diff --git a/.fmf/version b/.fmf/version
deleted file mode 100644
index d00491f..0000000
--- a/.fmf/version
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/README.openssl b/README.openssl
new file mode 100644
index 0000000..99f8d79
--- /dev/null
+++ b/README.openssl
@@ -0,0 +1,18 @@
+This directory /etc/pki/ca-trust/extracted/openssl/ contains
+CA certificate bundle files which are automatically created
+based on the information found in the
+/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
+directories.
+
+All files are in the BEGIN/END TRUSTED CERTIFICATE file format,
+as described in the x509(1) manual page.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
diff --git a/ca-certificates.spec b/ca-certificates.spec
index 2f9e003..d38dd44 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -1,5 +1,7 @@
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
+%define classic_tls_bundle ca-bundle.crt
+%define openssl_format_trust_bundle ca-bundle.trust.crt
 %define p11_format_bundle ca-bundle.trust.p11-kit
 %define legacy_default_bundle ca-bundle.legacy.default.crt
 %define legacy_disable_bundle ca-bundle.legacy.disable.crt
@@ -36,7 +38,7 @@ Name: ca-certificates
 Version: 2025.2.80_v9.0.304
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 3%{?dist}
+Release: 1.1%{?dist}
 License: MIT AND GPL-2.0-or-later
 URL: https://fedoraproject.org/wiki/CA-Certificates
@@ -55,6 +57,7 @@ Source11: README.usr
 Source12: README.etc
 Source13: README.extr
 Source14: README.java
+Source15: README.openssl
 Source16: README.pem
 Source17: README.edk2
 Source18: README.src
@@ -189,6 +192,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
 mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
@@ -204,6 +208,7 @@ install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/REA
 install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README
 install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
 install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
+install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
 install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
 install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
 install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
@@ -235,6 +240,8 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
+touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
+chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
@@ -291,13 +298,23 @@ sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
 # expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
 ln -s %{pkidir}/tls/certs \
 $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+ $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
 ln -s /etc/pki/tls/openssl.cnf \
 $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
 ln -s /etc/pki/tls/ct_log_list.cnf \
 $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
 # legacy filenames
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+ $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
 ln -s %{catrustdir}/extracted/%{java_bundle} \
 $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+ $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+ $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-certificates.crt
+ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
+ $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 %clean
 /usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
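Review bot: The added links spell `ca-certificates.crt` and the target `tls-ca-bundle.pem` as bare literals (the target four times over) while the neighbouring lines use the freshly defined `%{classic_tls_bundle}` and `%{openssl_format_trust_bundle}` macros, and %pre and %files must repeat the same paths, so a macro for each remaining literal keeps the three sections from drifting. The `# legacy filenames` comment would also earn its keep by saying what the aliases resolve to: every PEM alias here points at `tls-ca-bundle.pem`, which the update-ca-trust hunk builds with `--purpose server-auth`, so a program that reads `/etc/ssl/cert.pem` for S/MIME or code-signing validation sees no anchors for those purposes, whereas `ca-bundle.trust.crt` is the `--filter=certificates` bundle carrying trust and distrust flags. Suggested wording: `# legacy filenames: the PEM aliases are the server-auth anchor bundle only;` / `# ca-bundle.trust.crt is the trust-flagged OpenSSL bundle (distrusted CAs included, flagged)`.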
@@ -305,14 +322,6 @@ rm -rf $RPM_BUILD_ROOT
 %pre
 if [ $1 -gt 1 ] ; then
- # Remove the old symlinks
- rm -f %{pkidir}/tls/cert.pem
- rm -f %{pkidir}/tls/certs/ca-bundle.crt
- rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
- rm -f %{pkidir}/tls/certs/ca-certificates.crt
- rm -f %{_sysconfdir}/ssl/cert.pem
-
-
 # Upgrade or Downgrade.
 # If the classic filename is a regular file, then we are upgrading
 # from an old package and we will move it to an .rpmsave backup file.
@@ -333,6 +342,28 @@ if [ $1 -gt 1 ] ; then
 fi
 fi
 fi
+
+ if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then
+ # no backup yet
+ if test -e %{pkidir}/tls/certs/%{classic_tls_bundle}; then
+ # a file exists
+ if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then
+ # it's an old regular file, not a link
+ mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave
+ fi
+ fi
+ fi
+
+ if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
+ # no backup yet
+ if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
+ # a file exists
+ if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
+ # it's an old regular file, not a link
+ mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
+ fi
+ fi
+ fi
 fi
@@ -373,6 +404,7 @@ fi
 %dir %{catrustdir}/source/blocklist
 %dir %{catrustdir}/extracted
 %dir %{catrustdir}/extracted/pem
+%dir %{catrustdir}/extracted/openssl
 %dir %{catrustdir}/extracted/java
 %dir %{_datadir}/pki
 %dir %{_datadir}/pki/ca-trust-source
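Review bot: The two new `.rpmsave` guards cover only `%{classic_tls_bundle}` and `%{openssl_format_trust_bundle}`, yet this release also installs symlinks at `%{pkidir}/tls/cert.pem`, `%{pkidir}/tls/certs/ca-certificates.crt` and `%{_sysconfdir}/ssl/cert.pem` — the other paths the deleted `rm -f` block used to clear — so on the premise the surrounding comment states (a regular file sitting at the packaged path gets replaced), a file an administrator dropped at one of those three paths while they were unshipped is overwritten with no backup. The same nested test/mv block is now pasted three times, which is how the third set of paths was missed. A helper applied to all five paths keeps the guard uniform; `%{_sysconfdir}/ssl/certs` is itself a symlink to `%{pkidir}/tls/certs` in this spec's %install, so the `/etc/ssl/certs/ca-bundle.*` aliases need no separate entry. The enclosing `if [ $1 -gt 1 ]` body starts before this hunk.
```rpm-spec
 # Move a pre-existing regular file aside before rpm drops the packaged symlink on it.
 save_regular_file() {
     if ! test -e "$1.rpmsave" && test -e "$1" && ! test -L "$1"; then
         mv -f "$1" "$1.rpmsave"
     fi
 }
 # … unchanged: earlier .rpmsave blocks …
 for f in %{pkidir}/tls/certs/%{classic_tls_bundle} \
          %{pkidir}/tls/certs/%{openssl_format_trust_bundle} \
          %{pkidir}/tls/certs/ca-certificates.crt \
          %{pkidir}/tls/cert.pem \
          %{_sysconfdir}/ssl/cert.pem; do
     save_regular_file "$f"
 done
```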
@@ -389,16 +421,22 @@ fi
 %{catrustdir}/README
 %{catrustdir}/extracted/README
 %{catrustdir}/extracted/java/README
+%{catrustdir}/extracted/openssl/README
 %{catrustdir}/extracted/pem/README
 %{catrustdir}/extracted/edk2/README
 %{catrustdir}/source/README
 # symlinks for old locations
+%{pkidir}/tls/cert.pem
+%{pkidir}/tls/certs/%{classic_tls_bundle}
+%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
+%{pkidir}/tls/certs/ca-certificates.crt
 %{pkidir}/%{java_bundle}
 # Hybrid hash directory with bundle file for Debian compatibility
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
 %{_sysconfdir}/ssl/certs
 %{_sysconfdir}/ssl/README
+%{_sysconfdir}/ssl/cert.pem
 %{_sysconfdir}/ssl/openssl.cnf
 %{_sysconfdir}/ssl/ct_log_list.cnf
@@ -415,14 +453,27 @@ fi
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
+%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
 %changelog
-*Tue Sep 16 2025 Frantisek Krenzelok - 2025.2.80_v9.0.304-3
-- Migrate STI test to tmt
+* Tue Aug 26 2025 Frantisek Krenzelok - 2025.2.80_v9.0.304-1.1
+- Revert the "Dropping of cert.pem file" change to restore legacy CA symlinks
+- https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile
+- Restored directory /etc/pki/ca-trust/extracted/openssl
+- Remove update-ca-trust extract compatibility option
+- Restored symlinks:
+ - /etc/pki/tls/cert.pem
+ - /etc/pki/tls/certs/ca-certificates.crt
+ - /etc/pki/tls/certs/ca-bundle.trust.crt
+ - /etc/pki/tls/certs/ca-bundle.crt
+ - /etc/ssl/cert.pem
+ - /etc/ssl/certs/ca-certificates.crt
+ - /etc/ssl/certs/ca-bundle.trust.crt
+ - /etc/ssl/certs/ca-bundle.crt
-*Tue Aug 26 2025 rhel-developer-toolbox - 2025.2.80_v9.0.304-2
+*Tue Aug 26 2025 rhel-developer-toolbox - 2025.2.80_v9.0.304-1.0
 - Update to CKBI 2.80_v9.0.304 from NSS 3.114
 - Adding:
 - # Certificate "TWCA CYBER Root CA"
diff --git a/plans/smoke.fmf b/plans/smoke.fmf
deleted file mode 100644
index 5e339a4..0000000
--- a/plans/smoke.fmf
+++ /dev/null
@@ -1,4 +0,0 @@
- discover:
- how: fmf
- execute:
- how: tmt
diff --git a/tests/smoke-test/Makefile b/tests/smoke-test/Makefile
new file mode 100644
index 0000000..b490f26
--- /dev/null
+++ b/tests/smoke-test/Makefile
@@ -0,0 +1,64 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/ca-certificates/Sanity/smoke-test +# Description: Check presence of Verisign root. +# Author: Ondrej Moris +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2010 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/ca-certificates/Sanity/smoke-test +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Ondrej Moris " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Check presence of Verisign root." 
>> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: ca-certificates" >> $(METADATA)
+ @echo "Requires: ca-certificates" >> $(METADATA)
+ @echo "Requires: wget" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/smoke-test/PURPOSE b/tests/smoke-test/PURPOSE
new file mode 100644
index 0000000..9f8f063
--- /dev/null
+++ b/tests/smoke-test/PURPOSE
@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/ca-certificates/Sanity/smoke-test
+Description: Check presence of Verisign root.
+Author: Ondrej Moris
diff --git a/tests/smoke-test/main.fmf b/tests/smoke-test/main.fmf
deleted file mode 100644
index 5dd20c1..0000000
--- a/tests/smoke-test/main.fmf
+++ /dev/null
@@ -1,5 +0,0 @@
-summary: Check presence of Verisign root.
-test: bash ./runtest.sh
-framework: beakerlib
-recommend:
- - beakerlib
diff --git a/tests/smoke-test/runtest.sh b/tests/smoke-test/runtest.sh
old mode 100755
new mode 100644
index 084be23..349b38a
--- a/tests/smoke-test/runtest.sh
+++ b/tests/smoke-test/runtest.sh
@@ -27,7 +27,7 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # Include rhts environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
+. /usr/lib/beakerlib/beakerlib.sh
 PACKAGE="ca-certificates"
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..2e53c43
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,13 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - atomic
+ - classic
+ - container
+ tests:
+ - smoke-test
+ required_packages:
+ - findutils # beakerlib needs find command
diff --git a/update-ca-trust b/update-ca-trust
index 5a07260..2a80b99 100755
--- a/update-ca-trust
+++ b/update-ca-trust
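Review bot: `+. /usr/lib/beakerlib/beakerlib.sh` drops the `|| exit 1` the replaced line carried, so when the library is missing at that path the dot command fails, the script keeps running, and presumably every later beakerlib call dies with "command not found" instead of the test aborting cleanly; keep the guard, `. /usr/lib/beakerlib/beakerlib.sh || exit 1`. The path also moves from /usr/share/beakerlib to /usr/lib/beakerlib with nothing in the diff saying which one the target systems provide; if both are possible, try one then the other: `. /usr/share/beakerlib/beakerlib.sh 2>/dev/null || . /usr/lib/beakerlib/beakerlib.sh || exit 1`. The file also loses its executable bit (mode 100755 → 100644) in this same diff; the new Makefile's `build` target runs `chmod a+x runtest.sh`, so that is presumably the intended compensation, but invoking the script directly outside make will fail until then. The rest of runtest.sh is outside the hunk.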
@@ -31,44 +31,11 @@ usage() { -o DIR, --output DIR: Write the extracted trust store into the given directory instead of updating $DEST. (Note: This option will not populate the ../pki/tls/certs with the directory-hash symbolic links.) - - --rhbz2387674: A temporary compatibility option that restores several - legacy certificate-bundle symlinks (e.g., /etc/ssl/cert.pem) to - address issues with older software. - These symlinks will be removed on ca-certificate updates or reinstalls, - so you'll have to re-run this command after ca-certificates updates if - the issue is still not fixed. - WARNING: Do not use in automation or build scripts. This flag - is going to be removed in a future release, and any scripts relying on - it will inevitably break! - EOF -} - -rhbz2387674_msg() { - fold -s -w 76 >&2 <<-EOF - ---------------------------------------------------------------------------- - ** DEPRECATION WARNING ** - ---------------------------------------------------------------------------- - The option --rhbz2387674 is a temporary workaround and will be removed in a - future release. Please do not use it in build scripts or automation. - - ---------------------------------------------------------------------------- - ** ACTION REQUIRED ** - ---------------------------------------------------------------------------- - To ensure the affected package works correctly in the future, a bug report must - be filed. - - 1. Check if a bug already exists for the affected package: https://bugzilla.redhat.com/buglist.cgi?component=ca-certificates&product=Fedora&short_desc=droppingOfCertPemFile%20package%3A&short_desc_type=allwordssubstr - - 2. If no bug exists, please file a new one using this template: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=ca-certificates&version=rawhide&short_desc=droppingOfCertPemFile+package:+<>+is+affected - - Thank you for helping improve Fedora. EOF } extract() { USER_DEST= - compat= # can't use getopt here. 
ca-certificates can't depend on a lot # of other libraries since openssl depends on ca-certificates @@ -86,11 +53,6 @@ extract() { shift 2 continue ;; - "--rhbz2387674") - compat="true" - shift - continue - ;; "--") shift break @@ -102,12 +64,6 @@ extract() { esac done - if [[ "$compat" = "true" && -n "$USER_DEST" ]]; then - echo "Error: arguments '-o DIR|--output DIR' and '--rhbz2387674' can't be used together" - exit 1 - - fi - if [ -n "$USER_DEST" ]; then DEST=$USER_DEST # Attempt to create the directories if they do not exist @@ -128,6 +84,7 @@ extract() { # OpenSSL PEM bundle that includes trust flags # (BEGIN TRUSTED CERTIFICATE) + /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem" /usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" 
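Review bot: The added `/usr/bin/trust extract --format=openssl-bundle … "$DEST/openssl/ca-bundle.trust.crt"` writes into a subdirectory that the spec's %install creates under /etc/pki/ca-trust/extracted, but for `-o DIR` the directories are created by the code under the `# Attempt to create the directories if they do not exist` comment in the preceding hunk, whose body is not in view — confirm it creates `$DEST/openssl` as well, otherwise the extract fails for a user-supplied output directory. The comment above the new line also deserves a security caveat: unlike the three pem-bundle lines it uses `--filter=certificates` rather than `--filter=ca-anchors`, and per the man-page hunk the resulting file carries distrust flags, so a consumer that parses the TRUSTED CERTIFICATE blocks but ignores those attributes would accept blocklisted CAs. Suggested: `# OpenSSL PEM bundle that includes trust flags (BEGIN TRUSTED CERTIFICATE).` / `# --filter=certificates also emits distrusted entries, flagged as such; readers must honour the trust attributes.` The extract() function starts before this hunk and continues after it.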
@@ -138,22 +95,6 @@ extract() { /usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash" - if [ -n "$compat" ]; then - # print warning message - rhbz2387674_msg - - # bring back bundle in openssl trust format - /usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST_CERTS/ca-bundle.trust.crt" - - # create symlinks to /etc/pki/tls/.. - ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/../cert.pem" - ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-certificates.crt" - ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-bundle.crt" - - # create symlinks to /etc/ssl/ the certs folder is already sym-linked - ln -sf "$DEST/pem/tls-ca-bundle.pem" "/etc/ssl/cert.pem" - fi - if [ -z "$USER_DEST" ]; then find "$DEST/pem/directory-hash" -type l -regextype posix-extended \ -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do diff --git a/update-ca-trust.8.txt b/update-ca-trust.8.txt index 0acc871..bcdb057 100644 --- a/update-ca-trust.8.txt +++ b/update-ca-trust.8.txt @@ -235,6 +235,10 @@ EXTRACT OPTIONS FILES ----- +/etc/pki/tls/certs/ca-bundle.trust.crt:: + Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + /etc/pki/java/cacerts:: Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. 
@@ -253,24 +257,6 @@ FILES
 /etc/pki/tls/certs::
 Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command, they are inteded as a internal format for OpenSSL and not to be used directly by the other crypto libraries or applications.
-LEGACY FILES
-------------
-The following file paths were used in legacy versions of the utility
-and have since been replaced. Scripts and configurations referencing
-these old paths should be updated.
-
-/etc/pki/cert.pem::
- This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
-
-/etc/pki/tls/certs/ca-certificates.crt::
- This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
-
-/etc/pki/tls/certs/ca-bundle.crt::
- This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
-
-/etc/pki/tls/certs/ca-bundle.trust.crt::
- This has been replaced by the directory-hash format certificates stored in /etc/pki/ca-trust/extracted/pem/directory-hash/ directory.
-
 AUTHOR
 ------
 Written by Kai Engert and Stef Walter.