When a CA that is included in tls-ca-bundle.pem is added in /etc/pki/ca-trust/source/blacklist/, and update-ca-trust is run, nothing changes in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.

How reproducible:

Steps to Reproduce:
0. backup /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem to /tmp/bak
1. open /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
2. copy any certificate from it to the clipboard
3. open a file in /etc/pki/ca-trust/source/blacklist/ and paste the certificate
4. run update-ca-trust
5. run diff -u /tmp/bak /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Actual results:
No changes.

Expected results:
The selected CA should have been removed.
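A check for step 5 of the reproduction above, as an added example that is not part of the original report or of p11-kit: it reports which blacklist files contain a certificate that is still present in the extracted bundle, comparing by SHA-256 of the decoded bytes so that a pasted copy with different line wrapping still matches. The function names and the sample PEM blocks are constructed for illustration (arbitrary bytes, not real certificates).

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def cert_digests(pem_text):
    """Return the SHA-256 hex digests of every PEM certificate block in pem_text."""
    digests = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # ignore line wrapping
        digests.add(hashlib.sha256(der).hexdigest())
    return digests

def still_extracted(bundle_text, blacklist_files):
    """Return sorted names of blacklist files whose certificate is still in the bundle.

    blacklist_files: dict of file name -> PEM text, a hypothetical in-memory
    view of /etc/pki/ca-trust/source/blacklist/.
    """
    bundle = cert_digests(bundle_text)
    return sorted(name for name, text in blacklist_files.items()
                  if cert_digests(text) & bundle)

def make_pem(payload, width=64):
    """Constructed stand-in for a certificate: arbitrary bytes in a PEM wrapper."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data (not real certificates).
CA_A = b"constructed CA A " * 8
CA_B = b"constructed CA B " * 8
# Bundle as the report describes it: unchanged after update-ca-trust.
BUNDLE_UNCHANGED = "# CA A\n" + make_pem(CA_A) + "# CA B\n" + make_pem(CA_B)
# Bundle as expected: the blacklisted CA has been removed.
BUNDLE_EXPECTED = "# CA B\n" + make_pem(CA_B)
# Pasted copy with different line wrapping, as can happen via the clipboard.
BLACKLIST = {"ca-a.pem": make_pem(CA_A, width=76)}

if __name__ == "__main__":
    print("unchanged bundle:", still_extracted(BUNDLE_UNCHANGED, BLACKLIST))
    print("expected bundle: ", still_extracted(BUNDLE_EXPECTED, BLACKLIST))
```

On a real system, pass the text of /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and the contents of the files in /etc/pki/ca-trust/source/blacklist/; an empty result means no blacklisted certificate is left in the bundle.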
I think the right place to fix this issue is in p11-kit-trust, as it decides which certificates get produced in the "extracted" list.
Confirming on Fedora 20. Regression.
Patches available upstream for testing. https://bugs.freedesktop.org/show_bug.cgi?id=73558
I cannot verify the fix. If I use p11-kit from the compiled directory I get:

    p11-kit: couldn't run trust tool: No such file or directory

If I install in /usr/local and run the Steps above I see no difference than the version of p11-kit in F20.
Hmm, I think you would need to build with at least the following configure options:

    ./configure --prefix=/usr --with-trust-paths=/etc/pki/ca-trust/source:/usr/share/pki/ca-trust-source

But I've added more integration tests which verify this, so I guess I'll just go ahead and release p11-kit 0.20.2

(ie: without these patches)

    # yum reinstall p11-kit-trust
    # make installcheck
    ...
    sh ./test-extract
    1..2
    ok 1 test_extract
    test-extract: blacklist-test.pem contains test_A4R794lRVSwCVinsUsvXDCctIF3lzBdsa1U2lZZQv2Daz4FGiDcA
    not ok 2 test_blacklist

(and with these patches)

    # make install
    # make installcheck
    ...
    sh ./test-extract
    1..2
    ok 1 test_extract
    ok 2 test_blacklist
It works for me.
p11-kit-0.20.2-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/p11-kit-0.20.2-1.fc20
(In reply to Nikos Mavrogiannopoulos from comment #7)
> It works for me.

Thanks! I've done a Fedora update. Kai and Nikos, if you are able to test it and give it positive feedback (if it works) then we can get this fix out to people. Nikos above problem description is a good test case.
Package p11-kit-0.20.2-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing p11-kit-0.20.2-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0832/p11-kit-0.20.2-1.fc20
then log in and leave karma (feedback).
p11-kit-0.20.2-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.