%define pkidir %{_sysconfdir}/pki

%define catrustdir %{_sysconfdir}/pki/ca-trust

%define classic_tls_bundle ca-bundle.crt

%define openssl_format_trust_bundle ca-bundle.trust.crt

%define p11_format_bundle ca-bundle.trust.p11-kit

%define legacy_default_bundle ca-bundle.legacy.default.crt

%define legacy_disable_bundle ca-bundle.legacy.disable.crt

%define java_bundle java/cacerts

Summary: The Mozilla CA root certificate bundle

Name: ca-certificates

# For the package version number, we use: year.{upstream version}

#

# The {upstream version} can be found as symbol

# NSS_BUILTINS_LIBRARY_VERSION in file nss/lib/ckfw/builtins/nssckbi.h

# which corresponds to the data in file nss/lib/ckfw/builtins/certdata.txt.

#

# The files should be taken from a released version of NSS, as published

# at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/

#

# The versions that are used by the latest released version of 

# Mozilla Firefox should be available from:

# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h

# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

#

# The most recent development versions of the files can be found at

# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h

# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt

# (but these files might have not yet been released).

#

# (until 2012.87 the version was based on the cvs revision ID of certdata.txt,

# but in 2013 the NSS projected was migrated to HG. Old version 2012.87 is 

# equivalent to new version 2012.1.93, which would break the requirement 

# to have increasing version numbers. However, the new scheme will work, 

# because all future versions will start with 2013 or larger.)

Version: 2023.2.60_v7.0.306

# for Rawhide, please always use release >= 2

# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)

Release: 1.0%{?dist}

License: Public Domain

URL: https://fedoraproject.org/wiki/CA-Certificates

#Please always update both certdata.txt and nssckbi.h

Source0: certdata.txt

Source1: nssckbi.h

Source2: update-ca-trust

Source3: trust-fixes

Source4: certdata2pem.py

Source5: ca-legacy.conf

Source6: ca-legacy

Source9: ca-legacy.8.txt

Source10: update-ca-trust.8.txt

Source11: README.usr

Source12: README.etc

Source13: README.extr

Source14: README.java

Source15: README.openssl

Source16: README.pem

Source17: README.edk2

Source18: README.src

Source19: README.etcssl

BuildArch: noarch

Requires(post): bash

Requires(post): grep

Requires(post): sed

Requires(post): coreutils

Requires: bash

Requires: grep

Requires: sed

Requires(post): p11-kit >= 0.23

Requires(post): p11-kit-trust >= 0.23

Requires: p11-kit >= 0.23

Requires: p11-kit-trust >= 0.23

BuildRequires: perl-interpreter

BuildRequires: python3

BuildRequires: openssl

BuildRequires: asciidoc

BuildRequires: libxslt

%description

This package contains the set of CA certificates chosen by the

Mozilla Foundation for use with the Internet PKI.

%prep

rm -rf %{name}

mkdir %{name}

mkdir %{name}/certs

mkdir %{name}/certs/legacy-default

mkdir %{name}/certs/legacy-disable

mkdir %{name}/java

%build

pushd %{name}/certs

 pwd

 cp %{SOURCE0} .

 python3 %{SOURCE4} >c2p.log 2>c2p.err

popd

pushd %{name}

 (

   cat <

# This is a bundle of X.509 certificates of public Certificate

# Authorities.  It was generated from the Mozilla root CA list.

# These certificates and trust/distrust attributes use the file format accepted

# by the p11-kit-trust module.

#

# Source: nss/lib/ckfw/builtins/certdata.txt

# Source: nss/lib/ckfw/builtins/nssckbi.h

#

# Generated from:

EOF

   cat %{SOURCE1}  |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';

   echo '#';

 ) > %{p11_format_bundle}

 touch %{legacy_default_bundle}

 NUM_LEGACY_DEFAULT=`find certs/legacy-default -type f | wc -l`

 if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then

     for f in certs/legacy-default/*.crt; do 

       echo "processing $f"

       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`

       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`

       targs=""

       if [ -n "$tbits" ]; then

          for t in $tbits; do

             targs="${targs} -addtrust $t"

          done

       fi

       if [ -n "$targs" ]; then

          echo "legacy default flags $targs for $f" >> info.trust

          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_default_bundle}

       fi

     done

 fi

 touch %{legacy_disable_bundle}

 NUM_LEGACY_DISABLE=`find certs/legacy-disable -type f | wc -l`

 if [ $NUM_LEGACY_DISABLE -ne 0 ]; then

     for f in certs/legacy-disable/*.crt; do 

       echo "processing $f"

       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`

       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`

       targs=""

       if [ -n "$tbits" ]; then

          for t in $tbits; do

             targs="${targs} -addtrust $t"

          done

       fi

       if [ -n "$targs" ]; then

          echo "legacy disable flags $targs for $f" >> info.trust

          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle}

       fi

     done

 fi

 P11FILES=`find certs -name \*.tmp-p11-kit | wc -l`

 if [ $P11FILES -ne 0 ]; then

   for p in certs/*.tmp-p11-kit; do 

     cat "$p" >> %{p11_format_bundle}

   done

 fi

 # Append our trust fixes

 cat %{SOURCE3} >> %{p11_format_bundle}

popd

#manpage

cp %{SOURCE10} %{name}/update-ca-trust.8.txt

asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt

xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml

cp %{SOURCE9} %{name}/ca-legacy.8.txt

asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt

xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml

%install

rm -rf $RPM_BUILD_ROOT

mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/tls/certs

mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java

mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl

mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source

mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors

mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist

mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist

mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted

mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem

mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl

mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java

mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2

mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source

mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors

mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist

mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist

mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy

mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}

mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8

install -p -m 644 %{name}/update-ca-trust.8 $RPM_BUILD_ROOT%{_mandir}/man8

install -p -m 644 %{name}/ca-legacy.8 $RPM_BUILD_ROOT%{_mandir}/man8

install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README

install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README

install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README

install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README

install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README

install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README

install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README

install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README

install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README

install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}

install -p -m 644 %{name}/%{legacy_default_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}

install -p -m 644 %{name}/%{legacy_disable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}

install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf

touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}

touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}

touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}

# TODO: consider to dynamically create the update-ca-trust script from within

#       this .spec file, in order to have the output file+directory names at once place only.

install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust

install -p -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/ca-legacy

# touch ghosted files that will be extracted dynamically

# Set chmod 444 to use identical permission

touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem

chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem

touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem

chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem

touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem

chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem

touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}

chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}

touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}

chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}

touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin

chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin

# /etc/ssl is provided in a Debian compatible form for (bad) code that

# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882

ln -s %{catrustdir}/extracted/pem/directory-hash \

    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs

ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \

    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem

ln -s /etc/pki/tls/openssl.cnf \

    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf

ln -s /etc/pki/tls/ct_log_list.cnf \

    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf

# legacy filenames

ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \

    $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem

ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \

    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}

ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \

    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}

ln -s %{catrustdir}/extracted/%{java_bundle} \

    $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}

%pre

if [ $1 -gt 1 ] ; then

  # Upgrade or Downgrade.

  # If the classic filename is a regular file, then we are upgrading

  # from an old package and we will move it to an .rpmsave backup file.

  # If the filename is a symbolic link, then we are good already.

  # If the system will later be downgraded to an old package with regular 

  # files, and afterwards updated again to a newer package with symlinks,

  # and the old .rpmsave backup file didn't get cleaned up,

  # then we don't backup again. We keep the older backup file.

  # In other words, if an .rpmsave file already exists, we don't overwrite it.

  #

  if ! test -e %{pkidir}/%{java_bundle}.rpmsave; then

    # no backup yet

    if test -e %{pkidir}/%{java_bundle}; then

      # a file exists

        if ! test -L %{pkidir}/%{java_bundle}; then

        # it's an old regular file, not a link

        mv -f %{pkidir}/%{java_bundle} %{pkidir}/%{java_bundle}.rpmsave

      fi

    fi

  fi

  if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then

    # no backup yet

    if test -e %{pkidir}/tls/certs/%{classic_tls_bundle}; then

      # a file exists

      if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then

        # it's an old regular file, not a link

        mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave

      fi

    fi

  fi

  if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then

    # no backup yet

    if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then

      # a file exists

      if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then

        # it's an old regular file, not a link

        mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave

      fi

    fi

  fi

fi

%post

#if [ $1 -gt 1 ] ; then

#  # when upgrading or downgrading

#fi

# if ln is available, go ahead and run the ca-legacy and update

# scripts. If not, wait until %posttrans.

if [ -x %{_bindir}/ln ]; then

%{_bindir}/ca-legacy install

%{_bindir}/update-ca-trust

fi

%posttrans

# When coreutils is installing with ca-certificates

# we need to wait until coreutils install to

# run our update since update requires ln to complete.

# There is a circular dependency here where

# ca-certificates depends on coreutils

# coreutils depends on openssl

# openssl depends on ca-certificates

# so we run the scripts here too, in case we couldn't run them in

# post. If we *could* run them in post this is an unnecessary

# duplication, but it shouldn't hurt anything

%{_bindir}/ca-legacy install

%{_bindir}/update-ca-trust

%files

%dir %{_sysconfdir}/ssl

%dir %{pkidir}/tls

%dir %{pkidir}/tls/certs

%dir %{pkidir}/java

%dir %{catrustdir}

%dir %{catrustdir}/source

%dir %{catrustdir}/source/anchors

%dir %{catrustdir}/source/blacklist

%dir %{catrustdir}/source/blocklist

%dir %{catrustdir}/extracted

%dir %{catrustdir}/extracted/pem

%dir %{catrustdir}/extracted/openssl

%dir %{catrustdir}/extracted/java

%dir %{_datadir}/pki

%dir %{_datadir}/pki/ca-trust-source

%dir %{_datadir}/pki/ca-trust-source/anchors

%dir %{_datadir}/pki/ca-trust-source/blacklist

%dir %{_datadir}/pki/ca-trust-source/blocklist

%dir %{_datadir}/pki/ca-trust-legacy

%config(noreplace) %{catrustdir}/ca-legacy.conf

%{_mandir}/man8/update-ca-trust.8.gz

%{_mandir}/man8/ca-legacy.8.gz

%{_datadir}/pki/ca-trust-source/README

%{catrustdir}/README

%{catrustdir}/extracted/README

%{catrustdir}/extracted/java/README

%{catrustdir}/extracted/openssl/README

%{catrustdir}/extracted/pem/README

%{catrustdir}/extracted/edk2/README

%{catrustdir}/source/README

# symlinks for old locations

%{pkidir}/tls/cert.pem

%{pkidir}/tls/certs/%{classic_tls_bundle}

%{pkidir}/tls/certs/%{openssl_format_trust_bundle}

%{pkidir}/%{java_bundle}

# Hybrid hash directory with bundle file for Debian compatibility

# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882

%{_sysconfdir}/ssl/certs

%{_sysconfdir}/ssl/README

%{_sysconfdir}/ssl/cert.pem

%{_sysconfdir}/ssl/openssl.cnf

%{_sysconfdir}/ssl/ct_log_list.cnf

# primary bundle file with trust

%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}

%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}

%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}

# update/extract tool

%{_bindir}/update-ca-trust

%{_bindir}/ca-legacy

%ghost %{catrustdir}/source/ca-bundle.legacy.crt

# files extracted files

%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem

%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem

%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem

%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}

%ghost %{catrustdir}/extracted/%{java_bundle}

%ghost %{catrustdir}/extracted/edk2/cacerts.bin

%changelog

*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-1.0

- Update to CKBI 2.60_v7.0.306 from NSS 3.91

-    Removing:

-     # Certificate "OpenTrust Root CA G1"

-     # Certificate "Swedish Government Root Authority v1"

-     # Certificate "DigiNotar Root CA G2"

-     # Certificate "Federal Common Policy CA"

-     # Certificate "TC TrustCenter Universal CA III"

-     # Certificate "CCA India 2007"

-     # Certificate "ipsCA Global CA Root"

-     # Certificate "ipsCA Main CA Root"

-     # Certificate "Macao Post eSignTrust Root Certification Authority"

-     # Certificate "InfoNotary CSP Root"

-     # Certificate "DigiNotar Root CA"

-     # Certificate "Root CA"

-     # Certificate "GPKIRootCA"

-     # Certificate "D-TRUST Qualified Root CA 1 2007:PN"

-     # Certificate "TC TrustCenter Universal CA I"

-     # Certificate "TC TrustCenter Universal CA II"

-     # Certificate "TC TrustCenter Class 2 CA II"

-     # Certificate "TC TrustCenter Class 4 CA II"

-     # Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"

-     # Certificate "CertRSA01"

-     # Certificate "KISA RootCA 3"

-     # Certificate "A-CERT ADVANCED"

-     # Certificate "A-Trust-Qual-01"

-     # Certificate "A-Trust-nQual-01"

-     # Certificate "Serasa Certificate Authority II"

-     # Certificate "TDC Internet"

-     # Certificate "America Online Root Certification Authority 2"

-     # Certificate "RSA Security Inc"

-     # Certificate "Public Notary Root"

-     # Certificate "Autoridade Certificadora Raiz Brasileira"

-     # Certificate "Post.Trust Root CA"

-     # Certificate "Entrust.net Secure Server Certification Authority"

-     # Certificate "ePKI EV SSL Certification Authority - G1"

-    Adding:

-     # Certificate "BJCA Global Root CA1"

-     # Certificate "BJCA Global Root CA2"

-     # Certificate "Symantec Enterprise Mobile Root for Microsoft"

-     # Certificate "A-Trust-Root-05"

-     # Certificate "ADOCA02"

-     # Certificate "StartCom Certification Authority G2"

-     # Certificate "ATHEX Root CA"

-     # Certificate "EBG Elektronik Sertifika Hizmet Sağlayıcısı"

-     # Certificate "GeoTrust Primary Certification Authority"

-     # Certificate "thawte Primary Root CA"

-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"

-     # Certificate "America Online Root Certification Authority 1"

-     # Certificate "Juur-SK"

-     # Certificate "ComSign CA"

-     # Certificate "ComSign Secured CA"

-     # Certificate "ComSign Advanced Security CA"

-     # Certificate "Sonera Class2 CA"

-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"

-     # Certificate "VeriSign, Inc."

-     # Certificate "GTE CyberTrust Global Root"

-     # Certificate "Equifax Secure Global eBusiness CA-1"

-     # Certificate "Equifax"

-     # Certificate "Class 1 Primary CA"

-     # Certificate "Swiss Government Root CA III"

-     # Certificate "Application CA G4 Root"

-     # Certificate "SSC GDL CA Root A"

-     # Certificate "GlobalSign Code Signing Root E45"

-     # Certificate "GlobalSign Code Signing Root R45"

-     # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"

*Wed Jan 18 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2023.2.60-1.0

- Update to CKBI 2.60 from NSS 3.86

-    Removing:

-     # Certificate "Camerfirma Global Chambersign Root"

-     # Certificate "Staat der Nederlanden EV Root CA"

-    Adding:

-     # Certificate "DigiCert TLS ECC P384 Root G5"

-     # Certificate "DigiCert TLS RSA4096 Root G5"

-     # Certificate "DigiCert SMIME ECC P384 Root G5"

-     # Certificate "DigiCert SMIME RSA4096 Root G5"

-     # Certificate "Certainly Root R1"

-     # Certificate "Certainly Root E1"

-     # Certificate "E-Tugra Global Root CA RSA v3"

-     # Certificate "E-Tugra Global Root CA ECC v3"

-     # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"

-     # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"

-     # Certificate "Global Chambersign Root"

*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-5

- Update to CKBI 2.54 from NSS 3.79

-    Removing:

-     # Certificate "TrustCor ECA-1"

-     # Certificate "TrustCor RootCert CA-2"

-     # Certificate "TrustCor RootCert CA-1"

-     # Certificate "Network Solutions Certificate Authority"

-     # Certificate "COMODO Certification Authority"

-     # Certificate "Autoridad de Certificacion Raiz del Estado Venezolano"

-     # Certificate "Microsec e-Szigno Root CA 2009"

-     # Certificate "TWCA Root Certification Authority"

-     # Certificate "Izenpe.com"

-     # Certificate "state-institutions"

-     # Certificate "GlobalSign"

-     # Certificate "Common Policy"

-     # Certificate "A-Trust-nQual-03"

-     # Certificate "A-Trust-Qual-02"

-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"

-     # Certificate "Government Root Certification Authority"

-     # Certificate "AC Raíz Certicámara S.A."

*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-4

- Update to CKBI 2.54 from NSS 3.79

* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-2

- Update to CKBI 2.54 from NSS 3.79

-    Removing:

-     # Certificate "GlobalSign Root CA - R2"

-     # Certificate "DST Root CA X3"

-     # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"

-    Adding:

-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"

-     # Certificate "vTrus ECC Root CA"

-     # Certificate "vTrus Root CA"

-     # Certificate "ISRG Root X2"

-     # Certificate "HiPKI Root CA - G1"

-     # Certificate "Telia Root CA v2"

-     # Certificate "D-TRUST BR Root CA 1 2020"

-     # Certificate "D-TRUST EV Root CA 1 2020"

-     # Certificate "CAEDICOM Root"

-     # Certificate "I.CA Root CA/RSA"

-     # Certificate "MULTICERT Root Certification Authority 01"

-     # Certificate "Certification Authority of WoSign G2"

-     # Certificate "CA WoSign ECC Root"

-     # Certificate "CCA India 2015 SPL"

-     # Certificate "Swedish Government Root Authority v3"

-     # Certificate "Swedish Government Root Authority v2"

-     # Certificate "Tunisian Root Certificate Authority - TunRootCA2"

-     # Certificate "OpenTrust Root CA G1"

-     # Certificate "OpenTrust Root CA G2"

-     # Certificate "OpenTrust Root CA G3"

-     # Certificate "Certplus Root CA G1"

-     # Certificate "Certplus Root CA G2"

-     # Certificate "Government Root Certification Authority"

-     # Certificate "A-Trust-Qual-02"

-     # Certificate "Thailand National Root Certification Authority - G1"

-     # Certificate "TrustCor ECA-1"

-     # Certificate "TrustCor RootCert CA-2"

-     # Certificate "TrustCor RootCert CA-1"

-     # Certificate "Certification Authority of WoSign"

-     # Certificate "CA 沃通根证书"

-     # Certificate "SSC GDL CA Root B"

-     # Certificate "SAPO Class 2 Root CA"

-     # Certificate "SAPO Class 3 Root CA"

-     # Certificate "SAPO Class 4 Root CA"

-     # Certificate "CA Disig Root R1"

-     # Certificate "Autoridad Certificadora Raíz Nacional de Uruguay"

-     # Certificate "ApplicationCA2 Root"

-     # Certificate "GlobalSign"

-     # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"

-     # Certificate "Symantec Class 3 Public Primary Certification Authority - G4"

-     # Certificate "Halcom Root CA"

-     # Certificate "Swisscom Root EV CA 2"

-     # Certificate "CFCA GT CA"

-     # Certificate "Digidentity L3 Root CA - G2"

-     # Certificate "SITHS Root CA v1"

-     # Certificate "Macao Post eSignTrust Root Certification Authority (G02)"

-     # Certificate "Autoridade Certificadora Raiz Brasileira v2"

-     # Certificate "Swisscom Root CA 2"

-     # Certificate "IGC/A AC racine Etat francais"

-     # Certificate "PersonalID Trustworthy RootCA 2011"

-     # Certificate "Swedish Government Root Authority v1"

-     # Certificate "Swiss Government Root CA II"

-     # Certificate "Swiss Government Root CA I"

-     # Certificate "Network Solutions Certificate Authority"

-     # Certificate "COMODO Certification Authority"

-     # Certificate "LuxTrust Global Root"

-     # Certificate "AC1 RAIZ MTIN"

-     # Certificate "Microsoft Root Certificate Authority 2011"

-     # Certificate "CCA India 2011"

-     # Certificate "ANCERT Certificados Notariales V2"

-     # Certificate "ANCERT Certificados CGN V2"

-     # Certificate "EE Certification Centre Root CA"

-     # Certificate "DigiNotar Root CA G2"

-     # Certificate "Federal Common Policy CA"

-     # Certificate "Autoridad de Certificacion Raiz del Estado Venezolano"

-     # Certificate "Autoridad de Certificacion Raiz del Estado Venezolano"

-     # Certificate "China Internet Network Information Center EV Certificates Root"

-     # Certificate "Verizon Global Root CA"

-     # Certificate "SwissSign Silver Root CA - G3"

-     # Certificate "SwissSign Platinum Root CA - G3"

-     # Certificate "SwissSign Gold Root CA - G3"

-     # Certificate "Microsec e-Szigno Root CA 2009"

-     # Certificate "SITHS CA v3"

-     # Certificate "Certinomis - Autorité Racine"

-     # Certificate "ANF Server CA"

-     # Certificate "Thawte Premium Server CA"

-     # Certificate "Thawte Server CA"

-     # Certificate "TC TrustCenter Universal CA III"

-     # Certificate "KEYNECTIS ROOT CA"

-     # Certificate "I.CA - Standard Certification Authority, 09/2009"

-     # Certificate "I.CA - Qualified Certification Authority, 09/2009"

-     # Certificate "VI Registru Centras RCSC (RootCA)"

-     # Certificate "CCA India 2007"

-     # Certificate "Autoridade Certificadora Raiz Brasileira v1"

-     # Certificate "ipsCA Global CA Root"

-     # Certificate "ipsCA Main CA Root"

-     # Certificate "Actalis Authentication CA G1"

-     # Certificate "A-Trust-Qual-03"

-     # Certificate "AddTrust External CA Root"

-     # Certificate "ECRaizEstado"

-     # Certificate "Configuration"

-     # Certificate "FNMT-RCM"

-     # Certificate "StartCom Certification Authority"

-     # Certificate "TWCA Root Certification Authority"

-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"

-     # Certificate "thawte Primary Root CA - G2"

-     # Certificate "GeoTrust Primary Certification Authority - G2"

-     # Certificate "VeriSign Universal Root Certification Authority"

-     # Certificate "thawte Primary Root CA - G3"

-     # Certificate "GeoTrust Primary Certification Authority - G3"

-     # Certificate "E-ME SSI (RCA)"

-     # Certificate "ACEDICOM Root"

-     # Certificate "Autoridad Certificadora Raiz de la Secretaria de Economia"

-     # Certificate "Correo Uruguayo - Root CA"

-     # Certificate "CNNIC ROOT"

-     # Certificate "Common Policy"

-     # Certificate "Macao Post eSignTrust Root Certification Authority"

-     # Certificate "Staat der Nederlanden Root CA - G2"

-     # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"

-     # Certificate "AC Raíz Certicámara S.A."

-     # Certificate "Cisco Root CA 2048"

-     # Certificate "CA Disig"

-     # Certificate "InfoNotary CSP Root"

-     # Certificate "UCA Global Root"

-     # Certificate "UCA Root"

-     # Certificate "DigiNotar Root CA"

-     # Certificate "Starfield Services Root Certificate Authority"

-     # Certificate "I.CA - Qualified root certificate"

-     # Certificate "I.CA - Standard root certificate"

-     # Certificate "e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"

-     # Certificate "Japanese Government"

-     # Certificate "AdminCA-CD-T01"

-     # Certificate "Admin-Root-CA"

-     # Certificate "Izenpe.com"

-     # Certificate "TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3"

-     # Certificate "Halcom CA FO"

-     # Certificate "Halcom CA PO 2"

-     # Certificate "Root CA"

-     # Certificate "GPKIRootCA"

-     # Certificate "ACNLB"

-     # Certificate "state-institutions"

-     # Certificate "state-institutions"

-     # Certificate "SECOM Trust Systems CO.,LTD."

-     # Certificate "D-TRUST Qualified Root CA 1 2007:PN"

-     # Certificate "D-TRUST Root Class 2 CA 2007"

-     # Certificate "D-TRUST Root Class 3 CA 2007"

-     # Certificate "SSC Root CA A"

-     # Certificate "SSC Root CA B"

-     # Certificate "SSC Root CA C"

-     # Certificate "Autoridad de Certificacion de la Abogacia"

-     # Certificate "Root CA Generalitat Valenciana"

-     # Certificate "VAS Latvijas Pasts SSI(RCA)"

-     # Certificate "ANCERT Certificados CGN"

-     # Certificate "ANCERT Certificados Notariales"

-     # Certificate "ANCERT Corporaciones de Derecho Publico"

-     # Certificate "GLOBALTRUST"

-     # Certificate "Certipost E-Trust TOP Root CA"

-     # Certificate "Certipost E-Trust Primary Qualified CA"

-     # Certificate "Certipost E-Trust Primary Normalised CA"

-     # Certificate "GlobalSign"

-     # Certificate "IGC/A"

-     # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"

-     # Certificate "TC TrustCenter Universal CA I"

-     # Certificate "TC TrustCenter Universal CA II"

-     # Certificate "TC TrustCenter Class 2 CA II"

-     # Certificate "TC TrustCenter Class 4 CA II"

-     # Certificate "Swisscom Root CA 1"

-     # Certificate "Microsec e-Szigno Root CA"

-     # Certificate "LGPKI"

-     # Certificate "AC RAIZ DNIE"

-     # Certificate "Common Policy"

-     # Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"

-     # Certificate "A-Trust-nQual-03"

-     # Certificate "A-Trust-nQual-03"

-     # Certificate "CertRSA01"

-     # Certificate "KISA RootCA 1"

-     # Certificate "KISA RootCA 3"

-     # Certificate "NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado"

-     # Certificate "A-CERT ADVANCED"

-     # Certificate "A-Trust-Qual-01"

-     # Certificate "A-Trust-nQual-01"

-     # Certificate "A-Trust-Qual-02"

-     # Certificate "Staat der Nederlanden Root CA"

-     # Certificate "Serasa Certificate Authority II"

-     # Certificate "TDC Internet"

-     # Certificate "America Online Root Certification Authority 2"

-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"

-     # Certificate "Government Root Certification Authority"

-     # Certificate "RSA Security Inc"

-     # Certificate "Public Notary Root"

-     # Certificate "GeoTrust Global CA"

-     # Certificate "GeoTrust Global CA 2"

-     # Certificate "GeoTrust Universal CA"

-     # Certificate "GeoTrust Universal CA 2"

-     # Certificate "QuoVadis Root Certification Authority"

-     # Certificate "Autoridade Certificadora Raiz Brasileira"

-     # Certificate "Post.Trust Root CA"

-     # Certificate "Microsoft Root Authority"

-     # Certificate "Microsoft Root Certificate Authority"

-     # Certificate "Microsoft Root Certificate Authority 2010"

-     # Certificate "Entrust.net Secure Server Certification Authority"

-     # Certificate "UTN-USERFirst-Object"

-     # Certificate "BYTE Root Certification Authority 001"

-     # Certificate "CISRCA1"

-     # Certificate "ePKI Root Certification Authority - G2"

-     # Certificate "ePKI EV SSL Certification Authority - G1"

-     # Certificate "AC Raíz Certicámara S.A."

-     # Certificate "SSL.com EV Root Certification Authority RSA"

-     # Certificate "LuxTrust Global Root 2"

-     # Certificate "ACA ROOT"

-     # Certificate "Security Communication ECC RootCA1"

-     # Certificate "Security Communication RootCA3"

-     # Certificate "CHAMBERS OF COMMERCE ROOT - 2016"

-     # Certificate "Network Solutions RSA Certificate Authority"

-     # Certificate "Network Solutions ECC Certificate Authority"

-     # Certificate "Australian Defence Public Root CA"

-     # Certificate "SI-TRUST Root"

-     # Certificate "Halcom Root Certificate Authority"

-     # Certificate "Application CA G3 Root"

-     # Certificate "GLOBALTRUST 2015"

-     # Certificate "Microsoft ECC Product Root Certificate Authority 2018"

-     # Certificate "emSign Root CA - G2"

-     # Certificate "emSign Root CA - C2"

-     # Certificate "Microsoft ECC TS Root Certificate Authority 2018"

-     # Certificate "DigiCert CS ECC P384 Root G5"

-     # Certificate "DigiCert CS RSA4096 Root G5"

-     # Certificate "DigiCert RSA4096 Root G5"

-     # Certificate "DigiCert ECC P384 Root G5"

-     # Certificate "HARICA Code Signing RSA Root CA 2021"

-     # Certificate "HARICA Code Signing ECC Root CA 2021"

-     # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"

* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.52-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

*Mon Dec 13 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.52-2

- Update to CKBI 2.52 from NSS 3.72

-    Adding:

-     # Certificate "TunTrust Root CA"

-     # Certificate "HARICA TLS RSA Root CA 2021"

-     # Certificate "HARICA TLS ECC Root CA 2021"

-     # Certificate "HARICA Client RSA Root CA 2021"

-     # Certificate "HARICA Client ECC Root CA 2021"

*Mon Dec 6 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-5

- integrate Adam William's /etc/ssl/certs with Debian-compatibility

- back out blocklist change since p11-kit .24 is not yet available on rawhide

*Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-4

- remove blacklist directory now that pk11-kit is using blocklist

* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.50-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-2

- Update to CKBI 2.50 from NSS 3.67

-    Removing:

-     # Certificate "Trustis FPS Root CA"

-     # Certificate "GlobalSign Code Signing Root R45"

-     # Certificate "GlobalSign Code Signing Root E45"