On Fri, 16 Feb 2024 15:01:34 GMT, Weijun Wang <wei...@openjdk.org> wrote:

> > `security dump-trust-settings -s` returns only predefined root 
> > certificates. KEYCHAINSTORE-ROOT additionally contains installed root 
> > trusted certificates in the system domain
> 
> Are you sure they should be added into this keystore? It looks like all the 
> extra certs in KEYCHAINSTORE-ROOT that are not in `security 
> dump-trust-settings -s` are all inside KEYCHAINSTORE. Maybe that's where they 
> should belong to?

Thank you. You are right. It is better if KEYCHAINSTORE-ROOT contains only 
predefined roots. Unfortunately, SecTrustCopyAnchorCertificates cannot be used 
in this case.

I have updated the patch to read certificates from the 
"/System/Library/Keychains/SystemRootCertificates.keychain" keychain.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/16722#issuecomment-1962117463
