make-ca.conf.dist: remove link to aurora

Fix comment

CHANGELOG

@@ -1,5 +1,10 @@
+1.12     - Remove extraneos output at end of downloaded certdata.txt file
+         - Work around bug in p11-kit trust extract that allows certificates
+           with nss-{email,server}-distust after attribute to enter downstream
+           trust bundles where this attribute is not honored.
 1.11     - Ship certificate of the CA root of hg.mozilla.org and use it for
            verification
+         - Update CS.txt (and update-mscertsign.sh)
 1.10     - Use --filter=ca-anchors for all stores
          - Update CS.txt (no changes since last update)
          - Fix installation of systemd timers on non-systemd systems

CS.txt

@@ -1,4 +1,4 @@
- Mozilla no longer provides any trust information for code signing, opting only
+# Mozilla no longer provides any trust information for code signing, opting only
 # to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
 # the functionality from NSS. The following list of certificate hashes (already
 # installed as they have TLS trust from Mozilla) are also trusted by Microsoft
@@ -8,101 +8,155 @@
 # See https://www.ccadb.org/ for joint efforts between Google, Microsoft, and
 # Mozilla to create a unified trust store.
 
-# List current as of Mon 10 Jan 2022 06:03:13 AM UTC.
+# List current as of Wed Dec 28 02:08:33 AM UTC 2022.
 # Move this list to $SSLDIR and use -i to add code signing trust
 
-fa5da96b
-9482e63a
-e35234b1
-6869459d
-31e28f42
-532c5267
-a17e7e98
-06dc52d5
-40193066
-0f6fa695
-6d41d539
-de6d66f3
-32888f65
-42c52aa6
-0e939519
-2a8f6cd3
-5fa25d3d
-7719f463
-f51bb24c
-9816715c
-40547a79
-0f5dc4f3
-5860aaa6
-08063a00
-ae1c5a5b
-c01eb047
-f0c70a8d
-0bf05006
-6fa5da56
-988a38cb
-749e9e03
-d7e8dc79
-064e0aa9
-76faf6c0
-e18bfb83
-f3377b1b
-cd58d51e
-d6325660
-f387163d
-4bfab552
-09789157
-fc5a8f99
-f30dd6ad
-6b99d060
-aee5f10d
-ee64a828
-930ac5d2
-653b494a
-e36a6752
-e113c810
-ef954a4e
-02265526
-106f3e4d
-442adcac
-48bec511
-c47d9980
-76cb8f92
-eed8c118
-b1159c4c
-9d04f354
-3513523f
-607986c7
-dd8e9d41
-244b5494
-75d1b2ed
-7f3d5d1d
-f081611a
-cbf06781
-1636090b
-a8e3405a
-062cdee6
-5ad8a5d6
-1d3472b9
-dc4d6a89
-8160b96c
-b66938e9
-f39fc864
-4f316efb
-9b5697b0
-f249de83
-d887a5bb
-5273a94c
-57bcb2da
-706f604c
 c1ddac89
 5e98733a
 67e4ca4b
 14bc7599
 bc1f461c
 4b718d9b
-fe22bb9d
-c1223238
-9ccd262b
-1c3b872e
+b090df23
+9b5697b0
+f249de83
+d887a5bb
+06dc52d5
+773e07ad
+e868b802
+3bde41ac
+2ae6433e
+8d86cdd1
+442adcac
+48bec511
+f90208f7
+c47d9980
+fa5da96b
+eed8c118
+76cb8f92
+c28a8a30
+d4dae3dd
+349f2832
+6b99d060
+aee5f10d
+ca6e4ad9
+5273a94c
+cb59f961
+0c4c9b6c
+0f6fa695
+6d41d539
+b25038e6
+4304c5e5
+062cdee6
+5ad8a5d6
+f081611a
+cbf06781
+1636090b
+8160b96c
+988a38cb
+de6d66f3
+32888f65
+66445960
+5a7722fb
+b1b8a7f3
+749e9e03
+d7e8dc79
+064e0aa9
+76faf6c0
+e18bfb83
+b66938e9
+18856ac4
+f39fc864
+f3377b1b
+cd58d51e
+42c52aa6
+8d5d3d65
+f387163d
+4bfab552
+09789157
+4f316efb
+a8dee976
+57bcb2da
+6410666e
+0e939519
+50175b95
+c8a1fab4
+6869459d
+31e28f42
 a4596d83
+5cd81ad7
+5f15c80c
+b7a5b843
+8eee9575
+bf1c0841
+dc4d6a89
+32085c07
+a17e7e98
+532c5267
+706f604c
+9cf09510
+7719f463
+9d10baaf
+1e54e6fa
+9816715c
+6410666e
+40547a79
+62edae9d
+681e7650
+6f2c1157
+0f5dc4f3
+c01eb047
+f0c70a8d
+0bf05006
+6fa5da56
+5860aaa6
+08063a00
+d6325660
+fc5a8f99
+f30dd6ad
+1d3472b9
+ef954a4e
+a8e3405a
+02265526
+106f3e4d
+b924cb2f
+f7478e2a
+b7adedce
+b312fe75
+fd273ed5
+9482e63a
+e35234b1
+15186b07
+e73d606e
+ee64a828
+a94d09e5
+930ac5d2
+2b349938
+93bc0acc
+b727005e
+9c8dfbd4
+e36a6752
+40193066
+0b1b94ef
+653b494a
+b1159c4c
+9d04f354
+7f3d5d1d
+3513523f
+607986c7
+dd8e9d41
+244b5494
+75d1b2ed
+dc45b0bd
+4a6481c9
+b0e59380
+9ccd262b
+fe22bb9d
+f51bb24c
+c1223238
+1c3b872e
+e113c810
+c01cdfa2
+ad088e1d
+2a8f6cd3
+567da139

make-ca

@@ -11,7 +11,7 @@
 
 shopt -s extglob;
 
-VERSION="1.11"
+VERSION="1.12"
 MAKE_CA_CONF="/etc/make-ca.conf"
 
 # CA root for hg.mozilla.org
@@ -40,7 +40,7 @@ else
     NSSDB="${PKIDIR}/nssdb"
     LOCALDIR="${SSLDIR}/local"
     DESTDIR=""
-    URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
+    URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
 fi
 
 # Some data in the certs have UTF-8 characters
@@ -372,6 +372,12 @@ function convert_moz_distrust(){
     fi
   elif test "${val}" == "MULTILINE_OCTAL"; then
     mozsadistrust=`printf $(grep -A1 "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | tail -n1)`
+    # FIXME - Work around P11-kit breakage
+    cdate=$(date -u +%y%m%d)
+    mozsadate=${mozsadistrust::6}
+    if test ${cdate} -gt ${mozsadate}; then
+      satrust="p"
+    fi
   else
     mozsadistrust="UNKNOWN"
   fi
@@ -387,6 +393,12 @@ function convert_moz_distrust(){
     fi
   elif test "${val}" == "MULTILINE_OCTAL"; then
     mozsmdistrust=`printf $(grep -A1 "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | tail -n1)`
+    # FIXME - Work around P11-kit breakage
+    cdate=$(date -u +%y%m%d)
+    mozsmdate=${mozsmdistrust::6}
+    if test ${cdate} -gt ${mozsmdate}; then
+      smtrust="p"
+    fi
   else
     mozsmdistrust="UNKNOWN"
   fi
@@ -696,9 +708,12 @@ if test "${GET}" == "1"; then
   echo -n "Downloading certdata.txt..."
   echo GET ${URL} | \
   ${OPENSSL} s_client ${SARGS} 2> /dev/null >> "${CERTDATA}"
-  _line=$(( $(grep -n "certdata.txt" "${CERTDATA}" | cut -d ":" -f 1) - 1))
+  _line=$(( $(grep -n -m 1 "^#$" "${CERTDATA}" | cut -d ":" -f 1) - 1))
   sed -e "1,${_line}d" -i "${CERTDATA}"
   sed "1i # Revision:${REVISION}" -i "${CERTDATA}"
+  mv "${CERTDATA}" "${CERTDATA}.tmp"
+  head -n -33 "${CERTDATA}.tmp" > "${CERTDATA}"
+  rm "${CERTDATA}.tmp"
   echo "done."
 fi
 

make-ca.conf.dist

@@ -19,15 +19,14 @@ KEYSTORE="${PKIDIR}/tls/java"
 NSSDB="${PKIDIR}/nssdb"
 LOCALDIR="${SSLDIR}/local"
 DESTDIR=""
-URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
+URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
 
 # Source must be downloaded over https
 # Valid urls for download are below
 # Default to NSS release branch
 
-# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 # https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt
+# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 # https://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 # https://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
-# https://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 

update-mscertsign.sh

@@ -6,7 +6,7 @@ CSURL="https://ccadb-public.secure.force.com/microsoft/IncludedRootsPEMTxtForMSF
 rm -f mscertsign.txt CS.txt
 wget -O mscertsign.txt ${CSURL}
 
-echo " Mozilla no longer provides any trust information for code signing, opting only
+echo "# Mozilla no longer provides any trust information for code signing, opting only
 # to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
 # the functionality from NSS. The following list of certificate hashes (already
 # installed as they have TLS trust from Mozilla) are also trusted by Microsoft