.gitignore

@@ -1 +1,28 @@
-SOURCES/opendnssec-2.1.7.tar.gz
+/opendnssec-1.4.0a1.tar.gz
+/opendnssec-1.4.0a2.tar.gz
+/opendnssec-1.4.0b1.tar.gz
+/opendnssec-1.4.0b2.tar.gz
+/opendnssec-1.4.0rc1.tar.gz
+/opendnssec-1.4.0rc2.tar.gz
+/opendnssec-1.4.0rc3.tar.gz
+/opendnssec-1.4.0.tar.gz
+/opendnssec-1.4.1.tar.gz
+/opendnssec-1.4.2.tar.gz
+/opendnssec-1.4.3.tar.gz
+/opendnssec-1.4.4.tar.gz
+/opendnssec-1.4.5.tar.gz
+/opendnssec-1.4.6.tar.gz
+/opendnssec-1.4.7.tar.gz
+/opendnssec-1.4.9.tar.gz
+/opendnssec-1.4.14.tar.gz
+/opendnssec-2.1.6.tar.gz
+/opendnssec-2.1.7.tar.gz
+/opendnssec-2.1.8.tar.gz
+/opendnssec-2.1.9.tar.gz
+/opendnssec-2.1.9.tar.gz.sig
+/opendnssec-2.1.10.tar.gz.sig
+/opendnssec-2.1.10.tar.gz
+/opendnssec-2.1.14rc1.tar.gz
+/opendnssec-2.1.14rc1.tar.gz.sig
+/opendnssec-2.1.14.tar.gz
+/opendnssec-2.1.14.tar.gz.sig

.opendnssec.metadata

@@ -1 +0,0 @@
-0277e4f54098bea74809e3d8e6cad1a435570349 SOURCES/opendnssec-2.1.7.tar.gz

0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch

@@ -0,0 +1,35 @@
+From 4d87db0f11bcdd5c54fadb92351b603bd07f76f8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 30 Jan 2023 11:44:49 +0200
+Subject: [PATCH] Pass right remaining buffer size in hsm_hex_unparse to handle
+ string fortification
+
+When string fortification is in use (-DFORTIFY_SOURCE=3), GCC and glibc
+will cut few bytes off the string buffer for prevention of buffer
+overruns. As a result, hsm_hex_unparse() will call into snprintf() with
+a buffer length bigger than the size of the buffer as seen by the
+GCC/glibc pair.
+
+See also: https://pagure.io/freeipa/issue/9312
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ libhsm/src/lib/libhsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
+index 88dc79e31..8f1e0c3bc 100644
+--- a/libhsm/src/lib/libhsm.c
++++ b/libhsm/src/lib/libhsm.c
+@@ -1382,7 +1382,7 @@ hsm_hex_unparse(char *dst, const unsigned char *src, size_t len)
+     size_t i;
+ 
+     for (i = 0; i < len; i++) {
+-        snprintf(dst + (2*i), dst_len, "%02x", src[i]);
++        snprintf(dst + (2*i), dst_len - (2*i), "%02x", src[i]);
+     }
+     dst[len*2] = '\0';
+ }
+-- 
+2.39.0
+

gating.yaml

@@ -0,0 +1,7 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

ods-enforcerd.init

@@ -0,0 +1,106 @@
+#!/bin/bash
+#
+# ods-enforcerd:         Starts the OpenDNSSEC Enforcer Daemon
+#
+# chkconfig: - 13 87
+# description:  ods-enforcerd is the OpenDNSSEC DNSSEC policy enforcer daemon
+# processname: /usr/sbin/ods-enforcerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-enforcerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart| OpenDNSSEC Enforcer Daemon
+# Description: control OpenDNSSEC enforcer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_ENFORCERD_CONF="/etc/opendnssec/conf.xml"
+ODS_ENFORCERD_OPT=""
+ODS_ENFORCERD_PROG="/usr/sbin/ods-enforcerd"
+ODS_ENFORCERD_PIDFILE="/var/run/opendnssec/enforcerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+  # Source networking configuration.
+  [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+  # Check that networking is up
+  [ "${NETWORKING}" = "no" ] && exit 1
+
+  # Sanity checks.
+  [ -f $ODS_ENFORCERD_CONF ] || exit 5
+  [ -x $ODS_ENFORCERD_PROG ] || exit 5
+  # /var/run could (and should) be tmpfs
+  [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+  echo -n $"Starting ods-enforcerd:"
+  $ODS_ENFORCERD_PROG -c $ODS_ENFORCERD_CONF $ODS_ENFORCERD_OPT
+  RETVAL=$?
+        if [ $RETVAL -eq 0 ]; then
+           touch /var/lock/subsys/ods-enforcerd;
+           success
+           echo
+        else
+           failure
+           echo
+           exit 7;
+        fi
+  return 0;
+}
+
+stop() {
+  echo -n $"Stopping ods-enforcerd: "
+    killproc -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+    retval=$?
+    if [ $retval -eq 0 ] ; then
+       rm -f $ODS_ENFORCERD_PIDFILE
+       rm -f /var/lock/subsys/ods-enforcerd
+       success
+    else
+       failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+	stop
+	start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	restart
+	;;
+  condrestart)
+        [ -f /var/lock/subsys/ods-enforcerd ] && restart || :
+	;;
+  status)
+	status -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+	exit 1
+esac
+
+exit $?

ods-signerd.init

@@ -0,0 +1,112 @@
+#!/bin/bash
+#
+# ods-signerd:         Starts the OpenDNSSEC Signer Daemon
+#
+# chkconfig: - 13 87
+# description:  ods-signerd is the OpenDNSSEC DNSSEC zone signer daemon
+# processname: /usr/sbin/ods-signerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-signerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart|reload|force-reload OpenDNSSEC Signer Daemon
+# Description: control OpenDNSSEC signer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_SIGNERD_CONF="/etc/opendnssec/conf.xml"
+ODS_SIGNERD_OPT=""
+ODS_SIGNERD_PROG="/usr/sbin/ods-signerd"
+ODS_SIGNER_PROG="/usr/sbin/ods-signer"
+ODS_SIGNERD_PIDFILE="/var/run/opendnssec/signerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+  # Source networking configuration.
+  [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+  # Check that networking is up
+  [ "${NETWORKING}" = "no" ] && exit 1
+
+  # Sanity checks.
+  [ -f $ODS_SIGNERD_CONF ] || exit 5
+  [ -x $ODS_SIGNERD_PROG ] || exit 5
+  # /var/run could (and should) be tmpfs
+  [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+  echo -n $"Starting ods-signerd:"
+# ods-signerd is lying about supporting -c conf.file option :(
+#  $ODS_SIGNERD_PROG -c $ODS_SIGNERD_CONF $ODS_SIGNERD_OPT
+  $ODS_SIGNERD_PROG $ODS_SIGNERD_OPT
+  RETVAL=$?
+        if [ $RETVAL -eq 0 ]; then
+           touch /var/lock/subsys/ods-signerd;
+           success
+           echo
+        else
+           failure
+           echo
+           exit 7;
+        fi
+  return 0;
+}
+
+stop() {
+  echo -n $"Stopping ods-signerd: "
+  #$ODS_SIGNER_PROG -c $ODS_SIGNERD_CONF stop
+  # seems that this loses our settings :(
+  /usr/sbin/ods-signer stop
+  RETVAL=$?
+  [ "$RETVAL" -eq 0 ] || killproc $ODS_SIGNERD_PROG -TERM >/dev/null 2>&1
+  if [ $RETVAL -eq 0 ] ; then
+     rm -f $ODS_SIGNERD_PIDFILE
+     rm -f /var/lock/subsys/ods-signerd
+     success
+  else
+     failure
+  fi
+  echo
+  return $RETVAL
+}
+
+restart() {
+	stop
+	start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	restart
+	;;
+  condrestart)
+        [ -f /var/lock/subsys/ods-signerd ] && restart || :
+	;;
+  status)
+	status -p $ODS_SIGNERD_PIDFILE $ODS_SIGNERD_PROG
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+	exit 1
+esac
+
+exit $?

ods-signerd.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=OpenDNSSEC signer daemon
-After=syslog.target network.target ods-enforcerd
+After=syslog.target network.target ods-enforcerd.service
 
 [Service]
 Type=simple

opendnssec-1.4.13-openssl1.1.patch

@@ -0,0 +1,95 @@
+From e2bbb899195ea98b6b5f6c972ab764a53b387789 Mon Sep 17 00:00:00 2001
+From: Yuri Schaeffer <yuri@nlnetlabs.nl>
+Date: Fri, 4 Nov 2016 15:35:06 +0100
+Subject: [PATCH] HMAC_CTX_init deprecated in openssl-1.1.0
+
+---
+ m4/acx_ssl.m4                  | 12 +++++++++---
+ signer/src/Makefile.am         |  4 ++--
+ signer/src/wire/tsig-openssl.c | 15 ++++++++++++---
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/m4/acx_ssl.m4 b/m4/acx_ssl.m4
+index 1dc6e40..3d64626 100644
+--- a/m4/acx_ssl.m4
++++ b/m4/acx_ssl.m4
+@@ -35,12 +35,18 @@ AC_DEFUN([ACX_SSL], [
+             if test x_$ssldir = x_/usr/sfw; then
+                 SSL_LIBS="$SSL_LIBS -R$ssldir/lib";
+             fi
+-            AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
+-                    AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+-            ])
++            AC_CHECK_LIB(crypto, HMAC_CTX_reset, [
++                    AC_DEFINE_UNQUOTED([HAVE_SSL_NEW_HMAC], [], [Define if you have the SSL libraries with new HMAC related functions.])
++                    SSL_LIBS="$SSL_LIBS -lcrypto";
++            ], [
++                    AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
++                            AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
++                    ])
++            ] )
+             AC_CHECK_FUNCS([EVP_sha1 EVP_sha256])
+         fi
+         AC_SUBST(HAVE_SSL)
++        AC_SUBST(HAVE_SSL_NEW_HMAC)
+         AC_SUBST(SSL_INCLUDES)
+         AC_SUBST(SSL_LIBS)
+     fi
+diff --git a/signer/src/Makefile.am b/signer/src/Makefile.am
+index 60e8877..b39eac8 100644
+--- a/signer/src/Makefile.am
++++ b/signer/src/Makefile.am
+@@ -133,7 +133,7 @@ ods_signer_SOURCES=		ods-signer.c \
+ 				wire/xfrd.c wire/xfrd.h
+ 
+ ods_signer_LDADD=		$(LIBHSM)
+-ods_signer_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
++ods_signer_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@ @SSL_LIBS@ 
+ ods_signer_LDADD+=		$(LIBCOMPAT)
+ 
+ ods_getconf_SOURCES=		ods-getconf.c \
+@@ -193,5 +193,5 @@ ods_getconf_SOURCES=		ods-getconf.c \
+ 				wire/xfrd.c wire/xfrd.h
+ 
+ ods_getconf_LDADD=		$(LIBHSM)
+-ods_getconf_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
++ods_getconf_LDADD+=		@SSL_LIBS@ @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ ods_getconf_LDADD+=		$(LIBCOMPAT)
+diff --git a/signer/src/wire/tsig-openssl.c b/signer/src/wire/tsig-openssl.c
+index c26b1e7..24fd342 100644
+--- a/signer/src/wire/tsig-openssl.c
++++ b/signer/src/wire/tsig-openssl.c
+@@ -131,8 +131,11 @@ static void
+ cleanup_context(void *data)
+ {
+     HMAC_CTX* context = (HMAC_CTX*) data;
++#ifdef HAVE_SSL_NEW_HMAC
++    HMAC_CTX_free(context);
++#else
+     HMAC_CTX_cleanup(context);
+-    return;
++#endif
+ }
+ 
+ static void
+@@ -155,9 +158,15 @@ context_add_cleanup(void* context)
+ static void*
+ create_context(allocator_type* allocator)
+ {
+-    HMAC_CTX* context = (HMAC_CTX*) allocator_alloc(allocator,
+-        sizeof(HMAC_CTX));
++    HMAC_CTX* context;
++#ifdef HAVE_SSL_NEW_HMAC
++    context = HMAC_CTX_new();
++    if (!context) return NULL;
++    HMAC_CTX_reset(context);
++#else
++    context = (HMAC_CTX*) allocator_alloc(allocator, sizeof(HMAC_CTX));
+     HMAC_CTX_init(context);
++#endif
+     context_add_cleanup(context);
+     return context;
+ }
+-- 
+2.9.3
+

opendnssec-1.4.5-serial0.patch

@@ -0,0 +1,13 @@
+diff -Naur opendnssec-1.4.5-orig/signer/src/adapter/addns.c opendnssec-1.4.5/signer/src/adapter/addns.c
+--- opendnssec-1.4.5-orig/signer/src/adapter/addns.c	2014-03-25 06:45:44.000000000 +0000
++++ opendnssec-1.4.5/signer/src/adapter/addns.c	2014-04-18 16:26:39.079974120 +0000
+@@ -243,7 +243,8 @@
+             tmp_serial =
+                 ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
+             old_serial = adapi_get_serial(zone);
+-            if (!util_serial_gt(tmp_serial, old_serial)) {
++            if (!util_serial_gt(tmp_serial, old_serial)
++		&& zone->db->is_initialized) {
+                 ods_log_info("[%s] zone %s is already up to date, have "
+                     "serial %u, got serial %u", adapter_str, zone->name,
+                     old_serial, tmp_serial);

opendnssec-1.4.6-extract.patch

@@ -0,0 +1,168 @@
+commit 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37
+Author: Petr Spacek <pspacek@redhat.com>
+Date:   Fri Jul 18 16:19:36 2014 +0200
+
+    add libhsm configuration option <AllowExtraction/>
+    
+    This option allows user to generate private keys with CKA_EXTRACTABLE
+    flag set to TRUE. Defaults to FALSE.
+
+diff --git a/NEWS b/NEWS
+index 4db7038..2efa176 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,8 @@
++* Enforcer: New repository option <AllowExtraction/> allows to generate keys
++  with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
++  and extracted from HSM.
++
++
+ OpenDNSSEC 1.4.6 - 2014-07-21
+ 
+ * Signer Engine: Print secondary server address when logging notify reply
+diff --git a/conf/conf.rnc b/conf/conf.rnc
+index 71d527f..65f837e 100644
+--- a/conf/conf.rnc
++++ b/conf/conf.rnc
+@@ -50,7 +50,10 @@ start = element Configuration {
+ 			element RequireBackup { empty }?,
+ 
+ 			# Do not maintain public keys in the repository (optional)
+-			element SkipPublicKey { empty }?
++			element SkipPublicKey { empty }?,
++
++			# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
++			element AllowExtraction { empty }?
+ 		}*
+ 	},
+ 
+diff --git a/conf/conf.xml.in b/conf/conf.xml.in
+index 0ef2ab9..0536681 100644
+--- a/conf/conf.xml.in
++++ b/conf/conf.xml.in
+@@ -9,6 +9,9 @@
+ 			<TokenLabel>OpenDNSSEC</TokenLabel>
+ 			<PIN>1234</PIN>
+ 			<SkipPublicKey/>
++			<!--
++			<AllowExtraction/>
++			-->
+ 		</Repository>
+ 
+ <!--
+diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
+index d723b31..1f9720e 100644
+--- a/libhsm/src/lib/libhsm.c
++++ b/libhsm/src/lib/libhsm.c
+@@ -504,6 +504,7 @@ static void
+ hsm_config_default(hsm_config_t *config)
+ {
+     config->use_pubkey = 1;
++    config->allow_extract = 0;
+ }
+ 
+ /* creates a session_t structure, and automatically adds and initializes
+@@ -2054,6 +2055,8 @@ hsm_open(const char *config,
+                     module_pin = (char *) xmlNodeGetContent(curNode);
+                 if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
+                     module_config.use_pubkey = 0;
++                if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
++                    module_config.allow_extract = 1;
+                 curNode = curNode->next;
+             }
+ 
+@@ -2341,10 +2344,12 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+     CK_BBOOL ctoken = CK_TRUE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+     do {
+@@ -2380,7 +2385,7 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
+         { CKA_SENSITIVE,   &ctrue,   sizeof (ctrue) },
+         { CKA_TOKEN,       &ctrue,   sizeof (ctrue)  },
+         { CKA_PRIVATE,     &ctrue,   sizeof (ctrue)  },
+-        { CKA_EXTRACTABLE, &cfalse,  sizeof (cfalse) }
++        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
+@@ -2420,6 +2425,7 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
+     CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2466,12 +2472,13 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
++        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+@@ -2533,6 +2540,7 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
+     CK_OBJECT_HANDLE publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2569,12 +2577,13 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
++        { CKA_EXTRACTABLE,         &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+diff --git a/libhsm/src/lib/libhsm.h b/libhsm/src/lib/libhsm.h
+index 45d110a..08224b8 100644
+--- a/libhsm/src/lib/libhsm.h
++++ b/libhsm/src/lib/libhsm.h
+@@ -75,6 +75,7 @@
+ /*! HSM configuration */
+ typedef struct {
+     unsigned int use_pubkey;     /*!< Maintain public keys in HSM */
++    unsigned int allow_extract;  /*!< Generate CKA_EXTRACTABLE private keys */
+ } hsm_config_t;
+ 
+ /*! Data type to describe an HSM */
+--- a/conf/conf.rng
++++ b/conf/conf.rng
+@@ -71,6 +71,12 @@
+                 <empty/>
+               </element>
+             </optional>
++            <optional>
++              <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
++              <element name="AllowExtraction">
++                <empty/>
++              </element>
++            </optional>
+           </element>
+         </zeroOrMore>
+       </element>

opendnssec-1.4.7-extract.patch

@@ -0,0 +1,156 @@
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc
+--- opendnssec-1.4.7-orig/conf/conf.rnc	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.rnc	2014-12-08 22:49:16.100212010 -0500
+@@ -50,7 +50,10 @@
+ 			element RequireBackup { empty }?,
+ 
+ 			# Do not maintain public keys in the repository (optional)
+-			element SkipPublicKey { empty }?
++			element SkipPublicKey { empty }?,
++
++			# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
++			element AllowExtraction { empty }?
+ 		}*
+ 	},
+ 
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng
+--- opendnssec-1.4.7-orig/conf/conf.rng	2014-12-04 10:18:39.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.rng	2014-12-08 22:49:16.105212137 -0500
+@@ -71,6 +71,12 @@
+                 <empty/>
+               </element>
+             </optional>
++            <optional>
++              <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
++              <element name="AllowExtraction">
++                <empty/>
++              </element>
++            </optional>
+           </element>
+         </zeroOrMore>
+       </element>
+diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in
+--- opendnssec-1.4.7-orig/conf/conf.xml.in	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.xml.in	2014-12-08 22:49:16.101212036 -0500
+@@ -9,6 +9,9 @@
+ 			<TokenLabel>OpenDNSSEC</TokenLabel>
+ 			<PIN>1234</PIN>
+ 			<SkipPublicKey/>
++			<!--
++			<AllowExtraction/>
++			-->
+ 		</Repository>
+ 
+ <!--
+diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c opendnssec-1.4.7/libhsm/src/lib/libhsm.c
+--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.c	2014-12-08 22:49:16.102212061 -0500
+@@ -504,6 +504,7 @@
+ hsm_config_default(hsm_config_t *config)
+ {
+     config->use_pubkey = 1;
++    config->allow_extract = 0;
+ }
+ 
+ /* creates a session_t structure, and automatically adds and initializes
+@@ -2054,6 +2055,8 @@
+                     module_pin = (char *) xmlNodeGetContent(curNode);
+                 if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
+                     module_config.use_pubkey = 0;
++                if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
++                    module_config.allow_extract = 1;
+                 curNode = curNode->next;
+             }
+ 
+@@ -2341,10 +2344,12 @@
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+     CK_BBOOL ctoken = CK_TRUE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+     do {
+@@ -2380,7 +2385,7 @@
+         { CKA_SENSITIVE,   &ctrue,   sizeof (ctrue) },
+         { CKA_TOKEN,       &ctrue,   sizeof (ctrue)  },
+         { CKA_PRIVATE,     &ctrue,   sizeof (ctrue)  },
+-        { CKA_EXTRACTABLE, &cfalse,  sizeof (cfalse) }
++        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
+@@ -2420,6 +2425,7 @@
+     CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2466,12 +2472,13 @@
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
++        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+@@ -2533,6 +2540,7 @@
+     CK_OBJECT_HANDLE publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2569,12 +2577,13 @@
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
++        { CKA_EXTRACTABLE,         &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h opendnssec-1.4.7/libhsm/src/lib/libhsm.h
+--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.h	2014-12-08 22:49:16.102212061 -0500
+@@ -75,6 +75,7 @@
+ /*! HSM configuration */
+ typedef struct {
+     unsigned int use_pubkey;     /*!< Maintain public keys in HSM */
++    unsigned int allow_extract;  /*!< Generate CKA_EXTRACTABLE private keys */
+ } hsm_config_t;
+ 
+ /*! Data type to describe an HSM */
+diff -Naur opendnssec-1.4.7-orig/NEWS opendnssec-1.4.7/NEWS
+--- opendnssec-1.4.7-orig/NEWS	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/NEWS	2014-12-08 22:50:00.560342544 -0500
+@@ -1,3 +1,9 @@
++
++Fedora patch:
++* Enforcer: New repository option <AllowExtraction/> allows to generate keys
++  with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
++  and extracted from HSM.
++
+ OpenDNSSEC 1.4.7 - 2014-12-04
+ 
+ Bugfixes:

opendnssec-2.1.14rc1-gcc14.patch

@@ -0,0 +1,34 @@
+From 17e9e444e052ca43ab31da77e9327f159baf5b9c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 8 Feb 2024 13:10:53 +0200
+Subject: [PATCH] Fix missing include
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+scheduler/task.c: In function ‘task_perform’:
+scheduler/task.c:137:25: error: implicit declaration of function ‘clamp’ [-Wimplicit-function-declaration]
+  137 |         task->backoff = clamp(task->backoff * 2, 60, ODS_SE_MAX_BACKOFF);
+      |                         ^~~~~
+make[2]: *** [Makefile:600: scheduler/task.o] Error 1
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ common/scheduler/task.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/scheduler/task.c b/common/scheduler/task.c
+index 4dcf9e900..0dfa496a2 100644
+--- a/common/scheduler/task.c
++++ b/common/scheduler/task.c
+@@ -40,6 +40,7 @@
+ #include "duration.h"
+ #include "file.h"
+ #include "log.h"
++#include "utilities.h"
+ 
+ static const char* task_str = "task";
+ static pthread_mutex_t worklock = PTHREAD_MUTEX_INITIALIZER;
+-- 
+2.43.0
+

opendnssec-LICENSE

@@ -0,0 +1,25 @@
+$Id: LICENSE 6226 2012-03-26 17:25:52Z jakob $
+
+Copyright (c) 2012 OpenDNSSEC AB (svb). All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

opendnssec-c99-2.patch

@@ -0,0 +1,20 @@
+commit 5422819c17c02e6069328b2f5e4bef6fe5c179df
+Author: Mathieu Mirmont <mat@parad0x.org>
+Date:   Sun Dec 1 17:57:36 2019 +0100
+
+    enforcer: remove remove strptime build warning
+
+diff --git a/enforcer/src/daemon/time_leap_cmd.c b/enforcer/src/daemon/time_leap_cmd.c
+index f1ee21b87529c136..5baef1b6ff7c4cc2 100644
+--- a/enforcer/src/daemon/time_leap_cmd.c
++++ b/enforcer/src/daemon/time_leap_cmd.c
+@@ -26,8 +26,8 @@
+  *
+  */
+ 
+-#include <getopt.h>
+ #include "config.h"
++#include <getopt.h>
+ 
+ #include "file.h"
+ #include "duration.h"

opendnssec-configure-c99.patch

@@ -0,0 +1,45 @@
+Include <unistd.h> for the setresuid and setresgid functions,
+to avoid an implicit function declaration.
+
+Submitted upstream: <https://github.com/opendnssec/opendnssec/pull/843>
+
+diff --git a/configure b/configure
+index bf515cde3d4fab71..52d2885d6a6ef546 100755
+--- a/configure
++++ b/configure
+@@ -21101,6 +21101,7 @@ else
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+@@ -21143,6 +21144,7 @@ else
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+diff --git a/m4/acx_broken_setres.m4 b/m4/acx_broken_setres.m4
+index 374cee0b0b8ef196..467db9170a319170 100644
+--- a/m4/acx_broken_setres.m4
++++ b/m4/acx_broken_setres.m4
+@@ -4,6 +4,7 @@ AC_DEFUN([ACX_BROKEN_SETRES],[
+ 		AC_MSG_CHECKING(if setresuid seems to work)
+ 		AC_RUN_IFELSE(
+ 			[AC_LANG_SOURCE([[
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+@@ -20,6 +21,7 @@ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+ 		AC_MSG_CHECKING(if setresgid seems to work)
+ 		AC_RUN_IFELSE(
+ 			[AC_LANG_SOURCE([[
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}

opendnssec-implicit-declarations.patch

@@ -0,0 +1,48 @@
+From 7060607ef359162d5b0aef62a4b8440fd42c9d28 Mon Sep 17 00:00:00 2001
+From: Yaakov Selkowitz <yselkowi@redhat.com>
+Date: Tue, 26 Dec 2023 14:09:12 -0500
+Subject: [PATCH] Fix implicit function declarations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+utils/kaspcheck.c:101:33: error: implicit declaration of function ‘exit’
+utils/kaspcheck.c:136:17: error: implicit declaration of function ‘free’
+utils/kc_helper.c:47:40: error: implicit declaration of function ‘free’
+utils/kc_helper.c:519:85: error: implicit declaration of function ‘atoi’
+utils/kc_helper.c:569:83: error: implicit declaration of function ‘malloc’
+utils/kc_helper.c:1122:28: error: implicit declaration of function ‘strtol’
+utils/kc_helper.c:1274:25: error: implicit declaration of function ‘exit’
+utils/kc_helper.c:1375:21: error: implicit declaration of function ‘calloc’
+---
+ enforcer/src/utils/kaspcheck.c | 1 +
+ enforcer/src/utils/kc_helper.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/enforcer/src/utils/kaspcheck.c b/enforcer/src/utils/kaspcheck.c
+index 9bac3b796..b3b808598 100644
+--- a/enforcer/src/utils/kaspcheck.c
++++ b/enforcer/src/utils/kaspcheck.c
+@@ -26,6 +26,7 @@
+ #define _GNU_SOURCE
+ #include <stdio.h>
+ #include <getopt.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <syslog.h>
+ 
+diff --git a/enforcer/src/utils/kc_helper.c b/enforcer/src/utils/kc_helper.c
+index 89e56c61e..e1704f6f9 100644
+--- a/enforcer/src/utils/kc_helper.c
++++ b/enforcer/src/utils/kc_helper.c
+@@ -27,6 +27,7 @@
+ #include <syslog.h>
+ #include <stdarg.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <errno.h>
+-- 
+2.43.0
+

opendnssec-sysusers.conf

@@ -0,0 +1 @@
+u ods - "opendnssec daemon account"

opendnssec.spec

@@ -1,13 +1,13 @@
-#global prever rcX
 %global _hardened_build 1
 
 Summary: DNSSEC key and zone management software
 Name: opendnssec
-Version: 2.1.7
-Release: 2%{?prever}%{?dist}
-License: BSD
+Version: 2.1.14
+Release: 1%{?dist}
+License: BSD-2-Clause
 Url: http://www.opendnssec.org/
-Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
+Source0: https://dist.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
+Source10: https://dist.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz.sig
 Source1: ods-enforcerd.service
 Source2: ods-signerd.service
 Source3: ods.sysconfig
@@ -16,9 +16,16 @@ Source5: tmpfiles-opendnssec.conf
 Source6: opendnssec.cron
 Source7: opendnssec-2.1.sqlite_convert.sql
 Source8: opendnssec-2.1.sqlite_rpmversion.sql
+Source9: %{name}-sysusers.conf
+Patch1: 0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch
+Patch2: opendnssec-configure-c99.patch
+Patch3: opendnssec-2.1.14rc1-gcc14.patch
+Patch4: opendnssec-c99-2.patch
+Patch5: opendnssec-implicit-declarations.patch
 
 Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
 Requires: libxml2, libxslt sqlite
+BuildRequires: make
 BuildRequires:  gcc
 BuildRequires: ldns-devel >= 1.6.12, sqlite-devel >= 3.0.0, openssl-devel
 BuildRequires: libxml2-devel CUnit-devel, doxygen
@@ -34,7 +41,10 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 %if 0%{?prever:1}
 # For building development snapshots
-Buildrequires: autoconf, automake, libtool, java
+Buildrequires: autoconf, automake, libtool
+%ifarch %{java_arches}
+Buildrequires: java
+%endif
 %endif
 
 %description
@@ -44,19 +54,28 @@ name server. It requires a PKCS#11 crypto module library, such as softhsm
 
 %prep
 %setup -q -n %{name}-%{version}%{?prever}
+%patch -P1 -p1
+%patch -P2 -p1
+%patch -P3 -p1
+%patch -P4 -p1
+%patch -P5 -p1
+
+# Prevent re-running autoconf.
+touch -r aclocal.m4 configure* m4/*
+
 # bump default policy ZSK keysize to 2048
 sed -i "s/1024/2048/" conf/kasp.xml.in
 
 %build
-#export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
-#export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
-#export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
+export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
+export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
 %if 0%{?prever:1}
 # for development snapshots
-sh ./autogen.sh
+autoreconf
 %endif
 %configure --with-ldns=%{_libdir}
-make %{?_smp_mflags}
+%make_build
 
 %check
 # Requires sample db not shipped with upstream
@@ -64,7 +83,7 @@ make %{?_smp_mflags}
 
 %install
 rm -rf %{buildroot}
-make DESTDIR=%{buildroot} install
+%make_install
 mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf,enforcer}
 install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
 install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
@@ -77,6 +96,8 @@ install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
 install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
 mkdir -p %{buildroot}%{_tmpfilesdir}/
 install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
+install -D %{SOURCE9} %{buildroot}%{_sysusersdir}/%{name}.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
 mkdir -p %{buildroot}%{_datadir}/opendnssec/
 cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
 cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
@@ -102,6 +123,7 @@ sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert
 %attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer
 %attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
+%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
 %doc NEWS README.md
 %license LICENSE
@@ -110,13 +132,11 @@ sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert
 %{_bindir}/*
 %attr(0755,root,root) %dir %{_datadir}/opendnssec
 %{_datadir}/opendnssec/*
+%{_sysusersdir}/%{name}.conf
 
 %pre
-getent group ods >/dev/null || groupadd -r ods
-getent passwd ods >/dev/null || \
-useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
--c "opendnssec daemon account" ods
-exit 0
+
+%sysusers_create_package %{name} %{SOURCE9}
 
 %post
 # Initialise a slot on the softhsm on first install
@@ -175,19 +195,120 @@ ods-enforcer update all >/dev/null 2>/dev/null ||:
 %systemd_postun_with_restart ods-signerd.service
 
 %changelog
-* Mon Mar 10 2025 Rafael Jeffman <rjeffman@redhat.com> - 2.1.7-2
-- Don't creat /var/run/opendnssec directory
-- Resolves: RHEL-12163
+* Wed Jan 22 2025 Rafael Jeffman <rjeffman@redhat.com> - 2.1.14-1
+- Rebase to stable version 2.1.14
+  Resolves: RHEL-75904
+- Use systemd-sysusers to create users
+  Resolves: RHEL-4896
+
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.1.14-0.3rc1
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.1.14-0.2rc1
+- Bump release for June 2024 mass rebuild
+
+* Thu Feb 08 2024 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.14-0.1rc1
+- Upstream release 2.1.14RC1
+- Fix build with gcc 14
+- Resolves: rhbz#2261421
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Feb 24 2023 Florian Weimer <fweimer@redhat.com> - 2.1.10-6
+- Port to C99
+
+* Mon Jan 30 2023 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.10-5
+- Fix fortification issues leading to crash in FreeIPA setup
+  Upstream PR: https://github.com/opendnssec/opendnssec/pull/842
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Oct 18 2021 François Cami <fcami@redhat.com> - 2.1.10-1
+- Update to 2.1.10 (rhbz#2003250).
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.1.9-3
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jul 06 2021 François Cami <fcami@redhat.com> - 2.1.9-1
+- Update to 2.1.9 (rhbz#1956561). Solves OPENDNSSEC-955 and OPENDNSSEC-956.
+- Known issue: OPENDNSSEC-957: Signer daemon stops with failure exit code even when no error occured.
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.1.8-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Sat Feb 20 2021 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 2.1.8-1
+- Update to 2.1.8 (#1931143)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Dec 19 10:13:50 PST 2020 awilliam@redhat.com - 2.1.7-3
+- Rebuild for libldns soname bump
+
+* Tue Dec  8 21:09:23 EST 2020 Paul Wouters <pwouters@redhat.com> - 2.1.7-2
+- Resolves rhbz#1826233 ods-enforcerd.service should wait until socket is ready
 
 * Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.7-1
 - Upstream release 2.1.7
-- Resolves: rhbz#1904484
 
-* Fri May 08 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-2
-- Resolves: rhbz#1831732 AVC avc: denied { dac_override } for comm="ods-enforcerd
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.6-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
-* Wed Apr 15 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-1
-- Resolves: rhbz#1759888 Rebase OpenDNSSEC to 2.1
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 2.1.6-7
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Thu May 28 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-6
+- Resolves: rhbz#1833718 ods-signerd.service missing .service
+
+* Mon Apr 20 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-5
+- Resolves: rhbz#1825812 AVC avc: denied { dac_override } for comm="ods-enforcerd
+
+* Wed Mar 11 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-4
+- Fix migration check to not attempt to check on first install with no db
+
+* Tue Mar 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.6-3
+- Create and manage /var/opendnssec/enforcer directory
+- Resolves rhbz#1809492
+
+* Wed Feb 19 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-2
+- Update to 2.1.6 (major upgrade, supports migration from 1.4.x)
+- gcc10 compile fixups
+- Fix trying to use unversioned libsqlite3.so file
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 
 * Tue Dec 12 2017 Paul Wouters <pwouters@redhat.com> - 1.4.14-1
 - Update to 1.4.14 as first steop to migrating to 2.x

sources

@@ -0,0 +1,2 @@
+SHA512 (opendnssec-2.1.14.tar.gz) = 406532008b85fbcae765a41e9fba28ce97051d86f6b64f58ded02288ac7a417a83bf93739712588b641c7d782a06448aeeb65415fd5585f70a362211a184593f
+SHA512 (opendnssec-2.1.14.tar.gz.sig) = 45684220fa29e31e7c77a2f5802f5e56edb780a536fe7c81b9fae2b9c41664647f1f321f1f3bea8a82d806dda08d21ac32edc8f3e5ed3bea72729c7fd3b94620