verify hg.mozilla.org with bundled CA root
Before this, make-ca does not verify the certificate of hg.mozilla.org at all. This makes sense, since make-ca often runs on systems without a trust anchor. But a MITM attacker can easily impersonate hg.mozilla.org and completely hijack the trust anchor of a BLFS system. To improve the situation, we ship the certificate of the CA root for hg.mozilla.org (DigiCert Global Root CA) in the make-ca package, and use it to verify hg.mozilla.org.
This commit is contained in:
parent
3093851fdd
commit
d3562bc2f0
@ -1,3 +1,5 @@
|
|||||||
|
1.11 - Ship certificate of the CA root of hg.mozilla.org and use it for
|
||||||
|
verification
|
||||||
1.10 - Use --filter=ca-anchors for all stores
|
1.10 - Use --filter=ca-anchors for all stores
|
||||||
- Update CS.txt (no changes since last update)
|
- Update CS.txt (no changes since last update)
|
||||||
- Fix installation of systemd timers on non-systemd systems
|
- Fix installation of systemd timers on non-systemd systems
|
||||||
|
7
Makefile
7
Makefile
@ -21,7 +21,8 @@ clean_man:
|
|||||||
rm -f make-ca.8
|
rm -f make-ca.8
|
||||||
chmod 0644 help2man
|
chmod 0644 help2man
|
||||||
|
|
||||||
install: all install_bin install_man install_systemd install_conf install_cs
|
install: all install_bin install_man install_systemd install_conf \
|
||||||
|
install_cs install_mozilla_ca_root
|
||||||
|
|
||||||
install_bin:
|
install_bin:
|
||||||
install -vdm755 $(DESTDIR)$(SBINDIR)
|
install -vdm755 $(DESTDIR)$(SBINDIR)
|
||||||
@ -52,6 +53,10 @@ install_conf:
|
|||||||
install -vdm755 $(DESTDIR)$(ETCDIR)
|
install -vdm755 $(DESTDIR)$(ETCDIR)
|
||||||
install -vm644 make-ca.conf.dist $(DESTDIR)$(ETCDIR)
|
install -vm644 make-ca.conf.dist $(DESTDIR)$(ETCDIR)
|
||||||
|
|
||||||
|
install_mozilla_ca_root:
|
||||||
|
install -vdm755 $(DESTDIR)$(ETCDIR)
|
||||||
|
install -vm644 mozilla-ca-root.pem $(DESTDIR)$(ETCDIR)
|
||||||
|
|
||||||
uninstall:
|
uninstall:
|
||||||
rm -f $(DESTDIR)$(SBINDIR)/make-ca
|
rm -f $(DESTDIR)$(SBINDIR)/make-ca
|
||||||
rm -f $(DESTDIR)$(MANDIR)/man8/make-ca.8
|
rm -f $(DESTDIR)$(MANDIR)/man8/make-ca.8
|
||||||
|
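Review bot: The new `install_mozilla_ca_root` target installs the root into `$(DESTDIR)$(ETCDIR)`, but the `uninstall:` rule shown as context at the end of the section is not updated to remove it, so `make uninstall` leaves `mozilla-ca-root.pem` behind; add `rm -f $(DESTDIR)$(ETCDIR)/mozilla-ca-root.pem` next to the existing `rm -f` lines. The script side hard-codes `/etc/make-ca/mozilla-ca-root.pem`, so this target only lines up if ETCDIR (defined outside the hunk) resolves to `/etc/make-ca`; a comment on the target such as `# path must match MOZILLA_CA_ROOT in make-ca` would make that coupling visible. If the Makefile declares `.PHONY` targets elsewhere, `install_mozilla_ca_root` presumably belongs there as well. The `uninstall` rule continues past the end of the hunk.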
11
make-ca
11
make-ca
@ -11,9 +11,12 @@
|
|||||||
|
|
||||||
shopt -s extglob;
|
shopt -s extglob;
|
||||||
|
|
||||||
VERSION="1.10"
|
VERSION="1.11"
|
||||||
MAKE_CA_CONF="/etc/make-ca.conf"
|
MAKE_CA_CONF="/etc/make-ca.conf"
|
||||||
|
|
||||||
|
# CA root for hg.mozilla.org
|
||||||
|
MOZILLA_CA_ROOT="/etc/make-ca/mozilla-ca-root.pem"
|
||||||
|
|
||||||
# Get/set defaults
|
# Get/set defaults
|
||||||
if test -f "${MAKE_CA_CONF}"; then
|
if test -f "${MAKE_CA_CONF}"; then
|
||||||
. "${MAKE_CA_CONF}"
|
. "${MAKE_CA_CONF}"
|
||||||
@ -658,7 +661,11 @@ if test "${GET}" == "1"; then
|
|||||||
echo -n "Checking for new version of certdata.txt..."
|
echo -n "Checking for new version of certdata.txt..."
|
||||||
HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3)
|
HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3)
|
||||||
_url=$(echo "${URL}" | sed 's@raw-file@log@')
|
_url=$(echo "${URL}" | sed 's@raw-file@log@')
|
||||||
SARGS="-ign_eof -connect ${HOST}:443"
|
SARGS="-ign_eof -connect ${HOST}:443 -verifyCAfile ${MOZILLA_CA_ROOT}"
|
||||||
|
if test -d /etc/ssl/certs; then
|
||||||
|
SARGS="${SARGS} -verifyCApath ${CERTDIR}"
|
||||||
|
fi
|
||||||
|
SARGS="${SARGS} -verify_return_error"
|
||||||
if test "${PROXY}x" != "x"; then
|
if test "${PROXY}x" != "x"; then
|
||||||
SARGS="${SARGS} -proxy ${PROXY}"
|
SARGS="${SARGS} -proxy ${PROXY}"
|
||||||
fi
|
fi
|
||||||
|
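Review bot: The new `if test -d /etc/ssl/certs` guard tests a hard-coded path while the flag it adds passes `${CERTDIR}`, so if CERTDIR (set outside this hunk, presumably via make-ca.conf) points elsewhere the system store is either silently skipped or handed to openssl while the check passed for a different directory; make the condition match the argument: `if test -d "${CERTDIR}"; then`. Separately, `-verifyCAfile ${MOZILLA_CA_ROOT}` names an absolute path the script sets unconditionally, so on a source checkout or an install with a different ETCDIR the file is absent and, as far as I can tell, s_client refuses to load its verify store before it ever connects; a `test -r "${MOZILLA_CA_ROOT}"` check with an explicit error message would turn that into a readable failure. Note also that adding `-verifyCApath ${CERTDIR}` extends trust beyond the bundled DigiCert root to the whole local store that make-ca itself generates, which partly reopens the gap the description sets out to close; if that fallback is intended, a one-line comment saying so would help the next reader. The enclosing `if test "${GET}" == "1"` block starts and ends outside the hunk.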
23
mozilla-ca-root.pem
Normal file
23
mozilla-ca-root.pem
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
-----BEGIN TRUSTED CERTIFICATE-----
|
||||||
|
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
|
||||||
|
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
|
||||||
|
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
|
||||||
|
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
|
||||||
|
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
|
||||||
|
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
|
||||||
|
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
|
||||||
|
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
|
||||||
|
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
|
||||||
|
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
|
||||||
|
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
|
||||||
|
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
|
||||||
|
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
|
||||||
|
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
|
||||||
|
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
|
||||||
|
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
|
||||||
|
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
|
||||||
|
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
|
||||||
|
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
|
||||||
|
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4wLzAUBggrBgEFBQcD
|
||||||
|
BAYIKwYBBQUHAwEMF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENB
|
||||||
|
-----END TRUSTED CERTIFICATE-----
|