Commits · main · Adélie Linux / ca-certificates

22 Apr, 2022 1 commit
- Update certificate data to 20220331 · a735520e
  A. Wilcox authored Apr 21, 2022
```
NSS 3.77
```
  a735520e
16 Jun, 2020 1 commit
- Merge branch '20200603' into 'master' · 256ed96a
  Max Rees authored Jun 16, 2020
```
Bump to 20200603

See merge request !1
```
  256ed96a
03 Jun, 2020 13 commits

Revert "blacklist: distrust Symantec Root CAs" · 1bb1c32d

Max Rees authored Jun 02, 2020

As of this writing there are still large service providers still using
GeoTrust-based certificates, such as Apple Mail:

Certificate chain
 0 s:CN = imap.mail.me.com, OU = management:idms.group.859635, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
 2 s:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA

This reverts commit 4023193a.

1bb1c32d

update-ca-certificates.8: further fixes · bbe11682
Max Rees authored Jun 02, 2020
```
* Remove [ options ]
* There is no c_rehash manpage yet, so don't mention it.
```
bbe11682
Bump version to 20200603 · 1fcd3d9e
Max Rees authored Jun 02, 2020

1fcd3d9e
Add machinery to detect expired certificates · 86080304
Max Rees authored Jun 02, 2020

86080304
blacklist: distrust Symantec Root CAs · 4023193a
Max Rees authored Jun 02, 2020
```
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911289
```
4023193a

blacklist: silence untrusted errors · a4c6115d

Max Rees authored Jun 02, 2020

When certdata2pem is run, it checks whether certificates are marked as
untrusted. If they are, it excludes them but emits a loud warning that
they were not explicitly blacklisted.

Silence this warning by explicitly blacklisting them.

a4c6115d

blacklist: remove old DigiNotar entry · 11bdc29e
Max Rees authored Jun 02, 2020
```
This certificate no longer exists in certdata.txt.
```
11bdc29e
update-ca-certificates.8: remove unsupported options · 9bcd058a
Max Rees authored Jun 02, 2020

9bcd058a

update-ca: insert newline between certs · b0da9ea5

Natanael Copa authored Feb 05, 2020 and

Max Rees committed Jun 02, 2020

There may be certificates that lack a trailing newline, which is allowed
in the certificate format. We work around that by inject a newline after
each cert.

see https://gitlab.alpinelinux.org/alpine/aports/issues/8379

b0da9ea5

update-ca: fix compiler warning · 4d132ee3
Natanael Copa authored Feb 05, 2020 and Max Rees committed Jun 02, 2020

4d132ee3

update-ca: fix build with newer musl · 4bf07639

Natanael Copa authored Sep 24, 2018 and

Max Rees committed Jun 02, 2020

musl removed SYMLINK_MAX define[1]. Use PATH_MAX instead for symlink
target.

[1]: http://git.musl-libc.org/cgit/musl/commit/?id=767f7a1091af3a3dcee2f7a49d0713359a81961c

4bf07639

Update Mozilla CA bundle to 2.40 (nss 2.53) · af90437e
Max Rees authored Jun 02, 2020

af90437e

Remove email-only roots from mozilla trust store · a27f4564

Jacob Hoffman-Andrews authored Mar 20, 2017 and

Max Rees committed Jun 02, 2020

These roots are trusted in the Mozilla program only for S/MIME, so should not be
included in ca-certificates, which most applications use to validate TLS
certificates.

Per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721976, the only MUAs that
depend on or suggest ca-certificates are Mutt and Sylpheed. Sylpheed doesn't use
ca-certificates for S/MIME. Mutt does, but I think it is still safe to remove
thes because:

  (a) S/MIME is relatively uncommon, and
  (b) The CAs that have both TLS and S/MIME bits will continue to work, and
  (c) Nearly all of the 12 removed email-only CAs have ceased operation of their
      email certificate services

Verisign Class 1 Public Primary Certification Authority - G3
Verisign Class 2 Public Primary Certification Authority - G3
UTN USERFirst Email Root CA
SwissSign Platinum CA - G2
AC Raiz Certicamara S.A.
TC TrustCenter Class 3 CA II
ComSign CA
S-TRUST Universal Root CA
Symantec Class 1 Public Primary Certification Authority - G6
Symantec Class 2 Public Primary Certification Authority - G6
Symantec Class 1 Public Primary Certification Authority - G4
Symantec Class 2 Public Primary Certification Authority - G4

a27f4564

08 Mar, 2019 1 commit
- Update certdata.txt from NSS 3.42.1 · 9f002a55
  A. Wilcox authored Mar 07, 2019
  
  9f002a55
25 Jun, 2018 2 commits

Add readme and license files · 1eb1303d
A. Wilcox authored Jun 24, 2018

1eb1303d

Update for 20180411 · 28a7a0bc

A. Wilcox authored Jun 24, 2018

Remove WoSign from blacklist since the certs themselves are gone.

Update certdata.txt from NSS upstream.

Update VERSION file for new release.

28a7a0bc

14 Nov, 2017 2 commits
- === release 20171114 === · 2133dc84
  Ariadne Conill authored Nov 14, 2017
  
  2133dc84
- update-ca: remove arbitrary symlink restrictions on local cert dir, entirely pointless · 69215d70
  Ariadne Conill authored Nov 14, 2017
  
  69215d70
02 Aug, 2017 3 commits
- === release 20170801 === · d71632c2
  Ariadne Conill authored Aug 02, 2017
  
  d71632c2
- add generic build infrastructure · dfe832ba
  Ariadne Conill authored Aug 02, 2017
  
  dfe832ba
- Add additional data from Alpineized ca-certificates package. · c17d7322
  Ariadne Conill authored Aug 02, 2017
  
  c17d7322
31 Jul, 2017 1 commit
- import ca-certificates 20170726 data · db98f6b8
  Ariadne Conill authored Jul 31, 2017
  
  db98f6b8