Hi Dmitry,

ca-cacert just fell out of testing because of this issue.

Lucas Nussbaum wrote:
> > make[1]: Entering directory '/<<PKGBUILDDIR>>'
> > #find . -maxdepth 1 -type f -name "*.crt" -exec openssl verify "{}" \;
> > certtool --verify --load-ca-certificate root.crt --infile class3.crt
> > Loaded CAs (1 available)
> >     Subject: CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
> >     Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> >     Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> >     Signature algorithm: RSA-SHA256
> >     Output: Verified. The certificate is trusted. 
> > 
> > Chain verification output: Verified. The certificate is trusted. 
> > 
> > certtool --verify --load-ca-certificate root.crt --infile root.crt
> > Loaded CAs (1 available)
> >     Subject: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> >     Issuer: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> >     Checked against: EMAIL=supp...@cacert.org,CN=CA Cert Signing 
> > Authority,OU=http://www.cacert.org,O=Root CA
> >     Signature algorithm: RSA-MD5
                                 ^^^
> >     Output: Not verified. The certificate is NOT trusted. 
> > 
> > Chain verification output: Not verified. The certificate is NOT trusted. 

The reason for this test suite failure is likely that certtool stopped
accepting the MD5 hashing algorithm.

The man page says:

       --verify-allow-broken
              Allow broken algorithms, such as MD5 for verification.

              This can be combined with --p7-verify, --verify or
              --verify-chain.

This could be fixed to change

  certtool --verify --load-ca-certificate root.crt --infile root.crt

to

  certtool --verify --verify-allow-broken --load-ca-certificate root.crt --infile root.crt

As far as I understand, that seems to be only the self-signature of
root.crt (which AFAICT should be negligible), while the (AFAICT
relevant) signature on class3.crt uses SHA256, which is ok.

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
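The distinction drawn in the mail above (a broken hash on a root's self-signature is harmless, because the trust anchor is the key itself, while the same hash on a CA-issued signature would matter) can be turned into a small policy check. The following Python is an added example, not part of the bug report or of the ca-cacert package: it parses certtool --verify output in the format quoted above and decides whether --verify-allow-broken is an acceptable workaround. The two sample outputs are reconstructed from the report with the mail client's line wrapping undone and the redacted address kept as it appears; the third sample (an MD5-signed intermediate) is constructed here to show the case where the flag must not be used, and MD2 in the broken-hash set is an assumption beyond the MD5 named in the report.

```python
import re
from dataclasses import dataclass

# Hashes certtool refuses without --verify-allow-broken. MD5 comes from the
# report; MD2 is an assumption added for this example.
BROKEN_HASHES = {"MD5", "MD2"}

# DN strings as printed in the report (address redacted there, kept as-is).
ROOT_DN = ("EMAIL=supp...@cacert.org,CN=CA Cert Signing Authority,"
           "OU=http://www.cacert.org,O=Root CA")
CLASS3_DN = "CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc."

def _run(subject, issuer, sig_alg, verified):
    """Build one certtool --verify transcript (constructed sample text)."""
    out = ("Verified. The certificate is trusted." if verified
           else "Not verified. The certificate is NOT trusted.")
    return (f"Loaded CAs (1 available)\n    Subject: {subject}\n"
            f"    Issuer: {issuer}\n    Checked against: {issuer}\n"
            f"    Signature algorithm: {sig_alg}\n    Output: {out}\n\n"
            f"Chain verification output: {out}\n")

# The two runs from the report, line wrapping undone.
CLASS3_RUN = _run(CLASS3_DN, ROOT_DN, "RSA-SHA256", True)
ROOT_RUN = _run(ROOT_DN, ROOT_DN, "RSA-MD5", False)
# Hypothetical negative case, not from the report.
MD5_INTERMEDIATE_RUN = _run("CN=Example Intermediate (hypothetical),O=Example",
                            ROOT_DN, "RSA-MD5", False)

_FIELD = re.compile(
    r"^\s*(Subject|Issuer|Checked against|Signature algorithm|Output):\s*(.*)$")

@dataclass
class Verdict:
    subject: str
    issuer: str
    sig_alg: str
    trusted: bool
    self_signed: bool
    severity: str  # "ok", "self-signature-only" or "broken-signature"

def parse_certtool_verify(text: str) -> list[dict]:
    """Split certtool --verify output into one dict per verified certificate."""
    certs, cur = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue  # "Loaded CAs", "Chain verification output", blanks
        key, val = m.group(1), m.group(2).strip()
        if key == "Subject" and cur:  # a new certificate block starts
            certs.append(cur)
            cur = {}
        cur[key] = val
    if cur:
        certs.append(cur)
    return certs

def classify(text: str) -> list[Verdict]:
    """Rate each signature: a broken hash only matters on a non-self-signature."""
    verdicts = []
    for c in parse_certtool_verify(text):
        sig_alg = c.get("Signature algorithm", "")
        hash_name = sig_alg.rsplit("-", 1)[-1].upper()  # "RSA-MD5" -> "MD5"
        subject, issuer = c.get("Subject", ""), c.get("Issuer", "")
        self_signed = subject == issuer
        trusted = c.get("Output", "").startswith("Verified")
        if hash_name not in BROKEN_HASHES:
            severity = "ok"
        elif self_signed:
            severity = "self-signature-only"  # trust anchor: key, not signature
        else:
            severity = "broken-signature"      # issuer-made signature: relevant
        verdicts.append(Verdict(subject, issuer, sig_alg, trusted,
                                self_signed, severity))
    return verdicts

def allow_broken_decision(text: str) -> str:
    """Say whether adding --verify-allow-broken to this run is acceptable."""
    sev = {v.severity for v in classify(text)}
    if "broken-signature" in sev:
        return "unsafe"
    if "self-signature-only" in sev:
        return "safe-for-self-signature"
    return "not-needed"

if __name__ == "__main__":
    for name, run in [("class3.crt", CLASS3_RUN), ("root.crt", ROOT_RUN),
                      ("hypothetical intermediate", MD5_INTERMEDIATE_RUN)]:
        v = classify(run)[0]
        print(f"{name}: {v.sig_alg}, self-signed={v.self_signed}, "
              f"{v.severity} -> --verify-allow-broken {allow_broken_decision(run)}")
```

Run as a script it prints one line per sample; for the report's two runs the decision is "not-needed" for class3.crt and "safe-for-self-signature" for root.crt, matching the fix proposed above, while the constructed MD5-signed intermediate comes out "unsafe".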
