Compare commits

No commits in common. 'c9' and 'i10-beta' have entirely different histories.

@ -0,0 +1,20 @@
This directory (/etc/ssl) is provided as a courtesy attempt to provide
compatibility with software which assumes its existence. It is not a
supported or canonical location. Software which assumes and relies on
the existence and layout of this directory is making a wrong assumption
(this directory is not any kind of 'standard', it is a configuration
detail of Debian and its derivatives) and should be improved. No
software packaged in this distribution should use this directory.
An attempt is made to make the layout of /etc/ssl/certs match that
provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
of individual certificate files, and also contains a certificate bundle
file named ca-certificates.crt, as Debian does. It also contains a
bundle named ca-bundle.crt, as this distribution has long provided
such a file, and it is possible some software has come to expect its
existence.
/etc/ssl/certs itself and the bundle files are in fact symlinks to
some of the output of the 'update-ca-trust' script which forms a part
of a system of consolidated CA certificates. Please refer to the
update-ca-trust(8) manual page for additional information.
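Review bot: The second paragraph promises that /etc/ssl/certs contains ca-certificates.crt and ca-bundle.crt, but the update-ca-trust change in this same compare drops the two `ln -s ../tls-ca-bundle.pem ...` lines that created those names in the directory-hash output. Either keep creating the two bundle links or reword the paragraph so it describes what the script now produces.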

@ -58327,3 +58327,381 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Russian Trusted Root CA"
#
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4096 (0x1000)
# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Tue Mar 01 21:04:15 2022
# Not Valid After : Fri Feb 27 21:04:15 2032
# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\000
END
CKA_VALUE MULTILINE_OCTAL
\060\202\005\302\060\202\003\252\240\003\002\001\002\002\002\020
\000\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101\060\036\027\015\062\062\060\063\060\061\062\061\060\064
\061\065\132\027\015\063\062\060\062\062\067\062\061\060\064\061
\065\132\060\160\061\013\060\011\006\003\125\004\006\023\002\122
\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
\156\163\061\040\060\036\006\003\125\004\003\014\027\122\165\163
\163\151\141\156\040\124\162\165\163\164\145\144\040\122\157\157
\164\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206
\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
\002\202\002\001\000\307\305\071\237\051\120\002\367\372\275\247
\252\241\064\146\236\166\261\351\127\260\241\205\142\201\264\030
\316\133\303\075\133\110\133\102\267\340\031\100\310\144\131\010
\136\043\172\150\144\004\350\140\233\272\366\221\313\051\056\220
\134\030\260\004\055\134\277\066\046\121\202\214\141\220\273\214
\116\130\204\105\066\155\042\364\231\176\315\150\314\114\016\141
\366\374\334\056\071\124\143\360\342\046\125\256\154\324\136\024
\316\176\012\277\163\305\224\060\143\215\050\327\051\126\075\222
\150\324\006\305\320\254\201\336\152\251\224\042\303\310\224\325
\224\236\051\227\113\102\064\151\261\061\252\106\335\255\166\327
\143\000\216\136\023\216\332\220\324\307\167\044\230\231\102\061
\101\232\161\104\347\312\134\220\133\145\154\044\214\210\030\017
\025\323\034\335\151\345\027\203\105\131\351\231\215\122\276\130
\005\352\377\020\003\213\075\277\015\142\233\000\204\227\266\231
\170\314\007\362\175\034\333\050\024\300\105\047\111\113\071\077
\376\165\013\343\155\324\131\240\344\374\172\242\151\132\165\103
\123\344\013\376\241\031\237\076\173\067\317\016\130\315\353\151
\262\144\104\327\124\375\236\361\345\041\110\063\321\153\252\323
\174\305\354\054\210\025\201\043\102\272\134\133\216\004\344\303
\341\135\074\243\204\363\047\317\202\162\256\127\224\045\026\330
\276\074\245\223\102\142\340\103\174\030\173\027\031\001\356\240
\340\030\070\232\176\321\044\145\227\300\245\030\066\023\343\075
\033\314\044\064\244\317\054\067\070\300\175\005\015\070\243\206
\014\121\335\216\017\211\055\107\057\146\141\303\266\303\334\046
\354\226\141\006\201\371\347\146\210\315\220\233\134\055\340\107
\004\266\271\333\367\122\300\325\070\131\142\356\155\246\022\210
\011\200\364\205\014\137\137\321\245\372\161\073\027\170\142\111
\241\317\336\350\025\265\032\014\221\142\244\210\040\307\233\027
\170\360\045\221\067\126\236\377\221\130\034\145\047\003\020\333
\232\004\036\144\140\270\326\037\341\232\377\107\032\375\161\057
\167\143\351\235\134\206\132\004\101\064\051\055\242\055\032\232
\072\045\201\222\057\110\061\005\070\246\032\217\070\020\032\033
\260\076\170\377\017\002\003\001\000\001\243\146\060\144\060\035
\006\003\125\035\016\004\026\004\024\341\321\201\345\316\132\137
\004\252\322\351\266\235\146\261\305\372\254\054\207\060\037\006
\003\125\035\043\004\030\060\026\200\024\341\321\201\345\316\132
\137\004\252\322\351\266\235\146\261\305\372\254\054\207\060\022
\006\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002
\001\004\060\016\006\003\125\035\017\001\001\377\004\004\003\002
\001\206\060\015\006\011\052\206\110\206\367\015\001\001\013\005
\000\003\202\002\001\000\000\262\030\327\011\042\226\337\356\255
\361\025\063\233\312\316\276\256\264\347\203\130\045\034\316\145
\227\375\025\370\226\072\121\166\001\176\345\360\010\113\213\307
\266\145\344\252\224\202\071\127\226\122\262\125\365\013\331\237
\242\366\333\266\160\270\115\171\161\150\274\014\040\332\227\165
\036\367\105\240\000\222\131\061\364\354\204\336\016\043\307\052
\133\321\070\020\157\160\202\126\304\264\311\316\154\171\146\263
\301\167\010\171\253\303\171\072\052\145\044\130\152\032\373\361
\015\231\305\145\353\313\277\160\304\145\324\226\326\331\263\076
\377\160\076\110\010\066\163\250\217\016\127\241\163\062\261\332
\206\275\345\005\264\112\103\317\130\153\215\003\360\204\360\052
\162\000\322\041\273\325\305\256\075\321\103\161\052\171\027\022
\001\004\050\167\124\115\270\172\137\021\062\324\374\015\240\062
\153\347\377\017\354\307\264\301\335\156\101\076\316\253\246\263
\200\337\273\156\264\372\275\273\241\123\144\347\006\324\352\243
\013\360\173\311\072\240\043\272\333\312\372\061\354\061\027\241
\176\353\042\041\052\310\323\124\202\344\344\376\355\322\147\205
\127\023\151\046\305\331\222\207\164\320\277\046\337\156\165\325
\340\226\302\145\126\252\211\232\332\251\316\350\144\311\321\241
\152\327\104\155\363\265\271\333\172\317\375\252\024\106\043\263
\352\136\247\212\044\034\355\305\024\304\126\077\016\066\315\135
\130\336\154\315\074\032\074\213\341\222\023\267\010\356\104\255
\115\253\125\325\053\363\334\012\244\325\333\004\340\305\051\033
\140\305\104\373\321\212\146\047\216\225\125\252\235\002\023\231
\017\321\024\122\176\030\151\342\332\113\300\043\110\137\341\355
\111\043\072\046\315\163\212\225\016\043\317\372\271\036\204\125
\214\353\243\325\234\375\114\262\037\167\265\317\255\150\207\302
\021\205\114\306\070\174\314\326\305\272\207\073\177\073\357\254
\122\013\055\356\342\176\361\010\122\244\225\040\057\300\316\231
\114\374\234\160\355\273\227\025\341\217\326\245\102\004\101\352
\337\335\135\377\324\100\175\246\165\333\071\060\026\311\176\040
\254\004\374\346\161\133\300\007\153\330\265\247\201\216\321\204
\215\271\314\363\022\156
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Russian Trusted Root CA"
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4096 (0x1000)
# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Tue Mar 01 21:04:15 2022
# Not Valid After : Fri Feb 27 21:04:15 2032
# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\217\371\025\314\253\173\301\157\214\134\200\231\325\076\016\021
\133\072\354\057
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\177\273\037\273\321\051\107\347\050\334\277\244\126\214\144\315
END
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Russian Trusted Sub CA"
#
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4098 (0x1002)
# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Wed Mar 02 11:25:19 2022
# Not Valid After : Sat Mar 06 11:25:19 2027
# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Sub CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\157\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\037\060\035\006\003\125\004\003\014\026\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\123\165\142\040\103
\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\002
END
CKA_VALUE MULTILINE_OCTAL
\060\202\007\102\060\202\005\052\240\003\002\001\002\002\002\020
\002\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101\060\036\027\015\062\062\060\063\060\062\061\061\062\065
\061\071\132\027\015\062\067\060\063\060\066\061\061\062\065\061
\071\132\060\157\061\013\060\011\006\003\125\004\006\023\002\122
\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
\156\163\061\037\060\035\006\003\125\004\003\014\026\122\165\163
\163\151\141\156\040\124\162\165\163\164\145\144\040\123\165\142
\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206\367
\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002
\202\002\001\000\365\203\352\004\243\244\327\323\105\312\152\304
\301\350\163\256\020\104\201\075\232\264\267\263\245\333\201\333
\211\220\354\050\216\153\361\325\244\120\203\105\234\335\306\251
\141\361\332\344\273\215\074\376\324\346\133\071\115\037\366\353
\036\344\041\147\371\242\130\243\237\337\231\151\053\070\362\005
\336\223\074\315\267\270\007\311\274\103\220\333\367\147\050\141
\211\156\305\050\327\373\235\051\053\361\103\005\107\245\133\367
\113\315\016\226\133\212\176\025\217\014\105\320\246\014\205\250
\214\317\243\022\020\114\266\164\165\350\253\147\003\025\035\252
\331\346\357\007\250\167\255\106\340\055\230\355\231\014\144\047
\275\123\211\140\010\345\263\341\342\271\352\273\056\076\316\161
\356\302\102\304\360\125\227\217\371\164\061\333\303\300\150\106
\167\313\253\020\022\336\253\057\116\235\166\224\235\241\063\051
\006\160\252\115\274\126\371\345\214\312\071\010\237\253\175\030
\033\124\127\216\162\007\121\044\034\331\343\330\114\170\033\000
\242\067\324\374\341\004\043\051\052\376\361\375\051\260\152\331
\274\366\302\155\000\060\064\122\143\212\302\342\306\170\345\030
\362\312\153\233\316\230\334\010\207\362\300\311\105\271\016\072
\144\013\035\064\340\263\303\272\243\351\026\302\227\064\252\132
\057\140\346\352\347\064\307\202\150\346\157\240\121\065\116\104
\036\241\071\054\326\235\140\343\330\145\237\242\142\363\317\050
\306\363\120\321\030\120\151\162\217\316\367\174\336\162\302\015
\335\042\366\142\310\351\253\134\335\241\055\065\010\306\061\211
\357\377\367\065\257\143\014\310\333\237\316\146\050\055\236\220
\210\255\307\166\217\126\072\164\305\005\100\014\300\264\161\076
\252\305\337\225\042\374\034\204\276\040\221\005\041\012\033\056
\126\041\036\112\004\335\253\340\067\036\143\226\357\216\055\207
\264\164\135\030\223\035\117\030\330\333\302\253\323\137\176\321
\012\175\366\064\310\345\242\325\266\101\301\204\146\020\312\217
\355\356\255\230\263\247\234\135\114\366\142\264\017\232\022\066
\114\374\330\273\325\123\235\210\343\364\212\006\360\351\253\031
\331\374\135\243\066\165\116\164\222\140\326\057\064\004\360\266
\023\146\147\053\002\003\001\000\001\243\202\001\345\060\202\001
\341\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
\004\003\002\001\206\060\035\006\003\125\035\016\004\026\004\024
\321\341\161\015\013\055\201\116\156\212\112\217\114\043\263\114
\136\253\151\013\060\037\006\003\125\035\043\004\030\060\026\200
\024\341\321\201\345\316\132\137\004\252\322\351\266\235\146\261
\305\372\254\054\207\060\201\307\006\010\053\006\001\005\005\007
\001\001\004\201\272\060\201\267\060\073\006\010\053\006\001\005
\005\007\060\002\206\057\150\164\164\160\072\057\057\162\157\163
\164\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162
\157\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062
\062\056\143\162\164\060\073\006\010\053\006\001\005\005\007\060
\002\206\057\150\164\164\160\072\057\057\143\157\155\160\141\156
\171\056\162\164\056\162\165\057\143\144\160\057\162\157\157\164
\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
\162\164\060\073\006\010\053\006\001\005\005\007\060\002\206\057
\150\164\164\160\072\057\057\162\145\145\163\164\162\055\160\153
\151\056\162\165\057\143\144\160\057\162\157\157\164\143\141\137
\163\163\154\137\162\163\141\062\060\062\062\056\143\162\164\060
\201\260\006\003\125\035\037\004\201\250\060\201\245\060\065\240
\063\240\061\206\057\150\164\164\160\072\057\057\162\157\163\164
\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162\157
\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062\062
\056\143\162\154\060\065\240\063\240\061\206\057\150\164\164\160
\072\057\057\143\157\155\160\141\156\171\056\162\164\056\162\165
\057\143\144\160\057\162\157\157\164\143\141\137\163\163\154\137
\162\163\141\062\060\062\062\056\143\162\154\060\065\240\063\240
\061\206\057\150\164\164\160\072\057\057\162\145\145\163\164\162
\055\160\153\151\056\162\165\057\143\144\160\057\162\157\157\164
\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
\162\154\060\015\006\011\052\206\110\206\367\015\001\001\013\005
\000\003\202\002\001\000\104\025\163\146\133\073\364\007\142\110
\052\132\257\136\135\003\221\353\376\272\323\341\146\353\071\374
\345\244\217\261\254\267\221\076\265\006\351\345\026\041\156\057
\112\350\265\313\035\342\250\142\302\214\367\012\157\341\316\117
\012\021\061\262\072\312\323\377\235\332\167\116\126\056\153\146
\235\275\200\104\205\053\343\263\356\057\015\223\160\136\277\303
\152\166\360\041\147\156\255\231\225\211\004\101\014\127\233\246
\113\347\042\372\356\375\032\126\271\337\371\257\255\270\132\237
\057\241\223\021\266\077\334\233\246\210\364\273\157\005\364\375
\161\374\341\071\247\261\043\377\175\163\136\035\312\053\244\327
\356\220\205\334\012\150\044\123\163\131\235\174\324\046\235\365
\215\105\267\326\205\140\145\053\170\170\030\141\075\044\255\367
\032\117\031\113\300\314\256\107\100\207\114\133\313\214\100\103
\371\222\130\007\326\254\031\237\316\123\252\033\052\001\325\116
\073\131\063\236\250\326\326\222\112\000\077\154\254\367\217\254
\046\016\015\116\110\203\126\325\321\027\251\353\351\366\042\321
\264\216\274\341\140\320\204\053\061\163\266\143\310\062\203\320
\021\164\362\160\052\333\326\137\305\117\000\060\230\062\045\207
\207\211\374\155\232\044\042\262\046\124\242\303\100\241\330\342
\060\254\064\075\207\035\322\137\236\267\113\331\202\160\326\241
\154\220\323\270\161\043\146\147\047\160\321\151\040\216\377\144
\027\342\261\252\260\312\224\037\014\146\355\207\162\132\141\352
\377\302\147\107\320\365\213\204\363\371\154\035\235\020\163\141
\362\211\043\047\276\070\012\345\360\334\335\060\370\175\257\005
\023\310\014\066\352\314\372\105\174\075\077\013\064\203\076\341
\233\076\054\241\025\362\172\221\130\026\261\220\205\111\031\351
\044\124\243\274\304\060\116\033\366\215\353\140\031\050\163\236
\031\314\210\166\356\362\064\303\021\212\021\225\144\046\053\362
\266\042\046\202\242\073\060\352\072\103\344\054\343\335\206\325
\145\202\170\150\303\061\303\304\301\315\017\361\066\130\016\151
\144\173\215\063\371\264\115\173\166\301\064\317\057\262\107\331
\200\264\200\374\377\006\373\322\316\071\054\203\065\071\254\266
\321\311\102\220\222\005
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Russian Trusted Sub CA"
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4098 (0x1002)
# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Wed Mar 02 11:25:19 2022
# Not Valid After : Sat Mar 06 11:25:19 2027
# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Sub CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\063\135\103\365\064\121\267\201\123\137\363\210\055\367\023\323
\301\117\212\001
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\304\023\047\226\170\334\005\047\062\041\103\376\100\312\364\332
END
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
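Review bot: The trust object for "Russian Trusted Sub CA" at the end of this hunk turns an intermediate into a trust anchor of its own (`CKT_NSS_TRUSTED_DELEGATOR` for server auth, e-mail protection and code signing), although it already chains to the root added just above it. Anchored separately, it stays trusted even if the root entry is later removed or distrusted, so consider dropping the Sub CA trust entry or setting its three trust attributes to `CKT_NSS_MUST_VERIFY_TRUST`. Both certificate objects also set `CKA_NSS_MOZILLA_CA_POLICY CK_TRUE`, which marks a certificate as covered by Mozilla's CA policy; for a CA added by this distribution `CK_FALSE` is the accurate value. The e-mail and code-signing delegations on the root need a stated reason or should be narrowed to server auth only.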

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBVDCB+6ADAgECAgwB3q3A3gCMGXg8etYwCgYIKoZIzj0EAw
IwHDEaMBgGA1UEAwwRVENJIEVDRFNBIFJPT1QgQTEwHhcNMjIw
MzMwMDkzMzE4WhcNMzIwMzMwMDkzMzE4WjAcMRowGAYDVQQDDB
FUQ0kgRUNEU0EgUk9PVCBBMTBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABJni7LJT4Gj86pG0s9wOefWgqgp/EGf4ZcSxNgAJfh
cl6WYNoWaZfflki4Rd0VzAJgbaTSW26zuv2mGM61txD96jIzAh
MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCC
qGSM49BAMCA0gAMEUCIDKjKPoaZrqtljmuy60G1PYINvR3A1eL
OzT4RfhGBTrBAiEAhJL7IeLDbo2eZAIp4zioaIpo1hVyXkABNb
npOTQ9KPs=
-----END CERTIFICATE-----

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBXTCCAQigAwIBAgIMAt6twN4AjBl4PHrWMAwGCCqFAwcBAQ
MCBQAwGzEZMBcGA1UEAwwQVENJIEdPU1QgUk9PVCBBMTAeFw0y
MjAzMzAwOTMzMThaFw0zMjAzMzAwOTMzMThaMBsxGTAXBgNVBA
MMEFRDSSBHT1NUIFJPT1QgQTEwZjAfBggqhQMHAQEBATATBgcq
hQMCAiMBBggqhQMHAQECAgNDAARASiE+O1G5yX8JjIS0RmQ2Im
2FKd0RhbOtdjaoAivB3ywbHLGb6deQBRd/MwLP2IrfIZcVb4QP
5PSYolD/Iu+ExaMjMCEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEw
EB/wQFMAMBAf8wDAYIKoUDBwEBAwIFAANBAOi6Dn7pxa/SSbV6
PsfROEKzsBnX6GGggo9wOELuZKfDYdy88/92yr2Aali+fEje63
XqhHoZExE0CNLoncM3ARc=
-----END CERTIFICATE-----

@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ -0,0 +1 @@
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

@ -8,6 +8,7 @@ set -eu
# files in $DEST. # files in $DEST.
DEST=/etc/pki/ca-trust/extracted DEST=/etc/pki/ca-trust/extracted
DEST_CERTS=/etc/pki/tls/certs
# Prevent p11-kit from reading user configuration files. # Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1 export P11_KIT_NO_USER_CONFIG=1
@ -28,7 +29,8 @@ usage() {
EXTRACT OPTIONS EXTRACT OPTIONS
-o DIR, --output=DIR: Write the extracted trust store into the given -o DIR, --output=DIR: Write the extracted trust store into the given
directory instead of updating $DEST. directory instead of updating $DEST. (Note: This option will not
populate the ../pki/tls/certs with the directory-hash symbolic links.)
EOF EOF
} }
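Review bot: The added note in the `--output` help text refers to "../pki/tls/certs", a relative path with no stated base, so a reader cannot tell which directory is meant. Use the absolute path the script assigns to `DEST_CERTS` (/etc/pki/tls/certs), and make the same change to the identical sentence in the man page hunk.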
@ -73,9 +75,15 @@ extract() {
"$DEST"/edk2 "$DEST"/edk2
fi fi
# Delete all directory hash symlinks from the cert directory
if [ -z "$USER_DEST" ]; then
find "$DEST_CERTS" -type l -regextype posix-extended \
-regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
fi
# OpenSSL PEM bundle that includes trust flags # OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE) # (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
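Review bot: The new `find "$DEST_CERTS" -type l ... -exec rm -f {} \;` step removes every symlink in /etc/pki/tls/certs whose name looks like a hash link, including links an administrator created there for locally managed certificates. Limit the deletion to links that resolve into "$DEST/pem/directory-hash" (for example by checking `readlink -f` before removing) and add `-maxdepth 1` so subdirectories are not touched. Because the script runs under `set -eu`, a missing "$DEST_CERTS" directory makes `find` fail and aborts the extraction before any bundle is written, so guard the block with a `[ -d "$DEST_CERTS" ]` test.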
@ -85,25 +93,16 @@ extract() {
# by GnuTLS) # by GnuTLS)
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash" /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
# p11-kit extract will have made this directory unwritable; when run with
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
# not be the case. See rhbz#2241240.
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u+w "$DEST/pem/directory-hash"
fi
# Debian compatibility: their /etc/ssl/certs has this bundle
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
# Remove write permissions again if [ -z "$USER_DEST" ]; then
if [ -n "$USER_DEST" ]; then find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
/usr/bin/chmod u-w "$DEST/pem/directory-hash" -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
fi target=$(readlink -f "$link")
new_link="$DEST_CERTS/$(basename "$link")"
ln -s "$target" "$new_link"
done
fi
} }
if [ $# -lt 1 ]; then if [ $# -lt 1 ]; then
set -- extract set -- extract
fi fi
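Review bot: In the new loop, `ln -s "$target" "$new_link"` fails when a file of that name already exists in "$DEST_CERTS" (the earlier cleanup only removes symlinks, not regular files), and under `set -eu` a failing `ln` can stop the run with only part of the links created. Use `ln -sf`, and read the names with `while IFS= read -r link` so backslashes and leading whitespace in paths survive. The removed block also carried the ca-certificates.crt and ca-bundle.crt compatibility links; if they are intentionally gone, README.etcssl added in this compare needs to stop advertising them.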
@ -117,21 +116,8 @@ case "$1" in
usage usage
exit 0 exit 0
;; ;;
"-o"|"--output")
echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
;;
"enable")
echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
*) *)
echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage." echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage."
echo >&2 exit 1
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;; ;;
esac esac
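Review bot: The `*)` branch now exits 1 for an unknown command, and the explicit `"enable"` and `"-o"|"--output"` branches are removed, so an existing script that calls `update-ca-trust enable` changes from a warning followed by extraction to a hard failure with no trust store update. If that break is intended, document it in the man page and changelog; otherwise keep the `"enable"` branch. Keeping the `-o` branch is also worthwhile, since its message tells the user to put `extract` first, which the generic "unknown command" error does not.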

@ -230,7 +230,8 @@ EXTRACT OPTIONS
^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^
*-o DIR*, *--output=DIR*:: *-o DIR*, *--output=DIR*::
Write the extracted trust store into the given directory instead of Write the extracted trust store into the given directory instead of
updating /etc/pki/ca-trust/extracted. updating /etc/pki/ca-trust/extracted. (Note: This option will not
populate the ../pki/tls/certs with the directory-hash symbolic links.)
FILES FILES
----- -----
@ -257,6 +258,9 @@ FILES
which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details. See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
/etc/pki/tls/certs::
Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command.
AUTHOR AUTHOR
------ ------
Written by Kai Engert and Stef Walter. Written by Kai Engert and Stef Walter.
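Review bot: The new /etc/pki/tls/certs entry under FILES does not say that the hash-named links there are deleted and recreated on every `update-ca-trust extract`, which is what the script's `find ... -exec rm -f` step does. State that explicitly so administrators do not place their own hash links in that directory. Wording nit: "generated by the update-ca-trust command".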

@ -1,7 +1,6 @@
%define pkidir %{_sysconfdir}/pki %define pkidir %{_sysconfdir}/pki
%define catrustdir %{_sysconfdir}/pki/ca-trust %define catrustdir %{_sysconfdir}/pki/ca-trust
%define classic_tls_bundle ca-bundle.crt %define classic_tls_bundle ca-bundle.crt
%define openssl_format_trust_bundle ca-bundle.trust.crt
%define p11_format_bundle ca-bundle.trust.p11-kit %define p11_format_bundle ca-bundle.trust.p11-kit
%define legacy_default_bundle ca-bundle.legacy.default.crt %define legacy_default_bundle ca-bundle.legacy.default.crt
%define legacy_disable_bundle ca-bundle.legacy.disable.crt %define legacy_disable_bundle ca-bundle.legacy.disable.crt
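Review bot: Removing `%define openssl_format_trust_bundle ca-bundle.trust.crt` here, together with the `touch`/`chmod 444` placeholder for that file dropped further down, conflicts with the update-ca-trust hunk in this compare that adds `trust extract --format=openssl-bundle ... "$DEST/openssl/ca-bundle.trust.crt"`. The script would then write a file the package no longer creates at build time; either keep the define and the placeholder so the file stays owned by the package, or drop the new extract line.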
@ -36,9 +35,9 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.) # because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.303 Version: 2024.2.69_v8.0.303
# for y-stream, please always use 91 <= release < 100 (91,92,93) # for Rawhide, please always use release >= 2
# for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...) # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 91.4%{?dist} Release: 101.3%{?dist}.inferit
License: MIT AND GPL-2.0-or-later License: MIT AND GPL-2.0-or-later
URL: https://fedoraproject.org/wiki/CA-Certificates URL: https://fedoraproject.org/wiki/CA-Certificates
@ -61,10 +60,20 @@ Source15: README.openssl
Source16: README.pem Source16: README.pem
Source17: README.edk2 Source17: README.edk2
Source18: README.src Source18: README.src
Source19: README.etcssl
# Russian Ministry of Digital Development and Communications
Source90: rootca_ssl_rsa2022.cer
Source91: rootca_ssl_rsa2022.cer.detached.sig
# TCI ECSDA ROOT A1
Source92: ecdsa-a1.crt
# TCI GOST ROOT A1
Source93: gost-a1.crt
BuildArch: noarch BuildArch: noarch
Requires(post): bash Requires(post): bash
Requires(post): findutils
Requires(post): grep Requires(post): grep
Requires(post): sed Requires(post): sed
Requires(post): coreutils Requires(post): coreutils
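Review bot: Source92 (ecdsa-a1.crt) and Source93 (gost-a1.crt) are added without any detached signature, while Source90 comes with `Source91: rootca_ssl_rsa2022.cer.detached.sig`. Trust anchors should carry verifiable provenance: add signatures for both files, or record in the comments where each file was obtained and its SHA-256 fingerprint so a reviewer can compare it with the issuer's published value. The comment "# TCI ECSDA ROOT A1" also misspells ECDSA.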
@ -206,6 +215,7 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/REA
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README
install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle} install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
@ -233,32 +243,11 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
ln -s /etc/pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
# Populate %%{catrustdir}/extracted/pem/directory-hash. # Populate %%{catrustdir}/extracted/pem/directory-hash.
# #
# First direct p11-kit-trust.so to the generated bundle (not the one # First direct p11-kit-trust.so to the generated bundle (not the one
@ -288,16 +277,46 @@ trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source' x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF EOF
# Extract the trust anchors to the directory-hash format.
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \ trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \ --purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Create a temporary file with the list of (%ghost )files in the directory-hash.
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# Clean up the temporary module config. # Clean up the temporary module config.
rm -f "$trust_module_config" rm -f "$trust_module_config"
# Russian Ministry of Digital Development and Communications
install -m 644 %{SOURCE90} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
# TCI ECDSA and GOST root certificates
install -m 644 %{SOURCE92} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
install -m 644 %{SOURCE93} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
-regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
-exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
-regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# /etc/ssl is provided in a Debian compatible form for (bad) code that
# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
ln -s %{pkidir}/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames
ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
%clean %clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash /usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
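Review bot: `install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/` places the detached signature file in the trust anchors directory, and nothing in the visible lines checks that signature against Source90. A signature is not a certificate and should not sit in a directory the trust tooling scans; verify it at build time with the matching public key and do not install it. Separately, the four files are installed after `trust extract` has already run with the module config limited to `%{_datadir}/pki/ca-trust-source`, so the directory-hash links and the %ghost list written to .files.txt are generated without them. Unless the same certificates are also present in the bundle, their hash links will appear only when update-ca-trust runs on the installed system and will not be owned by the package.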
@ -305,6 +324,10 @@ rm -rf $RPM_BUILD_ROOT
%pre %pre
if [ $1 -gt 1 ] ; then if [ $1 -gt 1 ] ; then
# Remove the old symlinks
rm -f %{pkidir}/tls/cert.pem
rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
# Upgrade or Downgrade. # Upgrade or Downgrade.
# If the classic filename is a regular file, then we are upgrading # If the classic filename is a regular file, then we are upgrading
# from an old package and we will move it to an .rpmsave backup file. # from an old package and we will move it to an .rpmsave backup file.
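Review bot: The two `rm -f` calls added at the top of the upgrade branch delete `%{pkidir}/tls/cert.pem` and `%{pkidir}/tls/certs/ca-bundle.trust.crt` whatever they are, although the comment says they remove old symlinks. The existing logic just below moves a regular file at the classic filename to an .rpmsave backup, and the equivalent .rpmsave handling for `%{openssl_format_trust_bundle}` is dropped later in this scriptlet, so a regular file an administrator placed at either path would now be removed with no backup. Guard each removal with `test -L` so that only symlinks are deleted.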
@ -336,17 +359,6 @@ if [ $1 -gt 1 ] ; then
fi fi
fi fi
fi fi
if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
# no backup yet
if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
# a file exists
if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
# it's an old regular file, not a link
mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
fi
fi
fi
fi fi
@ -396,6 +408,11 @@ fi
%dir %{_datadir}/pki/ca-trust-legacy %dir %{_datadir}/pki/ca-trust-legacy
%dir %{catrustdir}/extracted/pem/directory-hash %dir %{catrustdir}/extracted/pem/directory-hash
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer.detached.sig
%{catrustdir}/source/anchors/ecdsa-a1.crt
%{catrustdir}/source/anchors/gost-a1.crt
%config(noreplace) %{catrustdir}/ca-legacy.conf %config(noreplace) %{catrustdir}/ca-legacy.conf
%{_mandir}/man8/update-ca-trust.8.gz %{_mandir}/man8/update-ca-trust.8.gz
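Review bot: The four new entries under `%{catrustdir}/source/anchors/` are listed as plain package-owned files, not as %config, in what appears to be the administrator-editable tree (the `%config(noreplace) %{catrustdir}/ca-legacy.conf` entry next to them suggests so). An administrator who deletes one of them to stop trusting it will have it restored by the next package update. The spec already installs the package's own trust source under `%{_datadir}/pki/ca-trust-source`; shipping distribution-added anchors there keeps vendor trust and local trust decisions separate. The `rootca_ssl_rsa2022.cer.detached.sig` entry should be dropped from %files along with its install line.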
@ -410,12 +427,12 @@ fi
%{catrustdir}/source/README %{catrustdir}/source/README
# symlinks for old locations # symlinks for old locations
%{pkidir}/tls/cert.pem
%{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle} %{pkidir}/%{java_bundle}
# symlinks to cross-distro compatibility files and directory # Hybrid hash directory with bundle file for Debian compatibility
# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
%{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/README
%{_sysconfdir}/ssl/cert.pem %{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf %{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf %{_sysconfdir}/ssl/ct_log_list.cnf
@ -433,63 +450,56 @@ fi
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin %ghost %{catrustdir}/extracted/edk2/cacerts.bin
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
%changelog %changelog
*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4 * Tue Dec 17 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-101.3.inferit
- Added Russian Trusted Root and Sub CA
- Added TCI ECDSA and GOST root certificates
* Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2024.2.69_v8.0.303-101.3
- Rebuilt for MSVSphere 10
*Fri Sep 27 2024 Michel Lind <salimma@centosproject.org> - 2024.2.69_v8.0.303-101.3
- Add missing Requires(post) on findutils for update-ca-trust
- Resolves: RHEL-60723
*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.2
- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
- update-ca-trust: return warnings on a unsupported argument instead of error - update-ca-trust: return warnings on a unsupported argument instead of error
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3 *Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
- Temporarily generate the directory-hash files in %%install ...(next item) - Temporarily generate the directory-hash files in %%install ...(next item)
- Add list of ghost files from directory-hash to %%files - Add list of ghost files from directory-hash to %%files
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2 *Mon Aug 19 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
- Remove write permissions from directory-hash - remove base-ci.* tests from gating.yaml
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
- Reduce dependency on p11-kit to only the trust subpackage
- Own the Directory-hash directory
*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0 *Thu Jul 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
- Fix release number - Remove blacklist use blocklist-only.
- add gating.yaml
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91 *Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER - GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91 Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-101
- Update to CKBI 2.68_v8.0.302 from NSS 3.101 - Update to CKBI 2.68_v8.0.302 from NSS 3.101
- Removing: - Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
- # Certificate "Security Communication Root CA" - # Certificate "Security Communication Root CA"
- # Certificate "Camerfirma Chambers of Commerce Root"
- # Certificate "Hongkong Post Root CA 1"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" - # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G6" - # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G6" - # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
- # Certificate "TrustCor RootCert CA-1" - # Certificate "TrustCor RootCert CA-1"
- # Certificate "TrustCor RootCert CA-2" - # Certificate "TrustCor RootCert CA-2"
- # Certificate "TrustCor ECA-1" - # Certificate "TrustCor ECA-1"
- # Certificate "FNMT-RCM"
- Adding: - Adding:
- # Certificate "LAWtrust Root CA2 (4096)"
- # Certificate "Sectigo Public Email Protection Root E46"
- # Certificate "Sectigo Public Email Protection Root R46"
- # Certificate "Sectigo Public Server Authentication Root E46"
- # Certificate "Sectigo Public Server Authentication Root R46"
- # Certificate "SSL.com TLS RSA Root CA 2022"
- # Certificate "SSL.com TLS ECC Root CA 2022"
- # Certificate "SSL.com Client ECC Root CA 2022"
- # Certificate "SSL.com Client RSA Root CA 2022"
- # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
- # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
- # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
- # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
- # Certificate "TrustAsia Global Root CA G3" - # Certificate "TrustAsia Global Root CA G3"
- # Certificate "TrustAsia Global Root CA G4" - # Certificate "TrustAsia Global Root CA G4"
- # Certificate "CommScope Public Trust ECC Root-01" - # Certificate "CommScope Public Trust ECC Root-01"
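Review bot: The new top changelog entry says "Added Russian Trusted Root and Sub CA", but the Source, install and %files lines in this diff add only rootca_ssl_rsa2022.cer and its detached signature for that CA. State where the Sub CA comes from or correct the entry, and list each added certificate by subject name the way the "Adding:" blocks of the older entries do, so the change to the trust store can be audited from the changelog. Also, as rendered here the "Wed Jul 03 2024" header on the new side has no leading `*`, which would fold that entry into the one above it.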
@ -504,31 +514,56 @@ fi
- # Certificate "Telekom Security TLS RSA Root 2023" - # Certificate "Telekom Security TLS RSA Root 2023"
- # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB" - # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
- # Certificate "SECOM Trust.net" - # Certificate "SECOM Trust.net"
- # Certificate "Chambers of Commerce Root"
- # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3" - # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
- # Certificate "SSL.com Code Signing RSA Root CA 2022" - # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022" - # Certificate "SSL.com Code Signing ECC Root CA 2022"
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2023.2.62_v7.0.401-7
- Bump release for June 2024 mass rebuild
* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-4
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix - update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0 * Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2023.2.62_v7.0.401-3
- Skip %post if getopt is missing (recent change made update-ca-trust use it) - Skip %post if getopt is missing (recent change made update-ca-trust use it)
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0 *Wed Oct 04 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-2
- Update to CKBI 2.62_v7.0.401 from NSS 3.93
Removing:
# Certificate "Camerfirma Chambers of Commerce Root"
# Certificate "Hongkong Post Root CA 1"
# Certificate "FNMT-RCM"
Adding:
# Certificate "LAWtrust Root CA2 (4096)"
# Certificate "Sectigo Public Email Protection Root E46"
# Certificate "Sectigo Public Email Protection Root R46"
# Certificate "Sectigo Public Server Authentication Root E46"
# Certificate "Sectigo Public Server Authentication Root R46"
# Certificate "SSL.com TLS RSA Root CA 2022"
# Certificate "SSL.com TLS ECC Root CA 2022"
# Certificate "SSL.com Client ECC Root CA 2022"
# Certificate "SSL.com Client RSA Root CA 2022"
# Certificate "Atos TrustedRoot Root CA ECC G2 2020"
# Certificate "Atos TrustedRoot Root CA RSA G2 2020"
# Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
# Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
# Certificate "Chambers of Commerce Root"
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2023.2.60_v7.0.306-4
- update-ca-trust: Support --output and non-root operation (rhbz#2241240) - update-ca-trust: Support --output and non-root operation (rhbz#2241240)
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0 *Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-3
- update License: field to SPDX - update License: field to SPDX
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1 *Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-2
- Bump release number to make CI happy
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Removing: - Removing:
- # Certificate "Camerfirma Global Chambersign Root"
- # Certificate "Staat der Nederlanden EV Root CA"
- # Certificate "OpenTrust Root CA G1" - # Certificate "OpenTrust Root CA G1"
- # Certificate "Swedish Government Root Authority v1" - # Certificate "Swedish Government Root Authority v1"
- # Certificate "DigiNotar Root CA G2" - # Certificate "DigiNotar Root CA G2"
@ -563,16 +598,6 @@ fi
- # Certificate "Entrust.net Secure Server Certification Authority" - # Certificate "Entrust.net Secure Server Certification Authority"
- # Certificate "ePKI EV SSL Certification Authority - G1" - # Certificate "ePKI EV SSL Certification Authority - G1"
- Adding: - Adding:
- # Certificate "DigiCert TLS ECC P384 Root G5"
- # Certificate "DigiCert TLS RSA4096 Root G5"
- # Certificate "DigiCert SMIME ECC P384 Root G5"
- # Certificate "DigiCert SMIME RSA4096 Root G5"
- # Certificate "Certainly Root R1"
- # Certificate "Certainly Root E1"
- # Certificate "E-Tugra Global Root CA RSA v3"
- # Certificate "E-Tugra Global Root CA ECC v3"
- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
- # Certificate "BJCA Global Root CA1" - # Certificate "BJCA Global Root CA1"
- # Certificate "BJCA Global Root CA2" - # Certificate "BJCA Global Root CA2"
- # Certificate "Symantec Enterprise Mobile Root for Microsoft" - # Certificate "Symantec Enterprise Mobile Root for Microsoft"
@ -589,7 +614,6 @@ fi
- # Certificate "ComSign CA" - # Certificate "ComSign CA"
- # Certificate "ComSign Secured CA" - # Certificate "ComSign Secured CA"
- # Certificate "ComSign Advanced Security CA" - # Certificate "ComSign Advanced Security CA"
- # Certificate "Global Chambersign Root"
- # Certificate "Sonera Class2 CA" - # Certificate "Sonera Class2 CA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" - # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
- # Certificate "VeriSign, Inc." - # Certificate "VeriSign, Inc."
@ -604,7 +628,31 @@ fi
- # Certificate "GlobalSign Code Signing Root R45" - # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1" - # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2 *Tue Jul 25 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60-3
- Fedora mass rebuild
*Fri Jan 20 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2023.2.60-2
- Update to CKBI 2.60 from NSS 3.86
- Removing:
- # Certificate "Camerfirma Global Chambersign Root"
- # Certificate "Staat der Nederlanden EV Root CA"
- Adding:
- # Certificate "DigiCert TLS ECC P384 Root G5"
- # Certificate "DigiCert TLS RSA4096 Root G5"
- # Certificate "DigiCert SMIME ECC P384 Root G5"
- # Certificate "DigiCert SMIME RSA4096 Root G5"
- # Certificate "Certainly Root R1"
- # Certificate "Certainly Root E1"
- # Certificate "E-Tugra Global Root CA RSA v3"
- # Certificate "E-Tugra Global Root CA ECC v3"
- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
- # Certificate "Global Chambersign Root"
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-5
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing: - Removing:
- # Certificate "TrustCor ECA-1" - # Certificate "TrustCor ECA-1"
@ -625,21 +673,19 @@ fi
- # Certificate "Government Root Certification Authority" - # Certificate "Government Root Certification Authority"
- # Certificate "AC Raíz Certicámara S.A." - # Certificate "AC Raíz Certicámara S.A."
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1 *Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-4
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0 * Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-2
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing: - Removing:
- # Certificate "GlobalSign Root CA - R2" - # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3" - # Certificate "DST Root CA X3"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" - # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding: - Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" - # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA" - # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA" - # Certificate "vTrus Root CA"
@ -862,31 +908,111 @@ fi
- # Certificate "HARICA Code Signing ECC Root CA 2021" - # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020" - # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94 * Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.52-3
- remove blacklist directory and references now that p11-kit has been updated. - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93 *Mon Dec 13 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.52-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Update to CKBI 2.52 from NSS 3.72
Related: rhbz#1991688 - Adding:
- # Certificate "TunTrust Root CA"
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92 - # Certificate "HARICA TLS RSA Root CA 2021"
- Rebuilt for RHEL 9 BETA for openssl 3.0 - # Certificate "HARICA TLS ECC Root CA 2021"
Related: rhbz#1971065 - # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
- Update to CKBI 2.50 from NSS 3.67 *Mon Dec 6 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-5
- Removing: - integrate Adam William's /etc/ssl/certs with Debian-compatibility
- # Certificate "QuoVadis Root CA" - back out blocklist change since p11-kit .24 is not yet available on rawhide
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Trustis FPS Root CA" *Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-4
- Adding: - remove blacklist directory now that pk11-kit is using blocklist
- # Certificate "GLOBALTRUST 2020"
- # Certificate "ANF Secure Server Root CA" * Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.50-3
- # Certificate "Certum EC-384 CA" - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
- # Certificate "Certum Trusted Root CA"
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-2
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8 - Update to CKBI 2.50 from NSS 3.67
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Removing:
- # Certificate "Trustis FPS Root CA"
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "GlobalSign Code Signing Root E45"
- # Certificate "Halcom Root Certificate Authority"
- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
- # Certificate "GLOBALTRUST"
- # Certificate "MULTICERT Root Certification Authority 01"
- # Certificate "Verizon Global Root CA"
- # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
- # Certificate "CAEDICOM Root"
- # Certificate "COMODO Certification Authority"
- # Certificate "Security Communication ECC RootCA1"
- # Certificate "Security Communication RootCA3"
- # Certificate "AC RAIZ DNIE"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- # Certificate "VeriSign Universal Root Certification Authority"
- # Certificate "GeoTrust Global CA"
- # Certificate "GeoTrust Primary Certification Authority"
- # Certificate "thawte Primary Root CA"
- # Certificate "thawte Primary Root CA - G2"
- # Certificate "thawte Primary Root CA - G3"
- # Certificate "GeoTrust Primary Certification Authority - G3"
- # Certificate "GeoTrust Primary Certification Authority - G2"
- # Certificate "GeoTrust Universal CA"
- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
- # Certificate "GLOBALTRUST 2015"
- # Certificate "emSign Root CA - G2"
- # Certificate "emSign Root CA - C2"
- Adding:
- # Certificate "GLOBALTRUST 2020"
- # Certificate "ANF Secure Server Root CA"
*Tue May 25 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-2
- Update to CKBI 2.48 from NSS 3.64
- Removing:
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
- # Certificate "GeoTrust Universal CA 2"
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Taiwan GRCA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Certificate "EE Certification Centre Root CA"
- # Certificate "LuxTrust Global Root 2"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
- Adding:
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
- # Certificate "e-Szigno Root CA 2017"
- # Certificate "certSIGN Root CA G2"
- # Certificate "Trustwave Global Certification Authority"
- # Certificate "Trustwave Global ECC P256 Certification Authority"
- # Certificate "Trustwave Global ECC P384 Certification Authority"
- # Certificate "NAVER Global Root Certification Authority"
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- # Certificate "GlobalSign Secure Mail Root R45"
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "GlobalSign Code Signing Root E45"
- # Certificate "Halcom Root Certificate Authority"
- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
- # Certificate "GLOBALTRUST"
- # Certificate "MULTICERT Root Certification Authority 01"
- # Certificate "Verizon Global Root CA"
- # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
- # Certificate "CAEDICOM Root"
- # Certificate "COMODO Certification Authority"
- # Certificate "Security Communication ECC RootCA1"
- # Certificate "Security Communication RootCA3"
- # Certificate "AC RAIZ DNIE"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
- # Certificate "GLOBALTRUST 2015"
- # Certificate "emSign Root CA - G2"
- # Certificate "emSign Root CA - C2"
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
