mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions

Apply the upstream patch to restore certificates that are going to be removed in the future, but should still be available to verify existing certificates.

Note that the CKA_NSS_SERVER_DISTRUST_AFTER cannot be encoded in the generated certificate bundle, so that means newly generated certificates will be trusted as well. This is a trade-off between breaking existing certificates versus not trusting newly generated certificates.

With this change, the following root certificates would be restored:

• Entrust.net Premium 2048 Secure Server CA
• Entrust Root Certification Authority
• AffirmTrust Commercial
• AffirmTrust Networking
• AffirmTrust Premium
• AffirmTrust Premium ECC
• Entrust Root Certification Authority - G2
• Entrust Root Certification Authority - EC
• GLOBALTRUST 2020

Fixes #6 (closed)

assigned to @ncopa

Thanks for this. Losing Entrust Root CA has been very disruptive.

added 2 commits

• 103d13b0 - mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
• 61aff889 - ci: verify build

Compare with previous version

added 1 commit

• 5c6a258e - ci: verify build

Compare with previous version

added 1 commit

• f1cf3917 - ci: verify build

Compare with previous version

added 1 commit

• 0e545256 - ci: verify build

Compare with previous version

added 1 commit

• 8fdecc83 - ci: verify build

Compare with previous version

added 1 commit

• 86c088ff - ci: verify build

Compare with previous version

merged

mentioned in commit 914471a5

Thanks for merging! A new tag needs to be released correct?

Eventually, yes, but for now it has been included as a patch in the aports ca-certificates package.