crypto/x509: update bundled iOS roots #38843

Open
FiloSottile opened this issue May 4, 2020 · 7 comments

FiloSottile (Member) commented May 4, 2020

Before every release, ideally just before the freeze, we need to regenerate the iOS bundled roots.

This issue should not be closed but moved to the next milestone at each update.


The code generator currently parses an HTML table, but @sleevi pointed out the roots are published in the macOS/iOS sources, which is easier to process.

https://opensource.apple.com/source/security_certificates/security_certificates-55161.60.2/certificates/roots/

https://opensource.apple.com/tarballs/security_certificates/security_certificates-55161.60.2.tar.gz

The security_certificates version is available from the index text file, because all directory listings on opensource.apple.com are out of date. (Note how there currently is no security_certificates-55161.60.2 in https://opensource.apple.com/source/security_certificates/.)

https://opensource.apple.com/text/macos-10152.txt

@FiloSottile FiloSottile added this to the Go1.15 milestone May 4, 2020
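The directory-based approach the issue body proposes, reading the root certificates from Apple's open-source security_certificates tree instead of scraping the HTML table, as an added Go example. This is not the Go project's own generator and nothing here is taken from it; it assumes the roots/ directory holds one DER-encoded certificate per file (an assumption about the tarball layout), the output format (a `#` comment header with subject CN and SHA-256 fingerprint above each PEM block) is this example's own choice, and the certificates it writes into a temporary directory are constructed test input, not Apple roots.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// Root is one trust anchor read from the roots/ directory.
type Root struct {
	Subject     string // subject CN, the primary sort key
	Fingerprint string // hex SHA-256 of the DER certificate
	DER         []byte
}

// LoadRoots parses every file in dir as a DER certificate (assumed layout of
// Apple's roots/ directory), requires each to be a self-signed CA, de-duplicates
// by fingerprint and sorts by subject CN then fingerprint so regeneration yields
// a stable diff. Unexpected input is an error, never skipped: silently dropping
// a file is how a trust store changes without anyone noticing.
func LoadRoots(dir string) ([]Root, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	seen := make(map[string]bool)
	var roots []Root
	for _, e := range entries {
		der, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", e.Name(), err)
		}
		// Roots are trusted by identity, not by their self-signature (Go never
		// verifies it; many legacy roots are SHA-1 signed), so check structure.
		if !cert.BasicConstraintsValid || !cert.IsCA || !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
			return nil, fmt.Errorf("%s: not a self-signed CA certificate", e.Name())
		}
		fp := fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
		if seen[fp] {
			continue // the same certificate shipped under two file names
		}
		seen[fp] = true
		roots = append(roots, Root{cert.Subject.CommonName, fp, cert.Raw})
	}
	sort.Slice(roots, func(i, j int) bool {
		a, b := roots[i], roots[j]
		return a.Subject < b.Subject || a.Subject == b.Subject && a.Fingerprint < b.Fingerprint
	})
	return roots, nil
}

// makeTestCert builds a throwaway self-signed ECDSA certificate (constructed
// input for this example, not an Apple root) so the generator runs offline.
func makeTestCert(cn string, isCA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	dir, _ := os.MkdirTemp("", "roots")
	defer os.RemoveAll(dir)
	for _, cn := range []string{"Example Root CA 2", "Example Root CA 1"} {
		der, _ := makeTestCert(cn, true)
		os.WriteFile(filepath.Join(dir, cn+".cer"), der, 0o644)
	}
	roots, err := LoadRoots(dir)
	if err != nil {
		panic(err)
	}
	// Emit the bundle with a comment header per root, ready to embed in Go.
	for _, r := range roots {
		fmt.Printf("# %q\n# SHA-256: %s\n", r.Subject, r.Fingerprint)
		pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: r.DER})
	}
}
```

Two design points worth keeping in any such generator: it fails closed (an unparsable file or a non-root certificate aborts the run instead of being skipped, so a surprise in the upstream tree is noticed rather than shipped), and the sort key is derived from certificate content rather than directory order, so a regenerated bundle diffs cleanly against the previous one. The self-signed check is structural (CA basic constraint, issuer equal to subject) on purpose: the root's own signature is never what makes it trusted, and verifying it would reject the SHA-1-signed legacy roots that still exist.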
sleevi commented May 4, 2020

Note: iOS and macOS, while sharing the same source tree (I think since iOS 8, if I remember my chronology correctly), can ship different versions of the store depending on when it was built. It can also be updated out of band of an OS release (e.g. via OTA), although I don't think they've done that.

Settings -> General -> About -> Certificate Trust Settings will show the Trust Store Version and the Trust Asset Version. Apple's CA/Browser Forum rep previously indicated plans to (eventually) make a machine-readable list of this that is easily consumable (and from which the HTML table is generated - e.g. like https://support.apple.com/en-us/HT210770, generated by https://opensource.apple.com/source/security_certificates/security_certificates-55161.60.2/CertificateTool/BuildiOSAsset/printroots.auto.html AIUI)

FiloSottile (Member, Author) commented May 4, 2020

Good to know, we should probably pull the version from the latest iOS when updating, but Go will always be a little out of sync because our release cycles don't match.

toothrot (Contributor) commented Jun 11, 2020

@FiloSottile Could you please either provide instructions or an update on the status of this for the Go 1.15 release?

dmitshur (Member) commented Jun 18, 2020

> please either provide instructions

I believe there are instructions in the original issue body. This might also be related to #38710, which I looked into recently. I can take a look here as well (if it's helpful).

gopherbot commented Jun 23, 2020

Change https://golang.org/cl/239557 mentions this issue: crypto/x509: update bundled iOS roots and rewrite generator

gopherbot pushed a commit that referenced this issue Jun 24, 2020
Switched the generator to using the open source releases of the root
store rather than HTML parsing, while trying to emulate the sorting
algorithm of the table to reduce churn.

Updates #38843

Change-Id: I78608d245eabc2a35c2f98635ed5f1a531ad2ba8
Reviewed-on: https://go-review.googlesource.com/c/go/+/239557
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
dmitshur (Member) commented Jun 24, 2020

@FiloSottile With CL 239557 submitted, should the milestone be updated to 1.16, or is there more to do here for 1.15?

FiloSottile (Member, Author) commented Jun 24, 2020

All done for Go 1.15.

@FiloSottile FiloSottile modified the milestones: Go1.15, Go1.16 Jun 24, 2020