Hi,
I've noticed the ca-certificates package was updated recently, went looking
at the changes, and I have some questions.
The first issue is: which certdata.txt was used? It's supposed to be
downloaded from Mozilla NSS sources, but it doesn't match any released
version.
The second issue is: what are the changes that were made to certdata.txt?
The commit messages and RPM changelogs say the root CA certificate database
was updated thrice to the same version.
Below are the 3 latest updates to certdata.txt used to build the root CA
certificates database in the ca-certificates RPM package for Fedora Rawhide,
from the ca-certificates git repository (file digests are SHA-2 256 truncated
to 12 hexadecimal characters):
- 4a4152aa79bb certdata.txt [commit 3e2443900394 ('Update to CKBI
2.54 from NSS 3.79')]
https://src.fedoraproject.org/rpms/ca-certificates/c/3e2443900394
- fb7f5af4187e certdata.txt [commit d4451d31cd7b ('Update to CKBI
2.54 from NSS 3.79')]
https://src.fedoraproject.org/rpms/ca-certificates/c/d4451d31cd7b
- 18b023a77e5e certdata.txt [commit f6b8f45e836d ('Update to CKBI
2.54 from NSS 3.79')]
https://src.fedoraproject.org/rpms/ca-certificates/c/f6b8f45e836d
The previous package version used the following Mozilla NSS certdata.txt:
- bb36818a81fe certdata.txt [commit 662998d9d75a ('Update to CKBI
2.52 from NSS 3.72')]
https://src.fedoraproject.org/rpms/ca-certificates/c/662998d9d75a
Checking all NSS releases from 3.72 up to the latest from NSS mercurial
repository:
- 9bf3799611fb lib/ckfw/builtins/certdata.txt [tag NSS_3_81_RTM
('Set version numbers to 3.81 final')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_81_RTM
- 9bf3799611fb lib/ckfw/builtins/certdata.txt [tag NSS_3_80_RTM
('Set version numbers to 3.80 final')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_80_RTM
- 34a54d519177 lib/ckfw/builtins/certdata.txt [tag NSS_3_79_RTM
('Set version numbers to 3.79 final')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_79_RTM
- 34a54d519177 lib/ckfw/builtins/certdata.txt [tag NSS_3_78_1_RTM
('Release notes for NSS 3.78.1')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_78_1_RTM
- 34a54d519177 lib/ckfw/builtins/certdata.txt [tag NSS_3_78_RTM
('Set version numbers to 3.78 final')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_78_RTM
- 34a54d519177 lib/ckfw/builtins/certdata.txt [tag NSS_3_77_RTM
('Set version number to 3.77 final')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_77_RTM
- d59c5c83ce7a lib/ckfw/builtins/certdata.txt [tag NSS_3_76_1_RTM
('Release notes for NSS 3.76.1')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_76_1_RTM
- d59c5c83ce7a lib/ckfw/builtins/certdata.txt [tag NSS_3_76_RTM
('Set version numbers to 3.76 final')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_76_RTM
- 187ef9dc2311 lib/ckfw/builtins/certdata.txt [tag NSS_3_75_RTM
('Release notes for NSS 3.75')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_75_RTM
- 187ef9dc2311 lib/ckfw/builtins/certdata.txt [tag NSS_3_74_RTM
('Set version numbers to 3.74 RTM')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_74_RTM
- bb36818a81fe lib/ckfw/builtins/certdata.txt [tag NSS_3_73_1_RTM
('Bug 966856 - mozilla::pkix: support SHA-2...')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_73_1_RTM
- bb36818a81fe lib/ckfw/builtins/certdata.txt [tag NSS_3_73_RTM
('Set version numbers to 3.73 final')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_73_RTM
- bb36818a81fe lib/ckfw/builtins/certdata.txt [tag NSS_3_72_1_RTM
('Bug 966856 - mozilla::pkix: support SHA-2...')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_72_1_RTM
- bb36818a81fe lib/ckfw/builtins/certdata.txt [tag NSS_3_72_RTM
('Set version numbers to 3.72 final')]
https://hg.mozilla.org/projects/nss/rev/NSS_3_72_RTM
Checking every change to NSS's certdata.txt from around NSS 3.70 to
today's tip:
- 9bf3799611fb lib/ckfw/builtins/certdata.txt [commit 9c2cbf14f6a5
('Bug 1759815 - Remove Hellenic Academic 2011...')]
https://hg.mozilla.org/projects/nss/rev/9c2cbf14f6a5
- b39fa9e1d7a4 lib/ckfw/builtins/certdata.txt [commit 9555008fdd1a
('Bug 1770267 - Add E-Tugra Roots...')]
https://hg.mozilla.org/projects/nss/rev/9555008fdd1a
- 855c5457fb00 lib/ckfw/builtins/certdata.txt [commit 6307e75bedce
('Bug 1768970 - Add Certainly Roots...')]
https://hg.mozilla.org/projects/nss/rev/6307e75bedce
- 751a9a328987 lib/ckfw/builtins/certdata.txt [commit 0863d9ec3ece
('Bug 1764392 - Add DigitCert Roots...')]
https://hg.mozilla.org/projects/nss/rev/0863d9ec3ece
- 34a54d519177 lib/ckfw/builtins/certdata.txt [commit f63fb86db692
('Bug 1754890 - Add two D-TRUST 2020...')]
https://hg.mozilla.org/projects/nss/rev/f63fb86db692
- 07e19378e7c1 lib/ckfw/builtins/certdata.txt [commit 1fcbbd7e4f5f
('Bug 1751298 - Add Telia Root CA v2 root...')]
https://hg.mozilla.org/projects/nss/rev/1fcbbd7e4f5f
- 1086fe6b0e58 lib/ckfw/builtins/certdata.txt [commit b722e523d662
('Bug 1751305 - Remove expired explicitly...')]
https://hg.mozilla.org/projects/nss/rev/b722e523d662
- d59c5c83ce7a lib/ckfw/builtins/certdata.txt [commit 7a34cf74b659
('Bug 1679803 - Add SHA256 fingerprint...')]
https://hg.mozilla.org/projects/nss/rev/7a34cf74b659
- 187ef9dc2311 lib/ckfw/builtins/certdata.txt [commit 7554fb4e12af
('Bug 1735407 - Replace Google Trust Services...')]
https://hg.mozilla.org/projects/nss/rev/7554fb4e12af
- 29bc76a60ed4 lib/ckfw/builtins/certdata.txt [commit 47d15f5348ef
('Bug 1735407 - Replace Google Trust Services...')]
https://hg.mozilla.org/projects/nss/rev/47d15f5348ef
- 0849fb84e602 lib/ckfw/builtins/certdata.txt [commit 9634edf97c6e
('Bug 1735407 - Replace Google Trust Services...')]
https://hg.mozilla.org/projects/nss/rev/9634edf97c6e
- e5d281e52345 lib/ckfw/builtins/certdata.txt [commit 6d591d75447b
('Bug 1735407 - Replace Google Trust Services...')]
https://hg.mozilla.org/projects/nss/rev/6d591d75447b
- 4f2c5c40b3a7 lib/ckfw/builtins/certdata.txt [commit 53f589f17c34
('Bug 1735407 - Replace GlobalSign ECC Root CA...')]
https://hg.mozilla.org/projects/nss/rev/53f589f17c34
- 767b6aded06f lib/ckfw/builtins/certdata.txt [commit 7a917bc99059
('Bug 1733560 - Remove Expired Root Certificates...')]
https://hg.mozilla.org/projects/nss/rev/7a917bc99059
- a46776a5d963 lib/ckfw/builtins/certdata.txt [commit 27026e52b449
('Bug 1740807 - Remove Expiring Cybertrust Global...')]
https://hg.mozilla.org/projects/nss/rev/27026e52b449
- 9dc08b38e930 lib/ckfw/builtins/certdata.txt [commit 99e80c98603f
('Bug 1741930 - Add renewed Autoridad de Certificacion...')]
https://hg.mozilla.org/projects/nss/rev/99e80c98603f
- 0b7f59ae2265 lib/ckfw/builtins/certdata.txt [commit 6ef6195adf87
('Bug 1740095 - Add iTrusChina ECC root certificate...')]
https://hg.mozilla.org/projects/nss/rev/6ef6195adf87
- 5004c779600a lib/ckfw/builtins/certdata.txt [commit 71350878e12c
('Bug 1740095 - Add iTrusChina RSA root certificate...')]
https://hg.mozilla.org/projects/nss/rev/71350878e12c
- bce0ef1dc4c5 lib/ckfw/builtins/certdata.txt [commit 7445fee9bab8
('Bug 1738805 - Add ISRG Root X2 root certificate...')]
https://hg.mozilla.org/projects/nss/rev/7445fee9bab8
- 8afe1675b41d lib/ckfw/builtins/certdata.txt [commit 08315e90fb12
('Bug 1733012 - Add Chunghwa Telecom's HiPKI Root...')]
https://hg.mozilla.org/projects/nss/rev/08315e90fb12
- bb36818a81fe lib/ckfw/builtins/certdata.txt [commit ed21a4b608a6
('Bug 1717707 - Add HARICA Client ECC Root CA 2021...')]
https://hg.mozilla.org/projects/nss/rev/ed21a4b608a6
Maybe there were some changes made in Firefox's bundled NSS, from the Mozilla
releases mercurial repository:
- 9bf3799611fb security/nss/lib/ckfw/builtins/certdata.txt [commit
8a140b717695 ('Bug 1773966 - land NSS tip UPGRADE_NSS_RELEASE...')]
https://hg.mozilla.org/releases/mozilla-release/rev/8a140b717695
- 34a54d519177 security/nss/lib/ckfw/builtins/certdata.txt [commit
8cf7b945601f ('Bug 1758579 - land NSS NSS_3_77_BETA1
UPGRADE_NSS_RELEASE...')]
https://hg.mozilla.org/releases/mozilla-release/rev/8cf7b945601f
- d59c5c83ce7a security/nss/lib/ckfw/builtins/certdata.txt [commit
8e3a124602d0 ('Bug 1753980 - land NSS 4a8880ef UPGRADE_NSS_RELEASE...')]
https://hg.mozilla.org/releases/mozilla-release/rev/8e3a124602d0
- 187ef9dc2311 security/nss/lib/ckfw/builtins/certdata.txt [commit
d7c8bc02bda4 ('Bug 1743993 - land NSS 7d4f221b1fff UPGRADE_NSS_RELEASE...')]
https://hg.mozilla.org/releases/mozilla-release/rev/d7c8bc02bda4
- bb36818a81fe security/nss/lib/ckfw/builtins/certdata.txt [commit
330c22fc463e ('Bug 1729163 - land NSS 2199f01d7f1e UPGRADE_NSS_RELEASE...')]
https://hg.mozilla.org/releases/mozilla-release/rev/330c22fc463e
As you can see, the last 3 ca-certificates certdata.txt versions match
*no* NSS certdata.txt, which is suspicious.
In https://fedoraproject.org/wiki/CA-Certificates it is said that since
Fedora 25, there have been no modifications to the upstream root certificates
database. So what happened here?
Unfortunately, neither the ca-certificates commit messages nor the RPM changelog
provide any reason for the differences.
This raises the question of the trust we can have in the update, if the
certdata.txt supposedly imported from Mozilla NSS doesn't match any file
released by Mozilla.
Commit messages (and the RPM changelog) should detail the changes made to
NSS's certdata.txt during the update. And, for the sake of traceability, the
repository, branch, tag and hg commit from which certdata.txt was pulled should
also be part of the commit message (and RPM changelog). (And an empty line
between the commit title and the rest of the commit message would be appreciated,
for git log --oneline usage.)
It should also be noted that the fetch.sh script (most notably check_certs.sh)
does a terrible job of reporting the changes, most notably saying already
present certificates are added.
Regards.
--
Yann Droneaud
OPTEYA
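As an added example (not code from the post, nor the ca-certificates project's own fetch.sh/check_certs.sh), the following Python reads two certdata.txt versions and reports which roots were added, removed or re-issued by CKA_LABEL, alongside the truncated SHA-256 file digest used in the comparison above. The sample certdata.txt content is constructed and its octal bytes are placeholders, not real DER.

```python
import hashlib

def parse_certdata(text: str) -> dict:
    """CKA_LABEL -> attributes of each CKO_CERTIFICATE object (DER blobs as SHA-256 hex)."""
    objects, cur, lines = [], {}, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue                              # comments, blank lines, header
        attr, typ, *rest = line.split(None, 2)    # e.g. CKA_LABEL UTF8 "ISRG Root X2"
        if attr == "CKA_CLASS":                   # every object starts with CKA_CLASS
            if cur: objects.append(cur)
            cur = {}
        if typ == "MULTILINE_OCTAL":              # "\060\202..." lines up to END
            der = bytearray()
            for octal in lines:
                if octal.strip() == "END": break
                der += bytes(int(o, 8) for o in octal.strip().split("\\")[1:])
            cur[attr] = hashlib.sha256(der).hexdigest()
        else:
            cur[attr] = rest[0].strip('"') if rest else ""
    if cur: objects.append(cur)
    return {o["CKA_LABEL"]: o for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}

def diff_certdata(old: str, new: str) -> dict:
    """Root labels added, removed, or re-issued (same label, different DER)."""
    a, b = parse_certdata(old), parse_certdata(new)
    return {"added": sorted(set(b) - set(a)), "removed": sorted(set(a) - set(b)),
            "changed": sorted(l for l in a.keys() & b.keys() if a[l]["CKA_VALUE"] != b[l]["CKA_VALUE"])}

def short_digest(text: str, n: int = 12) -> str:  # truncated SHA-256 of the whole file
    return hashlib.sha256(text.encode()).hexdigest()[:n]

# Constructed sample files: the octal bytes are placeholders, not real DER.
OLD = """BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\002
END
"""
# Newer version: Root A re-issued (new DER), Root B removed, Root C added.
NEW = OLD.replace("\\060\\202\\001", "\\060\\202\\003").replace("Root B", "Root C")
```

Trust objects (CKO_NSS_TRUST) are parsed but filtered out, so a label is only reported once per certificate rather than once per object.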