crypto/x509: update bundled iOS roots #38843
Before every release, ideally just before the freeze, we need to regenerate the iOS bundled roots.
This issue should not be closed but moved to the next milestone at each update.
The code generator currently parses an HTML table, but @sleevi pointed out the roots are published in the macOS/iOS sources, which is easier to process.
The security_certificates version is available from the index text file, because all directory listings on opensource.apple.com are out of date. (Note how there currently is no
Note: iOS and macOS, while sharing the same source tree (I think since iOS 8, if I remember my chronology correctly), can ship different versions of the store depending on when it was built. It can also be updated out of band of an OS release (e.g. via OTA), although I don't think they've done that.
Settings -> General -> About -> Certificate Trust Settings will show the Trust Store Version and the Trust Asset Version. Apple's CA/Browser Forum rep previously indicated plans to (eventually) make a machine-readable list of this that is easily consumable (and from which the HTML table is generated - e.g. like https://support.apple.com/en-us/HT210770 , generated by https://opensource.apple.com/source/security_certificates/security_certificates-55161.60.2/CertificateTool/BuildiOSAsset/printroots.auto.html AIUI)
Switched the generator to using the open source releases of the root store rather than HTML parsing, while trying to emulate the sorting algorithm of the table to reduce churn.

Updates #38843

Change-Id: I78608d245eabc2a35c2f98635ed5f1a531ad2ba8
Reviewed-on: https://go-review.googlesource.com/c/go/+/239557
Run-TryBot: Filippo Valsorda <firstname.lastname@example.org>
TryBot-Result: Gobot Gobot <email@example.com>
Reviewed-by: Dmitri Shuralyov <firstname.lastname@example.org>