
|
|
|
- # Certificate "TunTrust Root CA"
|
|
|
|
|
- # Certificate "HARICA TLS RSA Root CA 2021"
|
|
|
|
|
- # Certificate "HARICA TLS ECC Root CA 2021"
|
|
|
|
|
- # Certificate "HARICA Client RSA Root CA 2021"
|
|
|
|
|
- # Certificate "HARICA Client ECC Root CA 2021"
|
|
|
|
|
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
|
|
|
|
|
- # Certificate "vTrus ECC Root CA"
|
|
|
|
|
- # Certificate "vTrus Root CA"
|
|
|
|
@ -862,31 +881,111 @@ fi
|
|
|
|
|
- # Certificate "HARICA Code Signing ECC Root CA 2021"
|
|
|
|
|
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
|
|
|
|
|
|
|
|
|
|
* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
|
|
|
|
|
- remove blacklist directory and references now that p11-kit has been updated.
|
|
|
|
|
|
|
|
|
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
|
|
|
|
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
|
|
|
|
Related: rhbz#1991688
|
|
|
|
|
|
|
|
|
|
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
|
|
|
|
|
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
|
|
|
|
Related: rhbz#1971065
|
|
|
|
|
|
|
|
|
|
* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
|
|
|
|
|
- Update to CKBI 2.50 from NSS 3.67
|
|
|
|
|
- Removing:
|
|
|
|
|
- # Certificate "QuoVadis Root CA"
|
|
|
|
|
- # Certificate "Sonera Class 2 Root CA"
|
|
|
|
|
- # Certificate "Trustis FPS Root CA"
|
|
|
|
|
- Adding:
|
|
|
|
|
- # Certificate "GLOBALTRUST 2020"
|
|
|
|
|
- # Certificate "ANF Secure Server Root CA"
|
|
|
|
|
- # Certificate "Certum EC-384 CA"
|
|
|
|
|
- # Certificate "Certum Trusted Root CA"
|
|
|
|
|
|
|
|
|
|
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
|
|
|
|
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
|
|
|
|
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.52-3
|
|
|
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
|
|
|
|
|
|
|
|
|
*Mon Dec 13 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.52-2
|
|
|
|
|
- Update to CKBI 2.52 from NSS 3.72
|
|
|
|
|
- Adding:
|
|
|
|
|
- # Certificate "TunTrust Root CA"
|
|
|
|
|
- # Certificate "HARICA TLS RSA Root CA 2021"
|
|
|
|
|
- # Certificate "HARICA TLS ECC Root CA 2021"
|
|
|
|
|
- # Certificate "HARICA Client RSA Root CA 2021"
|
|
|
|
|
- # Certificate "HARICA Client ECC Root CA 2021"
|
|
|
|
|
|
|
|
|
|
*Mon Dec 6 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-5
|
|
|
|
|
- integrate Adam William's /etc/ssl/certs with Debian-compatibility
|
|
|
|
|
- back out blocklist change since p11-kit .24 is not yet available on rawhide
|
|
|
|
|
|
|
|
|
|
*Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-4
|
|
|
|
|
- remove blacklist directory now that pk11-kit is using blocklist
|
|
|
|
|
|
|
|
|
|
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.50-3
|
|
|
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
|
|
|
|
|
|
|
|
|
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-2
|
|
|
|
|
- Update to CKBI 2.50 from NSS 3.67
|
|
|
|
|
- Removing:
|
|
|
|
|
- # Certificate "Trustis FPS Root CA"
|
|
|
|
|
- # Certificate "GlobalSign Code Signing Root R45"
|
|
|
|
|
- # Certificate "GlobalSign Code Signing Root E45"
|
|
|
|
|
- # Certificate "Halcom Root Certificate Authority"
|
|
|
|
|
- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
|
|
|
|
|
- # Certificate "GLOBALTRUST"
|
|
|
|
|
- # Certificate "MULTICERT Root Certification Authority 01"
|
|
|
|
|
- # Certificate "Verizon Global Root CA"
|
|
|
|
|
- # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
|
|
|
|
|
- # Certificate "CAEDICOM Root"
|
|
|
|
|
- # Certificate "COMODO Certification Authority"
|
|
|
|
|
- # Certificate "Security Communication ECC RootCA1"
|
|
|
|
|
- # Certificate "Security Communication RootCA3"
|
|
|
|
|
- # Certificate "AC RAIZ DNIE"
|
|
|
|
|
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
|
|
|
|
|
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
|
|
|
|
|
- # Certificate "VeriSign Universal Root Certification Authority"
|
|
|
|
|
- # Certificate "GeoTrust Global CA"
|
|
|
|
|
- # Certificate "GeoTrust Primary Certification Authority"
|
|
|
|
|
- # Certificate "thawte Primary Root CA"
|
|
|
|
|
- # Certificate "thawte Primary Root CA - G2"
|
|
|
|
|
- # Certificate "thawte Primary Root CA - G3"
|
|
|
|
|
- # Certificate "GeoTrust Primary Certification Authority - G3"
|
|
|
|
|
- # Certificate "GeoTrust Primary Certification Authority - G2"
|
|
|
|
|
- # Certificate "GeoTrust Universal CA"
|
|
|
|
|
- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
|
|
|
|
|
- # Certificate "GLOBALTRUST 2015"
|
|
|
|
|
- # Certificate "emSign Root CA - G2"
|
|
|
|
|
- # Certificate "emSign Root CA - C2"
|
|
|
|
|
- Adding:
|
|
|
|
|
- # Certificate "GLOBALTRUST 2020"
|
|
|
|
|
- # Certificate "ANF Secure Server Root CA"
|
|
|
|
|
|
|
|
|
|
*Tue May 25 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-2
|
|
|
|
|
- Update to CKBI 2.48 from NSS 3.64
|
|
|
|
|
- Removing:
|
|
|
|
|
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
|
|
|
|
|
- # Certificate "GeoTrust Universal CA 2"
|
|
|
|
|
- # Certificate "QuoVadis Root CA"
|
|
|
|
|
- # Certificate "Sonera Class 2 Root CA"
|
|
|
|
|
- # Certificate "Taiwan GRCA"
|
|
|
|
|
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
|
|
|
|
|
- # Certificate "EE Certification Centre Root CA"
|
|
|
|
|
- # Certificate "LuxTrust Global Root 2"
|
|
|
|
|
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
|
|
|
|
|
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
|
|
|
|
|
- Adding:
|
|
|
|
|
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
|
|
|
|
|
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
|
|
|
|
|
- # Certificate "e-Szigno Root CA 2017"
|
|
|
|
|
- # Certificate "certSIGN Root CA G2"
|
|
|
|
|
- # Certificate "Trustwave Global Certification Authority"
|
|
|
|
|
- # Certificate "Trustwave Global ECC P256 Certification Authority"
|
|
|
|
|
- # Certificate "Trustwave Global ECC P384 Certification Authority"
|
|
|
|
|
- # Certificate "NAVER Global Root Certification Authority"
|
|
|
|
|
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
|
|
|
|
|
- # Certificate "GlobalSign Secure Mail Root R45"
|
|
|
|
|
- # Certificate "GlobalSign Secure Mail Root E45"
|
|
|
|
|
- # Certificate "GlobalSign Root R46"
|
|
|
|
|
- # Certificate "GlobalSign Root E46"
|
|
|
|
|
- # Certificate "Certum EC-384 CA"
|
|
|
|
|
- # Certificate "Certum Trusted Root CA"
|
|
|
|
|
- # Certificate "GlobalSign Code Signing Root R45"
|
|
|
|
|
- # Certificate "GlobalSign Code Signing Root E45"
|
|
|
|
|
- # Certificate "Halcom Root Certificate Authority"
|
|
|
|
|
- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
|
|
|
|
|
- # Certificate "GLOBALTRUST"
|
|
|
|
|
- # Certificate "MULTICERT Root Certification Authority 01"
|
|
|
|
|
- # Certificate "Verizon Global Root CA"
|
|
|
|
|
- # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
|
|
|
|
|
- # Certificate "CAEDICOM Root"
|
|
|
|
|
- # Certificate "COMODO Certification Authority"
|
|
|
|
|
- # Certificate "Security Communication ECC RootCA1"
|
|
|
|
|
- # Certificate "Security Communication RootCA3"
|
|
|
|
|
- # Certificate "AC RAIZ DNIE"
|
|
|
|
|
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
|
|
|
|
|
- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
|
|
|
|
|
- # Certificate "GLOBALTRUST 2015"
|
|
|
|
|
- # Certificate "emSign Root CA - G2"
|
|
|
|
|
- # Certificate "emSign Root CA - C2"
|
|
|
|
|
|
|
|
|
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
|
|
|
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
|
|
|
|