rpms/ca-certificates
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

merge into: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:main
rpms:f43
rpms:f41
rpms:f42
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:f26
rpms:f25
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:f19
rpms:f18
rpms:f17
rpms:f14
rpms:f16
rpms:f15
rpms:f11
rpms:f10
rpms:f12
rpms:f13
rpms:ca-certificates-2010_63-3_fc14
rpms:ca-certificates-2010_63-2_fc14
rpms:ca-certificates-2010_63-1_fc14
rpms:ca-certificates-2010-4_fc14
rpms:ca-certificates-2010-3_fc14
rpms:F-13-start
rpms:F-13-split
rpms:ca-certificates-2010-2_fc13
rpms:ca-certificates-2010-1_fc13
rpms:ca-certificates-2009-2_fc12
rpms:F-12-start
rpms:F-12-split
rpms:ca-certificates-2009-1_fc12
rpms:ca-certificates-2009-1_fc10
rpms:ca-certificates-2008-8
rpms:F-11-start
rpms:F-11-split
rpms:ca-certificates-2008-7
rpms:F-10-start
rpms:F-10-split
rpms:ca-certificates-2008-6
rpms:ca-certificates-2008-5
rpms:ca-certificates-2008-4
...
pull from: rpms:f42
Branches Tags
rpms:main
rpms:rawhide
rpms:f43
rpms:f41
rpms:f42
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:f26
rpms:f25
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:f19
rpms:f18
rpms:f17
rpms:f14
rpms:f16
rpms:f15
rpms:f11
rpms:f10
rpms:f12
rpms:f13
rpms:ca-certificates-2010_63-3_fc14
rpms:ca-certificates-2010_63-2_fc14
rpms:ca-certificates-2010_63-1_fc14
rpms:ca-certificates-2010-4_fc14
rpms:ca-certificates-2010-3_fc14
rpms:F-13-start
rpms:F-13-split
rpms:ca-certificates-2010-2_fc13
rpms:ca-certificates-2010-1_fc13
rpms:ca-certificates-2009-2_fc12
rpms:F-12-start
rpms:F-12-split
rpms:ca-certificates-2009-1_fc12
rpms:ca-certificates-2009-1_fc10
rpms:ca-certificates-2008-8
rpms:F-11-start
rpms:F-11-split
rpms:ca-certificates-2008-7
rpms:F-10-start
rpms:F-10-split
rpms:ca-certificates-2008-6
rpms:ca-certificates-2008-5
rpms:ca-certificates-2008-4
Sign in to create a new pull request.

2 commits
rawhide ... f42

Author SHA1 Message Date
Krenzelok Frantisek
163ec28d72 Adding: 
# Certificate "TWCA CYBER Root CA"
    # Certificate "TWCA Global Root CA G2"
    # Certificate "SecureSign Root CA12"
    # Certificate "SecureSign Root CA14"
    # Certificate "SecureSign Root CA15"
    # Certificate "D-TRUST BR Root CA 2 2023"
    # Certificate "TrustAsia SMIME ECC Root CA"
    # Certificate "TrustAsia SMIME RSA Root CA"
    # Certificate "TrustAsia TLS ECC Root CA"
    # Certificate "TrustAsia TLS RSA Root CA"
    # Certificate "D-TRUST EV Root CA 2 2023"
    # Certificate "SwissSign RSA SMIME Root CA 2022 - 1"
    # Certificate "SwissSign RSA TLS Root CA 2022 - 1"
 2025-08-26 13:36:04 +02:00
Krenzelok Frantisek
5a91943b49 Revert dropping of /etc/pki/tls/certs/ca-bundle.trust.crt 2025-04-14 16:11:43 +02:00
4 changed files with 2701 additions and 633 deletions
Download patch file Download diff file Expand all files Collapse all files

45
ca-certificates.spec
View file

@ -1,6 +1,7 @@
%define pkidir %{_sysconfdir}/pki
%define catrustdir %{_sysconfdir}/pki/ca-trust
%define classic_tls_bundle ca-bundle.crt
%define openssl_format_trust_bundle ca-bundle.trust.crt
%define p11_format_bundle ca-bundle.trust.p11-kit
%define legacy_default_bundle ca-bundle.legacy.default.crt
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
@ -34,10 +35,10 @@ Name: ca-certificates
# to have increasing version numbers. However, the new scheme will work,
# because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.401
Version: 2025.2.80_v9.0.304
# for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 5%{?dist}
Release: 1.0%{?dist}
License: MIT AND GPL-2.0-or-later
URL: https://fedoraproject.org/wiki/CA-Certificates
@ -239,6 +240,8 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
@ -310,6 +313,8 @@ ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-certificates.crt
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
@ -317,9 +322,6 @@ rm -rf $RPM_BUILD_ROOT
%pre
if [ $1 -gt 1 ] ; then
# Remove the old symlinks
rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
# Upgrade or Downgrade.
# If the classic filename is a regular file, then we are upgrading
# from an old package and we will move it to an .rpmsave backup file.
@ -351,6 +353,17 @@ if [ $1 -gt 1 ] ; then
fi
fi
fi
if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
# no backup yet
if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
# a file exists
if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
# it's an old regular file, not a link
mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
fi
fi
fi
fi
@ -417,6 +430,7 @@ fi
%{pkidir}/tls/cert.pem
%{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/ca-certificates.crt
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle}
# Hybrid hash directory with bundle file for Debian compatibility
# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
@ -439,10 +453,31 @@ fi
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
%changelog
*Tue Aug 26 2025 rhel-developer-toolbox <krenzelok.frantisek@gmail.com> - 2025.2.80_v9.0.304-1.0
- Update to CKBI 2.80_v9.0.304 from NSS 3.114
- Adding:
- # Certificate "TWCA CYBER Root CA"
- # Certificate "TWCA Global Root CA G2"
- # Certificate "SecureSign Root CA12"
- # Certificate "SecureSign Root CA14"
- # Certificate "SecureSign Root CA15"
- # Certificate "D-TRUST BR Root CA 2 2023"
- # Certificate "TrustAsia SMIME ECC Root CA"
- # Certificate "TrustAsia SMIME RSA Root CA"
- # Certificate "TrustAsia TLS ECC Root CA"
- # Certificate "TrustAsia TLS RSA Root CA"
- # Certificate "D-TRUST EV Root CA 2 2023"
- # Certificate "SwissSign RSA SMIME Root CA 2022 - 1"
- # Certificate "SwissSign RSA TLS Root CA 2022 - 1"
*Mon Apr 14 2025 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-6
- Bring back /etc/pki/tls/certs/ca-bundle.trust.crt
* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2024.2.69_v8.0.401-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild

3284
certdata.txt
View file

File diff suppressed because it is too large Load diff

4
nssckbi.h
View file

@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69
#define NSS_BUILTINS_LIBRARY_VERSION "2.69"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 80
#define NSS_BUILTINS_LIBRARY_VERSION "2.80"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

1
update-ca-trust
View file

@ -84,6 +84,7 @@ extract() {
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"