crypto/x509: update bundled iOS roots

[FiloSottile]

Before every release, ideally just before the freeze, we need to regenerate the iOS bundled roots.

This issue should not be closed but moved to the next milestone at each update.

---

The code generator currently parses an HTML table, but @sleevi pointed out the roots are published in the macOS/iOS sources, which is easier to process.

https://opensource.apple.com/source/security_certificates/security_certificates-55161.60.2/certificates/roots/

https://opensource.apple.com/tarballs/security_certificates/security_certificates-55161.60.2.tar.gz

The security_certificates version is available from the index text file, because all directory listings on opensource.apple.com are out of date. (Note how there currently is no security_certificates-55161.60.2 in https://opensource.apple.com/source/security_certificates/.)

https://opensource.apple.com/text/macos-10152.txt

[sleevi]

Note: iOS and macOS, while sharing the same source tree (I think since iOS 8, if I remember my chronology correctly), can ship different versions of the store depending on when it was built. It can also be updated out of band of an OS release (e.g. via OTA), although I don't think they've done that.

Settings -> General -> About -> Certificate Trust Settings will show the Trust Store Version and the Trust Asset Version. Apple's CA/Browser Forum rep previously indicated plans to (eventually) make a machine-readable list of this that is easily consumable (and from which the HTML table is generated - e.g. like https://support.apple.com/en-us/HT210770 , generated by https://opensource.apple.com/source/security_certificates/security_certificates-55161.60.2/CertificateTool/BuildiOSAsset/printroots.auto.html AIUI)

[FiloSottile]

Good to know, we should probably pull the version from the latest iOS when updating, but Go will always be a little out of sync because our release cycles don't match.

[toothrot]

@FiloSottile Could you please either provide instructions or an update on the status of this for the Go 1.15 release?

[dmitshur]

please either provide instructions

I believe there are instructions in the original issue body. This might also be related to #38710, which I looked into recently. I can take a look here as well (if it's helpful).

[gopherbot]

Change https://golang.org/cl/239557 mentions this issue: crypto/x509: update bundled iOS roots and rewrite generator

[dmitshur]

@FiloSottile With CL 239557 submitted, should the milestone be updated to 1.16, or is there more to do here for 1.15?