nabla-c0d3 / trust_stores_observatory

Continuously monitor and record the content of the major platforms' root certificate stores.


Relationship with cert-manage

adamdecaf opened this issue · comments

Hi!

I've been working on a related project cert-manage which works to trim down trusted CAs on a device. It can list installed CA certs and then apply a whitelist against them to remove trust.

I want to build some sort of observatory (ideally captured from opt-in running installs of cert-manage) and some clean room builds. It would be pretty easy to report what's installed in a format consumable for this project.

After installing (no releases yet) you can see what's installed with the following:

$ cert-manage list # platform 
$ cert-manage list -app java [-format openssl, etc]

What output format could cert-manage produce that's easily read by this project? I've already got support for some of the same platforms, but on a "what's installed" level vs the provider's page.

That's a cool project!

I think using the same YAML format as this project would be pretty cool. It's quite simple: https://github.com/nabla-c0d3/trust_stores_observatory/blob/master/trust_stores/apple_ios.yaml

I am also open to extending this format if you need additional fields.

Thanks for reaching out!

Sure thing. Are all the fields required?

cert-manage might not always be able to populate url (if not from a url it'd be a filepath) and version (though it's likely not hard to pull this out).

The version is already optional (but would be nice to have), and I can make the url optional.

It will also be nice to see if what's on the trust store pages (my project) and what's actually on the host (via your project) is the same.

Agreed. I'm working out a way to export into this project's format today. In a few cases I won't be able to provide all the fields, but it should work out alright.

I've got adamdecaf/cert-manage#132 working out pretty well. There are some rough edges I need to clean up, but it's a start.

I don't know much about mozilla/tls-observatory, but are there input/output formats they use?

> I don't know much about mozilla/tls-observatory, but are there input/output formats they use?

I don't see anything. They've got a JSON representation for Certificates (and properties), but I don't see it as an import format. Instead they're parsing the CA stores, PEM/DER etc.

Cool! Have you tried doing a diff of darwin.yaml and apple_macos.yaml? They should be identical but it's interesting if they're not.
For the Mozilla observatory, I did have a quick look a while ago and it wasn't obvious how it works. I think they are using the catt project (https://github.com/kirei/catt) but I am not sure. Also, when I checked, their stores also don't seem to be updated often.

They use catt. It's a submodule in their code, but I noticed the stores weren't updated very often either.

> Have you tried doing a diff of darwin.yaml and apple_macos.yaml?

Not yet. There's going to be some diff if certs are installed (e.g. enterprise). I think such diff code (between yaml outputs) should live here or another project. What are your thoughts on extending this project to support that?

Yeah I can support this in this project (it kind of already does), but one thing that's cool about this yaml format is that it is easy to diff two files using the diff command.
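A fingerprint-based diff of two trust-store files in this YAML layout (the vendor page export versus what a host reports), as an added example that belongs to neither cert-manage nor trust_stores_observatory. The field names (`platform`, `trusted_certificates`, `subject_name`, `fingerprint`) are assumed from the format discussed above, and the two sample files are constructed inline:

```python
# Added example, not code from either project. Assumed file layout:
#   platform: ...                 (scalar top-level keys; url/version optional)
#   trusted_certificates:
#   - subject_name: ...
#     fingerprint: <hex digest>

# Constructed sample: what the vendor's trust store page lists.
VENDOR_YAML = """\
platform: APPLE_MACOS
url: https://example.invalid/vendor-trust-store-page
version: 10.13
trusted_certificates_count: 2
trusted_certificates:
- subject_name: Example Root CA 1
  fingerprint: 1111111111111111
- subject_name: Example Root CA 2
  fingerprint: 2222222222222222
"""

# Constructed sample: what a host actually has installed (url omitted, one enterprise CA added).
HOST_YAML = """\
platform: APPLE_MACOS
trusted_certificates_count: 2
trusted_certificates:
- subject_name: Example Root CA 1
  fingerprint: 1111111111111111
- subject_name: Corp Enterprise Root CA
  fingerprint: 3333333333333333
"""

def parse_trust_store(text):
    """Minimal parser for this flat YAML subset, so no PyYAML dependency is needed."""
    store = {"trusted_certificates": []}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw.startswith("- ") or raw.startswith("  "):
            # Entry inside the trusted_certificates list; "- " starts a new certificate.
            if raw.startswith("- "):
                current = {}
                store["trusted_certificates"].append(current)
            key, _, value = raw.lstrip("- ").partition(":")
            current[key.strip()] = value.strip()
        else:
            key, _, value = raw.partition(":")
            if value.strip():  # skip "trusted_certificates:" itself
                store[key.strip()] = value.strip()
    return store

def diff_trust_stores(expected, actual):
    """Compare by fingerprint: returns (missing_on_host, extra_on_host) subject names."""
    exp = {c["fingerprint"].lower(): c for c in expected["trusted_certificates"]}
    act = {c["fingerprint"].lower(): c for c in actual["trusted_certificates"]}
    missing = sorted(exp[f]["subject_name"] for f in exp.keys() - act.keys())
    extra = sorted(act[f]["subject_name"] for f in act.keys() - exp.keys())
    return missing, extra

if __name__ == "__main__":
    missing, extra = diff_trust_stores(parse_trust_store(VENDOR_YAML), parse_trust_store(HOST_YAML))
    print("missing on host:", missing)   # → ['Example Root CA 2']
    print("extra on host:", extra)       # → ['Corp Enterprise Root CA']
```

An unexpected entry in the "extra" list is the case to investigate: a CA the vendor never shipped but the host trusts anyway, such as an enterprise or locally installed root.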

Yep! That's why I'm planning to switch cert-manage from json to yaml.

I'll open a different issue for showing yaml diffs. Thanks!

cert-manage supports outputting a list of certs into the yaml format specified in this project. I haven't cut a release yet (soon) as I want to finish up a couple things first.