From c52edc300e1f7985af2375c3bcff979f8fd0affe Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 25 Jun 2021 19:26:18 -0500 Subject: [PATCH] Rebase to PKI 11.0.0-alpha1 Resolves: #1975905 --- .gitignore | 1 + pki-core.spec | 244 ++++++++++++-------------------------------------- sources | 2 +- 3 files changed, 61 insertions(+), 186 deletions(-) diff --git a/.gitignore b/.gitignore index daf9561..9805149 100644 --- a/.gitignore +++ b/.gitignore @@ -81,3 +81,4 @@ /pki-10.10.3.tar.gz /pki-10.10.5.tar.gz /pki-10.11.0-alpha1.tar.gz +/pki-11.0.0-alpha1.tar.gz diff --git a/pki-core.spec b/pki-core.spec index 21475de..2a15758 100644 --- a/pki-core.spec +++ b/pki-core.spec @@ -12,8 +12,8 @@ License: GPLv2 and LGPLv2 # For development (i.e. unsupported) releases, use x.y.z-0.n.. # For official (i.e. supported) releases, use x.y.z-r where r >=1. -Version: 10.11.0 -Release: 0.2.alpha1%{?_timestamp}%{?_commit_id}%{?dist} +Version: 11.0.0 +Release: 0.1.alpha1%{?_timestamp}%{?_commit_id}%{?dist} %global _phase -alpha1 # To create a tarball from a version tag: @@ -59,16 +59,9 @@ ExcludeArch: i686 # Java ################################################################################ -%define java_devel java-devel -%define java_headless java-headless - -%if 0%{?fedora} >= 33 || 0%{?rhel} > 8 -%define min_java_version 1:11 -%define java_home /usr/lib/jvm/java-11-openjdk -%else -%define min_java_version 1:1.8.0 -%define java_home /usr/lib/jvm/java-1.8.0-openjdk -%endif +%define java_devel java-11-openjdk-devel +%define java_headless java-11-openjdk-headless +%define java_home /usr/lib/jvm/jre-11-openjdk ################################################################################ # RESTEasy 
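Review bot: In the `@@ -59,16 +59,9` hunk, `java_home` is set to `/usr/lib/jvm/jre-11-openjdk`, a JRE-named path, but the `@@ -854,8 +849,8` hunk passes the same macro as `-DJAVA_HOME` for the build and as `-DPKI_JAVA_PATH` for the installed launcher. It is not evident from the name that this path exposes the compiler once `java-11-openjdk-devel` is installed, so that expectation should be written down next to the define. With the `%if`/`%else` block removed, the JDK is now pinned by package name on every target and the `>= %{min_java_version}` floor is gone. A comment such as `# PKI 11 requires OpenJDK 11 on all targets; java_home is used for both build and runtime` would record that the pin is deliberate.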
@@ -81,11 +74,11 @@ ExcludeArch: i686 # PKI ################################################################################ -# By default the build will execute unit tests unless --without test -# option is specified. +# Execute unit tests unless --without test is specified. +%bcond_without test -# bcond_without test -%global with_test 1 +# Don't build console unless --with console is specified. +%bcond_with console # By default all packages will be built except the ones specified with # --without option (exclusion method). @@ -122,12 +115,11 @@ ExcludeArch: i686 # package_option tks # package_option tps # package_option javadoc -# package_option console # package_option theme # package_option meta # package_option tests +%global with_tests 1 # package_option debug -%global with_debug 1 %if ! %{with debug} %define debug_package %{nil} @@ -170,21 +162,18 @@ fi; # Build Dependencies ################################################################################ -# autosetup -BuildRequires: git BuildRequires: make - BuildRequires: cmake >= 3.0.2 BuildRequires: gcc-c++ BuildRequires: zip -BuildRequires: %java_devel >= %{min_java_version} +BuildRequires: %{java_devel} BuildRequires: javapackages-tools BuildRequires: redhat-rpm-config -BuildRequires: ldapjdk >= 4.22.0 BuildRequires: apache-commons-cli BuildRequires: apache-commons-codec BuildRequires: apache-commons-io BuildRequires: apache-commons-lang3 >= 3.2 +BuildRequires: apache-commons-logging BuildRequires: apache-commons-net BuildRequires: glassfish-jaxb-api BuildRequires: slf4j 
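Review bot: In the `@@ -122,12 +115,11` hunk, `%global with_debug 1` is removed while the context line `%if ! %{with debug}` stays, so unless something outside the spec defines `with_debug`, `%define debug_package %{nil}` now takes effect by default. That would mean no debuginfo package is produced, which the commit message does not mention and which makes later crash analysis of the native parts harder. If it is intentional, say so in place, e.g. `# debuginfo is off by default; build with --with debug to enable it`. The same hunk adds `%global with_tests 1` next to the `%bcond_without test` introduced in the `@@ -81,11 +74,11` hunk. The singular and plural names are easy to confuse, so a comment like `# with_tests: tests subpackage; %{with test}: run ctest during build` would help, if that is indeed the split.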
@@ -202,17 +191,7 @@ BuildRequires: python3-sphinx BuildRequires: xalan-j2 BuildRequires: xerces-j2 -%if 0%{?rhel} && ! 0%{?eln} BuildRequires: resteasy >= 3.0.26 -%else -BuildRequires: jboss-annotations-1.2-api -BuildRequires: jboss-jaxrs-2.0-api -BuildRequires: jboss-logging -BuildRequires: resteasy-client >= 3.0.17-1 -BuildRequires: resteasy-jaxb-provider >= 3.0.17-1 -BuildRequires: resteasy-core >= 3.0.17-1 -BuildRequires: resteasy-jackson2-provider >= 3.0.17-1 -%endif BuildRequires: python3 >= 3.5 BuildRequires: python3-devel @@ -226,8 +205,9 @@ BuildRequires: python3-six BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 4.9.0 -BuildRequires: tomcatjss >= 7.6.1 +BuildRequires: jss >= 5.0.0 +BuildRequires: tomcatjss >= 8.0.0 +BuildRequires: ldapjdk >= 5.0.0 BuildRequires: systemd-units @@ -296,7 +276,9 @@ Summary: %{brand} PKI Package # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI theme packages Requires: %{vendor_id}-pki-server-theme = %{version} +%if %{with console} Requires: %{vendor_id}-pki-console-theme = %{version} +%endif # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI core packages @@ -309,7 +291,9 @@ Requires: pki-tps = %{version} # Make certain that this 'meta' package requires the latest version(s) # of PKI console +%if %{with console} Requires: pki-console = %{version} +%endif Requires: pki-javadoc = %{version} # Make certain that this 'meta' package requires the latest version(s) 
@@ -347,16 +331,18 @@ PKI consists of the following components: Summary: PKI Symmetric Key Package -Requires: %java_headless >= %{min_java_version} +Requires: %{java_headless} Requires: jpackage-utils >= 0:1.7.5-10 -Requires: jss >= 4.9.0 +Requires: jss >= 5.0.0 Requires: nss >= 3.38.0 # Ensure we end up with a useful installation Conflicts: pki-symkey < %{version} Conflicts: pki-javadoc < %{version} Conflicts: pki-server-theme < %{version} +%if %{with console} Conflicts: pki-console-theme < %{version} +%endif %description -n pki-symkey The PKI Symmetric Key Java Package supplies various native @@ -378,7 +364,9 @@ Requires(post): python3-pki = %{version}-%{release} Conflicts: pki-symkey < %{version} Conflicts: pki-javadoc < %{version} Conflicts: pki-server-theme < %{version} +%if %{with console} Conflicts: pki-console-theme < %{version} +%endif %description -n pki-base The PKI Base Package contains the common and client libraries and utilities @@ -415,7 +403,7 @@ This package contains PKI client library for Python 3. Summary: PKI Base Java Package BuildArch: noarch -Requires: %java_headless >= %{min_java_version} +Requires: %{java_headless} Requires: apache-commons-cli Requires: apache-commons-codec Requires: apache-commons-io @@ -426,8 +414,8 @@ Requires: glassfish-jaxb-api Requires: slf4j Requires: slf4j-jdk14 Requires: jpackage-utils >= 0:1.7.5-10 -Requires: jss >= 4.9.0 -Requires: ldapjdk >= 4.22.0 +Requires: jss >= 5.0.0 +Requires: ldapjdk >= 5.0.0 Requires: pki-base = %{version}-%{release} %if 0%{?rhel} && 0%{?rhel} <= 8 @@ -441,7 +429,6 @@ Requires: resteasy-jackson2-provider >= 3.0.17-1 %if 0%{?fedora} >= 33 || 0%{?rhel} > 8 Requires: jaxb-impl >= 2.3.3 -Requires: jakarta-activation >= 1.2.2 %endif Requires: xalan-j2 
@@ -513,7 +500,7 @@ Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units Requires(pre): shadow-utils -Requires: tomcatjss >= 7.6.1 +Requires: tomcatjss >= 8.0.0 # pki-healthcheck depends on the following library %if 0%{?rhel} @@ -739,7 +726,9 @@ BuildArch: noarch Conflicts: pki-base < %{version} Conflicts: pki-symkey < %{version} Conflicts: pki-server-theme < %{version} +%if %{with console} Conflicts: pki-console-theme < %{version} +%endif %description -n pki-javadoc This package contains PKI API documentation. @@ -780,13 +769,16 @@ Provides: pki-server-theme = %{version} # Ensure we end up with a useful installation Conflicts: pki-base < %{version} Conflicts: pki-symkey < %{version} +%if %{with console} Conflicts: pki-console-theme < %{version} +%endif Conflicts: pki-javadoc < %{version} %description -n %{vendor_id}-pki-server-theme This PKI Server Theme Package contains %{brand} textual and graphical user interface for PKI Server. +%if %{with console} ################################################################################ %package -n %{vendor_id}-pki-console-theme ################################################################################ @@ -806,6 +798,9 @@ Conflicts: pki-javadoc < %{version} This PKI Console Theme Package contains %{brand} textual and graphical user interface for PKI Console. +# with console +%endif + # with theme %endif @@ -827,7 +822,7 @@ This package contains PKI test suite. %prep ################################################################################ -%autosetup -n pki-%{version}%{?_phase} -p 1 -S git +%autosetup -n pki-%{version}%{?_phase} -p 1 ################################################################################ %build 
@@ -854,8 +849,8 @@ cd build -DVAR_INSTALL_DIR:PATH=/var \ -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \ -DJAVA_VERSION=${java_version} \ - -DJAVA_HOME=%java_home \ - -DPKI_JAVA_PATH=%java_home/bin/java \ + -DJAVA_HOME=%{java_home} \ + -DPKI_JAVA_PATH=%{java_home}/bin/java \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \ -DAPP_SERVER=$app_server \ @@ -914,7 +909,7 @@ cd %{_vpath_builddir} --no-print-directory \ install -%if %{with_test} +%if %{with test} ctest --output-on-failure %endif @@ -931,14 +926,22 @@ EOF # Customize client library links in /usr/share/pki/lib ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar +%if 0%{?fedora} && 0%{?fedora} <= 34 ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar +%else +ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/lib/jakarta.annotation-api.jar +%endif %if %{with server} # Customize server common library links in /usr/share/pki/server/common/lib ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar +%if 0%{?fedora} && 0%{?fedora} <= 34 ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar +%else +ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/server/common/lib/jakarta.annotation-api.jar +%endif # with server %endif 
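Review bot: In the `@@ -931,14 +926,22` hunk, both new `%else` branches link to `/usr/share/java/jakarta-annotations/jakarta.annotation-api.jar`, but no hunk in this patch adds a `Requires:` on the package that owns that path (presumably `jakarta-annotations`). `ln -sf` does not check its target, so the build succeeds either way, and a missing jar would only show up as a dangling link and a class-loading failure on the installed system. If no dependency outside the visible hunks already pulls it in, add the `Requires:` under the same `%if 0%{?fedora} && 0%{?fedora} <= 34` / `%else` split used here. The Fedora <= 34 branch has the matching question for `jboss-annotations-1.2-api`, whose `BuildRequires` is dropped in the `@@ -202,17 +191,7` hunk. The install section continues outside this hunk.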
@@ -989,6 +992,10 @@ fi ## from EITHER 'sysVinit' OR previous 'systemd' processes to the new ## PKI deployment process +# CVE-2021-3551 +# Remove world access from existing installation logs +find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \; + # Reload systemd daemons on upgrade only if [ "$1" == "2" ] then @@ -1337,6 +1344,7 @@ fi %{_datadir}/pki/server/webapps/pki/pki.properties %{_datadir}/pki/server/webapps/pki/tks +%if %{with console} ################################################################################ %files -n %{vendor_id}-pki-console-theme ################################################################################ @@ -1344,6 +1352,9 @@ fi %license themes/%{vendor_id}/console-ui/LICENSE %{_javadir}/pki/pki-console-theme.jar +# with console +%endif + # with theme %endif 
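Review bot: In the `@@ -989,6 +992,10` hunk, the added `find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;` only tightens mode bits, so anything sensitive written to those installation logs before the upgrade should be treated as already readable. The scriptlet comment should say so, e.g. `# Permissions only: rotate any secrets that were recorded in these logs`. `-maxdepth 1` leaves files in subdirectories untouched and group access is kept, which is fine only if installation logs never live deeper; that is worth confirming against the upstream fix. The command sits above the `[ "$1" == "2" ]` test, so it runs on fresh installs as well, and it would print an error if the directory were absent; `[ -d /var/log/pki ] && find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} +` avoids that and batches the chmod calls. The new `%changelog` entry in the last pki-core.spec hunk reads only `- Rebase to PKI 11.0.0-alpha1`, so tooling that reads package changelogs will not see that CVE-2021-3551 is addressed here; the scriptlet itself continues outside this hunk.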
@@ -1359,142 +1370,5 @@ fi ################################################################################ %changelog -* Tue Jun 22 2021 Mohan Boddu - 10.11.0-0.2.alpha1 -- Rebuilt for RHEL 9 BETA for openssl 3.0 - Related: rhbz#1971065 - -* Tue May 18 2021 Red Hat PKI Team 10.11.0-0.1 -- Rebase to PKI 10.11.0-alpha1 - -* Thu Apr 29 2021 Red Hat PKI Team 10.10.5-9 -- Disable non-core packages - -* Wed Apr 28 2021 Red Hat PKI Team 10.10.5-8 -- Add DT_RPATH waiver - -* Fri Apr 16 2021 Mohan Boddu 10.10.5-7 -- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - -* Fri Mar 12 2021 Dogtag PKI Team 10.10.5-6 -- Drop i686 due to lack of md2man and multilib Java - -* Fri Mar 12 2021 Dogtag PKI Team 10.10.5-5 -- Fix renewal profile approval process - Resolves: CVE-2021-20179 - -* Thu Mar 11 2021 Dogtag PKI Team 10.10.5-4 -- Use JDK 11 for ELN and RHEL 9 builds - -* Wed Mar 10 2021 Dogtag PKI Team 10.10.5-3 -- Drop dependency on esc for s390(x) architectures - -* Wed Mar 10 2021 Dogtag PKI Team 10.10.5-2 -- Use tomcat instead of pki-servlet-engine in ELN - -* Thu Feb 25 2021 Alexander Scheel 10.10.5-1 -- Update to latest stable release 10.10.5 - Resolves: rh-bz#1929940 - -* Wed Jan 27 2021 Fedora Release Engineering 10.10.3-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Tue Jan 19 2021 Alexander Scheel 10.10.3-3 -- Sync spec between upstream and Fedora - -* Tue Jan 19 2021 Alexander Scheel 10.10.3-2 -- Remove dependency on jakarta-commons-httpclient - -* Thu Jan 14 2021 Dogtag PKI Team 10.10.3-1 -- Rebase to upstream stable v10.10.3-1 release - -* Thu Nov 05 2020 Dogtag PKI Team 10.10.0-2 -- Add missing pki-acme package -- Add workaround for missing capture_output in Python 3.6 -- Fix JSS initialization in pki-server -user-cert-add -- Fix NPE in UGSubsystem.findUsersByKeyword() - -* Wed Oct 28 2020 Dogtag PKI Team 10.10.0-1 -- Rebase to upstream stable v10.10.0-1 release - -* Thu Oct 22 2020 Dogtag PKI Team 10.10.0-0.2 -- Rebase to 
upstream beta v10.10.0-b2 release - -* Fri Sep 18 2020 Dogtag PKI Team 10.9.4-3 -- Fix issue with JAXB JAR linking -- update .spec file - -* Fri Sep 18 2020 Dogtag PKI Team 10.9.4-2 -- Fix issue with JAXB JAR linking - -* Fri Sep 11 2020 Dogtag PKI Team 10.9.4-1 -- Rebase to stable upstream v10.9.4 release - -* Tue Sep 08 2020 Dogtag PKI Team 10.9.2-3 -- Fix Fedora 31/32 to Fedora 33/rawhide upgrade path - Resolves: rh-bz#1871990 - -* Tue Aug 18 2020 Dogtag PKI Team 10.9.2-2 -- Fix permission issue during clone installation; reported by FreeIPA - -* Tue Aug 18 2020 Dogtag PKI Team 10.9.2-1 -- Second attempt at JDK11 Support - -* Tue Aug 18 2020 Dogtag PKI Team 10.9.1-3 -- Force JDK8 at runtime as well - -* Tue Aug 18 2020 Dogtag PKI Team 10.9.1-2 -- Rebuilt to fix packaging issues introduced upstream - -* Mon Aug 17 2020 Dogtag PKI Team 10.9.1-1 -- Rebuilt with v10.9.1 and patches to fix JDK11 build issues - -* Sat Aug 01 2020 Fedora Release Engineering 10.9.0-0.7 -- Second attempt - Rebuilt for - https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jul 28 2020 Fedora Release Engineering 10.9.0-0.6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Mon Jul 20 2020 Dogtag PKI Team 10.9.0-0.5 -- Rebuild -b2 with Java 11 changes - -* Tue Jun 30 2020 Dogtag PKI Team 10.9.0-0.4 -- Rebase to match upstream beta version v10.9.0-b2 -- pki password fix for FIPS - -* Wed Jun 10 2020 Dogtag PKI Team 10.9.0-0.2 -- Rebase to match upstream alpha version 10.9.0-a2 - -* Tue May 26 2020 Miro Hrončok 10.8.3-3 -- Rebuilt for Python 3.9 - -* Mon Apr 27 2020 Dinesh Prasanth M K 10.8.3-2 -- Fix bz#1814242 / dogtag issue #3168: Fix EC admin certificate profile upgrade - -* Thu Mar 05 2020 Dinesh Prasanth M K 10.8.3-1 -- Rebase to latest upstream version -- Spec cleanup to match with upstream spec - - -* Thu Jan 30 2020 Fedora Release Engineering 10.7.3-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Thu Oct 03 2019 Miro 
Hrončok 10.7.3-5 -- Rebuilt for Python 3.8.0rc1 (#1748018) - -* Mon Aug 19 2019 Miro Hrončok 10.7.3-4 -- Rebuilt for Python 3.8 - -* Wed Aug 14 2019 Dogtag PKI Team 10.7.3-3 -- Rebuild with patches applied - -* Wed Aug 14 2019 Dogtag PKI Team 10.7.3-2 -- Fix URL redirection for KRA and OCSP web UI - -* Thu Aug 08 2019 Dogtag PKI Team 10.7.3-1 -- Rebased to PKI 10.7.3 - -* Fri Jul 26 2019 Fedora Release Engineering 10.7.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Mon May 06 2019 Dogtag PKI Team 10.7.0-1 -- Rebased to PKI 10.7.0 +* Fri Jun 25 2021 Red Hat PKI Team - 11.0.0-0.1 +- Rebase to PKI 11.0.0-alpha1 diff --git a/sources b/sources index 2fdc29f..28bbe6b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (pki-10.11.0-alpha1.tar.gz) = 4f4c9b29dc9126c91de9258063f370a05591447cbae76109e6841bdb2ea502994e945a4dd9d00ee85d3b783021b25a7bb243acc060b88901eb4e6b4c01c4f7db +SHA512 (pki-11.0.0-alpha1.tar.gz) = 7dd458897d63a2aaba7e8cf62f74537cc7ba7798b5a5f6df5b6b3bee15ff00e1f6397540a23556eb25e86da3562d9723f66a14c619c25014e542a664023769d5