TBH, there is no need to download the entire package of root certs from a new 
version of macOS. Installing the updated root certificate you need should be 
enough. For the case of the expired intermediate certificate of Letsencrypt 
(that causes most of the problems in my personal experience) installing the 
root certificate for ISRG X1 in the keychain from the CA itself should fix the 
problem without creating new packages (and maintaining them). In the case of 
Letsencrypt, from this page https://letsencrypt.org/certificates/ 
you need to install https://letsencrypt.org/certs/isrgrootx1.pem 
to fix the problem with Letsencrypt “expired” certificates (this works even 
on old iOS versions). This is just a stopgap for what I think is the more 
critical problem now.
Of course: ymmv, just a quick note, you should not install root certificates 
when a stranger tells you to do so from a link on the Internet, etc. etc.

Ciao,
gt
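
The procedure described in the message above as a script, added here as an example (it is not part of gt's message, the thread, or MacPorts). It fetches the ISRG Root X1 PEM from the URL quoted above, refuses to proceed unless the file is a PEM certificate whose SHA-256 fingerprint matches the value you have copied from the CA's own certificates page (the thread does not quote that value, so it is a placeholder here, read from the EXPECTED_SHA256 environment variable), and then installs it into the System keychain rather than the login keychain, so that processes started by launchd as root also trust it. The function names, the `install` argument, and the availability of curl, openssl and the macOS `security` tool are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from MacPorts: install a
# single root certificate (ISRG Root X1) system-wide on an older macOS instead
# of replacing the whole root bundle. Assumes curl, openssl and `security`.
set -eu

ROOT_URL="https://letsencrypt.org/certs/isrgrootx1.pem"   # URL quoted in the thread
# Placeholder: set EXPECTED_SHA256 to the fingerprint printed on the CA's own
# certificates page before running. It is deliberately not reproduced here.
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_FINGERPRINT_FROM_CA_PAGE}"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# is_pem_cert FILE -> succeeds only if FILE contains a PEM certificate block.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
    && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# cert_sha256 FILE -> prints the SHA-256 fingerprint as upper-case hex, no colons.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# fingerprint_matches FILE EXPECTED -> succeeds only if the fingerprints agree
# (EXPECTED may be given with or without colons, in either case).
fingerprint_matches() {
  want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  [ "$(cert_sha256 "$1")" = "$want" ]
}

# install_system_root FILE -> add FILE as a trusted root in the System keychain.
# The login keychain is not enough: daemons launchd runs as root evaluate trust
# against the System keychain, which is the failure Michael describes below.
install_system_root() {
  sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$1"
}

# root_installed NAME -> succeeds if a certificate with that name is in the System keychain.
root_installed() {
  security find-certificate -c "$1" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1
}

main() {
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  curl -fsSL -o "$tmp" "$ROOT_URL"
  is_pem_cert "$tmp" || { echo "downloaded file is not a PEM certificate" >&2; exit 1; }
  fingerprint_matches "$tmp" "$EXPECTED_SHA256" \
    || { echo "fingerprint mismatch: refusing to install" >&2; exit 1; }
  install_system_root "$tmp"
  root_installed "ISRG Root X1" && echo "ISRG Root X1 is now trusted system-wide"
}

# The download and install only run when invoked as: sh install-isrg-root.sh install
if [ "${1:-}" = "install" ]; then
  main
fi
```

Run it as `EXPECTED_SHA256=<value from the CA page> sh install-isrg-root.sh install`; the fingerprint check is what keeps the "do not install roots because a stranger on the Internet said so" caveat honest, since the download is only trusted after it matches a value obtained out of band.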


> On 29 Oct 2021, at 18:45, Richard Bonomo TDS personal 
> <bon...@tds.net> wrote:
> 
> 
> Well, some of us are reasonably competent in managing risk, but cannot afford 
> to be buying new computers.
> So the Apples I have, or are on loan to me, have to be kept going.
> 
> On a more pathologic level, I am also in possession (extended loan) of a µVAX 
> workstation that I should try
> to get working again.  There is no such thing as a support contract for that, 
> and DEC does not exist any more.
> 
> Rich
> 
> ----- Original Message -----
> From: "Richard L. Hamilton" <rlha...@smart.net>
> To: "macports-users Users" <macports-users@lists.macports.org>
> Sent: Friday, October 29, 2021 11:25:56 AM
> Subject: Re: provide latest OS root certificates via port?
> 
> 
> 
>> On Oct 29, 2021, at 12:02, Michael <keybou...@gmail.com> wrote:
>> 
>> As a user who spent a week trying to figure out what was going on with more 
>> and more sites not working, making less of the information out there 
>> available to figure out how to solve the expired cert, it was really painful 
>> to find out that this was "known in advance", and worse, this implies that 
>> ANY "modern", "secure" OS is an inherent time-death, for no good reason.
>> 
>> Having an easy way to update certs would be wonderful.
>> Finding out the hard way that not only did I need to put the DST root in, 
>> but that in the next year there's a couple more that will expire, when this 
>> was something that could have, and should have, been made very public in 
>> advance, was painful.
>> 
>> Discovering the *harder* way that adding a root key to your personal account 
>> is not the same as adding it system wide, meaning that the first information 
>> I got wasn't even accurate, only made things worse -- I could browse the web 
>> just fine, but stuff running as root from launchd was using a different set 
>> of certs that did not include this.
>> 
>> Some sort of "Warning! This system is considered extremely vulnerable" is 
>> fine. But we see ATMs running Windows XP, voting machines running Vista, 
>> etc. Old systems being used past their expiration date is normal.
> 
> The ancient (and inadequately audited and reviewed, even if not ancient) 
> software on ATMs and voting machines should be a scandal. Although they are 
> (supposedly) more physically controlled than user desktops/laptops are, and 
> are at least INTENDED to be limited to specific kiosk-like functions and 
> nothing else, so they're FAR less exposed (software-wise) than a browser 
> accessing potentially anything, including once-legit sites that had been 
> hacked to become nasty.  The risks are (IMO) NOT THE SAME.
> 
>> Or do you think that 50 year old FORTRAN programs on 370 systems should be 
>> retired and the entire financial system forced to rewrite code used all 
>> around the world?
> 
> A heck of a lot had to be fixed for Y2K, and some things that couldn't be 
> fixed were either replaced or tossed (including a few that were tossed simply 
> because nobody would take responsibility to affirm that they didn't use 
> dates, even though it was obvious). Been there, done that. It was only a big 
> yawn-fest due to a LOT of hard work. Same thing will happen again in 2038 for 
> any 32-bit Unix/Linux code, btw. That won't be modern desktops (just about 
> all of which are already 64-bit, some now 64-bit only), but a heck of a lot 
> of embedded devices may still be running that old code then. Fortunately I'm 
> retired, so assuming I'm still around, I won't have to deal with THAT mess.
> 
>>> Sometimes, one has to work with what one has.
>> 
>> Exactly.
> 
> Ok, sometimes. In a retro computing museum. Or in a nonprofit with no budget. 
> But for anything serious, one REALLY should be aware of the risks, even if 
> that means going back to pen, paper, and snail mail rather than taking the 
> risks. Or else realizing that EVERYTHING they do where the information or 
> transaction has any value at all, is at greater risk of being corrupted or 
> exploited by hostiles if they're doing it on that old system, at least if 
> that system has Internet access.
> 
> But basically EVERY computer, even if the physical box could last longer, has 
> support issues past 5 years old, CERTAINLY if one doesn't have a paid support 
> contract. I have a box that's industrial enough that it's 20+ years old and 
> has only had a drive or two (mirrored, so never any data loss) replaced, but 
> I can't (ok, won't) afford a support contract for it (there probably is still 
> support for an older OS version that could still run on it, those things were 
> built like tanks!), so I know I'm taking my chances. In other words, no 
> system seller is going to be on the hook to support an old system forever as 
> part of the purchase price; if they'll provide extended support at all, you'd 
> better expect to pay extra for that, every year. EVERYTHING costs, 'cause 
> everybody has to make a living, including the rich people and the little 
> people at the rich people's companies. Magic no problems forever does NOT 
> exist.
