SOURCES/README.etcssl

@@ -0,0 +1,20 @@
+This directory (/etc/ssl) is provided as a courtesy attempt to provide
+compatibility with software which assumes its existence. It is not a
+supported or canonical location. Software which assumes and relies on
+the existence and layout of this directory is making a wrong assumption
+(this directory is not any kind of 'standard', it is a configuration
+detail of Debian and its derivatives) and should be improved. No
+software packaged in this distribution should use this directory.
+
+An attempt is made to make the layout of /etc/ssl/certs match that
+provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
+of individual certificate files, and also contains a certificate bundle
+file named ca-certificates.crt, as Debian does. It also contains a
+bundle named ca-bundle.crt, as this distribution has long provided
+such a file, and it is possible some software has come to expect its
+existence.
+
+/etc/ssl/certs itself and the bundle files are in fact symlinks to
+some of the output of the 'update-ca-trust' script which forms a part
+of a system of consolidated CA certificates. Please refer to the
+update-ca-trust(8) manual page for additional information.

SOURCES/certdata.txt

@@ -58327,3 +58327,381 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
+
+#
+# Certificate "Russian Trusted Root CA"
+#
+# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
+# Serial Number: 4096 (0x1000)
+# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
+# Not Valid Before: Tue Mar 01 21:04:15 2022
+# Not Valid After : Fri Feb 27 21:04:15 2032
+# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
+# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Russian Trusted Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
+\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
+\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
+\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
+\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
+\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
+\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
+\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
+\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
+\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
+\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
+\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
+\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
+\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
+\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\020\000
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\302\060\202\003\252\240\003\002\001\002\002\002\020
+\000\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
+\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
+\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
+\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
+\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
+\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
+\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
+\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
+\103\101\060\036\027\015\062\062\060\063\060\061\062\061\060\064
+\061\065\132\027\015\063\062\060\062\062\067\062\061\060\064\061
+\065\132\060\160\061\013\060\011\006\003\125\004\006\023\002\122
+\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
+\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
+\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
+\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
+\156\163\061\040\060\036\006\003\125\004\003\014\027\122\165\163
+\163\151\141\156\040\124\162\165\163\164\145\144\040\122\157\157
+\164\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206
+\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
+\002\202\002\001\000\307\305\071\237\051\120\002\367\372\275\247
+\252\241\064\146\236\166\261\351\127\260\241\205\142\201\264\030
+\316\133\303\075\133\110\133\102\267\340\031\100\310\144\131\010
+\136\043\172\150\144\004\350\140\233\272\366\221\313\051\056\220
+\134\030\260\004\055\134\277\066\046\121\202\214\141\220\273\214
+\116\130\204\105\066\155\042\364\231\176\315\150\314\114\016\141
+\366\374\334\056\071\124\143\360\342\046\125\256\154\324\136\024
+\316\176\012\277\163\305\224\060\143\215\050\327\051\126\075\222
+\150\324\006\305\320\254\201\336\152\251\224\042\303\310\224\325
+\224\236\051\227\113\102\064\151\261\061\252\106\335\255\166\327
+\143\000\216\136\023\216\332\220\324\307\167\044\230\231\102\061
+\101\232\161\104\347\312\134\220\133\145\154\044\214\210\030\017
+\025\323\034\335\151\345\027\203\105\131\351\231\215\122\276\130
+\005\352\377\020\003\213\075\277\015\142\233\000\204\227\266\231
+\170\314\007\362\175\034\333\050\024\300\105\047\111\113\071\077
+\376\165\013\343\155\324\131\240\344\374\172\242\151\132\165\103
+\123\344\013\376\241\031\237\076\173\067\317\016\130\315\353\151
+\262\144\104\327\124\375\236\361\345\041\110\063\321\153\252\323
+\174\305\354\054\210\025\201\043\102\272\134\133\216\004\344\303
+\341\135\074\243\204\363\047\317\202\162\256\127\224\045\026\330
+\276\074\245\223\102\142\340\103\174\030\173\027\031\001\356\240
+\340\030\070\232\176\321\044\145\227\300\245\030\066\023\343\075
+\033\314\044\064\244\317\054\067\070\300\175\005\015\070\243\206
+\014\121\335\216\017\211\055\107\057\146\141\303\266\303\334\046
+\354\226\141\006\201\371\347\146\210\315\220\233\134\055\340\107
+\004\266\271\333\367\122\300\325\070\131\142\356\155\246\022\210
+\011\200\364\205\014\137\137\321\245\372\161\073\027\170\142\111
+\241\317\336\350\025\265\032\014\221\142\244\210\040\307\233\027
+\170\360\045\221\067\126\236\377\221\130\034\145\047\003\020\333
+\232\004\036\144\140\270\326\037\341\232\377\107\032\375\161\057
+\167\143\351\235\134\206\132\004\101\064\051\055\242\055\032\232
+\072\045\201\222\057\110\061\005\070\246\032\217\070\020\032\033
+\260\076\170\377\017\002\003\001\000\001\243\146\060\144\060\035
+\006\003\125\035\016\004\026\004\024\341\321\201\345\316\132\137
+\004\252\322\351\266\235\146\261\305\372\254\054\207\060\037\006
+\003\125\035\043\004\030\060\026\200\024\341\321\201\345\316\132
+\137\004\252\322\351\266\235\146\261\305\372\254\054\207\060\022
+\006\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002
+\001\004\060\016\006\003\125\035\017\001\001\377\004\004\003\002
+\001\206\060\015\006\011\052\206\110\206\367\015\001\001\013\005
+\000\003\202\002\001\000\000\262\030\327\011\042\226\337\356\255
+\361\025\063\233\312\316\276\256\264\347\203\130\045\034\316\145
+\227\375\025\370\226\072\121\166\001\176\345\360\010\113\213\307
+\266\145\344\252\224\202\071\127\226\122\262\125\365\013\331\237
+\242\366\333\266\160\270\115\171\161\150\274\014\040\332\227\165
+\036\367\105\240\000\222\131\061\364\354\204\336\016\043\307\052
+\133\321\070\020\157\160\202\126\304\264\311\316\154\171\146\263
+\301\167\010\171\253\303\171\072\052\145\044\130\152\032\373\361
+\015\231\305\145\353\313\277\160\304\145\324\226\326\331\263\076
+\377\160\076\110\010\066\163\250\217\016\127\241\163\062\261\332
+\206\275\345\005\264\112\103\317\130\153\215\003\360\204\360\052
+\162\000\322\041\273\325\305\256\075\321\103\161\052\171\027\022
+\001\004\050\167\124\115\270\172\137\021\062\324\374\015\240\062
+\153\347\377\017\354\307\264\301\335\156\101\076\316\253\246\263
+\200\337\273\156\264\372\275\273\241\123\144\347\006\324\352\243
+\013\360\173\311\072\240\043\272\333\312\372\061\354\061\027\241
+\176\353\042\041\052\310\323\124\202\344\344\376\355\322\147\205
+\127\023\151\046\305\331\222\207\164\320\277\046\337\156\165\325
+\340\226\302\145\126\252\211\232\332\251\316\350\144\311\321\241
+\152\327\104\155\363\265\271\333\172\317\375\252\024\106\043\263
+\352\136\247\212\044\034\355\305\024\304\126\077\016\066\315\135
+\130\336\154\315\074\032\074\213\341\222\023\267\010\356\104\255
+\115\253\125\325\053\363\334\012\244\325\333\004\340\305\051\033
+\140\305\104\373\321\212\146\047\216\225\125\252\235\002\023\231
+\017\321\024\122\176\030\151\342\332\113\300\043\110\137\341\355
+\111\043\072\046\315\163\212\225\016\043\317\372\271\036\204\125
+\214\353\243\325\234\375\114\262\037\167\265\317\255\150\207\302
+\021\205\114\306\070\174\314\326\305\272\207\073\177\073\357\254
+\122\013\055\356\342\176\361\010\122\244\225\040\057\300\316\231
+\114\374\234\160\355\273\227\025\341\217\326\245\102\004\101\352
+\337\335\135\377\324\100\175\246\165\333\071\060\026\311\176\040
+\254\004\374\346\161\133\300\007\153\330\265\247\201\216\321\204
+\215\271\314\363\022\156
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
+
+# Trust for "Russian Trusted Root CA"
+# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
+# Serial Number: 4096 (0x1000)
+# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
+# Not Valid Before: Tue Mar 01 21:04:15 2022
+# Not Valid After : Fri Feb 27 21:04:15 2032
+# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
+# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Russian Trusted Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\217\371\025\314\253\173\301\157\214\134\200\231\325\076\016\021
+\133\072\354\057
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\177\273\037\273\321\051\107\347\050\334\277\244\126\214\144\315
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
+\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
+\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
+\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
+\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
+\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
+\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
+\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\020\000
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Russian Trusted Sub CA"
+#
+# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
+# Serial Number: 4098 (0x1002)
+# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
+# Not Valid Before: Wed Mar 02 11:25:19 2022
+# Not Valid After : Sat Mar 06 11:25:19 2027
+# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
+# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Russian Trusted Sub CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\157\061\013\060\011\006\003\125\004\006\023\002\122\125\061
+\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
+\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
+\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
+\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
+\061\037\060\035\006\003\125\004\003\014\026\122\165\163\163\151
+\141\156\040\124\162\165\163\164\145\144\040\123\165\142\040\103
+\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
+\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
+\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
+\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
+\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
+\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
+\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
+\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\020\002
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\007\102\060\202\005\052\240\003\002\001\002\002\002\020
+\002\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
+\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
+\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
+\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
+\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
+\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
+\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
+\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
+\103\101\060\036\027\015\062\062\060\063\060\062\061\061\062\065
+\061\071\132\027\015\062\067\060\063\060\066\061\061\062\065\061
+\071\132\060\157\061\013\060\011\006\003\125\004\006\023\002\122
+\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
+\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
+\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
+\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
+\156\163\061\037\060\035\006\003\125\004\003\014\026\122\165\163
+\163\151\141\156\040\124\162\165\163\164\145\144\040\123\165\142
+\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206\367
+\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002
+\202\002\001\000\365\203\352\004\243\244\327\323\105\312\152\304
+\301\350\163\256\020\104\201\075\232\264\267\263\245\333\201\333
+\211\220\354\050\216\153\361\325\244\120\203\105\234\335\306\251
+\141\361\332\344\273\215\074\376\324\346\133\071\115\037\366\353
+\036\344\041\147\371\242\130\243\237\337\231\151\053\070\362\005
+\336\223\074\315\267\270\007\311\274\103\220\333\367\147\050\141
+\211\156\305\050\327\373\235\051\053\361\103\005\107\245\133\367
+\113\315\016\226\133\212\176\025\217\014\105\320\246\014\205\250
+\214\317\243\022\020\114\266\164\165\350\253\147\003\025\035\252
+\331\346\357\007\250\167\255\106\340\055\230\355\231\014\144\047
+\275\123\211\140\010\345\263\341\342\271\352\273\056\076\316\161
+\356\302\102\304\360\125\227\217\371\164\061\333\303\300\150\106
+\167\313\253\020\022\336\253\057\116\235\166\224\235\241\063\051
+\006\160\252\115\274\126\371\345\214\312\071\010\237\253\175\030
+\033\124\127\216\162\007\121\044\034\331\343\330\114\170\033\000
+\242\067\324\374\341\004\043\051\052\376\361\375\051\260\152\331
+\274\366\302\155\000\060\064\122\143\212\302\342\306\170\345\030
+\362\312\153\233\316\230\334\010\207\362\300\311\105\271\016\072
+\144\013\035\064\340\263\303\272\243\351\026\302\227\064\252\132
+\057\140\346\352\347\064\307\202\150\346\157\240\121\065\116\104
+\036\241\071\054\326\235\140\343\330\145\237\242\142\363\317\050
+\306\363\120\321\030\120\151\162\217\316\367\174\336\162\302\015
+\335\042\366\142\310\351\253\134\335\241\055\065\010\306\061\211
+\357\377\367\065\257\143\014\310\333\237\316\146\050\055\236\220
+\210\255\307\166\217\126\072\164\305\005\100\014\300\264\161\076
+\252\305\337\225\042\374\034\204\276\040\221\005\041\012\033\056
+\126\041\036\112\004\335\253\340\067\036\143\226\357\216\055\207
+\264\164\135\030\223\035\117\030\330\333\302\253\323\137\176\321
+\012\175\366\064\310\345\242\325\266\101\301\204\146\020\312\217
+\355\356\255\230\263\247\234\135\114\366\142\264\017\232\022\066
+\114\374\330\273\325\123\235\210\343\364\212\006\360\351\253\031
+\331\374\135\243\066\165\116\164\222\140\326\057\064\004\360\266
+\023\146\147\053\002\003\001\000\001\243\202\001\345\060\202\001
+\341\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
+\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
+\004\003\002\001\206\060\035\006\003\125\035\016\004\026\004\024
+\321\341\161\015\013\055\201\116\156\212\112\217\114\043\263\114
+\136\253\151\013\060\037\006\003\125\035\043\004\030\060\026\200
+\024\341\321\201\345\316\132\137\004\252\322\351\266\235\146\261
+\305\372\254\054\207\060\201\307\006\010\053\006\001\005\005\007
+\001\001\004\201\272\060\201\267\060\073\006\010\053\006\001\005
+\005\007\060\002\206\057\150\164\164\160\072\057\057\162\157\163
+\164\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162
+\157\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062
+\062\056\143\162\164\060\073\006\010\053\006\001\005\005\007\060
+\002\206\057\150\164\164\160\072\057\057\143\157\155\160\141\156
+\171\056\162\164\056\162\165\057\143\144\160\057\162\157\157\164
+\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
+\162\164\060\073\006\010\053\006\001\005\005\007\060\002\206\057
+\150\164\164\160\072\057\057\162\145\145\163\164\162\055\160\153
+\151\056\162\165\057\143\144\160\057\162\157\157\164\143\141\137
+\163\163\154\137\162\163\141\062\060\062\062\056\143\162\164\060
+\201\260\006\003\125\035\037\004\201\250\060\201\245\060\065\240
+\063\240\061\206\057\150\164\164\160\072\057\057\162\157\163\164
+\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162\157
+\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062\062
+\056\143\162\154\060\065\240\063\240\061\206\057\150\164\164\160
+\072\057\057\143\157\155\160\141\156\171\056\162\164\056\162\165
+\057\143\144\160\057\162\157\157\164\143\141\137\163\163\154\137
+\162\163\141\062\060\062\062\056\143\162\154\060\065\240\063\240
+\061\206\057\150\164\164\160\072\057\057\162\145\145\163\164\162
+\055\160\153\151\056\162\165\057\143\144\160\057\162\157\157\164
+\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
+\162\154\060\015\006\011\052\206\110\206\367\015\001\001\013\005
+\000\003\202\002\001\000\104\025\163\146\133\073\364\007\142\110
+\052\132\257\136\135\003\221\353\376\272\323\341\146\353\071\374
+\345\244\217\261\254\267\221\076\265\006\351\345\026\041\156\057
+\112\350\265\313\035\342\250\142\302\214\367\012\157\341\316\117
+\012\021\061\262\072\312\323\377\235\332\167\116\126\056\153\146
+\235\275\200\104\205\053\343\263\356\057\015\223\160\136\277\303
+\152\166\360\041\147\156\255\231\225\211\004\101\014\127\233\246
+\113\347\042\372\356\375\032\126\271\337\371\257\255\270\132\237
+\057\241\223\021\266\077\334\233\246\210\364\273\157\005\364\375
+\161\374\341\071\247\261\043\377\175\163\136\035\312\053\244\327
+\356\220\205\334\012\150\044\123\163\131\235\174\324\046\235\365
+\215\105\267\326\205\140\145\053\170\170\030\141\075\044\255\367
+\032\117\031\113\300\314\256\107\100\207\114\133\313\214\100\103
+\371\222\130\007\326\254\031\237\316\123\252\033\052\001\325\116
+\073\131\063\236\250\326\326\222\112\000\077\154\254\367\217\254
+\046\016\015\116\110\203\126\325\321\027\251\353\351\366\042\321
+\264\216\274\341\140\320\204\053\061\163\266\143\310\062\203\320
+\021\164\362\160\052\333\326\137\305\117\000\060\230\062\045\207
+\207\211\374\155\232\044\042\262\046\124\242\303\100\241\330\342
+\060\254\064\075\207\035\322\137\236\267\113\331\202\160\326\241
+\154\220\323\270\161\043\146\147\047\160\321\151\040\216\377\144
+\027\342\261\252\260\312\224\037\014\146\355\207\162\132\141\352
+\377\302\147\107\320\365\213\204\363\371\154\035\235\020\163\141
+\362\211\043\047\276\070\012\345\360\334\335\060\370\175\257\005
+\023\310\014\066\352\314\372\105\174\075\077\013\064\203\076\341
+\233\076\054\241\025\362\172\221\130\026\261\220\205\111\031\351
+\044\124\243\274\304\060\116\033\366\215\353\140\031\050\163\236
+\031\314\210\166\356\362\064\303\021\212\021\225\144\046\053\362
+\266\042\046\202\242\073\060\352\072\103\344\054\343\335\206\325
+\145\202\170\150\303\061\303\304\301\315\017\361\066\130\016\151
+\144\173\215\063\371\264\115\173\166\301\064\317\057\262\107\331
+\200\264\200\374\377\006\373\322\316\071\054\203\065\071\254\266
+\321\311\102\220\222\005
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
+
+# Trust for "Russian Trusted Sub CA"
+# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
+# Serial Number: 4098 (0x1002)
+# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
+# Not Valid Before: Wed Mar 02 11:25:19 2022
+# Not Valid After : Sat Mar 06 11:25:19 2027
+# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
+# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Russian Trusted Sub CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\063\135\103\365\064\121\267\201\123\137\363\210\055\367\023\323
+\301\117\212\001
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\304\023\047\226\170\334\005\047\062\041\103\376\100\312\364\332
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
+\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
+\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
+\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
+\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
+\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
+\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
+\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\002\020\002
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

SOURCES/ecdsa-a1.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBVDCB+6ADAgECAgwB3q3A3gCMGXg8etYwCgYIKoZIzj0EAw
+IwHDEaMBgGA1UEAwwRVENJIEVDRFNBIFJPT1QgQTEwHhcNMjIw
+MzMwMDkzMzE4WhcNMzIwMzMwMDkzMzE4WjAcMRowGAYDVQQDDB
+FUQ0kgRUNEU0EgUk9PVCBBMTBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABJni7LJT4Gj86pG0s9wOefWgqgp/EGf4ZcSxNgAJfh
+cl6WYNoWaZfflki4Rd0VzAJgbaTSW26zuv2mGM61txD96jIzAh
+MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCC
+qGSM49BAMCA0gAMEUCIDKjKPoaZrqtljmuy60G1PYINvR3A1eL
+OzT4RfhGBTrBAiEAhJL7IeLDbo2eZAIp4zioaIpo1hVyXkABNb
+npOTQ9KPs=
+-----END CERTIFICATE-----

SOURCES/gost-a1.crt

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBXTCCAQigAwIBAgIMAt6twN4AjBl4PHrWMAwGCCqFAwcBAQ
+MCBQAwGzEZMBcGA1UEAwwQVENJIEdPU1QgUk9PVCBBMTAeFw0y
+MjAzMzAwOTMzMThaFw0zMjAzMzAwOTMzMThaMBsxGTAXBgNVBA
+MMEFRDSSBHT1NUIFJPT1QgQTEwZjAfBggqhQMHAQEBATATBgcq
+hQMCAiMBBggqhQMHAQECAgNDAARASiE+O1G5yX8JjIS0RmQ2Im
+2FKd0RhbOtdjaoAivB3ywbHLGb6deQBRd/MwLP2IrfIZcVb4QP
+5PSYolD/Iu+ExaMjMCEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEw
+EB/wQFMAMBAf8wDAYIKoUDBwEBAwIFAANBAOi6Dn7pxa/SSbV6
+PsfROEKzsBnX6GGggo9wOELuZKfDYdy88/92yr2Aali+fEje63
+XqhHoZExE0CNLoncM3ARc=
+-----END CERTIFICATE-----

SOURCES/rootca_ssl_rsa2022.cer

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFwjCCA6qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwcDELMAkGA1UEBhMCUlUx
+PzA9BgNVBAoMNlRoZSBNaW5pc3RyeSBvZiBEaWdpdGFsIERldmVsb3BtZW50IGFu
+ZCBDb21tdW5pY2F0aW9uczEgMB4GA1UEAwwXUnVzc2lhbiBUcnVzdGVkIFJvb3Qg
+Q0EwHhcNMjIwMzAxMjEwNDE1WhcNMzIwMjI3MjEwNDE1WjBwMQswCQYDVQQGEwJS
+VTE/MD0GA1UECgw2VGhlIE1pbmlzdHJ5IG9mIERpZ2l0YWwgRGV2ZWxvcG1lbnQg
+YW5kIENvbW11bmljYXRpb25zMSAwHgYDVQQDDBdSdXNzaWFuIFRydXN0ZWQgUm9v
+dCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMfFOZ8pUAL3+r2n
+qqE0Zp52selXsKGFYoG0GM5bwz1bSFtCt+AZQMhkWQheI3poZAToYJu69pHLKS6Q
+XBiwBC1cvzYmUYKMYZC7jE5YhEU2bSL0mX7NaMxMDmH2/NwuOVRj8OImVa5s1F4U
+zn4Kv3PFlDBjjSjXKVY9kmjUBsXQrIHeaqmUIsPIlNWUnimXS0I0abExqkbdrXbX
+YwCOXhOO2pDUx3ckmJlCMUGacUTnylyQW2VsJIyIGA8V0xzdaeUXg0VZ6ZmNUr5Y
+Ber/EAOLPb8NYpsAhJe2mXjMB/J9HNsoFMBFJ0lLOT/+dQvjbdRZoOT8eqJpWnVD
+U+QL/qEZnz57N88OWM3rabJkRNdU/Z7x5SFIM9FrqtN8xewsiBWBI0K6XFuOBOTD
+4V08o4TzJ8+Ccq5XlCUW2L48pZNCYuBDfBh7FxkB7qDgGDiaftEkZZfApRg2E+M9
+G8wkNKTPLDc4wH0FDTijhgxR3Y4PiS1HL2Zhw7bD3CbslmEGgfnnZojNkJtcLeBH
+BLa52/dSwNU4WWLubaYSiAmA9IUMX1/RpfpxOxd4Ykmhz97oFbUaDJFipIggx5sX
+ePAlkTdWnv+RWBxlJwMQ25oEHmRguNYf4Zr/Rxr9cS93Y+mdXIZaBEE0KS2iLRqa
+OiWBki9IMQU4phqPOBAaG7A+eP8PAgMBAAGjZjBkMB0GA1UdDgQWBBTh0YHlzlpf
+BKrS6badZrHF+qwshzAfBgNVHSMEGDAWgBTh0YHlzlpfBKrS6badZrHF+qwshzAS
+BgNVHRMBAf8ECDAGAQH/AgEEMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
+AAOCAgEAALIY1wkilt/urfEVM5vKzr6utOeDWCUczmWX/RX4ljpRdgF+5fAIS4vH
+tmXkqpSCOVeWUrJV9QvZn6L227ZwuE15cWi8DCDal3Ue90WgAJJZMfTshN4OI8cq
+W9E4EG9wglbEtMnObHlms8F3CHmrw3k6KmUkWGoa+/ENmcVl68u/cMRl1JbW2bM+
+/3A+SAg2c6iPDlehczKx2oa95QW0SkPPWGuNA/CE8CpyANIhu9XFrj3RQ3EqeRcS
+AQQod1RNuHpfETLU/A2gMmvn/w/sx7TB3W5BPs6rprOA37tutPq9u6FTZOcG1Oqj
+C/B7yTqgI7rbyvox7DEXoX7rIiEqyNNUguTk/u3SZ4VXE2kmxdmSh3TQvybfbnXV
+4JbCZVaqiZraqc7oZMnRoWrXRG3ztbnbes/9qhRGI7PqXqeKJBztxRTEVj8ONs1d
+WN5szTwaPIvhkhO3CO5ErU2rVdUr89wKpNXbBODFKRtgxUT70YpmJ46VVaqdAhOZ
+D9EUUn4YaeLaS8AjSF/h7UkjOibNc4qVDiPP+rkehFWM66PVnP1Msh93tc+taIfC
+EYVMxjh8zNbFuoc7fzvvrFILLe7ifvEIUqSVIC/AzplM/Jxw7buXFeGP1qVCBEHq
+391d/9RAfaZ12zkwFsl+IKwE/OZxW8AHa9i1p4GO0YSNuczzEm4=
+-----END CERTIFICATE-----

SOURCES/rootca_ssl_rsa2022.cer.detached.sig

@@ -0,0 +1 @@
+MIAGCSqGSIb3DQEHAqCAMIACAQExDDAKBggqhQMHAQECAjCABgkqhkiG9w0BBwEAAKCCB7gwgge0MIIHYaADAgECAgsAybP3lAAAAAAFhjAKBggqhQMHAQEDAjCCASQxHjAcBgkqhkiG9w0BCQEWD2RpdEBtaW5zdnlhei5ydTELMAkGA1UEBhMCUlUxGDAWBgNVBAgMDzc3INCc0L7RgdC60LLQsDEZMBcGA1UEBwwQ0LMuINCc0L7RgdC60LLQsDEuMCwGA1UECQwl0YPQu9C40YbQsCDQotCy0LXRgNGB0LrQsNGPLCDQtNC+0LwgNzEsMCoGA1UECgwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgxGDAWBgUqhQNkARINMTA0NzcwMjAyNjcwMTEaMBgGCCqFAwOBAwEBEgwwMDc3MTA0NzQzNzUxLDAqBgNVBAMMI9Cc0LjQvdC60L7QvNGB0LLRj9C30Ywg0KDQvtGB0YHQuNC4MB4XDTIxMDUxOTA4MDc1OFoXDTIyMDgxNzA4MDc1OFowggF4MRowGAYIKoUDA4EDAQESDDAwNzcxMDQ3NDM3NTEYMBYGBSqFA2QBEg0xMDQ3NzAyMDI2NzAxMUIwQAYJKoZIhvcNAQkCDDPQn9C+0LTRgdC40YHRgtC10LzQsCDCq9Cg0LXQtdGB0YLRgNGLwrsg0JjQoSDQk9Cj0KYxLjAsBgkqhkiG9w0BCQEWH2Eua29yemhlbmV2c2theWFAZGlnaXRhbC5nb3YucnUxOjA4BgNVBAkMMdCf0YDQtdGB0L3QtdC90YHQutCw0Y8g0L3QsNCxLiwg0LQuIDEwLCDRgdGC0YAuIDIxGTAXBgNVBAcMENCzLiDQnNC+0YHQutCy0LAxGDAWBgNVBAgMDzc3INCc0L7RgdC60LLQsDEmMCQGA1UECgwd0JzQuNC90YbQuNGE0YDRiyDQoNC+0YHRgdC40LgxCzAJBgNVBAYTAlJVMSYwJAYDVQQDDB3QnNC40L3RhtC40YTRgNGLINCg0L7RgdGB0LjQuDBmMB8GCCqFAwcBAQEBMBMGByqFAwICJAAGCCqFAwcBAQICA0MABECPKzaqApZOrOkwaZWzx4xo/CsPpTbMMlJuUm2wIrJxpyZPGAdGO7krlWVfWnxPIl+POqsLM1Fq57nK30CAhUdzo4IEEzCCBA8wFQYDVR0lBA4wDAYKKwYBBAGCNwoDDDAOBgNVHQ8BAf8EBAMCBPAwXQYFKoUDZG8EVAxS0KHQmtCX0JggwqvQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQwrsg0LLQtdGA0YHQuNGPIDQuMCAo0LjRgdC/0L7Qu9C90LXQvdC40LUgMy1CYXNlKTAnBgNVHSAEIDAeMAgGBiqFA2RxATAIBgYqhQNkcQIwCAYGKoUDZHEDMB0GA1UdDgQWBBTvvmSAWPkPuWdrcO5mYdM5ixAd/DCCAWUGA1UdIwSCAVwwggFYgBTCVPG0a9RMt+BtNrQjkPH+wzybBqGCASykggEoMIIBJDEeMBwGCSqGSIb3DQEJARYPZGl0QG1pbnN2eWF6LnJ1MQswCQYDVQQGEwJSVTEYMBYGA1UECAwPNzcg0JzQvtGB0LrQstCwMRkwFwYDVQQHDBDQsy4g0JzQvtGB0LrQstCwMS4wLAYDVQQJDCXRg9C70LjRhtCwINCi0LLQtdGA0YHQutCw0Y8sINC00L7QvCA3MSwwKgYDVQQKDCPQnNC40L3QutC+0LzRgdCy0Y/Qt9GMINCg0L7RgdGB0LjQuDEYMBYGBSqFA2QBEg0xMDQ3NzAyMDI2NzAxMRowGAYIKoUDA4EDAQESDDAwNzcxMDQ3NDM3NTEsMCoGA1UEAwwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LiCEE5tR4sm8n1lf3aOAlzj05MwgZgGA1UdHwSBkDCBjTAtoCugKYYnaHR0cDovL3JlZXN0ci1wa2kucnUvY2RwL2d1Y19nb3N0MTIuY3JsMC2gK6AphidodHRwOi8vY29tcGFueS5ydC5ydS9jZHAvZ3VjX2dvc3QxMi5jcmwwLaAroCmGJ2h0dHA6Ly9yb3N0ZWxlY29tLnJ1L2NkcC9ndWNfZ29zdDEyLmNybDBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9yZWVzdHItcGtpLnJ1L2NkcC9ndWNfZ29zdDEyLmNydDCB9QYFKoUDZHAEgeswgegMNNCf0JDQmtCcIMKr0JrRgNC40L/RgtC+0J/RgNC+IEhTTcK7INCy0LXRgNGB0LjQuCAyLjAMQ9Cf0JDQmiDCq9CT0L7Qu9C+0LLQvdC+0Lkg0YPQtNC+0YHRgtC+0LLQtdGA0Y/RjtGJ0LjQuSDRhtC10L3RgtGAwrsMNdCX0LDQutC70Y7Rh9C10L3QuNC1IOKEliAxNDkvMy8yLzIvMjMg0L7RgiAwMi4wMy4yMDE4DDTQl9Cw0LrQu9GO0YfQtdC90LjQtSDihJYgMTQ5LzcvNi8xMDUg0L7RgiAyNy4wNi4yMDE4MAoGCCqFAwcBAQMCA0EAiq8EGuoH/RZ2NPQoW+ZP6tuflm4TMrsyT5QMYjVmOJdAXU7HiEqPSLSwH4eEYL6qkdHF8kmQYp2Kwesl86DcWjGCA5cwggOTAgEBMIIBNTCCASQxHjAcBgkqhkiG9w0BCQEWD2RpdEBtaW5zdnlhei5ydTELMAkGA1UEBhMCUlUxGDAWBgNVBAgMDzc3INCc0L7RgdC60LLQsDEZMBcGA1UEBwwQ0LMuINCc0L7RgdC60LLQsDEuMCwGA1UECQwl0YPQu9C40YbQsCDQotCy0LXRgNGB0LrQsNGPLCDQtNC+0LwgNzEsMCoGA1UECgwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgxGDAWBgUqhQNkARINMTA0NzcwMjAyNjcwMTEaMBgGCCqFAwOBAwEBEgwwMDc3MTA0NzQzNzUxLDAqBgNVBAMMI9Cc0LjQvdC60L7QvNGB0LLRj9C30Ywg0KDQvtGB0YHQuNC4AgsAybP3lAAAAAAFhjAKBggqhQMHAQECAqCCAfkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjIwMzAyMDgxNDE0WjAvBgkqhkiG9w0BCQQxIgQgzb9RJkaBTAfbMRIMlNXto6nKufJY5FtfqzLnfcuZ+hMwggGMBgsqhkiG9w0BCRACLzGCAXswggF3MIIBczCCAW8wCgYIKoUDBwEBAgIEIIF2ijeXhxSihco1wb5EBZoP1DAnHrpQuB9P656woqXfMIIBPTCCASykggEoMIIBJDEeMBwGCSqGSIb3DQEJARYPZGl0QG1pbnN2eWF6LnJ1MQswCQYDVQQGEwJSVTEYMBYGA1UECAwPNzcg0JzQvtGB0LrQstCwMRkwFwYDVQQHDBDQsy4g0JzQvtGB0LrQstCwMS4wLAYDVQQJDCXRg9C70LjRhtCwINCi0LLQtdGA0YHQutCw0Y8sINC00L7QvCA3MSwwKgYDVQQKDCPQnNC40L3QutC+0LzRgdCy0Y/Qt9GMINCg0L7RgdGB0LjQuDEYMBYGBSqFA2QBEg0xMDQ3NzAyMDI2NzAxMRowGAYIKoUDA4EDAQESDDAwNzcxMDQ3NDM3NTEsMCoGA1UEAwwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgCCwDJs/eUAAAAAAWGMAoGCCqFAwcBAQEBBEA0eWBz4JnqO6umBiTQK/tkJgTeV0nKAp2SQlJVOlSPwBDx1H5fUZOTQDP0/4OtMakDCKhUHd5KS9DNhZErA0UmAAAAAAAA

SOURCES/update-ca-trust

@@ -8,6 +8,7 @@ set -eu
 # files in $DEST.
 
 DEST=/etc/pki/ca-trust/extracted
+DEST_CERTS=/etc/pki/tls/certs
 
 # Prevent p11-kit from reading user configuration files.
 export P11_KIT_NO_USER_CONFIG=1
@@ -28,7 +29,8 @@ usage() {
 
 		EXTRACT OPTIONS
 		-o DIR, --output=DIR: Write the extracted trust store into the given
-		directory instead of updating $DEST.
+		directory instead of updating $DEST. (Note: This option will not
+		populate the ../pki/tls/certs with the directory-hash symbolic links.)
 	EOF
 }
 
@@ -73,9 +75,15 @@ extract() {
 		    "$DEST"/edk2
 	fi
 
+
+	# Delete all directory hash symlinks from the cert directory
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST_CERTS" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
+	fi
+
 	# OpenSSL PEM bundle that includes trust flags
 	# (BEGIN TRUSTED CERTIFICATE)
-	/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
@@ -85,25 +93,16 @@ extract() {
 	# by GnuTLS)
 	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
 
-	# p11-kit extract will have made this directory unwritable; when run with
-	# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
-	# not be the case. See rhbz#2241240.
-	if [ -n "$USER_DEST" ]; then
-	    /usr/bin/chmod u+w "$DEST/pem/directory-hash"
-        fi
-
-	# Debian compatibility: their /etc/ssl/certs has this bundle
-	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
-	# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
-	# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
-	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
 
-	# Remove write permissions again
-	if [ -n "$USER_DEST" ]; then
-	    /usr/bin/chmod u-w "$DEST/pem/directory-hash"
-        fi
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
+			target=$(readlink -f "$link")
+			new_link="$DEST_CERTS/$(basename "$link")"
+			ln -s "$target" "$new_link"
+		done
+	fi
 }
-
 if [ $# -lt 1 ]; then
     set -- extract
 fi
@@ -117,21 +116,8 @@ case "$1" in
 		usage
 		exit 0
 	;;
-	"-o"|"--output")
-		echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
-		echo >&2
-		exit 1
-	;;
-	"enable")
-		echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
-		echo >&2
-		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
-		extract
-	;;
 	*)
-		echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
-		echo >&2
-		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
-		extract
+		echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage."
+		exit 1
 	;;
 esac

SOURCES/update-ca-trust.8.txt

@@ -230,7 +230,8 @@ EXTRACT OPTIONS
 ^^^^^^^^^^^^^^^
 *-o DIR*, *--output=DIR*::
 	Write the extracted trust store into the given directory instead of
-	updating /etc/pki/ca-trust/extracted.
+	updating /etc/pki/ca-trust/extracted. (Note: This option will not
+	populate the ../pki/tls/certs with the directory-hash symbolic links.)
 
 FILES
 -----
@@ -257,6 +258,9 @@ FILES
 	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
 
+/etc/pki/tls/certs::
+	Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command.
+
 AUTHOR
 ------
 Written by Kai Engert and Stef Walter.

SPECS/ca-certificates.spec

@@ -1,7 +1,6 @@
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
 %define classic_tls_bundle ca-bundle.crt
-%define openssl_format_trust_bundle ca-bundle.trust.crt
 %define p11_format_bundle ca-bundle.trust.p11-kit
 %define legacy_default_bundle ca-bundle.legacy.default.crt
 %define legacy_disable_bundle ca-bundle.legacy.disable.crt
@@ -36,9 +35,9 @@ Name: ca-certificates
 # because all future versions will start with 2013 or larger.)
 
 Version: 2024.2.69_v8.0.303
-# for y-stream, please always use 91 <= release  < 100 (91,92,93)
-# for z-stream release branches, please use 90 <= release  < 91 (90.0, 90.1, ...)
-Release: 91.4%{?dist}
+# for Rawhide, please always use release >= 2
+# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
+Release: 102.3%{?dist}.inferit
 License: MIT AND GPL-2.0-or-later
 
 URL: https://fedoraproject.org/wiki/CA-Certificates
@@ -61,10 +60,20 @@ Source15: README.openssl
 Source16: README.pem
 Source17: README.edk2
 Source18: README.src
+Source19: README.etcssl
+
+# Russian Ministry of Digital Development and Communications
+Source90: rootca_ssl_rsa2022.cer
+Source91: rootca_ssl_rsa2022.cer.detached.sig
+# TCI ECSDA ROOT A1
+Source92: ecdsa-a1.crt
+# TCI GOST ROOT A1
+Source93: gost-a1.crt
 
 BuildArch: noarch
 
 Requires(post): bash
+Requires(post): findutils
 Requires(post): grep
 Requires(post): sed
 Requires(post): coreutils
@@ -206,6 +215,7 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/REA
 install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
 install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
 install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
+install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README
 
 install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
 
@@ -233,32 +243,11 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
-chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 
-# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
-ln -s /etc/pki/tls/certs \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
-ln -s /etc/pki/tls/openssl.cnf \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
-ln -s /etc/pki/tls/ct_log_list.cnf \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
-# legacy filenames
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
-ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
-ln -s %{catrustdir}/extracted/%{java_bundle} \
-    $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
-
 # Populate %%{catrustdir}/extracted/pem/directory-hash.
 #
 # First direct p11-kit-trust.so to the generated bundle (not the one
@@ -288,16 +277,46 @@ trust-policy: yes
 x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
 EOF
 
+# Extract the trust anchors to the directory-hash format.
 trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
-      --purpose server-auth \
-      $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+              --purpose server-auth \
+              $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
 
-# Create a temporary file with the list of (%ghost )files in the directory-hash.
-find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
-sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
 # Clean up the temporary module config.
 rm -f "$trust_module_config"
 
+# Russian Ministry of Digital Development and Communications
+install -m 644 %{SOURCE90} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
+install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
+# TCI ECDSA and GOST root certificates
+install -m 644 %{SOURCE92} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
+install -m 644 %{SOURCE93} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
+
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
+     -regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
+     -exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
+# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
+find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
+     -regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
+
+sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
+
+# /etc/ssl is provided in a Debian compatible form for (bad) code that
+# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
+ln -s %{pkidir}/tls/certs \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
+ln -s /etc/pki/tls/openssl.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
+ln -s /etc/pki/tls/ct_log_list.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
+# legacy filenames
+ln -s %{catrustdir}/extracted/%{java_bundle} \
+    $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
 
 %clean
 /usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
@@ -305,6 +324,10 @@ rm -rf $RPM_BUILD_ROOT
 
 %pre
 if [ $1 -gt 1 ] ; then
+  # Remove the old symlinks
+  rm -f %{pkidir}/tls/cert.pem
+  rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
+
   # Upgrade or Downgrade.
   # If the classic filename is a regular file, then we are upgrading
   # from an old package and we will move it to an .rpmsave backup file.
@@ -336,17 +359,6 @@ if [ $1 -gt 1 ] ; then
       fi
     fi
   fi
-
-  if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
-    # no backup yet
-    if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-      # a file exists
-      if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-        # it's an old regular file, not a link
-        mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
-      fi
-    fi
-  fi
 fi
 
 
@@ -396,6 +408,11 @@ fi
 %dir %{_datadir}/pki/ca-trust-legacy
 %dir %{catrustdir}/extracted/pem/directory-hash
 
+%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer
+%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer.detached.sig
+%{catrustdir}/source/anchors/ecdsa-a1.crt
+%{catrustdir}/source/anchors/gost-a1.crt
+
 %config(noreplace) %{catrustdir}/ca-legacy.conf
 
 %{_mandir}/man8/update-ca-trust.8.gz
@@ -410,12 +427,12 @@ fi
 %{catrustdir}/source/README
 
 # symlinks for old locations
-%{pkidir}/tls/cert.pem
 %{pkidir}/tls/certs/%{classic_tls_bundle}
-%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 %{pkidir}/%{java_bundle}
-# symlinks to cross-distro compatibility files and directory
+# Hybrid hash directory with bundle file for Debian compatibility
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
 %{_sysconfdir}/ssl/certs
+%{_sysconfdir}/ssl/README
 %{_sysconfdir}/ssl/cert.pem
 %{_sysconfdir}/ssl/openssl.cnf
 %{_sysconfdir}/ssl/ct_log_list.cnf
@@ -433,63 +450,60 @@ fi
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
-%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
-%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
 
 %changelog
-*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
+* Tue Dec 17 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-102.3.inferit
+- Added Russian Trusted Root and Sub CA
+- Added TCI ECDSA and GOST root certificates
+
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2024.2.69_v8.0.303-102.3
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2024.2.69_v8.0.303-101.3
+- Rebuilt for MSVSphere 10
+
+*Fri Sep 27 2024 Michel Lind <salimma@centosproject.org> - 2024.2.69_v8.0.303-101.3
+- Add missing Requires(post) on findutils for update-ca-trust
+- Resolves: RHEL-60723
+
+*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.2
+- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
+- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
+
+*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
 - update-ca-trust: return warnings on a unsupported argument instead of error
 
-*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
+*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
 - Temporarily generate the directory-hash files in %%install ...(next item)
 - Add list of ghost files from directory-hash to %%files
 
-*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
-- Remove write permissions from directory-hash
-
-*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
-- Reduce dependency on p11-kit to only the trust subpackage
-- Own the Directory-hash directory
+*Mon Aug 19 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
+- remove base-ci.* tests from gating.yaml
 
-*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
-- Fix release number
+*Thu Jul 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
+- Remove blacklist use blocklist-only.
+- add gating.yaml
 
-*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
+*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101
 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
 -    GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
 
-*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
+Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-101
 - Update to CKBI 2.68_v8.0.302 from NSS 3.101
 -    Removing:
 -     # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 -     # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
 -     # Certificate "Security Communication Root CA"
--     # Certificate "Camerfirma Chambers of Commerce Root"
--     # Certificate "Hongkong Post Root CA 1"
 -     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 -     # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
 -     # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
 -     # Certificate "TrustCor RootCert CA-1"
 -     # Certificate "TrustCor RootCert CA-2"
 -     # Certificate "TrustCor ECA-1"
--     # Certificate "FNMT-RCM"
 -    Adding:
--     # Certificate "LAWtrust Root CA2 (4096)"
--     # Certificate "Sectigo Public Email Protection Root E46"
--     # Certificate "Sectigo Public Email Protection Root R46"
--     # Certificate "Sectigo Public Server Authentication Root E46"
--     # Certificate "Sectigo Public Server Authentication Root R46"
--     # Certificate "SSL.com TLS RSA Root CA 2022"
--     # Certificate "SSL.com TLS ECC Root CA 2022"
--     # Certificate "SSL.com Client ECC Root CA 2022"
--     # Certificate "SSL.com Client RSA Root CA 2022"
--     # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
--     # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
--     # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
--     # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
 -     # Certificate "TrustAsia Global Root CA G3"
 -     # Certificate "TrustAsia Global Root CA G4"
 -     # Certificate "CommScope Public Trust ECC Root-01"
@@ -504,31 +518,56 @@ fi
 -     # Certificate "Telekom Security TLS RSA Root 2023"
 -     # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
 -     # Certificate "SECOM Trust.net"
--     # Certificate "Chambers of Commerce Root"
 -     # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
 -     # Certificate "SSL.com Code Signing RSA Root CA 2022"
 -     # Certificate "SSL.com Code Signing ECC Root CA 2022"
 
-* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2023.2.62_v7.0.401-7
+- Bump release for June 2024 mass rebuild
+
+* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-4
 - update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
 
-* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
+* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2023.2.62_v7.0.401-3
 - Skip %post if getopt is missing (recent change made update-ca-trust use it)
 
-* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
+*Wed Oct 04 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-2
+ - Update to CKBI 2.62_v7.0.401 from NSS 3.93
+   Removing: 
+    # Certificate "Camerfirma Chambers of Commerce Root"
+    # Certificate "Hongkong Post Root CA 1"
+    # Certificate "FNMT-RCM"
+   Adding: 
+    # Certificate "LAWtrust Root CA2 (4096)"
+    # Certificate "Sectigo Public Email Protection Root E46"
+    # Certificate "Sectigo Public Email Protection Root R46"
+    # Certificate "Sectigo Public Server Authentication Root E46"
+    # Certificate "Sectigo Public Server Authentication Root R46"
+    # Certificate "SSL.com TLS RSA Root CA 2022"
+    # Certificate "SSL.com TLS ECC Root CA 2022"
+    # Certificate "SSL.com Client ECC Root CA 2022"
+    # Certificate "SSL.com Client RSA Root CA 2022"
+    # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
+    # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
+    # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
+    # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
+    # Certificate "Chambers of Commerce Root"
+
+* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2023.2.60_v7.0.306-4
 - update-ca-trust: Support --output and non-root operation (rhbz#2241240)
 
-*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
+*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-3
 - update License: field to SPDX
 
-*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
-- Bump release number to make CI happy
-
-*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
+*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-2
 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
 -    Removing:
--     # Certificate "Camerfirma Global Chambersign Root"
--     # Certificate "Staat der Nederlanden EV Root CA"
 -     # Certificate "OpenTrust Root CA G1"
 -     # Certificate "Swedish Government Root Authority v1"
 -     # Certificate "DigiNotar Root CA G2"
@@ -563,16 +602,6 @@ fi
 -     # Certificate "Entrust.net Secure Server Certification Authority"
 -     # Certificate "ePKI EV SSL Certification Authority - G1"
 -    Adding:
--     # Certificate "DigiCert TLS ECC P384 Root G5"
--     # Certificate "DigiCert TLS RSA4096 Root G5"
--     # Certificate "DigiCert SMIME ECC P384 Root G5"
--     # Certificate "DigiCert SMIME RSA4096 Root G5"
--     # Certificate "Certainly Root R1"
--     # Certificate "Certainly Root E1"
--     # Certificate "E-Tugra Global Root CA RSA v3"
--     # Certificate "E-Tugra Global Root CA ECC v3"
--     # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
--     # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
 -     # Certificate "BJCA Global Root CA1"
 -     # Certificate "BJCA Global Root CA2"
 -     # Certificate "Symantec Enterprise Mobile Root for Microsoft"
@@ -589,7 +618,6 @@ fi
 -     # Certificate "ComSign CA"
 -     # Certificate "ComSign Secured CA"
 -     # Certificate "ComSign Advanced Security CA"
--     # Certificate "Global Chambersign Root"
 -     # Certificate "Sonera Class2 CA"
 -     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
 -     # Certificate "VeriSign, Inc."
@@ -604,7 +632,31 @@ fi
 -     # Certificate "GlobalSign Code Signing Root R45"
 -     # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
 
-*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
+*Tue Jul 25 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60-3
+- Fedora mass rebuild
+
+*Fri Jan 20 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2023.2.60-2
+- Update to CKBI 2.60 from NSS 3.86
+-    Removing:
+-     # Certificate "Camerfirma Global Chambersign Root"
+-     # Certificate "Staat der Nederlanden EV Root CA"
+-    Adding:
+-     # Certificate "DigiCert TLS ECC P384 Root G5"
+-     # Certificate "DigiCert TLS RSA4096 Root G5"
+-     # Certificate "DigiCert SMIME ECC P384 Root G5"
+-     # Certificate "DigiCert SMIME RSA4096 Root G5"
+-     # Certificate "Certainly Root R1"
+-     # Certificate "Certainly Root E1"
+-     # Certificate "E-Tugra Global Root CA RSA v3"
+-     # Certificate "E-Tugra Global Root CA ECC v3"
+-     # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
+-     # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
+-     # Certificate "Global Chambersign Root"
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-5
 - Update to CKBI 2.54 from NSS 3.79
 -    Removing:
 -     # Certificate "TrustCor ECA-1"
@@ -625,21 +677,19 @@ fi
 -     # Certificate "Government Root Certification Authority"
 -     # Certificate "AC Raíz Certicámara S.A."
 
-*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1
+*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-4
 - Update to CKBI 2.54 from NSS 3.79
 
-*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-2
 - Update to CKBI 2.54 from NSS 3.79
 -    Removing:
 -     # Certificate "GlobalSign Root CA - R2"
 -     # Certificate "DST Root CA X3"
 -     # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
 -    Adding:
--     # Certificate "TunTrust Root CA"
--     # Certificate "HARICA TLS RSA Root CA 2021"
--     # Certificate "HARICA TLS ECC Root CA 2021"
--     # Certificate "HARICA Client RSA Root CA 2021"
--     # Certificate "HARICA Client ECC Root CA 2021"
 -     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 -     # Certificate "vTrus ECC Root CA"
 -     # Certificate "vTrus Root CA"
@@ -862,31 +912,111 @@ fi
 -     # Certificate "HARICA Code Signing ECC Root CA 2021"
 -     # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
 
-* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
-- remove blacklist directory and references now that p11-kit has been updated.
-
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
-- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
-
-* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
--   Update to CKBI 2.50 from NSS 3.67
--      Removing:
--       # Certificate "QuoVadis Root CA"
--       # Certificate "Sonera Class 2 Root CA"
--       # Certificate "Trustis FPS Root CA"
--      Adding:
--       # Certificate "GLOBALTRUST 2020"
--       # Certificate "ANF Secure Server Root CA"
--       # Certificate "Certum EC-384 CA"
--       # Certificate "Certum Trusted Root CA"
-
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.52-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+*Mon Dec 13 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.52-2
+- Update to CKBI 2.52 from NSS 3.72
+-    Adding:
+-     # Certificate "TunTrust Root CA"
+-     # Certificate "HARICA TLS RSA Root CA 2021"
+-     # Certificate "HARICA TLS ECC Root CA 2021"
+-     # Certificate "HARICA Client RSA Root CA 2021"
+-     # Certificate "HARICA Client ECC Root CA 2021"
+
+*Mon Dec 6 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-5
+- integrate Adam William's /etc/ssl/certs with Debian-compatibility
+- back out blocklist change since p11-kit .24 is not yet available on rawhide
+
+*Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-4
+- remove blacklist directory now that pk11-kit is using blocklist
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.50-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-2
+- Update to CKBI 2.50 from NSS 3.67
+-    Removing:
+-     # Certificate "Trustis FPS Root CA"
+-     # Certificate "GlobalSign Code Signing Root R45"
+-     # Certificate "GlobalSign Code Signing Root E45"
+-     # Certificate "Halcom Root Certificate Authority"
+-     # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
+-     # Certificate "GLOBALTRUST"
+-     # Certificate "MULTICERT Root Certification Authority 01"
+-     # Certificate "Verizon Global Root CA"
+-     # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
+-     # Certificate "CAEDICOM Root"
+-     # Certificate "COMODO Certification Authority"
+-     # Certificate "Security Communication ECC RootCA1"
+-     # Certificate "Security Communication RootCA3"
+-     # Certificate "AC RAIZ DNIE"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
+-     # Certificate "VeriSign Universal Root Certification Authority"
+-     # Certificate "GeoTrust Global CA"
+-     # Certificate "GeoTrust Primary Certification Authority"
+-     # Certificate "thawte Primary Root CA"
+-     # Certificate "thawte Primary Root CA - G2"
+-     # Certificate "thawte Primary Root CA - G3"
+-     # Certificate "GeoTrust Primary Certification Authority - G3"
+-     # Certificate "GeoTrust Primary Certification Authority - G2"
+-     # Certificate "GeoTrust Universal CA"
+-     # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
+-     # Certificate "GLOBALTRUST 2015"
+-     # Certificate "emSign Root CA - G2"
+-     # Certificate "emSign Root CA - C2"
+-    Adding:
+-     # Certificate "GLOBALTRUST 2020"
+-     # Certificate "ANF Secure Server Root CA"
+
+*Tue May 25 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-2
+- Update to CKBI 2.48 from NSS 3.64
+-    Removing:
+-     # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
+-     # Certificate "GeoTrust Universal CA 2"
+-     # Certificate "QuoVadis Root CA"
+-     # Certificate "Sonera Class 2 Root CA"
+-     # Certificate "Taiwan GRCA"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
+-     # Certificate "EE Certification Centre Root CA"
+-     # Certificate "LuxTrust Global Root 2"
+-     # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
+-     # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
+-    Adding:
+-     # Certificate "Microsoft ECC Root Certificate Authority 2017"
+-     # Certificate "Microsoft RSA Root Certificate Authority 2017"
+-     # Certificate "e-Szigno Root CA 2017"
+-     # Certificate "certSIGN Root CA G2"
+-     # Certificate "Trustwave Global Certification Authority"
+-     # Certificate "Trustwave Global ECC P256 Certification Authority"
+-     # Certificate "Trustwave Global ECC P384 Certification Authority"
+-     # Certificate "NAVER Global Root Certification Authority"
+-     # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
+-     # Certificate "GlobalSign Secure Mail Root R45"
+-     # Certificate "GlobalSign Secure Mail Root E45"
+-     # Certificate "GlobalSign Root R46"
+-     # Certificate "GlobalSign Root E46"
+-     # Certificate "Certum EC-384 CA"
+-     # Certificate "Certum Trusted Root CA"
+-     # Certificate "GlobalSign Code Signing Root R45"
+-     # Certificate "GlobalSign Code Signing Root E45"
+-     # Certificate "Halcom Root Certificate Authority"
+-     # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
+-     # Certificate "GLOBALTRUST"
+-     # Certificate "MULTICERT Root Certification Authority 01"
+-     # Certificate "Verizon Global Root CA"
+-     # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
+-     # Certificate "CAEDICOM Root"
+-     # Certificate "COMODO Certification Authority"
+-     # Certificate "Security Communication ECC RootCA1"
+-     # Certificate "Security Communication RootCA3"
+-     # Certificate "AC RAIZ DNIE"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
+-     # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
+-     # Certificate "GLOBALTRUST 2015"
+-     # Certificate "emSign Root CA - G2"
+-     # Certificate "emSign Root CA - C2"
 
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild