From 1447e64bc398a807b7b725cec84983fbdb7a552d Mon Sep 17 00:00:00 2001
From: Clemens Lang
Date: Thu, 5 May 2022 17:05:35 +0200
Subject: [PATCH] Include hash in FIPS module version

Include a hash of specfile, patches, and sources in the FIPS module version. This should allow us to uniquely identify a build that we do, so that we can be sure which specific binary is being submitted for validation and was certified. The previous solution used $(date +%Y%m%d), which had some risks related to build server timezone and build date differences on different architectures.

Resolves: rhbz#2070550
Signed-off-by: Clemens Lang
---
 openssl.spec | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/openssl.spec b/openssl.spec
index 723ac94..8f009bc 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -10,12 +10,26 @@
 # also be handled in opensslconf-new.h.
 %define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
+%define srpmhash() %{lua:
+local files = rpm.expand("%_specdir/openssl.spec")
+for i, p in ipairs(patches) do
+ files = files.." "..p
+end
+for i, p in ipairs(sources) do
+ files = files.." "..p
+end
+local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
+local hash = sha256sum:read("*a")
+sha256sum:close()
+print(string.sub(hash, 0, 16))
+}
+
 %global _performance_build 1
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 26%{?dist}
+Release: 27%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
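Review bot: The `2>/dev/null` on the `cat` pipeline in the new `srpmhash` macro makes the hash silently wrong whenever an input is missing or unreadable: `cat` skips that file, `sha256sum` still prints a digest of the partial stream, and the FIPS module version changes with no build error, which is the opposite of what the commit sets out to guarantee (the pipeline's status is `sha256sum`'s, so checking the result of `close()` would not catch it either). The file names are also spliced into the shell command unquoted, so a path containing a space or a shell metacharacter would split or alter the command; the names come from the spec itself, so this is robustness rather than exposure, but quoting is cheap. Checking each file with `io.open` before hashing and quoting the paths turns both cases into hard build failures, and the same rewrite replaces the `..` accumulation with `table.concat`, the unused `i` with `_`, and `string.sub(hash, 0, 16)` with the 1-based `string.sub(hash, 1, 16)` (index 0 is tolerated but misleading). I kept the new code free of additional `%` sequences so it cannot interact with rpm's macro parser any differently than the original body does.
```lua
%define srpmhash() %{lua:
local files = { rpm.expand("%_specdir/openssl.spec") }
for _, p in ipairs(patches) do files[#files + 1] = p end
for _, p in ipairs(sources) do files[#files + 1] = p end
local quoted = {}
for i, p in ipairs(files) do
  -- Fail the build instead of silently hashing a partial input set.
  local f = assert(io.open(p, "rb"), "srpmhash: cannot read " .. p)
  f:close()
  -- Single-quote each path for the shell; refuse the one character that would break the quoting.
  assert(not p:find("'", 1, true), "srpmhash: unsupported character in path " .. p)
  quoted[i] = "'" .. p .. "'"
end
local sha256sum = assert(io.popen("cat " .. table.concat(quoted, " ") .. " | sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
assert(hash and #hash >= 16, "srpmhash: unexpected sha256sum output")
print(string.sub(hash, 1, 16))
}
```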
@@ -228,7 +242,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-not
 export HASHBANGPERL=/usr/bin/perl
-%define fips %{version}-%(date +%Y%m%d)
+%define fips %{version}-%{srpmhash}
 # ia64, x86_64, ppc are OK by default
 # Configure the build tree. Override OpenSSL defaults with known-good defaults
 # usable on all platforms. The Configure script already knows to use -fPIC and
@@ -426,6 +440,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Fri May 06 2022 Clemens Lang - 1:3.0.1-27
+- Change FIPS module version to include hash of specfile, patches and sources
+ Resolves: rhbz#2070550
+
 * Thu May 05 2022 Dmitry Belyavskiy - 1:3.0.1-26
 - OpenSSL FIPS module should not build in non-approved algorithms
 - Resolves: rhbz#2081378
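Review bot: `%define fips %{version}-%{srpmhash}` re-runs the Lua macro, and with it a `cat` of the spec, every patch and every source tarball piped through `sha256sum`, on every expansion of `%{fips}`, whereas the `date` call it replaces was cheap; if `%{fips}` is referenced more than once later in the spec (outside this hunk, so I cannot confirm), `%global fips %{version}-%{srpmhash}` should evaluate it a single time and also pin one value for every reference. The new line also deserves a comment saying where the value comes from, since the previous date stamp was self-explanatory and this one is not: `# FIPS module version: upstream version plus a hash of the spec, patches and sources (see srpmhash above)`.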