This update fixes the CI issue in GnuTLS: https://gitlab.com/gnutls/gnutls/-/merge_requests/1594
@ckujau, if you are in doubt, try (temporarily) blacklisting the cross-signed "COMODO RSA Certification Authority" on the system and see if the connection fails as expected:
$ trust list # check the URL of the cross-signed certificate $ trust dump --filter 'pkcs11:id=%BB%AF%7E%02%3D%FA%A6%F1%3C%84%8E%AD%EE%38%98%EC%D9%32%32%D4;type=cert' > comodo-rsa.p11-kit $ sudo cp comodo-rsa.p11-kit /etc/pki/ca-trust/source/blacklist/ $ gnutls-cli host:443 [...] *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate.
@ckujau, no, the message is just misleading. The certificate is internally dropped from the input chain, and the cross signed (non-expired) certificate is used from the system trust store. See the background of the fix: https://gitlab.com/gnutls/gnutls/-/issues/1008#note_352448705
I'll try to update the command output later.
@remi, possibly a repo problem on your side? I don't see anything wrong here:
$ rpm -qP nspr-4.20.0-1.fc27.x86_64.rpm | grep '^nspr' nspr = 4.20.0-1.fc27 nspr(x86-64) = 4.20.0-1.fc27 $ rpm -qR thunderbird-60.0-1.fc27.x86_64.rpm | grep '^nspr' nspr >= 4.20.0
@jchaloup, well nss is NOT pushed into the stable yet. I suspect it's a transitional issue: 20 minutes ago I created override for nss-util, nss-softokn, and nss (all 3.37.3) for building firefox. I can see all those packages are now in the buildroot:
$ koji wait-repo f28-build --build=nss-util-3.37.3-1.0.fc28 Successfully waited 0:01 for nss-util-3.37.3-1.0.fc28 to appear in the f28-build repo koji wait-repo f28-build --build=nss-softokn-3.37.3-1.0.fc28 Successfully waited 0:01 for nss-softokn-3.37.3-1.0.fc28 to appear in the f28-build repo koji wait-repo f28-build --build=nss-3.37.3-1.1.fc28 Successfully waited 0:02 for nss-3.37.3-1.1.fc28 to appear in the f28-build repo