Changeset 6133936 for postlfs

Timestamp:

09/04/2021 03:45:41 AM (3 years ago)

Author:

DJ Lucas <dj@…>

Branches:

11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

31dc50d

Parents:

673c070

Message:

Update to make-ca-1.8.1.

Location:

postlfs/security

Files:

• make-ca.xml (modified) (4 diffs)
• p11-kit.xml (modified) (1 diff)

postlfs/security/make-ca.xml

@@ -11 +11 @@
 
   <!ENTITY make-ca-download      "https://github.com/djlucas/make-ca/releases/download/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
-  <!ENTITY make-ca-size          "28.5 KB">
-  <!ENTITY make-ca-md5sum        "e0356f5ae5623f227a3f69b5e8848ec6">
+  <!ENTITY make-ca-size          "29.8 KB">
+  <!ENTITY make-ca-md5sum        "957c39206ba0e9139807c5a47535747f">
 ]>
 
@@ -221 +221 @@
     <para>
       The <filename class="directory">/etc/ssl/local</filename> directory
-      is available to add additional CA certificates to the system. For
-      instance, you might need to add an organization or government CA
-      certificate. Files in this directory must be in the
-      <application>OpenSSL</application> trusted certificate format. To
-      create an <application>OpenSSL</application> trusted certificate from
-      a regular PEM encoded file, you need to add trust arguments to the
+      is available to add additional CA certificates to the system trust store.
+      This directory is also used to store certificates that were added to or
+      modified  in the system trust store by <xref linkend="p11-kit"/> so that
+      trust values are maintained across upgrades. Files in this directory must
+      be in the <application>OpenSSL</application> trusted certificate format.
+      Certificates imported using the <command>trust</command> utility from
+      <xref linkend="p11-kit"/> will utilize the x509 Extended Key Usage values
+      to assign default trust values for the system anchors.
+    </para>
+
+    <para>If you need to override trust values, or otherwise need to create
+      an <application>OpenSSL</application> trusted certificate manually
+      from a regular PEM encoded file, you need to add trust arguments to the
       <command>openssl</command> command, and create a new certificate. For
       example, using the <ulink url="http://www.cacert.org/">CAcert</ulink>
@@ -243 +250 @@
         -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
         > /etc/ssl/local/CAcert_Class_3_root.pem &amp;&amp;
-/usr/sbin/make-ca -r -f</userinput></screen>
+/usr/sbin/make-ca -r</userinput></screen>
 
     <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
@@ -265 +272 @@
              -addreject codeSigning \
        > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &amp;&amp;
-/usr/sbin/make-ca -r -f</userinput></screen>
+/usr/sbin/make-ca -r</userinput></screen>
 
   </sect2>

postlfs/security/p11-kit.xml

@@ -104 +104 @@
 /usr/libexec/make-ca/copy-trust-modifications
 
-# Generate a new trust store
-/usr/sbin/make-ca -f -g</literal>
+# Update trust stores
+/usr/sbin/make-ca -r</literal>
 EOF</userinput></screen>