diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/README.openssl b/README.openssl deleted file mode 100644 index 99f8d79..0000000 --- a/README.openssl +++ /dev/null @@ -1,18 +0,0 @@ -This directory /etc/pki/ca-trust/extracted/openssl/ contains -CA certificate bundle files which are automatically created -based on the information found in the -/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ -directories. - -All files are in the BEGIN/END TRUSTED CERTIFICATE file format, -as described in the x509(1) manual page. - -If your application isn't able to load the PKCS#11 module p11-kit-trust.so, -then you can use these files in your application to load a list of global -root CA certificates. - -Please never manually edit the files stored in this directory, -because your changes will be lost and the files automatically overwritten, -each time the update-ca-trust command gets executed. - -Please refer to the update-ca-trust(8) manual page for additional information. diff --git a/ca-certificates.spec b/ca-certificates.spec index d38dd44..2f9e003 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -1,7 +1,5 @@ %define pkidir %{_sysconfdir}/pki %define catrustdir %{_sysconfdir}/pki/ca-trust -%define classic_tls_bundle ca-bundle.crt -%define openssl_format_trust_bundle ca-bundle.trust.crt %define p11_format_bundle ca-bundle.trust.p11-kit %define legacy_default_bundle ca-bundle.legacy.default.crt %define legacy_disable_bundle ca-bundle.legacy.disable.crt @@ -38,7 +36,7 @@ Name: ca-certificates Version: 2025.2.80_v9.0.304 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.1%{?dist} +Release: 3%{?dist} License: MIT AND GPL-2.0-or-later URL: https://fedoraproject.org/wiki/CA-Certificates @@ -57,7 +55,6 @@ Source11: README.usr Source12: README.etc Source13: README.extr Source14: README.java -Source15: README.openssl Source16: README.pem Source17: README.edk2 Source18: README.src @@ -192,7 +189,6 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source @@ -208,7 +204,6 @@ install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/REA install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README -install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README @@ -240,8 +235,6 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem -touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} -chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin @@ -298,23 +291,13 @@ sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt # expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882 ln -s %{pkidir}/tls/certs \ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem ln -s /etc/pki/tls/openssl.cnf \ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf ln -s /etc/pki/tls/ct_log_list.cnf \ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf # legacy filenames -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem ln -s %{catrustdir}/extracted/%{java_bundle} \ $RPM_BUILD_ROOT%{pkidir}/%{java_bundle} -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle} -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-certificates.crt -ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \ - $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle} %clean /usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash @@ -322,6 +305,14 @@ rm -rf $RPM_BUILD_ROOT %pre if [ $1 -gt 1 ] ; then + # Remove the old symlinks + rm -f %{pkidir}/tls/cert.pem + rm -f %{pkidir}/tls/certs/ca-bundle.crt + rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt + rm -f %{pkidir}/tls/certs/ca-certificates.crt + rm -f %{_sysconfdir}/ssl/cert.pem + + # Upgrade or Downgrade. # If the classic filename is a regular file, then we are upgrading # from an old package and we will move it to an .rpmsave backup file. @@ -342,28 +333,6 @@ if [ $1 -gt 1 ] ; then fi fi fi - - if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then - # no backup yet - if test -e %{pkidir}/tls/certs/%{classic_tls_bundle}; then - # a file exists - if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then - # it's an old regular file, not a link - mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave - fi - fi - fi - - if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then - # no backup yet - if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then - # a file exists - if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then - # it's an old regular file, not a link - mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave - fi - fi - fi fi @@ -404,7 +373,6 @@ fi %dir %{catrustdir}/source/blocklist %dir %{catrustdir}/extracted %dir %{catrustdir}/extracted/pem -%dir %{catrustdir}/extracted/openssl %dir %{catrustdir}/extracted/java %dir %{_datadir}/pki %dir %{_datadir}/pki/ca-trust-source @@ -421,22 +389,16 @@ fi %{catrustdir}/README %{catrustdir}/extracted/README %{catrustdir}/extracted/java/README -%{catrustdir}/extracted/openssl/README %{catrustdir}/extracted/pem/README %{catrustdir}/extracted/edk2/README %{catrustdir}/source/README # symlinks for old locations -%{pkidir}/tls/cert.pem -%{pkidir}/tls/certs/%{classic_tls_bundle} -%{pkidir}/tls/certs/%{openssl_format_trust_bundle} -%{pkidir}/tls/certs/ca-certificates.crt %{pkidir}/%{java_bundle} # Hybrid hash directory with bundle file for Debian compatibility # See https://bugzilla.redhat.com/show_bug.cgi?id=1053882 %{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/README -%{_sysconfdir}/ssl/cert.pem %{_sysconfdir}/ssl/openssl.cnf %{_sysconfdir}/ssl/ct_log_list.cnf @@ -453,27 +415,14 @@ fi %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem -%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} %ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/edk2/cacerts.bin %changelog -* Tue Aug 26 2025 Frantisek Krenzelok - 2025.2.80_v9.0.304-1.1 -- Revert the "Dropping of cert.pem file" change to restore legacy CA symlinks -- https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile -- Restored directory /etc/pki/ca-trust/extracted/openssl -- Remove update-ca-trust extract compatibility option -- Restored symlinks: - - /etc/pki/tls/cert.pem - - /etc/pki/tls/certs/ca-certificates.crt - - /etc/pki/tls/certs/ca-bundle.trust.crt - - /etc/pki/tls/certs/ca-bundle.crt - - /etc/ssl/cert.pem - - /etc/ssl/certs/ca-certificates.crt - - /etc/ssl/certs/ca-bundle.trust.crt - - /etc/ssl/certs/ca-bundle.crt +*Tue Sep 16 2025 Frantisek Krenzelok - 2025.2.80_v9.0.304-3 +- Migrate STI test to tmt -*Tue Aug 26 2025 rhel-developer-toolbox - 2025.2.80_v9.0.304-1.0 +*Tue Aug 26 2025 rhel-developer-toolbox - 2025.2.80_v9.0.304-2 - Update to CKBI 2.80_v9.0.304 from NSS 3.114 - Adding: - # Certificate "TWCA CYBER Root CA" diff --git a/plans/smoke.fmf b/plans/smoke.fmf new file mode 100644 index 0000000..5e339a4 --- /dev/null +++ b/plans/smoke.fmf @@ -0,0 +1,4 @@ + discover: + how: fmf + execute: + how: tmt diff --git a/tests/smoke-test/Makefile b/tests/smoke-test/Makefile deleted file mode 100644 index b490f26..0000000 --- a/tests/smoke-test/Makefile +++ /dev/null @@ -1,64 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/ca-certificates/Sanity/smoke-test -# Description: Check presence of Verisign root. -# Author: Ondrej Moris -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2010 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/ca-certificates/Sanity/smoke-test -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Ondrej Moris " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: Check presence of Verisign root." >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: ca-certificates" >> $(METADATA) - @echo "Requires: ca-certificates" >> $(METADATA) - @echo "Requires: wget" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/smoke-test/PURPOSE b/tests/smoke-test/PURPOSE deleted file mode 100644 index 9f8f063..0000000 --- a/tests/smoke-test/PURPOSE +++ /dev/null @@ -1,3 +0,0 @@ -PURPOSE of /CoreOS/ca-certificates/Sanity/smoke-test -Description: Check presence of Verisign root. -Author: Ondrej Moris diff --git a/tests/smoke-test/main.fmf b/tests/smoke-test/main.fmf new file mode 100644 index 0000000..5dd20c1 --- /dev/null +++ b/tests/smoke-test/main.fmf @@ -0,0 +1,5 @@ +summary: Check presence of Verisign root. +test: bash ./runtest.sh +framework: beakerlib +recommend: + - beakerlib diff --git a/tests/smoke-test/runtest.sh b/tests/smoke-test/runtest.sh old mode 100644 new mode 100755 index 349b38a..084be23 --- a/tests/smoke-test/runtest.sh +++ b/tests/smoke-test/runtest.sh @@ -27,7 +27,7 @@ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Include rhts environment -. /usr/lib/beakerlib/beakerlib.sh +. /usr/share/beakerlib/beakerlib.sh || exit 1 PACKAGE="ca-certificates" diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index 2e53c43..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# This first play always runs on the local staging system -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - atomic - - classic - - container - tests: - - smoke-test - required_packages: - - findutils # beakerlib needs find command diff --git a/update-ca-trust b/update-ca-trust index 2a80b99..5a07260 100755 --- a/update-ca-trust +++ b/update-ca-trust @@ -31,11 +31,44 @@ usage() { -o DIR, --output DIR: Write the extracted trust store into the given directory instead of updating $DEST. (Note: This option will not populate the ../pki/tls/certs with the directory-hash symbolic links.) + + --rhbz2387674: A temporary compatibility option that restores several + legacy certificate-bundle symlinks (e.g., /etc/ssl/cert.pem) to + address issues with older software. + These symlinks will be removed on ca-certificate updates or reinstalls, + so you'll have to re-run this command after ca-certificates updates if + the issue is still not fixed. + WARNING: Do not use in automation or build scripts. This flag + is going to be removed in a future release, and any scripts relying on + it will inevitably break! + EOF +} + +rhbz2387674_msg() { + fold -s -w 76 >&2 <<-EOF + ---------------------------------------------------------------------------- + ** DEPRECATION WARNING ** + ---------------------------------------------------------------------------- + The option --rhbz2387674 is a temporary workaround and will be removed in a + future release. Please do not use it in build scripts or automation. + + ---------------------------------------------------------------------------- + ** ACTION REQUIRED ** + ---------------------------------------------------------------------------- + To ensure the affected package works correctly in the future, a bug report must + be filed. + + 1. Check if a bug already exists for the affected package: https://bugzilla.redhat.com/buglist.cgi?component=ca-certificates&product=Fedora&short_desc=droppingOfCertPemFile%20package%3A&short_desc_type=allwordssubstr + + 2. If no bug exists, please file a new one using this template: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=ca-certificates&version=rawhide&short_desc=droppingOfCertPemFile+package:+<>+is+affected + + Thank you for helping improve Fedora. EOF } extract() { USER_DEST= + compat= # can't use getopt here. ca-certificates can't depend on a lot # of other libraries since openssl depends on ca-certificates @@ -53,6 +86,11 @@ extract() { shift 2 continue ;; + "--rhbz2387674") + compat="true" + shift + continue + ;; "--") shift break @@ -64,6 +102,12 @@ extract() { esac done + if [[ "$compat" = "true" && -n "$USER_DEST" ]]; then + echo "Error: arguments '-o DIR|--output DIR' and '--rhbz2387674' can't be used together" + exit 1 + + fi + if [ -n "$USER_DEST" ]; then DEST=$USER_DEST # Attempt to create the directories if they do not exist @@ -84,7 +128,6 @@ extract() { # OpenSSL PEM bundle that includes trust flags # (BEGIN TRUSTED CERTIFICATE) - /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" @@ -95,6 +138,22 @@ extract() { /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash" + if [ -n "$compat" ]; then + # print warning message + rhbz2387674_msg + + # bring back bundle in openssl trust format + /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST_CERTS/ca-bundle.trust.crt" + + # create symlinks to /etc/pki/tls/.. + ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/../cert.pem" + ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-certificates.crt" + ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-bundle.crt" + + # create symlinks to /etc/ssl/ the certs folder is already sym-linked + ln -sf "$DEST/pem/tls-ca-bundle.pem" "/etc/ssl/cert.pem" + fi + if [ -z "$USER_DEST" ]; then find "$DEST/pem/directory-hash" -type l -regextype posix-extended \ -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do diff --git a/update-ca-trust.8.txt b/update-ca-trust.8.txt index bcdb057..0acc871 100644 --- a/update-ca-trust.8.txt +++ b/update-ca-trust.8.txt @@ -235,10 +235,6 @@ EXTRACT OPTIONS FILES ----- -/etc/pki/tls/certs/ca-bundle.trust.crt:: - Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. - This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. - /etc/pki/java/cacerts:: Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. @@ -257,6 +253,24 @@ FILES /etc/pki/tls/certs:: Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command, they are inteded as a internal format for OpenSSL and not to be used directly by the other crypto libraries or applications. +LEGACY FILES +------------ +The following file paths were used in legacy versions of the utility +and have since been replaced. Scripts and configurations referencing +these old paths should be updated. + +/etc/pki/cert.pem:: + This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. + +/etc/pki/tls/certs/ca-certificates.crt:: + This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. + +/etc/pki/tls/certs/ca-bundle.crt:: + This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. + +/etc/pki/tls/certs/ca-bundle.trust.crt:: + This has been replaced by the directory-hash format certificates stored in /etc/pki/ca-trust/extracted/pem/directory-hash/ directory. + AUTHOR ------ Written by Kai Engert and Stef Walter.