Created attachment 239361 [details] patch Drop dependency on ca_root_nss and use base system root certificates instead. This allows users to add their own certificates. trust_paths now points to a directory and that directory contains "anchors" and "blocklist" symlinks pointing to the base system certificate directories. This is based on the documentation from https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html. The list of certificates known to p11-kit can be verified by running "trust list".
Sorry for the delay. This looks reasonable, but I don't have use cases for that myself. If this works for you, feel free to commit. Thanks, Roman
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=8672992ef7f072f87304e953231de77179143f1d commit 8672992ef7f072f87304e953231de77179143f1d Author: Tijl Coosemans <tijl@FreeBSD.org> AuthorDate: 2022-08-13 16:52:35 +0000 Commit: Tijl Coosemans <tijl@FreeBSD.org> CommitDate: 2023-02-01 11:05:18 +0000 security/p11-kit: Use base system CA certificates Drop dependency on ca_root_nss and use base system root certificates instead. This allows users to add their own certificates. trust_paths now points to a directory and that directory contains "anchors" and "blocklist" symlinks pointing to the base system certificate directories. This is based on the documentation from https://p11-glue.github.io/p11-glue/p11-kit/manual/trust-module.html. The list of certificates known to p11-kit can be verified by running "trust list". PR: 268841 Approved by: novel (maintainer) security/p11-kit/Makefile | 17 ++++++++++++----- security/p11-kit/pkg-plist | 2 ++ 2 files changed, 14 insertions(+), 5 deletions(-)