Move key generation to the post-install stage

Don't package any keys. Generate the keys only if they are missing. Keep
the keys on uninstall.

For TLS keys, increase validity to 10 years. No need to have xrdp stop
working in one year.
Pavel Roskin 2016-12-27 00:22:59 -08:00
parent 85247383dc
commit 1ab54b8592


@ -29,6 +29,7 @@ Requires: tigervnc-server-minimal
Requires(post): systemd Requires(post): systemd
Requires(post): systemd-sysv Requires(post): systemd-sysv
Requires(post): openssl
Requires(preun): systemd Requires(preun): systemd
Requires(postun): systemd Requires(postun): systemd
@ -60,6 +61,9 @@ echo '#!/bin/bash -l
#install logrotate /etc/logrotate.d/xrdp #install logrotate /etc/logrotate.d/xrdp
%{__install} -Dp -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/xrdp %{__install} -Dp -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/xrdp
#install openssl.conf /etc/xrdp
%{__install} -Dp -m 644 keygen/openssl.conf %{buildroot}%{_sysconfdir}/xrdp/openssl.conf
#install log file /var/log/xrdp-sesman.log #install log file /var/log/xrdp-sesman.log
%{__mkdir} -p %{buildroot}%{_localstatedir}/log/ %{__mkdir} -p %{buildroot}%{_localstatedir}/log/
touch %{buildroot}%{_localstatedir}/log/xrdp-sesman.log touch %{buildroot}%{_localstatedir}/log/xrdp-sesman.log
@ -75,8 +79,18 @@ touch %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
%post %post
%systemd_post xrdp.service %systemd_post xrdp.service
xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini > /dev/null if [ ! -f %{_sysconfdir}/xrdp/rsakeys.ini ]; then
%{__chmod} 0600 %{_sysconfdir}/xrdp/rsakeys.ini xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini > /dev/null
%{__chmod} 0600 %{_sysconfdir}/xrdp/rsakeys.ini
fi
if [ ! -f %{_sysconfdir}/xrdp/cert.pem ]; then
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
-keyout %{_sysconfdir}/xrdp/key.pem \
-out %{_sysconfdir}/xrdp/cert.pem \
-subj /C=US/ST=CA/L=Sunnyvale/O=xrdp/CN=www.xrdp.org \
-config %{_sysconfdir}/xrdp/openssl.conf
fi
%preun %preun
%systemd_preun xrdp.service %systemd_preun xrdp.service
@ -110,8 +124,12 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/xrdp %config(noreplace) %{_sysconfdir}/sysconfig/xrdp
%config(noreplace) %{_sysconfdir}/xrdp/sesman.ini %config(noreplace) %{_sysconfdir}/xrdp/sesman.ini
%{_sysconfdir}/xrdp/*.sh %{_sysconfdir}/xrdp/*.sh
%{_sysconfdir}/xrdp/*.pem %exclude %ghost %{_sysconfdir}/xrdp/*.pem
%exclude %ghost %{_sysconfdir}/xrdp/rsakeys.ini
%{_sysconfdir}/xrdp/km*.ini %{_sysconfdir}/xrdp/km*.ini
%{_sysconfdir}/xrdp/openssl.conf
%{_sysconfdir}/xrdp/sesman.ini
%{_sysconfdir}/xrdp/xrdp.ini
%{_sysconfdir}/xrdp/xrdp_keyboard.ini %{_sysconfdir}/xrdp/xrdp_keyboard.ini
%{_bindir}/xrdp-genkeymap %{_bindir}/xrdp-genkeymap
%{_bindir}/xrdp-sesadmin %{_bindir}/xrdp-sesadmin
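Review bot: In the %post block, key.pem is written by `openssl req -nodes` as an unencrypted private key but, unlike rsakeys.ini just above it, is never given a restrictive mode, so its permissions are left to the scriptlet's umask and the OpenSSL version in use. Setting `umask 077` before both generation steps would cover it and would also close the window between xrdp-keygen writing rsakeys.ini and the chmod; at minimum add `%{__chmod} 0600 %{_sysconfdir}/xrdp/key.pem` after the openssl call. The guard also tests only cert.pem, so a host with key.pem present and cert.pem missing gets its existing key overwritten, and one with cert.pem present and key.pem missing is left without a key. Generating only when both are absent, `if [ ! -f %{_sysconfdir}/xrdp/cert.pem ] && [ ! -f %{_sysconfdir}/xrdp/key.pem ]; then`, would avoid clobbering an administrator's key.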