Migrate STI to tmt

Resolves: FC-1842

.fmf/version

@@ -0,0 +1 @@
+1

README.openssl

@@ -1,18 +0,0 @@
-This directory /etc/pki/ca-trust/extracted/openssl/ contains 
-CA certificate bundle files which are automatically created
-based on the information found in the
-/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
-directories.
-
-All files are in the BEGIN/END TRUSTED CERTIFICATE file format, 
-as described in the x509(1) manual page.
-
-If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
-then you can use these files in your application to load a list of global
-root CA certificates.
-
-Please never manually edit the files stored in this directory,
-because your changes will be lost and the files automatically overwritten,
-each time the update-ca-trust command gets executed.
-
-Please refer to the update-ca-trust(8) manual page for additional information.

ca-certificates.spec

@@ -1,6 +1,5 @@
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
-%define classic_tls_bundle ca-bundle.crt
 %define p11_format_bundle ca-bundle.trust.p11-kit
 %define legacy_default_bundle ca-bundle.legacy.default.crt
 %define legacy_disable_bundle ca-bundle.legacy.disable.crt
@@ -34,10 +33,10 @@ Name: ca-certificates
 # to have increasing version numbers. However, the new scheme will work, 
 # because all future versions will start with 2013 or larger.)
 
-Version: 2024.2.69_v8.0.401
+Version: 2025.2.80_v9.0.304
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 5%{?dist}
+Release: 3%{?dist}
 License: MIT AND GPL-2.0-or-later
 
 URL: https://fedoraproject.org/wiki/CA-Certificates
@@ -56,7 +55,6 @@ Source11: README.usr
 Source12: README.etc
 Source13: README.extr
 Source14: README.java
-Source15: README.openssl
 Source16: README.pem
 Source17: README.edk2
 Source18: README.src
@@ -191,7 +189,6 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
 mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
-mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
@@ -207,7 +204,6 @@ install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/REA
 install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README
 install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
 install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
-install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
 install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
 install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
 install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
@@ -295,21 +291,13 @@ sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
 # expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
 ln -s %{pkidir}/tls/certs \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
 ln -s /etc/pki/tls/openssl.cnf \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
 ln -s /etc/pki/tls/ct_log_list.cnf \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
 # legacy filenames
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
 ln -s %{catrustdir}/extracted/%{java_bundle} \
     $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-certificates.crt
 
 %clean
 /usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
@@ -318,7 +306,12 @@ rm -rf $RPM_BUILD_ROOT
 %pre
 if [ $1 -gt 1 ] ; then
   # Remove the old symlinks
+  rm -f %{pkidir}/tls/cert.pem
+  rm -f %{pkidir}/tls/certs/ca-bundle.crt
   rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
+  rm -f %{pkidir}/tls/certs/ca-certificates.crt
+  rm -f %{_sysconfdir}/ssl/cert.pem
+
 
   # Upgrade or Downgrade.
   # If the classic filename is a regular file, then we are upgrading
@@ -340,17 +333,6 @@ if [ $1 -gt 1 ] ; then
       fi
     fi
   fi
-
-  if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then
-    # no backup yet
-    if test -e %{pkidir}/tls/certs/%{classic_tls_bundle}; then
-      # a file exists
-      if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then
-        # it's an old regular file, not a link
-        mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave
-      fi
-    fi
-  fi
 fi
 
 
@@ -391,7 +373,6 @@ fi
 %dir %{catrustdir}/source/blocklist
 %dir %{catrustdir}/extracted
 %dir %{catrustdir}/extracted/pem
-%dir %{catrustdir}/extracted/openssl
 %dir %{catrustdir}/extracted/java
 %dir %{_datadir}/pki
 %dir %{_datadir}/pki/ca-trust-source
@@ -408,21 +389,16 @@ fi
 %{catrustdir}/README
 %{catrustdir}/extracted/README
 %{catrustdir}/extracted/java/README
-%{catrustdir}/extracted/openssl/README
 %{catrustdir}/extracted/pem/README
 %{catrustdir}/extracted/edk2/README
 %{catrustdir}/source/README
 
 # symlinks for old locations
-%{pkidir}/tls/cert.pem
-%{pkidir}/tls/certs/%{classic_tls_bundle}
-%{pkidir}/tls/certs/ca-certificates.crt
 %{pkidir}/%{java_bundle}
 # Hybrid hash directory with bundle file for Debian compatibility
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
 %{_sysconfdir}/ssl/certs
 %{_sysconfdir}/ssl/README
-%{_sysconfdir}/ssl/cert.pem
 %{_sysconfdir}/ssl/openssl.cnf
 %{_sysconfdir}/ssl/ct_log_list.cnf
 
@@ -443,6 +419,51 @@ fi
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
 
 %changelog
+*Tue Sep 16 2025 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2025.2.80_v9.0.304-3
+- Migrate STI test to tmt
+
+*Tue Aug 26 2025 rhel-developer-toolbox <krenzelok.frantisek@gmail.com> - 2025.2.80_v9.0.304-2
+- Update to CKBI 2.80_v9.0.304 from NSS 3.114
+-    Adding:
+-     # Certificate "TWCA CYBER Root CA"
+-     # Certificate "TWCA Global Root CA G2"
+-     # Certificate "SecureSign Root CA12"
+-     # Certificate "SecureSign Root CA14"
+-     # Certificate "SecureSign Root CA15"
+-     # Certificate "D-TRUST BR Root CA 2 2023"
+-     # Certificate "TrustAsia SMIME ECC Root CA"
+-     # Certificate "TrustAsia SMIME RSA Root CA"
+-     # Certificate "TrustAsia TLS ECC Root CA"
+-     # Certificate "TrustAsia TLS RSA Root CA"
+-     # Certificate "D-TRUST EV Root CA 2 2023"
+-     # Certificate "SwissSign RSA SMIME Root CA 2022 - 1"
+-     # Certificate "SwissSign RSA TLS Root CA 2022 - 1"
+
+* Tue Aug 12 2025 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-8
+- update-ca-trust: Added a temporary, compatibility option `--rhbz2387674` to
+  the `extract` command. This flag restores legacy certificate
+  symlinks (e.g., `/etc/ssl/cert.pem`) to address issues with older software
+  that has not yet adapted to their removal. This essentially provides a
+  temporary way to revert the "Dropping of cert.pem file".
+
+* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2024.2.69_v8.0.401-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Wed Jul 9 2025 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-6
+- Change: Dropping of cert.pem file (Resolves: rhbz#2360110)
+  https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile
+- Remove the following symlinks:
+-    # /etc/pki/tls/cert.pem
+-    # /etc/pki/tls/certs/ca-certificates.crt
+-    # /etc/pki/tls/certs/ca-bundle.trust.crt
+-    # /etc/pki/tls/certs/ca-bundle.crt
+-    # /etc/ssl/cert.pem
+-    # /etc/ssl/certs/ca-certificates.crt
+-    # /etc/ssl/certs/ca-bundle.trust.crt
+-    # /etc/ssl/certs/ca-bundle.crt
+- Directory /etc/pki/ca-trust/extracted/openssl is being deprecated,
+  it is removed upon updating unless there are files present inside it.
+
 * Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2024.2.69_v8.0.401-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
 

nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69
-#define NSS_BUILTINS_LIBRARY_VERSION "2.69"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 80
+#define NSS_BUILTINS_LIBRARY_VERSION "2.80"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

plans/smoke.fmf

@@ -0,0 +1,4 @@
+ discover:
+     how: fmf
+ execute:
+     how: tmt

tests/smoke-test/Makefile

@@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/ca-certificates/Sanity/smoke-test
-#   Description: Check presence of Verisign root.
-#   Author: Ondrej Moris <omoris@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2010 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/ca-certificates/Sanity/smoke-test
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Ondrej Moris <omoris@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     Check presence of Verisign root." >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        5m" >> $(METADATA)
-	@echo "RunFor:          ca-certificates" >> $(METADATA)
-	@echo "Requires:        ca-certificates" >> $(METADATA)
-	@echo "Requires:        wget" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/smoke-test/PURPOSE

@@ -1,3 +0,0 @@
-PURPOSE of /CoreOS/ca-certificates/Sanity/smoke-test
-Description: Check presence of Verisign root.
-Author: Ondrej Moris <omoris@redhat.com>

tests/smoke-test/main.fmf

@@ -0,0 +1,5 @@
+summary: Check presence of Verisign root.
+test: bash ./runtest.sh
+framework: beakerlib
+recommend:
+  - beakerlib

tests/smoke-test/runtest.sh

@@ -27,7 +27,7 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include rhts environment
-. /usr/lib/beakerlib/beakerlib.sh
+. /usr/share/beakerlib/beakerlib.sh || exit 1
 
 PACKAGE="ca-certificates"
 

tests/tests.yml

@@ -1,13 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - atomic
-    - classic
-    - container
-    tests:
-    - smoke-test
-    required_packages:
-    - findutils         # beakerlib needs find command

update-ca-trust

@@ -15,7 +15,7 @@ export P11_KIT_NO_USER_CONFIG=1
 
 usage() {
 	fold -s -w 76 >&2 <<-EOF
-		Usage: $0 [extract] [-o DIR|--output=DIR]
+		Usage: $0 [extract] [-o DIR|--output DIR]
 
 		Update the system trust store in $DEST.
 
@@ -28,14 +28,47 @@ usage() {
 		the $DEST directory hierarchy.
 
 		EXTRACT OPTIONS
-		-o DIR, --output=DIR: Write the extracted trust store into the given
+		-o DIR, --output DIR: Write the extracted trust store into the given
 		directory instead of updating $DEST. (Note: This option will not
 		populate the ../pki/tls/certs with the directory-hash symbolic links.)
+
+		--rhbz2387674: A temporary compatibility option that restores several
+		legacy certificate-bundle symlinks (e.g., /etc/ssl/cert.pem) to
+		address issues with older software.
+		These symlinks will be removed on ca-certificate updates or reinstalls,
+		so you'll have to re-run this command after ca-certificates updates if
+		the issue is still not fixed.
+		WARNING: Do not use in automation or build scripts. This flag
+		is going to be removed in a future release, and any scripts relying on
+		it will inevitably break!
+	EOF
+}
+
+rhbz2387674_msg() {
+	fold -s -w 76 >&2 <<-EOF
+	----------------------------------------------------------------------------
+	** DEPRECATION WARNING **
+	----------------------------------------------------------------------------
+	The option --rhbz2387674 is a temporary workaround and will be removed in a
+	future release. Please do not use it in build scripts or automation.
+
+	----------------------------------------------------------------------------
+	** ACTION REQUIRED **
+	----------------------------------------------------------------------------
+	To ensure the affected package works correctly in the future, a bug report must
+	be filed.
+
+	1.  Check if a bug already exists for the affected package: https://bugzilla.redhat.com/buglist.cgi?component=ca-certificates&product=Fedora&short_desc=droppingOfCertPemFile%20package%3A&short_desc_type=allwordssubstr
+
+	2.  If no bug exists, please file a new one using this template: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=ca-certificates&version=rawhide&short_desc=droppingOfCertPemFile+package:+<<package_name>>+is+affected
+
+	Thank you for helping improve Fedora.
 	EOF
 }
 
 extract() {
 	USER_DEST=
+	compat=
 
         # can't use getopt here. ca-certificates can't depend on a lot
         # of other libraries since openssl depends on ca-certificates
@@ -43,7 +76,7 @@ extract() {
 
         while [ $# -ne 0 ]; do
 	    case "$1" in
-	      "-o"|"--output")
+		"-o"|"--output")
 		  if [ $# -lt 2 ]; then
 			  echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
 			  echo >&2
@@ -53,6 +86,11 @@ extract() {
 		  shift 2
 		  continue
 		  ;;
+		"--rhbz2387674")
+		  compat="true"
+		  shift
+		  continue
+		  ;;
 		"--")
 		  shift
 		  break
@@ -64,6 +102,12 @@ extract() {
 	    esac
 	done
 
+	if [[ "$compat" = "true" && -n "$USER_DEST" ]]; then
+		echo "Error: arguments '-o DIR|--output DIR' and '--rhbz2387674' can't be used together"
+		exit 1
+	
+	fi
+
 	if [ -n "$USER_DEST" ]; then
 		DEST=$USER_DEST
 	        # Attempt to create the directories if they do not exist
@@ -94,6 +138,22 @@ extract() {
 	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
 
 
+	if [ -n "$compat" ]; then
+		# print warning message
+		rhbz2387674_msg
+
+		# bring back bundle in openssl trust format
+		/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST_CERTS/ca-bundle.trust.crt"
+
+		# create symlinks to /etc/pki/tls/..
+		ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/../cert.pem"
+		ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-certificates.crt"
+		ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-bundle.crt"
+
+		# create symlinks to /etc/ssl/ the certs folder is already sym-linked
+		ln -sf "$DEST/pem/tls-ca-bundle.pem" "/etc/ssl/cert.pem"
+	fi
+
 	if [ -z "$USER_DEST" ]; then
 		find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
 		     -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do

update-ca-trust.8.txt

@@ -235,14 +235,6 @@ EXTRACT OPTIONS
 
 FILES
 -----
-/etc/pki/tls/certs/ca-bundle.crt::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
-
-/etc/pki/tls/certs/ca-bundle.trust.crt::
-	Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
-	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
-
 /etc/pki/java/cacerts::
 	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
 	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
@@ -259,7 +251,25 @@ FILES
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
 
 /etc/pki/tls/certs::
-	Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command.
+	Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command, they are inteded as a internal format for OpenSSL and not to be used directly by the other crypto libraries or applications.
+
+LEGACY FILES
+------------
+The following file paths were used in legacy versions of the utility
+and have since been replaced. Scripts and configurations referencing
+these old paths should be updated.
+
+/etc/pki/cert.pem::
+    This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
+
+/etc/pki/tls/certs/ca-certificates.crt::
+    This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
+
+/etc/pki/tls/certs/ca-bundle.crt::
+    This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
+
+/etc/pki/tls/certs/ca-bundle.trust.crt::
+    This has been replaced by the directory-hash format certificates stored in /etc/pki/ca-trust/extracted/pem/directory-hash/ directory.
 
 AUTHOR
 ------