From 8317a615b0705ab4dc0f1540e6e8e610c7c1a1f9 Mon Sep 17 00:00:00 2001 From: Michal Domonkos Date: Tue, 12 Nov 2024 14:14:36 +0100 Subject: [PATCH 1/3] Add Sequoia signing support back It turns out the subpackage itself is fine, we just need to adjust the affected Beaker tests and make them cover the Sequoia backend as well. This reverts commit 40c682ecfcbdf781e59b6ce89103396d93f681ed. Related: RHEL-56363 --- macros.rpmsign-sequoia | 23 +++++++++++++++++++++++ rpm.spec | 27 ++++++++++++++++++++++----- 2 files changed, 45 insertions(+), 5 deletions(-) create mode 100644 macros.rpmsign-sequoia diff --git a/macros.rpmsign-sequoia b/macros.rpmsign-sequoia new file mode 100644 index 0000000..dcb9d55 --- /dev/null +++ b/macros.rpmsign-sequoia @@ -0,0 +1,23 @@ +#============================================================================== +# ---- Sequoia signature macros. +# The signature to use and the location of configuration files for +# signing packages with Sequoia. +# +# Unlike GnuPG, Sequoia doesn't support specifying the signer key by +# email or name match, you need to supply the hex fingerprint (or keyid) +#%_gpg_name +#%_gpg_path + +%__gpg /usr/bin/sq + +# Macro(s) to hold the arguments passed to Sequoia for package +# signing. Expansion result is parsed by popt, so be sure to use +# %{shescape} where needed. +# + +%__gpg_sign_cmd %{__gpg} %{__gpg} sign \ + %{?_gpg_sign_cmd_extra_args} \ + %{?_gpg_name:--signer-key %{_gpg_name}} \ + --detached --output %{shescape:%{?__signature_filename}} \ + %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}} + diff --git a/rpm.spec b/rpm.spec index 44b8ff3..ce78dcc 100644 --- a/rpm.spec +++ b/rpm.spec @@ -27,7 +27,7 @@ %global rpmver 4.19.1.1 #global snapver rc1 -%global baserelease 7 +%global baserelease 8 %global sover 10 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -46,6 +46,7 @@ Source10: rpmdb-rebuild.service Source20: rpmdb-migrate.service Source21: rpmdb_migrate +Source30: macros.rpmsign-sequoia Source31: macros.rpmsign-gnupg Requires: coreutils @@ -137,7 +138,7 @@ rpm-4.9.90-no-man-dirs.patch rpm-4.18.92-disable-sysusers.patch rpm-4.18.90-weak-user-group.patch -# We supply gpg config separately, remove gpg stuff from main macros +# We supply gpg/sq config separately, remove gpg stuff from main macros rpm-4.19.1.1-nogpg.patch # Patches already upstream: @@ -183,7 +184,7 @@ This package contains the RPM shared libraries for building packages. %package sign-libs Summary: Libraries for signing RPM packages Requires: rpm-libs%{_isa} = %{version}-%{release} -Requires(meta): rpm-sign-gnupg +Requires(meta): (rpm-sign-gnupg or rpm-sign-sequoia) %description sign-libs This package contains the RPM shared libraries for signing packages. @@ -192,10 +193,20 @@ This package contains the RPM shared libraries for signing packages. Summary: Support for signing RPM packages using GnuPG Requires: gnupg2 Requires(meta): rpm-sign-libs%{_isa} >= %{version}-%{release} +Conflicts: rpm-sign-sequoia %description sign-gnupg This package provides configuration for signing RPM packages using GnuPG. +%package sign-sequoia +Summary: Support for signing RPM packages using Sequoia +Requires: sequoia-sq +Requires(meta): rpm-sign-libs%{_isa} >= %{version}-%{release} +Conflicts: rpm-sign-gnupg + +%description sign-sequoia +This package provides configuration for signing RPM packages using Sequoia. + %package devel Summary: Development files for manipulating RPM packages License: GPL-2.0-or-later OR LGPL-2.1-or-later @@ -440,8 +451,8 @@ rm -rf $RPM_BUILD_ROOT/var/tmp # workaround for https://github.com/rpm-software-management/rpm/issues/2811 rm $RPM_BUILD_ROOT/%{_defaultdocdir}/rpm/README.md -# Signing macros for GnuPG -install -m 644 %{SOURCE31} $RPM_BUILD_ROOT/%{rpmhome}/macros.d +# Signing macros for Sequoia and GnuPG +install -m 644 %{SOURCE30} %{SOURCE31} $RPM_BUILD_ROOT/%{rpmhome}/macros.d %pre # Symlink all rpmdb files to the new location if we're still using /var/lib/rpm @@ -580,6 +591,9 @@ fi %{_libdir}/librpmsign.so.%{sover} %{_libdir}/librpmsign.so.%{sover}.* +%files sign-sequoia +%{rpmhome}/macros.d/macros.rpmsign-sequoia + %files sign-gnupg %{rpmhome}/macros.d/macros.rpmsign-gnupg @@ -639,6 +653,9 @@ fi %doc %{_defaultdocdir}/rpm/API/ %changelog +* Tue Nov 12 2024 Michal Domonkos - 4.19.1.1-8 +- Add Sequoia signing support back + * Tue Oct 29 2024 Troy Dawson - 4.19.1.1-7 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018 From 33815947f5dede0a6ce4f712d73bdd85a776fdfc Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Wed, 4 Dec 2024 12:04:16 +0200 Subject: [PATCH 2/3] Revert the gnupg/sequoia signing sub-packages, too much headache Ship the Sequoia signing macros as a %doc you can easily just copy to /etc/rpm to enable, this is much less hassle for what is more of a tech-preview feature at this time. Obsolete rpm-sign-gnupg and -sequoia in case somebody had these installed on the stream, but these haven't been part of any official (pre)release so we can drop them before GA. Related: RHEL-56363 --- macros.rpmsign-gnupg | 22 --------------- macros.rpmsign-sequoia | 3 ++ rpm-4.19.1.1-nogpg.patch | 59 ---------------------------------------- rpm.spec | 43 ++++++++--------------------- 4 files changed, 14 insertions(+), 113 deletions(-) delete mode 100644 macros.rpmsign-gnupg delete mode 100644 rpm-4.19.1.1-nogpg.patch diff --git a/macros.rpmsign-gnupg b/macros.rpmsign-gnupg deleted file mode 100644 index 110ef26..0000000 --- a/macros.rpmsign-gnupg +++ /dev/null @@ -1,22 +0,0 @@ -#============================================================================== -# ---- GPG signature macros. -# The signature to use and the location of configuration files for -# signing packages with GNU gpg. -# -#%_gpg_name -#%_gpg_path - -%__gpg /usr/bin/gpg2 - -# Macro(s) to hold the arguments passed to GPG/PGP for package -# signing. Expansion result is parsed by popt, so be sure to use -# %{shescape} where needed. -# -%__gpg_sign_cmd %{shescape:%{__gpg}} \ - gpg --no-verbose --no-armor --no-secmem-warning \ - %{?_gpg_digest_algo:--digest-algo=%{_gpg_digest_algo}} \ - %{?_gpg_sign_cmd_extra_args} \ - %{?_gpg_name:-u %{shescape:%{_gpg_name}}} \ - -sbo %{shescape:%{?__signature_filename}} \ - %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}} - diff --git a/macros.rpmsign-sequoia b/macros.rpmsign-sequoia index dcb9d55..13d8ece 100644 --- a/macros.rpmsign-sequoia +++ b/macros.rpmsign-sequoia @@ -3,6 +3,9 @@ # The signature to use and the location of configuration files for # signing packages with Sequoia. # +# To enable signing with sequoia-sq, just copy this file to /etc/rpm: +# cp /usr/share/doc/rpm/macros.rpmsign-sequoia /etc/rpm/ +# # Unlike GnuPG, Sequoia doesn't support specifying the signer key by # email or name match, you need to supply the hex fingerprint (or keyid) #%_gpg_name diff --git a/rpm-4.19.1.1-nogpg.patch b/rpm-4.19.1.1-nogpg.patch deleted file mode 100644 index 8d21d4a..0000000 --- a/rpm-4.19.1.1-nogpg.patch +++ /dev/null @@ -1,59 +0,0 @@ -diff -up rpm-4.19.1.1/macros.in.nogpg rpm-4.19.1.1/macros.in ---- rpm-4.19.1.1/macros.in.nogpg 2024-10-14 10:01:22.265773552 +0300 -+++ rpm-4.19.1.1/macros.in 2024-10-14 10:02:32.245317535 +0300 -@@ -30,7 +30,6 @@ - %__chown @__CHOWN@ - %__cp @__CP@ - %__file @__FILE@ --%__gpg @__GPG@ - %__grep @__GREP@ - %__gzip @__GZIP@ - %__id @__ID@ -@@ -321,12 +320,6 @@ Supplements: (%{name} = %{version}-%{r - # marked as %doc should be installed. - #%_excludedocs - --# The signature to use and the location of configuration files for --# signing packages with GNU gpg. --# --#%_gpg_name --#%_gpg_path -- - # The port and machine name of an HTTP proxy host (used for FTP/HTTP). - # - #%_httpport -@@ -595,10 +588,10 @@ Supplements: (%{name} = %{version}-%{r - %_fileattrsdir %{_rpmconfigdir}/fileattrs - - # This macro defines how much space (in bytes) in package should be --# reserved for gpg signatures during building of a package. If this space is --# big enough for gpg signatures to fit into it then signing of the packages is -+# reserved for OpenPGP signatures during building of a package. If this space -+# big enough for the signature to fit into it then signing of the packages is - # very quick because it is not necessary to rewrite the whole package to make --# some space for gpg signatures. -+# some space for the signature. - %__gpg_reserved_space 4096 - - #============================================================================== -@@ -613,20 +606,6 @@ Supplements: (%{name} = %{version}-%{r - %_db_backend @DB_BACKEND@ - - #============================================================================== --# ---- GPG/PGP/PGP5 signature macros. --# Macro(s) to hold the arguments passed to GPG/PGP for package --# signing. Expansion result is parsed by popt, so be sure to use --# %{shescape} where needed. --# --%__gpg_sign_cmd %{shescape:%{__gpg}} \ -- gpg --no-verbose --no-armor --no-secmem-warning \ -- %{?_gpg_digest_algo:--digest-algo=%{_gpg_digest_algo}} \ -- %{?_gpg_sign_cmd_extra_args} \ -- %{?_gpg_name:-u %{shescape:%{_gpg_name}}} \ -- -sbo %{shescape:%{?__signature_filename}} \ -- %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}} -- --#============================================================================== - # ---- Transaction macros. - # Macro(s) used to parameterize transactions. - # diff --git a/rpm.spec b/rpm.spec index ce78dcc..5153625 100644 --- a/rpm.spec +++ b/rpm.spec @@ -27,7 +27,7 @@ %global rpmver 4.19.1.1 #global snapver rc1 -%global baserelease 8 +%global baserelease 9 %global sover 10 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -47,7 +47,6 @@ Source20: rpmdb-migrate.service Source21: rpmdb_migrate Source30: macros.rpmsign-sequoia -Source31: macros.rpmsign-gnupg Requires: coreutils Requires: popt%{_isa} >= 1.10.2.1 @@ -138,9 +137,6 @@ rpm-4.9.90-no-man-dirs.patch rpm-4.18.92-disable-sysusers.patch rpm-4.18.90-weak-user-group.patch -# We supply gpg/sq config separately, remove gpg stuff from main macros -rpm-4.19.1.1-nogpg.patch - # Patches already upstream: 0001-Fix-potential-use-of-uninitialized-pipe-array.patch 0001-Fix-potential-use-of-uninitialized-pgp-struct.patch @@ -184,29 +180,13 @@ This package contains the RPM shared libraries for building packages. %package sign-libs Summary: Libraries for signing RPM packages Requires: rpm-libs%{_isa} = %{version}-%{release} -Requires(meta): (rpm-sign-gnupg or rpm-sign-sequoia) +# in case somebody on the stream had these installed +Obsoletes: rpm-sign-gnupg < 4.19.1.1-9.el10 +Obsoletes: rpm-sign-sequoia < 4.19.1.1-9.el10 %description sign-libs This package contains the RPM shared libraries for signing packages. -%package sign-gnupg -Summary: Support for signing RPM packages using GnuPG -Requires: gnupg2 -Requires(meta): rpm-sign-libs%{_isa} >= %{version}-%{release} -Conflicts: rpm-sign-sequoia - -%description sign-gnupg -This package provides configuration for signing RPM packages using GnuPG. - -%package sign-sequoia -Summary: Support for signing RPM packages using Sequoia -Requires: sequoia-sq -Requires(meta): rpm-sign-libs%{_isa} >= %{version}-%{release} -Conflicts: rpm-sign-gnupg - -%description sign-sequoia -This package provides configuration for signing RPM packages using Sequoia. - %package devel Summary: Development files for manipulating RPM packages License: GPL-2.0-or-later OR LGPL-2.1-or-later @@ -451,8 +431,8 @@ rm -rf $RPM_BUILD_ROOT/var/tmp # workaround for https://github.com/rpm-software-management/rpm/issues/2811 rm $RPM_BUILD_ROOT/%{_defaultdocdir}/rpm/README.md -# Signing macros for Sequoia and GnuPG -install -m 644 %{SOURCE30} %{SOURCE31} $RPM_BUILD_ROOT/%{rpmhome}/macros.d +# Signing macros for Sequoia +install -m 644 %{SOURCE30} $RPM_BUILD_ROOT/%{_defaultdocdir}/rpm/ %pre # Symlink all rpmdb files to the new location if we're still using /var/lib/rpm @@ -591,12 +571,6 @@ fi %{_libdir}/librpmsign.so.%{sover} %{_libdir}/librpmsign.so.%{sover}.* -%files sign-sequoia -%{rpmhome}/macros.d/macros.rpmsign-sequoia - -%files sign-gnupg -%{rpmhome}/macros.d/macros.rpmsign-gnupg - %files build %{_bindir}/rpmbuild %{_bindir}/gendiff @@ -624,6 +598,7 @@ fi %files sign %{_bindir}/rpmsign %{_mandir}/man8/rpmsign.8* +%doc %{_defaultdocdir}/rpm/macros.rpmsign-sequoia %files -n python3-%{name} %dir %{python3_sitearch}/rpm @@ -653,6 +628,10 @@ fi %doc %{_defaultdocdir}/rpm/API/ %changelog +* Wed Dec 04 2024 Panu Matilainen - 4.19.1.1-9 +- Revert the gnupg/sequoia sub-packages, too much headache +- Ship sequoia-signing enablement macros as documentation instead + * Tue Nov 12 2024 Michal Domonkos - 4.19.1.1-8 - Add Sequoia signing support back From 4783f4455ffd058683a0c6bddce74e1b25e26ed1 Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Wed, 4 Dec 2024 12:07:56 +0200 Subject: [PATCH 3/3] Generate binary signatures with Sequoia too Fix an oversight when introducing this: Sequoia defaults to ASCII armor signatures whereas GnuPG defaults to binary signatures. We should create binary signatures with sq too for consistency. Related: RHEL-56363 --- macros.rpmsign-sequoia | 2 +- rpm.spec | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/macros.rpmsign-sequoia b/macros.rpmsign-sequoia index 13d8ece..7476887 100644 --- a/macros.rpmsign-sequoia +++ b/macros.rpmsign-sequoia @@ -21,6 +21,6 @@ %__gpg_sign_cmd %{__gpg} %{__gpg} sign \ %{?_gpg_sign_cmd_extra_args} \ %{?_gpg_name:--signer-key %{_gpg_name}} \ - --detached --output %{shescape:%{?__signature_filename}} \ + --binary --detached --output %{shescape:%{?__signature_filename}} \ %{?__plaintext_filename:-- %{shescape:%{__plaintext_filename}}} diff --git a/rpm.spec b/rpm.spec index 5153625..29a3e59 100644 --- a/rpm.spec +++ b/rpm.spec @@ -631,6 +631,7 @@ fi * Wed Dec 04 2024 Panu Matilainen - 4.19.1.1-9 - Revert the gnupg/sequoia sub-packages, too much headache - Ship sequoia-signing enablement macros as documentation instead +- Generate binary signatures with Sequoia too * Tue Nov 12 2024 Michal Domonkos - 4.19.1.1-8 - Add Sequoia signing support back