Releases: raggi/openssl-osx-ca
5.1.0 Homebrew interface update
- Fix how Homebrew-installed formulae are listed - special thanks to @jameswmcnab
5.0.1: macOS Catalina bugfix
* Fix an issue with using the ssl profile for verification leading to CT log failures for all certificates, resulting in empty roots.
The Slow Deprecation Run
v5 switches from the Objective-C implementation to a Ruby script that drives
security(1). It's slow, but correct, and does not depend on deprecated
features. This should probably be replaced with a Swift runtime soon, based
on non-deprecated methods, but I had limited time.
Gotta catch 'em all
Version 3 and earlier were missing versioned packages from Homebrew, for example openssl@1.1. As of version 4, root PEMs are created for all installed openssl and libressl versions.
Version 3 and earlier also ran c_rehash after installing certs.pem. This operation is not related to installing the roots and will no longer be performed. Users that need hashed certs in etc/{openssl,libressl}/certs should perform the hashing themselves.
3.0.0 SECURITY - Trusting Trust
A bug was discovered that stems from the project's prior reliance on security(1),
which exports not just trusted certificates but untrusted certificates as well, and provides no mechanism for differentiating between them. As a result, a new binary, osx-ca-certs, is introduced in this release
that generates a certificate PEM from the relevant keychains, skipping untrusted certificates. Most users are unaffected by this change, but those users that are will know it, and should be concerned.
The implementation is based on code from the Go programming language.
The bug was reported in excellent form by Eric Hodel.
Please see commit 1039bec for full details.
Note also that this change removes support for the two --skip arguments that were introduced in recent releases. They can be reimplemented if there is demand. This release was prepared relatively quickly; if any issues are experienced, please reach out to me and I will fix them promptly.
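The two notes above describe the same pipeline from two angles: v5 drives security(1) from Ruby to dump keychain certificates as PEM, and 3.0.0 exists because that dump contains distrusted certificates with nothing to tell them apart, so a separate trust decision has to be applied before anything is written to certs.pem. The script below is an added illustration of that shape and is not the project's own code. It assumes the real `security find-certificate -a -p <keychain>` invocation for the export step, and stands in for the keychain's trust settings with a constructed fingerprint allow-list; the two roots it filters are generated in-process so it runs without a Mac keychain.

```ruby
require 'openssl'

# Command a v5-style script runs to dump a keychain as PEM. Note that
# `security find-certificate -a -p` emits every certificate in the keychain,
# including ones marked as distrusted, and nothing in its output says which
# is which. That gap is the 3.0.0 "Trusting Trust" problem.
def export_from_keychain(keychain_path)
  IO.popen(['security', 'find-certificate', '-a', '-p', keychain_path], &:read)
end

# Split a concatenated PEM dump into individual certificate objects.
def parse_pem_bundle(text)
  text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# SHA-256 over the DER encoding: a stable identity for a root, independent
# of how the keychain happens to label it.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Keep only certificates the caller's trust decision accepts. In the real
# tool that decision comes from the keychain's trust settings; the block
# passed in here is the stand-in for it.
def trusted_certificates(bundle_text)
  parse_pem_bundle(bundle_text).select { |cert| yield(cert) }
end

def to_pem_bundle(certs)
  certs.map(&:to_pem).join
end

# --- constructed sample data so the script runs without a keychain ---------

# Self-signed CA certificate generated in-process (hypothetical, not a real root).
def make_self_signed(common_name, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

TRUSTED_ROOT    = make_self_signed('Constructed Trusted Root', 1)
DISTRUSTED_ROOT = make_self_signed('Constructed Distrusted Root', 2)
# What a raw keychain dump looks like: both roots, no trust information.
SAMPLE_EXPORT   = to_pem_bundle([TRUSTED_ROOT, DISTRUSTED_ROOT])
# Constructed stand-in for the keychain's trust settings: only one root is trusted.
TRUST_STORE     = [fingerprint(TRUSTED_ROOT)]

if __FILE__ == $PROGRAM_NAME
  # Set KEYCHAIN=/path/to/keychain on macOS to filter a real export instead.
  bundle = ENV['KEYCHAIN'] ? export_from_keychain(ENV['KEYCHAIN']) : SAMPLE_EXPORT
  roots  = trusted_certificates(bundle) { |c| TRUST_STORE.include?(fingerprint(c)) }
  warn "exported #{parse_pem_bundle(bundle).size} certificates, keeping #{roots.size} trusted"
  puts to_pem_bundle(roots)
end
```

The point of separating `parse_pem_bundle` from `trusted_certificates` is that the export and the trust decision are different data sources on macOS: the PEM dump carries no trust bits, so a bundle built straight from it (the pre-3.0.0 behaviour) silently includes anything the user has explicitly distrusted. A quick check on an existing certs.pem is to parse it with `parse_pem_bundle` and compare its fingerprints against the roots you expect.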
2.0.1
openssl-osx-ca 2.0.0 - decron
Summary:
- launchd replaces cron
- login.keychain certificates are included by default
- Makefile revamped with more options
This release's major breaking change is the replacement of the old crontab
installation mechanism with a launchd agent. Launchd agents are able to
run on a periodic schedule just like cron, and doing so avoids starting a
cron daemon if the user has no other crontab entries.
The primary motivation for this change is actually to better integrate with
modern Homebrew, which has some built-in support for services. Users are
recommended to use brew services to manage the installation and uninstallation
of the 'cron' from now on. The related brew tap, raggi/ale, will be updated
accordingly shortly after this tag is published.
The second important change is that the user login keychain is included in the
installed CA pem by default. This makes it more convenient for users who use the
keychain UI in the common user flows when adding certificates to their system.
Credit and thanks for this change go to Brian Pitts.
As a reminder, users can uninstall their previous crontab before upgrading using
the following command:
(crontab -l | grep -v openssl-osx-ca) | crontab -
Fix some issues with command line parsing
Fix some issues with command-line parsing that caused errors with at least the 0.98z* versions of OpenSSL.