Version 20210119 in hirsute-proposed fixes this issue.

The Symantec certs were never blacklisted in focal and earlier, so they
aren't affected.

This issue does affect Groovy, but even if we removed the blacklist from
the ca-certificates package, the certs will still be blacklisted because
of Debian bug #743339. We need to investigate how to remove the
blacklist in a maintainer script on package upgrade.

** Bug watch added: Debian Bug tracker #962596
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596

** Also affects: ca-certificates (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596
   Importance: Unknown
       Status: Unknown

** Also affects: ca-certificates (Ubuntu Hirsute)
   Importance: Undecided
       Status: Confirmed

** Also affects: ca-certificates (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Changed in: ca-certificates (Ubuntu Groovy)
       Status: New => Confirmed

** Changed in: ca-certificates (Ubuntu Hirsute)
       Status: Confirmed => Fix Committed

** Changed in: ca-certificates (Ubuntu Groovy)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ca-certificates (Ubuntu Groovy)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1913951

Title:
  ca-certificates:  Symantec CA blacklisted for non-TLS uses

Status in ca-certificates package in Ubuntu:
  Fix Committed
Status in ca-certificates source package in Groovy:
  Confirmed
Status in ca-certificates source package in Hirsute:
  Fix Committed
Status in ca-certificates package in Debian:
  Unknown

Bug description:
  ~$ lsb_release -rd
  Description:  Ubuntu 20.10
  Release:      20.10
  ~$ apt list --installed | grep ca-certificates

  WARNING: apt does not have a stable CLI interface. Use with caution in
  scripts.

  ca-certificates/groovy-updates,groovy-security,now
  20201027ubuntu0.20.10.1 all [installed,automatic]

  
  Repro steps:

  1.  Open Terminal.
  2.  Execute:

    wget https://dot.net/v1/dotnet-install.sh
    chmod +x ./dotnet-install.sh
    ./dotnet-install.sh -c 5.0
    export DOTNET_ROOT=$HOME/.dotnet
    export PATH=$PATH:$HOME/.dotnet
    dotnet new console
    dotnet add package System.Collections.Immutable

  Expected result:
    Package restore will succeed.

  Actual result:
    Package restore fails with:

    error: NU3028: Package 'System.Collections.Immutable 5.0.0' from
  source 'https://api.nuget.org/v3/index.json': The author primary
  signature's timestamp found a chain building issue: UntrustedRoot:
  self signed certificate in certificate chain

  
  There has been a planned process to distrust Symantec certificates in the
  certificate store over the past two years.  The Debian ca-certificates
  package removed this CA for both TLS (expected) and other uses (like
  timestamping) (unexpected).  Trust was added back in a subsequent update.
  See
  https://release.debian.org/proposed-updates/stable.html#ca-certificates_20200601~deb10u2
  for details.
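
A local check related to the report above, as an added example that is not part of the bug report or of the ca-certificates package: it lists Symantec-family entries that are deselected ("!"-prefixed) in a file in /etc/ca-certificates.conf format. It assumes the blacklisting shows up as deselected entries in that file; the function names, the brand pattern and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: find CA entries of the Symantec family that are deselected
# in a ca-certificates.conf-format file. In that format "#" starts a comment,
# a leading "!" deselects a certificate, and any other line is a trusted one.

# Brand names matched case-insensitively (assumption: adjust to your needs).
SYMANTEC_PATTERN='symantec|verisign|geotrust|thawte'

# list_deselected CONF [PATTERN]
# Prints deselected entries matching PATTERN, without the leading "!".
list_deselected() {
    sed -n 's/^!//p' "$1" | grep -Ei -- "${2:-$SYMANTEC_PATTERN}" || true
}

# list_selected CONF [PATTERN]
# Prints entries matching PATTERN that are still selected (trusted).
list_selected() {
    grep -Ev '^[#!]|^[[:space:]]*$' "$1" \
        | grep -Ei -- "${2:-$SYMANTEC_PATTERN}" || true
}

# Constructed sample input; the entries are illustrative, not from a real host.
sample_conf() {
    cat <<'EOF'
# Constructed sample in ca-certificates.conf format
mozilla/DigiCert_Global_Root_CA.crt
!mozilla/GeoTrust_Global_CA.crt
!mozilla/VeriSign_Universal_Root_Certification_Authority.crt
mozilla/thawte_Primary_Root_CA.crt
!mozilla/Some_Other_Deselected_CA.crt
EOF
}

# report CONF: summary of both lists for one file.
report() {
    echo "Deselected Symantec-family entries in $1:"
    list_deselected "$1" | sed 's/^/  /'
    echo "Selected Symantec-family entries in $1:"
    list_selected "$1" | sed 's/^/  /'
}

# Demonstration on the constructed sample.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
report "$demo_conf"
rm -f "$demo_conf"
```

To inspect a real system, call `report /etc/ca-certificates.conf` instead of the demonstration at the end.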
