DEV Community: ZHANG, HENGMING

certificate authority ( ca ) config for fedora distro

ZHANG, HENGMING — Sun, 05 Oct 2025 08:22:10 +0000

certificate authority ( ca ) on fedora has managed by ca-bundle.trust.p11-kit in recent distributions , and their update method has changed to let old update methods outdated . therefore , i create this post to record my changes of ca management on feodra .

no third parties / companies / govts certificates

i deleted all of those certificated included in the recent mozillia ca bundle , including the nostalgic cnnic certificates etc . only the oss one ( let's encrypt ) remined . this change irrivertiably puts some websites inaccessible ( github , etc . ) while minimal websites are on the table .

start configuration

i configured two environments to use the config :

application based environments ( those on /etc/pki/ca-trust/source , high priority and /usr/share/pki/ca-trust-source , low priority ) such as curl .
browser based environments ( firefox , tor browser ) .

the above two environments use different ca settings to config and manage certificates ( tls , ssl , java , edk2 , etc . ) . in order to config all envs to use one setting , each environment has to be configured separately .

when started to config it , i had to be reminded , it was not enough to use the trust cli to config ( since it was unable to change read - only mozilla ca bundle ) and had to edit the original file while put # comment before each line . and it was still not done correctly . which was done alright was that i created a .bak file of the original file and moved the .bak file ( and the original one ) out of the dir above ( the one on /etc/pki/ca-trust/source directory ) , leaving only the commented or deleted lines of file in directory . then i executed sudo update-ca-trust , and all certs updated just in line .

chain of logs

changing of the ca root certs on system config will put other configs collapsed and should be changed inaccordingly . which include :

protocols that use ca certs ( xmpp , websockets , etc . )
applications that use tls , ssl , java , edk2 configs ( such as fedora mirrors , rpm repos ) .
anything else .

the road to self - managed ca certs

the best choice of internet pki ( public key infrastructure ) is managing certs ( probably including root certs ) by one themselves . to be easily managing and configuring ca in internet trust chains , personal solutions , e . g . openxpki and enterprise solutions ( hyperledger fabric with pkcs # 11 interface ) could be considered .

On Canary

ZHANG, HENGMING — Tue, 19 Aug 2025 13:59:17 +0000

Definition

A canary/warrant canary/canary statement is a practice to say that someone or something is safe or unsafe due to legal processes, certain circumstances, etc.

How should it be used?

Least people or online service providers offer canaries to confirm the circumstances around them, but most of it are abused due to fashions, internet slangs, etc.

A canary should include at least:

Confirmations or affirmative statements to the audience.
Evidences (newest block headers of blockchains, recent news articles, etc.).
A OpenPGP signature.

A canary should be updated regularly to reflect recent circumstances, such as every 14 days.

Methodology

A canary file or text shall be created originally on the providers' websites or spots, hosted by the providers (all underlaying infrastructures shall be made by the providers), as plain text, not encrypted or the signature corrupted.

There's no third party involved, or shall not, as the canary shall be spoken as an evidence of the author themselves.

The canary shall be verified or attested true by its content and other searchable evidences. A falsified canary should not exist and shall be avoided.

Resolve E-AC-3(ASTC A/52B) decoder codec issue related to Fedora Linux (Asahi Linux).

ZHANG, HENGMING — Sun, 03 Aug 2025 03:27:29 +0000

Introduction

When playing a video file containing E-AC-3 (ATSC A/52B) audio codec on Fedora Linux, open with default player (either GNONE Videos
(aka Totem) or next generation video player Showtime Player) will error as E-AC-3 (ATSC A/52B) audio codec not found, but it's actually installed on the system.

Resolution

I referred to the post on the forum:

https://discussion.fedoraproject.org/t/e-ac-3-codec-missing/135347/3.

, and enabled the RPM Fusion repository on the Feodra Linux by the command:

sudo dnf install -y \
  https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm

, and installed additional gstreamer library by:

sudo dnf install -y gstreamer1-plugins-bad-freeworld

sudo dnf install -y gstreamer1-plugins-ugly

, and also removed ffmpeg-free (in order to install ffmpeg from RPM Fusion) by those commands:

sudo dnf remove -y ffmpeg-free

sudo dnf remove -y libswscale-free

sudo dnf remove -y libswresample-free

, and install ffmpeg from RPM Fusion repository:

sudo dnf install -y ffmpeg

Also, I needed to remove the libavcodec-free library from default fedora and updates repositories to install libavcodec-freeworld from RPM Fusion repository:

sudo dnf remove -y libavcodec-free

, and install libavcodec-freeworld:

sudo dnf install -y libavcodec-freeworld

And that's it. Now I can play most videos containing E-AC-3 audio codec without hassle using cross platform video players (not GTK-based) on Fedora Linux.