Re: [Savannah-hackers-public] Please add new HARICA certificate to the machine that runs Mirmon

Wed, 14 Jan 2026 21:46:10 -0800 

Jacob Bachmeyer <[email protected]> writes:

> On 1/14/26 07:10, Thérèse Godefroy via Discussions among Savannah
> Hackers, open subscription wrote:
>> Hello,
>>
>> Mirmon can't download the timestamp from mirror.ibcp.fr, most likely
>> because it can't find the new version (2021) of the HARICA TLS root
>> certificate. Could you please add this certificate to the machine that
>> runs Mirmon? It is attached. Thanks in advance.
>>
>> Best,
>> Thérèse
>
> I really hate to have to point this out, but you just sent a proposed
> trust anchor to the list with no information whatsoever to validate
> that it really is the root certificate that it purports to be.  In
> fact, the message itself is unauthenticated: the Savannah admins have
> no solid proof that this is you offering this certificate and not
> Mallory wearing a "Thérèse Godefroy" mask offering a fake certificate
> in furtherance of some malicious scheme.
>
> Please think about what damage Mallory could do by impersonating you
> in this matter, if a phony root certificate were to be accepted.
>
> Could you provide pointers to HARICA themselves or some other
> trustworthy source for this certificate, instead of suggesting "here,
> install this root certificate from this email"?

To be fair to them, I think that it is likely that Trisquel just needs
some updating:

    $ wget 
https://archive.trisquel.info/trisquel/pool/main/c/ca-certificates/ca-certificates_20211016+11.0trisquel2.tar.gz
    $ tar -xf ca-certificates_20211016+11.0trisquel2.tar.gz
    $ cd ca-certificates-20211016+11.0trisquel2/
    $ dpkg-buildpackage -us -uc
    $ cp ../ca-certificates_20211016+11.0trisquel2_all.deb .
    $ mkdir -p tmp && dpkg --extract 
ca-certificates_20211016+11.0trisquel2_all.deb tmp
    $ find . -name 'Hellenic_*'
    $ 
./usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
    $ 
./usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
    $ 
./usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt

On a Fedora system:

    $ while openssl x509 -issuer -noout; do :; done < 
/etc/ssl/certs/ca-certificates.crt 2>/dev/null | grep HARICA 
    issuer=C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA 
TLS ECC Root CA 2021
    issuer=C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA 
TLS RSA Root CA 2021

Collin

Reply via email to