Index: general.ent
===================================================================
--- general.ent (revision 35c18794132742e79a63d667e0499e63012426e4)
+++ general.ent (revision 254e3bf842fcb1e4f63ebe686f551c6af6b70d42)
@@ -1,5 +1,5 @@
-
+
@@ -7,5 +7,5 @@
-
+
Index: introduction/welcome/changelog.xml
===================================================================
--- introduction/welcome/changelog.xml (revision 35c18794132742e79a63d667e0499e63012426e4)
+++ introduction/welcome/changelog.xml (revision 254e3bf842fcb1e4f63ebe686f551c6af6b70d42)
@@ -42,4 +42,13 @@
-->
+
+ April 13th, 2019
+
+
+ [dj] - Update to make-ca-1.4.
+
+
+
+
April 11th, 2019
Index: packages.ent
===================================================================
--- packages.ent (revision 35c18794132742e79a63d667e0499e63012426e4)
+++ packages.ent (revision 254e3bf842fcb1e4f63ebe686f551c6af6b70d42)
@@ -25,5 +25,5 @@
-
+
Index: postlfs/security/make-ca.xml
===================================================================
--- postlfs/security/make-ca.xml (revision 35c18794132742e79a63d667e0499e63012426e4)
+++ postlfs/security/make-ca.xml (revision 254e3bf842fcb1e4f63ebe686f551c6af6b70d42)
@@ -12,5 +12,5 @@
-
+
]>
@@ -104,5 +104,9 @@
/etc/ssl/local will be imported to both the trust
anchors and the generated certificate stores (overriding Mozilla's
- trust).
+ trust). Additionally, any modified trust values will be copied from the
+ trust anchors to /etc/ssl/local prior to any updates,
+ preserving custom trust values that differ from Mozilla when using the
+ trust utility from p11-kit
+ to operate on the trust store.
To install the various certificate stores, first install the
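Review bot: The added sentence does not say what happens when /etc/ssl/local already holds a file for the same certificate, for example one the administrator wrote by hand with openssl as described later on this page. State which copy wins, since the paragraph promises both that files in /etc/ssl/local override Mozilla's trust and that this copy happens "prior to any updates". Wording nit: "when using the trust utility from p11-kit to operate on the trust store" reads as a condition on the copy itself; something like "custom trust values set with the trust utility from p11-kit are preserved" would be clearer.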
@@ -110,5 +114,6 @@
As the root user:
-make install
+make install &&
+install -vdm755 /etc/ssl/local
As the root user, after
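Review bot: With /etc/ssl/local now created only here, after "make install", the CAcert and "Overriding Mozilla Trust" command blocks further down lose their own "install -vdm755 /etc/ssl/local". On a system where make-ca was installed from an earlier revision of this page, the CAcert block will then fail at its "> /etc/ssl/local/..." redirect. Suggest a sentence in those sections pointing back to this step, or keeping the idempotent install line there.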
@@ -136,5 +141,5 @@
/etc/ssl/ca-bundle.crt
- You should periodically update the store with the above command
+ You should periodically update the store with the above command,
either manually, or via a cron job.
systemd timer. A timer is installed at
@@ -215,6 +220,5 @@
is installed):
-install -vdm755 /etc/ssl/local &&
-wget http://www.cacert.org/certs/root.crt &&
+wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
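Review bot: The wget lines touched here fetch root.crt and class3.crt over plain http, and the output goes into /etc/ssl/local, where it becomes a trust anchor. The openssl commands already pass "-fingerprint"; add a sentence telling the reader to compare the printed fingerprint with one obtained through a separate trusted channel before relying on the imported certificates.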
@@ -223,5 +227,6 @@
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
-addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
- > /etc/ssl/local/CAcert_Class_3_root.pem
+ > /etc/ssl/local/CAcert_Class_3_root.pem &&
+/usr/sbin/make-ca -r -f
Overriding Mozilla Trust
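Review bot: The added "/usr/sbin/make-ca -r -f" at the end of the chain is not explained in the visible text. Add a sentence saying that the stores are regenerated here so the new files in /etc/ssl/local take effect, and consider spelling out the long options, as the p11-kit.xml text in this change does for --force.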
@@ -235,6 +240,5 @@
file, run the following commands:
-install -vdm755 /etc/ssl/local &&
-openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
+openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
-text \
-fingerprint
Index: postlfs/security/p11-kit.xml
===================================================================
--- postlfs/security/p11-kit.xml (revision 35c18794132742e79a63d667e0499e63012426e4)
+++ postlfs/security/p11-kit.xml (revision 254e3bf842fcb1e4f63ebe686f551c6af6b70d42)
@@ -229,8 +229,11 @@
is a command line tool to both extract local certificates from an
upadated anchor store, and regenerate all anchors and certificate
- stores on the system.
+ stores on the system. This is done unconditionally on BLFS using
+ the --force and --get
+ flags to make-ca and should likely not be used
+ for automated updates.
- update-ca-certificates
+ update-ca-certificates
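Review bot: In the added sentence, "This" and the subject of "should likely not be used for automated updates" are ambiguous: it is unclear whether the tool itself or only the --force/--get invocation is meant. Name the command explicitly and say what to use for scheduled updates instead, for example by pointing to the cron job or systemd timer described in make-ca.xml. While this paragraph is being edited, "upadated" in the context line above should be "updated".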