diff --git a/.crypto-policies.metadata b/.crypto-policies.metadata
index cb7bb96..4e1fdfa 100644
--- a/.crypto-policies.metadata
+++ b/.crypto-policies.metadata
@@ -1 +1 @@
-61d1e62750bb43415038892681dd29637832ee4d SOURCES/crypto-policies-git283706d.tar.gz
+0f5b3ec83594d3256334f086b0e1c7755e770022 SOURCES/crypto-policies-gitb1c706d.tar.gz
diff --git a/.gitignore b/.gitignore
index 6b5168f..8e361e8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/crypto-policies-git283706d.tar.gz
+SOURCES/crypto-policies-gitb1c706d.tar.gz
diff --git a/SPECS/crypto-policies.spec b/SPECS/crypto-policies.spec
index 4980042..a2ed1f7 100644
--- a/SPECS/crypto-policies.spec
+++ b/SPECS/crypto-policies.spec
@@ -1,31 +1,9 @@
-%global git_date 20240202
-%global git_commit 283706dbc258f4ac0b19b3291bc18f9b691b222f
+%global git_date 20240304
+%global git_commit b1c706d663ae796caab6d1144668ba63ea84a28a
 %{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
 %global _python_bytecompile_extra 0
-# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
-%if 0%{?rhel} == 9
- # RHEL-9: must be RequiredRSASize in RHEL >= 9.2, Conflicts-enforced,
- %global MIN_RSA_NAME RequiredRSASize
-%elif 0%{?rhel} == 10
- # ELN: RequiredRSASize for openssh >= 9.0p1-5, RSAMinSize for >= 9.0p1-2
- %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-5"
- %global MIN_RSA_NAME RequiredRSASize
- %elif v"%(rpm -q openssh | head -n1)" >= v"openssh-9.0p1-2"
- %global MIN_RSA_NAME RSAMinSize
- %else
- %global MIN_RSA_NAME none
- %endif
-%else
- # some other distro, follow autodetection which checks for openssh >= 9.1
- %if v"%(rpm -q openssh | head -n1)" >= v"openssh-9.1"
- %global MIN_RSA_NAME RequiredRSASize
- %else
- %global MIN_RSA_NAME none
- %endif
-%endif
-
 Name: crypto-policies
 Version: %{git_date}
 Release: 1.git%{git_commit_hash}%{?dist}
@@ -44,26 +22,19 @@ BuildRequires: asciidoc
 BuildRequires: libxslt
 BuildRequires: openssl
 BuildRequires: nss-tools
-BuildRequires: gnutls-utils >= 3.6.0
+BuildRequires: gnutls-utils
+BuildRequires: openssh-clients
 BuildRequires: java-devel
 BuildRequires: bind
-BuildRequires: perl-interpreter
-BuildRequires: perl-generators
-BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
-BuildRequires: perl(File::Which)
-BuildRequires: python3-devel >= 3.6
+BuildRequires: python3-devel >= 3.9
 BuildRequires: python3-pytest
 BuildRequires: make
-Conflicts: openssl < 1:3.0.1-10
+Conflicts: openssl-libs < 1:3.0.1-10
 Conflicts: nss < 3.90.0
 Conflicts: libreswan < 3.28
 Conflicts: openssh < 8.7p1-24
-%if 0%{?rhel} == 10
-Conflicts: gnutls < 3.7.2-3
-%else
 Conflicts: gnutls < 3.7.6-22
-%endif
 %description
 This package provides pre-built configuration files with
@@ -91,12 +62,11 @@ to enable or disable the system FIPS mode.
 %build
 sed -i \
- "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'/" \
+ "s/MIN_RSA_DEFAULT = .*/MIN_RSA_DEFAULT = 'RequiredRSASize'/" \
 python/policygenerators/openssh.py
-grep "MIN_RSA_DEFAULT = '%{MIN_RSA_NAME}'" python/policygenerators/openssh.py
-
-%if 0%{?rhel} == 10
-# currently ELN 3.90-1 doesn't carry the TLS-REQUIRE-EMS patch
+grep "MIN_RSA_DEFAULT = 'RequiredRSASize'" python/policygenerators/openssh.py
+%if 0%{?rhel} == 11
+# currently ELN NSS doesn't carry the TLS-REQUIRE-EMS patch
 sed -i "s/'NSS_NO_TLS_REQUIRE_EMS', '0'/'NSS_NO_TLS_REQUIRE_EMS', '1'/" \
 python/policygenerators/nss.py tests/nss.py
 sed -i "s/:TLS-REQUIRE-EMS:/:/" tests/outputs/*FIPS*.txt
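Review bot: The Conflicts block in the `@@ -44,26 +22,19 @@` hunk now carries, without any comment, the guarantee that the comments deleted at the top of the spec used to spell out. The removed text said RequiredRSASize on RHEL 9 is "Conflicts-enforced", and with the per-distro detection gone the build hard-codes that option name, so `Conflicts: openssh < 8.7p1-24` is presumably the only thing keeping the generated OpenSSH policy away from an sshd that does not recognise it. I would add a comment above these lines such as `# Floors below are the oldest backend builds that understand every option the generated policies emit (e.g. openssh: RequiredRSASize); raise them together with the generators`. The same applies to `Conflicts: gnutls < 3.7.6-22`, which is now unconditional.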
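Review bot: The `%if 0%{?rhel} == 11` block in the `@@ -91,12 +62,11 @@` hunk still has no removal condition, although it switches `NSS_NO_TLS_REQUIRE_EMS` to '1' and strips `:TLS-REQUIRE-EMS:` from the FIPS expected outputs, so it appears to ship a FIPS policy that does not require extended master secret for NSS on that target. The comment should say what ends the workaround and what it costs, for example `# FIXME: remove once NSS in this buildroot carries the TLS-REQUIRE-EMS patch; until then the FIPS policy does not require EMS for NSS`. Moving the guard from 10 to 11 also means builds for 10 now emit TLS-REQUIRE-EMS, and the only NSS floor visible here is `Conflicts: nss < 3.90.0`, so it is worth confirming that this NSS accepts the keyword. The block's `%endif` lies outside the hunk.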
@@ -141,16 +111,7 @@ done
 %py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
 %check
-# RSAMinSize vs RequiredRSASize vs nothing, remove when OpenSSH >= 9.1
-%if "%{MIN_RSA_NAME}" == "none"
- sed -i '/RequiredRSASize .*/d' tests/outputs/*.txt
-%elif "%{MIN_RSA_NAME}" == "RSAMinSize"
- sed -i 's/RequiredRSASize/RSAMinSize/' tests/outputs/*.txt
-%else
- [ "%{MIN_RSA_NAME}" == "RequiredRSASize" ] || exit 7
-%endif
-
-make ON_RHEL9=1 test
+make test SKIP_LINTING=1
 %post -p
 if not posix.access("%{_sysconfdir}/crypto-policies/config") then
@@ -241,6 +202,11 @@ end
 %{_mandir}/man8/fips-finish-install.8*
 %changelog
+* Mon Mar 04 2024 Alexander Sosedkin - 20240304-1.gitb1c706d
+- packaging: remove perl build-dependency, it's not needed anymore
+- packaging: use newly introduced SKIP_LINTING=1
+- packaging: drop stale workarounds
+
 * Fri Feb 02 2024 Alexander Sosedkin - 20240202-1.git283706d
 - fips-finish-install: make sure ostree is detected in chroot
 - fips-mode-setup: make sure ostree is detected in chroot