mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-29 12:44:53 +01:00
fbd46fe94a
The original intention for caroot was to be packaged separately, perhaps so that users can have a more/less conservative upgrade policy for this separated from the rest of base. secure/caroot/Makefile doesn't have anything interesting to package, but its subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted and trusted get packaged consistently into the correct one rather than the default -utilities. Also tag the directories for package=caroot, as they could also be empty; blacklisted is empty by default, but trusted is not. Add a post-install script to do certctl rehash, along with a note should we eventually come up with a way to detect that files have been added or removed that requires a rehash. -caroot gets a dependency on -utilities, as that's where we provide certctl at the moment. We can perhaps reconsider this and put certctl into this package in the future, but there are some bits within -utilities that unconditionally invoke certctl so let's hold off for now. Reviewed by: manu (earlier version, before -utilities dep added) Differential Revision: https://reviews.freebsd.org/D23352 |
||
---|---|---|
.. | ||
blacklisted | ||
trusted | ||
MAca-bundle.pl | ||
Makefile | ||
Makefile.inc | ||
README |
# $FreeBSD$ This directory contains the scripts to update the TLS CA Root Certificates that comprise the 'root trust store'. The 'updatecerts' make target should be run periodically by secteam@ specifically when there is an important change to the list of trusted root certificates included by Mozilla. It will: 1) Remove the old trusted certificates (cleancerts) 2) Download the latest certdata.txt from Mozilla (fetchcerts) 3) Split certdata.txt into the individual .pem files (updatecerts) Then the results should manually be inspected (svn status) 1) Any no-longer-trusted certificates should be moved to the blacklisted directory (svn mv) 2) any newly added certificates will need to be added (svn add) The following make targets exist: cleancerts: Delete the old certificates, run as a dependency of updatecerts. fetchcerts: Download the latest certdata.txt from the Mozilla NSS hg repo See the changelog here: https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt updatecerts: Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt to generate the individual certificate files (.pem) and store them in the trusted/ directory.