4 changed files with 277 additions and 165 deletions
--- a/SOURCES/README.etcssl
+++ b/SOURCES/README.etcssl
@ -0,0 +1,20 @@
+This directory (/etc/ssl) is provided as a courtesy attempt to provide
+compatibility with software which assumes its existence. It is not a
+supported or canonical location. Software which assumes and relies on
+the existence and layout of this directory is making a wrong assumption
+(this directory is not any kind of 'standard', it is a configuration
+detail of Debian and its derivatives) and should be improved. No
+software packaged in this distribution should use this directory.
+
+An attempt is made to make the layout of /etc/ssl/certs match that
+provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
+of individual certificate files, and also contains a certificate bundle
+file named ca-certificates.crt, as Debian does. It also contains a
+bundle named ca-bundle.crt, as this distribution has long provided
+such a file, and it is possible some software has come to expect its
+existence.
+
+/etc/ssl/certs itself and the bundle files are in fact symlinks to
+some of the output of the 'update-ca-trust' script which forms a part
+of a system of consolidated CA certificates. Please refer to the
+update-ca-trust(8) manual page for additional information.
--- a/SOURCES/update-ca-trust
+++ b/SOURCES/update-ca-trust
@ -8,6 +8,7 @@ set -eu
 # files in $DEST.

 DEST=/etc/pki/ca-trust/extracted
+DEST_CERTS=/etc/pki/tls/certs

 # Prevent p11-kit from reading user configuration files.
 export P11_KIT_NO_USER_CONFIG=1
@ -28,7 +29,8 @@ usage() {

 		EXTRACT OPTIONS
 		-o DIR, --output=DIR: Write the extracted trust store into the given
-		directory instead of updating $DEST.
+		directory instead of updating $DEST. (Note: This option will not
+		populate the ../pki/tls/certs with the directory-hash symbolic links.)
 	EOF
 }

@ -73,9 +75,15 @@ extract() {
 		    "$DEST"/edk2
 	fi

+
+	# Delete all directory hash symlinks from the cert directory
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST_CERTS" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
+	fi
+
 	# OpenSSL PEM bundle that includes trust flags
 	# (BEGIN TRUSTED CERTIFICATE)
-	/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
 	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
@ -85,25 +93,16 @@ extract() {
 	# by GnuTLS)
 	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"

-	# p11-kit extract will have made this directory unwritable; when run with
-	# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
-	# not be the case. See rhbz#2241240.
-	if [ -n "$USER_DEST" ]; then
-	    /usr/bin/chmod u+w "$DEST/pem/directory-hash"
-        fi
-
-	# Debian compatibility: their /etc/ssl/certs has this bundle
-	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
-	# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
-	# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
-	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"

-	# Remove write permissions again
-	if [ -n "$USER_DEST" ]; then
-	    /usr/bin/chmod u-w "$DEST/pem/directory-hash"
-        fi
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
+			target=$(readlink -f "$link")
+			new_link="$DEST_CERTS/$(basename "$link")"
+			ln -s "$target" "$new_link"
+		done
+	fi
 }
-
 if [ $# -lt 1 ]; then
    set -- extract
 fi
@ -117,21 +116,8 @@ case "$1" in
 		usage
 		exit 0
 	;;
-	"-o"|"--output")
-		echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
-		echo >&2
-		exit 1
-	;;
-	"enable")
-		echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
-		echo >&2
-		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
-		extract
-	;;
 	*)
-		echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
-		echo >&2
-		echo >&2 "Proceeding with extraction anyway for backwards compatibility."
-		extract
+		echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage."
+		exit 1
 	;;
 esac
--- a/SOURCES/update-ca-trust.8.txt
+++ b/SOURCES/update-ca-trust.8.txt
@ -230,7 +230,8 @@ EXTRACT OPTIONS
 ^^^^^^^^^^^^^^^
 *-o DIR*, *--output=DIR*::
 	Write the extracted trust store into the given directory instead of
-	updating /etc/pki/ca-trust/extracted.
+	updating /etc/pki/ca-trust/extracted. (Note: This option will not
+	populate the ../pki/tls/certs with the directory-hash symbolic links.)

 FILES
 -----
@ -257,6 +258,9 @@ FILES
 	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.

+/etc/pki/tls/certs::
+	Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command.
+
 AUTHOR
 ------
 Written by Kai Engert and Stef Walter.
--- a/SPECS/ca-certificates.spec
+++ b/SPECS/ca-certificates.spec
@ -1,7 +1,6 @@
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
 %define classic_tls_bundle ca-bundle.crt
-%define openssl_format_trust_bundle ca-bundle.trust.crt
 %define p11_format_bundle ca-bundle.trust.p11-kit
 %define legacy_default_bundle ca-bundle.legacy.default.crt
 %define legacy_disable_bundle ca-bundle.legacy.disable.crt
@ -36,9 +35,9 @@ Name: ca-certificates
 # because all future versions will start with 2013 or larger.)

 Version: 2024.2.69_v8.0.303
-# for y-stream, please always use 91 <= release  < 100 (91,92,93)
-# for z-stream release branches, please use 90 <= release  < 91 (90.0, 90.1, ...)
-Release: 91.4%{?dist}
+# for Rawhide, please always use release >= 2
+# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
+Release: 101.3%{?dist}
 License: MIT AND GPL-2.0-or-later

 URL: https://fedoraproject.org/wiki/CA-Certificates
@ -61,10 +60,12 @@ Source15: README.openssl
 Source16: README.pem
 Source17: README.edk2
 Source18: README.src
+Source19: README.etcssl

 BuildArch: noarch

 Requires(post): bash
+Requires(post): findutils
 Requires(post): grep
 Requires(post): sed
 Requires(post): coreutils
@ -206,6 +207,7 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/REA
 install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
 install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
 install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
+install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README

 install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}

@ -233,32 +235,11 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
-chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin

-# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
-ln -s /etc/pki/tls/certs \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
-ln -s /etc/pki/tls/openssl.cnf \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
-ln -s /etc/pki/tls/ct_log_list.cnf \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
-# legacy filenames
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
-ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
-ln -s %{catrustdir}/extracted/%{java_bundle} \
-    $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
-
 # Populate %%{catrustdir}/extracted/pem/directory-hash.
 #
 # First direct p11-kit-trust.so to the generated bundle (not the one
@ -288,16 +269,39 @@ trust-policy: yes
 x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
 EOF

+# Extract the trust anchors to the directory-hash format.
 trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
-      --purpose server-auth \
-      $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+              --purpose server-auth \
+              $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash

-# Create a temporary file with the list of (%ghost )files in the directory-hash.
-find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
-sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
 # Clean up the temporary module config.
 rm -f "$trust_module_config"

+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
+     -regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
+     -exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
+# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
+find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
+     -regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
+
+sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
+
+# /etc/ssl is provided in a Debian compatible form for (bad) code that
+# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
+ln -s %{pkidir}/tls/certs \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
+ln -s /etc/pki/tls/openssl.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
+ln -s /etc/pki/tls/ct_log_list.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
+# legacy filenames
+ln -s %{catrustdir}/extracted/%{java_bundle} \
+    $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}

 %clean
 /usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
@ -305,6 +309,10 @@ rm -rf $RPM_BUILD_ROOT

 %pre
 if [ $1 -gt 1 ] ; then
+  # Remove the old symlinks
+  rm -f %{pkidir}/tls/cert.pem
+  rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
+
  # Upgrade or Downgrade.
  # If the classic filename is a regular file, then we are upgrading
  # from an old package and we will move it to an .rpmsave backup file.
@ -336,17 +344,6 @@ if [ $1 -gt 1 ] ; then
      fi
    fi
  fi
-
-  if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
-    # no backup yet
-    if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-      # a file exists
-      if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-        # it's an old regular file, not a link
-        mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
-      fi
-    fi
-  fi
 fi


@ -410,12 +407,12 @@ fi
 %{catrustdir}/source/README

 # symlinks for old locations
-%{pkidir}/tls/cert.pem
 %{pkidir}/tls/certs/%{classic_tls_bundle}
-%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 %{pkidir}/%{java_bundle}
-# symlinks to cross-distro compatibility files and directory
+# Hybrid hash directory with bundle file for Debian compatibility
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
 %{_sysconfdir}/ssl/certs
+%{_sysconfdir}/ssl/README
 %{_sysconfdir}/ssl/cert.pem
 %{_sysconfdir}/ssl/openssl.cnf
 %{_sysconfdir}/ssl/ct_log_list.cnf
@ -433,63 +430,52 @@ fi
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
-%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
-%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt

 %changelog
-*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
+* Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2024.2.69_v8.0.303-101.3
+- Rebuilt for MSVSphere 10
+
+*Fri Sep 27 2024 Michel Lind <salimma@centosproject.org> - 2024.2.69_v8.0.303-101.3
+- Add missing Requires(post) on findutils for update-ca-trust
+- Resolves: RHEL-60723
+
+*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.2
+- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
+- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
+
+*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
 - update-ca-trust: return warnings on a unsupported argument instead of error

-*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
+*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
 - Temporarily generate the directory-hash files in %%install ...(next item)
 - Add list of ghost files from directory-hash to %%files

-*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
- Remove write permissions from directory-hash
-
-*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
- Reduce dependency on p11-kit to only the trust subpackage
- Own the Directory-hash directory
+*Mon Aug 19 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
+- remove base-ci.* tests from gating.yaml

-*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
- Fix release number
+*Thu Jul 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
+- Remove blacklist use blocklist-only.
+- add gating.yaml

-*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
+*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101
 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
 -    GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER

-*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
+Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-101
 - Update to CKBI 2.68_v8.0.302 from NSS 3.101
 -    Removing:
 -     # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 -     # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
 -     # Certificate "Security Communication Root CA"
-     # Certificate "Camerfirma Chambers of Commerce Root"
-     # Certificate "Hongkong Post Root CA 1"
 -     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 -     # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
 -     # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
 -     # Certificate "TrustCor RootCert CA-1"
 -     # Certificate "TrustCor RootCert CA-2"
 -     # Certificate "TrustCor ECA-1"
-     # Certificate "FNMT-RCM"
 -    Adding:
-     # Certificate "LAWtrust Root CA2 (4096)"
-     # Certificate "Sectigo Public Email Protection Root E46"
-     # Certificate "Sectigo Public Email Protection Root R46"
-     # Certificate "Sectigo Public Server Authentication Root E46"
-     # Certificate "Sectigo Public Server Authentication Root R46"
-     # Certificate "SSL.com TLS RSA Root CA 2022"
-     # Certificate "SSL.com TLS ECC Root CA 2022"
-     # Certificate "SSL.com Client ECC Root CA 2022"
-     # Certificate "SSL.com Client RSA Root CA 2022"
-     # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
-     # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
-     # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
-     # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
 -     # Certificate "TrustAsia Global Root CA G3"
 -     # Certificate "TrustAsia Global Root CA G4"
 -     # Certificate "CommScope Public Trust ECC Root-01"
@ -504,31 +490,56 @@ fi
 -     # Certificate "Telekom Security TLS RSA Root 2023"
 -     # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
 -     # Certificate "SECOM Trust.net"
-     # Certificate "Chambers of Commerce Root"
 -     # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
 -     # Certificate "SSL.com Code Signing RSA Root CA 2022"
 -     # Certificate "SSL.com Code Signing ECC Root CA 2022"

-* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2023.2.62_v7.0.401-7
+- Bump release for June 2024 mass rebuild
+
+* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-4
 - update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix

-* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
+* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2023.2.62_v7.0.401-3
 - Skip %post if getopt is missing (recent change made update-ca-trust use it)

-* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
+*Wed Oct 04 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-2
+ - Update to CKBI 2.62_v7.0.401 from NSS 3.93
+   Removing: 
+    # Certificate "Camerfirma Chambers of Commerce Root"
+    # Certificate "Hongkong Post Root CA 1"
+    # Certificate "FNMT-RCM"
+   Adding: 
+    # Certificate "LAWtrust Root CA2 (4096)"
+    # Certificate "Sectigo Public Email Protection Root E46"
+    # Certificate "Sectigo Public Email Protection Root R46"
+    # Certificate "Sectigo Public Server Authentication Root E46"
+    # Certificate "Sectigo Public Server Authentication Root R46"
+    # Certificate "SSL.com TLS RSA Root CA 2022"
+    # Certificate "SSL.com TLS ECC Root CA 2022"
+    # Certificate "SSL.com Client ECC Root CA 2022"
+    # Certificate "SSL.com Client RSA Root CA 2022"
+    # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
+    # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
+    # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
+    # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
+    # Certificate "Chambers of Commerce Root"
+
+* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2023.2.60_v7.0.306-4
 - update-ca-trust: Support --output and non-root operation (rhbz#2241240)

-*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
+*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-3
 - update License: field to SPDX

-*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
- Bump release number to make CI happy
-
-*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
+*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-2
 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
 -    Removing:
-     # Certificate "Camerfirma Global Chambersign Root"
-     # Certificate "Staat der Nederlanden EV Root CA"
 -     # Certificate "OpenTrust Root CA G1"
 -     # Certificate "Swedish Government Root Authority v1"
 -     # Certificate "DigiNotar Root CA G2"
@ -563,16 +574,6 @@ fi
 -     # Certificate "Entrust.net Secure Server Certification Authority"
 -     # Certificate "ePKI EV SSL Certification Authority - G1"
 -    Adding:
-     # Certificate "DigiCert TLS ECC P384 Root G5"
-     # Certificate "DigiCert TLS RSA4096 Root G5"
-     # Certificate "DigiCert SMIME ECC P384 Root G5"
-     # Certificate "DigiCert SMIME RSA4096 Root G5"
-     # Certificate "Certainly Root R1"
-     # Certificate "Certainly Root E1"
-     # Certificate "E-Tugra Global Root CA RSA v3"
-     # Certificate "E-Tugra Global Root CA ECC v3"
-     # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
-     # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
 -     # Certificate "BJCA Global Root CA1"
 -     # Certificate "BJCA Global Root CA2"
 -     # Certificate "Symantec Enterprise Mobile Root for Microsoft"
@ -589,7 +590,6 @@ fi
 -     # Certificate "ComSign CA"
 -     # Certificate "ComSign Secured CA"
 -     # Certificate "ComSign Advanced Security CA"
-     # Certificate "Global Chambersign Root"
 -     # Certificate "Sonera Class2 CA"
 -     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
 -     # Certificate "VeriSign, Inc."
@ -604,7 +604,31 @@ fi
 -     # Certificate "GlobalSign Code Signing Root R45"
 -     # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"

-*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
+*Tue Jul 25 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60-3
+- Fedora mass rebuild
+
+*Fri Jan 20 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2023.2.60-2
+- Update to CKBI 2.60 from NSS 3.86
+-    Removing:
+-     # Certificate "Camerfirma Global Chambersign Root"
+-     # Certificate "Staat der Nederlanden EV Root CA"
+-    Adding:
+-     # Certificate "DigiCert TLS ECC P384 Root G5"
+-     # Certificate "DigiCert TLS RSA4096 Root G5"
+-     # Certificate "DigiCert SMIME ECC P384 Root G5"
+-     # Certificate "DigiCert SMIME RSA4096 Root G5"
+-     # Certificate "Certainly Root R1"
+-     # Certificate "Certainly Root E1"
+-     # Certificate "E-Tugra Global Root CA RSA v3"
+-     # Certificate "E-Tugra Global Root CA ECC v3"
+-     # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
+-     # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
+-     # Certificate "Global Chambersign Root"
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-5
 - Update to CKBI 2.54 from NSS 3.79
 -    Removing:
 -     # Certificate "TrustCor ECA-1"
@ -625,21 +649,19 @@ fi
 -     # Certificate "Government Root Certification Authority"
 -     # Certificate "AC Raíz Certicámara S.A."

-*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1
+*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-4
 - Update to CKBI 2.54 from NSS 3.79

-*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-2
 - Update to CKBI 2.54 from NSS 3.79
 -    Removing:
 -     # Certificate "GlobalSign Root CA - R2"
 -     # Certificate "DST Root CA X3"
 -     # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
 -    Adding:
-     # Certificate "TunTrust Root CA"
-     # Certificate "HARICA TLS RSA Root CA 2021"
-     # Certificate "HARICA TLS ECC Root CA 2021"
-     # Certificate "HARICA Client RSA Root CA 2021"
-     # Certificate "HARICA Client ECC Root CA 2021"
 -     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 -     # Certificate "vTrus ECC Root CA"
 -     # Certificate "vTrus Root CA"
@ -862,31 +884,111 @@ fi
 -     # Certificate "HARICA Code Signing ECC Root CA 2021"
 -     # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"

-* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
- remove blacklist directory and references now that p11-kit has been updated.
-
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
-
-* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
-   Update to CKBI 2.50 from NSS 3.67
-      Removing:
-       # Certificate "QuoVadis Root CA"
-       # Certificate "Sonera Class 2 Root CA"
-       # Certificate "Trustis FPS Root CA"
-      Adding:
-       # Certificate "GLOBALTRUST 2020"
-       # Certificate "ANF Secure Server Root CA"
-       # Certificate "Certum EC-384 CA"
-       # Certificate "Certum Trusted Root CA"
-
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.52-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+*Mon Dec 13 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.52-2
+- Update to CKBI 2.52 from NSS 3.72
+-    Adding:
+-     # Certificate "TunTrust Root CA"
+-     # Certificate "HARICA TLS RSA Root CA 2021"
+-     # Certificate "HARICA TLS ECC Root CA 2021"
+-     # Certificate "HARICA Client RSA Root CA 2021"
+-     # Certificate "HARICA Client ECC Root CA 2021"
+
+*Mon Dec 6 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-5
+- integrate Adam William's /etc/ssl/certs with Debian-compatibility
+- back out blocklist change since p11-kit .24 is not yet available on rawhide
+
+*Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-4
+- remove blacklist directory now that pk11-kit is using blocklist
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.50-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-2
+- Update to CKBI 2.50 from NSS 3.67
+-    Removing:
+-     # Certificate "Trustis FPS Root CA"
+-     # Certificate "GlobalSign Code Signing Root R45"
+-     # Certificate "GlobalSign Code Signing Root E45"
+-     # Certificate "Halcom Root Certificate Authority"
+-     # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
+-     # Certificate "GLOBALTRUST"
+-     # Certificate "MULTICERT Root Certification Authority 01"
+-     # Certificate "Verizon Global Root CA"
+-     # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
+-     # Certificate "CAEDICOM Root"
+-     # Certificate "COMODO Certification Authority"
+-     # Certificate "Security Communication ECC RootCA1"
+-     # Certificate "Security Communication RootCA3"
+-     # Certificate "AC RAIZ DNIE"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
+-     # Certificate "VeriSign Universal Root Certification Authority"
+-     # Certificate "GeoTrust Global CA"
+-     # Certificate "GeoTrust Primary Certification Authority"
+-     # Certificate "thawte Primary Root CA"
+-     # Certificate "thawte Primary Root CA - G2"
+-     # Certificate "thawte Primary Root CA - G3"
+-     # Certificate "GeoTrust Primary Certification Authority - G3"
+-     # Certificate "GeoTrust Primary Certification Authority - G2"
+-     # Certificate "GeoTrust Universal CA"
+-     # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
+-     # Certificate "GLOBALTRUST 2015"
+-     # Certificate "emSign Root CA - G2"
+-     # Certificate "emSign Root CA - C2"
+-    Adding:
+-     # Certificate "GLOBALTRUST 2020"
+-     # Certificate "ANF Secure Server Root CA"
+
+*Tue May 25 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-2
+- Update to CKBI 2.48 from NSS 3.64
+-    Removing:
+-     # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
+-     # Certificate "GeoTrust Universal CA 2"
+-     # Certificate "QuoVadis Root CA"
+-     # Certificate "Sonera Class 2 Root CA"
+-     # Certificate "Taiwan GRCA"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
+-     # Certificate "EE Certification Centre Root CA"
+-     # Certificate "LuxTrust Global Root 2"
+-     # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
+-     # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
+-    Adding:
+-     # Certificate "Microsoft ECC Root Certificate Authority 2017"
+-     # Certificate "Microsoft RSA Root Certificate Authority 2017"
+-     # Certificate "e-Szigno Root CA 2017"
+-     # Certificate "certSIGN Root CA G2"
+-     # Certificate "Trustwave Global Certification Authority"
+-     # Certificate "Trustwave Global ECC P256 Certification Authority"
+-     # Certificate "Trustwave Global ECC P384 Certification Authority"
+-     # Certificate "NAVER Global Root Certification Authority"
+-     # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
+-     # Certificate "GlobalSign Secure Mail Root R45"
+-     # Certificate "GlobalSign Secure Mail Root E45"
+-     # Certificate "GlobalSign Root R46"
+-     # Certificate "GlobalSign Root E46"
+-     # Certificate "Certum EC-384 CA"
+-     # Certificate "Certum Trusted Root CA"
+-     # Certificate "GlobalSign Code Signing Root R45"
+-     # Certificate "GlobalSign Code Signing Root E45"
+-     # Certificate "Halcom Root Certificate Authority"
+-     # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
+-     # Certificate "GLOBALTRUST"
+-     # Certificate "MULTICERT Root Certification Authority 01"
+-     # Certificate "Verizon Global Root CA"
+-     # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
+-     # Certificate "CAEDICOM Root"
+-     # Certificate "COMODO Certification Authority"
+-     # Certificate "Security Communication ECC RootCA1"
+-     # Certificate "Security Communication RootCA3"
+-     # Certificate "AC RAIZ DNIE"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
+-     # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
+-     # Certificate "GLOBALTRUST 2015"
+-     # Certificate "emSign Root CA - G2"
+-     # Certificate "emSign Root CA - C2"

 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild