make-ca/CHANGELOG

115 lines
6.3 KiB
Plaintext
Raw Permalink Normal View History

1.13 - Update the certificate of the CA root of hg.mozilla.org. It seems
it has changed on September 19th, 2023.
1.12 - Remove extraneos output at end of downloaded certdata.txt file
- Work around bug in p11-kit trust extract that allows certificates
with nss-{email,server}-distust after attribute to enter downstream
trust bundles where this attribute is not honored.
1.11 - Ship certificate of the CA root of hg.mozilla.org and use it for
verification
2022-11-23 21:36:27 +05:30
- Update CS.txt (and update-mscertsign.sh)
1.10 - Use --filter=ca-anchors for all stores
2022-01-10 11:47:38 +05:30
- Update CS.txt (no changes since last update)
- Fix installation of systemd timers on non-systemd systems
2021-09-17 05:26:59 +05:30
1.9 - Guard overrides on first run to avoid error message
- Move dist files to /etc/make-ca
- Add distribution script to update CS.txt from CCADB
2021-08-30 10:02:18 +05:30
1.8.1 - Set defualt for code signing to off
1.8 - Use get_p11_label for certificate name in output when processing
local certificates
- Use "Subject:" line for get_p11_label()
- Use last OU= value for get_p11_label() fallback
2021-08-08 06:31:19 +05:30
- Fix several text issues in get_p11_label - Thanks to Michael Joost
- Omit x-certificate-extension in comparison for
copy-local-modifications
- Use X509v3 Key Usage section to determine local trust for anchors
added using 'trust anchor --store'
- Add nss-{server,email}-distrust-after values in anchors - requires
p11-kit >= 0.23.19
- Use --filter=certificates for all stores
- Fix output of NSSDB and Java PCKS#12 stores
- Correct incorrectly named get_p11_val()
- Use .p11-kit extension for anchors
- Handle getopt style short options in get_args()
- Use Microsoft's trust for code signing with -i | --mscodesign
Note: this is manually generated, will add CCADB when avaialble
- Backup and restore anchors with PKIX extensions
1.7 - Revert help2man update (requires complete perl environment)
1.6 - Fix install target for make -j#
2020-03-08 10:10:11 +05:30
- Add detailed dependency info and add note about configuration file
2020-03-08 10:11:51 +05:30
- Update help2man to 1.47.12
1.5 - Allow generation of all stores in alternate directory
1.4 - Revert change to use /usr/bin/update-ca-certifiates for systemd
service
1.3 - Added write_nss_db() and write_java_p12() functions to eliminate
duplicate code
- Corrected version string
- Remove unused variables saarg, csarg, and smarg in
get_trust_values() function
- Remove unused CERTLIST variable in copy-trust-modifications
- Fix syntax error in check_arg() function
- Correct STDERR redirection in multiple functions
- Redirect errors in copy-trust-modifications script
- Use update-ca-certificates for systemd service
1.2 - Use md5sum values for anchors.txt to detect p11-kit changes
- Added get_p11_label() function to get reliable label values
- Added get_trust_values(), get_p11_trust(), and write_anchor()
functions to eliminate duplicate code
- Fix certificate label in local certificates
- Changed default name of anchors list to use md5sums extension
- Added copy-trust-modifcations script for use by p11-kit
1.1 - Add anchorlist for use by p11-kit to utilize LOCALDIR
2018-12-02 03:37:58 +05:30
1.0 - Move bundle defaults to /etc/pki/tls/{certs,java}/
- Fix invalid test cases on command line processing
2018-12-02 03:35:08 +05:30
- Remove -c/--cadir flags, replace with -b/--bundledir to store
all bundles in same location
- Perform system installation of update service files
- Separate installation step for other consumers
- Install default configuration file
0.9 - Use P11-Kit trust module to generate alternate certificate stores
from trust policy
- Only generate the trust store (and optionally NSSDB and Java PKCS#12)
when using DESTDIR - you now must run the installed script as part of
2020-11-13 08:04:58 +05:30
your post-installation procedure, with P11-Kit trust available, to
generate the alternate certificate stores - only the trust store (and
optionally NSSDB and Java P12 stores) are distributed
2018-09-02 13:42:44 +05:30
- Added "Wants=network-online.target" to update-pki.service - Thanks to
Brendan L for the fix
- No longer generate Java p12 format cacerts by default
- No longer generate NSSDB store by default
0.8 - Use 'openssl rehash' instead of c-rehash script
0.7 - Generate both PKCS#12 and JKS stores for Java
- Local certs keep out of band trust when copied to system certs
- Remove use of .old files/directories
0.6 - Allow use of proxy with OpenSSL s_client
- Really check revision before download
- Make sure download was successful before testing values
0.5 - Install systemd timer and service units
- Add uninstall and clean targets
0.4 - Add email and code signing flat file certificate stores
0.3 - Generate single file stores (Java and GNUTLS) using main OpenSSL
store as source to avoid duplicates
0.2 - Install source certdata.txt file
- Provide -r/--rebuild option
- Add -g/--get option to download using only s_client
- Always add REVISION value to installed certdata.txt
- Use HG revision value (fall back to date for local files)
2017-09-23 03:07:00 +05:30
- Allow rebuid within DESTDIR
- Complete manpage
2017-09-19 11:08:45 +05:30
0.1 - Check executable bit for CERTUTIL, KEYTOOL, and OPENSSL
- Allow global configuration file
- Use correct license text (MIT)
20170425 - Use p11-kit format anchors
- Add CKA_NSS_MOZILLA_CA_POLICY attribute for p11-kit anchors
- Add clientAuth OpenSSL attribute and (currently unused) NSS
CKA_TRUST_CLIENT_AUTH
20170119 - Show trust bits on local certs
- Add version output for help2man
2020-11-13 08:04:58 +05:30
20161210 - Add note about --force switch when same version
20161126 - Add -D/--destdir switch
20161124 - Add -f/--force switch to bypass version check
2020-11-13 08:04:58 +05:30
- Add multiple switches to allow for alternate locations
- Add help text
20161118 - Drop make-cert.pl script
- Add support for Java and NSSDB