Fix certificate generation at build time

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
This commit is contained in:
Alexander Scheel 2019-05-08 13:58:05 -04:00
parent a9000f05d2
commit 765b2552b2
No known key found for this signature in database
GPG Key ID: C0D6C737D0003143
2 changed files with 112 additions and 2 deletions

View File

@ -0,0 +1,104 @@
From e6f7c9d4c2af1cda7760ca8155166bb5d4d541d0 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 8 May 2019 12:58:02 -0400
Subject: [PATCH] Don't generate certificates in reproducible builds
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
Make.inc.in | 5 +++++
configure | 4 ++++
configure.ac | 3 +++
raddb/all.mk | 4 ++++
4 files changed, 16 insertions(+)
diff --git a/Make.inc.in b/Make.inc.in
index 0b2cd74de8..8c623cf95c 100644
--- a/Make.inc.in
+++ b/Make.inc.in
@@ -173,3 +173,8 @@ else
TESTBINDIR = ./$(BUILD_DIR)/bin
TESTBIN = ./$(BUILD_DIR)/bin
endif
+
+#
+# With reproducible builds, do not generate certificates during installation
+#
+ENABLE_REPRODUCIBLE_BUILDS = @ENABLE_REPRODUCIBLE_BUILDS@
diff --git a/configure b/configure
index c2c599c92b..3d4403a844 100755
--- a/configure
+++ b/configure
@@ -655,6 +655,7 @@ RUSERS
SNMPWALK
SNMPGET
PERL
+ENABLE_REPRODUCIBLE_BUILDS
openssl_version_check_config
WITH_DHCP
modconfdir
@@ -5586,6 +5587,7 @@ else
fi
+ENABLE_REPRODUCIBLE_BUILDS=yes
# Check whether --enable-reproducible-builds was given.
if test "${enable_reproducible_builds+set}" = set; then :
enableval=$enable_reproducible_builds; case "$enableval" in
@@ -5597,6 +5599,7 @@ $as_echo "#define ENABLE_REPRODUCIBLE_BUILDS 1" >>confdefs.h
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac
fi
@@ -5604,6 +5607,7 @@ fi
+
CHECKRAD=checkrad
# Extract the first word of "perl", so it can be a program name with args.
set dummy perl; ac_word=$2
diff --git a/configure.ac b/configure.ac
index a7abf0025a..35b013f4af 100644
--- a/configure.ac
+++ b/configure.ac
@@ -619,6 +619,7 @@ AC_SUBST([openssl_version_check_config])
dnl #
dnl # extra argument: --enable-reproducible-builds
dnl #
+ENABLE_REPRODUCIBLE_BUILDS=yes
AC_ARG_ENABLE(reproducible-builds,
[AS_HELP_STRING([--enable-reproducible-builds],
[ensure the build does not change each time])],
@@ -630,8 +631,10 @@ AC_ARG_ENABLE(reproducible-builds,
;;
*)
reproducible_builds=no
+ ENABLE_REPRODUCIBLE_BUILDS=no
esac ]
)
+AC_SUBST(ENABLE_REPRODUCIBLE_BUILDS)
dnl #############################################################
diff --git a/raddb/all.mk b/raddb/all.mk
index c966edd657..c8e976a499 100644
--- a/raddb/all.mk
+++ b/raddb/all.mk
@@ -124,7 +124,11 @@ $(R)$(raddbdir)/users: $(R)$(modconfdir)/files/authorize
ifneq "$(LOCAL_CERT_PRODUCTS)" ""
$(LOCAL_CERT_PRODUCTS):
@echo BOOTSTRAP raddb/certs/
+ifeq "$(ENABLE_REPRODUCIBLE_BUILDS)" "yes"
+ @$(MAKE) -C $(R)$(raddbdir)/certs/ passwords.mk
+else
@$(MAKE) -C $(R)$(raddbdir)/certs/
+endif
# Bootstrap is special
$(R)$(raddbdir)/certs/bootstrap: | raddb/certs/bootstrap $(LOCAL_CERT_PRODUCTS)
--
2.21.0

View File

@ -23,6 +23,7 @@ Source104: freeradius-tmpfiles.conf
Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch Patch1: freeradius-Adjust-configuration-to-fit-Red-Hat-specifics.patch
Patch2: freeradius-Use-system-crypto-policy-by-default.patch Patch2: freeradius-Use-system-crypto-policy-by-default.patch
Patch3: freeradius-bootstrap-create-only.patch Patch3: freeradius-bootstrap-create-only.patch
Patch4: freeradius-no-buildtime-cert-gen.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -192,6 +193,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1
%build %build
# Force compile/link options, extra security for network facing daemon # Force compile/link options, extra security for network facing daemon
@ -199,6 +201,8 @@ This plugin provides the REST support for the FreeRADIUS server project.
%configure \ %configure \
--libdir=%{_libdir}/freeradius \ --libdir=%{_libdir}/freeradius \
--enable-reproducible-builds \
--with-package \
--disable-openssl-version-check \ --disable-openssl-version-check \
--with-openssl \ --with-openssl \
--with-udpfromto \ --with-udpfromto \
@ -790,9 +794,11 @@ exit 0
%changelog %changelog
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2 * Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2
- Updated crypto-policies patch - Updated crypto-policies patch
- Updated /etc/raddb/certs/bootstrap to only create certificates if missing - Updated /etc/raddb/certs/bootstrap to only create certificates if missing: bz#1705165
- Updated logrotate definitions to run as radiusd:radiusd - Updated logrotate definitions to run as radiusd:radiusd: bz#1705343
- Drop python2 package on Fedora 31+ - Drop python2 package on Fedora 31+
- Add database dependencies: bz#1658697
- Don't generate certificate during build
* Wed Apr 10 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-1 * Wed Apr 10 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-1
- Rebased to 3.0.19 - Rebased to 3.0.19