verify hg.mozilla.org with bundled CA root
Before this, make-ca does not verify the certificate of hg.mozilla.org at all. That makes sense, as make-ca often runs on systems without a trust anchor. But a MITM attacker can easily impersonate hg.mozilla.org and completely hijack the trust anchor of a BLFS system. To improve the situation, we ship the certificate of the CA root for hg.mozilla.org (DigiCert Global Root CA) in the make-ca package, and use it to verify hg.mozilla.org.
This commit is contained in:
parent
3093851fdd
commit
d3562bc2f0
@ -1,3 +1,5 @@
1.11 - Ship certificate of the CA root of hg.mozilla.org and use it for
verification
1.10 - Use --filter=ca-anchors for all stores
- Update CS.txt (no changes since last update)
- Fix installation of systemd timers on non-systemd systems
7
Makefile
7
Makefile
@ -21,7 +21,8 @@ clean_man:
rm -f make-ca.8
chmod 0644 help2man
install: all install_bin install_man install_systemd install_conf install_cs
install: all install_bin install_man install_systemd install_conf \
install_cs install_mozilla_ca_root
install_bin:
install -vdm755 $(DESTDIR)$(SBINDIR)
@ -52,6 +53,10 @@ install_conf:
install -vdm755 $(DESTDIR)$(ETCDIR)
install -vm644 make-ca.conf.dist $(DESTDIR)$(ETCDIR)
install_mozilla_ca_root:
install -vdm755 $(DESTDIR)$(ETCDIR)
install -vm644 mozilla-ca-root.pem $(DESTDIR)$(ETCDIR)
uninstall:
rm -f $(DESTDIR)$(SBINDIR)/make-ca
rm -f $(DESTDIR)$(MANDIR)/man8/make-ca.8
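Review bot: The new `install_mozilla_ca_root` target installs the file into `$(DESTDIR)$(ETCDIR)`, but the script's default in the make-ca hunk is the literal path `/etc/make-ca/mozilla-ca-root.pem`; unless ETCDIR is fixed to `/etc/make-ca` elsewhere in the Makefile (not visible here), a build with another ETCDIR puts the root where the script will not look for it, and nothing in the recipe flags the mismatch. Either substitute the installed path into the script at install time or document next to the target that ETCDIR must match MOZILLA_CA_ROOT (which make-ca.conf can override). The visible part of `uninstall` removes only the binary and the man page; if the remainder of that target, which continues outside the hunk, does not already do so, add `rm -f $(DESTDIR)$(ETCDIR)/mozilla-ca-root.pem`. Whether `install_mozilla_ca_root` is listed in `.PHONY` is also not visible in this hunk.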
11
make-ca
11
make-ca
@ -11,9 +11,12 @@
shopt -s extglob;
VERSION="1.10"
VERSION="1.11"
MAKE_CA_CONF="/etc/make-ca.conf"
# CA root for hg.mozilla.org
MOZILLA_CA_ROOT="/etc/make-ca/mozilla-ca-root.pem"
# Get/set defaults
if test -f "${MAKE_CA_CONF}"; then
. "${MAKE_CA_CONF}"
@ -658,7 +661,11 @@ if test "${GET}" == "1"; then
echo -n "Checking for new version of certdata.txt..."
HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3)
_url=$(echo "${URL}" | sed 's@raw-file@log@')
SARGS="-ign_eof -connect ${HOST}:443"
SARGS="-ign_eof -connect ${HOST}:443 -verifyCAfile ${MOZILLA_CA_ROOT}"
if test -d /etc/ssl/certs; then
SARGS="${SARGS} -verifyCApath ${CERTDIR}"
fi
SARGS="${SARGS} -verify_return_error"
if test "${PROXY}x" != "x"; then
SARGS="${SARGS} -proxy ${PROXY}"
fi
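Review bot: The new `-verifyCAfile ${MOZILLA_CA_ROOT}` on the SARGS line makes s_client check that the server's chain leads to the bundled root, but with no `-verify_hostname ${HOST}` in SARGS, s_client does not check that the presented certificate is for `${HOST}` at all, so a certificate for any other name issued under DigiCert Global Root CA (or under any root in `${CERTDIR}`, which the following lines still add whenever /etc/ssl/certs exists) passes `-verify_return_error`; that is the impersonation the commit description sets out to stop. Suggest `SARGS="-ign_eof -connect ${HOST}:443 -verifyCAfile ${MOZILLA_CA_ROOT} -verify_hostname ${HOST}"`. Note also that the bundled root is only added alongside the system store on the `-verifyCApath` line, so on systems that already have /etc/ssl/certs the pin does not narrow trust; if pinning is the intent, add the system path only when the bundled file is absent. The enclosing `if test "${GET}" == "1"` block and the later s_client invocation that consumes SARGS are outside the hunk.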
23
mozilla-ca-root.pem
Normal file
23
mozilla-ca-root.pem
Normal file
@ -0,0 +1,23 @@
-----BEGIN TRUSTED CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4wLzAUBggrBgEFBQcD
BAYIKwYBBQUHAwEMF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENB
-----END TRUSTED CERTIFICATE-----