rpms
/
openssl3
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Include hash in FIPS module version

Browse Source 
Include a hash of specfile, patches, and sources in the FIPS module
version. This should allow us to uniquely identify a build that we do,
so that we can be sure which specific binary is being submitted for
validation and was certified.

The previous solution used $(date +%Y%m%d), which had some risks related
to build server timezone and build date differences on different
architectures.

Resolves: rhbz#2070550
Signed-off-by: Clemens Lang <cllang@redhat.com>
epel8
Clemens Lang 3 years ago
parent ad863e9fc8
commit 1447e64bc3
1 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File

22
openssl.spec
Unescape View File

@ -10,12 +10,26 @@
# also be handled in opensslconf-new.h.
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
%define srpmhash() %{lua:
local files = rpm.expand("%_specdir/openssl.spec")
for i, p in ipairs(patches) do
files = files.." "..p
end
for i, p in ipairs(sources) do
files = files.." "..p
end
local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
print(string.sub(hash, 0, 16))
}
%global _performance_build 1
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.1
Release: 26%{?dist}
Release: 27%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -228,7 +242,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-not
export HASHBANGPERL=/usr/bin/perl
%define fips %{version}-%(date +%Y%m%d)
%define fips %{version}-%{srpmhash}
# ia64, x86_64, ppc are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
@ -426,6 +440,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Fri May 06 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-27
- Change FIPS module version to include hash of specfile, patches and sources
Resolves: rhbz#2070550
* Thu May 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-26
- OpenSSL FIPS module should not build in non-approved algorithms
- Resolves: rhbz#2081378

Write Preview
Loading…
Cancel
Save