Include hash in FIPS module version
Include a hash of specfile, patches, and sources in the FIPS module version. This should allow us to uniquely identify a build that we do, so that we can be sure which specific binary is being submitted for validation and was certified. The previous solution used $(date +%Y%m%d), which had some risks related to build server timezone and build date differences on different architectures. Resolves: rhbz#2070550 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
Clemens Lang
parent
ad863e9fc8
commit
1447e64bc3
22
openssl.spec
22
openssl.spec
@ -10,12 +10,26 @@
|
||||
# also be handled in opensslconf-new.h.
|
||||
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
|
||||
|
||||
%define srpmhash() %{lua:
|
||||
local files = rpm.expand("%_specdir/openssl.spec")
|
||||
for i, p in ipairs(patches) do
|
||||
files = files.." "..p
|
||||
end
|
||||
for i, p in ipairs(sources) do
|
||||
files = files.." "..p
|
||||
end
|
||||
local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
|
||||
local hash = sha256sum:read("*a")
|
||||
sha256sum:close()
|
||||
print(string.sub(hash, 0, 16))
|
||||
}
|
||||
|
||||
%global _performance_build 1
|
||||
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.1
|
||||
Release: 26%{?dist}
|
||||
Release: 27%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -228,7 +242,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-not
|
||||
|
||||
export HASHBANGPERL=/usr/bin/perl
|
||||
|
||||
%define fips %{version}-%(date +%Y%m%d)
|
||||
%define fips %{version}-%{srpmhash}
|
||||
# ia64, x86_64, ppc are OK by default
|
||||
# Configure the build tree. Override OpenSSL defaults with known-good defaults
|
||||
# usable on all platforms. The Configure script already knows to use -fPIC and
|
||||
@ -426,6 +440,10 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Fri May 06 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-27
|
||||
- Change FIPS module version to include hash of specfile, patches and sources
|
||||
Resolves: rhbz#2070550
|
||||
|
||||
* Thu May 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-26
|
||||
- OpenSSL FIPS module should not build in non-approved algorithms
|
||||
- Resolves: rhbz#2081378
|
||||
|
||||
Loading…
Reference in New Issue
Block a user