Compare commits
2 commits

| Author | SHA1 | Date |
|---|---|---|
| | 33db9507d1 | |
| | bba6159a2f | |
6 changed files with 2764 additions and 716 deletions
README.openssl (normal file, 18 additions)

@ -0,0 +1,18 @@
This directory /etc/pki/ca-trust/extracted/openssl/ contains
CA certificate bundle files which are automatically created
based on the information found in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
directories.

All files are in the BEGIN/END TRUSTED CERTIFICATE file format,
as described in the x509(1) manual page.

If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
then you can use these files in your application to load a list of global
root CA certificates.

Please never manually edit the files stored in this directory,
because your changes will be lost and the files automatically overwritten,
each time the update-ca-trust command gets executed.

Please refer to the update-ca-trust(8) manual page for additional information.

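Review bot: the README should point applications that expect plain certificates at the pem/ bundles rather than at this directory. It tells applications that cannot load p11-kit-trust.so that they "can use these files", but the only file generated here (ca-bundle.trust.crt, per the %install and %ghost hunks below) is in BEGIN/END TRUSTED CERTIFICATE format; PEM readers that only recognise the "CERTIFICATE" label (Go's crypto/x509 AppendCertsFromPEM, for one) load nothing from it, and readers that parse it but ignore the trailing trust attributes lose the distrust flags this format exists to carry. Suggest adding a sentence such as "Applications that expect plain BEGIN/END CERTIFICATE blocks should use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem instead." Minor: "bundle files" is plural for a directory that holds one generated file.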
@ -1,5 +1,7 @@
%define pkidir %{_sysconfdir}/pki
%define catrustdir %{_sysconfdir}/pki/ca-trust
%define classic_tls_bundle ca-bundle.crt
%define openssl_format_trust_bundle ca-bundle.trust.crt
%define p11_format_bundle ca-bundle.trust.p11-kit
%define legacy_default_bundle ca-bundle.legacy.default.crt
%define legacy_disable_bundle ca-bundle.legacy.disable.crt

@ -33,10 +35,10 @@ Name: ca-certificates
# to have increasing version numbers. However, the new scheme will work,
# because all future versions will start with 2013 or larger.)

Version: 2024.2.69_v8.0.401
Version: 2025.2.80_v9.0.304
# for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 8%{?dist}
Release: 1.1%{?dist}
License: MIT AND GPL-2.0-or-later

URL: https://fedoraproject.org/wiki/CA-Certificates

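Review bot: Release is reset to 1.1%{?dist}, which the two comment lines directly above reserve for Fedora release branches (Rawhide must use release >= 2); confirm that is the intended branch for this commit. The two %changelog entries further down (1.0 and 1.1) carry the same date, Tue Aug 26 2025, so the CKBI 2.80 update build and the symlink revert are distinguishable only by the release field. The 2.80 in this Version string does match the NSS_BUILTINS_LIBRARY_VERSION bump to "2.80" in the header hunk below.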
@ -55,6 +57,7 @@ Source11: README.usr
Source12: README.etc
Source13: README.extr
Source14: README.java
Source15: README.openssl
Source16: README.pem
Source17: README.edk2
Source18: README.src

@ -189,6 +192,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source

@ -204,6 +208,7 @@ install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/REA
install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README
install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README

@ -235,6 +240,8 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin

@ -291,13 +298,23 @@ sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
ln -s %{pkidir}/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-certificates.crt
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}

%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash

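Review bot: every restored `ln -s` points at `%{catrustdir}/extracted/pem/tls-ca-bundle.pem` or `%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}`, both of which are listed as %ghost in the %files hunk below, so the links dangle from the moment the package is unpacked until update-ca-trust regenerates the bundles (the %post that does so is not part of this diff). That matches the pre-existing `%{pkidir}/%{java_bundle}` link, but it is worth a changelog sentence, because a process that opens /etc/ssl/cert.pem or /etc/pki/tls/cert.pem during the transaction gets ENOENT rather than a stale bundle. Style: the two `ln -s /etc/pki/tls/openssl.cnf` and `ln -s /etc/pki/tls/ct_log_list.cnf` lines hard-code the prefix that every neighbouring line spells `%{pkidir}/tls/`.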
@ -305,14 +322,6 @@ rm -rf $RPM_BUILD_ROOT

%pre
if [ $1 -gt 1 ] ; then
# Remove the old symlinks
rm -f %{pkidir}/tls/cert.pem
rm -f %{pkidir}/tls/certs/ca-bundle.crt
rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
rm -f %{pkidir}/tls/certs/ca-certificates.crt
rm -f %{_sysconfdir}/ssl/cert.pem


# Upgrade or Downgrade.
# If the classic filename is a regular file, then we are upgrading
# from an old package and we will move it to an .rpmsave backup file.

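Review bot: with the five `rm -f` lines gone from %pre, the package relies on rpm to replace whatever sits at those paths. On a host running 2024.2.69_v8.0.401-8 where `update-ca-trust extract --rhbz2387674` was used (the script hunk removed below created the same links with `ln -sf`), the paths hold unowned symlinks with identical targets and rpm replaces them; the case left uncovered is an unowned regular file at `%{pkidir}/tls/cert.pem`, `%{pkidir}/tls/certs/ca-certificates.crt` or `%{_sysconfdir}/ssl/cert.pem`, since the .rpmsave logic added in the next hunk handles only `%{classic_tls_bundle}` and `%{openssl_format_trust_bundle}`. Unless the part of %pre not shown here already backs those up, either extend the backup to all five paths or say in the changelog that such files are overwritten.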
@ -333,6 +342,28 @@ if [ $1 -gt 1 ] ; then
fi
fi
fi

if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then
# no backup yet
if test -e %{pkidir}/tls/certs/%{classic_tls_bundle}; then
# a file exists
if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then
# it's an old regular file, not a link
mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave
fi
fi
fi

if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
# no backup yet
if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
# a file exists
if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
# it's an old regular file, not a link
mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
fi
fi
fi
fi


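Review bot: the two new blocks are line-for-line copies that differ only in the bundle name; a loop keeps them from drifting apart, e.g. `for f in %{classic_tls_bundle} %{openssl_format_trust_bundle}; do` with the three nested tests collapsed to `if [ -f "%{pkidir}/tls/certs/$f" ] && [ ! -L "%{pkidir}/tls/certs/$f" ] && [ ! -e "%{pkidir}/tls/certs/$f.rpmsave" ]; then`. Two behaviours of the current form deserve a comment: `test -e` is false for a dangling symlink, so such a link is neither backed up nor removed (rpm replaces it, which is fine), and once a `.rpmsave` exists from an earlier upgrade the "no backup yet" guard means a newer regular file at the path is overwritten without a backup.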
@ -373,6 +404,7 @@ fi
%dir %{catrustdir}/source/blocklist
%dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl
%dir %{catrustdir}/extracted/java
%dir %{_datadir}/pki
%dir %{_datadir}/pki/ca-trust-source

@ -389,16 +421,22 @@ fi
%{catrustdir}/README
%{catrustdir}/extracted/README
%{catrustdir}/extracted/java/README
%{catrustdir}/extracted/openssl/README
%{catrustdir}/extracted/pem/README
%{catrustdir}/extracted/edk2/README
%{catrustdir}/source/README

# symlinks for old locations
%{pkidir}/tls/cert.pem
%{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/tls/certs/ca-certificates.crt
%{pkidir}/%{java_bundle}
# Hybrid hash directory with bundle file for Debian compatibility
# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/README
%{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf

@ -415,10 +453,43 @@ fi
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin

%changelog
* Tue Aug 26 2025 Frantisek Krenzelok <fkrenzel@redhat.com> - 2025.2.80_v9.0.304-1.1
- Revert the "Dropping of cert.pem file" change to restore legacy CA symlinks
- https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile
- Restored directory /etc/pki/ca-trust/extracted/openssl
- Remove update-ca-trust extract compatibility option
- Restored symlinks:
- /etc/pki/tls/cert.pem
- /etc/pki/tls/certs/ca-certificates.crt
- /etc/pki/tls/certs/ca-bundle.trust.crt
- /etc/pki/tls/certs/ca-bundle.crt
- /etc/ssl/cert.pem
- /etc/ssl/certs/ca-certificates.crt
- /etc/ssl/certs/ca-bundle.trust.crt
- /etc/ssl/certs/ca-bundle.crt

*Tue Aug 26 2025 rhel-developer-toolbox <krenzelok.frantisek@gmail.com> - 2025.2.80_v9.0.304-1.0
- Update to CKBI 2.80_v9.0.304 from NSS 3.114
- Adding:
- # Certificate "TWCA CYBER Root CA"
- # Certificate "TWCA Global Root CA G2"
- # Certificate "SecureSign Root CA12"
- # Certificate "SecureSign Root CA14"
- # Certificate "SecureSign Root CA15"
- # Certificate "D-TRUST BR Root CA 2 2023"
- # Certificate "TrustAsia SMIME ECC Root CA"
- # Certificate "TrustAsia SMIME RSA Root CA"
- # Certificate "TrustAsia TLS ECC Root CA"
- # Certificate "TrustAsia TLS RSA Root CA"
- # Certificate "D-TRUST EV Root CA 2 2023"
- # Certificate "SwissSign RSA SMIME Root CA 2022 - 1"
- # Certificate "SwissSign RSA TLS Root CA 2022 - 1"

* Tue Aug 12 2025 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-8
- update-ca-trust: Added a temporary, compatibility option `--rhbz2387674` to
the `extract` command. This flag restores legacy certificate

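Review bot: the 1.0 entry header `*Tue Aug 26 2025 rhel-developer-toolbox <krenzelok.frantisek@gmail.com>` lacks the space after `*` that every other entry has and is attributed to a different identity than the 1.1 entry made the same day; use the same `* Tue Aug 26 2025 Frantisek Krenzelok <fkrenzel@redhat.com>` form so the changelog reads consistently and rpmlint stays quiet. In the 1.1 entry, the four `/etc/ssl/certs/...` paths under "Restored symlinks" are not created anywhere in this diff; they resolve through the pre-existing `%{_sysconfdir}/ssl/certs` directory link to `%{pkidir}/tls/certs`, so either say so or list only the five links %install actually adds. "Remove update-ca-trust extract compatibility option" is the one user-visible break in this commit (`--rhbz2387674` is no longer accepted by the script), and the entry should state the replacement: the symlinks are package-owned again and need no flag.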
certdata.txt (3284 changes)
File diff suppressed because it is too large

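Review bot: the 3284-line certdata.txt change is the actual trust-store payload of this update (the changelog names twelve new roots from NSS 3.114 and the header hunk below bumps the builtins version to 2.80), but it is suppressed on this page, so neither the additions nor any trust-bit changes can be reviewed here. Before merging, diff the file against the upstream NSS 3.114 certdata.txt, and check that the changelog's "Adding" list is complete; it mentions no removed or distrusted roots at all, which for a CKBI bump is worth confirming rather than assuming.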
@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69
#define NSS_BUILTINS_LIBRARY_VERSION "2.69"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 80
#define NSS_BUILTINS_LIBRARY_VERSION "2.80"

/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

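Review bot: the minor bump to 80 and the "2.80" string are in sync with each other and with the 2.80 segment of the spec's new `Version: 2025.2.80_v9.0.304`, so nothing to change in the hunk itself. The context line above, `It's recommend to switch back to 0`, should read `It's recommended`; worth fixing while the file is being touched.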
@ -31,44 +31,11 @@ usage() {
-o DIR, --output DIR: Write the extracted trust store into the given
directory instead of updating $DEST. (Note: This option will not
populate the ../pki/tls/certs with the directory-hash symbolic links.)

--rhbz2387674: A temporary compatibility option that restores several
legacy certificate-bundle symlinks (e.g., /etc/ssl/cert.pem) to
address issues with older software.
These symlinks will be removed on ca-certificate updates or reinstalls,
so you'll have to re-run this command after ca-certificates updates if
the issue is still not fixed.
WARNING: Do not use in automation or build scripts. This flag
is going to be removed in a future release, and any scripts relying on
it will inevitably break!
EOF
}

rhbz2387674_msg() {
fold -s -w 76 >&2 <<-EOF
----------------------------------------------------------------------------
** DEPRECATION WARNING **
----------------------------------------------------------------------------
The option --rhbz2387674 is a temporary workaround and will be removed in a
future release. Please do not use it in build scripts or automation.

----------------------------------------------------------------------------
** ACTION REQUIRED **
----------------------------------------------------------------------------
To ensure the affected package works correctly in the future, a bug report must
be filed.

1. Check if a bug already exists for the affected package: https://bugzilla.redhat.com/buglist.cgi?component=ca-certificates&product=Fedora&short_desc=droppingOfCertPemFile%20package%3A&short_desc_type=allwordssubstr

2. If no bug exists, please file a new one using this template: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=ca-certificates&version=rawhide&short_desc=droppingOfCertPemFile+package:+<<package_name>>+is+affected

Thank you for helping improve Fedora.
EOF
}

extract() {
USER_DEST=
compat=

# can't use getopt here. ca-certificates can't depend on a lot
# of other libraries since openssl depends on ca-certificates

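Review bot: removing `compat=` and `rhbz2387674_msg` here, together with the option case, the `-o` conflict check and the symlink block in the hunks below, leaves `extract` with no code path that writes outside `$DEST` other than the directory-hash population, which is the right property for a script that runs as root; please confirm no other `$compat` reference survives elsewhere in the file. The surviving `-o DIR` help text still reads "will not populate the ../pki/tls/certs with the directory-hash symbolic links", which is missing the word "directory" after "certs". Also check the man page's EXTRACT OPTIONS section, whose hunks below touch only FILES and LEGACY FILES, no longer documents `--rhbz2387674`.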
@ -86,11 +53,6 @@ extract() {
shift 2
continue
;;
"--rhbz2387674")
compat="true"
shift
continue
;;
"--")
shift
break

@ -102,12 +64,6 @@ extract() {
esac
done

if [[ "$compat" = "true" && -n "$USER_DEST" ]]; then
echo "Error: arguments '-o DIR|--output DIR' and '--rhbz2387674' can't be used together"
exit 1

fi

if [ -n "$USER_DEST" ]; then
DEST=$USER_DEST
# Attempt to create the directories if they do not exist

@ -128,6 +84,7 @@ extract() {

# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"

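Review bot: the restored `trust extract --format=openssl-bundle --filter=certificates` line exports every certificate in the store, blocklisted ones included, with their trust and distrust attributes attached; unlike the `--filter=ca-anchors` bundles below it, this file is only safe for readers that honour those attributes, since a consumer that strips them and treats every block as an anchor would accept a distrusted CA. README.openssl and the man page entry should say so explicitly. Second, with `-o DIR` the directory list referred to by "Attempt to create the directories if they do not exist" in the hunk above is not shown; make sure `$DEST/openssl` was added to it, otherwise this command fails on a fresh output directory.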
@ -138,22 +95,6 @@ extract() {
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"


if [ -n "$compat" ]; then
# print warning message
rhbz2387674_msg

# bring back bundle in openssl trust format
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST_CERTS/ca-bundle.trust.crt"

# create symlinks to /etc/pki/tls/..
ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/../cert.pem"
ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-certificates.crt"
ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-bundle.crt"

# create symlinks to /etc/ssl/ the certs folder is already sym-linked
ln -sf "$DEST/pem/tls-ca-bundle.pem" "/etc/ssl/cert.pem"
fi

if [ -z "$USER_DEST" ]; then
find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
-regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do

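Review bot: the deleted block was the one place the script used `ln -sf` to write fixed paths under /etc/pki/tls and /etc/ssl regardless of `$DEST`, so its removal is a net tightening; two blank lines are left behind where it stood, one of which should go. The surviving `find ... | while read link; do` loop that now follows directly still uses a bare `read`; `IFS= read -r link` is the idiomatic form, harmless here only because the `[0-9a-f]{8}\.[0-9]+` regex cannot match names with backslashes or leading blanks.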
@ -235,6 +235,10 @@ EXTRACT OPTIONS

FILES
-----
/etc/pki/tls/certs/ca-bundle.trust.crt::
Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.

/etc/pki/java/cacerts::
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.

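Review bot: the new ca-bundle.trust.crt entry says the file "is a symbolic link that refers to the consolidated output" without naming the target; README.openssl gives it as /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and the entry should too. It should also make clear that, unlike the pem bundles, this file holds all certificates with their flags (distrusted ones included) rather than only the TLS-trusted set, so a reader does not take it as interchangeable with ca-bundle.crt.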
@ -253,24 +257,6 @@ FILES
/etc/pki/tls/certs::
Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command, they are inteded as a internal format for OpenSSL and not to be used directly by the other crypto libraries or applications.

LEGACY FILES
------------
The following file paths were used in legacy versions of the utility
and have since been replaced. Scripts and configurations referencing
these old paths should be updated.

/etc/pki/cert.pem::
This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

/etc/pki/tls/certs/ca-certificates.crt::
This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

/etc/pki/tls/certs/ca-bundle.crt::
This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

/etc/pki/tls/certs/ca-bundle.trust.crt::
This has been replaced by the directory-hash format certificates stored in /etc/pki/ca-trust/extracted/pem/directory-hash/ directory.

AUTHOR
------
Written by Kai Engert and Stef Walter.

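Review bot: deleting LEGACY FILES removes the only mention on this page of /etc/pki/tls/cert.pem, /etc/pki/tls/certs/ca-bundle.crt, /etc/pki/tls/certs/ca-certificates.crt and /etc/ssl/cert.pem, yet the spec now ships all four as package-owned symlinks again; unless the unchanged part of FILES still lists them, add entries beside the ca-bundle.trust.crt one added in the hunk above. None of the removed text should come back verbatim: its `/etc/pki/cert.pem` does not match the `%{pkidir}/tls/cert.pem` link the spec creates, and its claim that ca-bundle.trust.crt was "replaced by the directory-hash format certificates" conflates a trust-flagged bundle with a hash directory of plain anchors. While here: `inteded as a internal` in the context line should read `intended as an internal`.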