Date: Friday, November 9, 2018 @ 21:12:59 Author: heftig Revision: 338537
20181109-1: Update to current Fedora master https://src.fedoraproject.org/rpms/ca-certificates/tree/f4842fa2d8bdcfd872fe6113a8d66d2d9f8fb8ee Modified: ca-certificates/trunk/PKGBUILD ca-certificates/trunk/update-ca-trust ca-certificates/trunk/update-ca-trust.8.txt -----------------------+ PKGBUILD | 8 ++--- update-ca-trust | 20 ++++++++---- update-ca-trust.8.txt | 75 ++++++++++++++++++++++++++++++------------------ 3 files changed, 66 insertions(+), 37 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2018-11-09 21:12:58 UTC (rev 338536) +++ PKGBUILD 2018-11-09 21:12:59 UTC (rev 338537) @@ -3,7 +3,7 @@ pkgbase=ca-certificates pkgname=(ca-certificates-utils ca-certificates) -pkgver=20180821 +pkgver=20181109 pkgrel=1 pkgdesc="Common CA certificates" url="https://src.fedoraproject.org/rpms/ca-certificates" @@ -11,8 +11,8 @@ license=(GPL2) makedepends=(asciidoc p11-kit) source=(update-ca-trust update-ca-trust.8.txt update-ca-trust.hook) -sha256sums=('9edb930441a7c886dcf545799164e2982dfec56330ec4aaba8ee3c5b40fd7dba' - '38c10446738c1e99bc95e42fe844a9e95ea106795059fa769f3b4ba82b395929' +sha256sums=('ba98e00f80f94e2648b66252119d1b0da2339b8c83860cd69738e5c4e2d0fcc3' + 'acf571f7d7a9df2149a373017280e8f22d07a2d36600256fa48159d22ab74751' '15eb04e757b7c61c8ee1540fd697771b8ae8e31f92cfb39c260b423101e21af8') build() { 
@@ -35,7 +35,7 @@ install -d "$pkgdir"/{etc,usr/share}/$pkgbase/trust-source/{anchors,blacklist} # Directories used by update-ca-trust (aka "trust extract-compat") - install -d "$pkgdir"/etc/{ssl/certs/java,$pkgbase/extracted} + install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted} # Compatibility link for OpenSSL using /etc/ssl as CAdir # Used in preference to the individual links in /etc/ssl/certs Modified: update-ca-trust =================================================================== --- update-ca-trust 2018-11-09 21:12:58 UTC (rev 338536) +++ update-ca-trust 2018-11-09 21:12:59 UTC (rev 338537) 
@@ -14,15 +14,26 @@ trust extract --overwrite "$@" } -# The directory-format extractors remove all files in the target directory, but not directories or files therein -extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth $DEST/cadir +## Simple PEM bundles extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth $DEST/tls-ca-bundle.pem extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email $DEST/email-ca-bundle.pem extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing $DEST/objsign-ca-bundle.pem + +## OpenSSL PEM bundle that includes trust flags extract --comment --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt +## TianoCore EDK II bundle +extract --format=edk2-cacerts --filter=ca-anchors --purpose=server-auth $DEST/edk2-cacerts.bin + +## Java bundle +extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts + +## OpenSSL-style directory with individual PEM files and hash links +# The directory-format extractors remove all files in the target directory, but not directories or files therein +extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth $DEST/cadir + # We don't want to have to remove everything from the certs directory but neither -# do we want to leave stale certs around, so symlink it all from somewhere else +# do we want to leave stale certs around, so only place symlinks in the real cadir for f in $DEST/cadir/*; do ln -fsr -t /etc/ssl/certs "$f" done 
@@ -29,6 +40,3 @@ # Now find and remove all broken symlinks find -L /etc/ssl/certs -maxdepth 1 -type l -delete - -# Java bundle -extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts Modified: update-ca-trust.8.txt =================================================================== --- update-ca-trust.8.txt 2018-11-09 21:12:58 UTC (rev 338536) +++ update-ca-trust.8.txt 2018-11-09 21:12:59 UTC (rev 338537) @@ -74,11 +74,11 @@ the correct subdirectory for adding files, as the subdirectory defines how contained certificates will be trusted or distrusted, and which file formats are read.* -Files in subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/ contain CA certificates and +Files in *subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/* contain CA certificates and trust settings in the PEM file format. The trust settings found here will be interpreted with a *low priority*. -Files in subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/ contain CA certificates and +Files in *subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/* contain CA certificates and trust settings in the PEM file format. The trust settings found here will be interpreted with a *high priority*. @@ -144,7 +144,7 @@ Applications that rely on a static file for a list of trusted CAs may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted -directory. After modifying any file in the +directories. After modifying any file in the /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ directories or in any of their subdirectories, or after adding a file, it is necessary to run the 'update-ca-trust extract' command, 
@@ -161,7 +161,7 @@ [[extractconf]] EXTRACTED CONFIGURATION ----------------------- -The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contains generated CA certificate +The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contain generated CA certificate bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>> by running the 'update-ca-trust extract' command. @@ -189,8 +189,13 @@ File cacerts contains CA certificates trusted for TLS server authentication. The directory /etc/ca-certificates/extracted contains +a CA certificate bundle file in the extended BEGIN/END TRUSTED CERTIFICATE file format, +as described in the x509(1) manual page. +File ca-bundle.trust.crt contains the full set of all trusted +or distrusted certificates, including the associated trust flags. +It also contains CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, -as decribed in the x509(1) manual page. +as described in the x509(1) manual page. Distrust information cannot be represented in this file format, and distrusted certificates are missing from these files. File tls-ca-bundle.pem contains CA certificates 
@@ -199,10 +204,14 @@ trusted for E-Mail protection. File objsign-ca-bundle.pem contains CA certificates trusted for code signing. -File ca-bundle.trust.crt contains certificates in the extended -BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page. -This bundle contains the full set of all trusted -and distrusted certificates, including the associated trust flags. +It also contains a CA +certificate bundle ("edk2-cacerts.bin") in the "sequence of +EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification, +sections "31.4.1 Signature Database" and +"EFI_CERT_X509_GUID". Distrust information cannot be represented in +this file format, and distrusted certificates are missing from these +files. File "edk2-cacerts.bin" contains CA certificates trusted for TLS +server authentication. COMMANDS 
@@ -215,11 +224,27 @@ *extract*:: Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce updated versions of the consolidated configuration files stored below - the /etc/ssl/certs and /etc/ca-certificates/extracted directory - hierarchies. + the /etc/ssl/certs and /etc/ca-certificates/extracted directory hierarchies. FILES ----- +/etc/ssl/certs:: + Classic directory, files contain individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + Also includes the necessary hash symlinks expected by OpenSSL. + These files are symbolic links that are maintained by the update-ca-trust command. + +/etc/ssl/certs/ca-certificates.crt:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/etc/ssl/cert.pem:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/etc/ssl/java/cacerts:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. + /usr/share/ca-certificates/trust-source:: Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories. 
@@ -232,32 +257,28 @@ See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details. /etc/ca-certificates/extracted/tls-ca-bundle.pem:: - Contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + File contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. /etc/ca-certificates/extracted/email-ca-bundle.pem:: - Contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + File contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. /etc/ca-certificates/extracted/objsign-ca-bundle.pem:: - Contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + File contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is consolidated output created by the update-ca-trust command. /etc/ca-certificates/extracted/ca-bundle.trust.crt:: - Contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. + File contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. + This file is consolidated output created by the update-ca-trust command. 
/etc/ca-certificates/extracted/cadir:: Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. - Also includes the necessary hash symlinks expected by OpenSSL. + Also includes the necessary hash symlinks expected by OpenSSL. + These files are maintained by the update-ca-trust command. -/etc/ssl/certs:: - Classic directory, contains symlinks into /etc/ca-certificates/extracted/cadir which are maintained by the update-ca-trust command. - -/etc/ssl/certs/ca-certificates.crt:: - Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem. - -/etc/ssl/cert.pem:: - Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem. - -/etc/ssl/java/cacerts:: - Classic filename, contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. +/etc/ca-certificates/extracted/edk2-cacerts.bin:: + File contains a list of CA certificates trusted for TLS server authentication usage, in the UEFI signature database format, without distrust information. This file is consolidated output created by the update-ca-trust command. AUTHOR
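Review bot: in the PKGBUILD hunk at @@ -35,7 +35,7 @@, the brace expansion `install -d "$pkgdir"/etc/{ssl/certs/{edk2,java},$pkgbase/extracted}` creates /etc/ssl/certs/edk2, but no extract call in the updated update-ca-trust writes there: the EDK II bundle goes to `$DEST/edk2-cacerts.bin`, which the man page hunks document as /etc/ca-certificates/extracted/edk2-cacerts.bin. Either drop `edk2` from the expansion or point the edk2-cacerts extractor at that directory, so the package does not ship a directory under /etc/ssl/certs that nothing ever populates.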
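Review bot: in the update-ca-trust hunk at @@ -14,15 +14,26 @@, the Java keystore is the only extract target written outside $DEST (`extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts`), while the new EDK II output goes below $DEST like the PEM bundles. A one-line comment saying why it is written in place, or extracting it to $DEST and adding a symlink as the PEM bundles have, would keep all consolidated output in one tree and make the "classic filename" entries in the man page consistent.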
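Review bot: in the man page hunk at @@ -199,10 +204,14 @@, the new EDK II paragraph is copied from the PEM-bundle paragraph and keeps the plural "distrusted certificates are missing from these files" although it describes a single file, and the closing sentence (`File "edk2-cacerts.bin" contains CA certificates trusted for TLS server authentication.`) repeats the opening one. Suggest collapsing it to one sentence per fact: format (sequence of EFI_SIGNATURE_LISTs, UEFI 2.7 section 31.4.1), usage (TLS server authentication), and the no-distrust caveat.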
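Review bot: in the man page hunk at @@ -215,11 +224,27 @@, the new FILES entry is `/etc/ssl/java/cacerts::`, but the script writes the keystore to /etc/ssl/certs/java/cacerts and the PKGBUILD creates ssl/certs/java; the path was already wrong in the block this hunk moves (removed at @@ -232) and is carried over unchanged. The entry should read /etc/ssl/certs/java/cacerts.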
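Review bot: in the man page hunk at @@ -232,32 +257,28 @@, the removed entries for /etc/ssl/certs/ca-certificates.crt and /etc/ssl/cert.pem named the symlink target (`a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem`), whereas their replacements in the FILES section only say the link "refers to the consolidated output created by the update-ca-trust command". Keep the explicit target in the new entries; an administrator tracing which bundle an application actually loads needs that path, and it is the one piece of information the rewrite drops.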
