Update to CKBI 2.69_v8.0.401 from NSS 3.103

Adding:
    # Certificate "Sectigo Public Code Signing Root R46"
    # Certificate "Sectigo Public Code Signing Root E46"

.fmf/version

@@ -1 +0,0 @@
-1

README.openssl

@@ -0,0 +1,18 @@
+This directory /etc/pki/ca-trust/extracted/openssl/ contains 
+CA certificate bundle files which are automatically created
+based on the information found in the
+/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
+directories.
+
+All files are in the BEGIN/END TRUSTED CERTIFICATE file format, 
+as described in the x509(1) manual page.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.

ca-certificates.spec

@@ -1,5 +1,7 @@
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
+%define classic_tls_bundle ca-bundle.crt
+%define openssl_format_trust_bundle ca-bundle.trust.crt
 %define p11_format_bundle ca-bundle.trust.p11-kit
 %define legacy_default_bundle ca-bundle.legacy.default.crt
 %define legacy_disable_bundle ca-bundle.legacy.disable.crt
@@ -33,10 +35,10 @@ Name: ca-certificates
 # to have increasing version numbers. However, the new scheme will work, 
 # because all future versions will start with 2013 or larger.)
 
-Version: 2025.2.80_v9.0.304
+Version: 2024.2.69_v8.0.401
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 3%{?dist}
+Release: 1.0%{?dist}
 License: MIT AND GPL-2.0-or-later
 
 URL: https://fedoraproject.org/wiki/CA-Certificates
@@ -55,6 +57,7 @@ Source11: README.usr
 Source12: README.etc
 Source13: README.extr
 Source14: README.java
+Source15: README.openssl
 Source16: README.pem
 Source17: README.edk2
 Source18: README.src
@@ -63,17 +66,16 @@ Source19: README.etcssl
 BuildArch: noarch
 
 Requires(post): bash
-Requires(post): findutils
 Requires(post): grep
 Requires(post): sed
 Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
-Requires(post): p11-kit >= 0.24
-Requires(post): p11-kit-trust >= 0.24
-Requires: p11-kit >= 0.24
-Requires: p11-kit-trust >= 0.24
+Requires(post): p11-kit >= 0.23
+Requires(post): p11-kit-trust >= 0.23
+Requires: p11-kit >= 0.23
+Requires: p11-kit-trust >= 0.23
 Requires: libffi
 Requires(post): libffi
 
@@ -185,14 +187,16 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
+mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
-mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
+mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
@@ -204,6 +208,7 @@ install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/REA
 install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README
 install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
 install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
+install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
 install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
 install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
 install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
@@ -235,84 +240,36 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
+touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
+chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 
-# Populate %%{catrustdir}/extracted/pem/directory-hash.
-#
-# First direct p11-kit-trust.so to the generated bundle (not the one
-# already present on the build system) with an overriding module
-# config. Note that we have to use a different config path based on
-# the current user: if root, ~/.config/pkcs11/modules/* are not read,
-# while if a regular user, she can't write to /etc.
-if test "$(id -u)" -eq 0; then
-   trust_module_dir=/etc/pkcs11/modules
-else
-   trust_module_dir=$HOME/.config/pkcs11/modules
-fi
-
-mkdir -p "$trust_module_dir"
-
-# It is unlikely that the directory would contain any files on a build system,
-# but let's make sure just in case.
-if [ -n "$(ls -A "$trust_module_dir")" ]; then
-        echo "Directory $trust_module_dir is not empty. Aborting build!"
-        exit 1
-fi
-
-trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
-cat >"$trust_module_config" <<EOF
-module: p11-kit-trust.so
-trust-policy: yes
-x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
-EOF
-
-# Extract the trust anchors to the directory-hash format.
-trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
-              --purpose server-auth \
-              $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
-
-# Clean up the temporary module config.
-rm -f "$trust_module_config"
-
-find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
-     -regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
-     -exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
-# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
-find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
-find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
-     -regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
-
-sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
-
 # /etc/ssl is provided in a Debian compatible form for (bad) code that
 # expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
-ln -s %{pkidir}/tls/certs \
+ln -s %{catrustdir}/extracted/pem/directory-hash \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
 ln -s /etc/pki/tls/openssl.cnf \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
 ln -s /etc/pki/tls/ct_log_list.cnf \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
 # legacy filenames
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
+ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
+    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 ln -s %{catrustdir}/extracted/%{java_bundle} \
     $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
 
-%clean
-/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
-rm -rf $RPM_BUILD_ROOT
 
 %pre
 if [ $1 -gt 1 ] ; then
-  # Remove the old symlinks
-  rm -f %{pkidir}/tls/cert.pem
-  rm -f %{pkidir}/tls/certs/ca-bundle.crt
-  rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
-  rm -f %{pkidir}/tls/certs/ca-certificates.crt
-  rm -f %{_sysconfdir}/ssl/cert.pem
-
-
   # Upgrade or Downgrade.
   # If the classic filename is a regular file, then we are upgrading
   # from an old package and we will move it to an .rpmsave backup file.
@@ -333,6 +290,28 @@ if [ $1 -gt 1 ] ; then
       fi
     fi
   fi
+
+  if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then
+    # no backup yet
+    if test -e %{pkidir}/tls/certs/%{classic_tls_bundle}; then
+      # a file exists
+      if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then
+        # it's an old regular file, not a link
+        mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave
+      fi
+    fi
+  fi
+
+  if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
+    # no backup yet
+    if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
+      # a file exists
+      if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
+        # it's an old regular file, not a link
+        mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
+      fi
+    fi
+  fi
 fi
 
 
@@ -361,8 +340,7 @@ fi
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
 
-# The file .files.txt contains the list of (%ghost )files in the directory-hash
-%files -f .files.txt
+%files
 %dir %{_sysconfdir}/ssl
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
@@ -370,16 +348,18 @@ fi
 %dir %{catrustdir}
 %dir %{catrustdir}/source
 %dir %{catrustdir}/source/anchors
+%dir %{catrustdir}/source/blacklist
 %dir %{catrustdir}/source/blocklist
 %dir %{catrustdir}/extracted
 %dir %{catrustdir}/extracted/pem
+%dir %{catrustdir}/extracted/openssl
 %dir %{catrustdir}/extracted/java
 %dir %{_datadir}/pki
 %dir %{_datadir}/pki/ca-trust-source
 %dir %{_datadir}/pki/ca-trust-source/anchors
+%dir %{_datadir}/pki/ca-trust-source/blacklist
 %dir %{_datadir}/pki/ca-trust-source/blocklist
 %dir %{_datadir}/pki/ca-trust-legacy
-%dir %{catrustdir}/extracted/pem/directory-hash
 
 %config(noreplace) %{catrustdir}/ca-legacy.conf
 
@@ -389,16 +369,21 @@ fi
 %{catrustdir}/README
 %{catrustdir}/extracted/README
 %{catrustdir}/extracted/java/README
+%{catrustdir}/extracted/openssl/README
 %{catrustdir}/extracted/pem/README
 %{catrustdir}/extracted/edk2/README
 %{catrustdir}/source/README
 
 # symlinks for old locations
+%{pkidir}/tls/cert.pem
+%{pkidir}/tls/certs/%{classic_tls_bundle}
+%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 %{pkidir}/%{java_bundle}
 # Hybrid hash directory with bundle file for Debian compatibility
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
 %{_sysconfdir}/ssl/certs
 %{_sysconfdir}/ssl/README
+%{_sysconfdir}/ssl/cert.pem
 %{_sysconfdir}/ssl/openssl.cnf
 %{_sysconfdir}/ssl/ct_log_list.cnf
 
@@ -415,95 +400,22 @@ fi
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
+%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
 
+
 %changelog
-*Tue Sep 16 2025 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2025.2.80_v9.0.304-3
-- Migrate STI test to tmt
-
-*Tue Aug 26 2025 rhel-developer-toolbox <krenzelok.frantisek@gmail.com> - 2025.2.80_v9.0.304-2
-- Update to CKBI 2.80_v9.0.304 from NSS 3.114
--    Adding:
--     # Certificate "TWCA CYBER Root CA"
--     # Certificate "TWCA Global Root CA G2"
--     # Certificate "SecureSign Root CA12"
--     # Certificate "SecureSign Root CA14"
--     # Certificate "SecureSign Root CA15"
--     # Certificate "D-TRUST BR Root CA 2 2023"
--     # Certificate "TrustAsia SMIME ECC Root CA"
--     # Certificate "TrustAsia SMIME RSA Root CA"
--     # Certificate "TrustAsia TLS ECC Root CA"
--     # Certificate "TrustAsia TLS RSA Root CA"
--     # Certificate "D-TRUST EV Root CA 2 2023"
--     # Certificate "SwissSign RSA SMIME Root CA 2022 - 1"
--     # Certificate "SwissSign RSA TLS Root CA 2022 - 1"
-
-* Tue Aug 12 2025 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-8
-- update-ca-trust: Added a temporary, compatibility option `--rhbz2387674` to
-  the `extract` command. This flag restores legacy certificate
-  symlinks (e.g., `/etc/ssl/cert.pem`) to address issues with older software
-  that has not yet adapted to their removal. This essentially provides a
-  temporary way to revert the "Dropping of cert.pem file".
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2024.2.69_v8.0.401-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Wed Jul 9 2025 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-6
-- Change: Dropping of cert.pem file (Resolves: rhbz#2360110)
-  https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile
-- Remove the following symlinks:
--    # /etc/pki/tls/cert.pem
--    # /etc/pki/tls/certs/ca-certificates.crt
--    # /etc/pki/tls/certs/ca-bundle.trust.crt
--    # /etc/pki/tls/certs/ca-bundle.crt
--    # /etc/ssl/cert.pem
--    # /etc/ssl/certs/ca-certificates.crt
--    # /etc/ssl/certs/ca-bundle.trust.crt
--    # /etc/ssl/certs/ca-bundle.crt
-- Directory /etc/pki/ca-trust/extracted/openssl is being deprecated,
-  it is removed upon updating unless there are files present inside it.
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2024.2.69_v8.0.401-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-*Tue Dec 17 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-4
-- Bring back /etc/pki/tls/certs/ca-certificates.crt
-
-*Fri Sep 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-3
-- Bring back /etc/pki/tls/cert.pem
-
-*Fri Sep 27 2024 Michel Lind <salimma@fedoraproject.org> - 2024.2.69_v8.0.401-2
-- Add missing Requires(post) on findutils for update-ca-trust
-- Fixes: RHBZ#2315320
-
-*Mon Sep 23 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-1
+*Mon Sep 23 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-1.0
 - Update to CKBI 2.69_v8.0.401 from NSS 3.103
 -    Adding:
 -     # Certificate "Sectigo Public Code Signing Root R46"
 -     # Certificate "Sectigo Public Code Signing Root E46"
 
-*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-5
-- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
-- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
-
-*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-5
-- update-ca-trust: return warnings on a unsupported argument instead of error
-
-*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-5
-- Temporarily generate the directory-hash files in %%install ...(next item)
-- Add list of ghost files from directory-hash to %%files
-
 *Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-5
 - Add libffi to required packages
 
-*Thu Jul 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-4
-- Remove blacklist use blocklist-only.
-
-* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2024.2.68_v8.0.302-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-*Tue Jun 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-2
+*Tue Jun 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-1
 - Update to CKBI 2.68_v8.0.302 from NSS 3.101
 -    Removing:
 -     # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"

nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 80
-#define NSS_BUILTINS_LIBRARY_VERSION "2.80"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 69
+#define NSS_BUILTINS_LIBRARY_VERSION "2.69"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

plans/smoke.fmf

@@ -1,4 +0,0 @@
- discover:
-     how: fmf
- execute:
-     how: tmt

tests/smoke-test/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/ca-certificates/Sanity/smoke-test
+#   Description: Check presence of Verisign root.
+#   Author: Ondrej Moris <omoris@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/ca-certificates/Sanity/smoke-test
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Ondrej Moris <omoris@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Check presence of Verisign root." >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          ca-certificates" >> $(METADATA)
+	@echo "Requires:        ca-certificates" >> $(METADATA)
+	@echo "Requires:        wget" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/smoke-test/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/ca-certificates/Sanity/smoke-test
+Description: Check presence of Verisign root.
+Author: Ondrej Moris <omoris@redhat.com>

tests/smoke-test/main.fmf

@@ -1,5 +0,0 @@
-summary: Check presence of Verisign root.
-test: bash ./runtest.sh
-framework: beakerlib
-recommend:
-  - beakerlib

tests/smoke-test/runtest.sh

@@ -27,7 +27,7 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include rhts environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
+. /usr/lib/beakerlib/beakerlib.sh
 
 PACKAGE="ca-certificates"
 

tests/tests.yml

@@ -0,0 +1,13 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - atomic
+    - classic
+    - container
+    tests:
+    - smoke-test
+    required_packages:
+    - findutils         # beakerlib needs find command

update-ca-trust

@@ -8,19 +8,18 @@ set -eu
 # files in $DEST.
 
 DEST=/etc/pki/ca-trust/extracted
-DEST_CERTS=/etc/pki/tls/certs
 
 # Prevent p11-kit from reading user configuration files.
 export P11_KIT_NO_USER_CONFIG=1
 
 usage() {
 	fold -s -w 76 >&2 <<-EOF
-		Usage: $0 [extract] [-o DIR|--output DIR]
+		Usage: $0 [extract] [-o DIR|--output=DIR]
 
 		Update the system trust store in $DEST.
 
 		COMMANDS
-		(absent/empty command): Same as the extract command without arguments.
+		(absent/empty command): Same as the extract command described below.
 
 		extract: Instruct update-ca-trust to scan the source configuration in
 		/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
@@ -28,47 +27,13 @@ usage() {
 		the $DEST directory hierarchy.
 
 		EXTRACT OPTIONS
-		-o DIR, --output DIR: Write the extracted trust store into the given
-		directory instead of updating $DEST. (Note: This option will not
-		populate the ../pki/tls/certs with the directory-hash symbolic links.)
-
-		--rhbz2387674: A temporary compatibility option that restores several
-		legacy certificate-bundle symlinks (e.g., /etc/ssl/cert.pem) to
-		address issues with older software.
-		These symlinks will be removed on ca-certificate updates or reinstalls,
-		so you'll have to re-run this command after ca-certificates updates if
-		the issue is still not fixed.
-		WARNING: Do not use in automation or build scripts. This flag
-		is going to be removed in a future release, and any scripts relying on
-		it will inevitably break!
-	EOF
-}
-
-rhbz2387674_msg() {
-	fold -s -w 76 >&2 <<-EOF
-	----------------------------------------------------------------------------
-	** DEPRECATION WARNING **
-	----------------------------------------------------------------------------
-	The option --rhbz2387674 is a temporary workaround and will be removed in a
-	future release. Please do not use it in build scripts or automation.
-
-	----------------------------------------------------------------------------
-	** ACTION REQUIRED **
-	----------------------------------------------------------------------------
-	To ensure the affected package works correctly in the future, a bug report must
-	be filed.
-
-	1.  Check if a bug already exists for the affected package: https://bugzilla.redhat.com/buglist.cgi?component=ca-certificates&product=Fedora&short_desc=droppingOfCertPemFile%20package%3A&short_desc_type=allwordssubstr
-
-	2.  If no bug exists, please file a new one using this template: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=ca-certificates&version=rawhide&short_desc=droppingOfCertPemFile+package:+<<package_name>>+is+affected
-
-	Thank you for helping improve Fedora.
+		-o DIR, --output=DIR: Write the extracted trust store into the given
+		directory instead of updating $DEST.
 	EOF
 }
 
 extract() {
 	USER_DEST=
-	compat=
 
         # can't use getopt here. ca-certificates can't depend on a lot
         # of other libraries since openssl depends on ca-certificates
@@ -76,38 +41,22 @@ extract() {
 
         while [ $# -ne 0 ]; do
 	    case "$1" in
-		"-o"|"--output")
-		  if [ $# -lt 2 ]; then
-			  echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
-			  echo >&2
-			  exit 1
-		  fi
+	      "-o"|"--output")
 	          USER_DEST=$2
 		  shift 2
 		  continue
 		  ;;
-		"--rhbz2387674")
-		  compat="true"
-		  shift
-		  continue
-		  ;;
 		"--")
 		  shift
 		  break
 		  ;;
 		*)
-		  echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
+		  usage
 		  exit 1
 		  ;;
 	    esac
 	done
 
-	if [[ "$compat" = "true" && -n "$USER_DEST" ]]; then
-		echo "Error: arguments '-o DIR|--output DIR' and '--rhbz2387674' can't be used together"
-		exit 1
-	
-	fi
-
 	if [ -n "$USER_DEST" ]; then
 		DEST=$USER_DEST
 	        # Attempt to create the directories if they do not exist
@@ -119,49 +68,35 @@ extract() {
 		    "$DEST"/edk2
 	fi
 
-
-	# Delete all directory hash symlinks from the cert directory
-	if [ -z "$USER_DEST" ]; then
-		find "$DEST_CERTS" -type l -regextype posix-extended \
-		     -regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
-	fi
-
 	# OpenSSL PEM bundle that includes trust flags
 	# (BEGIN TRUSTED CERTIFICATE)
-	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
-	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
-	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
-	/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
-	/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
+	/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
+	/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
+	/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
+	/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
+	/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
+	/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
 	# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
 	# by GnuTLS)
-	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
+	/usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
 
+	# p11-kit extract will have made this directory unwritable; when run with
+	# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
+	# not be the case. See rhbz#2241240.
+	if [ -n "$USER_DEST" ]; then
+	    /usr/bin/chmod u+w "$DEST/pem/directory-hash"
+        fi
 
-	if [ -n "$compat" ]; then
-		# print warning message
-		rhbz2387674_msg
+	# Debian compatibility: their /etc/ssl/certs has this bundle
+	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
+	# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
+	# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
+	/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
 
-		# bring back bundle in openssl trust format
-		/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST_CERTS/ca-bundle.trust.crt"
-
-		# create symlinks to /etc/pki/tls/..
-		ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/../cert.pem"
-		ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-certificates.crt"
-		ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-bundle.crt"
-
-		# create symlinks to /etc/ssl/ the certs folder is already sym-linked
-		ln -sf "$DEST/pem/tls-ca-bundle.pem" "/etc/ssl/cert.pem"
-	fi
-
-	if [ -z "$USER_DEST" ]; then
-		find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
-		     -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
-			target=$(readlink -f "$link")
-			new_link="$DEST_CERTS/$(basename "$link")"
-			ln -s "$target" "$new_link"
-		done
-	fi
+	# Remove write permissions again
+	if [ -n "$USER_DEST" ]; then
+	    /usr/bin/chmod u-w "$DEST/pem/directory-hash"
+        fi
 }
 if [ $# -lt 1 ]; then
     set -- extract
@@ -170,14 +105,16 @@ fi
 case "$1" in
 	"extract")
 		shift
-		extract "$@"
+		extract $@
 	;;
-	"--help")
-		usage
-		exit 0
+	"--"*|"-"*)
+		# First parameter seems to be an option, assume the command is 'extract'
+		extract $@
 	;;
 	*)
-		echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage."
+		echo >&2 "Error: Unknown command: $1"
+		echo >&2
+		usage
 		exit 1
 	;;
 esac

update-ca-trust.8.txt

@@ -230,11 +230,18 @@ EXTRACT OPTIONS
 ^^^^^^^^^^^^^^^
 *-o DIR*, *--output=DIR*::
 	Write the extracted trust store into the given directory instead of
-	updating /etc/pki/ca-trust/extracted. (Note: This option will not
-	populate the ../pki/tls/certs with the directory-hash symbolic links.)
+	updating /etc/pki/ca-trust/extracted.
 
 FILES
 -----
+/etc/pki/tls/certs/ca-bundle.crt::
+	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
+/etc/pki/tls/certs/ca-bundle.trust.crt::
+	Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
+
 /etc/pki/java/cacerts::
 	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
 	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
@@ -250,27 +257,6 @@ FILES
 	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
 
-/etc/pki/tls/certs::
-	Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command, they are inteded as a internal format for OpenSSL and not to be used directly by the other crypto libraries or applications.
-
-LEGACY FILES
-------------
-The following file paths were used in legacy versions of the utility
-and have since been replaced. Scripts and configurations referencing
-these old paths should be updated.
-
-/etc/pki/cert.pem::
-    This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
-
-/etc/pki/tls/certs/ca-certificates.crt::
-    This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
-
-/etc/pki/tls/certs/ca-bundle.crt::
-    This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
-
-/etc/pki/tls/certs/ca-bundle.trust.crt::
-    This has been replaced by the directory-hash format certificates stored in /etc/pki/ca-trust/extracted/pem/directory-hash/ directory.
-
 AUTHOR
 ------
 Written by Kai Engert and Stef Walter.