verify hg.mozilla.org with bundled CA root

Before this, make-ca does not verify the certificate of hg.mozilla.org
at all.  It makes sense as make-ca often runs on systems without a trust
anchor.  But, a MIM can easily fake hg.mozilla.org and completely hijack
the trust anchor of a BLFS system.

To improve the situation, we ship the certificate of the CA root for
hg.mozilla.org (DigiCert Global Root CA) in the make-ca package, and use
it to verify hg.mozilla.org.
Xi Ruoyao
2022-01-31 18:52:21 +08:00
parent 3093851fdd
commit d3562bc2f0
4 changed files with 40 additions and 3 deletions

@@ -21,7 +21,8 @@ clean_man:
rm -f make-ca.8
chmod 0644 help2man
install: all install_bin install_man install_systemd install_conf install_cs
install: all install_bin install_man install_systemd install_conf \
install_cs install_mozilla_ca_root
install_bin:
install -vdm755 $(DESTDIR)$(SBINDIR)
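Review bot: the new prerequisite name install_mozilla_ca_root on the install rule, like the file it installs (mozilla-ca-root.pem), reads as if this were a root operated by Mozilla, while the commit message says it is DigiCert Global Root CA, shipped only to verify hg.mozilla.org. Consider a name that states the purpose, or a comment above the install rule saying that this file is the anchor for the download from hg.mozilla.org and is separate from the trust store make-ca generates.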
@@ -52,6 +53,10 @@ install_conf:
install -vdm755 $(DESTDIR)$(ETCDIR)
install -vm644 make-ca.conf.dist $(DESTDIR)$(ETCDIR)
install_mozilla_ca_root:
install -vdm755 $(DESTDIR)$(ETCDIR)
install -vm644 mozilla-ca-root.pem $(DESTDIR)$(ETCDIR)
uninstall:
rm -f $(DESTDIR)$(SBINDIR)/make-ca
rm -f $(DESTDIR)$(MANDIR)/man8/make-ca.8
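Review bot: in the lines shown, uninstall removes make-ca and make-ca.8 but has no matching line for the file that install_mozilla_ca_root places in $(DESTDIR)$(ETCDIR). If uninstall is meant to mirror install, add `rm -f $(DESTDIR)$(ETCDIR)/mozilla-ca-root.pem` there. Since this one file now decides whether the download from hg.mozilla.org is trusted, it would also help to document beside the rule how it is to be replaced if hg.mozilla.org moves to a chain under a different root.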