Merge pull request #1589 from microsoft/joslobo/october-update

Merge from 1.0-dev for October Update
microsoft · Oct 27, 2021 · a87a3ac · a87a3ac
2 parents fcddfc5 + c86505d
commit a87a3ac
Show file tree

Hide file tree

Showing 119 changed files with 6,057 additions and 24,670 deletions.
diff --git a/.github/workflows/check_entangled_specs.py b/.github/workflows/check_entangled_specs.py
@@ -19,6 +19,7 @@
     ]),
     frozenset([
         "SPECS/ca-certificates/ca-certificates.spec",
+        "SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec",
         "SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec"
     ])
 ]

diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        5.10.64.1
-Release:        3%{?dist}
+Version:        5.10.74.1
+Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -147,6 +147,13 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %endif
 
 %changelog
+* Tue Oct 19 2021 Rachel Menge <[email protected]> - 5.10.74.1-1
+- Update source to 5.10.74.1
+- License verified
+
+* Thu Oct 07 2021 Rachel Menge <[email protected]> - 5.10.69.1-1
+- Update source to 5.10.69.1
+
 * Wed Sep 22 2021 Rachel Menge <[email protected]> - 5.10.64.1-3
 - Bump release number to match kernel release
 

diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json b/SPECS/LICENSES-AND-NOTICES/data/licenses.json
@@ -23,6 +23,7 @@
         "calamares",
         "catch",
         "checkpolicy",
+        "checksec",
         "chrony",
         "cmocka",
         "collectd",
@@ -36,6 +37,7 @@
         "docbook5-schemas",
         "dos2unix",
         "dpdk",
+        "dwarves",
         "ebtables",
         "extra-cmake-modules",
         "fipscheck",
@@ -149,6 +151,7 @@
         "bmon",
         "bond",
         "bpftrace",
+        "cassandra-cpp-driver",
         "ccache",
         "check-restart",
         "clamav",
@@ -182,6 +185,7 @@
         "libacvp",
         "libconfini",
         "libconfuse",
+        "libdivsufsort",
         "libiothsm-std",
         "libmaxminddb",
         "libuv",
@@ -208,6 +212,7 @@
         "perl-Test-Warnings",
         "perl-Text-Template",
         "pigz",
+        "prebuilt-ca-certificates",
         "prebuilt-ca-certificates-base",
         "python-cachetools",
         "python-cherrypy",

diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json
@@ -12,10 +12,8 @@
   "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
   "certdata.base.txt": "76c4cd1860b9a6f6ee9c2a0dcddcef46f65950b7ec12d2a7eeabeedca4e379f9",
   "certdata.microsoft.txt": "68736961bfab066c9e3d0edd23ede65fbe09650489b4cb64878cceb61db0d990",
-  "certdata.txt": "cc6408bd4be7fbfb8699bdb40ccb7f6de5780d681d87785ea362646e4dad5e8e",
-  "certdata2pem.py": "0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0",
-  "nssckbi.h": "9d916fe1586259d94632f186a736449e8344b8a18f7ac97253f13efc764d77ea",
-  "pem2bundle.sh": "79012e7fabf560c3b950349e500770a314006e5b330621a50147eeda11c633ea",
+  "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
+  "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
   "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
   "update-ca-trust": "0c0c0600587db7f59ba5e399666152ea6de6059f37408f3946c43438d607efdd",
   "update-ca-trust.8.txt": "2470551bd11cc393ddf4cf43cf101c29d9f308c15469ee5e78908cfcf2437579"

diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec
@@ -4,86 +4,52 @@
 %define openssl_format_trust_bundle ca-bundle.trust.crt
 %define java_bundle java/cacerts
 
-# Used only to simplify build scripts. Not present in any package.
-%define legacy_default_bundle ca-bundle.legacy.default.crt
-%define legacy_disable_bundle ca-bundle.legacy.disable.crt
-
-%define p11_format_mozilla_bundle ca-bundle.trust.mozilla.p11-kit
-%define legacy_default_mozilla_bundle ca-bundle.legacy.default.mozilla.crt
-%define legacy_disable_mozilla_bundle ca-bundle.legacy.disable.mozilla.crt
-
 %define p11_format_base_bundle ca-bundle.trust.base.p11-kit
-%define legacy_default_base_bundle ca-bundle.legacy.default.base.crt
-%define legacy_disable_base_bundle ca-bundle.legacy.disable.base.crt
 
 %define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit
-%define legacy_default_microsoft_bundle ca-bundle.legacy.default.microsoft.crt
-%define legacy_disable_microsoft_bundle ca-bundle.legacy.disable.microsoft.crt
 
 # List of packages triggering legacy certs generation if 'ca-certificates-legacy'
 # is installed.
-%global watched_pkgs %{name}, %{name}-base, %{name}-microsoft
+%global watched_pkgs %{name}, %{name}-base
 
 # Rebuilding cert bundles with source certificates.
 %global refresh_bundles \
 %{_bindir}/update-ca-trust
 
-# Converts certdata.txt files to p11-kit format bundles and legacy crt files.
+# Converts certdata.txt files to p11-kit format bundles.
 # Arguments:
 # %1 - the source certdata.txt file;
 %define convert_certdata() \
 WORKDIR=$(basename %{1}.d) \
-mkdir -p $WORKDIR/certs/legacy-default \
-mkdir $WORKDIR/certs/legacy-disable \
+mkdir -p $WORKDIR/certs \
 mkdir $WORKDIR/java \
 pushd $WORKDIR/certs \
  pwd $WORKDIR \
  cp %{1} certdata.txt \
  python3 %{SOURCE4} >c2p.log 2>c2p.err \
 popd \
-%{SOURCE19} $WORKDIR %{SOURCE1} %{openssl_format_trust_bundle} %{legacy_default_bundle} %{legacy_disable_bundle} %{SOURCE3}
+%{SOURCE19} $WORKDIR %{openssl_format_trust_bundle} %{SOURCE3}
 
 # Installs bundle files to the right directories.
 # Arguments:
 # %1 - the source certdata.txt file;
 # %2 - output p11-kit format bundle name;
-# %3 - output legacy default bundle name;
-# %4 - output legacy disabled bundle name;
 %define install_bundles() \
 WORKDIR=$(basename %{1}.d) \
 install -p -m 644 $WORKDIR/%{openssl_format_trust_bundle} %{buildroot}%{_datadir}/pki/ca-trust-source/%{2} \
-install -p -m 644 $WORKDIR/%{legacy_default_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{3} \
-install -p -m 644 $WORKDIR/%{legacy_disable_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{4} \
-touch -r %{SOURCE0} %{buildroot}%{_datadir}/pki/ca-trust-source/%{2} \
-touch -r %{SOURCE0} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{3} \
-touch -r %{SOURCE0} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{4}
+touch -r %{SOURCE23} %{buildroot}%{_datadir}/pki/ca-trust-source/%{2}
 
 Summary:        Certificate Authority certificates
 Name:           ca-certificates
-# The files, certdata.txt and nssckbi.h, should be taken from a released version of NSS, as published
-# at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/
-#
-# The versions that are used by the latest released version of
-# Mozilla Firefox should be available from:
-# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
-# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
-#
-# The most recent development versions of the files can be found at
-# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
-# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
-# (but these files might have not yet been released).
 
 # When updating, "Version" AND "Release" tags must be updated in the "prebuilt-ca-certificates" package as well.
 Version:        20200720
-Release:        18%{?dist}
+Release:        20%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Security
 URL:            https://hg.mozilla.org
-# Please always update both certdata.txt and nssckbi.h
-Source0:        https://hg.mozilla.org/releases/mozilla-release/raw-file/712412cb974c0392afe31fd9ce974b26ae3993c3/security/nss/lib/ckfw/builtins/certdata.txt
-Source1:        nssckbi.h
 Source2:        update-ca-trust
 Source3:        trust-fixes
 Source4:        certdata2pem.py
@@ -100,6 +66,7 @@ Source19:       pem2bundle.sh
 Source20:       LICENSE
 Source21:       certdata.base.txt
 Source22:       bundle2pem.sh
+# The certdata.microsoft.txt is provided by Microsoft's Trusted Root Program.
 Source23:       certdata.microsoft.txt
 
 BuildRequires:  /bin/ln
@@ -117,18 +84,19 @@ Requires(post): %{name}-tools = %{version}-%{release}
 Requires(post): coreutils
 Requires(postun): %{name}-tools = %{version}-%{release}
 
+Provides:       ca-certificates-microsoft = %{version}-%{release}
 Provides:       ca-certificates-mozilla = %{version}-%{release}
 
 BuildArch:      noarch
 
 %description
-The Public Key Inrastructure is used for many security issues in a
-Linux system. In order for a certificate to be trusted, it must be
-signed by a trusted agent called a Certificate Authority (CA). The
-certificates loaded by this section are from the list on the Mozilla
-version control system and formats it into a form used by
-OpenSSL-1.0.1e. The certificates can also be used by other applications
-either directly of indirectly through openssl.
+The Public Key Inrastructure is used for many security issues in
+a Linux system. In order for a certificate to be trusted, it must be
+signed by a trusted agent called a Certificate Authority (CA).
+The certificates loaded by this section are from the list of CAs trusted
+through the Microsoft Trusted Root Program and formats it into a form
+used by OpenSSL-1.0.1e. The certificates can also be used by other
+applications either directly of indirectly through OpenSSL.
 
 %package shared
 Summary:        A set of directories and files required by all certificate packages.
@@ -149,18 +117,6 @@ Requires(postun): %{name}-tools = %{version}-%{release}
 %description base
 %{summary}
 
-%package microsoft
-Summary:        A list of CAs trusted through the Microsoft Trusted Root Program.
-Group:          System Environment/Security
-
-Requires:       %{name}-shared = %{version}-%{release}
-Requires(post): %{name}-tools = %{version}-%{release}
-Requires(post): coreutils
-Requires(postun): %{name}-tools = %{version}-%{release}
-
-%description microsoft
-%{summary}
-
 %package tools
 Summary:        Cert generation tools.
 Group:          System Environment/Security
@@ -182,13 +138,11 @@ Provides a legacy version of ca-bundle.crt in the format of "[hash].0 -> [hash].
 pairs under %{pkidir}/tls/certs.
 
 %prep -q
-rm -rf %{name}
 mkdir %{name}
 
 %build
 cp -p %{SOURCE20} .
 
-%convert_certdata %{SOURCE0}
 %convert_certdata %{SOURCE21}
 %convert_certdata %{SOURCE23}
 
@@ -212,7 +166,6 @@ mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/edk2
 mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source
 mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source/anchors
 mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source/blacklist
-mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-legacy
 mkdir -p -m 755 %{buildroot}%{_bindir}
 mkdir -p -m 755 %{buildroot}%{_mandir}/man8
 
@@ -226,14 +179,11 @@ install -p -m 644 %{SOURCE16} %{buildroot}%{catrustdir}/extracted/pem/README
 install -p -m 644 %{SOURCE17} %{buildroot}%{catrustdir}/extracted/edk2/README
 install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README
 
-# Mozilla certs
-%install_bundles %{SOURCE0} %{p11_format_mozilla_bundle} %{legacy_default_mozilla_bundle} %{legacy_disable_mozilla_bundle}
-
 # base certs
-%install_bundles %{SOURCE21} %{p11_format_base_bundle} %{legacy_default_base_bundle} %{legacy_disable_base_bundle}
+%install_bundles %{SOURCE21} %{p11_format_base_bundle}
 
 # Microsoft certs
-%install_bundles %{SOURCE23} %{p11_format_microsoft_bundle} %{legacy_default_microsoft_bundle} %{legacy_disable_microsoft_bundle}
+%install_bundles %{SOURCE23} %{p11_format_microsoft_bundle}
 
 # TODO: consider to dynamically create the update-ca-trust script from within
 #       this .spec file, in order to have the output file+directory names at once place only.
@@ -274,18 +224,9 @@ ln -s %{catrustdir}/extracted/%{java_bundle} \
     %{buildroot}%{pkidir}/%{java_bundle}
 
 %post
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_default_mozilla_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_default_mozilla_bundle}
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_mozilla_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_disable_mozilla_bundle}
 %{refresh_bundles}
 
 %post base
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_default_base_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_default_base_bundle}
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_base_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_disable_base_bundle}
-%{refresh_bundles}
-
-%post microsoft
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_default_microsoft_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_default_microsoft_bundle}
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_microsoft_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_disable_microsoft_bundle}
 %{refresh_bundles}
 
 %postun
@@ -310,36 +251,12 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %triggerpostun -n %{name}-legacy -- %{watched_pkgs}
 %{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle}
 
-%postun microsoft
-%{refresh_bundles}
-
-%clean
-
-
 %files
-# Mozilla certs bundle file with trust
-%{_datadir}/pki/ca-trust-source/%{p11_format_mozilla_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_default_mozilla_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_mozilla_bundle}
-
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_default_mozilla_bundle}
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_disable_mozilla_bundle}
+# Microsoft certs bundle file with trust
+%{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle}
 
 %files base
 %{_datadir}/pki/ca-trust-source/%{p11_format_base_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_default_base_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_base_bundle}
-
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_default_base_bundle}
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_disable_base_bundle}
-
-%files microsoft
-%{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_default_microsoft_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_microsoft_bundle}
-
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_default_microsoft_bundle}
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_disable_microsoft_bundle}
 
 %files shared
 %license LICENSE
@@ -369,7 +286,6 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %dir %{_datadir}/pki/ca-trust-source
 %dir %{_datadir}/pki/ca-trust-source/anchors
 %dir %{_datadir}/pki/ca-trust-source/blacklist
-%dir %{_datadir}/pki/ca-trust-legacy
 %dir %{_sysconfdir}/ssl
 %dir %{catrustdir}
 %dir %{catrustdir}/extracted
@@ -401,6 +317,14 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh
 
 %changelog
+* Tue Oct 12 2021 Pawel Winogrodzki <[email protected]> - 20200720-20
+- Making 'Release' match with 'prebuilt-ca-certificates*'.
+
+* Thu Oct 07 2021 Pawel Winogrodzki <[email protected]> - 20200720-19
+- Removing Mozilla certs and making Microsoft's the default ones.
+- Removed support for legacy certdata.txt fields.
+- Removed the use of checked-in "nssckbi.h".
+
 * Mon Sep 13 2021 CBL-Mariner Service Account <[email protected]> - 20200720-18
 - Updating Microsoft trusted root CAs.