diff --git a/SOURCES/macros.rpmsign-gnupg b/SOURCES/macros.rpmsign-gnupg
deleted file mode 100644
index 110ef26..0000000
--- a/SOURCES/macros.rpmsign-gnupg
+++ /dev/null
@@ -1,22 +0,0 @@
-#==============================================================================
-# ---- GPG signature macros.
-# The signature to use and the location of configuration files for
-# signing packages with GNU gpg.
-#
-#%_gpg_name
-#%_gpg_path
-
-%__gpg /usr/bin/gpg2
-
-# Macro(s) to hold the arguments passed to GPG/PGP for package
-# signing. Expansion result is parsed by popt, so be sure to use
-# %{shescape} where needed.
-#
-%__gpg_sign_cmd %{shescape:%{__gpg}} \
- gpg --no-verbose --no-armor --no-secmem-warning \
- %{?_gpg_digest_algo:--digest-algo=%{_gpg_digest_algo}} \
- %{?_gpg_sign_cmd_extra_args} \
- %{?_gpg_name:-u %{shescape:%{_gpg_name}}} \
- -sbo %{shescape:%{?__signature_filename}} \
- %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}}
-
diff --git a/SOURCES/macros.rpmsign-sequoia b/SOURCES/macros.rpmsign-sequoia
new file mode 100644
index 0000000..7476887
--- /dev/null
+++ b/SOURCES/macros.rpmsign-sequoia
@@ -0,0 +1,26 @@
+#==============================================================================
+# ---- Sequoia signature macros.
+# The signature to use and the location of configuration files for
+# signing packages with Sequoia.
+#
+# To enable signing with sequoia-sq, just copy this file to /etc/rpm:
+# cp /usr/share/doc/rpm/macros.rpmsign-sequoia /etc/rpm/
+#
+# Unlike GnuPG, Sequoia doesn't support specifying the signer key by
+# email or name match, you need to supply the hex fingerprint (or keyid)
+#%_gpg_name
+#%_gpg_path
+
+%__gpg /usr/bin/sq
+
+# Macro(s) to hold the arguments passed to Sequoia for package
+# signing. Expansion result is parsed by popt, so be sure to use
+# %{shescape} where needed.
+#
+
+%__gpg_sign_cmd %{__gpg} %{__gpg} sign \
+ %{?_gpg_sign_cmd_extra_args} \
+ %{?_gpg_name:--signer-key %{_gpg_name}} \
+ --binary --detached --output %{shescape:%{?__signature_filename}} \
+ %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}}
+
diff --git a/SOURCES/rpm-4.19.1.1-nogpg.patch b/SOURCES/rpm-4.19.1.1-nogpg.patch
deleted file mode 100644
index 8d21d4a..0000000
--- a/SOURCES/rpm-4.19.1.1-nogpg.patch
+++ /dev/null
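Review bot: The new `%__gpg_sign_cmd` expands `%{__gpg}` and `%{_gpg_name}` without `%{shescape:...}`, although the comment directly above it says the expansion is parsed by popt, and the GnuPG variant removed in this commit quoted both. A configured `%_gpg_name` or `%__gpg` value that contains whitespace or quote characters would therefore be split into extra arguments to the signing command rather than being passed as one value. I would write `%{shescape:%{__gpg}}` for the program path and `%{?_gpg_name:--signer-key %{shescape:%{_gpg_name}}}` for the key. The command also no longer consumes `%_gpg_digest_algo`, so a site that pinned a digest there silently gets the tool's default; a header comment such as `# NOTE: %_gpg_digest_algo is not used by this command; pass tool options via %_gpg_sign_cmd_extra_args` would make that visible.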
@@ -1,59 +0,0 @@
-diff -up rpm-4.19.1.1/macros.in.nogpg rpm-4.19.1.1/macros.in
---- rpm-4.19.1.1/macros.in.nogpg 2024-10-14 10:01:22.265773552 +0300
-+++ rpm-4.19.1.1/macros.in 2024-10-14 10:02:32.245317535 +0300
-@@ -30,7 +30,6 @@
- %__chown @__CHOWN@
- %__cp @__CP@
- %__file @__FILE@
--%__gpg @__GPG@
- %__grep @__GREP@
- %__gzip @__GZIP@
- %__id @__ID@
-@@ -321,12 +320,6 @@ Supplements: (%{name} = %{version}-%{r
- # marked as %doc should be installed.
- #%_excludedocs
-
--# The signature to use and the location of configuration files for
--# signing packages with GNU gpg.
--#
--#%_gpg_name
--#%_gpg_path
--
- # The port and machine name of an HTTP proxy host (used for FTP/HTTP).
- #
- #%_httpport
-@@ -595,10 +588,10 @@ Supplements: (%{name} = %{version}-%{r
- %_fileattrsdir %{_rpmconfigdir}/fileattrs
-
- # This macro defines how much space (in bytes) in package should be
--# reserved for gpg signatures during building of a package. If this space is
--# big enough for gpg signatures to fit into it then signing of the packages is
-+# reserved for OpenPGP signatures during building of a package. If this space
-+# big enough for the signature to fit into it then signing of the packages is
- # very quick because it is not necessary to rewrite the whole package to make
--# some space for gpg signatures.
-+# some space for the signature.
- %__gpg_reserved_space 4096
-
- #==============================================================================
-@@ -613,20 +606,6 @@ Supplements: (%{name} = %{version}-%{r
- %_db_backend @DB_BACKEND@
-
- #==============================================================================
--# ---- GPG/PGP/PGP5 signature macros.
--# Macro(s) to hold the arguments passed to GPG/PGP for package
--# signing. Expansion result is parsed by popt, so be sure to use
--# %{shescape} where needed.
--# --%__gpg_sign_cmd %{shescape:%{__gpg}} \ -- gpg --no-verbose --no-armor --no-secmem-warning \ -- %{?_gpg_digest_algo:--digest-algo=%{_gpg_digest_algo}} \ -- %{?_gpg_sign_cmd_extra_args} \ -- %{?_gpg_name:-u %{shescape:%{_gpg_name}}} \ -- -sbo %{shescape:%{?__signature_filename}} \ -- %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}} -- --#============================================================================== - # ---- Transaction macros. - # Macro(s) used to parameterize transactions. - # diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec index bd10307..d0c545e 100644 --- a/SPECS/rpm.spec +++ b/SPECS/rpm.spec @@ -27,7 +27,7 @@ %global rpmver 4.19.1.1 #global snapver rc1 -%global baserelease 7 +%global baserelease 9 %global sover 10 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -46,7 +46,7 @@ Source10: rpmdb-rebuild.service Source20: rpmdb-migrate.service Source21: rpmdb_migrate -Source31: macros.rpmsign-gnupg +Source30: macros.rpmsign-sequoia Requires: coreutils Requires: popt%{_isa} >= 1.10.2.1 @@ -137,9 +137,6 @@ rpm-4.9.90-no-man-dirs.patch rpm-4.18.92-disable-sysusers.patch rpm-4.18.90-weak-user-group.patch -# We supply gpg config separately, remove gpg stuff from main macros -rpm-4.19.1.1-nogpg.patch - # Patches already upstream: 0001-Fix-potential-use-of-uninitialized-pipe-array.patch 0001-Fix-potential-use-of-uninitialized-pgp-struct.patch 
@@ -183,19 +180,13 @@ This package contains the RPM shared libraries for building packages. %package sign-libs Summary: Libraries for signing RPM packages Requires: rpm-libs%{_isa} = %{version}-%{release} -Requires(meta): rpm-sign-gnupg +# in case somebody on the stream had these installed +Obsoletes: rpm-sign-gnupg < 4.19.1.1-9.el10 +Obsoletes: rpm-sign-sequoia < 4.19.1.1-9.el10 %description sign-libs This package contains the RPM shared libraries for signing packages. -%package sign-gnupg -Summary: Support for signing RPM packages using GnuPG -Requires: gnupg2 -Requires(meta): rpm-sign-libs%{_isa} >= %{version}-%{release} - -%description sign-gnupg -This package provides configuration for signing RPM packages using GnuPG. - %package devel Summary: Development files for manipulating RPM packages License: GPL-2.0-or-later OR LGPL-2.1-or-later @@ -440,8 +431,8 @@ rm -rf $RPM_BUILD_ROOT/var/tmp # workaround for https://github.com/rpm-software-management/rpm/issues/2811 rm $RPM_BUILD_ROOT/%{_defaultdocdir}/rpm/README.md -# Signing macros for GnuPG -install -m 644 %{SOURCE31} $RPM_BUILD_ROOT/%{rpmhome}/macros.d +# Signing macros for Sequoia +install -m 644 %{SOURCE30} $RPM_BUILD_ROOT/%{_defaultdocdir}/rpm/ %pre # Symlink all rpmdb files to the new location if we're still using /var/lib/rpm @@ -580,9 +571,6 @@ fi %{_libdir}/librpmsign.so.%{sover} %{_libdir}/librpmsign.so.%{sover}.* -%files sign-gnupg -%{rpmhome}/macros.d/macros.rpmsign-gnupg - %files build %{_bindir}/rpmbuild %{_bindir}/gendiff @@ -610,6 +598,7 @@ fi %files sign %{_bindir}/rpmsign %{_mandir}/man8/rpmsign.8* +%doc %{_defaultdocdir}/rpm/macros.rpmsign-sequoia %files -n python3-%{name} %dir %{python3_sitearch}/rpm 
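Review bot: The comment above the two `Obsoletes:` lines in `%package sign-libs` says why they exist but not what happens to a host's signing setup when they fire. As far as this diff shows, `rpm-sign-gnupg` was the package carrying `Requires: gnupg2` and owning the macro file that selected the signing tool, and `rpm-sign-sequoia` presumably did the same for Sequoia. After the upgrade the signing command therefore comes from whatever the main macros define, and nothing visible here still pulls in `gnupg2`. I would extend the comment, e.g. `# retired sub-packages: signing config now comes from the main macros; Sequoia users must copy macros.rpmsign-sequoia to /etc/rpm`, and confirm that the `sign` package still requires the tool its default command runs.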
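Review bot: The `%doc` line added to `%files sign` ships a macro file whose header says to "just copy this file to /etc/rpm", but that file hard-codes `%__gpg /usr/bin/sq` and none of the visible hunks make the `sign` package require or recommend the package providing that binary. If the rest of the spec does not already cover it, a weak dependency such as `Recommends: sequoia-sq` on `%package sign` would help, or a line in the macro file header naming the package to install first. Otherwise the first signing attempt after copying the file fails at exec time. The header's copy command also hard-codes `/usr/share/doc/rpm/`, while the spec installs to `%{_defaultdocdir}/rpm/`; a short spec comment noting that the two must stay in sync would be enough.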
@@ -639,6 +628,14 @@ fi %doc %{_defaultdocdir}/rpm/API/ %changelog +* Wed Dec 04 2024 Panu Matilainen - 4.19.1.1-9 +- Revert the gnupg/sequoia sub-packages, too much headache +- Ship sequoia-signing enablement macros as documentation instead +- Generate binary signatures with Sequoia too + +* Tue Nov 12 2024 Michal Domonkos - 4.19.1.1-8 +- Add Sequoia signing support back + * Tue Oct 29 2024 Troy Dawson - 4.19.1.1-7 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018