
crypto/x509: update bundled iOS roots #38843

Closed

FiloSottile opened this issue May 4, 2020 · 17 comments
Labels
NeedsFix okay-after-beta1 recurring release-blocker
Milestone

Comments

@FiloSottile
Contributor

@FiloSottile FiloSottile commented May 4, 2020

Before every release, ideally just before the freeze, we need to regenerate the iOS bundled roots.

This issue should not be closed but moved to the next milestone at each update.

The code generator currently parses an HTML table, but @sleevi pointed out the roots are published in the macOS/iOS sources, which is easier to process.

https://opensource.apple.com/source/security_certificates/security_certificates-55161.60.2/certificates/roots/

https://opensource.apple.com/tarballs/security_certificates/security_certificates-55161.60.2.tar.gz

The security_certificates version is available from the index text file, because all directory listings on opensource.apple.com are out of date. (Note how there currently is no security_certificates-55161.60.2 in https://opensource.apple.com/source/security_certificates/.)

https://opensource.apple.com/text/macos-10152.txt

@FiloSottile FiloSottile added NeedsFix release-blocker labels May 4, 2020
@FiloSottile FiloSottile added this to the Go1.15 milestone May 4, 2020
@sleevi

@sleevi sleevi commented May 4, 2020

Note: iOS and macOS, while sharing the same source tree (I think since iOS 8, if I remember my chronology correctly), can ship different versions of the store depending on when it was built. It can also be updated out of band of an OS release (e.g. via OTA), although I don't think they've done that.

Settings -> General -> About -> Certificate Trust Settings will show the Trust Store Version and the Trust Asset Version. Apple's CA/Browser Forum rep previously indicated plans to (eventually) make a machine-readable list of this that is easily consumable (and from which the HTML table is generated - e.g. like https://support.apple.com/en-us/HT210770, generated by https://opensource.apple.com/source/security_certificates/security_certificates-55161.60.2/CertificateTool/BuildiOSAsset/printroots.auto.html AIUI)

@FiloSottile
Contributor Author

@FiloSottile FiloSottile commented May 4, 2020

Good to know, we should probably pull the version from the latest iOS when updating, but Go will always be a little out of sync because our release cycles don't match.

@dmitshur dmitshur added the okay-after-beta1 label May 14, 2020
@toothrot toothrot removed the okay-after-beta1 label Jun 10, 2020
@toothrot
Contributor

@toothrot toothrot commented Jun 11, 2020

@FiloSottile Could you please either provide instructions or an update on the status of this for the Go 1.15 release?

@dmitshur
Contributor

@dmitshur dmitshur commented Jun 18, 2020

> please either provide instructions

I believe there are instructions in the original issue body. This might also be related to #38710, which I looked into recently. I can take a look here as well (if it's helpful).

@gopherbot

@gopherbot gopherbot commented Jun 23, 2020

Change https://golang.org/cl/239557 mentions this issue: crypto/x509: update bundled iOS roots and rewrite generator

gopherbot pushed a commit that referenced this issue Jun 24, 2020
Switched the generator to using the open source releases of the root
store rather than HTML parsing, while trying to emulate the sorting
algorithm of the table to reduce churn.

Updates #38843

Change-Id: I78608d245eabc2a35c2f98635ed5f1a531ad2ba8
Reviewed-on: https://go-review.googlesource.com/c/go/+/239557
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@dmitshur
Contributor

@dmitshur dmitshur commented Jun 24, 2020

@FiloSottile With CL 239557 submitted, should the milestone be updated to 1.16, or is there more to do here for 1.15?

@FiloSottile
Contributor Author

@FiloSottile FiloSottile commented Jun 24, 2020

All done for Go 1.15.

@FiloSottile FiloSottile removed this from the Go1.15 milestone Jun 24, 2020
@FiloSottile FiloSottile added this to the Go1.16 milestone Jun 24, 2020
@andybons andybons added the recurring label Jul 30, 2020
@gopherbot

@gopherbot gopherbot commented Oct 30, 2020

Change https://golang.org/cl/266677 mentions this issue: crypto/x509: update iOS bundled roots to version 55161.140.3

gopherbot pushed a commit that referenced this issue Nov 9, 2020
Extended the sorting logic to be stable even when there are two roots
with the same name and notBefore timestamp, like the GlobalSign ones.

Updates #38843

Change-Id: Ie4db0bb8b6a8b5ffbb7390b6bd527fc0c3badaca
Reviewed-on: https://go-review.googlesource.com/c/go/+/266677
Reviewed-by: Katie Hockman <katie@golang.org>
Trust: Filippo Valsorda <filippo@golang.org>
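A generator of the shape the issue body and the CL 239557 / CL 266677 commit messages describe, written here as an added example; it is not the Go project's generator and not code from this thread. It parses DER roots as they sit in the tarball's certificates/roots/ directory, sorts them by subject CN, then NotBefore, then SHA-256 fingerprint so that two roots with the same name and timestamp (the GlobalSign case above) still land in one deterministic order, and renders a PEM bundle with a comment header per root. The three-level sort key, the header format, the function names and the self-signed demo roots built by makeSelfSigned are my assumptions, not the project's.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// rootEntry is one root as read from the store, e.g. a DER file under the
// certificates/roots/ directory of a security_certificates tarball.
type rootEntry struct {
	Cert *x509.Certificate
	DER  []byte
	FP   [32]byte // SHA-256 of the DER; the final sort tie-breaker
}

// parseRoot parses one DER-encoded certificate.
func parseRoot(der []byte) (*rootEntry, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &rootEntry{Cert: cert, DER: der, FP: sha256.Sum256(der)}, nil
}

// sortRoots orders by subject CN, then NotBefore, then SHA-256 fingerprint
// (assumed key), so output is stable even when name and NotBefore collide.
func sortRoots(roots []*rootEntry) {
	sort.SliceStable(roots, func(i, j int) bool {
		a, b := roots[i], roots[j]
		if a.Cert.Subject.CommonName != b.Cert.Subject.CommonName {
			return a.Cert.Subject.CommonName < b.Cert.Subject.CommonName
		}
		if !a.Cert.NotBefore.Equal(b.Cert.NotBefore) {
			return a.Cert.NotBefore.Before(b.Cert.NotBefore)
		}
		return bytes.Compare(a.FP[:], b.FP[:]) < 0
	})
}

// renderBundle emits the roots as concatenated PEM with a comment header per
// root; PEM decoders ignore lines outside BEGIN/END, so the headers are safe.
func renderBundle(roots []*rootEntry) string {
	var buf bytes.Buffer
	for _, r := range roots {
		fmt.Fprintf(&buf, "# %q\n# NotBefore: %s\n# SHA256: %x\n",
			r.Cert.Subject.CommonName, r.Cert.NotBefore.UTC().Format(time.RFC3339), r.FP)
		pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: r.DER})
	}
	return buf.String()
}

// makeSelfSigned builds a constructed self-signed CA certificate as demo
// input; it is not an Apple root.
func makeSelfSigned(cn string, notBefore time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	ts := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	var roots []*rootEntry
	for _, cn := range []string{"Example Root B", "Example Root A", "Example Root A"} {
		r, err := parseRoot(makeSelfSigned(cn, ts))
		if err != nil {
			panic(err)
		}
		roots = append(roots, r)
	}
	sortRoots(roots)
	fmt.Print(renderBundle(roots))
}
```

Run as-is it prints the bundle for three constructed roots, two of which share a CN and NotBefore so the fingerprint tie-breaker is exercised. For a real regeneration you would feed parseRoot each file from the tarball's roots directory and then diff the rendered bundle against the previously committed one by fingerprint, so that every added or removed root shows up explicitly in review rather than being hidden by reordering churn.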
@dmitshur
Contributor

@dmitshur dmitshur commented Nov 9, 2020

@FiloSottile Now that CL 266677 is submitted, is there more to do before this can be moved to the Go 1.17 milestone?

@FiloSottile
Contributor Author

@FiloSottile FiloSottile commented Nov 9, 2020

I think we should do a late-cycle update too. They are very low-risk, and it's good to be as in sync as possible.

@dmitshur
Contributor

@dmitshur dmitshur commented Nov 9, 2020

Sounds good. Please apply the okay-after-beta1 label if the late-cycle update doesn't need to block the release of Go 1.16 Beta 1.

@FiloSottile FiloSottile added the okay-after-beta1 label Nov 9, 2020
@toothrot toothrot removed the okay-after-beta1 label Dec 17, 2020
@gopherbot

@gopherbot gopherbot commented Jan 15, 2021

Change https://golang.org/cl/284134 mentions this issue: crypto/x509: update iOS bundled roots to version 55188.40.9

gopherbot pushed a commit that referenced this issue Jan 15, 2021
Updates #38843

Change-Id: If76844e1caf23f98d814de89f77610de59d96a34
Reviewed-on: https://go-review.googlesource.com/c/go/+/284134
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@cagedmantis
Contributor

@cagedmantis cagedmantis commented Jan 15, 2021

Should this issue be moved to the Go1.17 milestone or is there another update slated?

@FiloSottile
Contributor Author

@FiloSottile FiloSottile commented Jan 15, 2021

All done for Go 1.16!

@FiloSottile FiloSottile removed this from the Go1.16 milestone Jan 15, 2021
@FiloSottile FiloSottile added this to the Go1.17 milestone Jan 15, 2021
@rolandshoemaker
Member

@rolandshoemaker rolandshoemaker commented Apr 29, 2021

Checked to see if there were any updates before the freeze and it looks like nothing has changed since 1.16. Will re-check before the RC.

@dmitshur dmitshur added the okay-after-beta1 label Apr 29, 2021
@heschi heschi removed the okay-after-beta1 label Jun 10, 2021
@gopherbot

@gopherbot gopherbot commented Jul 26, 2021

Change https://golang.org/cl/337329 mentions this issue: crypto/x509: update iOS bundled roots to version 55188.120.1.0.1

gopherbot pushed a commit that referenced this issue Jul 26, 2021
Updates #38843.

Change-Id: I6e003ed03cd13d8ecf86ce05ab0e11c47e271c0b
Reviewed-on: https://go-review.googlesource.com/c/go/+/337329
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
@FiloSottile FiloSottile removed this from the Go1.17 milestone Jul 27, 2021
@FiloSottile FiloSottile added this to the Go1.18 milestone Jul 27, 2021
steeve pushed a commit to znly/go that referenced this issue Aug 19, 2021
Updates golang#38843.

Change-Id: I6e003ed03cd13d8ecf86ce05ab0e11c47e271c0b
Reviewed-on: https://go-review.googlesource.com/c/go/+/337329
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
@dmitshur dmitshur added the okay-after-beta1 label Oct 20, 2021
@gopherbot

@gopherbot gopherbot commented Nov 5, 2021

Change https://golang.org/cl/353403 mentions this issue: crypto/x509: use the platform verifier on iOS
