crypto/x509: update bundled iOS roots #38843
Comments
FiloSottile
added
NeedsFix
|
Note: iOS and macOS, while sharing the same source tree (I think since iOS 8, if I remember my chronology correctly), can ship different versions of the store depending on when it was built. It can also be updated out of band of an OS release (e.g. via OTA), although I don't think they've done that. Settings -> General -> About -> Certificate Trust Settings will show the Trust Store Version and the Trust Asset Version. Apple's CA/Browser Forum rep previously indicated plans to (eventually) make a machine-readable list of this that is easily consumable (and from which the HTML table is generated - e.g. like https://support.apple.com/en-us/HT210770 , generated by https://opensource.apple.com/source/security_certificates/security_certificates-55161.60.2/CertificateTool/BuildiOSAsset/printroots.auto.html AIUI) |
|
Good to know, we should probably pull the version from the latest iOS when updating, but Go will always be a little out of sync because our release cycles don't match. |
dmitshur
added
the
okay-after-beta1
toothrot
removed
the
okay-after-beta1
|
@FiloSottile Could you please either provide instructions or an update on the status of this for the Go 1.15 release? |
I believe there are instructions in the original issue body. This might also be related to #38710, which I looked into recently. I can take a look here as well (if it's helpful). |
|
Change https://golang.org/cl/239557 mentions this issue: |
Switched the generator to using the open source releases of the root store rather than HTML parsing, while trying to emulate the sorting algorithm of the table to reduce churn. Updates #38843 Change-Id: I78608d245eabc2a35c2f98635ed5f1a531ad2ba8 Reviewed-on: https://go-review.googlesource.com/c/go/+/239557 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
|
@FiloSottile With CL 239557 submitted, should the milestone be updated to 1.16, or is there more to do here for 1.15? |
|
All done for Go 1.15. |
andybons
added
the
recurring
|
Change https://golang.org/cl/266677 mentions this issue: |
Extended the sorting logic to be stable even when there are two roots with the same name and notBefore timestamp, like the GlobalSign ones. Updates #38843 Change-Id: Ie4db0bb8b6a8b5ffbb7390b6bd527fc0c3badaca Reviewed-on: https://go-review.googlesource.com/c/go/+/266677 Reviewed-by: Katie Hockman <katie@golang.org> Trust: Filippo Valsorda <filippo@golang.org>
|
@FiloSottile Now that CL 266677 is submitted, is there more to do before this can be moved to the Go 1.17 milestone? |
|
I think we should do a late-cycle update too. They are very low-risk, and it's good to be as in sync as possible. |
|
Sounds good. Please apply the okay-after-beta1 label if the late-cycle update doesn't need to block the release of Go 1.16 Beta 1. |
FiloSottile
added
the
okay-after-beta1
toothrot
removed
the
okay-after-beta1
|
Change https://golang.org/cl/284134 mentions this issue: |
Updates #38843 Change-Id: If76844e1caf23f98d814de89f77610de59d96a34 Reviewed-on: https://go-review.googlesource.com/c/go/+/284134 Trust: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
|
Should this issue be moved to the Go1.17 milestone or is there another update slated? |
|
All done for Go 1.16! |
|
Checked to see if there were any updates before the freeze and it looks like nothing has changed since 1.16. Will re-check before the RC. |
dmitshur
added
the
okay-after-beta1
heschi
removed
the
okay-after-beta1
|
Change https://golang.org/cl/337329 mentions this issue: |
Updates #38843. Change-Id: I6e003ed03cd13d8ecf86ce05ab0e11c47e271c0b Reviewed-on: https://go-review.googlesource.com/c/go/+/337329 Trust: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
dmitshur
added
the
okay-after-beta1
|
Change https://golang.org/cl/353403 mentions this issue: |
and others
Before every release, ideally just before the freeze, we need to regenerate the iOS bundled roots.
This issue should not be closed but moved to the next milestone at each update.
The code generator currently parses an HTML table, but @sleevi pointed out the roots are published in the macOS/iOS sources, which is easier to process.
https://opensource.apple.com/source/security_certificates/security_certificates-55161.60.2/certificates/roots/
https://opensource.apple.com/tarballs/security_certificates/security_certificates-55161.60.2.tar.gz
The security_certificates version is available from the index text file, because all directory listings on opensource.apple.com are out of date. (Note how there currently is no
security_certificates-55161.60.2in https://opensource.apple.com/source/security_certificates/.)https://opensource.apple.com/text/macos-10152.txt
The text was updated successfully, but these errors were encountered: