Hi Dmitry, ca-cacert just fell out of testing because of this issue.
Lucas Nussbaum wrote: > > make[1]: Entering directory '/<<PKGBUILDDIR>>' > > #find . -maxdepth 1 -type f -name "*.crt" -exec openssl verify "{}" \; > > certtool --verify --load-ca-certificate root.crt --infile class3.crt > > Loaded CAs (1 available) > > Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc. > > Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing > > Authority,OU=http://www.cacert.org,O=Root CA > > Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing > > Authority,OU=http://www.cacert.org,O=Root CA > > Signature algorithm: RSA-SHA256 > > Output: Verified. The certificate is trusted. > > > > Chain verification output: Verified. The certificate is trusted. > > > > certtool --verify --load-ca-certificate root.crt --infile root.crt > > Loaded CAs (1 available) > > Subject: EMAIL=supp...@cacert.org,CN=CA Cert Signing > > Authority,OU=http://www.cacert.org,O=Root CA > > Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing > > Authority,OU=http://www.cacert.org,O=Root CA > > Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing > > Authority,OU=http://www.cacert.org,O=Root CA > > Signature algorithm: RSA-MD5 ^^^ > > Output: Not verified. The certificate is NOT trusted. > > > > Chain verification output: Not verified. The certificate is NOT trusted. Reason for this test suite failure is likely that certtool stopped to accept the MD5 hashing algorithm. The man page says: --verify-allow-broken Allow broken algorithms, such as MD5 for verification. This can be combined with --p7-verify, --verify or --verify-chain. This could be fixed to change certtool --verify --load-ca-certificate root.crt --infile root.crt to certtool --verify --verify-allow-broken --load-ca-certificate root.crt --infile root.crt As far as I see understand that seems to be only the self-signature of root.crt (which AFAICT should be neglectable) while the (AFAICT relevant) signature on class3.crt uses SHA256 which is ok. Regards, Axel -- ,''`. | Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/ : :' : | Debian Developer, ftp.ch.debian.org Admin `. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5 `- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE