Page MenuHomeFreeBSD
Differential D56617

certctl: Unstickify (un)trusted certificates
ClosedPublic
Actions

Authored by des on Apr 24 2026, 12:21 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, May 26, 10:21 AM
Unknown Object (File)
Tue, May 26, 10:13 AM
Unknown Object (File)
Tue, May 26, 7:51 AM
Unknown Object (File)
Tue, May 26, 12:50 AM
Unknown Object (File)
Mon, May 25, 8:29 AM
Unknown Object (File)
Mon, May 25, 8:21 AM
Unknown Object (File)
Mon, May 25, 1:02 AM
Unknown Object (File)
Mon, May 25, 1:00 AM
View All 70 Files
Subscribers
bcr
imp
ziaee

Details

Reviewers
kevans
bcr
Group Reviewers
security
Commits
rGcef90b438635: certctl: Unstickify (un)trusted certificates
rGc65e233a52c6: certctl: Unstickify (un)trusted certificates
rG2fef18ff5943: certctl: Unstickify (un)trusted certificates
Summary

Ever since certctl was rewritten in C, the rehash command has reingested
TRUSTDESTDIR / UNTRUSTDESTDIR in addition to TRUSTPATH / UNTRUSTPATH.
This seemed like a good idea at the time but was, in retrospect, a
mistake, as it means a (un)trusted certificate remains (un)trusted
forever (or at least until it expires) even if it is removed from
(UN)TRUSTPATH. Among other issues, it causes ports QA to fail for any
port that either installs certificates or depends on a port that does.

Although this behavior was undocumented, the change may surprise users
who have added certificates manually, so update the manual page to point
it out and add prominent warnings to the trust and untrust commands.

PR: 290078
MFC after: 1 week

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

des created this revision.Apr 24 2026, 12:21 PM
Herald added a subscriber: imp. · View Herald TranscriptApr 24 2026, 12:21 PM
des requested review of this revision.Apr 24 2026, 12:21 PM
Harbormaster completed remote builds in B72516: Diff 176325.Apr 24 2026, 12:21 PM
des updated this revision to Diff 176334.Apr 24 2026, 1:59 PM

untrusted as well

Harbormaster completed remote builds in B72519: Diff 176334.Apr 24 2026, 1:59 PM
des retitled this revision from certctl: Unstickify trusted certificates to certctl: Unstickify (un)trusted certificates.Apr 24 2026, 2:02 PM
des edited the summary of this revision. (Show Details)
des updated this revision to Diff 176336.Apr 24 2026, 2:08 PM

documentation

Herald added a subscriber: ziaee. · View Herald TranscriptApr 24 2026, 2:08 PM
Harbormaster completed remote builds in B72521: Diff 176336.Apr 24 2026, 2:08 PM
des edited the summary of this revision. (Show Details)Apr 24 2026, 2:09 PM
bcr accepted this revision.Apr 25 2026, 8:24 AM
bcr added a subscriber: bcr.

OK for the changes to the manpage.

This revision is now accepted and ready to land.Apr 25 2026, 8:24 AM
des updated this revision to Diff 176581.Apr 26 2026, 5:48 PM

unbreak list command

This revision now requires review to proceed.Apr 26 2026, 5:48 PM
Harbormaster completed remote builds in B72556: Diff 176581.Apr 26 2026, 5:48 PM
kevans added inline comments.Apr 27 2026, 3:31 AM
usr.sbin/certctl/certctl.8
116

Reading the caveat here, I guess I'm wondering why untrust doesn't act as a slightly nicer shorthand for copying the cert into one of the default_untrusted_paths (probably the localbase one?) rather than accidentally presenting a footgun, since we do some implicit rehashes (e.g. when the trust store changes) that they may not be considering that will drop it.

des added inline comments.Apr 27 2026, 9:19 AM
usr.sbin/certctl/certctl.8
116

I'm torn between a) changing certctl untrust to doing just that and b) leaving the code as-is but documenting that as the preferred alternative.

des updated this revision to Diff 177058.Sat, May 2, 10:49 PM

add warnings

Harbormaster completed remote builds in B72734: Diff 177058.Sat, May 2, 10:49 PM
des updated this revision to Diff 177059.Sat, May 2, 11:07 PM

don't switch to distrust yet

Harbormaster completed remote builds in B72735: Diff 177059.Sat, May 2, 11:07 PM
des updated this revision to Diff 177060.Sat, May 2, 11:09 PM

add commas

Harbormaster completed remote builds in B72736: Diff 177060.Sat, May 2, 11:09 PM
des edited the summary of this revision. (Show Details)Sat, May 2, 11:09 PM
kevans accepted this revision.Tue, May 5, 7:54 PM
This revision is now accepted and ready to land.Tue, May 5, 7:54 PM
Closed by commit rG2fef18ff5943: certctl: Unstickify (un)trusted certificates (authored by des). · Explain WhyTue, May 5, 10:31 PM
This revision was automatically updated to reflect the committed changes.
des added a commit: rG2fef18ff5943: certctl: Unstickify (un)trusted certificates.
des added a commit: rGc65e233a52c6: certctl: Unstickify (un)trusted certificates.Thu, May 7, 6:59 PM
cperciva added a commit: rGcef90b438635: certctl: Unstickify (un)trusted certificates.Thu, May 7, 8:19 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
certctl/
15 lines
81 lines
tests/
3 lines

Diff 177275

View Options

usr.sbin/certctl/certctl.8

Loading...
View Options

usr.sbin/certctl/certctl.c

Loading...
View Options

usr.sbin/certctl/tests/certctl_test.sh

Loading...