Openssl Osx Ca Versions

Simple periodic task to sync OSX Keychain certs to Homebrew installed OpenSSL & LibreSSL

5.1.0

3 years ago
  • Fix how homebrew installed formula are listed - special thanks to @jameswmcnab

5.0.1

4 years ago

5.0.0

4 years ago

v5 switches from the Objective-C implementation to a Ruby script that drives security(1). It's slow, but correct and does not depend on deprecated features. This should probably be replaced with a Swift runtime soon, based on non-deprecated methods, but I had limited time.

4.0.0

6 years ago

Version 3 and before were missing versioned packages from homebrew, for example [email protected]. As of version 4, all openssl and libressl versions will have root PEMs created.

Version 3 and before were running c_rehash after installing certs.pem. This operation was not related to the installation of the roots, and will no longer be performed. Users that need to hash certs from etc/{openssl,libressl}/certs should perform the hashing themselves.

3.0.0

7 years ago

A bug was discovered that stems from the project's prior reliance on security(1), which exports not just trusted certificates but also untrusted certificates. It provides no mechanism for differentiating untrusted certificates. As a result, this release introduces a new binary, osx-ca-certs, that generates a certificate PEM from the relevant keychains, skipping untrusted certificates. Most users are unaffected by this change, but those users that are will know it, and should be concerned.

The implementation is based on code from the Go programming language.

The bug was reported in excellent form by Eric Hodel.

Please see commit 1039bec6d7d641331c746baae5075ab45e5349b5 for full details.

Note also that this change removes support for the two --skip arguments that were introduced in recent releases. They can be reimplemented if there is demand. This release was prepared relatively quickly; if any issues are experienced, please reach out to me and I will fix them promptly.
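A check for the failure described in the 3.0.0 notes, as an added example that is not part of the project's code: it reports which certificates in a generated PEM bundle match fingerprints the user has marked untrusted. The function names, the caller-supplied list of untrusted SHA-256 fingerprints and the throwaway sample roots are assumptions made for this illustration.

```ruby
require "digest"
require "openssl"
require "set"

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# SHA-256 of the certificate's DER encoding, as lowercase hex.
def fingerprint(cert)
  Digest::SHA256.hexdigest(cert.to_der)
end

# Split a concatenated PEM bundle into certificate objects.
def bundle_certs(pem_text)
  pem_text.scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Subjects of bundle entries whose fingerprint is on the caller's untrusted
# list (hypothetical input). Accepts "AA:BB:..." or plain hex, in either case.
def untrusted_in_bundle(pem_text, untrusted_fingerprints)
  deny = untrusted_fingerprints.map { |fp| fp.delete(":").downcase }.to_set
  bundle_certs(pem_text)
    .select { |cert| deny.include?(fingerprint(cert)) }
    .map { |cert| cert.subject.to_s }
end

# Constructed sample data: a throwaway self-signed root, not a real CA.
def sample_root(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end

if __FILE__ == $PROGRAM_NAME
  trusted = sample_root("Constructed Trusted Root")
  distrusted = sample_root("Constructed Untrusted Root")
  bundle = trusted.to_pem + distrusted.to_pem
  puts untrusted_in_bundle(bundle, [fingerprint(distrusted)])
end
```

An empty result means none of the listed fingerprints made it into the bundle; any subject printed is a certificate that OpenSSL or LibreSSL clients reading that bundle would accept as a root.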

2.0.1

7 years ago
  • Added support for LibreSSL

2.0.0

7 years ago

Summary:

  • launchd replaces cron
  • login.keychain certificates are included by default
  • Makefile revamped with more options

This release's major breaking change is the replacement of the old crontab installation mechanism with a launchd agent. Launchd agents are able to run on a periodic schedule just like cron, and using one avoids a cron daemon being started if the user has no other crontab entries.

The primary motivation for this change is actually to better integrate with modern homebrew, which has some built-in support for services. Users are recommended to use brew services to manage the installation and uninstallation of the 'cron' from now on. The related brew tap, raggi/ale will be updated accordingly shortly after this tag is published.

The second important change is that the user login keychain is included in the installed CA pem by default. This makes it more convenient for users who use the keychain UI in the common user flows when adding certificates to their system. Credit and thanks for this change go to Brian Pitts.

As a reminder, users can uninstall their previous crontab before upgrading using the following command:

    (crontab -l | grep -v openssl-osx-ca) | crontab -

1.0.5

9 years ago

Fix some issues with command line parsing causing errors with at least 0.98z* versions of openssl.