I'm using the new trust dump command for comparison purposes. If the input to p11-kit-trust is BEGIN TRUSTED CERTIFICATE, the resulting object has modifiable: false If the input is [p11-kit-object-v1], the resulting object has modifiable: true Even if the attribute modifiable: false is added to the [p11-kit-object-v1] input format, the resuling object is listed as modifiable: true
It seems that the behavior was introduced when p11-kit persist files gained writing support: https://github.com/p11-glue/p11-kit/commit/96771f49dc945800ae28c77ff407753cbb995c7f I am not sure if it is intended, but I have opened a PR that respects "modifiable" settings from the file itself: https://github.com/p11-glue/p11-kit/pull/51
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.