https://github.com/crtsh/ctlint is a new linting tool for precertificates and certificates that aims to comprehensively check for any noncompliance with the various browser CT policies, with particular focus on ensuring that precertificate SCT lists embedded in certificates contain a sufficient quantity and variety of valid SCTs from approved CT logs. (See
https://github.com/crtsh/ctlint/blob/main/README.md for a more detailed description of ctlint's features plus a list of some real-world examples of CT-related mishaps that ctlint can detect).
I've integrated ctlint with the just-released pkimetal v1.31.0.
Andrew just posted about CAs embedding SCTs from non-Usable logs. Here's what ctlint reports for one example of that:
"ctlint v0.0.0-20251202204249-6806d5396dad:
WARNING: SCT list contains fewer approved SCTs than required by the Apple CT Policy
WARNING: SCT list satisfies the Chrome CT Policy using at least 1 SCT from a Qualified log that is not yet Usable
INFO: An SCT has a valid signature
INFO: An SCT has a valid signature
INFO: An SCT has a valid signature"
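To show what the "sufficient quantity and variety of valid SCTs from approved logs" check amounts to in practice, here is an added example (written for this page; it is not ctlint's or pkimetal's own code). It parses the TLS-encoded SignedCertificateTimestampList that a certificate carries in the 1.3.6.1.4.1.11129.2.4.2 extension (RFC 6962 section 3.3) and evaluates it against two simplified policies. The log list, the three SCTs, and the thresholds (Apple: 3 SCTs from Usable logs; Chrome: 2 SCTs from distinct operators, counting Qualified logs) are constructed assumptions chosen to reproduce the two warnings above, not the browsers' published policy text, and SCT signature verification, which ctlint performs, is left out.

```python
"""Parse an embedded SCT list and apply a simplified quantity-and-variety check.

Example code for this page, not ctlint's. Policy thresholds and the log list
below are assumptions for illustration only.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class SCT:
    """One SignedCertificateTimestamp (RFC 6962 section 3.2), signature unverified."""
    version: int
    log_id: bytes
    timestamp: datetime
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes


def parse_sct(b: bytes) -> SCT:
    if len(b) < 43:  # version(1) + log_id(32) + timestamp(8) + extensions length(2)
        raise ValueError("sct: truncated header")
    version, log_id, ts_ms, ext_len = struct.unpack(">B32sQH", b[:43])
    end = 43 + ext_len
    if len(b) < end + 4:  # extensions + hash alg(1) + sig alg(1) + signature length(2)
        raise ValueError("sct: truncated extensions or signature")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", b[end:end + 4])
    if len(b) != end + 4 + sig_len:
        raise ValueError("sct: bad signature length")
    return SCT(version, log_id, datetime.fromtimestamp(ts_ms / 1000, timezone.utc),
               b[43:end], hash_alg, sig_alg, b[end + 4:])


def parse_sct_list(b: bytes) -> list[SCT]:
    """Decode the OCTET STRING payload of the 1.3.6.1.4.1.11129.2.4.2 extension."""
    if len(b) < 2 or int.from_bytes(b[:2], "big") != len(b) - 2:
        raise ValueError("sct list: bad outer length")
    scts, b = [], b[2:]
    while b:  # each item is a 2-byte length followed by one serialized SCT
        if len(b) < 2 or int.from_bytes(b[:2], "big") > len(b) - 2:
            raise ValueError("sct list: bad item length")
        end = 2 + int.from_bytes(b[:2], "big")
        scts.append(parse_sct(b[2:end]))
        b = b[end:]
    return scts


def evaluate(name, min_scts, min_operators, accepts, scts, logs):
    """Return ctlint-style findings. `logs` maps log_id -> (operator, state)."""
    operators, approved, qualified = set(), 0, 0
    for s in scts:
        operator, state = logs.get(s.log_id, (None, None))
        if state is None or not accepts(state):
            continue  # unknown or non-approved log: never counts
        approved += 1
        operators.add(operator)
        if state == "Qualified":
            qualified += 1
    if approved < min_scts:
        return [f"WARNING: SCT list contains fewer approved SCTs than required by the {name}"]
    if len(operators) < min_operators:
        return [f"WARNING: SCT list covers fewer than the {min_operators} distinct log operators required by the {name}"]
    if approved - qualified < min_scts:  # passes only thanks to Qualified log(s)
        return [f"WARNING: SCT list satisfies the {name} using at least 1 SCT from a Qualified log that is not yet Usable"]
    return []


def encode_sct(log_id: bytes, ts_ms: int) -> bytes:
    """Constructed, syntactically valid v1 SCT (sha256/ecdsa, dummy 2-byte signature)."""
    body = struct.pack(">B32sQH", 0, log_id, ts_ms, 0) + struct.pack(">BBH", 4, 3, 2) + b"\xaa\xbb"
    return len(body).to_bytes(2, "big") + body


SAMPLE_LOGS = {  # constructed log list: log_id -> (operator, state)
    b"\x01" * 32: ("Op A", "Usable"),
    b"\x02" * 32: ("Op B", "Qualified"),
    b"\x03" * 32: ("Op C", "Retired"),
}


def sample_list() -> bytes:
    """Constructed SCT list: one SCT from each log in SAMPLE_LOGS."""
    body = b"".join(encode_sct(lid, 1764700000000 + i * 500) for i, lid in enumerate(SAMPLE_LOGS))
    return len(body).to_bytes(2, "big") + body


def lint(sct_list: bytes) -> list[str]:
    """Assumed thresholds: Apple counts only Usable logs, Chrome also counts Qualified ones."""
    scts = parse_sct_list(sct_list)
    apple = evaluate("Apple CT Policy", 3, 1, lambda s: s == "Usable", scts, SAMPLE_LOGS)
    chrome = evaluate("Chrome CT Policy", 2, 2, lambda s: s in ("Usable", "Qualified"), scts, SAMPLE_LOGS)
    return apple + chrome


if __name__ == "__main__":
    for finding in lint(sample_list()):
        print(finding)
```

With the constructed input the Apple rule fails outright (only one Usable log), while the Chrome rule is met only because the Qualified log is counted, which is the situation the two WARNING lines above describe. To run this against a real certificate, feed `parse_sct_list` the bytes inside the extension's OCTET STRING and replace `SAMPLE_LOGS` with entries keyed by the SHA-256 log IDs from the browsers' published log lists.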