Compare commits

...

No commits in common. 'c9' and 'i8c' have entirely different histories.
c9 ... i8c

@ -177,11 +177,6 @@ openssl_trust = {
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection", "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
} }
cert_distrust_types = {
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
}
for tobj in objects: for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj) key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -374,16 +369,6 @@ for tobj in objects:
f.write("nss-mozilla-ca-policy: true\n") f.write("nss-mozilla-ca-policy: true\n")
f.write("modifiable: false\n"); f.write("modifiable: false\n");
# requires p11-kit >= 0.23.19
for t in list(cert_distrust_types.keys()):
if t in obj:
value = obj[t]
if value == 'CK_FALSE':
value = bytearray(1)
f.write(cert_distrust_types[t] + ": \"")
f.write(urllib.parse.quote(value));
f.write("\"\n")
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64) temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)

@ -1,9 +1,9 @@
#!/bin/sh #!/bin/sh
#set -vx #set -vx
set -eu
# For backwards compatibility reasons, future versions of this script must # At this time, while this script is trivial, we ignore any parameters given.
# However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output # support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST. # files in $DEST.
@ -12,126 +12,11 @@ DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files. # Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1 export P11_KIT_NO_USER_CONFIG=1
usage() { # OpenSSL PEM bundle that includes trust flags
fold -s -w 76 >&2 <<-EOF # (BEGIN TRUSTED CERTIFICATE)
Usage: $0 [extract] [-o DIR|--output=DIR] /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
Update the system trust store in $DEST. /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
COMMANDS /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
(absent/empty command): Same as the extract command without arguments. /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
extract: Instruct update-ca-trust to scan the source configuration in
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
updated versions of the consolidated configuration files stored below
the $DEST directory hierarchy.
EXTRACT OPTIONS
-o DIR, --output=DIR: Write the extracted trust store into the given
directory instead of updating $DEST.
EOF
}
extract() {
USER_DEST=
# can't use getopt here. ca-certificates can't depend on a lot
# of other libraries since openssl depends on ca-certificates
# just fail when we hand parse
while [ $# -ne 0 ]; do
case "$1" in
"-o"|"--output")
if [ $# -lt 2 ]; then
echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
fi
USER_DEST=$2
shift 2
continue
;;
"--")
shift
break
;;
*)
echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
exit 1
;;
esac
done
if [ -n "$USER_DEST" ]; then
DEST=$USER_DEST
# Attempt to create the directories if they do not exist
# yet (rhbz#2241240)
/usr/bin/mkdir -p \
"$DEST"/openssl \
"$DEST"/pem \
"$DEST"/java \
"$DEST"/edk2
fi
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
# by GnuTLS)
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
# p11-kit extract will have made this directory unwritable; when run with
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
# not be the case. See rhbz#2241240.
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u+w "$DEST/pem/directory-hash"
fi
# Debian compatibility: their /etc/ssl/certs has this bundle
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
# Remove write permissions again
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u-w "$DEST/pem/directory-hash"
fi
}
if [ $# -lt 1 ]; then
set -- extract
fi
case "$1" in
"extract")
shift
extract "$@"
;;
"--help")
usage
exit 0
;;
"-o"|"--output")
echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
;;
"enable")
echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
*)
echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
esac

@ -27,7 +27,7 @@ certificates and associated trust
SYNOPSIS SYNOPSIS
-------- --------
*update-ca-trust* [extract] [-o 'DIR'|--output='DIR'] *update-ca-trust* ['COMMAND']
DESCRIPTION DESCRIPTION
@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/ * add it as a new file to directory /etc/pki/ca-trust/source/anchors/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then: .*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/pki/ca-trust/source/ * add it as a new file to directory /etc/pki/ca-trust/source/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to. .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ * simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats: .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes. Each certificate will be treated as *trusted* for all purposes.
In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
you may install one or multiple certificates in either the DER file you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes. Each certificate will be treated as *distrusted* for all purposes.
@ -214,23 +214,15 @@ server authentication.
COMMANDS COMMANDS
-------- --------
(absent/empty command) (absent/empty command)::
~~~~~~~~~~~~~~~~~~~~~~ Same as the *extract* command described below. (However, the command may
Same as the *extract* command described below. (However, the command may print print fewer warnings, as this command is being run during rpm package
fewer warnings, as this command is being run during rpm package installation, installation, where non-fatal status output is undesired.)
where non-fatal status output is undesired.)
*extract*::
extract Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
~~~~~~~ updated versions of the consolidated configuration files stored below
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and the /etc/pki/ca-trust/extracted directory hierarchy.
produce updated versions of the consolidated configuration files stored below
the /etc/pki/ca-trust/extracted directory hierarchy.
EXTRACT OPTIONS
^^^^^^^^^^^^^^^
*-o DIR*, *--output=DIR*::
Write the extracted trust store into the given directory instead of
updating /etc/pki/ca-trust/extracted.
FILES FILES
----- -----

@ -36,11 +36,13 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.) # because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.303 Version: 2024.2.69_v8.0.303
# for y-stream, please always use 91 <= release < 100 (91,92,93) # On RHEL 8.x, please keep the release version >= 80
# for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...) # When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
Release: 91.4%{?dist} # When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
License: MIT AND GPL-2.0-or-later Release: 80.0%{?dist}
License: Public Domain
Group: System Environment/Base
URL: https://fedoraproject.org/wiki/CA-Certificates URL: https://fedoraproject.org/wiki/CA-Certificates
#Please always update both certdata.txt and nssckbi.h #Please always update both certdata.txt and nssckbi.h
@ -71,14 +73,16 @@ Requires(post): coreutils
Requires: bash Requires: bash
Requires: grep Requires: grep
Requires: sed Requires: sed
Requires(post): p11-kit-trust >= 0.24 Requires(post): p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.24 Requires(post): p11-kit-trust >= 0.23.12
Requires: p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.23.12
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: python3 BuildRequires: python3-devel
BuildRequires: openssl BuildRequires: openssl
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: xmlto BuildRequires: libxslt
%description %description
This package contains the set of CA certificates chosen by the This package contains the set of CA certificates chosen by the
@ -96,7 +100,7 @@ mkdir %{name}/java
pushd %{name}/certs pushd %{name}/certs
pwd pwd
cp %{SOURCE0} . cp %{SOURCE0} .
python3 %{SOURCE4} >c2p.log 2>c2p.err %{__python3} %{SOURCE4} >c2p.log 2>c2p.err
popd popd
pushd %{name} pushd %{name}
( (
@ -167,12 +171,12 @@ popd
#manpage #manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xmlto -v -o %{name} man %{name}/ca-legacy.8.xml xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
%install %install
@ -182,16 +186,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -240,15 +243,9 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility # /etc/ssl/certs symlink for 3rd-party tools
ln -s /etc/pki/tls/certs \ ln -s ../pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames # legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
@ -259,49 +256,6 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
ln -s %{catrustdir}/extracted/%{java_bundle} \ ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle} $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
# Populate %%{catrustdir}/extracted/pem/directory-hash.
#
# First direct p11-kit-trust.so to the generated bundle (not the one
# already present on the build system) with an overriding module
# config. Note that we have to use a different config path based on
# the current user: if root, ~/.config/pkcs11/modules/* are not read,
# while if a regular user, she can't write to /etc.
if test "$(id -u)" -eq 0; then
trust_module_dir=/etc/pkcs11/modules
else
trust_module_dir=$HOME/.config/pkcs11/modules
fi
mkdir -p "$trust_module_dir"
# It is unlikely that the directory would contain any files on a build system,
# but let's make sure just in case.
if [ -n "$(ls -A "$trust_module_dir")" ]; then
echo "Directory $trust_module_dir is not empty. Aborting build!"
exit 1
fi
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
cat >"$trust_module_config" <<EOF
module: p11-kit-trust.so
trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Create a temporary file with the list of (%ghost )files in the directory-hash.
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# Clean up the temporary module config.
rm -f "$trust_module_config"
%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
rm -rf $RPM_BUILD_ROOT
%pre %pre
if [ $1 -gt 1 ] ; then if [ $1 -gt 1 ] ; then
@ -349,7 +303,6 @@ if [ $1 -gt 1 ] ; then
fi fi
fi fi
%post %post
#if [ $1 -gt 1 ] ; then #if [ $1 -gt 1 ] ; then
# # when upgrading or downgrading # # when upgrading or downgrading
@ -375,8 +328,9 @@ fi
%{_bindir}/ca-legacy install %{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust %{_bindir}/update-ca-trust
# The file .files.txt contains the list of (%ghost )files in the directory-hash %files
%files -f .files.txt %defattr(-,root,root,-)
%dir %{_sysconfdir}/ssl %dir %{_sysconfdir}/ssl
%dir %{pkidir}/tls %dir %{pkidir}/tls
%dir %{pkidir}/tls/certs %dir %{pkidir}/tls/certs
@ -384,7 +338,7 @@ fi
%dir %{catrustdir} %dir %{catrustdir}
%dir %{catrustdir}/source %dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors %dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blocklist %dir %{catrustdir}/source/blacklist
%dir %{catrustdir}/extracted %dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem %dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl %dir %{catrustdir}/extracted/openssl
@ -392,9 +346,8 @@ fi
%dir %{_datadir}/pki %dir %{_datadir}/pki
%dir %{_datadir}/pki/ca-trust-source %dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors %dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blocklist %dir %{_datadir}/pki/ca-trust-source/blacklist
%dir %{_datadir}/pki/ca-trust-legacy %dir %{_datadir}/pki/ca-trust-legacy
%dir %{catrustdir}/extracted/pem/directory-hash
%config(noreplace) %{catrustdir}/ca-legacy.conf %config(noreplace) %{catrustdir}/ca-legacy.conf
@ -414,13 +367,10 @@ fi
%{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle} %{pkidir}/%{java_bundle}
# symlinks to cross-distro compatibility files and directory # symlink directory
%{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf
# primary bundle file with trust # master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle} %{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle} %{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@ -436,33 +386,11 @@ fi
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} %ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin %ghost %{catrustdir}/extracted/edk2/cacerts.bin
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
%changelog
*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
- update-ca-trust: return warnings on a unsupported argument instead of error
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
- Temporarily generate the directory-hash files in %%install ...(next item)
- Add list of ghost files from directory-hash to %%files
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
- Remove write permissions from directory-hash
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1 %changelog
- Reduce dependency on p11-kit to only the trust subpackage *Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
- Own the Directory-hash directory
*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
- Fix release number
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
- Removing: - Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
@ -509,22 +437,7 @@ fi
- # Certificate "SSL.com Code Signing RSA Root CA 2022" - # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022" - # Certificate "SSL.com Code Signing ECC Root CA 2022"
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0 *Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
- Skip %post if getopt is missing (recent change made update-ca-trust use it)
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
- update License: field to SPDX
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
- Bump release number to make CI happy
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Removing: - Removing:
- # Certificate "Camerfirma Global Chambersign Root" - # Certificate "Camerfirma Global Chambersign Root"
@ -604,7 +517,10 @@ fi
- # Certificate "GlobalSign Code Signing Root R45" - # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1" - # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2 * Tue Jul 25 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2022.2.54-80.2
- Rebuilt for MSVSphere 8.8
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing: - Removing:
- # Certificate "TrustCor ECA-1" - # Certificate "TrustCor ECA-1"
@ -625,29 +541,12 @@ fi
- # Certificate "Government Root Certification Authority" - # Certificate "Government Root Certification Authority"
- # Certificate "AC Raíz Certicámara S.A." - # Certificate "AC Raíz Certicámara S.A."
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1 *Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0 *Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding: - Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
- # Certificate "CAEDICOM Root" - # Certificate "CAEDICOM Root"
- # Certificate "I.CA Root CA/RSA" - # Certificate "I.CA Root CA/RSA"
- # Certificate "MULTICERT Root Certification Authority 01" - # Certificate "MULTICERT Root Certification Authority 01"
@ -789,6 +688,7 @@ fi
- # Certificate "Certipost E-Trust TOP Root CA" - # Certificate "Certipost E-Trust TOP Root CA"
- # Certificate "Certipost E-Trust Primary Qualified CA" - # Certificate "Certipost E-Trust Primary Qualified CA"
- # Certificate "Certipost E-Trust Primary Normalised CA" - # Certificate "Certipost E-Trust Primary Normalised CA"
- # Certificate "Cybertrust Global Root"
- # Certificate "GlobalSign" - # Certificate "GlobalSign"
- # Certificate "IGC/A" - # Certificate "IGC/A"
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN" - # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@ -862,113 +762,129 @@ fi
- # Certificate "HARICA Code Signing ECC Root CA 2021" - # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020" - # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94 *Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
- remove blacklist directory and references now that p11-kit has been updated. - Update to CKBI 2.54 from NSS 3.79
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
- Update to CKBI 2.50 from NSS 3.67
- Removing:
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Trustis FPS Root CA"
- Adding:
- # Certificate "GLOBALTRUST 2020"
- # Certificate "ANF Secure Server Root CA"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
- remove unnecessarily divisive terms, take 1.
- in ca-certificates there are 3 cases:
- 1) master refering to the fedora master branch in the fetch.sh script.
- This can only be changed once fedora changes the master branch name.
- 2) a reference to the 'master bundle' in this file: this has been changed
- to 'primary bundle'.
- 3) a couple of blacklist directories owned by this package, but used to
- p11-kit. New 'blocklist' directories have been created, but p11-kit
- needs to be updated before the old blacklist directories can be removed
- and the man pages corrected.
* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
- Fix up broken %post and %postinstall scriptlet changes from -2
* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
- Update to CKBI 2.41 from NSS 3.53.0
- Removing: - Removing:
- # Certificate "AddTrust Low-Value Services Root" - # Certificate "GlobalSign Root CA - R2"
- # Certificate "AddTrust External Root" - # Certificate "DST Root CA X3"
- # Certificate "Staat der Nederlanden Root CA - G2" - # Certificate "Cybertrust Global Root"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3 *Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
- Update versioned dependency on p11-kit - Update to CKBI 2.50 from NSS 3.67
- version number update only
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2 *Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
- Update to CKBI 2.40 from NSS 3.48 - Update to CKBI 2.48 from NSS 3.66
- Removing: - Removing:
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Trustis FPS Root CA"
- Adding:
- # Certificate "GLOBALTRUST 2020"
- # Certificate "ANF Secure Server Root CA"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
- Update to CKBI 2.48 from NSS 3.64
- Removing:
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
- # Certificate "GeoTrust Global CA"
- # Certificate "GeoTrust Universal CA"
- # Certificate "GeoTrust Universal CA 2"
- # Certificate "Taiwan GRCA"
- # Certificate "GeoTrust Primary Certification Authority"
- # Certificate "thawte Primary Root CA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- # Certificate "GeoTrust Primary Certification Authority - G3"
- # Certificate "thawte Primary Root CA - G2"
- # Certificate "thawte Primary Root CA - G3"
- # Certificate "GeoTrust Primary Certification Authority - G2"
- # Certificate "VeriSign Universal Root Certification Authority"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Certificate "EE Certification Centre Root CA"
- # Certificate "LuxTrust Global Root 2"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
- Adding:
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
- # Certificate "e-Szigno Root CA 2017"
- # Certificate "certSIGN Root CA G2"
- # Certificate "Trustwave Global Certification Authority"
- # Certificate "Trustwave Global ECC P256 Certification Authority"
- # Certificate "Trustwave Global ECC P384 Certification Authority"
- # Certificate "NAVER Global Root Certification Authority"
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- # Certificate "GlobalSign Secure Mail Root R45"
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
- fix post issues
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
- Update to CKBI 2.41 from NSS 3.53.0
- Removing:
- # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust External Root"
- # Certificate "UTN USERFirst Email Root CA" - # Certificate "UTN USERFirst Email Root CA"
- # Certificate "Certplus Class 2 Primary CA" - # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Deutsche Telekom Root CA 2" - # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Staat der Nederlanden Root CA - G2"
- # Certificate "Swisscom Root CA 2" - # Certificate "Swisscom Root CA 2"
- # Certificate "Certinomis - Root CA" - # Certificate "Certinomis - Root CA"
- Adding: - Adding:
- # Certificate "Entrust Root Certification Authority - G4" - # Certificate "Entrust Root Certification Authority - G4"
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3 - Update to CKBI 2.32 from NSS 3.44
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - Removing:
- # Certificate "Visa eCommerce Root"
* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2 - # Certificate "AC Raiz Certicamara S.A."
- Update to CKBI 2.32 from NSS 3.44 - # Certificate "ComSign CA"
Removing: - # Certificate "Certplus Root CA G1"
# Certificate "Visa eCommerce Root" - # Certificate "Certplus Root CA G2"
# Certificate "AC Raiz Certicamara S.A." - # Certificate "OpenTrust Root CA G1"
# Certificate "Certplus Root CA G1" - # Certificate "OpenTrust Root CA G2"
# Certificate "Certplus Root CA G2" - # Certificate "OpenTrust Root CA G3"
# Certificate "OpenTrust Root CA G1" - Adding:
# Certificate "OpenTrust Root CA G2" - # Certificate "GlobalSign Root CA - R6"
# Certificate "OpenTrust Root CA G3" - # Certificate "OISTE WISeKey Global Root GC CA"
Adding: - # Certificate "GTS Root R1"
# Certificate "GTS Root R1" - # Certificate "GTS Root R2"
# Certificate "GTS Root R2" - # Certificate "GTS Root R3"
# Certificate "GTS Root R3" - # Certificate "GTS Root R4"
# Certificate "GTS Root R4" - # Certificate "UCA Global G2 Root"
# Certificate "UCA Global G2 Root" - # Certificate "UCA Extended Validation Root"
# Certificate "UCA Extended Validation Root" - # Certificate "Certigna Root CA"
# Certificate "Certigna Root CA" - # Certificate "emSign Root CA - G1"
# Certificate "emSign Root CA - G1" - # Certificate "emSign ECC Root CA - G3"
# Certificate "emSign ECC Root CA - G3" - # Certificate "emSign Root CA - C1"
# Certificate "emSign Root CA - C1" - # Certificate "emSign ECC Root CA - C3"
# Certificate "emSign ECC Root CA - C3" - # Certificate "Hongkong Post Root CA 3"
# Certificate "Hongkong Post Root CA 3"
* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3 - Test gating
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2 - Use __python3 macro when invoking Python
- Update to CKBI 2.26 from NSS 3.39
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5 * Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
- Ported scripts to python3 - Ported scripts to python3

Loading…
Cancel
Save