Bug 2163554

Summary: System Certificate Trust Tool Fails To Correctly Manipulate Certificates
Product: Fedora
Reporter: Brett Holman <brett.holman>
Component: p11-kit
Assignee: Daiki Ueno <dueno>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: low
Version: 37
CC: bdas, crypto-team, dueno, eesposit, kai-engert-fedora, stefw
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Last Closed: 2023-02-07 13:08:39 UTC
Type: Bug

Description Brett Holman 2023-01-23 21:52:31 UTC
Description of problem:

Per the docs[1], the following should remove a system cert from the system trust store:

trust anchor --remove path.to/certificate.crt

Version-Release number of selected component (if applicable):

[root@fedora-cloud ~]# rpm -qf /usr/bin/trust 
p11-kit-trust-0.24.1-3.fc37.x86_64
[root@fedora-cloud ~]# rpm -qi p11-kit-trust-0.24.1-3.fc37.x86_64
Name        : p11-kit-trust
Version     : 0.24.1
Release     : 3.fc37


How reproducible:
Every time.

Steps to Reproduce:
1. find a cert: trust list
2. remove the cert: trust anchor --remove <cert>


Actual results:

[root@fedora-cloud ~]# sudo trust anchor --remove "pkcs11:id=%BD%88%87%C9%8F%F6%A4%0A%0B%AA%EB%C5%FE%91%23%9D%AB%4A%8A%32;type=cert"
p11-kit: couldn't remove read-only certificate
p11-kit: 1 error while processing


Expected results:

It should remove the cert.

Additional info:
[1] https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/

Comment 1 Brett Holman 2023-01-23 22:02:46 UTC
Originally reported in upstream cloud-init.

https://github.com/canonical/cloud-init/pull/1962#issuecomment-1382915160

Comment 3 Daiki Ueno 2023-01-24 14:00:45 UTC
I would say this is a documentation issue. Basically, only certificates installed with `trust anchor --store` can be removed with `trust anchor --remove`. If you want to pre-populate certain certificates on an immutable media, I would suggest simply adding/removing them under /usr/share/pki/ca-trust-source/anchors or /usr/share/pki/ca-trust-source/blocklist.
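
A worked example of the file-based add/remove approach from comment 3, added here and not code from the bug report or from p11-kit. CA_TRUST_SOURCE and UPDATE_CMD are assumed override variables so the functions can be exercised against a scratch directory; their defaults are the directory named in comment 3 and update-ca-trust, which is assumed to be the command that rebuilds the consolidated bundles (it is not mentioned in the report).

```shell
#!/bin/sh
# Added example, not code from the bug report or from p11-kit.
# Manage certificates that live in the read-only part of the system trust
# store by adding or removing files under the source directory from
# comment 3, then rebuilding the consolidated bundles. Assumptions:
#   CA_TRUST_SOURCE  directory holding anchors/ and blocklist/ (override for testing)
#   UPDATE_CMD       command that rebuilds the bundles (update-ca-trust on Fedora)
set -eu

CA_TRUST_SOURCE="${CA_TRUST_SOURCE:-/usr/share/pki/ca-trust-source}"
UPDATE_CMD="${UPDATE_CMD:-update-ca-trust}"

# Only PEM files that contain at least one certificate are accepted, so a
# stray file cannot end up in a directory the rebuild step consumes.
is_pem_cert() {
    grep -qF -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# "anchors" makes the CA trusted; "blocklist" distrusts it even when a copy
# ships in the read-only store that "trust anchor --remove" cannot touch.
check_kind() {
    case "$1" in
        anchors|blocklist) ;;
        *) echo "kind must be anchors or blocklist: $1" >&2; return 1 ;;
    esac
}

# install_cert KIND FILE: copy FILE into the KIND directory and rebuild.
# Prints the installed path; fails on a bad kind, a non-PEM file or a
# failed rebuild. Explicit "|| return 1" so the checks also hold when the
# function is called inside an "if", where "set -e" is suspended.
install_cert() {
    check_kind "$1" || return 1
    is_pem_cert "$2" || { echo "not a PEM certificate: $2" >&2; return 1; }
    dest="$CA_TRUST_SOURCE/$1/$(basename "$2")"
    mkdir -p "$CA_TRUST_SOURCE/$1"
    cp "$2" "$dest"
    "$UPDATE_CMD" || return 1
    echo "$dest"
}

# remove_cert KIND NAME: the reverse of install_cert, which is the removal
# path that works for certificates "trust anchor --store" did not install.
remove_cert() {
    check_kind "$1" || return 1
    target="$CA_TRUST_SOURCE/$1/$2"
    [ -f "$target" ] || { echo "not present: $target" >&2; return 1; }
    rm -f "$target"
    "$UPDATE_CMD"
}
```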

Comment 7 Daiki Ueno 2023-02-07 00:50:00 UTC
I have filed a PR to update the documentation:
https://pagure.io/fedora-docs/quick-docs/pull-request/556

Comment 8 Daiki Ueno 2023-02-07 13:08:39 UTC
The fixed documentation has been published:
https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/

I'm closing as NOTABUG for now, but feel free to reopen if anything can be done from the tooling side.