Features/SharedSystemCertificates:SubTasks

Done items:

• prepare NSS for alternatives links (Bug 915818)
• ship p11-kit with trust module

TODO

• ship new ca-certificates
  • must conflict with older p11-kit (new ca-cert needs new p11-kit)

Facts:

• system-manage scripts cannot be in p11-kit, because of multilib.
• system-manage scripts will be in ca-certificates.NOARCH

Decisions needed:

• exact path for 2 input directories. proposal:
  • /usr/share/pki/ca-trust-intake/
  • /etc/pki/ca-trust/intake/
• parent path for extracted output. proposal:
  • /etc/pki/ca-trust/toolkits/[openssl|gnutls]
• exact path for extractex directories, proposal:

/etc/pki/ca-trust/toolkits/openssl/ /etc/pki/ca-trust/toolkits/openssl/tls-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/openssl/email-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/openssl/objsign-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/openssl/trust-bundle.pem /etc/pki/ca-trust/toolkits/openssl/trusted-hashed/ /etc/pki/ca-trust/toolkits/gnutls/tls-whitelist-bundle.pem -> ../openssl/tls-whitelist-bundle.pem /etc/pki/ca-trust/toolkits/java/cacerts

• for feature freeze:
  • java
  • gnutls == openssl classic bundle without trust
  • both openssl-directory and openssl-trust bundle?

Tasks for ca-certificates package:

• requires p11-kit
• use alternatives for symbolic links? NO
• it writes to a filename in /usr/share/ - only the trust bundle, not the old bundle
• installs symlinks to generated files
• makes backups of old bundles in .rpmsave backup files (in %pre script)
• calls "p11-kit extract" at install time (in %post script) to create sub-bundle at install time
• must have re-generate command/script in ca-certificates before feature freeze

• which tool/script defines the output directory?
  • ca-certificates generation script
  • same package contains READMEs (no PEM headers there)
  • use chmod -w for output dirs ? Make it work.
  • in Readme file, document that
    • files in intake directory without trust = TLS trust only
    • explains that all files inside here are automatically generated by "{tool}", manual changes are not allowed and will be overwritten
    • mention that NSS loads p11-kit-trust.so which directly reads "input"

Tasks for p11-kit:

• must have Conflicts: nss < first-version-with-alternatives-symlink
• must use update-alternatives in %post and %postun scripts, priority 30
• currently uses only the non-trust file as input
• must change p11-kit to use both /usr/share/ and /etc/ TRUST-BUNDLES by monday
• later: fix priorities (/usr low priority, /etc high priority)
• fact (document?): p11-trust ignores all unknown files, ignores subdirs