.gitignore

@@ -1 +1 @@
-SOURCES/opendnssec-2.1.7.tar.gz
+SOURCES/opendnssec-2.1.10.tar.gz

.opendnssec.metadata

@@ -1 +1 @@
-0277e4f54098bea74809e3d8e6cad1a435570349 SOURCES/opendnssec-2.1.7.tar.gz
+450313b710434d1d7531b5eb5c28a475646a49fb SOURCES/opendnssec-2.1.10.tar.gz

SOURCES/0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch

@@ -0,0 +1,35 @@
+From 4d87db0f11bcdd5c54fadb92351b603bd07f76f8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 30 Jan 2023 11:44:49 +0200
+Subject: [PATCH] Pass right remaining buffer size in hsm_hex_unparse to handle
+ string fortification
+
+When string fortification is in use (-DFORTIFY_SOURCE=3), GCC and glibc
+will cut few bytes off the string buffer for prevention of buffer
+overruns. As a result, hsm_hex_unparse() will call into snprintf() with
+a buffer length bigger than the size of the buffer as seen by the
+GCC/glibc pair.
+
+See also: https://pagure.io/freeipa/issue/9312
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ libhsm/src/lib/libhsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
+index 88dc79e31..8f1e0c3bc 100644
+--- a/libhsm/src/lib/libhsm.c
++++ b/libhsm/src/lib/libhsm.c
+@@ -1382,7 +1382,7 @@ hsm_hex_unparse(char *dst, const unsigned char *src, size_t len)
+     size_t i;
+ 
+     for (i = 0; i < len; i++) {
+-        snprintf(dst + (2*i), dst_len, "%02x", src[i]);
++        snprintf(dst + (2*i), dst_len - (2*i), "%02x", src[i]);
+     }
+     dst[len*2] = '\0';
+ }
+-- 
+2.39.0
+

SOURCES/1001-opendnssec-c99.patch

@@ -0,0 +1,83 @@
+Include <unistd.h> for the setresuid and setresgid functions,
+to avoid an implicit function declaration.
+
+Submitted upstream: <https://github.com/opendnssec/opendnssec/pull/843>
+
+diff --git a/configure b/configure
+index bf515cde3d4fab71..52d2885d6a6ef546 100755
+--- a/configure
++++ b/configure
+@@ -21101,6 +21101,7 @@ else
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+@@ -21143,6 +21144,7 @@ else
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+diff --git a/m4/acx_broken_setres.m4 b/m4/acx_broken_setres.m4
+index 374cee0b0b8ef196..467db9170a319170 100644
+--- a/m4/acx_broken_setres.m4
++++ b/m4/acx_broken_setres.m4
+@@ -4,6 +4,7 @@ AC_DEFUN([ACX_BROKEN_SETRES],[
+ 		AC_MSG_CHECKING(if setresuid seems to work)
+ 		AC_RUN_IFELSE(
+ 			[AC_LANG_SOURCE([[
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+@@ -20,6 +21,7 @@ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+ 		AC_MSG_CHECKING(if setresgid seems to work)
+ 		AC_RUN_IFELSE(
+ 			[AC_LANG_SOURCE([[
++#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+commit 27290c5fcd065a5a857d37236e7f79121e303d0a
+Author: Mathieu Mirmont <mat@parad0x.org>
+Date:   Sun Dec 1 18:43:53 2019 +0100
+
+    common: add missing util.h header
+
+diff --git a/common/scheduler/task.c b/common/scheduler/task.c
+index cfdbd2d101aae795..9c09dc1893363abe 100644
+--- a/common/scheduler/task.c
++++ b/common/scheduler/task.c
+@@ -39,6 +39,7 @@
+ #include "status.h"
+ #include "duration.h"
+ #include "file.h"
++#include "util.h"
+ #include "log.h"
+ 
+ static const char* task_str = "task";
+commit 5422819c17c02e6069328b2f5e4bef6fe5c179df
+Author: Mathieu Mirmont <mat@parad0x.org>
+Date:   Sun Dec 1 17:57:36 2019 +0100
+
+    enforcer: remove remove strptime build warning
+
+diff --git a/enforcer/src/daemon/time_leap_cmd.c b/enforcer/src/daemon/time_leap_cmd.c
+index f1ee21b87529c136..5baef1b6ff7c4cc2 100644
+--- a/enforcer/src/daemon/time_leap_cmd.c
++++ b/enforcer/src/daemon/time_leap_cmd.c
+@@ -26,8 +26,8 @@
+  *
+  */
+ 
+-#include <getopt.h>
+ #include "config.h"
++#include <getopt.h>
+ 
+ #include "file.h"
+ #include "duration.h"

SOURCES/ods-signerd.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=OpenDNSSEC signer daemon
-After=syslog.target network.target ods-enforcerd
+After=syslog.target network.target ods-enforcerd.service
 
 [Service]
 Type=simple

SOURCES/opendnssec-sysusers.conf

@@ -0,0 +1 @@
+u ods - "opendnssec daemon account"

SPECS/opendnssec.spec

@@ -1,10 +1,15 @@
+# Due to https://issues.redhat.com/browse/RHEL-70841, opendnssec cannot
+# be built on i686. The java_arches macro is not available at this time,
+# so we define it explicitly.
+%global java_arches aarch64 ppc64le s390x x86_64
+
 #global prever rcX
 %global _hardened_build 1
 
 Summary: DNSSEC key and zone management software
 Name: opendnssec
-Version: 2.1.7
-Release: 2%{?prever}%{?dist}
+Version: 2.1.10
+Release: 4%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
@@ -16,9 +21,17 @@ Source5: tmpfiles-opendnssec.conf
 Source6: opendnssec.cron
 Source7: opendnssec-2.1.sqlite_convert.sql
 Source8: opendnssec-2.1.sqlite_rpmversion.sql
+Source9: %{name}-sysusers.conf
+
+Patch1:    0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch
+Patch1001: 1001-opendnssec-c99.patch
 
 Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
 Requires: libxml2, libxslt sqlite
+
+ExclusiveArch: %{java_arches}
+
+BuildRequires: make
 BuildRequires:  gcc
 BuildRequires: ldns-devel >= 1.6.12, sqlite-devel >= 3.0.0, openssl-devel
 BuildRequires: libxml2-devel CUnit-devel, doxygen
@@ -32,10 +45,8 @@ Requires(pre): shadow-utils
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-%if 0%{?prever:1}
-# For building development snapshots
+
 Buildrequires: autoconf, automake, libtool, java
-%endif
 
 %description
 OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
@@ -44,19 +55,21 @@ name server. It requires a PKCS#11 crypto module library, such as softhsm
 
 %prep
 %setup -q -n %{name}-%{version}%{?prever}
+%autopatch -p1
+
 # bump default policy ZSK keysize to 2048
 sed -i "s/1024/2048/" conf/kasp.xml.in
 
 %build
-#export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
-#export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
-#export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
+export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
+export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
 %if 0%{?prever:1}
 # for development snapshots
 sh ./autogen.sh
 %endif
 %configure --with-ldns=%{_libdir}
-make %{?_smp_mflags}
+%make_build
 
 %check
 # Requires sample db not shipped with upstream
@@ -64,7 +77,7 @@ make %{?_smp_mflags}
 
 %install
 rm -rf %{buildroot}
-make DESTDIR=%{buildroot} install
+%make_install
 mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf,enforcer}
 install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
 install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
@@ -77,6 +90,7 @@ install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
 install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
 mkdir -p %{buildroot}%{_tmpfilesdir}/
 install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
+install -D %{SOURCE9} %{buildroot}%{_sysusersdir}/%{name}.conf
 mkdir -p %{buildroot}%{_datadir}/opendnssec/
 cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
 cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
@@ -110,13 +124,11 @@ sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert
 %{_bindir}/*
 %attr(0755,root,root) %dir %{_datadir}/opendnssec
 %{_datadir}/opendnssec/*
+%{_sysusersdir}/%{name}.conf
 
 %pre
-getent group ods >/dev/null || groupadd -r ods
-getent passwd ods >/dev/null || \
-useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
--c "opendnssec daemon account" ods
-exit 0
+
+%sysusers_create_package %{name} %{SOURCE9}
 
 %post
 # Initialise a slot on the softhsm on first install
@@ -175,19 +187,87 @@ ods-enforcer update all >/dev/null 2>/dev/null ||:
 %systemd_postun_with_restart ods-signerd.service
 
 %changelog
-* Mon Mar 10 2025 Rafael Jeffman <rjeffman@redhat.com> - 2.1.7-2
-- Don't creat /var/run/opendnssec directory
-- Resolves: RHEL-12163
+* Wed Jul 23 2025 Rafael Jeffman <rjeffman@redhat.com> - 2.1.10-3
+- Don't package files in obsoleted /var/run
+  Resolves: RHEL-4866
+
+* Fri Jan 24 2025 Rafael Jeffman <rjeffman@redhat.com> - 2.1.10-3
+- Exclude i686 arch, as there's no OpenJDK 17 for this arch
+  Resolves: RHEL-75905
+
+* Wed Jan 22 2025 Rafael Jeffman <rjeffman@redhat.com> - 2.1.10-2
+- Use systemd-sysusers to create users
+  Resolves: RHEL-75905
+
+* Thu Apr 27 2023 Rafael Jeffman <rjeffman@redhat.com> - 2.1.10-1
+- Upstream release 2.1.10.
+  Resolves: rhbz#1981324
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.8-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.8-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.1.8-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Sat Feb 20 2021 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 2.1.8-1
+- Update to 2.1.8 (#1931143)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Dec 19 10:13:50 PST 2020 awilliam@redhat.com - 2.1.7-3
+- Rebuild for libldns soname bump
+
+* Tue Dec  8 21:09:23 EST 2020 Paul Wouters <pwouters@redhat.com> - 2.1.7-2
+- Resolves rhbz#1826233 ods-enforcerd.service should wait until socket is ready
 
 * Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.7-1
 - Upstream release 2.1.7
-- Resolves: rhbz#1904484
 
-* Fri May 08 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-2
-- Resolves: rhbz#1831732 AVC avc: denied { dac_override } for comm="ods-enforcerd
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.6-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
-* Wed Apr 15 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-1
-- Resolves: rhbz#1759888 Rebase OpenDNSSEC to 2.1
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 2.1.6-7
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Thu May 28 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-6
+- Resolves: rhbz#1833718 ods-signerd.service missing .service
+
+* Mon Apr 20 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-5
+- Resolves: rhbz#1825812 AVC avc: denied { dac_override } for comm="ods-enforcerd
+
+* Wed Mar 11 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-4
+- Fix migration check to not attempt to check on first install with no db
+
+* Tue Mar 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.6-3
+- Create and manage /var/opendnssec/enforcer directory
+- Resolves rhbz#1809492
+
+* Wed Feb 19 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-2
+- Update to 2.1.6 (major upgrade, supports migration from 1.4.x)
+- gcc10 compile fixups
+- Fix trying to use unversioned libsqlite3.so file
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 
 * Tue Dec 12 2017 Paul Wouters <pwouters@redhat.com> - 1.4.14-1
 - Update to 1.4.14 as first steop to migrating to 2.x