Description of problem: After update to p11-kit-0.19.3-1.fc20.i686 I see warnings: p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Indeed. Some of the fields for the p11-kit persistence format have changed, based on discussion on the mailing list. Will adapt the *.p11-kit files in ca-certificates...
AFAICS "the CKA_X_CRITICAL attribute is not valid for the object" errors results from running /usr/bin/update-ca-trust script while installing ca-certificates. Packages ca-certificates-2013.1.94-16.fc20, with a build date "Fri 02 Aug 2013 10:32:00 PM MDT", and p11-kit-trust-0.19.3-2.fc20 are still affected by the issue. /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit indeed remains untouched.
Created attachment 785635 [details] Update BasicConstraints for Entrust root The PKCS#11 attributes of a stapled extension changed slightly during the 0.19.x releases. This was due to specification work on the 'Storing Trust Policy' document.
Created attachment 785638 [details] Update BasicConstraints for Entrust root The PKCS#11 attributes of a stapled extension changed slightly during the 0.19.x releases. This was due to specification work on the 'Storing Trust Policy' document.
Kai, can I push this change and do a build/update to ca-certificates?
Sorry, it wasn't clear to me that you had asked for an update. It seems like you are requiring changes to the files we ship, because of incompatibilities between p11-kit versions. Can you please clearly document until which version the old format was being used, and from which version the new format is required?
Comment on attachment 785638 [details] Update BasicConstraints for Entrust root If this new file is incompatible with old p11-kit, and works correctly with a newer p11-kit only, we should have a conflicts: rpm statement in the spec file, and a requires: statement for the newer version.
Updating : ca-certificates-2013.1.94-17.fc21.noarch 23/358 p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
Could you please try the ca-certificates package for rawhide/f21 here: http://koji.fedoraproject.org/koji/taskinfo?taskID=5905170 Does it fix the issue for you?
It looks like the issue is fixed. Thanks.
Thanks for testing. I assume the F20 package will still be picked up automatically.
(In reply to Kai Engert (:kaie) from comment #11) > Thanks for testing. > I assume the F20 package will still be picked up automatically. Hmmm, I started to have to do updates recently. But maybe I'm just confused :)
ca-certificates-2013.1.94-18.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/ca-certificates-2013.1.94-18.fc20
(In reply to Stef Walter from comment #12) > (In reply to Kai Engert (:kaie) from comment #11) > > Thanks for testing. > > I assume the F20 package will still be picked up automatically. > > Hmmm, I started to have to do updates recently. But maybe I'm just confused > :) Thanks for motivating me to doublecheck. Since bodhi now lists f20, you are probably right, and submitting an update is indeed necessary already. ca-certificates-2013.1.94-18.fc20
ca-certificates-2013.1.94-18.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.