Accepting request 1268602 from Base:System

- reenable the distrusted certs again. the distrust is only for certs
  issued after the distrust date, not for all certs of a CA.
  remove: remove-distrusted.patch

OBS-URL: https://build.opensuse.org/request/show/1268602
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ca-certificates-mozilla?expand=0&rev=69

ca-certificates-mozilla-prebuilt.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Feb  4 15:48:48 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- test for a concretely missing certificate rather than
+  just the directory, as the latter is now also provided by
+  openssl-3
+
 -------------------------------------------------------------------
 Thu Aug  8 12:16:30 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
 

ca-certificates-mozilla-prebuilt.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ca-certificates-mozilla-prebuilt
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -71,7 +71,7 @@ echo "C /var/lib/ca-certificates" > %{buildroot}%{_tmpfilesdir}/%{name}.conf
 if [ -z "${TRANSACTIONAL_UPDATE}" ]; then
   if [ -x /usr/bin/systemd-tmpfiles ]; then
     /usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/ca-certificates-mozilla-prebuilt.conf || :
-  elif [ -x /bin/cp ] && [ ! -e /var/lib/ca-certificates ]; then
+  elif [ -x /bin/cp ] && [ ! -e /var/lib/ca-certificates/openssl/002c0b4f.0 ]; then
     /bin/cp -as /usr/share/factory/var/lib/ca-certificates /var/lib || :
   fi
 fi

ca-certificates-mozilla.changes

@@ -1,3 +1,73 @@
+-------------------------------------------------------------------
+Fri Apr 11 10:42:18 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- reenable the distrusted certs again. the distrust is only for certs
+  issued after the distrust date, not for all certs of a CA.
+  remove: remove-distrusted.patch
+
+-------------------------------------------------------------------
+Mon Mar 31 11:42:58 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- explit remove distruted certs, as the distrust does not get exported
+  correctly and the SSL certs are still trusted. (bsc#1240343)
+  - Entrust.net Premium 2048 Secure Server CA
+  - Entrust Root Certification Authority
+  - AffirmTrust Commercial
+  - AffirmTrust Networking
+  - AffirmTrust Premium
+  - AffirmTrust Premium ECC
+  - Entrust Root Certification Authority - G2
+  - Entrust Root Certification Authority - EC1
+  - GlobalSign Root E46
+  - GLOBALTRUST 2020
+- remove-distrusted.patch: apply to certdata.txt
+
+-------------------------------------------------------------------
+Tue Mar 25 09:45:30 UTC 2025 - Elisei Roca <eroca@suse.com>
+
+- Fix awk to compare (missing a =) and give the following output:
+  # NSS_BUILTINS_LIBRARY_VERSION "2.74"
+
+-------------------------------------------------------------------
+Tue Mar 25 08:11:46 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- pass file argument to awk (bsc#1240009)
+
+-------------------------------------------------------------------
+Tue Feb  4 15:24:38 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.74 state of Mozilla SSL root CAs:
+  Removed:
+  * SwissSign Silver CA - G2
+  Added:
+  * D-TRUST BR Root CA 2 2023
+  * D-TRUST EV Root CA 2 2023
+
+-------------------------------------------------------------------
+Tue Feb  4 09:55:01 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- remove extensive signature printing in comments of the cert
+  bundle
+
+-------------------------------------------------------------------
+Thu Jan 23 08:23:15 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Define two macros to break a build cycle with p11-kit.
+
+-------------------------------------------------------------------
+Sun Dec 15 21:07:58 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- Updated to 2.72 state of Mozilla SSL root CAs (bsc#1234798)
+  Removed:
+  - SecureSign RootCA11
+  - Security Communication RootCA3
+  Added:
+  - TWCA CYBER Root CA
+  - TWCA Global Root CA G2
+  - SecureSign Root CA12
+  - SecureSign Root CA14
+  - SecureSign Root CA15
+
 -------------------------------------------------------------------
 Mon Jul  8 15:19:02 UTC 2024 - Marcus Meissner <meissner@suse.com>
 
@@ -158,7 +228,7 @@ Mon May  2 11:35:33 UTC 2022 - Marcus Meissner <meissner@suse.com>
   - GTS Root R2
   - GTS Root R3
   - GTS Root R4
- 
+
 -------------------------------------------------------------------
 Sat Oct  2 07:33:52 UTC 2021 - Marcus Meissner <meissner@suse.com>
 
@@ -203,7 +273,7 @@ Mon Jul  5 12:16:33 UTC 2021 - Marcus Meissner <meissner@suse.com>
 -------------------------------------------------------------------
 Sun Jul  4 09:14:00 UTC 2021 - Dirk Müller <dmueller@suse.com>
 
-- fix mozila typo in installed files 
+- fix mozila typo in installed files
 
 -------------------------------------------------------------------
 Tue Feb  9 13:11:37 UTC 2021 - Marcus Meissner <meissner@suse.com>
@@ -479,7 +549,7 @@ Tue Jan 24 12:46:29 UTC 2017 - meissner@suse.com
     emailProtection
 
 - diff-from-upstream-2.7.patch: removed as we should be able to do
-  intermediate root chains now with openssl 1.0.2 and also gnutls 3.5 
+  intermediate root chains now with openssl 1.0.2 and also gnutls 3.5
   is able to do so.
 
 -------------------------------------------------------------------
@@ -902,7 +972,7 @@ Wed Sep 30 13:17:45 UTC 2009 - lnussel@suse.de
 Tue Dec  2 11:29:03 CET 2008 - cfarrell@suse.de
 
 - Add openssl-certs.COPYING to fix bnc#441356
- 
+
 
 -------------------------------------------------------------------
 Thu Oct  9 17:49:57 CEST 2008 - lnussel@suse.de
@@ -912,6 +982,6 @@ Thu Oct  9 17:49:57 CEST 2008 - lnussel@suse.de
 -------------------------------------------------------------------
 Wed Jul  9 15:15:38 CEST 2008 - mkoenig@suse.de
 
-- split out the CA root certificates from the openssl certs 
-  subpackage into a package of its own. 
+- split out the CA root certificates from the openssl certs
+  subpackage into a package of its own.
 

ca-certificates-mozilla.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ca-certificates-mozilla
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,11 +33,14 @@
 %endif
 %endif
 #
+# Taken from p11-kit, to avoid a build cycle
+%define pkidir_static    %{_datadir}/pki
+%define trustdir_static  %{pkidir_static}/trust
 %define certdir %{trustdir_static}
 Name:           ca-certificates-mozilla
 # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
 # http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/nssckbi.h
-Version:        2.68
+Version:        2.74
 Release:        0
 Summary:        CA certificates for OpenSSL
 License:        MPL-2.0
@@ -61,11 +64,10 @@ Source11:       %{name}.COPYING
 Source12:       compareoldnew
 BuildRequires:  ca-certificates
 BuildRequires:  openssl
-BuildRequires:  p11-kit-devel
 BuildRequires:  python3-base
 # for update-ca-certificates
 Requires(post): ca-certificates
-Requires(postun):ca-certificates
+Requires(postun): ca-certificates
 #
 # replaces this package from SLE11 times
 Obsoletes:      openssl-certs < %version
@@ -82,7 +84,9 @@ from MozillaFirefox
 %setup -qcT
 
 mkdir certs
-cp %{SOURCE0} certs
+cd certs
+cp %{SOURCE0} .
+cd ..
 
 install -m 644 %{SOURCE11} COPYING
 ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
@@ -108,7 +112,7 @@ cd ..
 	#
 	# Generated from:
 	EOF
-   awk '$2 = "NSS_BUILTINS_LIBRARY_VERSION" {print "# " $2 " " $3}';
+   awk '$2 == "NSS_BUILTINS_LIBRARY_VERSION" {print "# " $2 " " $3}' %{SOURCE1}
    echo '#';
    ls -1 certs/*.tmp-p11-kit | sort | xargs cat
 ) > %{name}.trust.p11-kit

certdata2pem.py

@@ -280,7 +280,7 @@ for tobj in objects:
             # obtain certificate information suitable as a comment
             comment_fname = "comment-" + fname
             fcout = open(comment_fname, "w")
-            comment_command = ["openssl", "x509", "-in", cert_fname, "-noout", "-text"]
+            comment_command = ["openssl", "x509", "-in", cert_fname, "-noout", "-text", "-certopt", "no_pubkey,no_sigdump"]
             subprocess.call(comment_command, stdout=fcout)
             fcout.close()
             sed_command = ["sed", "--in-place", "s/^/#/", comment_fname]

compareoldnew

@@ -16,7 +16,7 @@ trap cleanup EXIT
 mkdir old new
 cd old
 echo old...
-ln -s ../.osc/certdata.txt
+ln -s ../.osc/sources/certdata.txt
 python3 ../certdata2pem.py > stdout 2> stderr
 ls -1 cert-* | sort > ../old.files
 cd ..

nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 68
-#define NSS_BUILTINS_LIBRARY_VERSION "2.68"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 74
+#define NSS_BUILTINS_LIBRARY_VERSION "2.74"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1