{"id":29905382,"url":"https://github.com/webprofusion/trust-store-updater","last_synced_at":"2026-06-21T01:02:50.393Z","repository":{"id":305803337,"uuid":"1024000653","full_name":"webprofusion/trust-store-updater","owner":"webprofusion","description":null,"archived":false,"fork":false,"pushed_at":"2025-07-23T08:46:33.000Z","size":7762,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-01T19:31:01.558Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/webprofusion.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-22T03:32:01.000Z","updated_at":"2025-07-23T08:46:37.000Z","dependencies_parsed_at":"2025-07-22T05:31:42.027Z","dependency_job_id":"fcd5a4d0-64aa-4442-a395-740ef3a787cd","html_url":"https://github.com/webprofusion/trust-store-updater","commit_stats":null,"previous_names":["webprofusion-chrisc/trust-store-updater"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/webprofusion/trust-store-updater","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webprofusion%2Ftrust-store-updater","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webprofusion%2Ftrust-store-updater/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webprofusion%2Ftrust-store-updater/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webprofusion%2Ftrust-store-updater/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/webprofusion","download_url":"https://codeload.github.com/webprofusion/trust-store-updater/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/webprofusion%2Ftrust-store-updater/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272934844,"owners_count":25017957,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-31T02:00:09.071Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-08-01T19:12:27.597Z","updated_at":"2026-06-21T01:02:50.384Z","avatar_url":"https://github.com/webprofusion.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Trust Store Updater\n\nA cross-platform tool written in Go for updating operating system and application trust stores with new root certificates.\n\nNote: this tool is a prototype and not yet suitable for production use. As Uncle Ben/Voltaire would say, with great power comes great responsibility (yours).\n\n## Features\n\n- **Cross-platform support**: Linux, macOS, and Windows\n- **Configuration-driven**: Uses YAML configuration to specify which trust stores to update\n- **Multiple certificate sources**: Fetch certificates from URLs, files, or directories\n- **Backup and restore**: Automatic backup creation before updates\n- **Dry-run mode**: Test updates without making changes\n- **Comprehensive validation**: Certificate validation before installation\n- **Flexible targeting**: Update system and application trust stores\n\n## Architecture\n\nThe tool follows a modular architecture with clear separation of concerns:\n\n```\ncmd/\n├── trust-store-updater/ # CLI application entry point\ninternal/\n├── certstore/ # Certificate store interfaces and management\n├── config/ # Configuration handling\n├── platform/ # Platform-specific implementations\n│ ├── linux/ # Linux certificate store implementations\n│ ├── darwin/ # macOS certificate store implementations\n│ └── windows/ # Windows certificate store implementations\n├── cert/ # Certificate fetching and validation\n├── updater/ # Main update orchestration logic\n└── cmd/ # CLI command definitions\n```\n\n## Supported Trust Stores\n\n### Linux\n- **System stores**: ca-certificates, update-ca-trust\n- **Applications**: Docker, Java cacerts, Firefox, Chrome\n\n### macOS\n- **System stores**: System Keychain, Login Keychain\n- **Applications**: Docker, Java cacerts, Firefox, Chrome, Safari\n\n### Windows\n- **System stores**: Root, CA, Personal, Enterprise Trust\n- **Applications**: Docker, Java cacerts, Firefox, Chrome, Edge, IIS\n\n## Installation\n\n### Prerequisites\n- Go 1.21 or later\n- Platform-specific tools (varies by target store)\n\n### Build from source\n```bash\ngo mod download\ngo build -o trust-store-updater ./cmd/trust-store-updater\n```\n\n### Install dependencies\n```bash\ngo mod tidy\n```\n\n## Usage\n\n### Basic usage\n```bash\n# Update trust stores using default configuration\n./trust-store-updater\n\n# Use custom configuration file\n./trust-store-updater --config /path/to/config.yaml\n\n# Dry run to see what would be changed\n./trust-store-updater --dry-run\n\n# Verbose output\n./trust-store-updater --verbose\n```\n\n### Configuration\n\nThe tool uses a YAML configuration file (`trust-store-config.yaml` by default). If the file doesn't exist, a default configuration will be created.\n\n#### Example configuration:\n```yaml\n# Certificate sources - where to fetch new root certificates from\ncertificate_sources:\n - name: \"mozilla-ca-bundle\"\n type: \"url\"\n source: \"https://curl.se/ca/cacert.pem\"\n enabled: true\n verify_tls: true\n\n - name: \"local-certificates\"\n type: \"directory\"\n source: \"./certificates\"\n enabled: false\n filters:\n - \"*.crt\"\n - \"*.pem\"\n\n# Trust stores - target stores to update with new certificates\ntrust_stores:\n - name: \"system-ca-certificates\"\n type: \"system\"\n platform: [\"linux\"]\n target: \"ca-certificates\"\n enabled: true\n require_root: true\n\n - name: \"system-keychain\"\n type: \"system\"\n platform: [\"darwin\"]\n target: \"system-keychain\"\n enabled: true\n require_root: true\n\n - name: \"system-cert-store\"\n type: \"system\"\n platform: [\"windows\"]\n target: \"root\"\n enabled: true\n require_root: true\n\n# Global settings\nsettings:\n backup_enabled: true\n backup_directory: \"./backups\"\n log_level: \"info\"\n max_retries: 3\n timeout_seconds: 30\n validate_after: true\n```\n\n### Certificate Sources\n\nThe tool supports fetching certificates from multiple sources:\n\n- **URL**: Fetch CA bundle from HTTP/HTTPS endpoints\n- **File**: Load certificates from local PEM/DER files\n- **Directory**: Scan directory for certificate files\n\n### Trust Store Types\n\n- **System stores**: Operating system certificate stores\n- **Application stores**: Application-specific certificate stores\n\n## Security Considerations\n\n- **Root privileges**: Many system store operations require administrator/root privileges\n- **Backup creation**: Always creates backups before making changes (configurable)\n- **Certificate validation**: Validates certificates before installation\n- **TLS verification**: Verifies TLS connections when fetching from URLs\n\n## Development\n\n### Project Structure\n- Uses Go modules for dependency management\n- Follows standard Go project layout\n- Platform-specific code isolated in separate packages\n- Interfaces used for abstraction and testability\n\n### Key Dependencies\n- `github.com/spf13/cobra`: CLI framework\n- `github.com/spf13/viper`: Configuration management\n- `gopkg.in/yaml.v3`: YAML parsing\n\n### Building for Different Platforms\n```bash\n# Linux\nGOOS=linux GOARCH=amd64 go build -o trust-store-updater-linux ./cmd/trust-store-updater\n\n# macOS\nGOOS=darwin GOARCH=amd64 go build -o trust-store-updater-darwin ./cmd/trust-store-updater\n\n# Windows\nGOOS=windows GOARCH=amd64 go build -o trust-store-updater.exe ./cmd/trust-store-updater\n```\n\n## Limitations\n\n- Some platform-specific implementations are still in development\n- Requires appropriate system permissions for trust store modifications\n- Certificate validation is basic (no chain validation)\n- No automatic rollback mechanism (manual restore from backup required)\n\n## Contributing\n\n1. Fork the repository\n2. Create a feature branch\n3. Make your changes\n4. Add tests for new functionality\n5. Submit a pull request\n\n## License\n\nThis project is licensed under the MIT License - see the LICENSE file for details.\n\n## Original Requirements\n\nThis tool was created to implement a cross-platform solution for updating operating system and application trust stores (CA bundles) with recommended new root certificates. It targets Linux, macOS, and Windows, using configuration to decide which target application stores or OS stores to update.\n\nKey requirements addressed:\n- Cross-platform compatibility (Linux, macOS, Windows)\n- Configuration-driven trust store targeting\n- Support for both OS and application trust stores\n- Automated certificate fetching and validation\n- Backup and restore capabilities\n- Comprehensive error handling and logging\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwebprofusion%2Ftrust-store-updater","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwebprofusion%2Ftrust-store-updater","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwebprofusion%2Ftrust-store-updater/lists"}