Commit graph

70 commits

Author SHA1 Message Date
Martin Weinelt
37119a0585
Merge pull request #289160 from helsinki-systems/upd/cacert
cacert: 3.95 -> 3.98
2024-02-16 13:48:31 +01:00
ajs124
b45c60727c cacert: 3.95 -> 3.98
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/Tsq5_Ot9Ay4
2024-02-16 00:37:53 +01:00
Raito Bezarius
19159a2349 nixos/security/ca: enable support for compatibility bundles
Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use
our NixOS CA bundle.

For this, it is necessary to fallback on a 'compatibility' bundle which will contain no additional
trust rules.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-02-11 17:51:00 +01:00
ajs124
d8b1778995 cacert: 3.92 -> 3.95
- remove blacklisted certificates, because they aren't part of the bundle anymore
- switch to fetching from github, because they forgot/failed to upload a
  release tarball (again)
- https://github.com/nss-dev/nss/blob/NSS_3_95_RTM/doc/rst/releases/nss_3_95.rst
2023-11-22 13:03:18 +01:00
ajs124
c1a72d1469 cacert: 3.90 -> 3.92
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/oNYCNPU21k0/m/rM3q7pM3BAAJ
2023-07-27 16:58:17 +02:00
ajs124
4fcb96e0f6 cacert: 3.89.1 -> 3.90
https://github.com/nss-dev/nss/blob/NSS_3_90_BRANCH/doc/rst/releases/nss_3_90.rst
2023-06-06 16:35:09 +02:00
Martin Weinelt
bc4549fe3a
cacert: 3.86 -> 3.89.1
https://github.com/nss-dev/nss/blob/master/doc/rst/releases/nss_3_89_1.rst
2023-05-06 02:32:17 +02:00
figsoda
ec8cb34358 treewide: fix typos 2022-12-17 19:39:44 -05:00
ajs124
e5212aaa67 cacert: 3.83 -> 3.86
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/NqCkaX216zY/m/QAUPTaBWCgAJ
2022-12-09 00:22:17 +01:00
Martin Weinelt
2e7853293d
cacert: Distrust TrustCor root certificates
Mozilla set "Distrust After" for the three TrustCor Root CAs¹, so new
certificates issued would not be trusted after 2022/11/30, while older
enduser certificates would continue working until they expire. This is a
fine-grained policy option available to consumers of the NSS library,
such as Firefox or Thunderbird.

For Linux systems we generally export the Mozilla trust store into our
own CA bundle that ultimately lacks that metadata, because there is no
standardized way to parse it in the first place.

That means that as long as Mozilla keeps the certificate in their CA
program, even with time-based "Distrust" configured, we would keep
trusting it fully². That is completely unreasonable and that is why we
reject these CAs here for all users of nixpkgs.

The TrustCor CAs were primarily used to sign certificates for dynamic
hosts for domains provided through no-ip.com, so we expect the fallout
from this to be minimal.

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
[2] https://utcc.utoronto.ca/~cks/space/blog/linux/CARootStoreTrustProblem
2022-12-06 19:12:53 +01:00
Martin Weinelt
2c9b58573f
cacert: 3.80 -> 3.83
- Bug 1785297 - Add two SECOM root certificates to NSS
- Bug 1787075 - Add two DigitalSign root certificates to NSS
- Bug 1778412 - Remove Camerfirma Global Chambersign Root from NSS
2022-09-16 01:16:59 +02:00
ajs124
04be37dead cacert: 3.77 -> 3.80 2022-06-24 15:09:56 +02:00
ajs124
8e77380250 cacert: 3.74 -> 3.77 2022-04-03 13:14:08 +01:00
github-actions[bot]
b74b591fbe
Merge master into staging-next 2022-01-20 00:01:46 +00:00
Andreas Rammhold
31e5b8dc21
Remove myself from maintainers
I don't have time and energy to deal with all of this anymore.
2022-01-20 00:24:52 +01:00
ajs124
eb9b64fc32 cacert: 3.71 -> 3.74 2022-01-06 22:46:17 +01:00
Luke Granger-Brown
91e4957081 cacert: extract certdata.txt from main package
This allows users to specify custom CAs without needing to download the
entirety of the NSS source code - just certdata.txt, which should end up
in cache.nixos.org.
2021-10-08 01:21:57 +00:00
Luke Granger-Brown
906f44cef3 cacert: port to use buildcatrust
This introduces the ability to have additional certificates in the trust
store using an override, similar to how the blacklist is done. If the
certificates are provided in OpenSSL TRUSTED CERTIFICATE form, then
those trust bits will be respected.

It also adds a p11-kit compatible trust store output.
2021-10-08 00:56:49 +00:00
ajs124
5a9b23f539 cacert: 3.66 -> 3.71 2021-09-30 21:16:26 +02:00
Sandro Jäckel
419a0f39ac
cacert: convert to pname + version, format, cleanup 2021-07-30 15:10:52 +02:00
Robert Hensing
5d57104d84 cacert: Add Haskell x509-system compatibility
This allows cacert to be used with Haskell-based fetchers like
you would with regular OpenSSL-based fetchers:

  buildInputs = [ cacert ];
2021-07-08 19:27:09 +02:00
ajs124
e579e93b65 cacert: 3.63 -> 3.66
mozilla says this is CA version 2.50, up from 2.48 in nss 3.63
2021-06-01 23:12:06 +02:00
Andreas Rammhold
4e318bcca1
cacerts: Make updater script aware of the nss_latest attribute
Usually, on the stable channel, we have a nss_latest attribute that is
more up to date than the nss attribute (which is usually frozen during
branch-off and only receives security updates). Cacerts are a sensitive
matter and should be updated more frequently than the stable NSS package,
if required. By making the update script aware of the nss_latest
attribute we can prefer that when it exists.

By having this change in the unstable branch of Nixpgks we can carry it
from release to release without requiring more churn from those doing
the stable release maintenance.
2021-05-30 17:01:33 +02:00
github-actions[bot]
636e58e31b
Merge staging-next into staging 2021-04-02 00:21:46 +00:00
Vladimír Čunát
10cb065706
cacert: fix fetchurl invocation
It was breaking probably just the tarball job (difficult to localize).
https://hydra.nixos.org/build/140479925
2021-04-01 22:18:02 +02:00
ajs124
8dbc855b49 cacert: 3.60 -> 3.63 2021-03-20 16:42:40 +01:00
Dmitry Kalinkin
11ae139333 cacert.certdata2pem: add a download mirror from ubuntu 2021-03-20 09:11:48 +01:00
Dmitry Kalinkin
62d332feaf cacert: refactor to put certdata2pem on tarballs.nixos.org
nix-instantiate --eval --json --strict ./maintainers/scripts/find-tarballs.nix --arg expr '(import ./. {}).cacert' 2>/dev/null | jq '.[].name' | grep cert
"certdata2pem.py"
2021-03-20 09:11:48 +01:00
Ben Siraphob
4eb185bd6a pkgs/data: stdenv.lib -> lib 2021-01-15 14:29:18 +07:00
ajs124
11d6355308 cacert: 3.57 -> 3.60 2020-12-17 07:31:34 +01:00
Luke Granger-Brown
87f4676492 cacert: add lukegb as maintainer 2020-12-01 17:55:59 +00:00
Andreas Rammhold
17b1bde9c5
cacert: add myself as maintainer 2020-12-01 17:51:05 +01:00
Luke Granger-Brown
b28436a7e9 cacert: remove broken includeEmail option
This doesn't do anything. Building with includeEmail = true produces
the same set as includeEmail = false, and the substitute rule removes
a random dictionary index operation.
2020-12-01 15:54:58 +00:00
Luke Granger-Brown
b1f9e9c259 cacert: fix blacklist
It's broken under Python 3, ironically due to the patch we're carrying.
Fix it, and add a test to check it works.

Fixes #93230.
2020-12-01 15:54:58 +00:00
Andreas Rammhold
94448baf6d
cacert: decouple from NSS to reduce rebuild amount
In [#100765] @vcunat pointed out that we could decouple cacert from the
NSS package to make it more rebuild friendly. Just rebuilding packages
that depend on NSS seems to be about ~100. Rebuilding all the packages
that depend on cacert is >9k as of this writing. This makes it much more
feasible to upgrade high-profile packages that are (rightfully) pedantic
on their NSS version like firefox and thunderbird.

[#100765]: https://github.com/NixOS/nixpkgs/pull/100765
2020-11-18 20:13:22 +01:00
Markus Kowalewski
3ddeb521d8
nss-cacert: add license 2020-06-27 00:54:50 +02:00
Michael Reilly
84cf00f980
treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
Jan Tojnar
3a8d826723
cacert: switch to python3 2019-12-15 01:50:34 +01:00
Matthew Bauer
f7e4eeda6c
Merge pull request #68614 from nspin/pr/simplify-cacert-setup-hook
cacert: simplify setupHook
2019-09-20 17:59:34 -04:00
Nick Spinale
e7ede726ba cacert: simplify setupHook
Triggering this setupHook for dependencies at targetOffset does not work
in cross-compilation cases where such a dependency is lacking. This
simplified setupHook is more robust.
2019-09-12 20:14:47 +00:00
volth
08f68313a4 treewide: remove redundant rec 2019-08-28 11:07:32 +00:00
Vladimír Čunát
79bd4ad579
stdenv, cacert: consider $NIX_SSL_CERT_FILE in hooks
Some SSL libs don't react to $SSL_CERT_FILE.
That actually makes sense to me, as we add this behavior
as nixpkgs-specific, so it seems "safer" to use $NIX_*.
2019-05-09 08:46:22 +02:00
Jörg Thalheim
b5c1deca8a
treewide: remove wkennington as maintainer
He prefers to contribute to his own nixpkgs fork triton.
Since he is still marked as maintainer in many packages
this leaves the wrong impression he still maintains those.
2019-01-26 10:05:32 +00:00
volth
52f53c69ce pkgs/*: remove unreferenced function arguments 2018-07-21 02:48:04 +00:00
Chaz Schlarp
933d7f37ac
cacert: fix certdata2pem url
Related to #39927

```
$ nix-prefetch-url https://salsa.debian.org/debian/ca-certificates/raw/debian/20170717/mozilla/certdata2pem.py
path is '/nix/store/0d00axdac4h8ffxrf90s5zh8xdw3r29z-certdata2pem.py'
1d4q27j1gss0186a5m8bs5dk786w07ccyq0qi6xmd2zr1a8q16wy
```
2018-06-01 17:56:53 -07:00
Michael Raskin
c940d2e1ac
Merge pull request #37158 from oxij/pkgs/tor-browsers
update tor browsers
2018-03-16 18:06:50 +00:00
taku0
16ee6b5ed9 nss: 3.34.1 -> 3.35; cacert.certdata2pem: 20160104 -> 20170717 2018-03-16 03:42:09 +00:00
xeji
c9a1639e20 cacert: add output "unbundled"
which contains all certs, each in a separate file.
This output is not installed by default.
2018-02-25 23:48:54 +01:00
Daiderd Jordan
406e162884
cacert: use addEnvHooks 2018-01-07 21:25:48 +01:00
Daiderd Jordan
bfccf8e42c
cacert: add hook that sets SSL_CERT_FILE
Fixes #32981
2017-12-27 21:03:29 +01:00