@ -36,13 +36,11 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.)
# because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.303
Version: 2024.2.69_v8.0.303
# On RHEL 8.x, please keep the release version >= 80
# for y-stream, please always use 91 <= release < 100 (91,92,93)
# When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
# for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...)
# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
Release: 91.4%{?dist}
Release: 80.0%{?dist}.inferit.1
License: MIT AND GPL-2.0-or-later
License: Public Domain
Group: System Environment/Base
URL: https://fedoraproject.org/wiki/CA-Certificates
URL: https://fedoraproject.org/wiki/CA-Certificates
#Please always update both certdata.txt and nssckbi.h
#Please always update both certdata.txt and nssckbi.h
@ -64,14 +62,6 @@ Source16: README.pem
Source17: README.edk2
Source17: README.edk2
Source18: README.src
Source18: README.src
# Russian Ministry of Digital Development and Communications
Source90: rootca_ssl_rsa2022.cer
Source91: rootca_ssl_rsa2022.cer.detached.sig
# TCI ECSDA ROOT A1
Source92: ecdsa-a1.crt
# TCI GOST ROOT A1
Source93: gost-a1.crt
BuildArch: noarch
BuildArch: noarch
Requires(post): bash
Requires(post): bash
@ -81,16 +71,14 @@ Requires(post): coreutils
Requires: bash
Requires: bash
Requires: grep
Requires: grep
Requires: sed
Requires: sed
Requires(post): p11-kit >= 0.23.12
Requires(post): p11-kit-trust >= 0.24
Requires(post): p11-kit-trust >= 0.23.12
Requires: p11-kit-trust >= 0.24
Requires: p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.23.12
BuildRequires: perl-interpreter
BuildRequires: perl-interpreter
BuildRequires: python3-devel
BuildRequires: python3
BuildRequires: openssl
BuildRequires: openssl
BuildRequires: asciidoc
BuildRequires: asciidoc
BuildRequires: libxslt
BuildRequires: xmlto
%description
%description
This package contains the set of CA certificates chosen by the
This package contains the set of CA certificates chosen by the
@ -108,7 +96,7 @@ mkdir %{name}/java
pushd %{name}/certs
pushd %{name}/certs
pwd
pwd
cp %{SOURCE0} .
cp %{SOURCE0} .
%{__ python3} %{SOURCE4} >c2p.log 2>c2p.err
python3 %{SOURCE4} >c2p.log 2>c2p.err
popd
popd
pushd %{name}
pushd %{name}
(
(
@ -179,12 +167,12 @@ popd
#manpage
#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt
cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
%install
%install
@ -194,15 +182,16 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/bla cklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blo cklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/bla cklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blo cklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -251,9 +240,15 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# /etc/ssl/certs symlink for 3rd-party tools
# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
ln -s .. /pki/tls/certs \
ln -s /etc /pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames
# legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
@ -264,12 +259,49 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
ln -s %{catrustdir}/extracted/%{java_bundle} \
ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
# Russian Ministry of Digital Development and Communications
# Populate %%{catrustdir}/extracted/pem/directory-hash.
install -m 644 %{SOURCE90} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
#
install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
# First direct p11-kit-trust.so to the generated bundle (not the one
# TCI ECDSA and GOST root certificates
# already present on the build system) with an overriding module
install -m 644 %{SOURCE92} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
# config. Note that we have to use a different config path based on
install -m 644 %{SOURCE93} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
# the current user: if root, ~/.config/pkcs11/modules/* are not read,
# while if a regular user, she can't write to /etc.
if test "$(id -u)" -eq 0; then
trust_module_dir=/etc/pkcs11/modules
else
trust_module_dir=$HOME/.config/pkcs11/modules
fi
mkdir -p "$trust_module_dir"
# It is unlikely that the directory would contain any files on a build system,
# but let's make sure just in case.
if [ -n "$(ls -A "$trust_module_dir")" ]; then
echo "Directory $trust_module_dir is not empty. Aborting build!"
exit 1
fi
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
cat >"$trust_module_config" <<EOF
module: p11-kit-trust.so
trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Create a temporary file with the list of (%ghost )files in the directory-hash.
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# Clean up the temporary module config.
rm -f "$trust_module_config"
%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
rm -rf $RPM_BUILD_ROOT
%pre
%pre
if [ $1 -gt 1 ] ; then
if [ $1 -gt 1 ] ; then
@ -317,6 +349,7 @@ if [ $1 -gt 1 ] ; then
fi
fi
fi
fi
%post
%post
#if [ $1 -gt 1 ] ; then
#if [ $1 -gt 1 ] ; then
# # when upgrading or downgrading
# # when upgrading or downgrading
@ -342,9 +375,8 @@ fi
%{_bindir}/ca-legacy install
%{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust
%{_bindir}/update-ca-trust
%files
# The file .files.txt contains the list of (%ghost )files in the directory-hash
%defattr(-,root,root,-)
%files -f .files.txt
%dir %{_sysconfdir}/ssl
%dir %{_sysconfdir}/ssl
%dir %{pkidir}/tls
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
%dir %{pkidir}/tls/certs
@ -352,7 +384,7 @@ fi
%dir %{catrustdir}
%dir %{catrustdir}
%dir %{catrustdir}/source
%dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/bla cklist
%dir %{catrustdir}/source/blo cklist
%dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl
%dir %{catrustdir}/extracted/openssl
@ -360,13 +392,9 @@ fi
%dir %{_datadir}/pki
%dir %{_datadir}/pki
%dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/bla cklist
%dir %{_datadir}/pki/ca-trust-source/blo cklist
%dir %{_datadir}/pki/ca-trust-legacy
%dir %{_datadir}/pki/ca-trust-legacy
%dir %{catrustdir}/extracted/pem/directory-hash
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer.detached.sig
%{catrustdir}/source/anchors/ecdsa-a1.crt
%{catrustdir}/source/anchors/gost-a1.crt
%config(noreplace) %{catrustdir}/ca-legacy.conf
%config(noreplace) %{catrustdir}/ca-legacy.conf
@ -386,10 +414,13 @@ fi
%{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle}
%{pkidir}/%{java_bundle}
# symlink directory
# symlinks to cross-distro compatibility files and directory
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf
# master bundle file with trust
# pri mary bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@ -405,18 +436,33 @@ fi
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
%changelog
%changelog
* Wed Sep 11 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-80.0.inferit.1
*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
- Remove TCI GOST certificate from certdata.txt
- update-ca-trust: return warnings on a unsupported argument instead of error
- Bump version
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
- Temporarily generate the directory-hash files in %%install ...(next item)
- Add list of ghost files from directory-hash to %%files
* Thu Aug 22 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-80.0.inferit
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
- Update to 2024.2.69_v8.0.303-80.0
- Remove write permissions from directory-hash
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
- Reduce dependency on p11-kit to only the trust subpackage
- Own the Directory-hash directory
*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
- Fix release number
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
- Removing:
- Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
@ -463,27 +509,22 @@ fi
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
* Wed Jul 10 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit.2
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
- Fixed addition TCI GOST certificate
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
- Bump version
* Tue Jul 09 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit.1
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
- Added TCI ECDSA and GOST root certificates
- Skip %post if getopt is missing (recent change made update-ca-trust use it)
* Fri Dec 15 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
- Update to version 2023.2.60_v7.0.306-80.0
- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
- Rebuilt for MSVSphere 8.9
* Fri Dec 15 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2022.2.54-80.2.inferit.1
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
- place MDDC certificates to /etc/pki/ca-trust/source/anchors (Arkady L. Shane <tigro@msvsphere-os.ru>)
- update License: field to SPDX
* Wed Aug 30 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 2022.2.54-80.2.inferit
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
- Added:
- Bump release number to make CI happy
- # Certificate "Russian Trusted Root CA"
- # Certificate "Russian Trusted Sub CA"
- Rebuilt for MSVSphere 8.8
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-8 0.0
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Removing:
- Removing:
- # Certificate "Camerfirma Global Chambersign Root"
- # Certificate "Camerfirma Global Chambersign Root"
@ -563,10 +604,7 @@ fi
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
* Tue Jul 25 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2022.2.54-80.2
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
- Rebuilt for MSVSphere 8.8
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
- Update to CKBI 2.54 from NSS 3.79
- Update to CKBI 2.54 from NSS 3.79
- Removing:
- Removing:
- # Certificate "TrustCor ECA-1"
- # Certificate "TrustCor ECA-1"
@ -587,12 +625,29 @@ fi
- # Certificate "Government Root Certification Authority"
- # Certificate "Government Root Certification Authority"
- # Certificate "AC Raíz Certicámara S.A."
- # Certificate "AC Raíz Certicámara S.A."
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-8 0.1
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-9 0.1
- Update to CKBI 2.54 from NSS 3.79
- Update to CKBI 2.54 from NSS 3.79
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-8 0.0
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-9 0.0
- Update to CKBI 2.54 from NSS 3.79
- Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding:
- Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
- # Certificate "CAEDICOM Root"
- # Certificate "CAEDICOM Root"
- # Certificate "I.CA Root CA/RSA"
- # Certificate "I.CA Root CA/RSA"
- # Certificate "MULTICERT Root Certification Authority 01"
- # Certificate "MULTICERT Root Certification Authority 01"
@ -734,7 +789,6 @@ fi
- # Certificate "Certipost E-Trust TOP Root CA"
- # Certificate "Certipost E-Trust TOP Root CA"
- # Certificate "Certipost E-Trust Primary Qualified CA"
- # Certificate "Certipost E-Trust Primary Qualified CA"
- # Certificate "Certipost E-Trust Primary Normalised CA"
- # Certificate "Certipost E-Trust Primary Normalised CA"
- # Certificate "Cybertrust Global Root"
- # Certificate "GlobalSign"
- # Certificate "GlobalSign"
- # Certificate "IGC/A"
- # Certificate "IGC/A"
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@ -808,34 +862,19 @@ fi
- # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
- Update to CKBI 2.54 from NSS 3.79
- remove blacklist directory and references now that p11-kit has been updated.
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Cybertrust Global Root"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
- Update to CKBI 2.50 from NSS 3.67
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- version number update only
Related: rhbz#1991688
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
- Update to CKBI 2.48 from NSS 3.66
- Update to CKBI 2.50 from NSS 3.67
- Removing:
- Removing:
- # Certificate "QuoVadis Root CA"
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Sonera Class 2 Root CA"
@ -846,91 +885,90 @@ fi
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
- # Certificate "Certum Trusted Root CA"
*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
- Update to CKBI 2.48 from NSS 3.64
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
- Removing:
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
- # Certificate "GeoTrust Global CA"
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
- # Certificate "GeoTrust Universal CA"
- # Certificate "GeoTrust Universal CA 2"
* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
- # Certificate "Taiwan GRCA"
- remove unnecessarily divisive terms, take 1.
- # Certificate "GeoTrust Primary Certification Authority"
- in ca-certificates there are 3 cases:
- # Certificate "thawte Primary Root CA"
- 1) master refering to the fedora master branch in the fetch.sh script.
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- This can only be changed once fedora changes the master branch name.
- # Certificate "GeoTrust Primary Certification Authority - G3"
- 2) a reference to the 'master bundle' in this file: this has been changed
- # Certificate "thawte Primary Root CA - G2"
- to 'primary bundle'.
- # Certificate "thawte Primary Root CA - G3"
- 3) a couple of blacklist directories owned by this package, but used to
- # Certificate "GeoTrust Primary Certification Authority - G2"
- p11-kit. New 'blocklist' directories have been created, but p11-kit
- # Certificate "VeriSign Universal Root Certification Authority"
- needs to be updated before the old blacklist directories can be removed
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- and the man pages corrected.
- # Certificate "EE Certification Centre Root CA"
- # Certificate "LuxTrust Global Root 2"
* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
- Adding:
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
- # Certificate "e-Szigno Root CA 2017"
* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
- # Certificate "certSIGN Root CA G2"
- Fix up broken %post and %postinstall scriptlet changes from -2
- # Certificate "Trustwave Global Certification Authority"
- # Certificate "Trustwave Global ECC P256 Certification Authority"
* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
- # Certificate "Trustwave Global ECC P384 Certification Authority"
- # Certificate "NAVER Global Root Certification Authority"
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- # Certificate "GlobalSign Secure Mail Root R45"
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
- fix post issues
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
- Update to CKBI 2.41 from NSS 3.53.0
- Update to CKBI 2.41 from NSS 3.53.0
- Removing:
- Removing:
- # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust External Root"
- # Certificate "AddTrust External Root"
- # Certificate "Staat der Nederlanden Root CA - G2"
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
- Update versioned dependency on p11-kit
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
- Update to CKBI 2.40 from NSS 3.48
- Removing:
- # Certificate "UTN USERFirst Email Root CA"
- # Certificate "UTN USERFirst Email Root CA"
- # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Staat der Nederlanden Root CA - G2"
- # Certificate "Swisscom Root CA 2"
- # Certificate "Swisscom Root CA 2"
- # Certificate "Certinomis - Root CA"
- # Certificate "Certinomis - Root CA"
- Adding:
- Adding:
- # Certificate "Entrust Root Certification Authority - G4"
- # Certificate "Entrust Root Certification Authority - G4"
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
- Update to CKBI 2.32 from NSS 3.44
- Update to CKBI 2.32 from NSS 3.44
- Removing:
Removing:
- # Certificate "Visa eCommerce Root"
# Certificate "Visa eCommerce Root"
- # Certificate "AC Raiz Certicamara S.A."
# Certificate "AC Raiz Certicamara S.A."
- # Certificate "ComSign CA "
# Certificate "Certplus Root CA G1 "
- # Certificate "Certplus Root CA G1 "
# Certificate "Certplus Root CA G2 "
- # Certificate "Certplus Root CA G2 "
# Certificate "OpenTrust Root CA G1 "
- # Certificate "OpenTrust Root CA G1 "
# Certificate "OpenTrust Root CA G2 "
- # Certificate "OpenTrust Root CA G2 "
# Certificate "OpenTrust Root CA G3 "
- # Certificate "OpenTrust Root CA G3"
Adding:
- Adding:
# Certificate "GTS Root R1"
- # Certificate "GlobalSign Root CA - R6 "
# Certificate "GTS Root R2 "
- # Certificate "OISTE WISeKey Global Root GC CA "
# Certificate "GTS Root R3 "
- # Certificate "GTS Root R1 "
# Certificate "GTS Root R4 "
- # Certificate "GTS Root R2 "
# Certificate "UCA Global G2 Root "
- # Certificate "GTS Root R3 "
# Certificate "UCA Extended Validation Root "
- # Certificate "GTS Root R4 "
# Certificate "Certigna Root CA "
- # Certificate "UCA Global G2 Root "
# Certificate "emSign Root CA - G1 "
- # Certificate "UCA Extended Validation Root "
# Certificate "emSign ECC Root CA - G3 "
- # Certificate "Certigna Root CA "
# Certificate "emSign Root CA - C1 "
- # Certificate "emSign Root CA - G1 "
# Certificate "emSign ECC Root CA - C3 "
- # Certificate "emSign ECC Root CA - G 3"
# Certificate "Hongkong Post Root CA 3"
- # Certificate "emSign Root CA - C1"
- # Certificate "emSign ECC Root CA - C3"
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
- # Certificate "Hongkong Post Root CA 3"
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
- Test gating
- Update to CKBI 2.26 from NSS 3.39
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com > - 2018.2.24-6
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org > - 2018.2.24-6
- Use __python3 macro when invoking Python
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
- Ported scripts to python3
- Ported scripts to python3