Separate ssh-keysign to a dedicated package

Resolves: RHEL-62112

openssh-9.9p1-separate-keysign.patch

@@ -0,0 +1,12 @@
+diff -up openssh-9.9p1/ssh_config.5.xxx openssh-9.9p1/ssh_config.5
+--- openssh-9.9p1/ssh_config.5.xxx	2024-10-11 12:01:14.260566303 +0200
++++ openssh-9.9p1/ssh_config.5	2024-10-11 12:01:59.725654775 +0200
+@@ -759,7 +759,7 @@ or
+ This option should be placed in the non-hostspecific section.
+ See
+ .Xr ssh-keysign 8
+-for more information.
++for more information. ssh-keysign should be installed explicitly.
+ .It Cm EscapeChar
+ Sets the escape character (default:
+ .Ql ~ ) .

openssh.spec

@@ -195,6 +195,7 @@ Patch1012: openssh-9.0p1-evp-fips-kex.patch
 Patch1014: openssh-8.7p1-nohostsha1proof.patch
 
 Patch1015: openssh-9.6p1-pam-rhost.patch
+Patch1016: openssh-9.9p1-separate-keysign.patch
 
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -247,6 +248,10 @@ Summary: An open source SSH client applications
 Requires: openssh = %{version}-%{release}
 Requires: crypto-policies >= 20220824-1
 
+%package keysign
+Summary: A helper program used for host-based authentication
+Requires: openssh = %{version}-%{release}
+
 %package server
 Summary: An open source SSH server daemon
 Requires: openssh = %{version}-%{release}
@@ -286,6 +291,11 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package includes
 the clients necessary to make encrypted connections to SSH servers.
 
+%description keysign
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. ssh-keysign is a
+helper program used for host-based authentication disabled by default.
+
 %description server
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
@@ -367,6 +377,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1012 -p1 -b .evp-fips-dh
 %patch -P 1014 -p1 -b .nosha1hostproof
 %patch -P 1015 -p1 -b .pam-rhost
+%patch -P 1016 -p1 -b .sep-keysign
 
 %patch -P 100 -p1 -b .coverity
 
@@ -573,8 +584,6 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
-%attr(4555,root,root) %{_libexecdir}/openssh/ssh-keysign
-%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
 
 %files clients
 %attr(0755,root,root) %{_bindir}/ssh
@@ -602,6 +611,10 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_userunitdir}/ssh-agent.service
 %attr(0644,root,root) %{_userunitdir}/ssh-agent.socket
 
+%files keysign
+%attr(4555,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
+
 %files server
 %dir %attr(0711,root,root) %{_datadir}/empty.sshd
 %attr(0755,root,root) %{_sbindir}/sshd
@@ -647,6 +660,8 @@ test -f %{sysconfig_anaconda} && \
 * Thu Oct 10 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-1
 - Update to OpenSSH 9.9p1
   Resolves: RHEL-60564
+- Separate ssh-keysign to a dedicated package
+  Resolves: RHEL-62112
 
 * Mon Sep 16 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-6
 - rebuilt