diff --git a/.gitignore b/.gitignore
index 9805149..fe9dd45 100644
--- a/.gitignore
+++ b/.gitignore
@@ -82,3 +82,4 @@
 /pki-10.10.5.tar.gz
 /pki-10.11.0-alpha1.tar.gz
 /pki-11.0.0-alpha1.tar.gz
+/pki-11.0.0-beta1.tar.gz
diff --git a/0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch b/0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
new file mode 100644
index 0000000..18f5af4
--- /dev/null
+++ b/0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
@@ -0,0 +1,70 @@ +From 1a7e9b493fc3cfbbd74ab9009fa840c5dcb55c8c Mon Sep 17 00:00:00 2001 +From: jmagne +Date: Thu, 16 Sep 2021 15:48:37 -0700 +Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server + in FIPS mode (RHEL-8.5) (#3742) + +It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command +that runs before the server runs. In order for this command to succeed, we must alter the python script that +runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false". + +This allows the JSS proivder to be selected instead of a differnt one which doesn't work for us, when we are in +fips mode. +--- + base/common/python/pki/cli/main.py | 11 ++++++++++- + base/common/share/etc/pki.conf | 10 ++++++++++ + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py +index b0ae6c6fc..bc215aaa4 100644 +--- a/base/common/python/pki/cli/main.py ++++ b/base/common/python/pki/cli/main.py +@@ -98,6 +98,7 @@ class PKICLI(pki.cli.CLI): + + java_path = os.getenv('PKI_JAVA_PATH') + java_home = os.getenv('JAVA_HOME') ++ java_fips_cmd = os.getenv('JAVA_FIPS_ENABLED') + pki_lib = os.getenv('PKI_LIB') + logging_config = os.getenv('PKI_LOGGING_CONFIG') + +@@ -113,7 +114,15 @@ class PKICLI(pki.cli.CLI): + cmd.extend(['/usr/bin/env', 'java']) + + cmd.extend([ +- '-cp', pki_lib + '/*', ++ '-cp', pki_lib + '/*' ++ ]) ++ ++ if java_fips_cmd is not None: ++ cmd.extend([ ++ java_fips_cmd ++ ]) ++ ++ cmd.extend([ + '-Djava.util.logging.config.file=' + logging_config, + 'com.netscape.cmstools.cli.MainCLI' + ]) +diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf +index 17615b042..fd40ece3b 100644 +--- a/base/common/share/etc/pki.conf ++++ b/base/common/share/etc/pki.conf +@@ -14,6 +14,16 @@ export JAVA_HOME + PKI_JAVA_PATH=${PKI_JAVA_PATH} + export PKI_JAVA_PATH + ++# JVM options ++# ++# 
Command switch we want to tell java to observer fips mode ++# For the moment we want this to be false even if we really are ++# in fips mode, because we want the jss prover instead of the sun ++# fips provider to be selected. ++JAVA_FIPS_ENABLED="-Dcom.redhat.fips=false" # Disable FIPS mode ++ ++export JAVA_FIPS_ENABLED ++ + # JNI jar file location + JNI_JAR_DIR=/usr/lib/java + export JNI_JAR_DIR +-- +2.31.1 + diff --git a/0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch b/0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch new file mode 100644 index 0000000..6c6b05f --- /dev/null +++ b/0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch @@ -0,0 +1,26 @@ +From 115778bf20812b271c81f19806332f14151dcb7d Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Thu, 23 Sep 2021 13:50:41 -0400 +Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server + in FIPS mode (RHEL-8.5). Additional fix to this issue to account for our + standalone java tools. + +--- + base/tools/templates/pki_java_command_wrapper.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/base/tools/templates/pki_java_command_wrapper.in b/base/tools/templates/pki_java_command_wrapper.in +index 05650630d4..d68ed93a30 100644 +--- a/base/tools/templates/pki_java_command_wrapper.in ++++ b/base/tools/templates/pki_java_command_wrapper.in +@@ -90,6 +90,7 @@ JAVA_OPTIONS="" + + ${JAVA} ${JAVA_OPTIONS} \ + -cp "${PKI_LIB}/*" \ ++ -Dcom.redhat.fips=false \ + -Djava.util.logging.config.file=${PKI_LOGGING_CONFIG} \ + com.netscape.cmstools.${COMMAND} "$@" + +-- +2.31.1 + diff --git a/pki-core.spec b/pki-core.spec index 78d06a3..e97c410 100644 --- a/pki-core.spec +++ b/pki-core.spec 
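Review bot: In the `main.py` hunk of the embedded 0001 patch, `if java_fips_cmd is not None:` lets an exported-but-empty `JAVA_FIPS_ENABLED` through, so an empty string is appended to `cmd` ahead of the main class, where the JVM launcher would presumably take it as the class name; `if java_fips_cmd:` avoids that. The value is also handed to `java` verbatim, so whatever the environment holds in that variable becomes a JVM option; since the name reads like a boolean but carries a raw switch, consider accepting only the `-Dcom.redhat.fips=` form or renaming the variable. In the `pki.conf` hunk the shipped default turns the JDK's FIPS alignment off on every host, FIPS or not. Its comment says "for the moment", so it should state that FIPS-approved operation then rests on the JSS provider and name the bug that tracks removing the override. The enclosing method in `main.py` starts and ends outside the hunk.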
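Review bot: The wrapper hunk in the embedded 0002 patch hard-codes `-Dcom.redhat.fips=false` after `${JAVA_OPTIONS}`, whereas the 0001 patch made the same switch configurable through `JAVA_FIPS_ENABLED` in `pki.conf`. An administrator who changes or unsets the `pki.conf` value would get the `pki` CLI and the standalone tools behaving differently, and a `-Dcom.redhat.fips` setting placed in `JAVA_OPTIONS` would likely be overridden by the later literal. If the wrapper has the `pki.conf` variables in scope (not visible in this hunk), `${JAVA_FIPS_ENABLED} \` in place of the literal keeps a single control point for the override.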
@@ -2,10 +2,13 @@ Name: pki-core ################################################################################ -%global vendor_id redhat -%global brand Red Hat +%global product_name PKI +%global product_id pki -Summary: %{brand} PKI Core Package +# NOTE: Do not specify the theme for pki-core +# global theme dogtag + +Summary: %{product_name} Core Package URL: https://www.dogtagpki.org # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 License: GPLv2 and LGPLv2 @@ -13,8 +16,8 @@ License: GPLv2 and LGPLv2 # For development (i.e. unsupported) releases, use x.y.z-0.n.. # For official (i.e. supported) releases, use x.y.z-r where r >=1. Version: 11.0.0 -Release: 0.5.alpha1%{?_timestamp}%{?_commit_id}%{?dist} -%global _phase -alpha1 +Release: 0.6.beta1%{?_timestamp}%{?_commit_id}%{?dist} +%global _phase -beta1 # To create a tarball from a version tag: # $ git archive \ @@ -31,7 +34,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch -Patch1: admin-cert-p12.patch +Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch +Patch2: 0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch # md2man isn't available on i686. Additionally, we aren't generally multi-lib # compatible (https://fedoraproject.org/wiki/Packaging:Java) @@ -88,8 +92,7 @@ ExcludeArch: i686 # If --with pkgs option is specified, only packages specified with # --with will be built (inclusion method). -# bcond_with pkgs -%global with_pkgs 1 +%bcond_with pkgs # Define package_option macro to wrap bcond_with or bcond_without macro # depending on package selection method. 
@@ -103,16 +106,13 @@ ExcludeArch: i686 # Define --with or --without options depending on # package selection method. -# package_option base -%global with_base 1 -# package_option server -%global with_server 1 -# package_option acme -%global with_acme 1 -# package_option ca -%global with_ca 1 -# package_option kra -%global with_kra 1 +%package_option base +%package_option server +%package_option acme +%package_option ca +%package_option kra + +# NOTE: Do not build the following packages for pki-core # package_option ocsp # package_option tks # package_option tps @@ -120,7 +120,6 @@ ExcludeArch: i686 # package_option theme # package_option meta # package_option tests -%global with_tests 1 # package_option debug %if ! %{with debug} @@ -248,13 +247,13 @@ BuildRequires: nss-tools BuildRequires: openssl # description for top-level package (if there is a separate meta package) -%if "%{name}" != "%{vendor_id}-pki" +%if "%{name}" != "%{product_id}" %description -%{brand} PKI is an enterprise software system designed +%{product_name} is an enterprise software system designed to manage enterprise Public Key Infrastructure deployments. -PKI consists of the following components: +%{product_name} consists of the following components: * Automatic Certificate Management Environment (ACME) Responder * Certificate Authority (CA) 
@@ -266,36 +265,32 @@ PKI consists of the following components: %endif %if %{with meta} -%if "%{name}" != "%{vendor_id}-pki" +%if "%{name}" != "%{product_id}" ################################################################################ -%package -n %{vendor_id}-pki +%package -n %{product_id} ################################################################################ -Summary: %{brand} PKI Package +Summary: %{product_name} Package %endif +Obsoletes: pki-console < %{version} +Obsoletes: pki-console-theme < %{version} +Obsoletes: idm-console-framework < 2.0 + # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI theme packages -Requires: %{vendor_id}-pki-server-theme = %{version} -%if %{with console} -Requires: %{vendor_id}-pki-console-theme = %{version} -%endif +Requires: %{product_id}-server-theme = %{version}-%{release} # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI core packages -Requires: pki-acme = %{version} -Requires: pki-ca = %{version} -Requires: pki-kra = %{version} -Requires: pki-ocsp = %{version} -Requires: pki-tks = %{version} -Requires: pki-tps = %{version} +Requires: %{product_id}-acme = %{version}-%{release} +Requires: %{product_id}-ca = %{version}-%{release} +Requires: %{product_id}-kra = %{version}-%{release} +Requires: %{product_id}-ocsp = %{version}-%{release} +Requires: %{product_id}-tks = %{version}-%{release} +Requires: %{product_id}-tps = %{version}-%{release} -# Make certain that this 'meta' package requires the latest version(s) -# of PKI console -%if %{with console} -Requires: pki-console = %{version} -%endif -Requires: pki-javadoc = %{version} +Requires: %{product_id}-javadoc = %{version}-%{release} # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI clients -- except for s390/s390x where 'esc' is not built 
@@ -304,16 +299,16 @@ Requires: esc >= 1.1.1 %endif # description for top-level package (unless there is a separate meta package) -%if "%{name}" == "%{vendor_id}-pki" +%if "%{name}" == "%{product_id}" %description %else -%description -n %{vendor_id}-pki +%description -n %{product_id} %endif -%{brand} PKI is an enterprise software system designed +%{product_name} is an enterprise software system designed to manage enterprise Public Key Infrastructure deployments. -PKI consists of the following components: +%{product_name} consists of the following components: * Automatic Certificate Management Environment (ACME) Responder * Certificate Authority (CA) @@ -327,10 +322,13 @@ PKI consists of the following components: %if %{with base} ################################################################################ -%package -n pki-symkey +%package -n %{product_id}-symkey ################################################################################ -Summary: PKI Symmetric Key Package +Summary: %{product_name} Symmetric Key Package + +Obsoletes: pki-symkey < %{version}-%{release} +Provides: pki-symkey = %{version}-%{release} Requires: %{java_headless} Requires: jpackage-utils >= 0:1.7.5-10 
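Review bot: With `%global product_id pki`, the new `Obsoletes: pki-symkey < %{version}-%{release}` and `Provides: pki-symkey = %{version}-%{release}` in the `@@ -327,10 +322,13 @@` hunk sit in the package that is itself named `pki-symkey`, so it obsoletes and provides its own name. The same pair is added to the other subpackages in the later hunks (base, python3, base-java, tools, server, acme, ca, kra, ocsp, tks, tps, javadoc, console, the two theme packages, tests). The tags only have an effect when `product_id` differs from `pki`, which is presumably the case they were written for; wrapping them in `%if "%{product_id}" != "pki"` … `%endif`, or adding a one-line comment stating that purpose, would make the intent explicit. The existing `Conflicts: ... < %{version}` lines were left without `-%{release}`, which is now inconsistent with the added tags.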
@@ -341,21 +339,20 @@ Requires: nss >= 3.38.0 Conflicts: pki-symkey < %{version} Conflicts: pki-javadoc < %{version} Conflicts: pki-server-theme < %{version} -%if %{with console} -Conflicts: pki-console-theme < %{version} -%endif -%description -n pki-symkey -The PKI Symmetric Key Java Package supplies various native -symmetric key operations to Java programs. +%description -n %{product_id}-symkey +This package provides library for symmetric key operations. ################################################################################ -%package -n pki-base +%package -n %{product_id}-base ################################################################################ -Summary: PKI Base Package +Summary: %{product_name} Base Package BuildArch: noarch +Obsoletes: pki-base < %{version}-%{release} +Provides: pki-base = %{version}-%{release} + Requires: nss >= 3.36.1 Requires: python3-pki = %{version}-%{release} 
@@ -365,28 +362,28 @@ Requires(post): python3-pki = %{version}-%{release} Conflicts: pki-symkey < %{version} Conflicts: pki-javadoc < %{version} Conflicts: pki-server-theme < %{version} -%if %{with console} -Conflicts: pki-console-theme < %{version} -%endif -%description -n pki-base -The PKI Base Package contains the common and client libraries and utilities -written in Python. +%description -n %{product_id}-base +This package provides default configuration files for %{product_name} client. ################################################################################ -%package -n python3-pki +%package -n python3-%{product_id} ################################################################################ -Summary: PKI Python 3 Package +Summary: %{product_name} Python 3 Package BuildArch: noarch -Obsoletes: pki-base-python3 < %{version} -Provides: pki-base-python3 = %{version} +Obsoletes: python3-pki < %{version}-%{release} +Provides: python3-pki = %{version}-%{release} + +Obsoletes: pki-base-python3 < %{version}-%{release} +Provides: pki-base-python3 = %{version}-%{release} + %if 0%{?fedora} || 0%{?rhel} > 8 %{?python_provide:%python_provide python3-pki} %endif -Requires: pki-base = %{version}-%{release} +Requires: %{product_id}-base = %{version}-%{release} Requires: python3 >= 3.5 Requires: python3-cryptography Requires: python3-ldap 
@@ -394,16 +391,19 @@ Requires: python3-lxml Requires: python3-requests >= 2.6.0 Requires: python3-six -%description -n python3-pki -This package contains PKI client library for Python 3. +%description -n python3-%{product_id} +This package provides common and client library for Python 3. ################################################################################ -%package -n pki-base-java +%package -n %{product_id}-base-java ################################################################################ -Summary: PKI Base Java Package +Summary: %{product_name} Base Java Package BuildArch: noarch +Obsoletes: pki-base-java < %{version}-%{release} +Provides: pki-base-java = %{version}-%{release} + Requires: %{java_headless} Requires: apache-commons-cli Requires: apache-commons-codec @@ -416,13 +416,12 @@ Requires: slf4j-jdk14 Requires: jpackage-utils >= 0:1.7.5-10 Requires: jss >= 5.0.0 Requires: ldapjdk >= 5.0.0 -Requires: pki-base = %{version}-%{release} +Requires: %{product_id}-base = %{version}-%{release} %if 0%{?rhel} && 0%{?rhel} <= 8 Requires: resteasy >= 3.0.26 %else Requires: resteasy-client >= 3.0.17-1 -Requires: resteasy-jaxb-provider >= 3.0.17-1 Requires: resteasy-core >= 3.0.17-1 Requires: resteasy-jackson2-provider >= 3.0.17-1 %endif 
@@ -431,48 +430,53 @@ Requires: xalan-j2 Requires: xerces-j2 Requires: xml-commons-resolver -%description -n pki-base-java -The PKI Base Java Package contains the common and client libraries and utilities -written in Java. +%description -n %{product_id}-base-java +This package provides common and client libraries for Java. ################################################################################ -%package -n pki-tools +%package -n %{product_id}-tools ################################################################################ -Summary: PKI Tools Package +Summary: %{product_name} Tools Package + +Obsoletes: pki-tools < %{version}-%{release} +Provides: pki-tools = %{version}-%{release} Requires: openldap-clients Requires: nss-tools >= 3.36.1 -Requires: pki-base-java = %{version}-%{release} +Requires: %{product_id}-base-java = %{version}-%{release} Requires: p11-kit-trust # PKICertImport depends on certutil and openssl Requires: nss-tools Requires: openssl -%description -n pki-tools -This package contains PKI executables that can be used to help make -Certificate System into a more complete and robust PKI solution. +%description -n %{product_id}-tools +This package provides tools that can be used to help make +%{product_name} into a more complete and robust PKI solution. 
# with base %endif %if %{with server} ################################################################################ -%package -n pki-server +%package -n %{product_id}-server ################################################################################ -Summary: PKI Server Package +Summary: %{product_name} Server Package BuildArch: noarch +Obsoletes: pki-server < %{version}-%{release} +Provides: pki-server = %{version}-%{release} + Requires: hostname Requires: policycoreutils Requires: procps-ng Requires: openldap-clients Requires: openssl -Requires: pki-symkey = %{version}-%{release} -Requires: pki-tools = %{version}-%{release} +Requires: %{product_id}-symkey = %{version}-%{release} +Requires: %{product_id}-tools = %{version}-%{release} Requires: keyutils @@ -492,7 +496,6 @@ Requires: tomcat >= 1:9.0.7 Requires: systemd Requires(post): systemd-units -Requires(preun): systemd-units Requires(postun): systemd-units Requires(pre): shadow-utils Requires: tomcatjss >= 8.0.0 
@@ -518,25 +521,27 @@ Provides: bundled(js-jquery-i18n-properties) = 1.2.7 Provides: bundled(js-patternfly) = 3.59.2 Provides: bundled(js-underscore) = 1.9.2 -%description -n pki-server -The PKI Server Package contains libraries and utilities needed by other -PKI subsystems. +%description -n %{product_id}-server +This package provides libraries and utilities needed by %{product_name} services. # with server %endif %if %{with acme} ################################################################################ -%package -n pki-acme +%package -n %{product_id}-acme ################################################################################ -Summary: PKI ACME Package +Summary: %{product_name} ACME Package BuildArch: noarch -Requires: pki-server = %{version}-%{release} +Obsoletes: pki-acme < %{version}-%{release} +Provides: pki-acme = %{version}-%{release} -%description -n pki-acme -The PKI ACME responder is a service that provides an automatic certificate +Requires: %{product_id}-server = %{version}-%{release} + +%description -n %{product_id}-acme +%{product_name} ACME responder is a service that provides an automatic certificate management via ACME v2 protocol defined in RFC 8555. # with acme 
@@ -544,19 +549,21 @@ management via ACME v2 protocol defined in RFC 8555. %if %{with ca} ################################################################################ -%package -n pki-ca +%package -n %{product_id}-ca ################################################################################ -Summary: PKI CA Package +Summary: %{product_name} CA Package BuildArch: noarch -Requires: pki-server = %{version}-%{release} +Obsoletes: pki-ca < %{version}-%{release} +Provides: pki-ca = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units -Requires(preun): systemd-units Requires(postun): systemd-units -%description -n pki-ca -The Certificate Authority (CA) is a required PKI subsystem which issues, +%description -n %{product_id}-ca +%{product_name} Certificate Authority (CA) is a required subsystem which issues, renews, revokes, and publishes certificates as well as compiling and publishing Certificate Revocation Lists (CRLs). 
@@ -569,19 +576,21 @@ where it obtains its own signing certificate from a public CA. %if %{with kra} ################################################################################ -%package -n pki-kra +%package -n %{product_id}-kra ################################################################################ -Summary: PKI KRA Package +Summary: %{product_name} KRA Package BuildArch: noarch -Requires: pki-server = %{version}-%{release} +Obsoletes: pki-kra < %{version}-%{release} +Provides: pki-kra = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units -Requires(preun): systemd-units Requires(postun): systemd-units -%description -n pki-kra -The Key Recovery Authority (KRA) is an optional PKI subsystem that can act +%description -n %{product_id}-kra +%{product_name} Key Recovery Authority (KRA) is an optional subsystem that can act as a key archival facility. When configured in conjunction with the Certificate Authority (CA), the KRA stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered 
@@ -600,19 +609,21 @@ since such archival would undermine non-repudiation properties of signing keys. %if %{with ocsp} ################################################################################ -%package -n pki-ocsp +%package -n %{product_id}-ocsp ################################################################################ -Summary: PKI OCSP Package +Summary: %{product_name} OCSP Package BuildArch: noarch -Requires: pki-server = %{version} +Obsoletes: pki-ocsp < %{version}-%{release} +Provides: pki-ocsp = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units -Requires(preun): systemd-units Requires(postun): systemd-units -%description -n pki-ocsp -The Online Certificate Status Protocol (OCSP) Manager is an optional PKI +%description -n %{product_id}-ocsp +%{product_name} Online Certificate Status Protocol (OCSP) Manager is an optional subsystem that can act as a stand-alone OCSP service. The OCSP Manager performs the task of an online certificate validation authority by enabling OCSP-compliant clients to do real-time verification of certificates. Note 
@@ -638,19 +649,21 @@ whenever they are issued or updated. %if %{with tks} ################################################################################ -%package -n pki-tks +%package -n %{product_id}-tks ################################################################################ -Summary: PKI TKS Package +Summary: %{product_name} TKS Package BuildArch: noarch -Requires: pki-server = %{version} +Obsoletes: pki-tks < %{version}-%{release} +Provides: pki-tks = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units -Requires(preun): systemd-units Requires(postun): systemd-units -%description -n pki-tks -The Token Key Service (TKS) is an optional PKI subsystem that manages the +%description -n %{product_id}-tks +%{product_name} Token Key Service (TKS) is an optional subsystem that manages the master key(s) and the transport key(s) required to generate and distribute keys for hardware tokens. TKS provides the security between tokens and an instance of Token Processing System (TPS), where the security relies upon the @@ -670,14 +683,16 @@ behind the firewall with restricted access. %if %{with tps} ################################################################################ -%package -n pki-tps +%package -n %{product_id}-tps ################################################################################ -Summary: PKI TPS Package +Summary: %{product_name} TPS Package -Requires: pki-server = %{version} +Obsoletes: pki-tps < %{version}-%{release} +Provides: pki-tps = %{version}-%{release} + +Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units -Requires(preun): systemd-units Requires(postun): systemd-units # additional runtime requirements needed to run native 'tpsclient' 
@@ -686,8 +701,8 @@ Requires(postun): systemd-units Requires: nss-tools >= 3.36.1 Requires: openldap-clients -%description -n pki-tps -The Token Processing System (TPS) is an optional PKI subsystem that acts +%description -n %{product_id}-tps +%{product_name} Token Processing System (TPS) is an optional subsystem that acts as a Registration Authority (RA) for authenticating and processing enrollment requests, PIN reset requests, and formatting requests from the Enterprise Security Client (ESC). 
@@ -711,77 +726,78 @@ smart card. %if %{with javadoc} ################################################################################ -%package -n pki-javadoc +%package -n %{product_id}-javadoc ################################################################################ -Summary: PKI Javadoc Package +Summary: %{product_name} Javadoc Package BuildArch: noarch +Obsoletes: pki-javadoc < %{version}-%{release} +Provides: pki-javadoc = %{version}-%{release} + # Ensure we end up with a useful installation Conflicts: pki-base < %{version} Conflicts: pki-symkey < %{version} Conflicts: pki-server-theme < %{version} -%if %{with console} -Conflicts: pki-console-theme < %{version} -%endif -%description -n pki-javadoc -This package contains PKI API documentation. +%description -n %{product_id}-javadoc +This package provides %{product_name} API documentation. # with javadoc %endif %if %{with console} ################################################################################ -%package -n pki-console +%package -n %{product_id}-console ################################################################################ -Summary: PKI Console Package +Summary: %{product_name} Console Package BuildArch: noarch -BuildRequires: idm-console-framework >= 1.2.0 +BuildRequires: idm-console-framework >= 2.0 -Requires: idm-console-framework >= 1.2.0 -Requires: pki-base-java = %{version} -Requires: pki-console-theme = %{version} +Obsoletes: pki-console < %{version}-%{release} +Provides: pki-console = %{version}-%{release} -%description -n pki-console -The PKI Console is a Java application used to administer PKI server. +Requires: idm-console-framework >= 2.0 +Requires: %{product_id}-base-java = %{version}-%{release} +Requires: %{product_id}-console-theme = %{version}-%{release} + +%description -n %{product_id}-console +%{product_name} Console is a Java application used to administer %{product_name} Server. 
# with console %endif %if %{with theme} ################################################################################ -%package -n %{vendor_id}-pki-server-theme +%package -n %{product_id}-server-theme ################################################################################ -Summary: %{brand} PKI Server Theme Package +Summary: %{product_name} Server Theme Package BuildArch: noarch -Provides: pki-server-theme = %{version} +Obsoletes: pki-server-theme < %{version}-%{release} +Provides: pki-server-theme = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-base < %{version} Conflicts: pki-symkey < %{version} -%if %{with console} -Conflicts: pki-console-theme < %{version} -%endif Conflicts: pki-javadoc < %{version} -%description -n %{vendor_id}-pki-server-theme -This PKI Server Theme Package contains -%{brand} textual and graphical user interface for PKI Server. +%description -n %{product_id}-server-theme +This package provides theme files for %{product_name} Server. %if %{with console} ################################################################################ -%package -n %{vendor_id}-pki-console-theme +%package -n %{product_id}-console-theme ################################################################################ -Summary: %{brand} PKI Console Theme Package +Summary: %{product_name} Console Theme Package BuildArch: noarch -Provides: pki-console-theme = %{version} +Obsoletes: pki-console-theme < %{version}-%{release} +Provides: pki-console-theme = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-base < %{version} 
@@ -789,9 +805,8 @@ Conflicts: pki-symkey < %{version} Conflicts: pki-server-theme < %{version} Conflicts: pki-javadoc < %{version} -%description -n %{vendor_id}-pki-console-theme -This PKI Console Theme Package contains -%{brand} textual and graphical user interface for PKI Console. +%description -n %{product_id}-console-theme +This package provides theme files for %{product_name} Console. # with console %endif @@ -801,14 +816,20 @@ This PKI Console Theme Package contains %if %{with tests} ################################################################################ -%package -n pki-tests +%package -n %{product_id}-tests ################################################################################ -Summary: PKI Tests +Summary: %{product_name} Tests BuildArch: noarch -%description -n pki-tests -This package contains PKI test suite. +Obsoletes: pki-tests < %{version}-%{release} +Provides: pki-tests = %{version}-%{release} + +Requires: python3-pylint +Requires: python3-flake8 + +%description -n %{product_id}-tests +This package provides test suite for %{product_name}. # with tests %endif @@ -866,7 +887,7 @@ cd build -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \ -DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \ -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ - -DTHEME=%{?with_theme:%{vendor_id}} \ + -DTHEME=%{?with_theme:%{theme}} \ %if 0%{?rhel} && 0%{?rhel} <= 8 .. %else @@ -913,7 +934,7 @@ ctest --output-on-failure cat > %{buildroot}%{_datadir}/doc/pki/README << EOF This package is a "meta-package" whose dependencies pull in all of the -packages comprising the %{brand} Public Key Infrastructure (PKI) Suite. +packages comprising the %{product_name} Suite. EOF # with meta 
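Review bot: `-DTHEME=%{?with_theme:%{theme}}` in the `@@ -866,7 +887,7 @@` hunk now depends on a `theme` macro that the visible hunks never define; the first spec hunk only adds the commented-out `# global theme dogtag`. While `with_theme` stays undefined the expression expands to nothing, but a build with the theme enabled would presumably pass the unexpanded text `%{theme}` to cmake, and the `%license themes/%{theme}/...` paths in the later `%files` hunks have the same dependency. Writing `%{?theme}` there, or failing early when `with_theme` is set without `theme`, would surface the misconfiguration at build time.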
@@ -953,7 +974,7 @@ fi %if %{with server} -%pre -n pki-server +%pre -n %{product_id}-server getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname} if ! getent passwd %{pki_username} >/dev/null ; then useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} @@ -965,7 +986,7 @@ exit 0 %if %{with base} -%post -n pki-base +%post -n %{product_id}-base if [ $1 -eq 1 ] then @@ -979,7 +1000,7 @@ else echo >> /var/log/pki/pki-upgrade-%{version}.log fi -%postun -n pki-base +%postun -n %{product_id}-base if [ $1 -eq 0 ] then @@ -992,11 +1013,7 @@ fi %if %{with server} -%post -n pki-server -## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem -## from EITHER 'sysVinit' OR previous 'systemd' processes to the new -## PKI deployment process - +%post -n %{product_id}-server # CVE-2021-3551 # Remove world access from existing installation logs find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \; @@ -1007,24 +1024,13 @@ then systemctl daemon-reload fi -## preun -n pki-server -## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem -## from EITHER 'sysVinit' OR previous 'systemd' processes to the new -## PKI deployment process - - -## postun -n pki-server -## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem -## from EITHER 'sysVinit' OR previous 'systemd' processes to the new -## PKI deployment process - # with server %endif %if %{with meta} -%if "%{name}" != "%{vendor_id}-pki" +%if "%{name}" != "%{product_id}" ################################################################################ -%files -n %{vendor_id}-pki +%files -n %{product_id} ################################################################################ %else %files 
@@ -1037,7 +1043,7 @@ fi %if %{with base} ################################################################################ -%files -n pki-symkey +%files -n %{product_id}-symkey ################################################################################ %license base/symkey/LICENSE @@ -1045,7 +1051,7 @@ fi %{_libdir}/symkey/ ################################################################################ -%files -n pki-base +%files -n %{product_id}-base ################################################################################ %license base/common/LICENSE @@ -1071,7 +1077,7 @@ fi %{_mandir}/man8/pki-upgrade.8.gz ################################################################################ -%files -n pki-base-java +%files -n %{product_id}-base-java ################################################################################ %license base/common/LICENSE @@ -1083,7 +1089,7 @@ fi %{_javadir}/pki/pki-certsrv.jar ################################################################################ -%files -n python3-pki +%files -n python3-%{product_id} ################################################################################ %license base/common/LICENSE @@ -1094,12 +1100,13 @@ fi %{python3_sitelib}/pki ################################################################################ -%files -n pki-tools +%files -n %{product_id}-tools ################################################################################ %license base/tools/LICENSE %doc base/tools/doc/README %{_bindir}/p7tool +%{_bindir}/p12tool %{_bindir}/pistool %{_bindir}/pki %{_bindir}/revoker @@ -1168,7 +1175,7 @@ fi %if %{with server} ################################################################################ -%files -n pki-server +%files -n %{product_id}-server ################################################################################ %license base/common/THIRD_PARTY_LICENSES 
@@ -1229,7 +1236,7 @@ fi %if %{with acme} ################################################################################ -%files -n pki-acme +%files -n %{product_id}-acme ################################################################################ %{_javadir}/pki/pki-acme.jar @@ -1240,7 +1247,7 @@ fi %if %{with ca} ################################################################################ -%files -n pki-ca +%files -n %{product_id}-ca ################################################################################ %license base/ca/LICENSE @@ -1252,7 +1259,7 @@ fi %if %{with kra} ################################################################################ -%files -n pki-kra +%files -n %{product_id}-kra ################################################################################ %license base/kra/LICENSE @@ -1264,7 +1271,7 @@ fi %if %{with ocsp} ################################################################################ -%files -n pki-ocsp +%files -n %{product_id}-ocsp ################################################################################ %license base/ocsp/LICENSE @@ -1276,7 +1283,7 @@ fi %if %{with tks} ################################################################################ -%files -n pki-tks +%files -n %{product_id}-tks ################################################################################ %license base/tks/LICENSE @@ -1288,7 +1295,7 @@ fi %if %{with tps} ################################################################################ -%files -n pki-tps +%files -n %{product_id}-tps ################################################################################ %license base/tps/LICENSE 
@@ -1310,17 +1317,17 @@ fi
 %if %{with javadoc}
 ################################################################################
-%files -n pki-javadoc
+%files -n %{product_id}-javadoc
 ################################################################################
-%{_javadocdir}/pki-%{version}/
+%{_javadocdir}/pki/
 # with javadoc
 %endif
 %if %{with console}
 ################################################################################
-%files -n pki-console
+%files -n %{product_id}-console
 ################################################################################
 %license base/console/LICENSE
@@ -1332,10 +1339,10 @@ fi
 %if %{with theme}
 ################################################################################
-%files -n %{vendor_id}-pki-server-theme
+%files -n %{product_id}-server-theme
 ################################################################################
-%license themes/%{vendor_id}/common-ui/LICENSE
+%license themes/%{theme}/common-ui/LICENSE
 %dir %{_datadir}/pki
 %{_datadir}/pki/CS_SERVER_VERSION
 %{_datadir}/pki/common-ui/
@@ -1351,10 +1358,10 @@ fi
 %if %{with console}
 ################################################################################
-%files -n %{vendor_id}-pki-console-theme
+%files -n %{product_id}-console-theme
 ################################################################################
-%license themes/%{vendor_id}/console-ui/LICENSE
+%license themes/%{theme}/console-ui/LICENSE
 %{_javadir}/pki/pki-console-theme.jar
 # with console
@@ -1365,7 +1372,7 @@ fi
 %if %{with tests}
 ################################################################################
-%files -n pki-tests
+%files -n %{product_id}-tests
 ################################################################################
 %{_datadir}/pki/tests/
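Review bot: The theme packages are renamed outright in the `%files -n %{product_id}-server-theme` hunk and in the `%files -n %{product_id}-console-theme` hunk after it, because the `%{vendor_id}-` prefix is dropped whatever `%{product_id}` expands to. The matching `%package` stanzas are outside these hunks, so confirm they carry `Obsoletes:`/`Provides:` for the old `%{vendor_id}-pki-server-theme` and `%{vendor_id}-pki-console-theme` names. Without them an upgrade would presumably either hit file conflicts on paths such as `%{_datadir}/pki/common-ui/` or leave the old theme package installed and no longer receiving updates. The same question applies to the other `%files -n %{product_id}-*` sections in this commit if `%{product_id}` can expand to anything but `pki`, since their file paths stay hard-coded under `pki`. The `%license` lines now also depend on a `%{theme}` macro whose definition is not visible here; a comment beside it such as `# theme: directory name under themes/ in the source tarball` would make that dependency explicit.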
@@ -1375,6 +1382,10 @@ fi
 ################################################################################
 %changelog
+* Thu Sep 30 2021 Red Hat PKI Team - 11.0.0-0.6.beta1
+- Rebase to PKI 11.0.0-beta1
+- Bug #1999052 - pki instance creation fails for IPA server
+
 * Thu Sep 09 2021 Red Hat PKI Team - 11.0.0-0.5.alpha1
 - Drop BuildRequires and Requires on glassfish-jaxb-api and jaxb-impl
 Resolves #2002594
diff --git a/sources b/sources
index 28bbe6b..d2f5d6f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (pki-11.0.0-alpha1.tar.gz) = 7dd458897d63a2aaba7e8cf62f74537cc7ba7798b5a5f6df5b6b3bee15ff00e1f6397540a23556eb25e86da3562d9723f66a14c619c25014e542a664023769d5
+SHA512 (pki-11.0.0-beta1.tar.gz) = 66762825f9120d65712e33708199be4f9951fe1328e924d134b89e47b440bb862b8bbfe1dfa025d1e532439324c4a46ca2fd0e2451fc433ff6d5c9a61613ed61