[3.0] Added 2 CAs to ca-certificates-base: 'Microsoft TLS RSA Root G2' and 'Microsoft TLS ECC Root G2'

[PawelWMS]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Standard maintenance. Microsoft release new public MSPKI G2 CAs, so I'm adding them to our ca-certificates-base package, so that authentication of any servers with certificates chaining to these CAs is successful.

Does this affect the toolchain?

Yes.

Test Methodology

• PR check build.

[CBL-Mariner-Bot]

✅ PR Check Passed

No critical issues detected in spec file changes.

🤖 AI Analysis Summary:

Brief Analysis:
The changes update the release version from 9 to 10 and add two new base CAs (“Microsoft TLS RSA Root G2” and “Microsoft TLS ECC Root G2”) by inserting the new certificate details into certdata.base.txt and updating the changelog accordingly.

Critical Issues Found:
No CVE-related patches or directives are referenced; no CVE patch file is missing.

Recommended Actions:
• Verify that the updated certificate hashes in ca-certificates.signatures.json match expected upstream values.
• Confirm that the new certificates’ details (fingerprints, validity, etc.) are correct and meet security policy requirements.
• Maintain changelog clarity but note that no CVE fixes are involved.

---

📋 For detailed analysis and recommendations, check the Azure DevOps pipeline logs.