This issue was closed by revision 4eb6bdad883c.
Original comment by mh.in.en...@gmail.com
on 25 Feb 2014 at 10:44
Binary file changes like this are near impossible to audit. Can we somehow
switch to a text-based format for the trust store that gets converted to binary
in the build process (if needed as a binary at all)?
Original comment by andreas....@gmail.com
on 25 Feb 2014 at 11:02
Auditing is simple. Run:
keytool -list -keystore cacerts -storepass changeit
You can do a textual diff from the previous and next binaries to see the
difference. Doing better is tricky because certificates are inherently binary:
key stores represented as text just end up including lots of data as base64
encoded, which isn't much better.
The "real" solutions are still as described above - I want to switch to the
Mozilla set of roots as I trust them to do a better job. Mozilla uses a bizarre
custom format to represent their CA certs. The fix is probably to have a build
step that downloads their source file from their web interface to their version
control, runs it through a script helpfully provided by the curl guys to convert
it into a PEM file, and then converts the PEM into a JKS file.
I fiddled a bit with this over the weekend but it turned out to be complicated.
I'll open up a separate issue for it.
Original comment by mh.in.en...@gmail.com
on 25 Feb 2014 at 11:12
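As an added illustration of the audit approach in the comment above (this is not code from the thread or from the project), here is a small POSIX shell script that normalizes `keytool -list` output into a sorted alias/fingerprint listing and diffs two versions of the keystore; the function names, the temp-file handling and the assumption that keytool prints each alias line followed by a "Certificate fingerprint (...)" line are mine.

```shell
#!/bin/sh
# Added example: reduce `keytool -list` output to one "alias<TAB>fingerprint"
# line per entry so two cacerts files can be compared with a plain text diff.
# Assumption: keytool's non-verbose listing prints the alias line
# ("alias, date, trustedCertEntry,") followed by a "Certificate fingerprint"
# line; key order, dates and the header block are dropped on purpose.

# Read keytool -list output on stdin; print sorted "alias<TAB>fingerprint" lines.
normalize_listing() {
    awk '
        /trustedCertEntry,/ || /PrivateKeyEntry,/ {
            sub(/,.*/, "")        # keep only the alias before the first comma
            alias = $0
            next
        }
        /Certificate fingerprint/ && alias != "" {
            print alias "\t" $NF  # last field is the colon-separated hash
            alias = ""
        }
    ' | LC_ALL=C sort
}

# Diff two keystore files entry by entry (e.g. the previous and next cacerts).
# Usage: keystore_diff OLD.jks NEW.jks [storepass]   (default password: changeit)
keystore_diff() {
    old="$1"; new="$2"; pass="${3:-changeit}"
    tmp_old=$(mktemp); tmp_new=$(mktemp)
    keytool -list -keystore "$old" -storepass "$pass" | normalize_listing > "$tmp_old"
    keytool -list -keystore "$new" -storepass "$pass" | normalize_listing > "$tmp_new"
    # "-" lines are roots that were removed, "+" lines are roots that were added;
    # a changed fingerprint under the same alias shows up as one of each.
    diff -u "$tmp_old" "$tmp_new"
    rc=$?
    rm -f "$tmp_old" "$tmp_new"
    return $rc
}
```

A non-zero exit from `keystore_diff` means the trust set changed, which is the case reviewers want flagged on a binary cacerts commit.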
Original issue reported on code.google.com by
mh.in.en...@gmail.com
on 7 Feb 2014 at 5:16