After running a 12.4 installworld, I found the TrustCor certs had been reinstalled. Out of curiosity, were these known-bad certificates intentionally left in RELEASE? If so, it does appear we could use a ports-based solution. At this point all the port would need to do is periodically "rm /usr/share/certs/trusted/TrustCor*", but there's sure to be room for options to better harden PKI.
Roger Marquis
