Page MenuHomeFreeBSD
Differential D56617

certctl: Unstickify (un)trusted certificates
AcceptedPublic
Actions

Authored by des on Fri, Apr 24, 12:21 PM.
Tags
None
Referenced Files
F154118971: D56617.diff
Sun, Apr 26, 7:57 AM
Unknown Object (File)
Fri, Apr 24, 1:06 PM
Subscribers
bcr
imp
ziaee

Details

Reviewers
kevans
bcr
Group Reviewers
security
Summary

Ever since certctl was rewritten in C, the rehash command has reingested
TRUSTDESTDIR / UNTRUSTDESTDIR in addition to TRUSTPATH / UNTRUSTPATH.
This seemed like a good idea at the time but was, in retrospect, a
mistake, as it means a (un)trusted certificate remains (un)trusted
forever (or at least until it expires) even if it is removed from
(UN)TRUSTPATH. Among other issues, it causes ports QA to fail for any
port that either installs certificates or depends on a port that does.

Although this behavior was undocumented, the change may surprise users
who have added certificates manually, so update the manual page to point
it out.

PR: 290078
MFC after: 1 week

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 72521
Build 69404: arc lint + arc unit

Event Timeline

des created this revision.Fri, Apr 24, 12:21 PM
Herald added a subscriber: imp. · View Herald TranscriptFri, Apr 24, 12:21 PM
des requested review of this revision.Fri, Apr 24, 12:21 PM
Harbormaster completed remote builds in B72516: Diff 176325.Fri, Apr 24, 12:21 PM
des updated this revision to Diff 176334.Fri, Apr 24, 1:59 PM

untrusted as well

Harbormaster completed remote builds in B72519: Diff 176334.Fri, Apr 24, 1:59 PM
des retitled this revision from certctl: Unstickify trusted certificates to certctl: Unstickify (un)trusted certificates.Fri, Apr 24, 2:02 PM
des edited the summary of this revision. (Show Details)
des updated this revision to Diff 176336.Fri, Apr 24, 2:08 PM

documentation

Herald added a subscriber: ziaee. · View Herald TranscriptFri, Apr 24, 2:08 PM
Harbormaster completed remote builds in B72521: Diff 176336.Fri, Apr 24, 2:08 PM
des edited the summary of this revision. (Show Details)Fri, Apr 24, 2:09 PM
bcr accepted this revision.Sat, Apr 25, 8:24 AM
bcr added a subscriber: bcr.

OK for the changes to the manpage.

This revision is now accepted and ready to land.Sat, Apr 25, 8:24 AM

Revision Contents
Changeset List

PathSize
usr.sbin/
certctl/
15 lines
10 lines

Diff 176336

View Options

usr.sbin/certctl/certctl.8

Loading...
View Options

usr.sbin/certctl/certctl.c

Loading...