[Bug 276129] "make delete-old/delete-old-files" does not run "certctl rehash" after deletion

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 05 Jan 2024 16:57:04 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276129

            Bug ID: 276129
           Summary: "make delete-old/delete-old-files" does not run
                    "certctl rehash" after deletion
           Product: Base System
           Version: 13.2-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: michaelo@FreeBSD.org

I have just upgraded a host from 12.4-STABLE to "FreeBSD
deblndw013x4v.ad001.siemens.net 13.2-STABLE FreeBSD 13.2-STABLE a317a5865
GENERIC amd64".

Let's check what can be deleted:
root@deblndw013x4v:/usr/src
# make check-old | grep certs
/usr/share/certs/trusted/Cybertrust_Global_Root.pem
/usr/share/certs/trusted/DST_Root_CA_X3.pem
/usr/share/certs/trusted/E-Tugra_Certification_Authority.pem
/usr/share/certs/trusted/GlobalSign_Root_CA_-_R2.pem
/usr/share/certs/trusted/Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
/usr/share/certs/trusted/Hongkong_Post_Root_CA_1.pem
/usr/share/certs/trusted/Network_Solutions_Certificate_Authority.pem
/usr/share/certs/trusted/Staat_der_Nederlanden_EV_Root_CA.pem
/usr/share/certs/trusted/TrustCor_ECA-1.pem
/usr/share/certs/trusted/TrustCor_RootCert_CA-1.pem
/usr/share/certs/trusted/TrustCor_RootCert_CA-2.pem

Looking at Makefile.inc1 for the "delete-old-files" target, "certctl rehash" is not
invoked, which might leave dead links on the system.
In this case all of them are blacklisted, but one should not rely on that:
root@deblndw013x4v:/usr/src
# make check-old | grep certs | cut -f 6 -d / >> /tmp/cert-names
root@deblndw013x4v:/usr/src
# ls -l /usr/share/certs/blacklisted/ | grep -f /tmp/cert-names
-r--r--r--  1 root  wheel  5018 2023-12-19 17:59 Cybertrust_Global_Root.pem
-r--r--r--  1 root  wheel  4648 2023-12-19 17:59 DST_Root_CA_X3.pem
-r--r--r--  1 root  wheel  8061 2023-12-19 17:59 E-Tugra_Certification_Authority.pem
-r--r--r--  1 root  wheel  5068 2023-12-19 17:59 GlobalSign_Root_CA_-_R2.pem
-r--r--r--  1 root  wheel  5389 2023-12-19 17:59 Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
-r--r--r--  1 root  wheel  4511 2023-12-19 17:59 Hongkong_Post_Root_CA_1.pem
-r--r--r--  1 root  wheel  5104 2023-12-19 17:59 Network_Solutions_Certificate_Authority.pem
-r--r--r--  1 root  wheel  7437 2023-12-19 17:59 Staat_der_Nederlanden_EV_Root_CA.pem
-r--r--r--  1 root  wheel  5212 2023-12-19 17:59 TrustCor_ECA-1.pem
-r--r--r--  1 root  wheel  5256 2023-12-19 17:59 TrustCor_RootCert_CA-1.pem
-r--r--r--  1 root  wheel  7971 2023-12-19 17:59 TrustCor_RootCert_CA-2.pem

I think it should happen right before this line:
https://github.com/freebsd/freebsd-src/blob/a68d5a66258e953ef6ccdbdd82e89572a3cc04f9/Makefile.inc1#L3430
like here:
https://github.com/freebsd/freebsd-src/blob/a68d5a66258e953ef6ccdbdd82e89572a3cc04f9/Makefile.inc1#L1494

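Added example, not the reporter's code nor FreeBSD's certctl: a small shell check for the dangling hash links this report describes, so an administrator can tell whether a deletion happened without a subsequent "certctl rehash". It assumes certctl's 13.x link directories /etc/ssl/certs and /etc/ssl/blacklisted, and exercises the check against a constructed fixture rather than the live host.

```shell
#!/bin/sh
# Added example, not from the bug report or FreeBSD's certctl: detect the
# dangling hash links that "make delete-old-files" leaves behind when it
# removes /usr/share/certs/trusted/*.pem without running "certctl rehash".
# Assumes certctl's link directories are /etc/ssl/certs and
# /etc/ssl/blacklisted (13.x layout); the demo below uses a constructed
# fixture instead of the live system.

# find_dead_cert_links DIR...: print every symlink under DIR whose target
# no longer exists, one path per line (test -e follows the link).
find_dead_cert_links() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type l ! -exec test -e {} \; -print
    done
}

# count_dead_cert_links DIR...: number of dangling links, as a bare integer.
count_dead_cert_links() {
    find_dead_cert_links "$@" | wc -l | tr -d ' '
}

# make_fixture: build a constructed layout that mimics the bug. One hash
# link still resolves to a present .pem; the other was created by an
# earlier rehash and now points at a .pem that delete-old-files removed.
# Link names are placeholders, not real certctl subject hashes. Prints the
# fixture root.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/share/certs/trusted" "$root/etc/ssl/certs"
    echo 'constructed placeholder, not a real certificate' \
        > "$root/usr/share/certs/trusted/Still_Present_CA.pem"
    ln -s "$root/usr/share/certs/trusted/Still_Present_CA.pem" \
        "$root/etc/ssl/certs/00000001.0"
    ln -s "$root/usr/share/certs/trusted/Removed_By_Delete_Old.pem" \
        "$root/etc/ssl/certs/deadbeef.0"
    printf '%s\n' "$root"
}

# Self-check on the fixture. On a real host run
#   find_dead_cert_links /etc/ssl/certs /etc/ssl/blacklisted
# and, if anything prints, "certctl rehash" is what cleans it up.
demo_root=$(make_fixture)
echo "dangling links in fixture: $(count_dead_cert_links "$demo_root/etc/ssl/certs")"
find_dead_cert_links "$demo_root/etc/ssl/certs"
rm -rf "$demo_root"
```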