DJ Lucas
9291cf9319 make-ca.conf.dist: remove link to aurora 2022-12-27 20:12:26 -06:00
DJ Lucas
5fec9b5317 CS.txt: Update to latestest list of Microsoft certs. 2022-12-27 20:10:32 -06:00
DJ Lucas
6eee45ffc9 CHANGELOG: add missing changelog entries. 2022-12-27 20:07:18 -06:00
DJ Lucas
327c7e9306 make-ca{,.conf.dist}: set nss tree to default source and introduce workaround for p11-kit mishandling of nss-{email,server}-distrust-after values. 2022-12-21 23:10:22 -06:00
DJ Lucas
dac19a3cf1 make-ca: Keep upstream formatting and remove Opnessl data 2022-11-25 11:17:50 -06:00
DJ Lucas
10d6241bd2
make-ca: post-release version bump 2022-11-23 10:55:18 -06:00
DJ Lucas
0b408bda43
Update CHANGELOG 2022-11-23 10:06:27 -06:00
DJ Lucas
1528fdd47c
update-mscertsign.sh: Fix ouput error in script 2022-11-23 10:01:26 -06:00
DJ Lucas
55f8847147
Update CS.txt
Fix comment
2022-11-23 09:59:56 -06:00
DJ Lucas
62ce400648
Update CS.txt before release 2022-11-23 09:59:23 -06:00
5 changed files with 170 additions and 97 deletions


@ -1,5 +1,10 @@
1.12 - Remove extraneos output at end of downloaded certdata.txt file
- Work around bug in p11-kit trust extract that allows certificates
with nss-{email,server}-distust after attribute to enter downstream
trust bundles where this attribute is not honored.
1.11 - Ship certificate of the CA root of hg.mozilla.org and use it for
verification
- Update CS.txt (and update-mscertsign.sh)
1.10 - Use --filter=ca-anchors for all stores
- Update CS.txt (no changes since last update)
- Fix installation of systemd timers on non-systemd systems

CS.txt

@ -1,4 +1,4 @@
Mozilla no longer provides any trust information for code signing, opting only
# Mozilla no longer provides any trust information for code signing, opting only
# to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
# the functionality from NSS. The following list of certificate hashes (already
# installed as they have TLS trust from Mozilla) are also trusted by Microsoft
@ -8,101 +8,155 @@
# See https://www.ccadb.org/ for joint efforts between Google, Microsoft, and
# Mozilla to create a unified trust store.
# List current as of Mon 10 Jan 2022 06:03:13 AM UTC.
# List current as of Wed Dec 28 02:08:33 AM UTC 2022.
# Move this list to $SSLDIR and use -i to add code signing trust
fa5da96b
9482e63a
e35234b1
6869459d
31e28f42
532c5267
a17e7e98
06dc52d5
40193066
0f6fa695
6d41d539
de6d66f3
32888f65
42c52aa6
0e939519
2a8f6cd3
5fa25d3d
7719f463
f51bb24c
9816715c
40547a79
0f5dc4f3
5860aaa6
08063a00
ae1c5a5b
c01eb047
f0c70a8d
0bf05006
6fa5da56
988a38cb
749e9e03
d7e8dc79
064e0aa9
76faf6c0
e18bfb83
f3377b1b
cd58d51e
d6325660
f387163d
4bfab552
09789157
fc5a8f99
f30dd6ad
6b99d060
aee5f10d
ee64a828
930ac5d2
653b494a
e36a6752
e113c810
ef954a4e
02265526
106f3e4d
442adcac
48bec511
c47d9980
76cb8f92
eed8c118
b1159c4c
9d04f354
3513523f
607986c7
dd8e9d41
244b5494
75d1b2ed
7f3d5d1d
f081611a
cbf06781
1636090b
a8e3405a
062cdee6
5ad8a5d6
1d3472b9
dc4d6a89
8160b96c
b66938e9
f39fc864
4f316efb
9b5697b0
f249de83
d887a5bb
5273a94c
57bcb2da
706f604c
c1ddac89
5e98733a
67e4ca4b
14bc7599
bc1f461c
4b718d9b
fe22bb9d
c1223238
9ccd262b
1c3b872e
b090df23
9b5697b0
f249de83
d887a5bb
06dc52d5
773e07ad
e868b802
3bde41ac
2ae6433e
8d86cdd1
442adcac
48bec511
f90208f7
c47d9980
fa5da96b
eed8c118
76cb8f92
c28a8a30
d4dae3dd
349f2832
6b99d060
aee5f10d
ca6e4ad9
5273a94c
cb59f961
0c4c9b6c
0f6fa695
6d41d539
b25038e6
4304c5e5
062cdee6
5ad8a5d6
f081611a
cbf06781
1636090b
8160b96c
988a38cb
de6d66f3
32888f65
66445960
5a7722fb
b1b8a7f3
749e9e03
d7e8dc79
064e0aa9
76faf6c0
e18bfb83
b66938e9
18856ac4
f39fc864
f3377b1b
cd58d51e
42c52aa6
8d5d3d65
f387163d
4bfab552
09789157
4f316efb
a8dee976
57bcb2da
6410666e
0e939519
50175b95
c8a1fab4
6869459d
31e28f42
a4596d83
5cd81ad7
5f15c80c
b7a5b843
8eee9575
bf1c0841
dc4d6a89
32085c07
a17e7e98
532c5267
706f604c
9cf09510
7719f463
9d10baaf
1e54e6fa
9816715c
6410666e
40547a79
62edae9d
681e7650
6f2c1157
0f5dc4f3
c01eb047
f0c70a8d
0bf05006
6fa5da56
5860aaa6
08063a00
d6325660
fc5a8f99
f30dd6ad
1d3472b9
ef954a4e
a8e3405a
02265526
106f3e4d
b924cb2f
f7478e2a
b7adedce
b312fe75
fd273ed5
9482e63a
e35234b1
15186b07
e73d606e
ee64a828
a94d09e5
930ac5d2
2b349938
93bc0acc
b727005e
9c8dfbd4
e36a6752
40193066
0b1b94ef
653b494a
b1159c4c
9d04f354
7f3d5d1d
3513523f
607986c7
dd8e9d41
244b5494
75d1b2ed
dc45b0bd
4a6481c9
b0e59380
9ccd262b
fe22bb9d
f51bb24c
c1223238
1c3b872e
e113c810
c01cdfa2
ad088e1d
2a8f6cd3
567da139

make-ca

@ -11,7 +11,7 @@
shopt -s extglob;
VERSION="1.11"
VERSION="1.12"
MAKE_CA_CONF="/etc/make-ca.conf"
# CA root for hg.mozilla.org
@ -40,7 +40,7 @@ else
NSSDB="${PKIDIR}/nssdb"
LOCALDIR="${SSLDIR}/local"
DESTDIR=""
URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
fi
# Some data in the certs have UTF-8 characters
@ -372,6 +372,12 @@ function convert_moz_distrust(){
fi
elif test "${val}" == "MULTILINE_OCTAL"; then
mozsadistrust=`printf $(grep -A1 "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | tail -n1)`
# FIXME - Work around P11-kit breakage
cdate=$(date -u +%y%m%d)
mozsadate=${mozsadistrust::6}
if test ${cdate} -gt ${mozsadate}; then
satrust="p"
fi
else
mozsadistrust="UNKNOWN"
fi
@ -387,6 +393,12 @@ function convert_moz_distrust(){
fi
elif test "${val}" == "MULTILINE_OCTAL"; then
mozsmdistrust=`printf $(grep -A1 "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | tail -n1)`
# FIXME - Work around P11-kit breakage
cdate=$(date -u +%y%m%d)
mozsmdate=${mozsmdistrust::6}
if test ${cdate} -gt ${mozsmdate}; then
smtrust="p"
fi
else
mozsmdistrust="UNKNOWN"
fi
@ -696,9 +708,12 @@ if test "${GET}" == "1"; then
echo -n "Downloading certdata.txt..."
echo GET ${URL} | \
${OPENSSL} s_client ${SARGS} 2> /dev/null >> "${CERTDATA}"
_line=$(( $(grep -n "certdata.txt" "${CERTDATA}" | cut -d ":" -f 1) - 1))
_line=$(( $(grep -n -m 1 "^#$" "${CERTDATA}" | cut -d ":" -f 1) - 1))
sed -e "1,${_line}d" -i "${CERTDATA}"
sed "1i # Revision:${REVISION}" -i "${CERTDATA}"
mv "${CERTDATA}" "${CERTDATA}.tmp"
head -n -33 "${CERTDATA}.tmp" > "${CERTDATA}"
rm "${CERTDATA}.tmp"
echo "done."
fi
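Review bot: `head -n -33 "${CERTDATA}.tmp" > "${CERTDATA}"` removes a fixed number of lines from the tail of the trust-anchor input without checking that what was dropped is really the non-certdata trailer; if the server's response ever grows or shrinks by a line, the script either truncates the last certificate's trust attributes or leaves foreign text in certdata.txt, and nothing fails loudly. Cut at the last line that belongs to certdata instead and abort if the marker is absent, e.g. `_end=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${CERTDATA}.tmp" | tail -n1 | cut -d ":" -f 1)`, `test -n "${_end}" || { echo "certdata.txt end marker not found" >&2; exit 1; }`, `head -n "${_end}" "${CERTDATA}.tmp" > "${CERTDATA}"` — assuming every trust object ends with that attribute, which should be confirmed against a real download before relying on it. The same missing-marker check applies to `_line`, which becomes -1 when no `^#$` line exists and makes the following `sed` fail. The enclosing `if test "${GET}" == "1"` block starts and ends outside the hunk.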


@ -19,15 +19,14 @@ KEYSTORE="${PKIDIR}/tls/java"
NSSDB="${PKIDIR}/nssdb"
LOCALDIR="${SSLDIR}/local"
DESTDIR=""
URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
# Source must be downloaded over https
# Valid urls for download are below
# Default to NSS release branch
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
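Review bot: The comment `# Default to NSS release branch` above the URL list is now wrong: the new default `URL` points at `raw-file/tip` of the `projects/nss` repository, the NSS development head, so the system trust store will pick up root additions and removals before they appear in a released NSS. If tracking tip is the intended policy (the commit message says "set nss tree to default source"), say so in the comment, e.g. `# Default to the NSS development tree (projects/nss tip); use a mozilla-release URL below to follow released NSS only`; if not, the release-branch URL should stay the default. The make-ca script changes the same default in its own hunk, so whichever is chosen, both files and this comment should agree.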


@ -6,7 +6,7 @@ CSURL="https://ccadb-public.secure.force.com/microsoft/IncludedRootsPEMTxtForMSF
rm -f mscertsign.txt CS.txt
wget -O mscertsign.txt ${CSURL}
echo " Mozilla no longer provides any trust information for code signing, opting only
echo "# Mozilla no longer provides any trust information for code signing, opting only
# to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
# the functionality from NSS. The following list of certificate hashes (already
# installed as they have TLS trust from Mozilla) are also trusted by Microsoft