Include hash in FIPS module version
Include a hash of specfile, patches, and sources in the FIPS module version. This should allow us to uniquely identify a build that we do, so that we can be sure which specific binary is being submitted for validation and was certified. The previous solution used $(date +%Y%m%d), which had some risks related to build server timezone and build date differences on different architectures. Resolves: rhbz#2070550 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
parent
ad863e9fc8
commit
1447e64bc3
22
openssl.spec
22
openssl.spec
@ -10,12 +10,26 @@
|
|||||||
# also be handled in opensslconf-new.h.
|
# also be handled in opensslconf-new.h.
|
||||||
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
|
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
|
||||||
|
|
||||||
|
%define srpmhash() %{lua:
|
||||||
|
local files = rpm.expand("%_specdir/openssl.spec")
|
||||||
|
for i, p in ipairs(patches) do
|
||||||
|
files = files.." "..p
|
||||||
|
end
|
||||||
|
for i, p in ipairs(sources) do
|
||||||
|
files = files.." "..p
|
||||||
|
end
|
||||||
|
local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
|
||||||
|
local hash = sha256sum:read("*a")
|
||||||
|
sha256sum:close()
|
||||||
|
print(string.sub(hash, 0, 16))
|
||||||
|
}
|
||||||
|
|
||||||
%global _performance_build 1
|
%global _performance_build 1
|
||||||
|
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.0.1
|
Version: 3.0.1
|
||||||
Release: 26%{?dist}
|
Release: 27%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -228,7 +242,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-not
|
|||||||
|
|
||||||
export HASHBANGPERL=/usr/bin/perl
|
export HASHBANGPERL=/usr/bin/perl
|
||||||
|
|
||||||
%define fips %{version}-%(date +%Y%m%d)
|
%define fips %{version}-%{srpmhash}
|
||||||
# ia64, x86_64, ppc are OK by default
|
# ia64, x86_64, ppc are OK by default
|
||||||
# Configure the build tree. Override OpenSSL defaults with known-good defaults
|
# Configure the build tree. Override OpenSSL defaults with known-good defaults
|
||||||
# usable on all platforms. The Configure script already knows to use -fPIC and
|
# usable on all platforms. The Configure script already knows to use -fPIC and
|
||||||
@ -426,6 +440,10 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 06 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-27
|
||||||
|
- Change FIPS module version to include hash of specfile, patches and sources
|
||||||
|
Resolves: rhbz#2070550
|
||||||
|
|
||||||
* Thu May 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-26
|
* Thu May 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-26
|
||||||
- OpenSSL FIPS module should not build in non-approved algorithms
|
- OpenSSL FIPS module should not build in non-approved algorithms
|
||||||
- Resolves: rhbz#2081378
|
- Resolves: rhbz#2081378
|
||||||
|
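Review bot: The `2>/dev/null` on the `io.popen("cat "..files.." 2>/dev/null | sha256sum")` line in the srpmhash definition (first hunk) hides a missing or unreadable input: if `%_specdir/openssl.spec` is not present under that name in a given build environment, `cat` skips it, `sha256sum` still emits a digest, and `%{fips}` is set to a 16-character hash that silently covers fewer files than intended, which defeats the purpose of making the FIPS module version identify exactly what was certified. The macro should fail the build instead, by checking that every path it is about to hash can be opened and that sha256sum actually produced output, as sketched below; `string.sub(hash, 0, 16)` also only works because Lua clamps index 0 to 1 and reads more clearly as `string.sub(hash, 1, 16)`. The paths are passed unquoted to the shell; they come from this spec's own Source/Patch lines, so this is a hygiene issue rather than an exposure, but a path containing whitespace would break the hash.
```lua
%define srpmhash() %{lua:
local files = { rpm.expand("%_specdir/openssl.spec") }
for _, p in ipairs(patches) do files[#files + 1] = p end
for _, p in ipairs(sources) do files[#files + 1] = p end
-- fail the build on a missing or unreadable input instead of hashing a subset
for _, p in ipairs(files) do
  local f = assert(io.open(p, "rb"), "srpmhash: cannot read "..p)
  f:close()
end
local sha256sum = assert(io.popen("cat "..table.concat(files, " ").." | sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
assert(#hash >= 16, "srpmhash: sha256sum produced no output")
print(string.sub(hash, 1, 16))
}
```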