Join Log in
Score:3
Daycent avatar Ubuntu

Why does installing "pdftk-java" change root certificate authority? Is this bad?

nu flag
Daycent

new ubuntu user here. I installed pdftk-java using sudo-apt, and it changed a lot of my root certificate authorities. Is this bad? I don't understand why this root certificate authority is needed by a PDF editing software/program. I'm not sure if I accidently installed malware, and how to get rid of it.

Here is my product release:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:    22.04
Codename:   jammy



sudo apt install pdftk-java


[sudo] password for [USERNAME]: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  ca-certificates-java default-jre-headless java-common libbcprov-java
  libcommons-lang3-java openjdk-11-jre-headless

[...]

Adding debian:ANF_Secure_Server_Root_CA.pem
Adding debian:emSign_Root_CA_-_C1.pem
Adding debian:AffirmTrust_Networking.pem
Adding debian:IdenTrust_Public_Sector_Root_CA_1.pem
Adding debian:Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
Adding debian:COMODO_ECC_Certification_Authority.pem
Adding debian:ssl-cert-snakeoil.pem
Adding debian:Staat_der_Nederlanden_EV_Root_CA.pem
Adding debian:DigiCert_High_Assurance_EV_Root_CA.pem
Adding debian:Network_Solutions_Certificate_Authority.pem
Adding debian:Buypass_Class_3_Root_CA.pem
Adding debian:OISTE_WISeKey_Global_Root_GB_CA.pem
Adding debian:Buypass_Class_2_Root_CA.pem
Adding debian:Amazon_Root_CA_4.pem
Adding debian:DigiCert_Trusted_Root_G4.pem
Adding debian:CFCA_EV_ROOT.pem
Adding debian:GTS_Root_R4.pem
Adding debian:GlobalSign_Root_CA_-_R2.pem
Adding debian:Secure_Global_CA.pem
Adding debian:DigiCert_Global_Root_G3.pem
Adding debian:Security_Communication_RootCA2.pem
Adding debian:GlobalSign_ECC_Root_CA_-_R5.pem
Adding debian:DigiCert_Assured_ID_Root_G3.pem
Adding debian:Microsec_e-Szigno_Root_CA_2009.pem
Adding debian:GlobalSign_Root_CA_-_R3.pem
Adding debian:Entrust_Root_Certification_Authority_-_G2.pem
Adding debian:QuoVadis_Root_CA_1_G3.pem
Adding debian:TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem
Adding debian:XRamp_Global_CA_Root.pem
Adding debian:ACCVRAIZ1.pem
Adding debian:GLOBALTRUST_2020.pem
Adding debian:Starfield_Root_Certificate_Authority_-_G2.pem
Adding debian:GTS_Root_R3.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_2009.pem
Adding debian:Amazon_Root_CA_1.pem
Adding debian:SecureSign_RootCA11.pem
Adding debian:AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
Adding debian:Baltimore_CyberTrust_Root.pem
Adding debian:CA_Disig_Root_R2.pem
Adding debian:Certum_Trusted_Root_CA.pem
Adding debian:Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
Adding debian:NAVER_Global_Root_Certification_Authority.pem
Adding debian:AffirmTrust_Commercial.pem
Adding debian:SSL.com_Root_Certification_Authority_ECC.pem
Adding debian:Actalis_Authentication_Root_CA.pem
Adding debian:Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
Adding debian:Trustwave_Global_ECC_P256_Certification_Authority.pem
Adding debian:Entrust_Root_Certification_Authority_-_EC1.pem
Adding debian:emSign_ECC_Root_CA_-_G3.pem
Adding debian:Izenpe.com.pem
Adding debian:Certum_Trusted_Network_CA.pem
Adding debian:AffirmTrust_Premium.pem
Adding debian:Certigna.pem
Adding debian:Certigna_Root_CA.pem
Adding debian:AC_RAIZ_FNMT-RCM.pem
Adding debian:Hongkong_Post_Root_CA_1.pem
Adding debian:QuoVadis_Root_CA_3_G3.pem
Adding debian:SwissSign_Silver_CA_-_G2.pem
Adding debian:Hongkong_Post_Root_CA_3.pem
Adding debian:Entrust_Root_Certification_Authority.pem
Adding debian:Starfield_Services_Root_Certificate_Authority_-_G2.pem
Adding debian:Entrust_Root_Certification_Authority_-_G4.pem
Adding debian:SecureTrust_CA.pem
Adding debian:Go_Daddy_Root_Certificate_Authority_-_G2.pem
Adding debian:AffirmTrust_Premium_ECC.pem
Adding debian:emSign_ECC_Root_CA_-_C3.pem
Adding debian:OISTE_WISeKey_Global_Root_GC_CA.pem
Adding debian:UCA_Extended_Validation_Root.pem
Adding debian:DigiCert_Assured_ID_Root_CA.pem
Adding debian:certSIGN_Root_CA_G2.pem
Adding debian:TWCA_Root_Certification_Authority.pem
Adding debian:DigiCert_Global_Root_CA.pem
Adding debian:Go_Daddy_Class_2_CA.pem
Adding debian:UCA_Global_G2_Root.pem
Adding debian:certSIGN_ROOT_CA.pem
Adding debian:EC-ACC.pem
Adding debian:TWCA_Global_Root_CA.pem
Adding debian:Starfield_Class_2_CA.pem
Adding debian:GlobalSign_Root_CA.pem
Adding debian:DigiCert_Global_Root_G2.pem
Adding debian:Security_Communication_Root_CA.pem
Adding debian:T-TeleSec_GlobalRoot_Class_2.pem
Adding debian:Entrust.net_Premium_2048_Secure_Server_CA.pem
Adding debian:QuoVadis_Root_CA_3.pem
Adding debian:COMODO_Certification_Authority.pem
Adding debian:Trustwave_Global_Certification_Authority.pem
Adding debian:Comodo_AAA_Services_root.pem
Adding debian:SSL.com_Root_Certification_Authority_RSA.pem
Adding debian:GTS_Root_R2.pem
Adding debian:Certum_EC-384_CA.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_EV_2009.pem
Adding debian:Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
Adding debian:Atos_TrustedRoot_2011.pem
Adding debian:GlobalSign_ECC_Root_CA_-_R4.pem
Adding debian:SSL.com_EV_Root_Certification_Authority_ECC.pem
Adding debian:ISRG_Root_X1.pem
Adding debian:COMODO_RSA_Certification_Authority.pem
Adding debian:T-TeleSec_GlobalRoot_Class_3.pem
Adding debian:Microsoft_RSA_Root_Certificate_Authority_2017.pem
Adding debian:TeliaSonera_Root_CA_v1.pem
Adding debian:USERTrust_ECC_Certification_Authority.pem
Adding debian:GTS_Root_R1.pem
Adding debian:SZAFIR_ROOT_CA2.pem
Adding debian:QuoVadis_Root_CA_2.pem
Adding debian:GlobalSign_Root_E46.pem
Adding debian:GlobalSign_Root_CA_-_R6.pem
Adding debian:USERTrust_RSA_Certification_Authority.pem
Adding debian:Cybertrust_Global_Root.pem
Adding debian:ePKI_Root_Certification_Authority.pem
Adding debian:QuoVadis_Root_CA_2_G3.pem
Adding debian:GlobalSign_Root_R46.pem
Adding debian:DigiCert_Assured_ID_Root_G2.pem
Adding debian:Microsoft_ECC_Root_Certificate_Authority_2017.pem
Adding debian:NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem
Adding debian:SwissSign_Gold_CA_-_G2.pem
Adding debian:Trustwave_Global_ECC_P384_Certification_Authority.pem
Adding debian:Certum_Trusted_Network_CA_2.pem
Adding debian:SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
Adding debian:GDCA_TrustAUTH_R5_ROOT.pem
Adding debian:Amazon_Root_CA_3.pem
Adding debian:emSign_Root_CA_-_G1.pem
Adding debian:Amazon_Root_CA_2.pem
Adding debian:IdenTrust_Commercial_Root_CA_1.pem
Adding debian:E-Tugra_Certification_Authority.pem
Adding debian:e-Szigno_Root_CA_2017.pem
done.
Setting up default-jre-headless (2:1.11-72build2) ...
Setting up pdftk-java (3.2.2-1) ...
update-alternatives: using /usr/bin/pdftk.pdftk-java to provide /usr/bin/pdftk (
pdftk) in auto mode
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for ca-certificates (20211016ubuntu0.22.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
Updating Mono key store
Mono Certificate Store Sync - version 6.8.0.105
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD license
d.

Importing into legacy system store:
I already trust 124, your new list has 124
Import process completed.

Importing into BTLS system store:
I already trust 124, your new list has 124
Import process completed.
Done
199
1 + 0
pdf
Score:4
avatar Ubuntu
pl flag
popey

You snipped out the single line that would have answered this. Immediately before Adding debian:ANF_Secure_Server_Root_CA.pem was probably the line Setting up ca-certificates-java (20190909) ....

This indicates that the output following (all the "Adding debian:") lines came from the processing of the ca-certificates-java package. Further up in the output you'll notice ca-certificates-java in the section of output "The following additional packages will be installed".

So, it's not pdftk-java specifically which added/replaced/updated the certificate files, but a dependency of it. As pdftk-java is a java application, the packagers determined that when installed, it should recommend a java runtime, which subsequently requires the certificates accessible to the java runtime in the java keystore.

So in summary, installing pdftk-java then pulled in default-jre-headless which pulled in ca-certificates-java which pulled in ca-certificates (which you already had).

So, no, not malware, not anything to be worried about. This is all working normally.

+ 1
zwets avatar
us flag
zwets
To complete this answer: the output that you saw rolling by was `ca-certificates-java` adding each CA certificate (`/etc/ssl/certs/*.pem` provided by `ca-certificates`) to the **Java keystore**. Java has its own "JKS" format keystore at `/etc/ssl/certs/java/cacerts`.
2
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.