import crypto-policies-20240304-1.gitb1c706d.el9

i9c-beta changed/i9c-beta/crypto-policies-20240304-1.gitb1c706d.el9
MSVSphere Packaging Team 1 month ago
parent ec0d964ae3
commit 967700dadc
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

@ -1 +1 @@
61d1e62750bb43415038892681dd29637832ee4d SOURCES/crypto-policies-git283706d.tar.gz 0f5b3ec83594d3256334f086b0e1c7755e770022 SOURCES/crypto-policies-gitb1c706d.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/crypto-policies-git283706d.tar.gz SOURCES/crypto-policies-gitb1c706d.tar.gz

@ -1,31 +1,9 @@
%global git_date 20240202 %global git_date 20240304
%global git_commit 283706dbc258f4ac0b19b3291bc18f9b691b222f %global git_commit b1c706d663ae796caab6d1144668ba63ea84a28a
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})} %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
%global _python_bytecompile_extra 0 %global _python_bytecompile_extra 0
# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
%if 0%{?rhel} == 9
# RHEL-9: must be RequiredRSASize in RHEL >= 9.2, Conflicts-enforced,
%global MIN_RSA_NAME RequiredRSASize
%elif 0%{?rhel} == 10
# ELN: RequiredRSASize for openssh >= 9.0p1-5, RSAMinSize for >= 9.0p1-2
%if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-5"
%global MIN_RSA_NAME RequiredRSASize
%elif v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-2"
%global MIN_RSA_NAME RSAMinSize
%else
%global MIN_RSA_NAME none
%endif
%else
# some other distro, follow autodetection which checks for openssh >= 9.1
%if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.1"
%global MIN_RSA_NAME RequiredRSASize
%else
%global MIN_RSA_NAME none
%endif
%endif
Name: crypto-policies Name: crypto-policies
Version: %{git_date} Version: %{git_date}
Release: 1.git%{git_commit_hash}%{?dist} Release: 1.git%{git_commit_hash}%{?dist}
@ -44,26 +22,19 @@ BuildRequires: asciidoc
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: openssl BuildRequires: openssl
BuildRequires: nss-tools BuildRequires: nss-tools
BuildRequires: gnutls-utils >= 3.6.0 BuildRequires: gnutls-utils
BuildRequires: openssh-clients
BuildRequires: java-devel BuildRequires: java-devel
BuildRequires: bind BuildRequires: bind
BuildRequires: perl-interpreter BuildRequires: python3-devel >= 3.9
BuildRequires: perl-generators
BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
BuildRequires: perl(File::Which)
BuildRequires: python3-devel >= 3.6
BuildRequires: python3-pytest BuildRequires: python3-pytest
BuildRequires: make BuildRequires: make
Conflicts: openssl < 1:3.0.1-10 Conflicts: openssl-libs < 1:3.0.1-10
Conflicts: nss < 3.90.0 Conflicts: nss < 3.90.0
Conflicts: libreswan < 3.28 Conflicts: libreswan < 3.28
Conflicts: openssh < 8.7p1-24 Conflicts: openssh < 8.7p1-24
%if 0%{?rhel} == 10
Conflicts: gnutls < 3.7.2-3
%else
Conflicts: gnutls < 3.7.6-22 Conflicts: gnutls < 3.7.6-22
%endif
%description %description
This package provides pre-built configuration files with This package provides pre-built configuration files with
@ -91,12 +62,11 @@ to enable or disable the system FIPS mode.
%build %build
sed -i \ sed -i \
"s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \ "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
python/policygenerators/openssh.py python/policygenerators/openssh.py
grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
%if 0%{?rhel} == 11
%if 0%{?rhel} == 10 # currently ELN NSS doesn't carry the TLS-REQUIRE-EMS patch
# currently ELN 3.90-1 doesn't carry the TLS-REQUIRE-EMS patch
sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \ sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
python/policygenerators/nss.py tests/nss.py python/policygenerators/nss.py tests/nss.py
sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
@ -141,16 +111,7 @@ done
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
%check %check
# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1 make test SKIP_LINTING=1
%if "%{MIN_RSA_NAME}" == "none"
sed -i '/RequiredRSASize .*/d' tests/outputs/*.txt
%elif "%{MIN_RSA_NAME}" == "RSAMinSize"
sed -i 's/RequiredRSASize/RSAMinSize/' tests/outputs/*.txt
%else
[ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7
%endif
make ON_RHEL9=1 test
%post -p <lua> %post -p <lua>
if not posix.access("%{_sysconfdir}/crypto-policies/config") then if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@ -241,6 +202,11 @@ end
%{_mandir}/man8/fips-finish-install.8* %{_mandir}/man8/fips-finish-install.8*
%changelog %changelog
* Mon Mar 04 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240304-1.gitb1c706d
- packaging: remove perl build-dependency, it's not needed anymore
- packaging: use newly introduced SKIP_LINTING=1
- packaging: drop stale workarounds
* Fri Feb 02 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240202-1.git283706d * Fri Feb 02 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240202-1.git283706d
- fips-finish-install: make sure ostree is detected in chroot - fips-finish-install: make sure ostree is detected in chroot
- fips-mode-setup: make sure ostree is detected in chroot - fips-mode-setup: make sure ostree is detected in chroot

Loading…
Cancel
Save