From 27820b26c0f73f1b5e5159ead1032b7e78182b2e Mon Sep 17 00:00:00 2001
From: Petr Vokac <petr.vokac@fjfi.cvut.cz>
Date: Sun, 28 Dec 2025 11:13:56 +0100
Subject: [PATCH] Update signing policy to use right X1 vs. X2 Signing policy
 should use CA trust chain defined in this package. ``` $ for x in *.pem; do
 openssl x509 -noout -issuer -in $x | sed "s/^/${x}: /"; done isrgrootx1.pem:
 issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
 isrg-root-x2.pem: issuer=C=US, O=Internet Security Research Group, CN=ISRG
 Root X2 lets-encrypt-e5.pem: issuer=C=US, O=Internet Security Research Group,
 CN=ISRG Root X2 lets-encrypt-e6.pem: issuer=C=US, O=Internet Security
 Research Group, CN=ISRG Root X2 lets-encrypt-e7.pem: issuer=C=US, O=Internet
 Security Research Group, CN=ISRG Root X2 lets-encrypt-e8.pem: issuer=C=US,
 O=Internet Security Research Group, CN=ISRG Root X2 lets-encrypt-e9.pem:
 issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X2
 lets-encrypt-r10.pem: issuer=C=US, O=Internet Security Research Group,
 CN=ISRG Root X1 lets-encrypt-r11.pem: issuer=C=US, O=Internet Security
 Research Group, CN=ISRG Root X1 lets-encrypt-r12.pem: issuer=C=US, O=Internet
 Security Research Group, CN=ISRG Root X1 lets-encrypt-r13.pem: issuer=C=US,
 O=Internet Security Research Group, CN=ISRG Root X1 lets-encrypt-r14.pem:
 issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1 ```

---
 isrg-root-x2.signing_policy | 2 +-
 isrgrootx1.signing_policy   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/isrg-root-x2.signing_policy b/isrg-root-x2.signing_policy
index 1774903..ba73aa9 100644
--- a/isrg-root-x2.signing_policy
+++ b/isrg-root-x2.signing_policy
@@ -1,3 +1,3 @@
 access_id_CA   X509    '/C=US/O=Internet Security Research Group/CN=ISRG Root X2'
 pos_rights     globus  CA:sign
-cond_subjects  globus  '"/C=US/O=Let\'s Encrypt/CN=E5" "/C=US/O=Let\'s Encrypt/CN=E6" "/C=US/O=Let\'s Encrypt/CN=R10" "/C=US/O=Let\'s Encrypt/CN=R11" "/C=US/O=Let\'s Encrypt/CN=E7" "/C=US/O=Let\'s Encrypt/CN=E8" "/C=US/O=Let\'s Encrypt/CN=E9" "/C=US/O=Let\'s Encrypt/CN=R12" "/C=US/O=Let\'s Encrypt/CN=R13" "/C=US/O=Let\'s Encrypt/CN=R14"'
+cond_subjects  globus  '"/C=US/O=Let\'s Encrypt/CN=E5" "/C=US/O=Let\'s Encrypt/CN=E6" "/C=US/O=Let\'s Encrypt/CN=E7" "/C=US/O=Let\'s Encrypt/CN=E8" "/C=US/O=Let\'s Encrypt/CN=E9"
diff --git a/isrgrootx1.signing_policy b/isrgrootx1.signing_policy
index 6d01eee..9f300e7 100644
--- a/isrgrootx1.signing_policy
+++ b/isrgrootx1.signing_policy
@@ -1,3 +1,3 @@
 access_id_CA   X509    '/C=US/O=Internet Security Research Group/CN=ISRG Root X1'
 pos_rights     globus  CA:sign
-cond_subjects  globus  '"/C=US/O=Let\'s Encrypt/CN=R3" "/C=US/O=Let\'s Encrypt/CN=R4"'
+cond_subjects  globus  "/C=US/O=Let\'s Encrypt/CN=R10" "/C=US/O=Let\'s Encrypt/CN=R11" "/C=US/O=Let\'s Encrypt/CN=R12" "/C=US/O=Let\'s Encrypt/CN=R13" "/C=US/O=Let\'s Encrypt/CN=R14"'