Age | Commit message | Author | Files | Lines
2020-06-02 | Revert "blacklist: distrust Symantec Root CAs" [20200603] | Max Rees | 1 | -24/+0
As of this writing there are still large service providers still using GeoTrust-based certificates, such as Apple Mail:

Certificate chain
 0 s:CN = imap.mail.me.com, OU = management:idms.group.859635, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
 2 s:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA

This reverts commit 4023193aac8706830d99720de6628cc0d8eabd84.
2020-06-02 | update-ca-certificates.8: further fixes | Max Rees | 1 | -3/+0
* Remove [ options ]
* There is no c_rehash manpage yet, so don't mention it.
2020-06-02 | Bump version to 20200603 | Max Rees | 1 | -1/+1
2020-06-02 | Add machinery to detect expired certificates | Max Rees | 2 | -5/+39
2020-06-02 | blacklist: distrust Symantec Root CAs | Max Rees | 1 | -0/+24
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911289
2020-06-02 | blacklist: silence untrusted errors | Max Rees | 1 | -0/+12
When certdata2pem is run, it checks whether certificates are marked as untrusted. If they are, it excludes them but emits a loud warning that they were not explicitly blacklisted. Silence this warning by explicitly blacklisting them.
2020-06-02 | blacklist: remove old DigiNotar entry | Max Rees | 1 | -2/+0
This certificate no longer exists in certdata.txt.
2020-06-02 | update-ca-certificates.8: remove unsupported options | Max Rees | 1 | -11/+0
2020-06-02 | update-ca: insert newline between certs | Natanael Copa | 1 | -1/+2
There may be certificates that lack a trailing newline, which is allowed in the certificate format. We work around that by injecting a newline after each cert.

See https://gitlab.alpinelinux.org/alpine/aports/issues/8379
2020-06-02 | update-ca: fix compiler warning | Natanael Copa | 1 | -1/+1
2020-06-02 | update-ca: fix build with newer musl | Natanael Copa | 1 | -1/+1
musl removed SYMLINK_MAX define[1]. Use PATH_MAX instead for symlink target.

[1]: http://git.musl-libc.org/cgit/musl/commit/?id=767f7a1091af3a3dcee2f7a49d0713359a81961c
2020-06-02 | Update Mozilla CA bundle to 2.40 (nss 2.53) | Max Rees | 1 | -1271/+1153
2020-06-02 | Remove email-only roots from mozilla trust store | Jacob Hoffman-Andrews | 1 | -2/+0
These roots are trusted in the Mozilla program only for S/MIME, so should not be included in ca-certificates, which most applications use to validate TLS certificates.

Per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721976, the only MUAs that depend on or suggest ca-certificates are Mutt and Sylpheed. Sylpheed doesn't use ca-certificates for S/MIME. Mutt does, but I think it is still safe to remove these because:

(a) S/MIME is relatively uncommon, and
(b) The CAs that have both TLS and S/MIME bits will continue to work, and
(c) Nearly all of the 12 removed email-only CAs have ceased operation of their email certificate services

Verisign Class 1 Public Primary Certification Authority - G3
Verisign Class 2 Public Primary Certification Authority - G3
UTN USERFirst Email Root CA
SwissSign Platinum CA - G2
AC Raiz Certicamara S.A.
TC TrustCenter Class 3 CA II
ComSign CA
S-TRUST Universal Root CA
Symantec Class 1 Public Primary Certification Authority - G6
Symantec Class 2 Public Primary Certification Authority - G6
Symantec Class 1 Public Primary Certification Authority - G4
Symantec Class 2 Public Primary Certification Authority - G4
2019-03-07 | Update certdata.txt from NSS 3.42.1 [20190131] | A. Wilcox | 1 | -1158/+1873
2018-06-24 | Add readme and license files [20180411] | A. Wilcox | 2 | -0/+40
2018-06-24 | Update for 20180411 | A. Wilcox | 3 | -6184/+1285
Remove WoSign from blacklist since the certs themselves are gone. Update certdata.txt from NSS upstream. Update VERSION file for new release.
2017-11-14 | === release 20171114 === [20171114] | William Pitcock | 1 | -1/+1
2017-11-14 | update-ca: remove arbitrary symlink restrictions on local cert dir, entirely ↵ | William Pitcock | 1 | -26/+3
pointless
2017-08-02 | === release 20170801 === [20170801] | William Pitcock | 1 | -0/+1
2017-08-02 | add generic build infrastructure | William Pitcock | 2 | -0/+38
2017-08-02 | Add additional data from Alpineized ca-certificates package. | William Pitcock | 4 | -0/+965
2017-07-31 | import ca-certificates 20170726 data [20170726] | William Pitcock | 2 | -0/+27898