p11-kit trust module on Debian and OpenSUSE
ludwig.nussel at suse.de
Wed Jun 19 23:39:23 PDT 2013
Stef Walter wrote:
> On 12.06.2013 13:51, Ludwig Nussel wrote:
>> What is the native way to blacklist stuff in p11-kit?
> p11-kit-trust module loads from directories specified in
> --with-trust-paths during ./configure. For example, one might have;
> /usr/share/pki/trust (for files installed by rpms)
> /etc/pki/trust (for files added by admins)
Talking about path names... It looks like there are several variants. I see
that Fedora went ahead with using /etc/pki/ca-trust/source and
/usr/share/pki/ca-trust-source. The p11-kit documentation refers to
/usr/share/p11-kit/trust. So far we put the certificates in
/usr/share/ca-certificates but there is no need to stick to that.
What's wrong with /usr/share/pki/trust that Fedora didn't use it?
>> Maybe it's
>> possible to do a one-shot conversion of ca-certificates.conf in some
>> %post script?
> I had imagined that ca-certificates.conf was a cross distro standard,
> and so was willing to support it directly in p11-kit. But if it is
> fragmented, then it does make more sense to move away from it.
> So the %post script would look for any certificates blacklisted, and
> move them into the appropriate /etc/pki/trust/blacklist/ subdirectory.
I've prepared the openSUSE package for that method now by putting
symlinks to the certificates in the blacklist directory. However,
p11-kit outputs some annoying warnings about duplicate certificates if I
Also, when using the ordering of /usr vs /etc like in the docu
blacklist symlink in /etc apparently has no effect on certificates that
come from /usr!?
> In addition it would move stuff from /usr/share/local/ca-certificates
> into /etc/pki/trust/anchors/
It's better to not touch /usr/local in packages. It's admin space and
might be mounted via nfs etc. So I'd just ignore /usr/local.
(o_ Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
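The one-shot %post conversion discussed above, as an added example: this is not code from the thread, from p11-kit, or from the openSUSE package. It assumes the Debian/openSUSE ca-certificates.conf convention that a line prefixed with `!` names a deselected certificate relative to the certificate directory, and it takes the source and blacklist directories as parameters rather than hard-coding any of the path variants being debated. The demo tree and certificate files are constructed stand-ins, not real certificates.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from p11-kit.
# Converts the "!" (deselected) entries of a ca-certificates.conf into
# symlinks in a p11-kit trust blacklist directory, the way a package
# %post script might do it once. Assumptions: CONF uses the Debian-style
# format, CERTDIR is the directory the entries are relative to, and
# BLACKLISTDIR is the directory p11-kit-trust was configured to read.

# convert_blacklist CONF CERTDIR BLACKLISTDIR
# Creates one symlink per deselected certificate and prints how many
# new symlinks were made. Re-running is safe: existing links are kept.
convert_blacklist() {
    conf=$1; certdir=$2; blacklistdir=$3
    count=0
    mkdir -p "$blacklistdir" || return 1
    # '|| [ -n "$line" ]' also handles a last line without a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '!'*)
                rel=${line#!}
                src="$certdir/$rel"
                dest="$blacklistdir/$(basename "$rel")"
                if [ -f "$src" ]; then
                    if [ ! -L "$dest" ]; then
                        ln -s "$src" "$dest" || return 1
                        count=$((count + 1))
                    fi
                else
                    # Stale entry: the admin deselected a file that is gone.
                    echo "warning: $src listed in $conf but missing" >&2
                fi
                ;;
            ''|'#'*) ;;   # blank lines and comments
            *) ;;         # enabled certificate: nothing to do
        esac
    done < "$conf"
    echo "$count"
}

# Constructed demo data standing in for /usr/share/ca-certificates and a
# blacklist directory; the files are placeholders, not certificates.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/certs/mozilla" "$tmp/certs/local"
    printf 'placeholder A\n' > "$tmp/certs/mozilla/Good_CA.crt"
    printf 'placeholder B\n' > "$tmp/certs/mozilla/Bad_CA.crt"
    printf 'placeholder C\n' > "$tmp/certs/local/Also_Bad.crt"
    cat > "$tmp/ca-certificates.conf" <<'EOF'
# constructed ca-certificates.conf
mozilla/Good_CA.crt
!mozilla/Bad_CA.crt
!local/Also_Bad.crt
!mozilla/Missing.crt
EOF
    echo "symlinks created: $(convert_blacklist "$tmp/ca-certificates.conf" "$tmp/certs" "$tmp/blacklist")"
    ls -l "$tmp/blacklist"
}

demo
```

The script only links by file name, so two deselected certificates with the same basename in different subdirectories would collide; a real %post would want to detect that before shipping. Whether a link placed under /etc actually overrides a certificate shipped under /usr is exactly the ordering question raised in the message above, and this conversion does not settle it.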