You are not logged in.

#1 2015-09-02 19:31:54

skwee
Member
Registered: 2013-08-15
Posts: 41

After updating mono, I've accidentally added 159 new certificates

Hi,

I don't know why but for some reason I had mono installed. I've made a pacman -Syu and got the following output:

:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (4) chromium-45.0.2454.85-1  iso-codes-3.61-1  mono-4.0.3.20-1
             perl-xml-libxml-2.0122-1

Total Download Size:    73.48 MiB
Total Installed Size:  295.58 MiB
Net Upgrade Size:        3.24 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages ...
 chromium-45.0.2454....    44.4 MiB  6.36M/s 00:07 [######################] 100%
 iso-codes-3.61-1-any       2.2 MiB  2.47M/s 00:01 [######################] 100%
 mono-4.0.3.20-1-x86_64    26.6 MiB  6.29M/s 00:04 [######################] 100%
 perl-xml-libxml-2.0...   264.6 KiB  3.11M/s 00:00 [######################] 100%
(4/4) checking keys in keyring                     [######################] 100%
(4/4) checking package integrity                   [######################] 100%
(4/4) loading package files                        [######################] 100%
(4/4) checking for file conflicts                  [######################] 100%
(4/4) checking available disk space                [######################] 100%
(1/4) upgrading chromium                           [######################] 100%
(2/4) upgrading iso-codes                          [######################] 100%
(3/4) upgrading mono                               [######################] 100%
Linux Cert Store Sync - version 4.0.3.0
Synchronize local certs with certs from local Linux trust store.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

I already trust 0, your new list has 159
Certificate added: C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH, OU=A-Trust-nQual-03, CN=A-Trust-nQual-03
Certificate added: CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES
Certificate added: CN=ACEDICOM Root, OU=PKI, O=EDICOM, C=ES
Certificate added: C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA
Certificate added: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Certificate added: C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root
Certificate added: C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Public CA Root
Certificate added: C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Qualified CA Root
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Commercial
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Networking
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Premium
Certificate added: C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC
Certificate added: C=JP, O=Japanese Government, OU=ApplicationCA
Certificate added: CN=Atos TrustedRoot 2011, O=Atos, C=DE
Certificate added: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
Certificate added: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Certificate added: C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 1
Certificate added: C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA
Certificate added: C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 CA 1
Certificate added: C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA
Certificate added: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig
Certificate added: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1
Certificate added: C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2
Certificate added: C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT
Certificate added: C=CN, O=CNNIC, CN=CNNIC ROOT
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Certificate added: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root
Certificate added: C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root
Certificate added: C=FR, O=Dhimyotis, CN=Certigna
Certificate added: C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Autorité Racine
Certificate added: C=FR, O=Certplus, CN=Class 2 Primary CA
Certificate added: C=PL, O=Unizeto Sp. z o.o., CN=Certum CA
Certificate added: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA
Certificate added: C=EU, L=Madrid (see current address at www.camerfirma.com/address), OID.2.5.4.5=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008
Certificate added: C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root
Certificate added: CN=ComSign Secured CA, O=ComSign, C=IL
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Secure Certificate Services
Certificate added: C=GB, S=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Trusted Certificate Services
Certificate added: O="Cybertrust, Inc", CN=Cybertrust Global Root
Certificate added: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009
Certificate added: C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009
Certificate added: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6
Certificate added: O=Digital Signature Trust Co., CN=DST Root CA X3
Certificate added: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Certificate added: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4
Certificate added: C=TR, L=Ankara, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority
Certificate added: CN=EBG Elektronik Sertifika Hizmet Sağlayıcısı, O=EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., C=TR
Certificate added: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC
Certificate added: C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=pki@sk.ee
Certificate added: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
Certificate added: C=US, O="Entrust, Inc.", OU=www.entrust.net/CPS is incorporated by reference, OU="(c) 2006 Entrust, Inc.", CN=Entrust Root Certification Authority
Certificate added: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - EC1
Certificate added: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2
Certificate added: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority
Certificate added: C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2
Certificate added: C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA
Certificate added: C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2
Certificate added: OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign
Certificate added: OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign
Certificate added: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Certificate added: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
Certificate added: OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
Certificate added: C=EU, L=Madrid (see current address at www.camerfirma.com/address), OID.2.5.4.5=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008
Certificate added: C=US, O="The Go Daddy Group, Inc.", OU=Go Daddy Class 2 Certification Authority
Certificate added: C=US, S=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", CN=Go Daddy Root Certificate Authority - G2
Certificate added: C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011
Certificate added: C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1
Certificate added: C=FR, S=France, L=Paris, O=PM/SGDN, OU=DCSSI, CN=IGC/A, E=igca@sgdn.pm.gouv.fr
Certificate added: C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1
Certificate added: C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1
Certificate added: C=ES, O=IZENPE S.A., CN=Izenpe.com
Certificate added: E=pki@sk.ee, C=EE, O=AS Sertifitseerimiskeskus, CN=Juur-SK
Certificate added: C=HU, L=Budapest, O=Microsec Ltd., OU=e-Szigno CA, CN=Microsec e-Szigno Root CA
Certificate added: C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=info@e-szigno.hu
Certificate added: C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítványkiadók (Certification Services), CN=NetLock Arany (Class Gold) Főtanúsítvány
Certificate added: C=HU, S=Hungary, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
Certificate added: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
Certificate added: C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA
Certificate added: E=contacto@procert.net.ve, L=Chacao, S=Miranda, OU=Proveedor de Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica, C=VE, CN=PSCProcert
Certificate added: C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3
Certificate added: C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3
Certificate added: O=RSA Security Inc, OU=RSA Security 2048 V3
Certificate added: C=ES, O=Generalitat Valenciana, OU=PKIGVA, CN=Root CA Generalitat Valenciana
Certificate added: C=JP, O="Japan Certification Services, Inc.", CN=SecureSign RootCA11
Certificate added: C=US, O=SecureTrust Corporation, CN=SecureTrust CA
Certificate added: C=US, O=SecureTrust Corporation, CN=Secure Global CA
Certificate added: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication EV RootCA1
Certificate added: C=JP, O="SECOM Trust Systems CO.,LTD.", OU=Security Communication RootCA2
Certificate added: C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1
Certificate added: C=FI, O=Sonera, CN=Sonera Class2 CA
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2
Certificate added: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3
Certificate added: C=US, O="Starfield Technologies, Inc.", OU=Starfield Class 2 Certification Authority
Certificate added: C=US, S=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", CN=Starfield Root Certificate Authority - G2
Certificate added: C=US, S=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", CN=Starfield Services Root Certificate Authority - G2
Certificate added: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
Certificate added: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
Certificate added: C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2
Certificate added: C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2
Certificate added: C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2
Certificate added: C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 1
Certificate added: C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 2
Certificate added: C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root EV CA 2
Certificate added: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2
Certificate added: C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3
Certificate added: C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 2 CA, CN=TC TrustCenter Class 2 CA II
Certificate added: C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Universal CA, CN=TC TrustCenter Universal CA I
Certificate added: CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı, C=TR, L=ANKARA, O=(c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.
Certificate added: CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı, C=TR, L=Ankara, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007
Certificate added: CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı, C=TR, L=Ankara, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
Certificate added: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA
Certificate added: C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority
Certificate added: C=TW, O=Government Root Certification Authority
Certificate added: O=TeliaSonera, CN=TeliaSonera Root CA v1
Certificate added: C=GB, O=Trustis Limited, OU=Trustis FPS Root CA
Certificate added: C=TR, L=Gebze - Kocaeli, O=Türkiye Bilimsel ve Teknolojik Araştırma Kurumu - TÜBİTAK, OU=Ulusal Elektronik ve Kriptoloji Araştırma Enstitüsü - UEKAE, OU=Kamu Sertifikasyon Merkezi, CN=TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
Certificate added: C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
Certificate added: C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Certificate added: C=US, S=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN - DATACorp SGC
Certificate added: C=US, S=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2007 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G4
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2008 VeriSign, Inc. - For authorized use only", CN=VeriSign Universal Root Certification Authority
Certificate added: C=US, O="VeriSign, Inc.", OU=Class 3 Public Primary Certification Authority
Certificate added: C=US, O="VeriSign, Inc.", OU=Class 3 Public Primary Certification Authority
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 1999 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G3
Certificate added: C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 1999 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 4 Public Primary Certification Authority - G3
Certificate added: C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root
Certificate added: C=US, O=Wells Fargo WellsSecure, OU=Wells Fargo Bank NA, CN=WellsSecure Public Root Certificate Authority
Certificate added: C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign
Certificate added: C=CN, O=WoSign CA Limited, CN=CA 沃通根证书
Certificate added: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
Certificate added: C=RO, O=certSIGN, OU=certSIGN ROOT CA
Certificate added: C=TW, O="Chunghwa Telecom Co., Ltd.", OU=ePKI Root Certification Authority
Certificate added: C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2006 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA
Certificate added: C=US, O="thawte, Inc.", OU="(c) 2007 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA - G2
Certificate added: C=US, O="thawte, Inc.", OU=Certification Services Division, OU="(c) 2008 thawte, Inc. - For authorized use only", CN=thawte Primary Root CA - G3
Certificate added: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
Certificate added: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority, E=support@cacert.org
159 new root certificates were added to your trust store.
Import process completed.
(4/4) upgrading perl-xml-libxml                    [######################] 100%

What are those certificates? Why they were added? Why I need them? How do I remove them?

Thanks in advance!


dotfiles
git pull strings master-of-puppets

Offline

#2 2015-09-02 19:38:40

Roken
Member
From: UK
Registered: 2012-01-16
Posts: 1,051

Re: After updating mono, I've accidentally added 159 new certificates

I got the same, and would like to know the answer.


[img=Speedtest]http://www.speedtest.net/my-result/5145583518[/img]

Ryzen 1800x 8 core/16 thread - GTX 1070 8Gb, Asus ROG STRIX B350-F, 16Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2SSD - 3Spinners) + 1 x optical.
Linux user #545703

Offline

#3 2015-09-02 22:07:41

dice
Member
From: Germany
Registered: 2014-02-10
Posts: 413

Re: After updating mono, I've accidentally added 159 new certificates

In addition to mono adding a load of certificates nuget showed similar behaviour:

(4/5) upgrading nuget                                                    [----------------------------------------] 100%
Mozilla Roots Importer - version 4.0.3.0
Download and import trusted root certificates from Mozilla's MXR.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Downloading from 'http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'...
Importing certificates into machine store...
79 previously trusted certificates were removed.
Import process completed.

Mono Certificate Manager - version 4.0.3.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


X.509 Certificate v3
   Issued from: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Issued to:   C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2
   Valid from:  5/7/2014 5:04:09 PM
   Valid until: 5/7/2018 5:03:30 PM
   *** WARNING: Certificate signature is INVALID ***
This certificate is already in the CA store.

X.509 Certificate v3
   Issued from: C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2
   Issued to:   C=US, S=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=go.microsoft.com
   Valid from:  4/8/2015 8:13:03 PM
   Valid until: 4/7/2017 8:13:03 PM
This certificate is already in the AddressBook store.

No certificate were added to the stores.
yes: standard output: Broken pipe
Mono Certificate Manager - version 4.0.3.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


X.509 Certificate v3
   Issued from: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Issued to:   C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2
   Valid from:  12/19/2013 8:07:32 PM
   Valid until: 12/19/2017 8:06:55 PM
   *** WARNING: Certificate signature is INVALID ***
Import this certificate into the CA store ?
X.509 Certificate v3
   Issued from: C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2
   Issued to:   CN=*.blob.core.windows.net
   Valid from:  6/10/2015 1:45:43 AM
   Valid until: 6/9/2017 1:45:43 AM
Import this certificate into the AddressBook store ?
2 certificates added to the stores.
yes: standard output: Broken pipe
Mono Certificate Manager - version 4.0.3.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


X.509 Certificate v3
   Issued from: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
   Issued to:   C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2
   Valid from:  12/19/2013 8:07:32 PM
   Valid until: 12/19/2017 8:06:55 PM
   *** WARNING: Certificate signature is INVALID ***
Import this certificate into the CA store ?
X.509 Certificate v3
   Issued from: C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2
   Issued to:   CN=nuget.org
   Valid from:  3/9/2015 8:07:54 PM
   Valid until: 3/8/2017 8:07:54 PM
This certificate is already in the AddressBook store.

1 certificate added to the stores.
yes: standard output: Broken pipe

I put at button on it. Yes. I wish to press it, but I'm not sure what will happen if I do.  (Gune | Titan A.E.)

Offline

#4 2015-09-02 22:41:09

Raynman
Member
Registered: 2011-10-22
Posts: 1,250

Re: After updating mono, I've accidentally added 159 new certificates

If you guys are too lazy, I'll have a look tongue (Don't use mono myself.)

Apparently mono has its own certificate store and the install script runs cert-sync to sync this to the certificates on your system. While cert-sync has been part of mono for a while, the install script was only recently added to the Arch package.

nuget's install script uses the mozroots/certmgr commands to manipulate mono's certificate store. This seems to redownload (on each upgrade) the certificates, both from Mozilla (which I think would also be provided by ca-certificates-mozilla and if you have that, the cert-sync from mono might already have covered these, but I didn't really check this) and Microsoft/NuGet.

Brief overview of the commands: http://www.mono-project.com/docs/faq/security/

Offline

#5 2015-09-02 22:46:36

fidbc
Member
Registered: 2014-01-17
Posts: 3

Re: After updating mono, I've accidentally added 159 new certificates

It seems what is going on is that

cert-sync /etc/ssl/certs/ca-certificates.crt

is being executed after the upgrade. Also, ca-certificates seems to be a new dependency. See here for details.

Also curious about the reason why the certs needed to be trusted. Daniel Isenmann, the pkg manteiner, might have the answer :-P

skwee wrote:

I don't know why but for some reason I had mono installed.

You can install pkgtools from aur and use

whoneeds mono

to try to find out why ;-)

--
fidb

Offline

#6 2015-09-03 07:12:06

skwee
Member
Registered: 2013-08-15
Posts: 41

Re: After updating mono, I've accidentally added 159 new certificates

Oh, so I've already had all those certificates, and mono did not install them so that NSA can spy me? smile

So I can safely ignore this?

Last edited by skwee (2015-09-03 07:12:28)


dotfiles
git pull strings master-of-puppets

Offline

#7 2015-09-03 10:18:35

respiranto
Member
Registered: 2015-05-15
Posts: 412
Website

Re: After updating mono, I've accidentally added 159 new certificates

Was surprised by the same today.
What I am particularly concerned about is the absence of a post_remove() function in the .install.

For some reason after each reinstall it says:

I already trust 158, your new list has 159
Certificate added: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
1 new root certificates were added to your trust store.

The same for a remove followed by a regular install.

In any case at least 158 of the certificates are not removed.

skwee wrote:

Oh, so I've already had all those certificates, and mono did not install them

If so, why would the installer say so? And not again after complete remove & reinstall?

Offline

#8 2015-09-03 10:22:38

skwee
Member
Registered: 2013-08-15
Posts: 41

Re: After updating mono, I've accidentally added 159 new certificates

respiranto wrote:
skwee wrote:

Oh, so I've already had all those certificates, and mono did not install them

If so, why would the installer say so? And not again after complete remove & reinstall?

Valid point.


dotfiles
git pull strings master-of-puppets

Offline

#9 2015-09-03 11:05:55

ProdigySim
Member
Registered: 2015-09-03
Posts: 1

Re: After updating mono, I've accidentally added 159 new certificates

Theoretically it just installed those certs to /usr/share/.mono/certs/Trust (check man mozroot). There's a noted issue with TLS handshakes on the wiki. Maybe this update is meant to prevent that issue.

I ended up with only 158 in that directory though, yet pacman reported 159 installed.

Last edited by ProdigySim (2015-09-03 11:06:39)

Offline

#10 2015-09-03 11:20:03

respiranto
Member
Registered: 2015-05-15
Posts: 412
Website

Re: After updating mono, I've accidentally added 159 new certificates

ProdigySim wrote:

Theoretically it just installed those certs to /usr/share/.mono/certs/Trust (check man mozroot).

Then something like that should be added to mono.install:

post_remove()
{
	rm -r /usr/share/.mono
}

If some tool like mozroots provided this feature, that would be cleaner, but according to its manpage, there is no such option.

Offline

#11 2015-09-03 16:15:56

skwee
Member
Registered: 2013-08-15
Posts: 41

Re: After updating mono, I've accidentally added 159 new certificates

I ended up removing the entire /usr/share/.mono dir. Looks like it did solve the issue because re installing mono will re-import those keys. However I as ProdigySim had only 158 files in that dir, while mono installer reported 159.. suspicious!


dotfiles
git pull strings master-of-puppets

Offline

#12 2015-09-11 09:26:02

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 6,104

Re: After updating mono, I've accidentally added 159 new certificates

I see this too. I don't think removing the package should remove the directory, though, because the certificates are not part of the package itself. That is, they are installed here based on the certificates available elsewhere on the system. Unless you tell it to also remove all configuration files, as well. Maybe that's what was meant by removing completely above?


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Corporation Wireless 8265 / 8275 | US keyboard with Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#13 2015-09-13 22:05:19

Jristz
Member
From: America/Santiago
Registered: 2011-06-11
Posts: 1,022

Re: After updating mono, I've accidentally added 159 new certificates

if keep the onld certa post uninstall is unsafe or you think is a bad practice, fill a bug/feature request againt arch mono/nuget to remove the unused/untrust-afeter-unistall certs from the system, maybe that could in te best case claryfy why this new behavoid.


Well, I suppose that this is somekind of signature, no?

Offline

Board footer

Powered by FluxBB