From 3913b45078f902369843b81122774d197d42e388 Mon Sep 17 00:00:00 2001 From: Florian Festi Date: Fri, 5 May 2023 13:34:13 +0200 Subject: [PATCH] Rebase to the 4.19 alpha release (4.18.90) This uses the new cmake build scripts so several pieces of the package had to be adjusted. --- .gitignore | 1 + ...gpVerifySignature2-and-pgpPrtParams2.patch | 186 +++++++++++++----- ...oleted-crypto-needed-by-current-libd.patch | 139 +++++++++++++ ...nd-share-dir-from-infodir-and-mandir.patch | 31 +++ rpm-4.18.90-disable-sysusers.patch | 11 ++ rpm-4.18.90-weak-user-group.patch | 11 ++ rpm-4.18.x-ldflags.patch | 7 +- rpm-4.18.x-revert-pandoc-cond.patch | 12 -- rpm.spec | 113 ++++++----- sources | 2 +- 10 files changed, 401 insertions(+), 112 deletions(-) create mode 100644 0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch create mode 100644 0001-Remove-second-share-dir-from-infodir-and-mandir.patch create mode 100644 rpm-4.18.90-disable-sysusers.patch create mode 100644 rpm-4.18.90-weak-user-group.patch delete mode 100644 rpm-4.18.x-revert-pandoc-cond.patch diff --git a/.gitignore b/.gitignore index 41a57b5..f2a1beb 100644 --- a/.gitignore +++ b/.gitignore @@ -56,3 +56,4 @@ /rpm-4.18.0-rc1.tar.bz2 /rpm-4.18.0.tar.bz2 /rpm-4.18.1.tar.bz2 +/rpm-4.18.90.tar.bz2 diff --git a/0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch b/0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch index b00d377..a8c32df 100644 --- a/0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch +++ b/0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch @@ -1,5 +1,4 @@ -From e75ae70ef1a152dac9a066506cafd2bbf7b2565e Mon Sep 17 00:00:00 2001 -Message-Id: +From 87b9e0c28c3df3937f6676ee1b4164d6154dd9d3 Mon Sep 17 00:00:00 2001 From: "Neal H. Walfield" Date: Wed, 12 Apr 2023 17:56:19 +0200 Subject: [PATCH] Add pgpVerifySignature2() and pgpPrtParams2() @@ -16,37 +15,36 @@ and https://github.com/rpm-software-management/rpm/issues/2127#issuecomment-1482646398 Fixes #2483. - -This is a backport of commit 87b9e0c28c3df3937f6676ee1b4164d6154dd9d3 --- - configure.ac | 2 +- - include/rpm/rpmpgp.h | 23 +++++++++++++++++++++++ - lib/rpmvs.c | 19 ++++++++++++++++--- - rpmio/rpmkeyring.c | 7 ++++++- - rpmio/rpmpgp_internal.c | 15 +++++++++++++++ - rpmio/rpmpgp_sequoia.c | 7 +++++++ - tests/rpmi.at | 10 ++++++++-- - tests/rpmsigdig.at | 20 +++++++++++++++++--- - 9 files changed, 95 insertions(+), 10 deletions(-) + ci/Dockerfile | 2 ++ + include/rpm/rpmpgp.h | 23 +++++++++++++++++++ + lib/rpmvs.c | 19 +++++++++++++--- + rpmio/CMakeLists.txt | 2 +- + rpmio/rpmkeyring.c | 7 +++++- + rpmio/rpmpgp_internal.c | 15 +++++++++++++ + rpmio/rpmpgp_sequoia.c | 7 ++++++ + tests/rpmi.at | 10 +++++++-- + tests/rpmsigdig.at | 50 +++++++++++++++++++++++++++++++---------- + 9 files changed, 116 insertions(+), 19 deletions(-) -diff --git a/configure.ac b/configure.ac -index e6676c581..1d173e4e2 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -384,7 +384,7 @@ AC_SUBST(WITH_LIBGCRYPT_LIB) - WITH_RPM_SEQUOIA_INCLUDE= - WITH_RPM_SEQUOIA_LIB= - if test "$with_crypto" = sequoia ; then -- PKG_CHECK_MODULES([RPM_SEQUOIA], [rpm-sequoia], [have_rpm_sequoia=yes], [have_rpm_sequoia=no]) -+ PKG_CHECK_MODULES([RPM_SEQUOIA], [rpm-sequoia >= 1.4.0], [have_rpm_sequoia=yes], [have_rpm_sequoia=no]) - if test "$have_rpm_sequoia" = "yes"; then - WITH_RPM_SEQUOIA_INCLUDE="$RPM_SEQUOIA_CFLAGS" - WITH_RPM_SEQUOIA_LIB="$RPM_SEQUOIA_LIBS" +diff --git a/ci/Dockerfile b/ci/Dockerfile +index d8f808962..552934fcd 100644 +--- a/ci/Dockerfile ++++ b/ci/Dockerfile +@@ -7,6 +7,8 @@ RUN sed -i -e "s:^enabled=.$:enabled=0:g" /etc/yum.repos.d/*openh264.repo + # dummy for controlling per-repo gpgcheck via Semaphore setup + RUN sed -i -e "s:^gpgcheck=.$:gpgcheck=1:g" /etc/yum.repos.d/*.repo + RUN dnf -y update ++# until 1.4.0 lands in stable ++RUN dnf -y --enablerepo=updates-testing install "rpm-sequoia-devel >= 1.4.0" + RUN dnf -y install \ + autoconf \ + cmake \ diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h -index a3238a643..3352129b8 100644 +index 87a2a5bd2..675cbad73 100644 --- a/include/rpm/rpmpgp.h +++ b/include/rpm/rpmpgp.h -@@ -1013,6 +1013,18 @@ int pgpPubkeyKeyID(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid); +@@ -1009,6 +1009,18 @@ int pgpPubkeyKeyID(const uint8_t * pkt, size_t pktlen, pgpKeyID_t keyid); int pgpPrtParams(const uint8_t *pkts, size_t pktlen, unsigned int pkttype, pgpDigParams * ret); @@ -65,9 +63,9 @@ index a3238a643..3352129b8 100644 /** \ingroup rpmpgp * Parse subkey parameters from OpenPGP packet(s). * @param pkts OpenPGP packet(s) -@@ -1191,6 +1203,17 @@ const uint8_t *pgpDigParamsSignID(pgpDigParams digp); +@@ -1186,6 +1198,17 @@ pgpDigParams pgpDigParamsFree(pgpDigParams digp); */ - const char *pgpDigParamsUserID(pgpDigParams digp); + rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx); +/** \ingroup rpmpgp + * Verify a PGP signature and return a error message or lint. @@ -81,8 +79,8 @@ index a3238a643..3352129b8 100644 + char **lints); + /** \ingroup rpmpgp - * Retrieve the object's version. - * + * Return the type of a PGP signature. If `sig` is NULL, or is not a signature, + * returns -1. diff --git a/lib/rpmvs.c b/lib/rpmvs.c index a1425ea17..9b2106927 100644 --- a/lib/rpmvs.c @@ -114,11 +112,24 @@ index a1425ea17..9b2106927 100644 } sinfo->hashalgo = pgpDigParamsAlgo(sinfo->sig, PGPVAL_HASHALGO); sinfo->keyid = pgpGrab(pgpDigParamsSignID(sinfo->sig)+4, 4); +diff --git a/rpmio/CMakeLists.txt b/rpmio/CMakeLists.txt +index 2fb5794b0..6aa9ab1f1 100644 +--- a/rpmio/CMakeLists.txt ++++ b/rpmio/CMakeLists.txt +@@ -21,7 +21,7 @@ if (WITH_INTERNAL_OPENPGP) + target_link_libraries(librpmio PRIVATE PkgConfig::LIBGCRYPT) + endif() + else() +- pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.3.0) ++ pkg_check_modules(RPMSEQUOIA REQUIRED IMPORTED_TARGET rpm-sequoia>=1.4.0) + target_sources(librpmio PRIVATE rpmpgp_sequoia.c) + target_link_libraries(librpmio PRIVATE PkgConfig::RPMSEQUOIA) + endif() diff --git a/rpmio/rpmkeyring.c b/rpmio/rpmkeyring.c -index db72892d9..712004bc8 100644 +index 166ee43a2..e3eb9e6ea 100644 --- a/rpmio/rpmkeyring.c +++ b/rpmio/rpmkeyring.c -@@ -328,7 +328,12 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx) +@@ -276,7 +276,12 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx) pgpkey = key->pgpkey; /* We call verify even if key not found for a signature sanity check */ @@ -133,10 +144,10 @@ index db72892d9..712004bc8 100644 if (keyring) diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c -index 0fcd220e4..a049c09b2 100644 +index ce1d3c27d..82972bcc8 100644 --- a/rpmio/rpmpgp_internal.c +++ b/rpmio/rpmpgp_internal.c -@@ -1095,6 +1095,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, +@@ -1043,6 +1043,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, return rc; } @@ -151,8 +162,8 @@ index 0fcd220e4..a049c09b2 100644 int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen, pgpDigParams mainkey, pgpDigParams **subkeys, int *subkeysCount) -@@ -1264,6 +1272,13 @@ rpmRC pgpVerifySig(pgpDig dig, DIGEST_CTX hashctx) - pgpDigGetParams(dig, PGPTAG_SIGNATURE), hashctx); +@@ -1179,6 +1187,13 @@ exit: + } +rpmRC pgpVerifySignature2(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx, char **lints) @@ -166,7 +177,7 @@ index 0fcd220e4..a049c09b2 100644 { const char * enc = NULL; diff --git a/rpmio/rpmpgp_sequoia.c b/rpmio/rpmpgp_sequoia.c -index e01acd0e9..2141bbf30 100644 +index c6434270a..d0b673953 100644 --- a/rpmio/rpmpgp_sequoia.c +++ b/rpmio/rpmpgp_sequoia.c @@ -36,6 +36,9 @@ W(uint32_t, pgpDigParamsCreationTime, (pgpDigParams digp), (digp)) @@ -191,10 +202,10 @@ index e01acd0e9..2141bbf30 100644 (const uint8_t *pkts, size_t pktlen, pgpDigParams mainkey, pgpDigParams **subkeys, diff --git a/tests/rpmi.at b/tests/rpmi.at -index 7c8f25eff..d67185d5b 100644 +index 9d74cf689..423d97bca 100644 --- a/tests/rpmi.at +++ b/tests/rpmi.at -@@ -254,7 +254,7 @@ AT_CLEANUP +@@ -342,7 +342,7 @@ AT_CLEANUP AT_SETUP([rpm -U ]) AT_KEYWORDS([install]) @@ -203,7 +214,7 @@ index 7c8f25eff..d67185d5b 100644 RPMDB_INIT pkg="hello-2.0-1.x86_64-signed.rpm" -@@ -267,7 +267,13 @@ runroot rpm -U --ignorearch --ignoreos --nodeps \ +@@ -355,7 +355,13 @@ runroot rpm -U --ignorearch --ignoreos --nodeps \ ], [1], [], @@ -219,10 +230,93 @@ index 7c8f25eff..d67185d5b 100644 ]) AT_CLEANUP diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at -index 5b1c6c4a6..e5482735a 100644 +index 9fb3febc9..df1f669e4 100644 --- a/tests/rpmsigdig.at +++ b/tests/rpmsigdig.at -@@ -539,7 +539,7 @@ AT_CLEANUP +@@ -386,17 +386,17 @@ AT_CHECK([ + RPMDB_INIT + + echo Checking package before importing key: +-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $? ++runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $? + echo Importing key: +-runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc; echo $? ++runroot rpmkeys --quiet --import /data/keys/alice-expired-subkey.asc 2>&1; echo $? + echo Checking for key: + runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1 + echo Checking package after importing key: +-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $? ++runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $? + echo Checking package after importing key, no digest: +-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $? ++runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $? + echo Checking package after importing key, no signature: +-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $? ++runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $? + ], + [0], + [[Checking package before importing key: +@@ -416,6 +416,10 @@ Checking for key: + Version : eb04e625 + Checking package after importing key: + /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm: ++error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice ): ++ Key 1F71177215217EE0 invalid: key is not alive ++ because: The subkey is not live ++ because: Expired on 2022-04-12T00:00:15Z + Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED + Header DSA signature: NOTFOUND + Header SHA256 digest: OK +@@ -427,6 +431,10 @@ Checking package after importing key: + 1 + Checking package after importing key, no digest: + /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm: ++error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice ): ++ Key 1F71177215217EE0 invalid: key is not alive ++ because: The subkey is not live ++ because: Expired on 2022-04-12T00:00:15Z + Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED + Header DSA signature: NOTFOUND + RSA signature: NOTFOUND +@@ -455,15 +463,15 @@ RPMDB_INIT + echo Checking package before importing key: + runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $? + echo Importing key: +-runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc; echo $? ++runroot rpmkeys --quiet --import /data/keys/alice-revoked-subkey.asc 2>&1; echo $? + echo Checking for key: + runroot rpm -qi gpg-pubkey-eb04e625-* | grep Version | head -n1 + echo Checking package after importing key: +-runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $? ++runroot rpmkeys --define '_pkgverify_level all' -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $? + echo Checking package after importing key, no digest: +-runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $? ++runroot rpmkeys --define '_pkgverify_level all' -Kv --nodigest /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $? + echo Checking package after importing key, no signature: +-runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm; echo $? ++runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm 2>&1; echo $? + ], + [0], + [[Checking package before importing key: +@@ -483,6 +491,8 @@ Checking for key: + Version : eb04e625 + Checking package after importing key: + /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm: ++error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice ): ++ Key 1F71177215217EE0 is invalid: key is revoked + Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED + Header DSA signature: NOTFOUND + Header SHA256 digest: OK +@@ -494,6 +504,8 @@ Checking package after importing key: + 1 + Checking package after importing key, no digest: + /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm: ++error: Verifying a signature using certificate B6542F92F30650C36B6F41BCB3A771BFEB04E625 (Alice ): ++ Key 1F71177215217EE0 is invalid: key is revoked + Header V4 RSA/SHA512 Signature, key ID 15217ee0: NOTTRUSTED + Header DSA signature: NOTFOUND + RSA signature: NOTFOUND +@@ -740,7 +752,7 @@ AT_CLEANUP # Test pre-built corrupted package verification (corrupted signature) AT_SETUP([rpmkeys -Kv 1]) AT_KEYWORDS([rpmkeys digest signature]) @@ -231,7 +325,7 @@ index 5b1c6c4a6..e5482735a 100644 RPMDB_INIT pkg="hello-2.0-1.x86_64-signed.rpm" -@@ -553,14 +553,28 @@ runroot rpmkeys -Kv /tmp/${pkg} +@@ -754,14 +766,28 @@ runroot rpmkeys -Kv /tmp/${pkg} ], [1], [/tmp/hello-2.0-1.x86_64-signed.rpm: @@ -263,5 +357,5 @@ index 5b1c6c4a6..e5482735a 100644 Header SHA1 digest: OK Payload SHA256 digest: OK -- -2.40.0 +2.40.1 diff --git a/0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch b/0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch new file mode 100644 index 0000000..11f4519 --- /dev/null +++ b/0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch @@ -0,0 +1,139 @@ +From 9a9514e665c30554a4d72c7c79475af315b83dc3 Mon Sep 17 00:00:00 2001 +Message-Id: <9a9514e665c30554a4d72c7c79475af315b83dc3.1683531413.git.pmatilai@redhat.com> +From: Panu Matilainen +Date: Mon, 8 May 2023 09:26:46 +0300 +Subject: [PATCH] Forward-port obsoleted crypto needed by current libdnf + +Provide the minimum required bits to allow the old PackageKit-inherited +signature in libdnf to work until the switch to dnf5 happens, allegedly +during this release cycle. +--- + include/rpm/rpmkeyring.h | 4 ++++ + include/rpm/rpmpgp.h | 15 ++++++++++++ + rpmio/rpmkeyring.c | 52 ++++++++++++++++++++++++++++++++++++++++ + rpmio/rpmpgp_sequoia.c | 11 +++++++++ + 4 files changed, 82 insertions(+) + +diff --git a/include/rpm/rpmkeyring.h b/include/rpm/rpmkeyring.h +index 3d8d55773..c84292ff8 100644 +--- a/include/rpm/rpmkeyring.h ++++ b/include/rpm/rpmkeyring.h +@@ -101,6 +101,10 @@ char * rpmPubkeyBase64(rpmPubkey key); + */ + pgpDigParams rpmPubkeyPgpDigParams(rpmPubkey key); + ++/* Obsolete APIs required by libdnf, do not use */ ++rpmRC rpmKeyringLookup(rpmKeyring keyring, pgpDig sig); ++pgpDig rpmPubkeyDig(rpmPubkey key); ++ + #ifdef __cplusplus + } + #endif +diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h +index 675cbad73..f83642c18 100644 +--- a/include/rpm/rpmpgp.h ++++ b/include/rpm/rpmpgp.h +@@ -1225,6 +1225,21 @@ int pgpSignatureType(pgpDigParams sig); + */ + char *pgpIdentItem(pgpDigParams digp); + ++/* Obsolete APIs required by libdnf, do not use */ ++typedef struct pgpDig_s * pgpDig; ++ ++RPM_GNUC_DEPRECATED ++pgpDig pgpNewDig(void); ++ ++RPM_GNUC_DEPRECATED ++pgpDig pgpFreeDig(pgpDig dig); ++ ++RPM_GNUC_DEPRECATED ++pgpDigParams pgpDigGetParams(pgpDig dig, unsigned int pkttype); ++ ++RPM_GNUC_DEPRECATED ++int pgpPrtPkts(const uint8_t *pkts, size_t pktlen, pgpDig dig, int printing); ++ + #ifdef __cplusplus + } + #endif +diff --git a/rpmio/rpmkeyring.c b/rpmio/rpmkeyring.c +index e3eb9e6ea..464163895 100644 +--- a/rpmio/rpmkeyring.c ++++ b/rpmio/rpmkeyring.c +@@ -289,3 +289,55 @@ rpmRC rpmKeyringVerifySig(rpmKeyring keyring, pgpDigParams sig, DIGEST_CTX ctx) + + return rc; + } ++ ++rpmRC rpmKeyringLookup(rpmKeyring keyring, pgpDig sig) ++{ ++ pthread_rwlock_rdlock(&keyring->lock); ++ ++ rpmRC res = RPMRC_NOKEY; ++ pgpDigParams sigp = pgpDigGetParams(sig, PGPTAG_SIGNATURE); ++ rpmPubkey key = findbySig(keyring, sigp); ++ ++ if (key) { ++ /* ++ * Callers expect sig to have the key data parsed into pgpDig ++ * on (successful) return, sigh. No need to check for return ++ * here as this is validated at rpmPubkeyNew() already. ++ */ ++ pgpPrtPkts(key->pkt, key->pktlen, sig, _print_pkts); ++ res = RPMRC_OK; ++ } ++ ++ pthread_rwlock_unlock(&keyring->lock); ++ return res; ++} ++ ++pgpDig rpmPubkeyDig(rpmPubkey key) ++{ ++ pgpDig dig = NULL; ++ static unsigned char zeros[] = ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; ++ int rc; ++ if (key == NULL) ++ return NULL; ++ ++ dig = pgpNewDig(); ++ ++ pthread_rwlock_rdlock(&key->lock); ++ rc = pgpPrtPkts(key->pkt, key->pktlen, dig, _print_pkts); ++ pthread_rwlock_unlock(&key->lock); ++ ++ if (rc == 0) { ++ pgpDigParams pubp = pgpDigGetParams(dig, PGPTAG_PUBLIC_KEY); ++ if (!pubp || !memcmp(pgpDigParamsSignID(pubp), zeros, sizeof(zeros)) || ++ pgpDigParamsCreationTime(pubp) == 0 || ++ pgpDigParamsUserID(pubp) == NULL) { ++ rc = -1; ++ } ++ } ++ ++ if (rc) ++ dig = pgpFreeDig(dig); ++ ++ return dig; ++} +diff --git a/rpmio/rpmpgp_sequoia.c b/rpmio/rpmpgp_sequoia.c +index d0b673953..0c1c848dc 100644 +--- a/rpmio/rpmpgp_sequoia.c ++++ b/rpmio/rpmpgp_sequoia.c +@@ -80,3 +80,14 @@ W(int, rpmDigestUpdate, (DIGEST_CTX ctx, const void * data, size_t len), + W(int, rpmDigestFinal, + (DIGEST_CTX ctx, void ** datap, size_t *lenp, int asAscii), + (ctx, datap, lenp, asAscii)) ++ ++// Minimal backport of APIs required by libdnf until dnf5 takes over ++W(int, pgpPrtPkts, ++ (const uint8_t *pkts, size_t pktlen, pgpDig dig, int printing), ++ (pkts, pktlen, dig, printing)) ++W(pgpDig, pgpNewDig, (void), ()) ++W(pgpDig, pgpFreeDig, (pgpDig dig), (dig)) ++W(pgpDigParams, pgpDigGetParams, ++ (pgpDig dig, unsigned int pkttype), ++ (dig, pkttype)) ++ +-- +2.40.1 + diff --git a/0001-Remove-second-share-dir-from-infodir-and-mandir.patch b/0001-Remove-second-share-dir-from-infodir-and-mandir.patch new file mode 100644 index 0000000..bdfc2a7 --- /dev/null +++ b/0001-Remove-second-share-dir-from-infodir-and-mandir.patch @@ -0,0 +1,31 @@ +From 33702961f45567a599bc0f0dac055604dc204fb1 Mon Sep 17 00:00:00 2001 +From: Florian Festi +Date: Tue, 2 May 2023 09:03:50 +0200 +Subject: [PATCH] Remove second share/ dir from infodir and mandir + +cmake variables and the derived macros. + +CMAKE_INSTALL_INFODIR and CMAKE_INSTALL_MANDIR already include the +datarootdir. So just prepending the prefix is sufficient. +--- + CMakeLists.txt | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 230d18d1f..9718505bf 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -67,8 +67,8 @@ function(makemacros) + set(libdir "\${prefix}/=LIB=") + set(includedir "\${prefix}/${CMAKE_INSTALL_INCLUDEDIR}") + set(oldincludedir "${CMAKE_INSTALL_FULL_OLDINCLUDEDIR}") +- set(infodir "\${datarootdir}/${CMAKE_INSTALL_INFODIR}") +- set(mandir "\${datarootdir}/${CMAKE_INSTALL_MANDIR}") ++ set(infodir "\${prefix}/${CMAKE_INSTALL_INFODIR}") ++ set(mandir "\${prefix}/${CMAKE_INSTALL_MANDIR}") + set(RUNDIR /run) + + set(acutils +-- +2.40.1 + diff --git a/rpm-4.18.90-disable-sysusers.patch b/rpm-4.18.90-disable-sysusers.patch new file mode 100644 index 0000000..edf8f4f --- /dev/null +++ b/rpm-4.18.90-disable-sysusers.patch @@ -0,0 +1,11 @@ +--- rpm-4.18.90/macros.in.orig 2023-04-17 14:44:14.186653076 +0200 ++++ rpm-4.18.90/macros.in 2023-04-17 14:46:25.190322631 +0200 +@@ -133,7 +133,7 @@ + %_keyringpath %{_dbpath}/pubkeys/ + + # sysusers helper binary or script, uncomment to disable +-%__systemd_sysusers %{_bindir}/systemd-sysusers ++# %__systemd_sysusers %{_bindir}/systemd-sysusers + + # + # Path to script that creates debug symbols in a /usr/lib/debug diff --git a/rpm-4.18.90-weak-user-group.patch b/rpm-4.18.90-weak-user-group.patch new file mode 100644 index 0000000..3ba6f29 --- /dev/null +++ b/rpm-4.18.90-weak-user-group.patch @@ -0,0 +1,11 @@ +--- rpm-4.18.90/macros.in.orig 2023-04-17 14:48:14.802719586 +0200 ++++ rpm-4.18.90/macros.in 2023-04-17 14:48:25.268852972 +0200 +@@ -236,7 +236,7 @@ + %clamp_mtime_to_source_date_epoch 0 + + # If enabled, dilute user() and group() requires into recommends +-#%_use_weak_usergroup_deps 1 ++%_use_weak_usergroup_deps 1 + + # The directory where newly built binary packages will be written. + %_rpmdir %{_topdir}/RPMS diff --git a/rpm-4.18.x-ldflags.patch b/rpm-4.18.x-ldflags.patch index 8f62c45..594627c 100644 --- a/rpm-4.18.x-ldflags.patch +++ b/rpm-4.18.x-ldflags.patch @@ -1,7 +1,7 @@ diff -up rpm-4.18.1/macros.in.orig rpm-4.18.1/macros.in --- rpm-4.18.1/macros.in.orig 2023-03-15 13:57:06.385361527 +0100 +++ rpm-4.18.1/macros.in 2023-03-15 13:58:09.613971713 +0100 -@@ -727,10 +727,11 @@ package or when debugging this package.\ +@@ -750,11 +750,12 @@ package or when debugging this package.\ RPM_SOURCE_DIR=\"%{_sourcedir}\"\ RPM_BUILD_DIR=\"%{_builddir}\"\ RPM_OPT_FLAGS=\"%{optflags}\"\ @@ -9,8 +9,9 @@ diff -up rpm-4.18.1/macros.in.orig rpm-4.18.1/macros.in RPM_ARCH=\"%{_arch}\"\ RPM_OS=\"%{_os}\"\ RPM_BUILD_NCPUS=\"%{_smp_build_ncpus}\"\ -- export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS\ -+ export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_LD_FLAGS\ + RPM_SPECPARTS_DIR=\"%{specpartsdir}\"\ +- export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_SPECPARTS_DIR\ ++ export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_SPECPARTS_DIR RPM_LD_FLAGS\ RPM_DOC_DIR=\"%{_docdir}\"\ export RPM_DOC_DIR\ RPM_PACKAGE_NAME=\"%{NAME}\"\ diff --git a/rpm-4.18.x-revert-pandoc-cond.patch b/rpm-4.18.x-revert-pandoc-cond.patch deleted file mode 100644 index 7b67c9b..0000000 --- a/rpm-4.18.x-revert-pandoc-cond.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up rpm-4.18.1/docs/Makefile.am.orig rpm-4.18.1/docs/Makefile.am ---- rpm-4.18.1/docs/Makefile.am.orig 2023-03-15 14:48:27.955720807 +0100 -+++ rpm-4.18.1/docs/Makefile.am 2023-03-15 14:48:43.634626934 +0100 -@@ -1,8 +1,6 @@ - ## Process this file with automake to produce Makefile.in - --if PANDOC - SUBDIRS = man --endif - - EXTRA_DIST = - diff --git a/rpm.spec b/rpm.spec index e650700..f0b08d6 100644 --- a/rpm.spec +++ b/rpm.spec @@ -30,10 +30,10 @@ %define rpmhome /usr/lib/rpm -%global rpmver 4.18.1 +%global rpmver 4.18.90 #global snapver rc1 -%global baserelease 3 -%global sover 9 +%global baserelease 1 +%global sover 10 %global srcver %{rpmver}%{?snapver:-%{snapver}} %global srcdir %{?snapver:testing}%{!?snapver:rpm-%(echo %{rpmver} | cut -d'.' -f1-2).x} @@ -69,6 +69,7 @@ BuildRequires: debugedit >= 0.3 BuildRequires: redhat-rpm-config >= 94 BuildRequires: systemd-rpm-macros BuildRequires: gcc make +BuildRequires: cmake >= 3.18 BuildRequires: gawk BuildRequires: elfutils-devel >= 0.112 BuildRequires: elfutils-libelf-devel @@ -95,6 +96,15 @@ BuildRequires: libzstd-devel BuildRequires: sqlite-devel %endif +# Needed for re-building the documentation and man pages +# normally those are shipped in the tarball pre-build +# but need re-building if sources are patched +%if 0 +BuildRequires: pandoc +BuildRequires: doxygen +%endif + + %if %{with sequoia} %global crypto sequoia BuildRequires: rpm-sequoia-devel >= 1.4.0 @@ -132,17 +142,22 @@ rpm-4.17.x-rpm_dbpath.patch rpm-4.18.x-siteconfig.patch # In current Fedora, man-pages pkg owns all the localized man directories rpm-4.9.90-no-man-dirs.patch +# Disable new user/group handling +rpm-4.18.90-disable-sysusers.patch +rpm-4.18.90-weak-user-group.patch # Patches already upstream: +# ... +0001-Remove-second-share-dir-from-infodir-and-mandir.patch 0001-Add-pgpVerifySignature2-and-pgpPrtParams2.patch # These are not yet upstream rpm-4.7.1-geode-i686.patch # Probably to be upstreamed in slightly different form rpm-4.18.x-ldflags.patch -# We either need pandoc in buildroot or this patch in order for man pages to -# actually be installed, choose the latter -rpm-4.18.x-revert-pandoc-cond.patch + +# Needed until dnf catches up +0001-Forward-port-obsoleted-crypto-needed-by-current-libd.patch %description The RPM Package Manager (RPM) is a powerful command line driven @@ -288,12 +303,14 @@ Requires: rpm-libs%{_isa} = %{version}-%{release} This plugin blocks systemd from entering idle, sleep or shutdown while an rpm transaction is running using the systemd-inhibit mechanism. +%if %{with libimaevm} %package plugin-ima Summary: Rpm plugin ima file signatures Requires: rpm-libs%{_isa} = %{version}-%{release} %description plugin-ima %{summary}. +%endif %package plugin-prioreset Summary: Rpm plugin for resetting scriptlet priorities for SysV init @@ -351,44 +368,35 @@ change. %build %set_build_flags -autoreconf -i -f - -# Hardening hack taken from macro %%configure defined in redhat-rpm-config -for i in $(find . -name ltmain.sh) ; do - %{__sed} -i.backup -e 's~compiler_flags=$~compiler_flags="%{_hardened_ldflags}"~' $i -done; - -# Using configure macro has some unwanted side-effects on rpm platform -# setup, use the old-fashioned way for now only defining minimal paths. -./configure \ - --prefix=%{_usr} \ - --sysconfdir=%{_sysconfdir} \ - --localstatedir=%{_var} \ - --sharedstatedir=%{_var}/lib \ - --libdir=%{_libdir} \ - --build=%{_target_platform} \ - --host=%{_target_platform} \ - --with-vendor=redhat \ - %{!?with_plugins: --disable-plugins} \ - --with-lua \ - --with-selinux \ - --with-cap \ - --with-acl \ - --with-fapolicyd \ - %{?with_ndb: --enable-ndb} \ - %{?with_libimaevm: --with-imaevm} \ - %{?with_fsverity: --with-fsverity} \ - %{?with_zstd: --enable-zstd} \ - %{?with_sqlite: --enable-sqlite} \ - %{?with_bdb_ro: --enable-bdb-ro} \ - --enable-python \ - --with-crypto=%{crypto} +mkdir _build +cd _build +cmake \ + -DCMAKE_INSTALL_PREFIX=%{_usr} \ + %{?with_bdb_ro:-DENABLE_BDB_RO=ON} \ + %{!?with_ndb:-DENABLE_NDB=OFF} \ + %{!?with_sqlite:-DENABLE_SQLITE=OFF} \ + %{!?with_plugins:-DENABLE_PLUGINS=OFF} \ + %{?with_fsverity:-DWITH_FSVERITY=ON} \ + %{?with_libimaevm:-DWITH_IMAEVM=ON} \ + %{!?with_libarchive:-DWITH_ARCHIVE=OFF} \ + %{!?with_check:-DENABLE_TESTSUITE=OFF} \ + %{!?with_sequoia:-DWITH_INTERNAL_OPENPGP=ON} \ + %{!?with_sequoia:-DWITH_OPENSSL=ON } \ + -DRPM_VENDOR=redhat \ + .. %make_build %install +cd _build %make_install +# temporarily remove useser handling fileattr +# as it is currently in systemd-rpm-macros +rm $RPM_BUILD_ROOT%{_rpmconfigdir}/fileattrs/sysusers.attr + +cd .. + mkdir -p $RPM_BUILD_ROOT%{_unitdir} install -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir} install -m 644 %{SOURCE20} $RPM_BUILD_ROOT/%{_unitdir} @@ -406,10 +414,12 @@ install -m 644 scripts/rpm.log ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/rpm mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rpm mkdir -p $RPM_BUILD_ROOT%{rpmhome}/macros.d mkdir -p $RPM_BUILD_ROOT/usr/lib/sysimage/rpm +cd _build # init an empty database for %ghost'ing for all supported backends for be in %{?with_ndb:ndb} %{?with_sqlite:sqlite}; do - ./rpmdb --define "_db_backend ${be}" --dbpath=${PWD}/${be} --initdb + mkdir ${be} + ./rpmdb --rcfile rpmrc --define "_db_backend ${be}" --dbpath=${PWD}/${be} --initdb cp -va ${be}/. $RPM_BUILD_ROOT/usr/lib/sysimage/rpm/ done @@ -427,6 +437,7 @@ rm -rf $RPM_BUILD_ROOT/var/tmp %if %{with check} %check +cd _build make check TESTSUITEFLAGS=-j%{_smp_build_ncpus} || (cat tests/rpmtests.log; exit 1) # rpm >= 4.16.0 testsuite leaves a read-only tree behind, clean it up make clean @@ -457,9 +468,13 @@ if [ ! -d /var/lib/rpm ] && [ -d /usr/lib/sysimage/rpm ] && [ ! -f /usr/lib/sysi touch /usr/lib/sysimage/rpm/.rpmdbdirsymlink_created fi -%files -f rpm.lang +%files -f _build/rpm.lang %license COPYING %doc CREDITS docs/manual/[a-z]* +%doc %{_defaultdocdir}/rpm/CONTRIBUTING.md +%doc %{_defaultdocdir}/rpm/COPYING +%doc %{_defaultdocdir}/rpm/INSTALL +%doc %{_defaultdocdir}/rpm/README %{_unitdir}/rpmdb-rebuild.service %{_unitdir}/rpmdb-migrate.service @@ -477,6 +492,7 @@ fi %{_bindir}/rpmkeys %{_bindir}/rpmquery %{_bindir}/rpmverify +%{_bindir}/rpmsort %{_mandir}/man8/rpm.8* %{_mandir}/man8/rpmdb.8* @@ -484,16 +500,9 @@ fi %{_mandir}/man8/rpm2archive.8* %{_mandir}/man8/rpm2cpio.8* %{_mandir}/man8/rpm-misc.8* +%{_mandir}/man8/rpmsort.8* %{_mandir}/man8/rpm-plugins.8* -# XXX this places translated manuals to wrong package wrt eg rpmbuild -%lang(fr) %{_mandir}/fr/man[18]/*.[18]* -%lang(ko) %{_mandir}/ko/man[18]/*.[18]* -%lang(ja) %{_mandir}/ja/man[18]/*.[18]* -%lang(pl) %{_mandir}/pl/man[18]/*.[18]* -%lang(ru) %{_mandir}/ru/man[18]/*.[18]* -%lang(sk) %{_mandir}/sk/man[18]/*.[18]* - %attr(0755, root, root) %dir %{rpmhome} %{rpmhome}/macros %{rpmhome}/macros.d @@ -532,9 +541,11 @@ fi %{_libdir}/rpm-plugins/systemd_inhibit.so %{_mandir}/man8/rpm-plugin-systemd-inhibit.8* +%if %{with libimaevm} %files plugin-ima %{_libdir}/rpm-plugins/ima.so %{_mandir}/man8/rpm-plugin-ima.8* +%endif %files plugin-fsverity %{_libdir}/rpm-plugins/fsverity.so @@ -586,7 +597,6 @@ fi %{rpmhome}/*deps* %{rpmhome}/*.prov %{rpmhome}/*.req -%{rpmhome}/mkinstalldirs %{rpmhome}/fileattrs/* %{rpmhome}/find-debuginfo.sh %{rpmhome}/rpmuncompress @@ -615,9 +625,12 @@ fi %files apidocs %license COPYING -%doc docs/librpm/html/* +%doc %{_defaultdocdir}/rpm/API/ %changelog +* Thu May 04 2023 Florian Festi - 4.18.90-1 +- Update to 4.19 alpha + * Tue Apr 25 2023 Miro HronĨok - 4.18.1-3 - Explicitly require rpm-sequoia >= 1.4.0 on runtime to avoid rpm: symbol lookup error: /lib64/librpmio.so.9: undefined symbol: _pgpVerifySignature2 diff --git a/sources b/sources index fee455b..27d14eb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (rpm-4.18.1.tar.bz2) = 0ede2138b9b4c3b50d7e914cf82655507fcc207ba67804c749ea17560002976cb26b95801e9138a51589b60459494a991213a1131dbef5af2eca9b5050a4f29c +SHA512 (rpm-4.18.90.tar.bz2) = 2d1a499fe053c5f3497b0ae4c133ef3b05b4b87e12ee5d349ad8c34dbfaebc20c1b3e6727143c152040ed1e132047bcf95afcbbe4a8cb2c4f91900b536d7821c