CS.txt,update-mscertsign.sh: Add update script for CS.txt now that MS has update CCADB.

This commit is contained in:
DJ Lucas 2021-09-16 18:56:30 -05:00
parent 1ff5a0a672
commit 92dbb064c5
2 changed files with 125 additions and 31 deletions

123
CS.txt
View File

@ -1,4 +1,4 @@
# Mozilla no longer provides any trust information for code signing, opting only Mozilla no longer provides any trust information for code signing, opting only
# to supply VERIFY trust, so that Mozilla neither provides policy, nor removes # to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
# the functionality from NSS. The following list of certificate hashes (already # the functionality from NSS. The following list of certificate hashes (already
# installed as they have TLS trust from Mozilla) are also trusted by Microsoft # installed as they have TLS trust from Mozilla) are also trusted by Microsoft
@ -8,40 +8,101 @@
# See https://www.ccadb.org/ for joint efforts between Google, Microsoft, and # See https://www.ccadb.org/ for joint efforts between Google, Microsoft, and
# Mozilla to create a unified trust store. # Mozilla to create a unified trust store.
# List current as of 2021-08-07 04:30:00 UTC # List current as of Thu 16 Sep 2021 11:54:54 PM UTC.
# Move this list to $SSLDIR and use -i to add code signing trust # Move this list to $SSLDIR and use -i to add code signing trust
02265526 fa5da96b
9482e63a
e35234b1
6869459d
31e28f42
532c5267
a17e7e98
06dc52d5
40193066
0f6fa695
6d41d539
de6d66f3
32888f65
42c52aa6
0e939519
2a8f6cd3
5fa25d3d
7719f463
f51bb24c
9816715c
40547a79
0f5dc4f3
5860aaa6
08063a00
ae1c5a5b
c01eb047
f0c70a8d
0bf05006
6fa5da56
988a38cb
749e9e03
d7e8dc79
064e0aa9 064e0aa9
244b5494 76faf6c0
3513523f e18bfb83
4304c5e5 f3377b1b
442adcac
48bec511
4a6481c9
4bfab552
4f316efb
5ad8a5d6
5cd81ad7
607986c7
653b494a
6b99d060
75d1b2ed
aee5f10d
b1159c4c
b7a5b843
c28a8a30
cbf06781
cd58d51e cd58d51e
d6325660 d6325660
d7e8dc79
dd8e9d41
ee64a828
ef954a4e
f081611a
f30dd6ad
f3377b1b
f387163d f387163d
f39fc864 4bfab552
09789157
fc5a8f99 fc5a8f99
f30dd6ad
6b99d060
aee5f10d
ee64a828
930ac5d2
653b494a
e36a6752
e113c810
ef954a4e
02265526
106f3e4d
442adcac
48bec511
c47d9980
76cb8f92
eed8c118
b1159c4c
9d04f354
3513523f
607986c7
dd8e9d41
244b5494
75d1b2ed
7f3d5d1d
f081611a
cbf06781
1636090b
a8e3405a
062cdee6
5ad8a5d6
1d3472b9
dc4d6a89
8160b96c
b66938e9
f39fc864
4f316efb
9b5697b0
f249de83
d887a5bb
5273a94c
57bcb2da
706f604c
c1ddac89
5e98733a
67e4ca4b
14bc7599
bc1f461c
4b718d9b
fe22bb9d
c1223238
9ccd262b
1c3b872e
a4596d83

33
update-mscertsign.sh Normal file
View File

@ -0,0 +1,33 @@
#!/bin/bash
# Simple script to use Microsoft code signing trust from CCADB
CSURL="https://ccadb-public.secure.force.com/microsoft/IncludedRootsPEMTxtForMSFT?MicrosoftEKUs=Code%20Signing"
rm -f mscertsign.txt CS.txt
wget -O mscertsign.txt ${CSURL}
echo " Mozilla no longer provides any trust information for code signing, opting only
# to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
# the functionality from NSS. The following list of certificate hashes (already
# installed as they have TLS trust from Mozilla) are also trusted by Microsoft
# for code signing. The Microsoft Trusted Root Certificate Program's inclusion
# policy is available for review at:
# https://docs.microsoft.com/en-us/security/trusted-root/program-requirements.
# See https://www.ccadb.org/ for joint efforts between Google, Microsoft, and
# Mozilla to create a unified trust store.
" > CS.txt
date=`date -u`
echo "# List current as of ${date}." >> CS.txt
echo -e "# Move this list to \$SSLDIR and use -i to add code signing trust\n" \
>> CS.txt
startlist=`grep -n "^-----BEGIN" mscertsign.txt | cut -d ":" -f 1`
for certbegin in ${startlist}; do
awk "NR==$certbegin,/^-----END CERTIFICATE-----/" mscertsign.txt \
> ${certbegin}.crt
openssl x509 -noout -in ${certbegin}.crt -hash >> CS.txt
rm ${certbegin}.crt
done
rm -r mscertsign.txt