From: Theo Buehler Subject: Re: update cert.pem To: tech@openbsd.org Date: Fri, 1 Nov 2024 12:11:50 +0100 On Fri, Nov 01, 2024 at 10:59:43AM +0000, Stuart Henderson wrote: > On 2024/11/01 11:41, Theo Buehler wrote: > > Baltimore will expire shortly after 7.7 release (May 12, 2025) > > Apart from a warning on that, there was only the usual Unizeto error: > > > > ERROR: '/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2' cannot be verified with libressl > > The usual date format issue. yep > > Nothing particularly interesting this time. Comodo was hoisted over > > COMODO again. > > This is because of lc() in the sort order; the order of the "equal > except for case" lines then depends on the perl hash order which is > random. ah. Yes, it's annoying noise. > The diff below makes the output from format-pem repeatable (at the cost > of one-off churn). Do we want that? (I think so). Yes, I think we do. Thanks ok tb A slight downside is that COMODO and Comodo will no longer be next to each other, but I don't think it matters. I suggest I commit my update as it is. Then switching to the new format-pem.pl will only result in reshuffling cert.pem rather than interleaving it with additions and removals. I have that ready. I can send it out if you want to verify it or commit directly.