我刚刚更新了我的 arch 发行版并得到了这个:
create mode 120000 ca-certificates/extracted/cadir/02756ea4.0
create mode 120000 ca-certificates/extracted/cadir/2c11d503.0
create mode 120000 ca-certificates/extracted/cadir/32888f65.0
create mode 120000 ca-certificates/extracted/cadir/3929ec9f.0
create mode 120000 ca-certificates/extracted/cadir/451b5485.0
create mode 120000 ca-certificates/extracted/cadir/559f7c71.0
create mode 120000 ca-certificates/extracted/cadir/608a55ad.0
create mode 120000 ca-certificates/extracted/cadir/7719f463.0
create mode 120000 ca-certificates/extracted/cadir/87229d21.0
create mode 120000 ca-certificates/extracted/cadir/9168f543.0
create mode 120000 ca-certificates/extracted/cadir/9479c8c3.0
create mode 120000 ca-certificates/extracted/cadir/9c3323d4.0
create mode 100644 ca-certificates/extracted/cadir/Certplus_Root_CA_G1.pem
create mode 100644 ca-certificates/extracted/cadir/Certplus_Root_CA_G2.pem
create mode 100644 ca-certificates/extracted/cadir/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
create mode 100644 ca-certificates/extracted/cadir/Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
create mode 100644 ca-certificates/extracted/cadir/OpenTrust_Root_CA_G1.pem
create mode 100644 ca-certificates/extracted/cadir/OpenTrust_Root_CA_G2.pem
create mode 100644 ca-certificates/extracted/cadir/OpenTrust_Root_CA_G3.pem
create mode 120000 ca-certificates/extracted/cadir/d8317ada.0
create mode 120000 ca-certificates/extracted/cadir/dc99f41e.0
create mode 120000 ssl/certs/02756ea4.0
create mode 120000 ssl/certs/2c11d503.0
create mode 120000 ssl/certs/32888f65.0
create mode 120000 ssl/certs/3929ec9f.0
create mode 120000 ssl/certs/451b5485.0
create mode 120000 ssl/certs/559f7c71.0
create mode 120000 ssl/certs/608a55ad.0
create mode 120000 ssl/certs/7719f463.0
create mode 120000 ssl/certs/87229d21.0
create mode 120000 ssl/certs/9168f543.0
create mode 120000 ssl/certs/9479c8c3.0
create mode 120000 ssl/certs/9c3323d4.0
create mode 120000 ssl/certs/Certplus_Root_CA_G1.pem
create mode 120000 ssl/certs/Certplus_Root_CA_G2.pem
create mode 120000 ssl/certs/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
create mode 120000 ssl/certs/Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
create mode 120000 ssl/certs/OpenTrust_Root_CA_G1.pem
create mode 120000 ssl/certs/OpenTrust_Root_CA_G2.pem
create mode 120000 ssl/certs/OpenTrust_Root_CA_G3.pem
create mode 120000 ssl/certs/d8317ada.0
create mode 120000 ssl/certs/dc99f41e.0
但这很奇怪,因为这不是任何类型的网络服务器。我应该担心这里有任何类型的恶意软件吗?
答案1
CA 证书具有与网络服务器无关。具体来说,它们主要是 TLS 所需要的客户,因为客户端关心的是验证服务器自己的证书。每个操作系统都附带这样的列表。
TLS 有许多非 HTTP 用途(例如电子邮件 SMTP/IMAP 流量),但即使是相同的 HTTPS 也被许多非“web”程序使用 - 例如许多pacman
镜像使用 https://,因此它也需要 CA 证书集合。
在 Arch Linux 上,“受信任的证书颁发机构”的主要列表是ca-certificates-mozilla
,从 Mozilla 的软件包中分离出来nss
。换句话说,它与 Mozilla 放入 Firefox 中的内容相同,因此您可以对照所有新添加的证书进行交叉检查Bugzilla并经常反对谷歌Chromium 错误追踪器(它维护着自己的列表)。OpenTrust/Certplus 证书似乎只是续订(错误日志和铬),HARICA 也是如此(错误日志)。
请注意,受信任 CA 的主副本已安装到/usr/share/ca-certificates
(etckeeper 未跟踪)。您看到的/etc
只是自动转换为 OpenSSL 兼容格式的输出(????????.0
符号链接是 OpenSSL“散列”名称);请参阅更新 CA 信任 (8)有关如何更新它的手册页。