Added distrusted CAs to the cert bundles. (microsoft#11440)

durgajagadeesh · Dec 18, 2024 · f26ed9c · f26ed9c
1 parent 80d7fe2
commit f26ed9c
Show file tree

Hide file tree

Showing 9 changed files with 350 additions and 21 deletions.
diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json
@@ -11,6 +11,7 @@
     "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
     "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
     "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
+    "certdata.distrusted.txt": "93aebf0f1e5253ed91fe269f7128fdb8b20630ef19558f629c79a8b7eb0ba30d",
     "certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd",
     "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
     "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",

diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec
@@ -6,6 +6,8 @@
 
 %define p11_format_base_bundle ca-bundle.trust.base.p11-kit
 
+%define p11_format_distrusted_bundle ca-bundle.trust.distrusted.p11-kit
+
 %define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit
 
 # List of packages triggering legacy certs generation if 'ca-certificates-legacy'
@@ -45,7 +47,7 @@ Name:           ca-certificates
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
 Epoch:          1
 Version:        %{azl}.0.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -69,6 +71,8 @@ Source21:       certdata.base.txt
 Source22:       bundle2pem.sh
 # The certdata.microsoft.txt is provided by Microsoft's Trusted Root Program.
 Source23:       certdata.microsoft.txt
+# The certdata.distrusted.txt is provided by Microsoft's Trusted Root Program.
+Source24:       certdata.distrusted.txt
 
 BuildRequires:  /bin/ln
 BuildRequires:  asciidoc
@@ -146,6 +150,7 @@ cp -p %{SOURCE20} .
 
 %convert_certdata %{SOURCE21}
 %convert_certdata %{SOURCE23}
+%convert_certdata %{SOURCE24}
 
 #manpage
 cp %{SOURCE10} %{name}/update-ca-trust.8.txt
@@ -186,6 +191,9 @@ install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README
 # Microsoft certs
 %install_bundles %{SOURCE23} %{p11_format_microsoft_bundle}
 
+# Distrusted certs
+%install_bundles %{SOURCE24} %{p11_format_distrusted_bundle}
+
 # TODO: consider to dynamically create the update-ca-trust script from within
 #       this .spec file, in order to have the output file+directory names at once place only.
 install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust
@@ -257,13 +265,16 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle}
 
 %files
+%defattr(-,root,root)
 # Microsoft certs bundle file with trust
 %{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle}
 
 %files base
+%defattr(-,root,root)
 %{_datadir}/pki/ca-trust-source/%{p11_format_base_bundle}
 
 %files shared
+%defattr(-,root,root)
 %license LICENSE
 
 # symlinks for old locations
@@ -307,6 +318,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
 
+# Distrusted CAs
+%{_datadir}/pki/ca-trust-source/%{p11_format_distrusted_bundle}
+
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
@@ -315,15 +329,21 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
 
 %files tools
+%defattr(-,root,root)
 # update/extract tool
 %{_bindir}/update-ca-trust
 
 %{_mandir}/man8/update-ca-trust.8.gz
 
 %files legacy
+%defattr(-,root,root)
 %{_bindir}/bundle2pem.sh
 
 %changelog
+* Wed Dec 11 2024 Pawel Winogrodzki <[email protected]> - 3.0.0-8
+- Update adding Microsoft distrusted CAs.
+- Explicitly set default file ownership to root:root.
+
 * Tue Aug 13 2024 CBL-Mariner Servicing Account <[email protected]> - 3.0.0-7
 - Updating Microsoft trusted root CAs.
 

diff --git a/SPECS/ca-certificates/certdata.distrusted.txt b/SPECS/ca-certificates/certdata.distrusted.txt
diff --git a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec
@@ -3,7 +3,7 @@ Name:           prebuilt-ca-certificates-base
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well.
 Epoch:          1
 Version:        %{azl}.0.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -46,6 +46,9 @@ find %{buildroot} -name README -delete
 %{_sysconfdir}/pki/java/cacerts
 
 %changelog
+* Wed Dec 11 2024 Pawel Winogrodzki <[email protected]> - 3.0.0-8
+- Update adding Microsoft distrusted CAs.
+
 * Tue Aug 13 2024 CBL-Mariner Servicing Account <[email protected]> - 3.0.0-7
 - Making 'Release' match with 'ca-certificates'
 

diff --git a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
@@ -3,7 +3,7 @@ Name:           prebuilt-ca-certificates
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "ca-certificates" package as well.
 Epoch:          1
 Version:        %{azl}.0.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -49,6 +49,9 @@ find %{buildroot} -name README -delete
 %{_sysconfdir}/pki/java/cacerts
 
 %changelog
+* Wed Dec 11 2024 Pawel Winogrodzki <[email protected]> - 3.0.0-8
+- Update adding Microsoft distrusted CAs.
+
 * Tue Aug 13 2024 CBL-Mariner Servicing Account <[email protected]> - 3.0.0-7
 - Making 'Release' match with 'ca-certificates'
 

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -234,10 +234,10 @@ libffi-devel-3.4.4-1.azl3.aarch64.rpm
 libtasn1-4.19.0-1.azl3.aarch64.rpm
 p11-kit-0.25.0-1.azl3.aarch64.rpm
 p11-kit-trust-0.25.0-1.azl3.aarch64.rpm
-ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
-ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
-ca-certificates-base-3.0.0-7.azl3.noarch.rpm
-ca-certificates-3.0.0-7.azl3.noarch.rpm
+ca-certificates-shared-3.0.0-8.azl3.noarch.rpm
+ca-certificates-tools-3.0.0-8.azl3.noarch.rpm
+ca-certificates-base-3.0.0-8.azl3.noarch.rpm
+ca-certificates-3.0.0-8.azl3.noarch.rpm
 dwz-0.14-2.azl3.aarch64.rpm
 unzip-6.0-21.azl3.aarch64.rpm
 python3-3.12.3-5.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -234,10 +234,10 @@ libffi-devel-3.4.4-1.azl3.x86_64.rpm
 libtasn1-4.19.0-1.azl3.x86_64.rpm
 p11-kit-0.25.0-1.azl3.x86_64.rpm
 p11-kit-trust-0.25.0-1.azl3.x86_64.rpm
-ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
-ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
-ca-certificates-base-3.0.0-7.azl3.noarch.rpm
-ca-certificates-3.0.0-7.azl3.noarch.rpm
+ca-certificates-shared-3.0.0-8.azl3.noarch.rpm
+ca-certificates-tools-3.0.0-8.azl3.noarch.rpm
+ca-certificates-base-3.0.0-8.azl3.noarch.rpm
+ca-certificates-3.0.0-8.azl3.noarch.rpm
 dwz-0.14-2.azl3.x86_64.rpm
 unzip-6.0-21.azl3.x86_64.rpm
 python3-3.12.3-5.azl3.x86_64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -37,11 +37,11 @@ bzip2-1.0.8-1.azl3.aarch64.rpm
 bzip2-debuginfo-1.0.8-1.azl3.aarch64.rpm
 bzip2-devel-1.0.8-1.azl3.aarch64.rpm
 bzip2-libs-1.0.8-1.azl3.aarch64.rpm
-ca-certificates-3.0.0-7.azl3.noarch.rpm
-ca-certificates-base-3.0.0-7.azl3.noarch.rpm
-ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm
-ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
-ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
+ca-certificates-3.0.0-8.azl3.noarch.rpm
+ca-certificates-base-3.0.0-8.azl3.noarch.rpm
+ca-certificates-legacy-3.0.0-8.azl3.noarch.rpm
+ca-certificates-shared-3.0.0-8.azl3.noarch.rpm
+ca-certificates-tools-3.0.0-8.azl3.noarch.rpm
 ccache-4.8.3-3.azl3.aarch64.rpm
 ccache-debuginfo-4.8.3-3.azl3.aarch64.rpm
 check-0.15.2-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -38,11 +38,11 @@ bzip2-1.0.8-1.azl3.x86_64.rpm
 bzip2-debuginfo-1.0.8-1.azl3.x86_64.rpm
 bzip2-devel-1.0.8-1.azl3.x86_64.rpm
 bzip2-libs-1.0.8-1.azl3.x86_64.rpm
-ca-certificates-3.0.0-7.azl3.noarch.rpm
-ca-certificates-base-3.0.0-7.azl3.noarch.rpm
-ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm
-ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
-ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
+ca-certificates-3.0.0-8.azl3.noarch.rpm
+ca-certificates-base-3.0.0-8.azl3.noarch.rpm
+ca-certificates-legacy-3.0.0-8.azl3.noarch.rpm
+ca-certificates-shared-3.0.0-8.azl3.noarch.rpm
+ca-certificates-tools-3.0.0-8.azl3.noarch.rpm
 ccache-4.8.3-3.azl3.x86_64.rpm
 ccache-debuginfo-4.8.3-3.azl3.x86_64.rpm
 check-0.15.2-1.azl3.x86_64.rpm