Compare commits

...

No commits in common. 'c9' and 'c8' have entirely different histories.
c9 ... c8

@ -177,11 +177,6 @@ openssl_trust = {
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection", "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
} }
cert_distrust_types = {
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
}
for tobj in objects: for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj) key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -374,16 +369,6 @@ for tobj in objects:
f.write("nss-mozilla-ca-policy: true\n") f.write("nss-mozilla-ca-policy: true\n")
f.write("modifiable: false\n"); f.write("modifiable: false\n");
# requires p11-kit >= 0.23.19
for t in list(cert_distrust_types.keys()):
if t in obj:
value = obj[t]
if value == 'CK_FALSE':
value = bytearray(1)
f.write(cert_distrust_types[t] + ": \"")
f.write(urllib.parse.quote(value));
f.write("\"\n")
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64) temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)

@ -1,9 +1,9 @@
#!/bin/sh #!/bin/sh
#set -vx #set -vx
set -eu
# For backwards compatibility reasons, future versions of this script must # At this time, while this script is trivial, we ignore any parameters given.
# However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output # support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST. # files in $DEST.
@ -12,126 +12,11 @@ DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files. # Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1 export P11_KIT_NO_USER_CONFIG=1
usage() {
fold -s -w 76 >&2 <<-EOF
Usage: $0 [extract] [-o DIR|--output=DIR]
Update the system trust store in $DEST.
COMMANDS
(absent/empty command): Same as the extract command without arguments.
extract: Instruct update-ca-trust to scan the source configuration in
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
updated versions of the consolidated configuration files stored below
the $DEST directory hierarchy.
EXTRACT OPTIONS
-o DIR, --output=DIR: Write the extracted trust store into the given
directory instead of updating $DEST.
EOF
}
extract() {
USER_DEST=
# can't use getopt here. ca-certificates can't depend on a lot
# of other libraries since openssl depends on ca-certificates
# just fail when we hand parse
while [ $# -ne 0 ]; do
case "$1" in
"-o"|"--output")
if [ $# -lt 2 ]; then
echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
fi
USER_DEST=$2
shift 2
continue
;;
"--")
shift
break
;;
*)
echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
exit 1
;;
esac
done
if [ -n "$USER_DEST" ]; then
DEST=$USER_DEST
# Attempt to create the directories if they do not exist
# yet (rhbz#2241240)
/usr/bin/mkdir -p \
"$DEST"/openssl \
"$DEST"/pem \
"$DEST"/java \
"$DEST"/edk2
fi
# OpenSSL PEM bundle that includes trust flags # OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE) # (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt" /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem" /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts" /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin" /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
# by GnuTLS)
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
# p11-kit extract will have made this directory unwritable; when run with
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
# not be the case. See rhbz#2241240.
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u+w "$DEST/pem/directory-hash"
fi
# Debian compatibility: their /etc/ssl/certs has this bundle
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
# Remove write permissions again
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u-w "$DEST/pem/directory-hash"
fi
}
if [ $# -lt 1 ]; then
set -- extract
fi
case "$1" in
"extract")
shift
extract "$@"
;;
"--help")
usage
exit 0
;;
"-o"|"--output")
echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
;;
"enable")
echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
*)
echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
esac

@ -27,7 +27,7 @@ certificates and associated trust
SYNOPSIS SYNOPSIS
-------- --------
*update-ca-trust* [extract] [-o 'DIR'|--output='DIR'] *update-ca-trust* ['COMMAND']
DESCRIPTION DESCRIPTION
@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/ * add it as a new file to directory /etc/pki/ca-trust/source/anchors/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then: .*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/pki/ca-trust/source/ * add it as a new file to directory /etc/pki/ca-trust/source/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to. .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ * simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats: .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes. Each certificate will be treated as *trusted* for all purposes.
In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
you may install one or multiple certificates in either the DER file you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes. Each certificate will be treated as *distrusted* for all purposes.
@ -214,24 +214,16 @@ server authentication.
COMMANDS COMMANDS
-------- --------
(absent/empty command) (absent/empty command)::
~~~~~~~~~~~~~~~~~~~~~~ Same as the *extract* command described below. (However, the command may
Same as the *extract* command described below. (However, the command may print print fewer warnings, as this command is being run during rpm package
fewer warnings, as this command is being run during rpm package installation, installation, where non-fatal status output is undesired.)
where non-fatal status output is undesired.)
*extract*::
extract Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
~~~~~~~ updated versions of the consolidated configuration files stored below
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
produce updated versions of the consolidated configuration files stored below
the /etc/pki/ca-trust/extracted directory hierarchy. the /etc/pki/ca-trust/extracted directory hierarchy.
EXTRACT OPTIONS
^^^^^^^^^^^^^^^
*-o DIR*, *--output=DIR*::
Write the extracted trust store into the given directory instead of
updating /etc/pki/ca-trust/extracted.
FILES FILES
----- -----
/etc/pki/tls/certs/ca-bundle.crt:: /etc/pki/tls/certs/ca-bundle.crt::

@ -36,11 +36,13 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.) # because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.303 Version: 2024.2.69_v8.0.303
# for y-stream, please always use 91 <= release < 100 (91,92,93) # On RHEL 8.x, please keep the release version >= 80
# for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...) # When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
Release: 91.4%{?dist} # When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
License: MIT AND GPL-2.0-or-later Release: 80.0%{?dist}
License: Public Domain
Group: System Environment/Base
URL: https://fedoraproject.org/wiki/CA-Certificates URL: https://fedoraproject.org/wiki/CA-Certificates
#Please always update both certdata.txt and nssckbi.h #Please always update both certdata.txt and nssckbi.h
@ -71,14 +73,16 @@ Requires(post): coreutils
Requires: bash Requires: bash
Requires: grep Requires: grep
Requires: sed Requires: sed
Requires(post): p11-kit-trust >= 0.24 Requires(post): p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.24 Requires(post): p11-kit-trust >= 0.23.12
Requires: p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.23.12
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: python3 BuildRequires: python3-devel
BuildRequires: openssl BuildRequires: openssl
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: xmlto BuildRequires: libxslt
%description %description
This package contains the set of CA certificates chosen by the This package contains the set of CA certificates chosen by the
@ -96,7 +100,7 @@ mkdir %{name}/java
pushd %{name}/certs pushd %{name}/certs
pwd pwd
cp %{SOURCE0} . cp %{SOURCE0} .
python3 %{SOURCE4} >c2p.log 2>c2p.err %{__python3} %{SOURCE4} >c2p.log 2>c2p.err
popd popd
pushd %{name} pushd %{name}
( (
@ -167,12 +171,12 @@ popd
#manpage #manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xmlto -v -o %{name} man %{name}/ca-legacy.8.xml xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
%install %install
@ -182,16 +186,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -240,15 +243,9 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility # /etc/ssl/certs symlink for 3rd-party tools
ln -s /etc/pki/tls/certs \ ln -s ../pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames # legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
@ -259,49 +256,6 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
ln -s %{catrustdir}/extracted/%{java_bundle} \ ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle} $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
# Populate %%{catrustdir}/extracted/pem/directory-hash.
#
# First direct p11-kit-trust.so to the generated bundle (not the one
# already present on the build system) with an overriding module
# config. Note that we have to use a different config path based on
# the current user: if root, ~/.config/pkcs11/modules/* are not read,
# while if a regular user, she can't write to /etc.
if test "$(id -u)" -eq 0; then
trust_module_dir=/etc/pkcs11/modules
else
trust_module_dir=$HOME/.config/pkcs11/modules
fi
mkdir -p "$trust_module_dir"
# It is unlikely that the directory would contain any files on a build system,
# but let's make sure just in case.
if [ -n "$(ls -A "$trust_module_dir")" ]; then
echo "Directory $trust_module_dir is not empty. Aborting build!"
exit 1
fi
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
cat >"$trust_module_config" <<EOF
module: p11-kit-trust.so
trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Create a temporary file with the list of (%ghost )files in the directory-hash.
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# Clean up the temporary module config.
rm -f "$trust_module_config"
%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
rm -rf $RPM_BUILD_ROOT
%pre %pre
if [ $1 -gt 1 ] ; then if [ $1 -gt 1 ] ; then
@ -349,7 +303,6 @@ if [ $1 -gt 1 ] ; then
fi fi
fi fi
%post %post
#if [ $1 -gt 1 ] ; then #if [ $1 -gt 1 ] ; then
# # when upgrading or downgrading # # when upgrading or downgrading
@ -375,8 +328,9 @@ fi
%{_bindir}/ca-legacy install %{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust %{_bindir}/update-ca-trust
# The file .files.txt contains the list of (%ghost )files in the directory-hash %files
%files -f .files.txt %defattr(-,root,root,-)
%dir %{_sysconfdir}/ssl %dir %{_sysconfdir}/ssl
%dir %{pkidir}/tls %dir %{pkidir}/tls
%dir %{pkidir}/tls/certs %dir %{pkidir}/tls/certs
@ -384,7 +338,7 @@ fi
%dir %{catrustdir} %dir %{catrustdir}
%dir %{catrustdir}/source %dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors %dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blocklist %dir %{catrustdir}/source/blacklist
%dir %{catrustdir}/extracted %dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem %dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl %dir %{catrustdir}/extracted/openssl
@ -392,9 +346,8 @@ fi
%dir %{_datadir}/pki %dir %{_datadir}/pki
%dir %{_datadir}/pki/ca-trust-source %dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors %dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blocklist %dir %{_datadir}/pki/ca-trust-source/blacklist
%dir %{_datadir}/pki/ca-trust-legacy %dir %{_datadir}/pki/ca-trust-legacy
%dir %{catrustdir}/extracted/pem/directory-hash
%config(noreplace) %{catrustdir}/ca-legacy.conf %config(noreplace) %{catrustdir}/ca-legacy.conf
@ -414,13 +367,10 @@ fi
%{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle} %{pkidir}/%{java_bundle}
# symlinks to cross-distro compatibility files and directory # symlink directory
%{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf
# primary bundle file with trust # master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle} %{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle} %{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@ -436,33 +386,11 @@ fi
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} %ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin %ghost %{catrustdir}/extracted/edk2/cacerts.bin
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
%changelog
*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
- update-ca-trust: return warnings on a unsupported argument instead of error
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
- Temporarily generate the directory-hash files in %%install ...(next item)
- Add list of ghost files from directory-hash to %%files
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
- Remove write permissions from directory-hash
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
- Reduce dependency on p11-kit to only the trust subpackage
- Own the Directory-hash directory
*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
- Fix release number
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91 %changelog
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
- Removing: - Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
@ -509,22 +437,7 @@ fi
- # Certificate "SSL.com Code Signing RSA Root CA 2022" - # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022" - # Certificate "SSL.com Code Signing ECC Root CA 2022"
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0 *Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
- Skip %post if getopt is missing (recent change made update-ca-trust use it)
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
- update License: field to SPDX
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
- Bump release number to make CI happy
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Removing: - Removing:
- # Certificate "Camerfirma Global Chambersign Root" - # Certificate "Camerfirma Global Chambersign Root"
@ -604,7 +517,7 @@ fi
- # Certificate "GlobalSign Code Signing Root R45" - # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1" - # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2 *Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing: - Removing:
- # Certificate "TrustCor ECA-1" - # Certificate "TrustCor ECA-1"
@ -625,29 +538,12 @@ fi
- # Certificate "Government Root Certification Authority" - # Certificate "Government Root Certification Authority"
- # Certificate "AC Raíz Certicámara S.A." - # Certificate "AC Raíz Certicámara S.A."
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1 *Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0 *Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding: - Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
- # Certificate "CAEDICOM Root" - # Certificate "CAEDICOM Root"
- # Certificate "I.CA Root CA/RSA" - # Certificate "I.CA Root CA/RSA"
- # Certificate "MULTICERT Root Certification Authority 01" - # Certificate "MULTICERT Root Certification Authority 01"
@ -789,6 +685,7 @@ fi
- # Certificate "Certipost E-Trust TOP Root CA" - # Certificate "Certipost E-Trust TOP Root CA"
- # Certificate "Certipost E-Trust Primary Qualified CA" - # Certificate "Certipost E-Trust Primary Qualified CA"
- # Certificate "Certipost E-Trust Primary Normalised CA" - # Certificate "Certipost E-Trust Primary Normalised CA"
- # Certificate "Cybertrust Global Root"
- # Certificate "GlobalSign" - # Certificate "GlobalSign"
- # Certificate "IGC/A" - # Certificate "IGC/A"
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN" - # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@ -862,19 +759,34 @@ fi
- # Certificate "HARICA Code Signing ECC Root CA 2021" - # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020" - # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94 *Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
- remove blacklist directory and references now that p11-kit has been updated. - Update to CKBI 2.54 from NSS 3.79
- Removing:
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93 - # Certificate "GlobalSign Root CA - R2"
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - # Certificate "DST Root CA X3"
Related: rhbz#1991688 - # Certificate "Cybertrust Global Root"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92 - Adding:
- Rebuilt for RHEL 9 BETA for openssl 3.0 - # Certificate "TunTrust Root CA"
Related: rhbz#1971065 - # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90 *Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
- Update to CKBI 2.50 from NSS 3.67 - Update to CKBI 2.50 from NSS 3.67
- version number update only
*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
- Update to CKBI 2.48 from NSS 3.66
- Removing: - Removing:
- # Certificate "QuoVadis Root CA" - # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA" - # Certificate "Sonera Class 2 Root CA"
@ -885,90 +797,91 @@ fi
- # Certificate "Certum EC-384 CA" - # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA" - # Certificate "Certum Trusted Root CA"
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8 *Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Update to CKBI 2.48 from NSS 3.64
- Removing:
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7 - # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - # Certificate "GeoTrust Global CA"
- # Certificate "GeoTrust Universal CA"
* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6 - # Certificate "GeoTrust Universal CA 2"
- remove unnecessarily divisive terms, take 1. - # Certificate "Taiwan GRCA"
- in ca-certificates there are 3 cases: - # Certificate "GeoTrust Primary Certification Authority"
- 1) master refering to the fedora master branch in the fetch.sh script. - # Certificate "thawte Primary Root CA"
- This can only be changed once fedora changes the master branch name. - # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- 2) a reference to the 'master bundle' in this file: this has been changed - # Certificate "GeoTrust Primary Certification Authority - G3"
- to 'primary bundle'. - # Certificate "thawte Primary Root CA - G2"
- 3) a couple of blacklist directories owned by this package, but used to - # Certificate "thawte Primary Root CA - G3"
- p11-kit. New 'blocklist' directories have been created, but p11-kit - # Certificate "GeoTrust Primary Certification Authority - G2"
- needs to be updated before the old blacklist directories can be removed - # Certificate "VeriSign Universal Root Certification Authority"
- and the man pages corrected. - # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Certificate "EE Certification Centre Root CA"
* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5 - # Certificate "LuxTrust Global Root 2"
- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619) - # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4 - Adding:
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - # Certificate "Microsoft ECC Root Certificate Authority 2017"
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3 - # Certificate "e-Szigno Root CA 2017"
- Fix up broken %post and %postinstall scriptlet changes from -2 - # Certificate "certSIGN Root CA G2"
- # Certificate "Trustwave Global Certification Authority"
* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2 - # Certificate "Trustwave Global ECC P256 Certification Authority"
- # Certificate "Trustwave Global ECC P384 Certification Authority"
- # Certificate "NAVER Global Root Certification Authority"
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- # Certificate "GlobalSign Secure Mail Root R45"
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
- fix post issues
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
- Update to CKBI 2.41 from NSS 3.53.0 - Update to CKBI 2.41 from NSS 3.53.0
- Removing: - Removing:
- # Certificate "AddTrust Low-Value Services Root" - # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust External Root" - # Certificate "AddTrust External Root"
- # Certificate "Staat der Nederlanden Root CA - G2"
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
- Update versioned dependency on p11-kit
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
- Update to CKBI 2.40 from NSS 3.48
- Removing:
- # Certificate "UTN USERFirst Email Root CA" - # Certificate "UTN USERFirst Email Root CA"
- # Certificate "Certplus Class 2 Primary CA" - # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Deutsche Telekom Root CA 2" - # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Staat der Nederlanden Root CA - G2"
- # Certificate "Swisscom Root CA 2" - # Certificate "Swisscom Root CA 2"
- # Certificate "Certinomis - Root CA" - # Certificate "Certinomis - Root CA"
- Adding: - Adding:
- # Certificate "Entrust Root Certification Authority - G4" - # Certificate "Entrust Root Certification Authority - G4"
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3 *Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
- Update to CKBI 2.32 from NSS 3.44 - Update to CKBI 2.32 from NSS 3.44
Removing: - Removing:
# Certificate "Visa eCommerce Root" - # Certificate "Visa eCommerce Root"
# Certificate "AC Raiz Certicamara S.A." - # Certificate "AC Raiz Certicamara S.A."
# Certificate "Certplus Root CA G1" - # Certificate "ComSign CA"
# Certificate "Certplus Root CA G2" - # Certificate "Certplus Root CA G1"
# Certificate "OpenTrust Root CA G1" - # Certificate "Certplus Root CA G2"
# Certificate "OpenTrust Root CA G2" - # Certificate "OpenTrust Root CA G1"
# Certificate "OpenTrust Root CA G3" - # Certificate "OpenTrust Root CA G2"
Adding: - # Certificate "OpenTrust Root CA G3"
# Certificate "GTS Root R1" - Adding:
# Certificate "GTS Root R2" - # Certificate "GlobalSign Root CA - R6"
# Certificate "GTS Root R3" - # Certificate "OISTE WISeKey Global Root GC CA"
# Certificate "GTS Root R4" - # Certificate "GTS Root R1"
# Certificate "UCA Global G2 Root" - # Certificate "GTS Root R2"
# Certificate "UCA Extended Validation Root" - # Certificate "GTS Root R3"
# Certificate "Certigna Root CA" - # Certificate "GTS Root R4"
# Certificate "emSign Root CA - G1" - # Certificate "UCA Global G2 Root"
# Certificate "emSign ECC Root CA - G3" - # Certificate "UCA Extended Validation Root"
# Certificate "emSign Root CA - C1" - # Certificate "Certigna Root CA"
# Certificate "emSign ECC Root CA - C3" - # Certificate "emSign Root CA - G1"
# Certificate "Hongkong Post Root CA 3" - # Certificate "emSign ECC Root CA - G3"
- # Certificate "emSign Root CA - C1"
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3 - # Certificate "emSign ECC Root CA - C3"
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - # Certificate "Hongkong Post Root CA 3"
* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2 * Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
- Update to CKBI 2.26 from NSS 3.39 - Test gating
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6 * Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Use __python3 macro when invoking Python
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5 * Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
- Ported scripts to python3 - Ported scripts to python3

Loading…
Cancel
Save