Skip to content

[dev] ca-certificates: removing Mozilla CAs in favour of Microsoft ones#1437

Merged
PawelWMS merged 17 commits intomicrosoft:devfrom
PawelWMS:pawelwi/removing_mozilla_certs
Oct 7, 2021
Merged

[dev] ca-certificates: removing Mozilla CAs in favour of Microsoft ones#1437
PawelWMS merged 17 commits intomicrosoft:devfrom
PawelWMS:pawelwi/removing_mozilla_certs

Conversation

@PawelWMS
Copy link
Copy Markdown
Contributor

@PawelWMS PawelWMS commented Sep 23, 2021
edited
Loading

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/tools/cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

Since we now received steady updates of trusted CAs from the Microsoft Trusted Root Program, we are retiring the Mozilla certificate bundle. The Microsoft bundle will now be installed with the default package and ca-certificates-microsoft will be available for backward compatibility through the Provides.

The PR also takes the latest changes from 1.0-dev and cleans up the spec a little by removing unused support for legacy entries inside the certdata.txt files.

Change Log
  • Merged latest changes from 1.0-dev.
  • Removed Mozilla trusted CAs.
  • Use CAs trusted by Microsoft in the default package.
  • Added the prebuilt-ca-certificates package similar to prebuilt-ca-certificates-base.
  • Removed support for legacy certdata.txt entries.
  • Removed the unused NSS header.
Does this affect the toolchain?

Yes.

Test Methodology
  • Local package build.
  • Installed new packages and verified I am still able to connect to PMC (with only ca-certificates-base) and known, non-Microsoft URLs (with ca-certificates).

@PawelWMS PawelWMS requested review from a team and jslobodzian September 23, 2021 21:43
jslobodzian
jslobodzian approved these changes Oct 7, 2021
View reviewed changes
Comment thread SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
@PawelWMS PawelWMS merged commit 514a5fc into microsoft:dev Oct 7, 2021
@PawelWMS PawelWMS deleted the pawelwi/removing_mozilla_certs branch October 7, 2021 19:51
@PawelWMS PawelWMS mentioned this pull request Oct 7, 2021
Merged
11 tasks
PawelWMS added a commit that referenced this pull request Oct 8, 2021
@PawelWMS
ca-certificates: removing Mozilla CAs in favour of Microsoft ones (…
307b8fc 
…CP of #1437) (#1502)
henryli001 pushed a commit that referenced this pull request Feb 25, 2022
@PawelWMS
[dev] ca-certificates: removing Mozilla CAs in favour of Microsoft …
6900cce 
…ones (#1437)
@jiasli jiasli mentioned this pull request Mar 31, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jslobodzian jslobodzian jslobodzian approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PawelWMS @jslobodzian