bump pkimetal to v1.41.0 and ignore new ctlint warning

docker-compose.yml

@@ -144,7 +144,7 @@ services:
       - bouldernet
 
   bpkimetal:
-    image: ghcr.io/pkimetal/pkimetal:v1.20.0
+    image: ghcr.io/pkimetal/pkimetal:v1.41.0
     networks:
       - bouldernet
 

test/config-next/zlint.toml

@@ -18,7 +18,10 @@ ignore_lints = [
   # Some linters continue to complain about the lack of an AIA OCSP URI, even
   # when a CRLDP is present.
   "certlint:br_certificates_must_include_an_http_url_of_the_ocsp_responder",
-  "x509lint:no_ocsp_over_http"
+  "x509lint:no_ocsp_over_http",
+  # ctlint requires CCADB data to verify SCT signatures; our test issuers are
+  # not in CCADB so this warning fires for every issued certificate.
+  "ctlint:cannot_verify_sct_signature_without_issuer_spki,_which_could_not_be_found_in_the_available_ccadb_data",
 ]
 
 [e_pkimetal_lint_cabf_serverauth_crl]

test/config/zlint.toml

@@ -15,6 +15,9 @@ ignore_lints = [
   # issued under the "classic" profile, but have removed it from our "tlsserver"
   # and "shortlived" profiles.
   "pkilint:cabf.serverauth.subscriber_rsa_digitalsignature_and_keyencipherment_present",
+  # ctlint requires CCADB data to verify SCT signatures; our test issuers are
+  # not in CCADB so this warning fires for every issued certificate.
+  "ctlint:cannot_verify_sct_signature_without_issuer_spki,_which_could_not_be_found_in_the_available_ccadb_data",
 ]
 
 [e_pkimetal_lint_cabf_serverauth_crl]