[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
Hello,

Will Ubuntu hirsute be affected by this bug?

For context, Network Security Services (NSS) 3.63 and newer distrusts Symantec which will cause failures when installing NuGet packages. As per this question, Ubuntu contains NSS 3.63 in hirsute-proposed:
https://answers.launchpad.net/ubuntu/+source/ca-certificates/+question/696339

For more information, please see:
https://github.com/NuGet/Announcements/issues/56

Best,
Loic

** Bug watch added: github.com/NuGet/Announcements/issues #56
   https://github.com/NuGet/Announcements/issues/56

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1913951

Title:
  ca-certificates: Symantec CA blacklisted for non-TLS uses

Status in ca-certificates package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Groovy:
  Fix Released
Status in ca-certificates source package in Hirsute:
  Fix Released
Status in ca-certificates package in Debian:
  Fix Released

Bug description:
  ~$ lsb_release -rd
  Description: Ubuntu 20.10
  Release: 20.10

  ~$ apt list --installed | grep ca-certificates

  WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

  ca-certificates/groovy-updates,groovy-security,now 20201027ubuntu0.20.10.1 all [installed,automatic]

  Repro steps:

  1. Open Terminal.
  2. Execute:

     wget https://dot.net/v1/dotnet-install.sh
     chmod +x ./dotnet-install.sh
     ./dotnet-install.sh -c 5.0
     export DOTNET_ROOT=$HOME/.dotnet
     export PATH=$PATH:$HOME/.dotnet
     dotnet new console
     dotnet add package System.Collections.Immutable

  Expected result: Package restore will succeed.

  Actual result: Package restore fails with:

     error: NU3028: Package 'System.Collections.Immutable 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

  There has been a planned process to distrust Symantec certificates in the certificate store over the past two years. The Debian ca-certificates package removed this CA for both TLS (expected) and other uses (like timestamping) (unexpected). Trust was added back in a subsequent update. See https://release.debian.org/proposed-updates/stable.html#ca-certificates_20200601~deb10u2 for details.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1913951/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
** Changed in: ca-certificates (Debian)
   Status: Fix Committed => Fix Released
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
It's possible in certain upgrade scenarios that the certs have been permanently blacklisted on your system.

Look at the /etc/ca-certificates.conf file to see if the following two lines start with a "!" character:

mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
mozilla/VeriSign_Universal_Root_Certification_Authority.crt

If they do begin with "!", you need to reconfigure ca-certificates with:

sudo dpkg-reconfigure ca-certificates

That should ask you which certificates to activate. Make sure those two are checked.
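
Added example, not part of the original message or of the ca-certificates package: a POSIX shell check for the condition described in the message above, reporting whether each of the two named roots is active, deselected with "!", or absent in a ca-certificates.conf-style file. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify the two roots named
# in the message above inside a ca-certificates.conf-style file.
# File format: "#" starts a comment, a leading "!" marks a deselected
# certificate, any other non-empty line is an activated certificate path.

ROOTS="mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
mozilla/VeriSign_Universal_Root_Certification_Authority.crt"

# cert_state CONF ENTRY
# Prints one of: active | deselected | absent
# Choice made by this example: if an entry is listed both with and
# without "!", it is reported as active.
cert_state() {
    conf=$1 entry=$2 state=absent
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$entry")  state=active ;;
            "!$entry") [ "$state" = active ] || state=deselected ;;
        esac
    done < "$conf"
    printf '%s\n' "$state"
}

# check_ca_conf CONF
# Prints "<state> <entry>" for each root; returns 1 if any root is not active.
check_ca_conf() {
    rc=0
    for entry in $ROOTS; do
        s=$(cert_state "$1" "$entry")
        printf '%-10s %s\n' "$s" "$entry"
        [ "$s" = active ] || rc=1
    done
    return $rc
}

# Constructed sample input (not taken from a real host): one root has been
# deselected by an earlier upgrade, the other is still active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample of /etc/ca-certificates.conf
mozilla/GlobalSign_Root_CA.crt
!mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
mozilla/VeriSign_Universal_Root_Certification_Authority.crt
EOF

if check_ca_conf "$sample"; then
    echo "both roots are active"
else
    echo "at least one root is not active: run 'sudo dpkg-reconfigure ca-certificates'"
fi
rm -f "$sample"
```

On a real host, pass /etc/ca-certificates.conf to check_ca_conf instead of the sample file.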
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
Yes. I can confirm that the package ca-certificates 20210119~20.10.1 makes it possible to restore nuget packages using "nuget restore". Although invoking the dotnet cli, like doing "dotnet restore", yields the same certificate error.

Is it possible to solve this certificate issue once and for all?
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
Odd. I can see that the package ca-certificates 20210119~20.10.1 is installed on my ubuntu 20.10, but I still can't restore my nuget packages. I'm getting the following error message:

error NU3028: Package 'Microsoft.Extensions.Configuration 3.1.10' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain.
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
** Changed in: ca-certificates (Ubuntu Hirsute)
   Status: Fix Committed => Fix Released
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
No, GeoTrust Global CA is no longer to be used and has been removed from the CA list as requested by DigiCert.

Please see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1670769

** Bug watch added: Mozilla Bugzilla #1670769
   https://bugzilla.mozilla.org/show_bug.cgi?id=1670769
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
Will this issue also be fixed in Focal? It's currently not possible to connect to Apple Push servers in Ubuntu 20.04 due to the removal of the GeoTrust Global Root which Apple returns in their certificate chain from api.push.apple.com.

```
~cat /etc/issue
Ubuntu 20.04.2 LTS \n \l

~ apt list ca-certificates -a
Listing... Done
ca-certificates/focal-updates,focal-updates,focal-security,focal-security,now 20210119~20.04.1 all [installed]
ca-certificates/focal,focal 20190110ubuntu1 all

~ echo "Q" | openssl s_client -connect api.push.apple.com:443
CONNECTED(0003)
depth=1 CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
verify return:1
---
Certificate chain
 0 s:CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
---
Server certificate
subject=CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
issuer=CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
---
Acceptable client certificate CA names
C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Root CA
CN = Apple Application Integration 2 Certification Authority, OU = Apple Certification Authority, O = Apple Inc., C = US
CN = Apple Corporate Authentication CA 1, OU = Certification Authority, O = Apple Inc., C = US
C = US, O = Apple Inc., OU = Apple Worldwide Developer Relations, CN = Apple Worldwide Developer Relations Certification Authority
CN = Apple Corporate Root CA, OU = Certification Authori
```
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
The nuget restore command works again on my Ubuntu 20.10 OS, thanks for the fix.
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
This bug was fixed in the package ca-certificates - 20210119~20.10.1

---
ca-certificates (20210119~20.10.1) groovy-security; urgency=medium

  * Update ca-certificates database to 20210119 (LP: #1914064):
    - mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate
      authority bundle to version 2.46.
    - backport certain changes from the Ubuntu 20.10 20210119 package
  * mozilla/blacklist.txt: revert Symantec CA blacklist (LP: #1913951)
    The following root certificates were added back (+):
    + "GeoTrust Primary Certification Authority - G2"
    + "VeriSign Universal Root Certification Authority"

 -- Marc Deslauriers  Mon, 01 Feb 2021 10:14:19 -0500

** Changed in: ca-certificates (Ubuntu Groovy)
   Status: Confirmed => Fix Released
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
It looks like the reverted blacklist will work fine for new installs of groovy, so I'll be pushing a new version of the ca-certificates package tomorrow with an updated bundle that will solve this issue at the same time.
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
** Changed in: ca-certificates (Debian) Status: Unknown => Fix Committed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ca-certificates in Ubuntu. https://bugs.launchpad.net/bugs/1913951 Title: ca-certificates: Symantec CA blacklisted for non-TLS uses Status in ca-certificates package in Ubuntu: Fix Committed Status in ca-certificates source package in Groovy: Confirmed Status in ca-certificates source package in Hirsute: Fix Committed Status in ca-certificates package in Debian: Fix Committed Bug description: ~$ lsb_release -rd Description: Ubuntu 20.10 Release: 20.10 ~$ apt list --installed | grep ca-certificates WARNING: apt does not have a stable CLI interface. Use with caution in scripts. ca-certificates/groovy-updates,groovy-security,now 20201027ubuntu0.20.10.1 all [installed,automatic] Repro steps: 1. Open Terminal. 2. Execute: wget https://dot.net/v1/dotnet-install.sh chmod +x ./dotnet-install.sh ./dotnet-install.sh -c 5.0 export DOTNET_ROOT=$HOME/.dotnet export PATH=$PATH:$HOME/.dotnet dotnet new console dotnet add package System.Collections.Immutable Expected result: Package restore will succeed. Actual result: Package restore fails with: error: NU3028: Package 'System.Collections.Immutable 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain There has been a planned process to distrust Symantec certificates in the certificate store over the past two years. The Debian ca-certificates package removed this CA for both TLS (expected) and other uses (like timestamping) (unexpected). Trust was added back in a subsequent update. See https://release.debian.org/proposed-updates/stable.html#ca-certificates_20200601~deb10u2 for details. 
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
Version 20210119 in hirsute-proposed fixes this issue.

The Symantec certs were never blacklisted in focal and earlier, so they aren't affected.

This issue does affect Groovy, but even if we removed the blacklist from the ca-certificates package, the certs will still be blacklisted because of Debian bug #743339. We need to investigate how to remove the blacklist in a maintainer script on package upgrade.

** Bug watch added: Debian Bug tracker #962596
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596

** Also affects: ca-certificates (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596
   Importance: Unknown
   Status: Unknown

** Also affects: ca-certificates (Ubuntu Hirsute)
   Importance: Undecided
   Status: Confirmed

** Also affects: ca-certificates (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Changed in: ca-certificates (Ubuntu Groovy)
   Status: New => Confirmed

** Changed in: ca-certificates (Ubuntu Hirsute)
   Status: Confirmed => Fix Committed

** Changed in: ca-certificates (Ubuntu Groovy)
   Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ca-certificates (Ubuntu Groovy)
   Importance: Undecided => High

Status in ca-certificates package in Ubuntu: Fix Committed
Status in ca-certificates source package in Groovy: Confirmed
Status in ca-certificates source package in Hirsute: Fix Committed
Status in ca-certificates package in Debian: Unknown
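The message above says the Symantec certs can stay blacklisted on Groovy even after the package drops its blacklist. As an added example (not from the bug report or the ca-certificates package), this check lists entries still deselected in a ca-certificates.conf-format file, assuming the persisted state shows up there as `!`-prefixed lines; the function names, the sample file and its certificate names are constructed.

```shell
#!/bin/sh
# Audit a ca-certificates.conf-format file for deselected roots.
# Format (from the file's own header): one certificate path per line,
# "#" starts a comment, and a leading "!" deselects the certificate so
# update-ca-certificates leaves it out of the system trust store.
# Assumption: the lingering blacklist discussed above is visible as such lines.

# deselected_certs CONF PATTERN
# Prints each deselected entry whose path matches PATTERN (extended regex,
# case-insensitive) without its "!" prefix.
# Returns 0 when nothing matching is deselected, 1 otherwise.
deselected_certs() {
    conf=$1
    pattern=$2
    # Keep only "!" lines, strip the marker, then filter by pattern.
    found=$(sed -n 's/^!//p' "$conf" | grep -Ei -- "$pattern" || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# write_sample_conf FILE
# Writes a constructed sample; every certificate name is a placeholder.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample in ca-certificates.conf format
mozilla/Example_Other_Root_CA.crt
!mozilla/Example_Symantec_Root_G1.crt
!mozilla/Example_Symantec_Timestamping_Root.crt
mozilla/Example_Symantec_Root_G2.crt
!mozilla/Example_Unrelated_Retired_CA.crt
EOF
}

# Usage on a real system (the pattern is the caller's choice):
#   deselected_certs /etc/ca-certificates.conf 'symantec'
```

A non-zero return after upgrading means matching roots are still left out of the trust store, which is the state in which timestamp chain building fails with UntrustedRoot.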
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
You can find every detail about the NuGet incident here:
https://github.com/NuGet/Announcements/issues/49#issue-795386700

** Bug watch added: github.com/NuGet/Announcements/issues #49
   https://github.com/NuGet/Announcements/issues/49

Status in ca-certificates package in Ubuntu: Confirmed
[Touch-packages] [Bug 1913951] Re: ca-certificates: Symantec CA blacklisted for non-TLS uses
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: ca-certificates (Ubuntu)
   Status: New => Confirmed

Status in ca-certificates package in Ubuntu: Confirmed