diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/README.openssl b/README.openssl deleted file mode 100644 index 7c368a9..0000000 --- a/README.openssl +++ /dev/null @@ -1,18 +0,0 @@ -This directory /etc/pki/ca-trust/extracted/openssl/ contains -CA certificate bundle files which are automatically created -based on the information found in the -/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ -directories. - -All files are in the BEGIN/END TRUSTED CERTIFICATE file format, -as described in the x509(1) manual page. - -If your application isn't able to load the PKCS#11 module p11-kit-trust.so, -then you can use these files in your application to load a list of global -root CA certificates. - -Please never manually edit the files stored in this directory, -because your changes will be lost and the files automatically overwritten, -each time the update-ca-trust command gets executed. - -Please refer to the update-ca-trust(8) manual page for additional information. diff --git a/ca-certificates.spec b/ca-certificates.spec index 3111c39..2f9e003 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -1,7 +1,5 @@ %define pkidir %{_sysconfdir}/pki %define catrustdir %{_sysconfdir}/pki/ca-trust -%define classic_tls_bundle ca-bundle.crt -%define openssl_format_trust_bundle ca-bundle.trust.crt %define p11_format_bundle ca-bundle.trust.p11-kit %define legacy_default_bundle ca-bundle.legacy.default.crt %define legacy_disable_bundle ca-bundle.legacy.disable.crt @@ -38,7 +36,7 @@ Name: ca-certificates Version: 2025.2.80_v9.0.304 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.0%{?dist} +Release: 3%{?dist} License: MIT AND GPL-2.0-or-later URL: https://fedoraproject.org/wiki/CA-Certificates 
@@ -57,7 +55,6 @@ Source11: README.usr Source12: README.etc Source13: README.extr Source14: README.java -Source15: README.openssl Source16: README.pem Source17: README.edk2 Source18: README.src @@ -66,6 +63,7 @@ Source19: README.etcssl BuildArch: noarch Requires(post): bash +Requires(post): findutils Requires(post): grep Requires(post): sed Requires(post): coreutils @@ -190,7 +188,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem -mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl +mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source @@ -206,7 +204,6 @@ install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/REA install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README -install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README 
@@ -238,36 +235,84 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem -touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} -chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle} touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin +# Populate %%{catrustdir}/extracted/pem/directory-hash. +# +# First direct p11-kit-trust.so to the generated bundle (not the one +# already present on the build system) with an overriding module +# config. Note that we have to use a different config path based on +# the current user: if root, ~/.config/pkcs11/modules/* are not read, +# while if a regular user, she can't write to /etc. +if test "$(id -u)" -eq 0; then + trust_module_dir=/etc/pkcs11/modules +else + trust_module_dir=$HOME/.config/pkcs11/modules +fi + +mkdir -p "$trust_module_dir" + +# It is unlikely that the directory would contain any files on a build system, +# but let's make sure just in case. +if [ -n "$(ls -A "$trust_module_dir")" ]; then + echo "Directory $trust_module_dir is not empty. Aborting build!" 
+ exit 1 +fi + +trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module +cat >"$trust_module_config" < .files.txt +find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \ + -regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt + +sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt + # /etc/ssl is provided in a Debian compatible form for (bad) code that # expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882 -ln -s %{catrustdir}/extracted/pem/directory-hash \ +ln -s %{pkidir}/tls/certs \ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem ln -s /etc/pki/tls/openssl.cnf \ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf ln -s /etc/pki/tls/ct_log_list.cnf \ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf # legacy filenames -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem -ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ - $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle} -ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \ - $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle} ln -s %{catrustdir}/extracted/%{java_bundle} \ $RPM_BUILD_ROOT%{pkidir}/%{java_bundle} +%clean +/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash +rm -rf $RPM_BUILD_ROOT %pre if [ $1 -gt 1 ] ; then + # Remove the old symlinks + rm -f %{pkidir}/tls/cert.pem + rm -f %{pkidir}/tls/certs/ca-bundle.crt + rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt + rm -f %{pkidir}/tls/certs/ca-certificates.crt + rm -f %{_sysconfdir}/ssl/cert.pem + + # Upgrade or Downgrade. # If the classic filename is a regular file, then we are upgrading # from an old package and we will move it to an .rpmsave backup file. 
@@ -288,28 +333,6 @@ if [ $1 -gt 1 ] ; then fi fi fi - - if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then - # no backup yet - if test -e %{pkidir}/tls/certs/%{classic_tls_bundle}; then - # a file exists - if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then - # it's an old regular file, not a link - mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave - fi - fi - fi - - if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then - # no backup yet - if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then - # a file exists - if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then - # it's an old regular file, not a link - mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave - fi - fi - fi fi @@ -338,7 +361,8 @@ fi %{_bindir}/ca-legacy install %{_bindir}/update-ca-trust -%files +# The file .files.txt contains the list of (%ghost )files in the directory-hash +%files -f .files.txt %dir %{_sysconfdir}/ssl %dir %{pkidir}/tls %dir %{pkidir}/tls/certs @@ -349,13 +373,13 @@ fi %dir %{catrustdir}/source/blocklist %dir %{catrustdir}/extracted %dir %{catrustdir}/extracted/pem -%dir %{catrustdir}/extracted/openssl %dir %{catrustdir}/extracted/java %dir %{_datadir}/pki %dir %{_datadir}/pki/ca-trust-source %dir %{_datadir}/pki/ca-trust-source/anchors %dir %{_datadir}/pki/ca-trust-source/blocklist %dir %{_datadir}/pki/ca-trust-legacy +%dir %{catrustdir}/extracted/pem/directory-hash %config(noreplace) %{catrustdir}/ca-legacy.conf 
@@ -365,21 +389,16 @@ fi %{catrustdir}/README %{catrustdir}/extracted/README %{catrustdir}/extracted/java/README -%{catrustdir}/extracted/openssl/README %{catrustdir}/extracted/pem/README %{catrustdir}/extracted/edk2/README %{catrustdir}/source/README # symlinks for old locations -%{pkidir}/tls/cert.pem -%{pkidir}/tls/certs/%{classic_tls_bundle} -%{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/%{java_bundle} # Hybrid hash directory with bundle file for Debian compatibility # See https://bugzilla.redhat.com/show_bug.cgi?id=1053882 %{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/README -%{_sysconfdir}/ssl/cert.pem %{_sysconfdir}/ssl/openssl.cnf %{_sysconfdir}/ssl/ct_log_list.cnf @@ -396,13 +415,14 @@ fi %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem -%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} %ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/edk2/cacerts.bin - %changelog -*Tue Aug 26 2025 rhel-developer-toolbox - 2025.2.80_v9.0.304-1.0 +*Tue Sep 16 2025 Frantisek Krenzelok - 2025.2.80_v9.0.304-3 +- Migrate STI test to tmt + +*Tue Aug 26 2025 rhel-developer-toolbox - 2025.2.80_v9.0.304-2 - Update to CKBI 2.80_v9.0.304 from NSS 3.114 - Adding: - # Certificate "TWCA CYBER Root CA" 
@@ -419,12 +439,61 @@ fi - # Certificate "SwissSign RSA SMIME Root CA 2022 - 1" - # Certificate "SwissSign RSA TLS Root CA 2022 - 1" -*Mon Sep 23 2024 Frantisek Krenzelok - 2024.2.69_v8.0.401-1.0 +* Tue Aug 12 2025 Frantisek Krenzelok - 2024.2.69_v8.0.401-8 +- update-ca-trust: Added a temporary, compatibility option `--rhbz2387674` to + the `extract` command. This flag restores legacy certificate + symlinks (e.g., `/etc/ssl/cert.pem`) to address issues with older software + that has not yet adapted to their removal. This essentially provides a + temporary way to revert the "Dropping of cert.pem file". + +* Wed Jul 23 2025 Fedora Release Engineering - 2024.2.69_v8.0.401-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Wed Jul 9 2025 Frantisek Krenzelok - 2024.2.69_v8.0.401-6 +- Change: Dropping of cert.pem file (Resolves: rhbz#2360110) + https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile +- Remove the following symlinks: +- # /etc/pki/tls/cert.pem +- # /etc/pki/tls/certs/ca-certificates.crt +- # /etc/pki/tls/certs/ca-bundle.trust.crt +- # /etc/pki/tls/certs/ca-bundle.crt +- # /etc/ssl/cert.pem +- # /etc/ssl/certs/ca-certificates.crt +- # /etc/ssl/certs/ca-bundle.trust.crt +- # /etc/ssl/certs/ca-bundle.crt +- Directory /etc/pki/ca-trust/extracted/openssl is being deprecated, + it is removed upon updating unless there are files present inside it. 
+ +* Thu Jan 16 2025 Fedora Release Engineering - 2024.2.69_v8.0.401-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +*Tue Dec 17 2024 Frantisek Krenzelok - 2024.2.69_v8.0.401-4 +- Bring back /etc/pki/tls/certs/ca-certificates.crt + +*Fri Sep 27 2024 Frantisek Krenzelok - 2024.2.69_v8.0.401-3 +- Bring back /etc/pki/tls/cert.pem + +*Fri Sep 27 2024 Michel Lind - 2024.2.69_v8.0.401-2 +- Add missing Requires(post) on findutils for update-ca-trust +- Fixes: RHBZ#2315320 + +*Mon Sep 23 2024 Frantisek Krenzelok - 2024.2.69_v8.0.401-1 - Update to CKBI 2.69_v8.0.401 from NSS 3.103 - Adding: - # Certificate "Sectigo Public Code Signing Root R46" - # Certificate "Sectigo Public Code Signing Root E46" +*Wed Aug 28 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-5 +- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs +- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default + +*Tue Aug 27 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-5 +- update-ca-trust: return warnings on a unsupported argument instead of error + +*Tue Aug 27 2024 Frantisek Krenzelok - 2024.2.69_v8.0.303-5 +- Temporarily generate the directory-hash files in %%install ...(next item) +- Add list of ghost files from directory-hash to %%files + *Mon Jul 29 2024 Frantisek Krenzelok - 2024.2.68_v8.0.302-5 - Add libffi to required packages diff --git a/plans/smoke.fmf b/plans/smoke.fmf new file mode 100644 index 0000000..5e339a4 --- /dev/null +++ b/plans/smoke.fmf @@ -0,0 +1,4 @@ + discover: + how: fmf + execute: + how: tmt diff --git a/tests/smoke-test/Makefile b/tests/smoke-test/Makefile deleted file mode 100644 index b490f26..0000000 --- a/tests/smoke-test/Makefile +++ /dev/null 
@@ -1,64 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/ca-certificates/Sanity/smoke-test -# Description: Check presence of Verisign root. -# Author: Ondrej Moris -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2010 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/ca-certificates/Sanity/smoke-test -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Ondrej Moris " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: Check presence of Verisign root." 
>> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: ca-certificates" >> $(METADATA) - @echo "Requires: ca-certificates" >> $(METADATA) - @echo "Requires: wget" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/smoke-test/PURPOSE b/tests/smoke-test/PURPOSE deleted file mode 100644 index 9f8f063..0000000 --- a/tests/smoke-test/PURPOSE +++ /dev/null @@ -1,3 +0,0 @@ -PURPOSE of /CoreOS/ca-certificates/Sanity/smoke-test -Description: Check presence of Verisign root. -Author: Ondrej Moris diff --git a/tests/smoke-test/main.fmf b/tests/smoke-test/main.fmf new file mode 100644 index 0000000..5dd20c1 --- /dev/null +++ b/tests/smoke-test/main.fmf @@ -0,0 +1,5 @@ +summary: Check presence of Verisign root. +test: bash ./runtest.sh +framework: beakerlib +recommend: + - beakerlib diff --git a/tests/smoke-test/runtest.sh b/tests/smoke-test/runtest.sh old mode 100644 new mode 100755 index 349b38a..084be23 --- a/tests/smoke-test/runtest.sh +++ b/tests/smoke-test/runtest.sh @@ -27,7 +27,7 @@ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Include rhts environment -. /usr/lib/beakerlib/beakerlib.sh +. /usr/share/beakerlib/beakerlib.sh || exit 1 PACKAGE="ca-certificates" diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index 2e53c43..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# This first play always runs on the local staging system -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - atomic - - classic - - container - tests: - - smoke-test - required_packages: - - findutils # beakerlib needs find command diff --git a/update-ca-trust b/update-ca-trust old mode 100644 new mode 100755 index a93f496..5a07260 --- a/update-ca-trust +++ b/update-ca-trust 
@@ -8,18 +8,19 @@ set -eu # files in $DEST. DEST=/etc/pki/ca-trust/extracted +DEST_CERTS=/etc/pki/tls/certs # Prevent p11-kit from reading user configuration files. export P11_KIT_NO_USER_CONFIG=1 usage() { fold -s -w 76 >&2 <<-EOF - Usage: $0 [extract] [-o DIR|--output=DIR] + Usage: $0 [extract] [-o DIR|--output DIR] Update the system trust store in $DEST. COMMANDS - (absent/empty command): Same as the extract command described below. + (absent/empty command): Same as the extract command without arguments. extract: Instruct update-ca-trust to scan the source configuration in /usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce 
@@ -27,13 +28,47 @@ usage() { the $DEST directory hierarchy. EXTRACT OPTIONS - -o DIR, --output=DIR: Write the extracted trust store into the given - directory instead of updating $DEST. + -o DIR, --output DIR: Write the extracted trust store into the given + directory instead of updating $DEST. (Note: This option will not + populate the ../pki/tls/certs with the directory-hash symbolic links.) + + --rhbz2387674: A temporary compatibility option that restores several + legacy certificate-bundle symlinks (e.g., /etc/ssl/cert.pem) to + address issues with older software. + These symlinks will be removed on ca-certificate updates or reinstalls, + so you'll have to re-run this command after ca-certificates updates if + the issue is still not fixed. + WARNING: Do not use in automation or build scripts. This flag + is going to be removed in a future release, and any scripts relying on + it will inevitably break! + EOF +} + +rhbz2387674_msg() { + fold -s -w 76 >&2 <<-EOF + ---------------------------------------------------------------------------- + ** DEPRECATION WARNING ** + ---------------------------------------------------------------------------- + The option --rhbz2387674 is a temporary workaround and will be removed in a + future release. Please do not use it in build scripts or automation. + + ---------------------------------------------------------------------------- + ** ACTION REQUIRED ** + ---------------------------------------------------------------------------- + To ensure the affected package works correctly in the future, a bug report must + be filed. + + 1. Check if a bug already exists for the affected package: https://bugzilla.redhat.com/buglist.cgi?component=ca-certificates&product=Fedora&short_desc=droppingOfCertPemFile%20package%3A&short_desc_type=allwordssubstr + + 2. 
If no bug exists, please file a new one using this template: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=ca-certificates&version=rawhide&short_desc=droppingOfCertPemFile+package:+<>+is+affected + + Thank you for helping improve Fedora. EOF } extract() { USER_DEST= + compat= # can't use getopt here. ca-certificates can't depend on a lot # of other libraries since openssl depends on ca-certificates @@ -41,22 +76,38 @@ extract() { while [ $# -ne 0 ]; do case "$1" in - "-o"|"--output") + "-o"|"--output") + if [ $# -lt 2 ]; then + echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage." + echo >&2 + exit 1 + fi USER_DEST=$2 shift 2 continue ;; + "--rhbz2387674") + compat="true" + shift + continue + ;; "--") shift break ;; *) - usage + echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage." exit 1 ;; esac done + if [[ "$compat" = "true" && -n "$USER_DEST" ]]; then + echo "Error: arguments '-o DIR|--output DIR' and '--rhbz2387674' can't be used together" + exit 1 + + fi + if [ -n "$USER_DEST" ]; then DEST=$USER_DEST # Attempt to create the directories if they do not exist 
@@ -68,9 +119,15 @@ extract() { "$DEST"/edk2 fi + + # Delete all directory hash symlinks from the cert directory + if [ -z "$USER_DEST" ]; then + find "$DEST_CERTS" -type l -regextype posix-extended \ + -regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \; + fi + # OpenSSL PEM bundle that includes trust flags # (BEGIN TRUSTED CERTIFICATE) - /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" 
@@ -80,23 +137,31 @@ extract() { # by GnuTLS) /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash" - # p11-kit extract will have made this directory unwritable; when run with - # CAP_DAC_OVERRIDE this does not matter, but in container use cases that may - # not be the case. See rhbz#2241240. - if [ -n "$USER_DEST" ]; then - /usr/bin/chmod u+w "$DEST/pem/directory-hash" - fi - # Debian compatibility: their /etc/ssl/certs has this bundle - /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt" - # Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt - # since https://bugzilla.redhat.com/show_bug.cgi?id=572725 - /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt" + if [ -n "$compat" ]; then + # print warning message + rhbz2387674_msg - # Remove write permissions again - if [ -n "$USER_DEST" ]; then - /usr/bin/chmod u-w "$DEST/pem/directory-hash" - fi + # bring back bundle in openssl trust format + /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST_CERTS/ca-bundle.trust.crt" + + # create symlinks to /etc/pki/tls/.. + ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/../cert.pem" + ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-certificates.crt" + ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-bundle.crt" + + # create symlinks to /etc/ssl/ the certs folder is already sym-linked + ln -sf "$DEST/pem/tls-ca-bundle.pem" "/etc/ssl/cert.pem" + fi + + if [ -z "$USER_DEST" ]; then + find "$DEST/pem/directory-hash" -type l -regextype posix-extended \ + -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do + target=$(readlink -f "$link") + new_link="$DEST_CERTS/$(basename "$link")" + ln -s "$target" "$new_link" + done + fi } if [ $# -lt 1 ]; then set -- extract 
@@ -105,16 +170,14 @@ fi case "$1" in "extract") shift - extract $@ + extract "$@" ;; - "--"*|"-"*) - # First parameter seems to be an option, assume the command is 'extract' - extract $@ + "--help") + usage + exit 0 ;; *) - echo >&2 "Error: Unknown command: $1" - echo >&2 - usage + echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage." exit 1 ;; esac diff --git a/update-ca-trust.8.txt b/update-ca-trust.8.txt index 51ed02b..0acc871 100644 --- a/update-ca-trust.8.txt +++ b/update-ca-trust.8.txt @@ -230,18 +230,11 @@ EXTRACT OPTIONS ^^^^^^^^^^^^^^^ *-o DIR*, *--output=DIR*:: Write the extracted trust store into the given directory instead of - updating /etc/pki/ca-trust/extracted. + updating /etc/pki/ca-trust/extracted. (Note: This option will not + populate the ../pki/tls/certs with the directory-hash symbolic links.) FILES ----- -/etc/pki/tls/certs/ca-bundle.crt:: - Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. - This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. - -/etc/pki/tls/certs/ca-bundle.trust.crt:: - Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. - This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. - /etc/pki/java/cacerts:: Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. 
@@ -257,6 +250,27 @@ FILES which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. See section <> for additional details. +/etc/pki/tls/certs:: + Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command, they are inteded as a internal format for OpenSSL and not to be used directly by the other crypto libraries or applications. + +LEGACY FILES +------------ +The following file paths were used in legacy versions of the utility +and have since been replaced. Scripts and configurations referencing +these old paths should be updated. + +/etc/pki/cert.pem:: + This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. + +/etc/pki/tls/certs/ca-certificates.crt:: + This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. + +/etc/pki/tls/certs/ca-bundle.crt:: + This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. + +/etc/pki/tls/certs/ca-bundle.trust.crt:: + This has been replaced by the directory-hash format certificates stored in /etc/pki/ca-trust/extracted/pem/directory-hash/ directory. + AUTHOR ------ Written by Kai Engert and Stef Walter.
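Review bot: in the ca-certificates.spec %install hunk that populates extracted/pem/directory-hash, the override module config written to `$trust_module_config` (under /etc/pkcs11/modules when building as root) is not removed anywhere in the lines shown, so a build host can be left with a p11-kit module config pointing at `$RPM_BUILD_ROOT`; delete the file (and the directory, if this script created it) once `.files.txt` has been generated, preferably from a `trap` so an aborted build cleans up too. Separately, `sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt` produces `%ghost //etc/pki/tls/certs/...` whenever `$RPM_BUILD_ROOT` has no trailing slash, because the remainder of each `find` result already starts with `/`; `s|^$RPM_BUILD_ROOT|%ghost |` keeps the paths canonical.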
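Review bot: in the %pre hunk, the new `rm -f %{pkidir}/tls/cert.pem`, `rm -f %{pkidir}/tls/certs/ca-bundle.crt` and sibling lines run unconditionally on upgrade and do not check for a symlink, although the comment says "Remove the old symlinks"; the same change deletes the `.rpmsave` handling for `%{classic_tls_bundle}` and `%{openssl_format_trust_bundle}`, so an administrator-managed regular file at one of these paths is now removed outright instead of being preserved as `.rpmsave` as the retained "If the classic filename is a regular file" comment still promises. Guard each removal with `test -L`, e.g. `[ -L %{pkidir}/tls/certs/ca-bundle.crt ] && rm -f %{pkidir}/tls/certs/ca-bundle.crt`, or keep the backup logic and run it first.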
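Review bot: in the %changelog hunk, the new `*Tue Sep 16 2025 Frantisek Krenzelok - 2025.2.80_v9.0.304-3` entry omits the space after `*` that the `* Tue Aug 12 2025` and `* Wed Jul 23 2025` entries use, and the three added 2024 entries dated Aug 27, Aug 27 and Aug 28 all carry release `2024.2.69_v8.0.303-5`, so two of them need their own release numbers. Minor: "return warnings on a unsupported argument" should read "an unsupported argument".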
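Review bot: in the argument-parsing hunk of `extract()` in update-ca-trust, the error for combining `-o DIR|--output DIR` with `--rhbz2387674` is printed with a bare `echo` while every other error in the function uses `echo >&2`; send it to stderr as well. The same check uses `[[ ... && ... ]]`, a bashism, whereas the rest of the script uses `[ ... ]`; `if [ "$compat" = "true" ] && [ -n "$USER_DEST" ]; then` keeps it consistent and POSIX. In the `rhbz2387674_msg` heredoc the bug-template URL ends in `+<>+is+affected`, an empty placeholder; say what the user is expected to put there (the name of the affected package).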
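Review bot: in the `--rhbz2387674` hunk of `extract()`, `trust extract --format=openssl-bundle ... "$DEST_CERTS/ca-bundle.trust.crt"` writes a regular file into /etc/pki/tls/certs, but the cleanup at the top of the function only removes links matching `'.*/[0-9a-f]{8}\.[0-9]+'`, so a later run without the flag leaves that bundle in place with stale contents until the next package upgrade's %pre; remove `ca-bundle.trust.crt` and the compat symlinks in the non-compat path (or regenerate them when present) so a plain `update-ca-trust` never leaves an outdated trust bundle behind. In the directory-hash copy loop, use `while read -r link` and `ln -sf "$target" "$new_link"` so the loop survives a link that escaped the earlier removal instead of aborting under `set -e`.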
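Review bot: in the command-dispatch hunk at the end of update-ca-trust, dropping the `"--"*|"-"*)` branch means `update-ca-trust -o DIR` now falls into `*)` and fails with "unknown command", although the usage line `Usage: $0 [extract] [-o DIR|--output DIR]` still brackets `extract` as optional; either restore the implicit-extract branch or make the usage line require the command. `--help` is handled but `-h` is not, and `--help` does not appear in the usage text.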
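Review bot: in the update-ca-trust.8.txt hunks, `*-o DIR*, *--output=DIR*::` still documents the `--output=DIR` form, but the script's `case` only matches `"-o"|"--output"` with the directory as a separate argument and its usage text now says `--output DIR`; align the man page with the script. `--rhbz2387674` is added to the script's EXTRACT OPTIONS but not to the man page's EXTRACT OPTIONS section. In LEGACY FILES, `/etc/pki/cert.pem::` should read `/etc/pki/tls/cert.pem::`, the path the %pre scriptlet and changelog remove, and `/etc/ssl/cert.pem`, also removed in %pre, is missing from the list. Typo in the new /etc/pki/tls/certs entry: "inteded as a internal format" should be "intended as an internal format".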