From 92dbb064c5c2f87a1b9c977e8a59da36baa8a4f0 Mon Sep 17 00:00:00 2001
From: DJ Lucas
Date: Thu, 16 Sep 2021 18:56:30 -0500
Subject: [PATCH] CS.txt,update-mscertsign.sh: Add update script for CS.txt now that MS has update CCADB.
---
 CS.txt | 123 ++++++++++++++++++++++++++++++++-----------
 update-mscertsign.sh | 33 ++++++++++++
 2 files changed, 125 insertions(+), 31 deletions(-)
 create mode 100644 update-mscertsign.sh
diff --git a/CS.txt b/CS.txt
index a6fca00..d16596d 100644
--- a/CS.txt
+++ b/CS.txt
@@ -1,4 +1,4 @@
-# Mozilla no longer provides any trust information for code signing, opting only
+ Mozilla no longer provides any trust information for code signing, opting only
 # to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
 # the functionality from NSS. The following list of certificate hashes (already
 # installed as they have TLS trust from Mozilla) are also trusted by Microsoft
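Review bot: The new first line of CS.txt has lost its leading `#`, so ` Mozilla no longer provides any trust information…` is no longer a comment and will presumably be treated as a list entry by whatever consumes the file. The same `#` is missing from the `echo " Mozilla no longer…` line in the update-mscertsign.sh hunk below, which generated this file, so the fix belongs there: `echo "# Mozilla no longer provides any trust information for code signing, opting only`. Until the script is corrected, every regeneration of CS.txt will reintroduce the same uncommented line.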
@@ -8,40 +8,101 @@
 # See https://www.ccadb.org/ for joint efforts between Google, Microsoft, and
 # Mozilla to create a unified trust store.
-# List current as of 2021-08-07 04:30:00 UTC
+# List current as of Thu 16 Sep 2021 11:54:54 PM UTC.
 # Move this list to $SSLDIR and use -i to add code signing trust
-02265526
+fa5da96b
+9482e63a
+e35234b1
+6869459d
+31e28f42
+532c5267
+a17e7e98
+06dc52d5
+40193066
+0f6fa695
+6d41d539
+de6d66f3
+32888f65
+42c52aa6
+0e939519
+2a8f6cd3
+5fa25d3d
+7719f463
+f51bb24c
+9816715c
+40547a79
+0f5dc4f3
+5860aaa6
+08063a00
+ae1c5a5b
+c01eb047
+f0c70a8d
+0bf05006
+6fa5da56
+988a38cb
+749e9e03
+d7e8dc79
 064e0aa9
-244b5494
-3513523f
-4304c5e5
-442adcac
-48bec511
-4a6481c9
-4bfab552
-4f316efb
-5ad8a5d6
-5cd81ad7
-607986c7
-653b494a
-6b99d060
-75d1b2ed
-aee5f10d
-b1159c4c
-b7a5b843
-c28a8a30
-cbf06781
+76faf6c0
+e18bfb83
+f3377b1b
 cd58d51e
 d6325660
-d7e8dc79
-dd8e9d41
-ee64a828
-ef954a4e
-f081611a
-f30dd6ad
-f3377b1b
 f387163d
-f39fc864
+4bfab552
+09789157
 fc5a8f99
-
+f30dd6ad
+6b99d060
+aee5f10d
+ee64a828
+930ac5d2
+653b494a
+e36a6752
+e113c810
+ef954a4e
+02265526
+106f3e4d
+442adcac
+48bec511
+c47d9980
+76cb8f92
+eed8c118
+b1159c4c
+9d04f354
+3513523f
+607986c7
+dd8e9d41
+244b5494
+75d1b2ed
+7f3d5d1d
+f081611a
+cbf06781
+1636090b
+a8e3405a
+062cdee6
+5ad8a5d6
+1d3472b9
+dc4d6a89
+8160b96c
+b66938e9
+f39fc864
+4f316efb
+9b5697b0
+f249de83
+d887a5bb
+5273a94c
+57bcb2da
+706f604c
+c1ddac89
+5e98733a
+67e4ca4b
+14bc7599
+bc1f461c
+4b718d9b
+fe22bb9d
+c1223238
+9ccd262b
+1c3b872e
+a4596d83
diff --git a/update-mscertsign.sh b/update-mscertsign.sh
new file mode 100644
index 0000000..ebff4e0
--- /dev/null
+++ b/update-mscertsign.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Simple script to use Microsoft code signing trust from CCADB
+
+CSURL="https://ccadb-public.secure.force.com/microsoft/IncludedRootsPEMTxtForMSFT?MicrosoftEKUs=Code%20Signing"
+
+rm -f mscertsign.txt CS.txt
+wget -O mscertsign.txt ${CSURL}
+
+echo " Mozilla no longer provides any trust information for code signing, opting only
+# to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
+# the functionality from NSS. The following list of certificate hashes (already
+# installed as they have TLS trust from Mozilla) are also trusted by Microsoft
+# for code signing. The Microsoft Trusted Root Certificate Program's inclusion
+# policy is available for review at:
+# https://docs.microsoft.com/en-us/security/trusted-root/program-requirements.
+# See https://www.ccadb.org/ for joint efforts between Google, Microsoft, and
+# Mozilla to create a unified trust store.
+" > CS.txt
+
+date=`date -u`
+echo "# List current as of ${date}." >> CS.txt
+echo -e "# Move this list to \$SSLDIR and use -i to add code signing trust\n" \
+ >> CS.txt
+
+startlist=`grep -n "^-----BEGIN" mscertsign.txt | cut -d ":" -f 1`
+for certbegin in ${startlist}; do
+ awk "NR==$certbegin,/^-----END CERTIFICATE-----/" mscertsign.txt \
+ > ${certbegin}.crt
+ openssl x509 -noout -in ${certbegin}.crt -hash >> CS.txt
+ rm ${certbegin}.crt
+done
+rm -r mscertsign.txt
+
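Review bot: Nothing in the new script checks that `wget -O mscertsign.txt ${CSURL}` succeeded, and the `rm -f mscertsign.txt CS.txt` just before it has already deleted the previous list, so a failed or truncated download (there is no `set -e`, and `wget -O` typically still creates the output file on an HTTP error) produces a CS.txt holding the header and few or no hashes — the code-signing trust list silently shrinks instead of the update failing. Build the new list in a `mktemp -d` directory, stop unless at least one `-----BEGIN` line was fetched, and only `mv` the result over CS.txt at the end; `set -euo pipefail` at the top makes the remaining failures fatal as well. While in there, quote the expansions (`"${CSURL}"`, `"$certbegin"`), use `$(…)` instead of backticks, and feed each certificate to `openssl x509 -noout -hash` on stdin so the per-certificate `.crt` files in the working directory are not needed. Sorting the hashes (`sort -u`) would also keep successive CS.txt updates diffable; the CS.txt hunk above shows the list now comes out in download order rather than sorted as before.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: CSURL …

workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT
wget -O "$workdir/mscertsign.txt" "$CSURL"
# A bundle with no certificates would silently empty the trust list; stop instead.
grep -q '^-----BEGIN' "$workdir/mscertsign.txt"

# … unchanged: header lines, written to "$workdir/CS.txt" instead of CS.txt …

grep -n '^-----BEGIN' "$workdir/mscertsign.txt" | cut -d: -f1 \
  | while read -r certbegin; do
      awk "NR==$certbegin,/^-----END CERTIFICATE-----/" "$workdir/mscertsign.txt" \
        | openssl x509 -noout -hash
    done | sort -u >> "$workdir/CS.txt"

# Replace the old list only after the new one was built completely.
mv -- "$workdir/CS.txt" CS.txt
```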