Changes - SailfishOS Open Build Service

Changes of Revision 2

We truncated the diff of some files because they were too big. If you want to see the full diff for every file, click here.

[-] [+]	Changed	ca-certificates.changes
@@ -1,3 +1,6 @@ +* Wed Jan 24 2024 Matti Lehtimäki <matti.lehtimaki@jolla.com> - 2023.2.62_v7.0.401-6 +- Update to latest upstream ca-certificates. Fixes JB#61387 + * Wed Oct 13 2021 Rinat Dobrokhotov <r.dobrokhotov@omprussia.ru> - 2021.2.50-3 - Update to latest upstream ca-certificates. Fixes JB#55911
[-] [+]	Changed	ca-certificates.spec ^
@@ -35,9 +35,9 @@ # to have increasing version numbers. However, the new scheme will work, # because all future versions will start with 2013 or larger.) -Version: 2021.2.50 -Release: 3 -License: Public Domain +Version: 2023.2.62_v7.0.401 +Release: 6 +License: MIT AND GPLv2+ URL: https://fedoraproject.org/wiki/CA-Certificates @@ -59,6 +59,7 @@ Source16: README.pem Source17: README.edk2 Source18: README.src +Source19: README.etcssl Source30: fetch.sh Source31: README Source32: sources @@ -76,16 +77,16 @@ Requires: bash Requires: grep Requires: sed -Requires(post): p11-kit >= 0.23.19 -Requires(post): p11-kit-trust >= 0.23.19 -Requires: p11-kit >= 0.23.19 -Requires: p11-kit-trust >= 0.23.19 +Requires(post): p11-kit >= 0.23 +Requires(post): p11-kit-trust >= 0.23 +Requires: p11-kit >= 0.23 +Requires: p11-kit-trust >= 0.23 #BuildRequires: perl-interpreter BuildRequires: python3-base BuildRequires: openssl #BuildRequires: asciidoc -#BuildRequires: libxslt +#BuildRequires: xmlto %description This package contains the set of CA certificates chosen by the @@ -174,12 +175,12 @@ #manpage cp %{SOURCE10} %{name}/update-ca-trust.8.txt -#asciidoc.py -v -d manpage -b docbook %%{name}/update-ca-trust.8.txt -#xsltproc --nonet -o %%{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %%{name}/update-ca-trust.8.xml +#asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt +#xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml cp %{SOURCE9} %{name}/ca-legacy.8.txt -#asciidoc.py -v -d manpage -b docbook %%{name}/ca-legacy.8.txt -#xsltproc --nonet -o %%{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %%{name}/ca-legacy.8.xml +#asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt +#xmlto -v -o %{name} man %{name}/ca-legacy.8.xml %install @@ -189,8 +190,8 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors -mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist +mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl @@ -198,8 +199,8 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors -mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist +mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8 @@ -214,6 +215,7 @@ install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README +install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle} @@ -248,8 +250,9 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin -# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility -ln -s /etc/pki/tls/certs \ +# /etc/ssl is provided in a Debian compatible form for (bad) code that +# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882 +ln -s %{catrustdir}/extracted/pem/directory-hash \ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem @@ -348,8 +351,8 @@ %dir %{catrustdir} %dir %{catrustdir}/source %dir %{catrustdir}/source/anchors -%dir %{catrustdir}/source/blocklist %dir %{catrustdir}/source/blacklist +%dir %{catrustdir}/source/blocklist %dir %{catrustdir}/extracted %dir %{catrustdir}/extracted/pem %dir %{catrustdir}/extracted/openssl @@ -357,8 +360,8 @@ %dir %{_datadir}/pki %dir %{_datadir}/pki/ca-trust-source %dir %{_datadir}/pki/ca-trust-source/anchors -%dir %{_datadir}/pki/ca-trust-source/blocklist %dir %{_datadir}/pki/ca-trust-source/blacklist +%dir %{_datadir}/pki/ca-trust-source/blocklist %dir %{_datadir}/pki/ca-trust-legacy %config(noreplace) %{catrustdir}/ca-legacy.conf @@ -379,8 +382,10 @@ %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/%{java_bundle} -# symlinks to cross-distro compatibility files and directory +# Hybrid hash directory with bundle file for Debian compatibility +# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882 %{_sysconfdir}/ssl/certs +%{_sysconfdir}/ssl/README %{_sysconfdir}/ssl/cert.pem %{_sysconfdir}/ssl/openssl.cnf %{_sysconfdir}/ssl/ct_log_list.cnf
[-] [+]	Added	README.etcssl ^
@@ -0,0 +1,20 @@ +This directory (/etc/ssl) is provided as a courtesy attempt to provide +compatibility with software which assumes its existence. It is not a +supported or canonical location. Software which assumes and relies on +the existence and layout of this directory is making a wrong assumption +(this directory is not any kind of 'standard', it is a configuration +detail of Debian and its derivatives) and should be improved. No +software packaged in this distribution should use this directory. + +An attempt is made to make the layout of /etc/ssl/certs match that +provided by Debian: it is an OpenSSL 'CApath'-style hashed directory +of individual certificate files, and also contains a certificate bundle +file named ca-certificates.crt, as Debian does. It also contains a +bundle named ca-bundle.crt, as this distribution has long provided +such a file, and it is possible some software has come to expect its +existence. + +/etc/ssl/certs itself and the bundle files are in fact symlinks to +some of the output of the 'update-ca-trust' script which forms a part +of a system of consolidated CA certificates. Please refer to the +update-ca-trust(8) manual page for additional information.
[-] [+]	Changed	certdata.txt ^
@@ -79,7 +79,7 @@ # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE # Not Valid Before: Tue Sep 01 12:00:00 1998 # Not Valid After : Fri Jan 28 12:00:00 2028 -# Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A +# Fingerprint (SHA-256): EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99 # Fingerprint (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE @@ -169,13 +169,13 @@ CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE -# Trust for Certificate "GlobalSign Root CA" +# Trust for "GlobalSign Root CA" # Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE # Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94 # Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE # Not Valid Before: Tue Sep 01 12:00:00 1998 # Not Valid After : Fri Jan 28 12:00:00 2028 -# Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A +# Fingerprint (SHA-256): EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99 # Fingerprint (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST CKA_TOKEN CK_BBOOL CK_TRUE @@ -202,142 +202,7 @@ END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - -# -# Certificate "GlobalSign Root CA - R2" -# -# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 -# Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d -# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 -# Not Valid Before: Fri Dec 15 08:00:00 2006 -# Not Valid After : Wed Dec 15 08:00:00 2021 -# Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30 -# Fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalSign Root CA - R2" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157 -\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040 -\055\040\122\062\061\023\060\021\006\003\125\004\012\023\012\107 -\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125 -\004\003\023\012\107\154\157\142\141\154\123\151\147\156 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157 -\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040 -\055\040\122\062\061\023\060\021\006\003\125\004\012\023\012\107 -\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125 -\004\003\023\012\107\154\157\142\141\154\123\151\147\156 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\013\004\000\000\000\000\001\017\206\046\346\015 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\272\060\202\002\242\240\003\002\001\002\002\013\004 -\000\000\000\000\001\017\206\046\346\015\060\015\006\011\052\206 -\110\206\367\015\001\001\005\005\000\060\114\061\040\060\036\006 -\003\125\004\013\023\027\107\154\157\142\141\154\123\151\147\156 -\040\122\157\157\164\040\103\101\040\055\040\122\062\061\023\060 -\021\006\003\125\004\012\023\012\107\154\157\142\141\154\123\151 -\147\156\061\023\060\021\006\003\125\004\003\023\012\107\154\157 -\142\141\154\123\151\147\156\060\036\027\015\060\066\061\062\061 -\065\060\070\060\060\060\060\132\027\015\062\061\061\062\061\065 -\060\070\060\060\060\060\132\060\114\061\040\060\036\006\003\125 -\004\013\023\027\107\154\157\142\141\154\123\151\147\156\040\122 -\157\157\164\040\103\101\040\055\040\122\062\061\023\060\021\006 -\003\125\004\012\023\012\107\154\157\142\141\154\123\151\147\156 -\061\023\060\021\006\003\125\004\003\023\012\107\154\157\142\141 -\154\123\151\147\156\060\202\001\042\060\015\006\011\052\206\110 -\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001 -\012\002\202\001\001\000\246\317\044\016\276\056\157\050\231\105 -\102\304\253\076\041\124\233\013\323\177\204\160\372\022\263\313 -\277\207\137\306\177\206\323\262\060\134\326\375\255\361\173\334 -\345\370\140\226\011\222\020\365\320\123\336\373\173\176\163\210 -\254\122\210\173\112\246\312\111\246\136\250\247\214\132\021\274 -\172\202\353\276\214\351\263\254\226\045\007\227\112\231\052\007 -\057\264\036\167\277\212\017\265\002\174\033\226\270\305\271\072 -\054\274\326\022\271\353\131\175\342\320\006\206\137\136\111\152 -\265\071\136\210\064\354\274\170\014\010\230\204\154\250\315\113 -\264\240\175\014\171\115\360\270\055\313\041\312\325\154\133\175 -\341\240\051\204\241\371\323\224\111\313\044\142\221\040\274\335 -\013\325\331\314\371\352\047\012\053\163\221\306\235\033\254\310 -\313\350\340\240\364\057\220\213\115\373\260\066\033\366\031\172 -\205\340\155\362\141\023\210\134\237\340\223\012\121\227\212\132 -\316\257\253\325\367\252\011\252\140\275\334\331\137\337\162\251 -\140\023\136\000\001\311\112\372\077\244\352\007\003\041\002\216 -\202\312\003\302\233\217\002\003\001\000\001\243\201\234\060\201 -\231\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001 -\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001 -\001\377\060\035\006\003\125\035\016\004\026\004\024\233\342\007 -\127\147\034\036\300\152\006\336\131\264\232\055\337\334\031\206 -\056\060\066\006\003\125\035\037\004\057\060\055\060\053\240\051 -\240\047\206\045\150\164\164\160\072\057\057\143\162\154\056\147 -\154\157\142\141\154\163\151\147\156\056\156\145\164\057\162\157 -\157\164\055\162\062\056\143\162\154\060\037\006\003\125\035\043 -\004\030\060\026\200\024\233\342\007\127\147\034\036\300\152\006 -\336\131\264\232\055\337\334\031\206\056\060\015\006\011\052\206 -\110\206\367\015\001\001\005\005\000\003\202\001\001\000\231\201 -\123\207\034\150\227\206\221\354\340\112\270\104\013\253\201\254 -\047\117\326\301\270\034\103\170\263\014\232\374\352\054\074\156 -\141\033\115\113\051\365\237\005\035\046\301\270\351\203\000\142 -\105\266\251\010\223\271\251\063\113\030\232\302\370\207\210\116 -\333\335\161\064\032\301\124\332\106\077\340\323\052\253\155\124 -\042\365\072\142\315\040\157\272\051\211\327\335\221\356\323\134 -\242\076\241\133\101\365\337\345\144\103\055\351\325\071\253\322 -\242\337\267\213\320\300\200\031\034\105\300\055\214\350\370\055 -\244\164\126\111\305\005\265\117\025\336\156\104\170\071\207\250 -\176\273\363\171\030\221\273\364\157\235\301\360\214\065\214\135 -\001\373\303\155\271\357\104\155\171\106\061\176\012\376\251\202 -\301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014 -\345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373 -\114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373 -\035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214 -\152\374\176\102\070\100\144\022\367\236\201\341\223\056 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE -CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE - -# Trust for Certificate "GlobalSign Root CA - R2" -# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 -# Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d -# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 -# Not Valid Before: Fri Dec 15 08:00:00 2006 -# Not Valid After : Wed Dec 15 08:00:00 2021 -# Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30 -# Fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "GlobalSign Root CA - R2" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\165\340\253\266\023\205\022\047\034\004\370\137\335\336\070\344 -\267\044\056\376 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\224\024\167\176\076\136\375\217\060\275\101\260\317\347\320\060 -END -CKA_ISSUER MULTILINE_OCTAL -\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157 -\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040 -\055\040\122\062\061\023\060\021\006\003\125\004\012\023\012\107 -\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125 -\004\003\023\012\107\154\157\142\141\154\123\151\147\156 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\013\004\000\000\000\000\001\017\206\046\346\015 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -348,8 +213,9 @@ # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Not Valid Before: Fri Oct 01 00:00:00 1999 # Not Valid After : Wed Jul 16 23:59:59 2036 -# Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73 +# Fingerprint (SHA-256): CB:B5:AF:18:5E:94:2A:24:02:F9:EA:CB:C0:ED:5B:B8:76:EE:A3:C1:22:36:23:D0:04:47:E4:F3:BA:55:4B:65 # Fingerprint (SHA1): 20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5 +# For Email Distrust After: Wed Aug 31 00:00:00 2022 CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE CKA_TOKEN CK_BBOOL CK_TRUE CKA_PRIVATE CK_BBOOL CK_FALSE @@ -461,18 +327,17 @@ END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE -# For Email Distrust After: Wed Aug 31 00:00:00 2022 CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL \062\062\060\070\063\061\060\060\060\060\060\060\132 END -# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3" +# Trust for "Verisign Class 1 Public Primary Certification Authority - G3" # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4 # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US # Not Valid Before: Fri Oct 01 00:00:00 1999 # Not Valid After : Wed Jul 16 23:59:59 2036 -# Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73 +# Fingerprint (SHA-256): CB:B5:AF:18:5E:94:2A:24:02:F9:EA:CB:C0:ED:5B:B8:76:EE:A3:C1:22:36:23:D0:04:47:E4:F3:BA:55:4B:65 # Fingerprint (SHA1): 20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
[-] [+]	Changed	fetch.sh ^
@@ -94,6 +94,21 @@ else release="1.0" fi + + +# fetch the codesigning certs now so we can get +# the code signing version number +if [ ${skip_signed_obj} -eq 0 ]; then + ./fetch_objsign.sh + if [ -f codesign-release.txt ]; then + mcs_version=$(cat codesign-release.txt) + if [[ $ms_version != "unknown" ]]; then + ckbi_version="${ckbi_version}_${mcs_version}" + fi + signobjects="and Microsoft Signed Objects version $ms_version" + fi +fi + version=${year}.${ckbi_version} #make sure the the current version is newer than what is already there @@ -113,13 +128,15 @@ exit 1; fi +# merge the signing certs into the normal certdata.txt file. if [ ${skip_signed_obj} -eq 0 ]; then - ./fetch_objsign.sh + cp certdata.txt certdata.txt.orig + python3 ./mergepem2certdata.py -c "certdata.txt.orig" -p "microsoft_sign_obj_ca.pem" -o "certdata.txt" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate" -x "NEVER" fi # Verify everything is good with the user echo -e "Upgrading ${current_version} -> ${version}:" -echo -e "${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}" +echo -e "${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}${sign_objects}" ./check_certs.sh echo ""
[-] [+]	Changed	fetch_objsign.sh ^
@@ -3,16 +3,62 @@ # This script fetches the object signing list from the Microsoft list. It then # mergest that list into the fetched certdata.txt. # -baseurl="https://ccadb-public.secure.force.com/microsoft/IncludedRootsPEMTxtForMSFT?TrustBitsInclude=Code%20Signing" -target="microsoft_code_siging.pem" +giturl="https://github.com/dotnet/sdk" +gitrawurl="https://raw.githubusercontent.com/dotnet/sdk" +release="latest" +treedir="src/Layout/redist/trustedroots/codesignctl.pem" +target="microsoft_sign_obj_ca.pem" certdata="./certdata.txt" +baseurl="" merge=1 diff=0 + +function getlatest +{ + local url=$1 + local latest="0" + local tags=($(git ls-remote --tags ${url})) + for tag in "${tags[@]}" + do + if [[ ! ${tag} =~ refs/.* ]]; then + continue # skip hashes + fi + if [[ ${tag} =~ .preview. ]]; then + continue # skip preview tags, we only want release tags + fi + if [[ ${tag} =~ .rc. ]]; then + continue # skip release candidate tags, we only want release tags + fi + if [[ ${latest} < ${tag} ]]; then + latest=$tag + fi + done + latest=${latest##refs/tags/} + echo $latest +} + while [ -n "$1" ]; do case $1 in + "-g") + shift + giturl=$1 + ;; + "-r") + shift + gitrawurl=$1 + ;; + "-t") + shift + treedir=$1 + ;; + "-r") + shift + release=$1 + ;; "-u") shift baseurl=$1 + release="unknown" ;; "-o") shift @@ -26,11 +72,16 @@ merge=0 ;; "-d") + shift diff=1 difffile=$1 ;; *) echo "usage: $0 [-u URL] [-o target] [-c certdata] [-n]" + echo "-g URL git URL to fetch code signing list" + echo "-r URL raw git URL to fetch code signing list" + echo "-t URL git tree directory to fetch code signing list" + echo "-r release code signing list release version" echo "-u URL base URL to fetch code signing list" echo "-o target name of the codesigning target" echo "-c certdata patch to certdata.txt to merge with" @@ -42,6 +93,17 @@ shift done +if [ "${release}" = "latest" ]; then + release=$(getlatest ${giturl} ) +fi + +if [ "${baseurl}" = "" ]; then + baseurl="${gitrawurl}/${release}/${treedir}" +fi + +echo $release > "./codesign-release.txt" + +echo "Fetching release=${release}, ${target} from ${baseurl}" wget ${baseurl} -O ${target} @@ -53,7 +115,6 @@ if [ ${diff} -eq 1 ]; then out=${certdata}.out fi - python3 ./mergepem2certdata.py -c "${certdata}" -p "${target}" -o "${out}" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate" if [ ${diff} -eq 1 ]; then
[-] [+]	Changed	mergepem2certdata.py ^
@@ -30,7 +30,7 @@ import getopt import asn1 from cryptography import x509 -from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import hashes, serialization from datetime import datetime from dateutil.parser import parse @@ -118,6 +118,40 @@ return False return obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED' + +def stripQuotes(label) : + if label[:1] == "\"" : + label=label[1:] + if label[-1] == "\"" : + label = label[:-1] + return label + +# another object of the same class has the same label +def labelExists(objlist, obj) : + for iobj in objlist: + if obj['CKA_CLASS'] == iobj['CKA_CLASS'] and obj['CKA_LABEL'] == iobj['CKA_LABEL']: + return True + return False + +# add an object, make sure that label is unique +def addObj(objlist, newObj, specialLabel, drop) : + label = stripQuotes(newObj['CKA_LABEL']) + count=1 + if specialLabel != None : + count=0 + label=label+' '+specialLabel + # make sure the label is unique + while labelExists(objlist, newObj) : + if drop : + return 'DROPPED' + if count != 0 : + newObj['CKA_LABEL'] = "\"%s %d\""%(label,count) + else : + newObj['CKA_LABEL'] = "\"%s\""%label + count=count+1 + objlist.append(obj) + return stripQuotes(newObj['CKA_LABEL']) + try: opts, args = getopt.getopt(sys.argv[1:],"c:o:p:t:l:x:",) except getopt.GetoptError as err: @@ -146,11 +180,13 @@ dateString = arg # parse dateString +print ("datastring=",dateString) verifyDate = True if dateString.upper() == "NEVER": verifyDate = False else: date = getdate(dateString) +print ("verifyDate=",verifyDate) # read the pem file @@ -193,7 +229,7 @@ # collect all the inline comments in this object obj['Comment'] += comment comment = "" - objects.append(obj) + addObj(objects, obj, None, False) obj = dict() in_obj = False continue @@ -232,14 +268,15 @@ binval = bytearray() continue obj[field] = value + if len(list(obj.items())) > 0: - objects.append(obj) + addObj(objects, obj, None, False) # strip out expired certificates from certdata.txt if verifyDate : for obj in objects: if obj['CKA_CLASS'] == 'CKO_CERTIFICATE' : - cert = x509.load_der_x509_certificate(obj['CKA_VALUE']) + cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE'])) if (cert.not_valid_after <= date) : trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER']) # we don't remove distrusted expired certificates @@ -265,11 +302,12 @@ label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value except: label="Unknown Certificate" - if cert.not_valid_after <= date: - print(" Skipping code signing cert %s"%label) - print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y")) - print(" Prune time %s: "%date.strftime("%m/%d/%Y")) - continue + if verifyDate : + if cert.not_valid_after <= date: + print(" Skipping code signing cert %s"%label) + print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y")) + print(" Prune time %s: "%date.strftime("%m/%d/%Y")) + continue certhashsha1 = cert.fingerprint(hashes.SHA1()) certhashmd5 = cert.fingerprint(hashes.MD5()) @@ -292,6 +330,32 @@ break if found : continue + + # check for almost duplicates, certs with the same subject and key, but + # different values. If they exist, treat them as the same certificate + for obj in objects: + if obj['CKA_CLASS'] != 'CKO_CERTIFICATE': + continue + # do they have the same subject? + if obj['CKA_SUBJECT'] != cert.subject.public_bytes(): + continue + # do they have the same public key? + cert2 = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE'])) + if cert2.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) != cert.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) : + continue + #found now update trust record + trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER']) + if trust_obj is None : + print('Couldn\'t find trust object for "'+obj['CKA_LABEL']); + exit + trust_obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR' + found = True + print('Updating sister certificate "'+obj['CKA_LABEL']+'" with code signing based on Microsoft "'+label+'"'); + break + if found : + break + if found : + continue # append this certificate obj=dict() time='%a %b %d %H:%M:%S %Y' @@ -323,7 +387,9 @@ obj['CKA_NSS_MOZILLA_CA_POLICY'] = 'CK_FALSE' obj['CKA_NSS_SERVER_DISTRUST_AFTER'] = 'CK_FALSE' obj['CKA_NSS_EMAIL_DISTRUST_AFTER'] = 'CK_FALSE' - objects.append(obj) + label = addObj(objects, obj, 'CodeSigning', True) + if label == 'DROPPED' : + continue # append the trust values obj=dict() @@ -343,7 +409,7 @@ else: obj[t] = 'CKT_NSS_MUST_VERIFY_TRUST' obj['CKA_TRUST_STEP_UP_APPROVED'] = 'CK_FALSE' - objects.append(obj) + label = addObj(objects, obj, 'CodeSigning', True) print('Adding code signing cert "'+label+'"'); # now dump the results
[-] [+]	Changed	nssckbi.h ^
@@ -46,8 +46,8 @@ * It's recommend to switch back to 0 after having reached version 98/99. / #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 50 -#define NSS_BUILTINS_LIBRARY_VERSION "2.50" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60 +#define NSS_BUILTINS_LIBRARY_VERSION "2.60" / These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
[-] [+]	Changed	update-ca-trust ^
@@ -1,10 +1,10 @@ #!/bin/sh #set -vx +set -eu -# At this time, while this script is trivial, we ignore any parameters given. -# However, for backwards compatibility reasons, future versions of this script must -# support the syntax "update-ca-trust extract" trigger the generation of output +# For backwards compatibility reasons, future versions of this script must +# support the syntax "update-ca-trust extract" trigger the generation of output # files in $DEST. DEST=/etc/pki/ca-trust/extracted @@ -12,11 +12,109 @@ # Prevent p11-kit from reading user configuration files. export P11_KIT_NO_USER_CONFIG=1 -# OpenSSL PEM bundle that includes trust flags -# (BEGIN TRUSTED CERTIFICATE) -/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt -/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem -/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem -/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem -/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts -/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin +usage() { + fold -s -w 76 >&2 <<-EOF + Usage: $0 [extract] [-o DIR\|--output=DIR] + + Update the system trust store in $DEST. + + COMMANDS + (absent/empty command): Same as the extract command described below. + + extract: Instruct update-ca-trust to scan the source configuration in + /usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce + updated versions of the consolidated configuration files stored below + the $DEST directory hierarchy. + + EXTRACT OPTIONS + -o DIR, --output=DIR: Write the extracted trust store into the given + directory instead of updating $DEST. + EOF +} + +extract() { + USER_DEST= + + # can't use getopt here. ca-certificates can't depend on a lot + # of other libraries since openssl depends on ca-certificates + # just fail when we hand parse + + while [ $# -ne 0 ]; do + case "$1" in + "-o"\|"--output") + USER_DEST=$2 + shift 2 + continue + ;; + "--") + shift + break + ;; + ) + usage + exit 1 + ;; + esac + done + + if [ -n "$USER_DEST" ]; then + DEST=$USER_DEST + # Attempt to create the directories if they do not exist + # yet (rhbz#2241240) + /usr/bin/mkdir -p \ + "$DEST"/openssl \ + "$DEST"/pem \ + "$DEST"/java \ + "$DEST"/edk2 + fi + + # OpenSSL PEM bundle that includes trust flags + # (BEGIN TRUSTED CERTIFICATE) + /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt" + /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" + /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem" + /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" + /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts" + /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin" + # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and + # by GnuTLS) + /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash" + + # p11-kit extract will have made this directory unwritable; when run with + # CAP_DAC_OVERRIDE this does not matter, but in container use cases that may + # not be the case. See rhbz#2241240. + if [ -n "$USER_DEST" ]; then + /usr/bin/chmod u+w "$DEST/pem/directory-hash" + fi + + # Debian compatibility: their /etc/ssl/certs has this bundle + /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt" + # Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt + # since https://bugzilla.redhat.com/show_bug.cgi?id=572725 + /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt" + + # Remove write permissions again + if [ -n "$USER_DEST" ]; then + /usr/bin/chmod u-w "$DEST/pem/directory-hash" + fi +} +if [ $# -lt 1 ]; then + set -- extract +fi + +case "$1" in + "extract") + shift + extract $@ + ;; + "--"\|"-") + # First parameter seems to be an option, assume the command is 'extract' + extract $@ + ;; + ) + echo >&2 "Error: Unknown command: $1" + echo >&2 + usage + exit 1 + ;; +esac
[-] [+]	Changed	update-ca-trust.8.txt ^
@@ -27,7 +27,7 @@ SYNOPSIS -------- -update-ca-trust ['COMMAND'] +update-ca-trust [extract] [-o 'DIR'\|--output='DIR'] DESCRIPTION @@ -98,13 +98,13 @@ * add it as a new file to directory /etc/pki/ca-trust/source/anchors/ * run 'update-ca-trust extract' -.QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then: +.QUICK HELP 2: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then: * add it as a new file to directory /etc/pki/ca-trust/source/ * run 'update-ca-trust extract' .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to. * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ -* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ +* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats: @@ -134,7 +134,7 @@ format or in the PEM (BEGIN/END CERTIFICATE) file format. Each certificate will be treated as trusted for all purposes. -In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ +In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ you may install one or multiple certificates in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format. Each certificate will be treated as distrusted for all purposes. @@ -214,15 +214,23 @@ COMMANDS -------- -(absent/empty command):: - Same as the extract command described below. (However, the command may - print fewer warnings, as this command is being run during rpm package - installation, where non-fatal status output is undesired.) - -extract:: - Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce - updated versions of the consolidated configuration files stored below - the /etc/pki/ca-trust/extracted directory hierarchy. +(absent/empty command) +~~~~~~~~~~~~~~~~~~~~~~ +Same as the extract command described below. (However, the command may print +fewer warnings, as this command is being run during rpm package installation, +where non-fatal status output is undesired.) + +extract +~~~~~~~ +Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and +produce updated versions of the consolidated configuration files stored below +the /etc/pki/ca-trust/extracted directory hierarchy. + +EXTRACT OPTIONS +^^^^^^^^^^^^^^^ +-o DIR, --output=DIR:: + Write the extracted trust store into the given directory instead of + updating /etc/pki/ca-trust/extracted. FILES -----