romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-14 15:01:47 +03:00
Code Issues Projects Releases Packages Wiki Activity

mk-ca-bundle.pl: drop reproducible timestamp feature

Browse source 
Mozilla may push to its repo much later than the commit date, which can
be a source of confusion when using the reproducible timestamp (which is
determined by the commit date) by default. Example:

https://curl.se/ca/cacert-2026-03-19.pem vs.
https://github.com/mozilla-firefox/firefox/commits/1a84aee6387d2f9c9531c655edeea4a80aa0fcfa/security/nss/lib/ckfw/builtins/certdata.txt

This feature had no actual user (or a planned one) from within curl at
the moment, and not requested by curl users. curl-for-win does this on
its own, which is the more practical way there since everything (not
just the CA bundle) needs to be reproducible anyway. I surmise this may
be true for most if not all reproducible use-cases.

Another limitation was that it could bump into GitHub's rate limiting,
needing further updates.

Also: code had some unintented leftovers.

Reported-by: Daniel Stenberg
Bug: https://github.com/curl/curl/pull/20528#issuecomment-4140610008
Follow-up to ca92e20123 #20528

Closes #21116
This commit is contained in:
Viktor Szakats 2026-03-27 09:26:15 +01:00
parent 7523de760d
commit 351e4f956a
No known key found for this signature in database
1 changed files with 1 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

27
scripts/mk-ca-bundle.pl
View file

@ -60,7 +60,7 @@ $opt_d = 'release';
# If the OpenSSL commandline is not in search path you can configure it here!
my $openssl = 'openssl';
my $version = '1.32';
my $version = '1.33';
$opt_w = 76; # default base64 encoded lines length
@ -307,31 +307,6 @@ my $filedate_iso = '';
if(!$opt_n) {
report "Using URL: $url";
my $sha = '';
if($opt_d ne 'ref') {
report "Determining latest commit and timestamp for the remote file ...";
my $out = '';
# https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/autoland/security/nss/lib/ckfw/builtins/certdata.txt
if($url =~ /^https:\/\/raw.githubusercontent.com\/([a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+)\/(refs\/heads\/[a-z]+)(\/.+)$/) {
my $slug = $1;
my $refs = "&sha=$2";
my $path = $3;
if(open(my $fh, '-|', 'curl', '-A', 'curl', '-H', 'X-GitHub-Api-Version: 2022-11-28',
"https://api.github.com/repos/mozilla-firefox/firefox/commits?path=$path$refs")) {
$out = do { local $/; <$fh> };
close $fh;
}
if($out) {
use JSON::PP;
my $json = decode_json($out);
$sha = $json->[0]->{sha};
$filedate_iso = $json->[0]->{commit}->{committer}->{date};
}
}
}
report "Downloading $txt ...";
# If we have an HTTPS URL then use curl