-
Wed Jul 22 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-65.1
- remove DISTRUST_AFTER attributes.
-
Tue Jun 09 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-60.0
- Update to CKBI 2.41 from NSS 3.53.0
- Removing:
- # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust External Root"
- # Certificate "UTN USERFirst Email Root CA"
- # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Staat der Nederlanden Root CA - G2"
- # Certificate "Swisscom Root CA 2"
- # Certificate "Certinomis - Root CA"
- Adding:
- # Certificate "Entrust Root Certification Authority - G4"
-
Thu Oct 03 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-65.1
- Remove expired 1024 bit roots
- Removing:
- # Certificate "GTE CyberTrust Global Root"
- # Certificate "Equifax Secure CA"
- # Certificate "ValiCert Class 1 VA"
- # Certificate "ValiCert Class 2 VA"
- # Certificate "RSA Root Certificate 1"
- # Certificate "Entrust.net Secure Server CA"
- # Certificate "NetLock Business (Class B) Root"
- # Certificate "NetLock Express (Class C) Root"
-
Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-60.0
-Update to CKBI 2.32 from NSS 3.44
- Removing:
- # Certificate "Visa eCommerce Root"
- # Certificate "AC Raiz Certicamara S.A."
- # Certificate "TC TrustCenter Class 3 CA II"
- # Certificate "ComSign CA"
- # Certificate "S-TRUST Universal Root CA"
- # Certificate "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
- # Certificate "Certplus Root CA G1"
- # Certificate "Certplus Root CA G2"
- # Certificate "OpenTrust Root CA G1"
- # Certificate "OpenTrust Root CA G2"
- # Certificate "OpenTrust Root CA G3"
- Adding:
- # Certificate "GlobalSign Root CA - R6"
- # Certificate "OISTE WISeKey Global Root GC CA"
- # Certificate "GTS Root R1"
- # Certificate "GTS Root R2"
- # Certificate "GTS Root R3"
- # Certificate "GTS Root R4"
- # Certificate "UCA Global G2 Root"
- # Certificate "UCA Extended Validation Root"
- # Certificate "Certigna Root CA"
- # Certificate "emSign Root CA - G1"
- # Certificate "emSign ECC Root CA - G3"
- # Certificate "emSign Root CA - C1"
- # Certificate "emSign ECC Root CA - C3"
- # Certificate "Hongkong Post Root CA 3"
-
Wed Feb 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.22-65.1
- Update to CKBI 2.22 from NSS 3.35 with legacy modifications.
-
Mon Dec 18 2017 Kai Engert <kaie@redhat.com> - 2017.2.20-65.1
- Update to CKBI 2.20 from NSS 3.34.1 with legacy modifications.
In the original upstream release, Mozilla.org removed all trust for
the code signing usage. As part of the default legacy configuration,
this package retains code signing trust for all CAs that are still
trusted for the server authentication usage.
The ca-legacy disable configuration disables all code signing trust.
-
Fri Apr 28 2017 Kai Engert <kaie@redhat.com> - 2017.2.14-65.1
- Update to CKBI 2.14 from NSS 3.28.5 with legacy modifications.
-
Thu Feb 23 2017 Kai Engert <kaie@redhat.com> - 2017.2.11-65.1
- Update to CKBI 2.11 from NSS 3.28.1 with legacy modifications.
-
Tue Nov 01 2016 Kai Engert <kaie@redhat.com> - 2016.2.10-65.4
- fix a typo in the manual page
-
Wed Oct 26 2016 Kai Engert <kaie@redhat.com> - 2016.2.10-65.3
- Update to CKBI 2.10 from NSS 3.27 with legacy modifications.
-
Mon Jan 18 2016 Kai Engert <kaie@redhat.com> - 2015.2.6-65.1
- Update to CKBI 2.6 from NSS 3.21 with legacy modifications.
-
Thu Apr 23 2015 Kai Engert <kaie@redhat.com> - 2015.2.4-65.1
- Update to CKBI 2.4 from NSS 3.18.1 with legacy modifications.
-
Tue Apr 14 2015 Kai Engert <kaie@redhat.com> - 2015.2.3-65.3
- Fix a typo in the ca-legacy manual page (rhbz#1208850)
-
Wed Apr 01 2015 Kai Engert <kaie@redhat.com> - 2015.2.3-65.2
- Include the legacy CA certificates in the classic TLS bundle, too.
-
Tue Mar 31 2015 Kai Engert <kaie@redhat.com> - 2015.2.3-65.1
- Update to CKBI 2.3 from NSS 3.18 with legacy modifications.
- Add a patch to the source RPM that documents the changes from the
upstream version.
- Introduce the ca-legacy utility, a manual page, and the ca-legacy.conf
configuration file.
- The new scriptlets require the coreutils package.
- Remove the obsolete blacklist.txt file.
-
Thu Dec 04 2014 Kai Engert <kaie@redhat.com> - 2014.1.98-65.2
- Add an alternative version of the "Thawte Premium Server CA" root,
which carries a SHA1-RSA signature, to allow OpenJDK to verify applets
which contain that version of the root certificate (rhbz#1138230).
This change doesn't add trust for another key, because both versions
of the certificate use the same public key.
-
Mon Jul 14 2014 Kai Engert <kaie@redhat.com> - 2014.1.98-65.1
- Rebuild, ensure y-stream uses larger release number than z-stream.
-
Thu May 29 2014 Kai Engert <kaie@redhat.com> - 2014.1.98-65.0
- Update to CKBI 1.98 from NSS 3.16.1
-
Tue Dec 17 2013 Kai Engert <kaie@redhat.com> - 2013.1.95-65.1
- Bump release number for consistency across branches
-
Tue Dec 17 2013 Kai Engert <kaie@redhat.com> - 2013.1.95-65.0
- Update to CKBI 1.95 from NSS 3.15.3.1
-
Tue Sep 03 2013 Kai Engert <kaie@redhat.com> - 2013.1.94-65.0
- Update to CKBI 1.94 from NSS 3.15
-
Thu Jul 18 2013 Kai Engert <kaie@redhat.com> - 2012.87-65.9
- fix manpage format
-
Wed Jul 17 2013 Kai Engert <kaie@redhat.com> - 2012.87-65.8
- improve manpage
-
Thu Jul 11 2013 Kai Engert <kaie@redhat.com> - 2012.87-65.7
- ExcludeArch/ExclusiveArch doesn't work to enforce a build host
- Added comment that explains the special build requirements.
- Added a comment suggesting to keep the release number below the
ones used on RHEL 7.
- Fixed permissions of /etc/pki/java (thanks to stefw)
-
Mon Jul 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-65.6
- set a certificate alias in trusted bundle (thanks to Ludwig Nussel)
-
Mon Jul 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-65.5
- update required p11-kit version
-
Wed Jul 03 2013 Kai Engert <kaie@redhat.com> - 2012.87-65.4
- attempt to handle unsupported downgrades, where the admin has enabled
legacy support, but downgrades to an old package that is incompatible
provide the new feature.
- move manual page to the man8 section (system administration commands)
- simplify the README files now that we have a manual page
-
Fri Jun 14 2013 Kai Engert <kaie@redhat.com> - 2012.87-65.3
- added a manual page and related build requirements
- updated copyright sections in scripts
- enhance update-ca-trust script
-
Fri Jun 14 2013 Stef Walter <stefw@redhat.com> - 2012.87-65.2
- update-ca-trust: Print warnings to stderr
-
Fri Jun 14 2013 Stef Walter <stefw@redhat.com> - 2012.87-65.1
- update-ca-trust: Update p11-kit script path
- update-ca-trust: script uses bash not sh
-
Fri Jun 14 2013 Kai Engert <kaie@redhat.com> - 2012.87-65.0
- Major rework introducing the SharedSystemCertificates feature,
disabled by default.
- Require the p11-kit package that contains tools to automatically create
other file format bundles.
- Added a update-ca-trust script which can be used to enable the
new system and to regenerate the merged trust output.
- Refer to the various README files that have been added for more detailed
explanation of the new system.
- No longer require rsc for building. Remove use of rcs/ident.
- Update source URLs and comments, add source file for version information.
- Add explanation for the future version numbering scheme,
because the old numbering scheme assumed upstream using cvs,
which is no longer true, and therefore can no longer be used.
-
Thu Mar 01 2012 Joe Orton <jorton@redhat.com> - 2010.63-4
- fix inclusion of code-signing-only certs in .trust.crt
- exclude blacklisted root from java keystore too
- remove trust from DigiNotar root (#734678)
-
Wed Apr 07 2010 Joe Orton <jorton@redhat.com> - 2010.63-3
- package /etc/ssl/certs symlink for third-party apps (#572725)
-
Wed Apr 07 2010 Joe Orton <jorton@redhat.com> - 2010.63-2
- rebuild
-
Wed Apr 07 2010 Joe Orton <jorton@redhat.com> - 2010.63-1
- update to certdata.txt r1.63
- use upstream RCS version in Version
-
Fri Mar 19 2010 Joe Orton <jorton@redhat.com> - 2010-4
- fix ca-bundle.crt (#575111)
-
Thu Mar 18 2010 Joe Orton <jorton@redhat.com> - 2010-3
- update to certdata.txt r1.58
- add /etc/pki/tls/certs/ca-bundle.trust.crt using 'TRUSTED CERTICATE' format
- exclude ECC certs from the Java cacerts database
- catch keytool failures
- fail parsing certdata.txt on finding untrusted but not blacklisted cert
-
Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
- fix Java cacert database generation: use Subject rather than Issuer
for alias name; add diagnostics; fix some alias names.
-
Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
- adopt Python certdata.txt parsing script from Debian
-
Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
-
Wed Jul 22 2009 Joe Orton <jorton@redhat.com> 2009-1
- update to certdata.txt r1.53
-
Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2008-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
-
Tue Oct 14 2008 Joe Orton <jorton@redhat.com> 2008-7
- update to certdata.txt r1.49
-
Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
- Change generate-cacerts.pl to produce pretty aliases.
-
Mon Jun 02 2008 Joe Orton <jorton@redhat.com> 2008-5
- include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
-
Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
- use package name for temp dir, recreate it in prep
-
Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
- fix source script perms
- mark packaged files as config(noreplace)
-
Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
- add (but don't use) mkcabundle.pl
- tweak description
- use /usr/bin/keytool directly; BR java-openjdk
-
Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
- Initial build (#448497)