Mastodawn

I'd appreciate someone with more knowledge about certificates checking if this is a good idea and if I did it correctly. It definitely fixes the issue.
https://codeberg.org/tusky/Tusky/pulls/5427
#tuskydev

trust sectigo root certificates to make some servers work on older Android versions

These certificates are from 2021 and not trusted on Android versions that are older. We already do the same with two ISRG/Let's Encrypt certificates for the same reason. Closes https://codeberg.org/tusky/Tusky/issues/5423

Codeberg.org

Show thread

Eli the Bearded Feb 5

@ConnyDuck

These are the certs in newer Android trust chains? Looks like a sound change to me, but it does mean Tusky will be a loose end if other sources stop trusting either of these

Show thread

Nogweii S Feb 5

@ConnyDuck hi! Former Let's Encrypt Dev here, so I do have background on this.

Overall the change is fine. I'd love to say that the original bug report user should upgrade their android, but that's often not practical. You should be aware that the certificates expire, though not for a long time (they are root CAs after all), so that's a tiny concern.

Show thread

vramvoolenaar Feb 5

@ConnyDuck This is a legit workaround, it is hard coding the new Sectigo's root CAs into the application. I have verified the certificates on the Sectigo website.

TLDR: Sectigo's root CAs on older Android distributions are no longer being updated. Sectigo's Root CA expired in 2020 causing them to be revoked on older android systems.

Show thread

paillp Feb 6

@ConnyDuck as long as the root cert is valid, you are good to go. Sectigo remains a trusted CA as of today, and is now in the top 3 biggest commercial CAs.