Merge branch 'fasttrack/2.0' into kanbansal/python-jinja2/2.0-CVEs

microsoft · Jan 7, 2025 · 578879b · 578879b
2 parents 52230d0 + b94dca4
commit 578879b
Show file tree

Hide file tree

Showing 29 changed files with 598 additions and 62 deletions.
diff --git a/.github/workflows/check-entangled-specs.yml b/.github/workflows/check-entangled-specs.yml
@@ -25,10 +25,10 @@ jobs:
         uses: actions/checkout@v4
 
       # For consistency, we use the same major/minor version of Python that CBL-Mariner ships
-      - name: Setup Python 3.7
+      - name: Setup Python 3.9
         uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.9
 
       - name: Get Python dependencies
         run: python3 -m pip install -r toolkit/scripts/requirements.txt

diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml
@@ -62,10 +62,10 @@ jobs:
           path: 'spec-cleaner'
 
       # For consistency, we use the same major/minor version of Python that CBL-Mariner ships
-      - name: Setup Python 3.7
+      - name: Setup Python 3.9
         uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.9
 
       # We take our version of the linting tool from the master branch to ensure rules
       # are consistent across all branches

diff --git a/SPECS/ca-certificates/ca-certificates.signatures.json b/SPECS/ca-certificates/ca-certificates.signatures.json
@@ -11,6 +11,7 @@
     "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
     "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
     "certdata.base.txt": "771a6c9995ea00bb4ce50fd842a252454fe9b26acad8b0568a1055207442db57",
+    "certdata.distrusted.txt": "93aebf0f1e5253ed91fe269f7128fdb8b20630ef19558f629c79a8b7eb0ba30d",
     "certdata.microsoft.txt": "1707ab328312f4ecce167a886e866136b46d7f979a01cc6f9e4afd042174babd",
     "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
     "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",

diff --git a/SPECS/ca-certificates/ca-certificates.spec b/SPECS/ca-certificates/ca-certificates.spec
@@ -6,6 +6,8 @@
 
 %define p11_format_base_bundle ca-bundle.trust.base.p11-kit
 
+%define p11_format_distrusted_bundle ca-bundle.trust.distrusted.p11-kit
+
 %define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit
 
 # List of packages triggering legacy certs generation if 'ca-certificates-legacy'
@@ -45,7 +47,7 @@ Name:           ca-certificates
 # When updating, "Epoch, "Version", AND "Release" tags must be updated in the "prebuilt-ca-certificates*" packages as well.
 Epoch:          1
 Version:        2.0.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,6 +71,8 @@ Source21:       certdata.base.txt
 Source22:       bundle2pem.sh
 # The certdata.microsoft.txt is provided by Microsoft's Trusted Root Program.
 Source23:       certdata.microsoft.txt
+# The certdata.distrusted.txt is provided by Microsoft's Trusted Root Program.
+Source24:       certdata.distrusted.txt
 
 BuildRequires:  /bin/ln
 BuildRequires:  asciidoc
@@ -91,7 +95,7 @@ Provides:       ca-certificates-mozilla = %{version}-%{release}
 BuildArch:      noarch
 
 %description
-The Public Key Inrastructure is used for many security issues in
+The Public Key Infrastructure is used for many security issues in
 a Linux system. In order for a certificate to be trusted, it must be
 signed by a trusted agent called a Certificate Authority (CA).
 The certificates loaded by this section are from the list of CAs trusted
@@ -146,6 +150,7 @@ cp -p %{SOURCE20} .
 
 %convert_certdata %{SOURCE21}
 %convert_certdata %{SOURCE23}
+%convert_certdata %{SOURCE24}
 
 #manpage
 cp %{SOURCE10} %{name}/update-ca-trust.8.txt
@@ -186,6 +191,9 @@ install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README
 # Microsoft certs
 %install_bundles %{SOURCE23} %{p11_format_microsoft_bundle}
 
+# Distrusted certs
+%install_bundles %{SOURCE24} %{p11_format_distrusted_bundle}
+
 # TODO: consider to dynamically create the update-ca-trust script from within
 #       this .spec file, in order to have the output file+directory names at once place only.
 install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust
@@ -257,13 +265,16 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle}
 
 %files
+%defattr(-,root,root)
 # Microsoft certs bundle file with trust
 %{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle}
 
 %files base
+%defattr(-,root,root)
 %{_datadir}/pki/ca-trust-source/%{p11_format_base_bundle}
 
 %files shared
+%defattr(-,root,root)
 %license LICENSE
 
 # symlinks for old locations
@@ -307,6 +318,9 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
 
+# Distrusted CAs
+%{_datadir}/pki/ca-trust-source/%{p11_format_distrusted_bundle}
+
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
@@ -315,15 +329,21 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
 
 %files tools
+%defattr(-,root,root)
 # update/extract tool
 %{_bindir}/update-ca-trust
 
 %{_mandir}/man8/update-ca-trust.8.gz
 
 %files legacy
+%defattr(-,root,root)
 %{_bindir}/bundle2pem.sh
 
 %changelog
+* Wed Dec 11 2024 Pawel Winogrodzki <[email protected]> - 2.0.0-19
+- Update adding Microsoft distrusted CAs.
+- Explicitly set default file ownership to root:root.
+
 * Fri Aug 09 2024 CBL-Mariner Servicing Account <[email protected]> - 2.0.0-18
 - Updating Microsoft trusted root CAs.