From e94e7db12f2173524ebba3eb3758544c6228130f Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 4 Jul 2025 11:52:29 +0200 Subject: [PATCH] Pull PQC crypto to sq This includes some related fixes from upstream, such as better FIPS mode integration and fixes to the --password-file CLI. Resolves: RHEL-85985, RHEL-101905, RHEL-86640 --- .gitignore | 2 + rust-sequoia-sq.spec | 86 +++++++++++++-------------- sequoia-sq-fix-metadata.diff | 109 +++++++++++++++-------------------- sources | 4 +- vendor.toml | 21 +++++++ 5 files changed, 110 insertions(+), 112 deletions(-) create mode 100644 vendor.toml diff --git a/.gitignore b/.gitignore index a9cc472..7c9a87b 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,5 @@ /rust-sequoia-sq-1.1.0-vendor.tar.xz /sequoia-sq-1.3.0.crate /rust-sequoia-sq-1.3.0-vendor.tar.xz +/sequoia-sq-vendor-1.3.1.1.tar.gz +/sequoia-sq-1.3.1.1.tar.gz diff --git a/rust-sequoia-sq.spec b/rust-sequoia-sq.spec index f5c0c3d..2f91d2c 100644 --- a/rust-sequoia-sq.spec +++ b/rust-sequoia-sq.spec 
@@ -4,39 +4,33 @@ %global crate sequoia-sq %if 0%{?rhel} -# RHEL: Use bundled deps as it doesn't ship Rust libraries -%global bundled_rust_deps 1 %global __brp_mangle_shebangs_exclude_from ^/usr/src/debug/.*$ -%bcond_without bundled_capnproto -%else -# Fedora: Use only system Rust libraries -%global bundled_rust_deps 0 -%bcond_with bundled_capnproto %endif + Name: rust-sequoia-sq -Version: 1.3.0 +Version: 1.3.1.1 Release: %autorelease Summary: Command-line frontends for Sequoia License: LGPL-2.0-or-later URL: https://crates.io/crates/sequoia-sq -Source0: %{crates_source} +# The version 1.3.1 upstream + patches from justus/pqc branch +# Generated using: +# git archive --format=tar.gz --prefix sequoia-sq-1.3.1.1/ -o sequoia-sq-1.3.1.1.tar.gz justus/pqc +Source0: %{crate}-%{version}.tar.gz # Generated using cargo-vendor-filterer: -# cargo download %%{crate}==%%{version} > %%{crate}-%%{version}.crate -# tar xf %%{crate}-%%{version}.crate -# cargo update ... # optional, if you want to update specific dependencies -# pushd %%{crate}-%%{version} # cargo vendor-filterer --platform x86_64-unknown-linux-gnu \ # --platform powerpc64le-unknown-linux-gnu \ # --platform aarch64-unknown-linux-gnu \ # --platform i686-unknown-linux-gnu \ # --platform s390x-unknown-linux-gnu \ # --all-features -# tar -cJf ../rust-%%{crate}-%%{version}-vendor.tar.xz vendor -Source1: %{name}-%{version}-vendor.tar.xz +# tar -czf ../%%{crate}-vendor-%%{version}.tar.gz vendor +Source1: %{crate}-vendor-%{version}.tar.gz Source2: capnproto-c++-1.0.1.tar.gz +Source3: vendor.toml # Manually created patch for downstream crate metadata changes # * switch crypto backend from Nettle to OpenSSL # * exclude files that are only useful for upstream development 
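Review bot: The new Source0 comment uses the mutable branch `justus/pqc` as the archive ref and does not name the repository it was run in, so the commit packaged as 1.3.1.1 cannot be re-derived or audited from the spec. The SHA512 entries in `sources` are then the only pin on what was built. Record the resolved commit in the comment, e.g. `# git archive --format=tar.gz --prefix sequoia-sq-1.3.1.1/ -o sequoia-sq-1.3.1.1.tar.gz <commit-sha>  # tip of justus/pqc in <repo-url>`. The same gap applies to the three `branch = "justus/pqc"` sources in the new vendor.toml. Their `git`/`branch` fields presumably have to mirror the upstream dependency declarations, so a comment listing the vendored commit ids is the practical place to record them.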
@@ -44,20 +38,19 @@ Source2: capnproto-c++-1.0.1.tar.gz # * drop features for unsupported crypto backends Patch: sequoia-sq-fix-metadata.diff -%if 0%{?bundled_rust_deps} +%if 0%{?rhel} BuildRequires: rust-toolset -# vendored openssl-sys -BuildRequires: openssl-devel -# vendored rustqlite -BuildRequires: sqlite-devel %else BuildRequires: cargo-rpm-macros >= 24 %endif -%if %{with bundled_capnproto} +# vendored openssl-sys +BuildRequires: openssl-devel +# vendored rustqlite +BuildRequires: sqlite-devel + BuildRequires: gcc-c++ BuildRequires: cmake >= 3.1 -%endif %global _description %{expand: Command-line frontends for Sequoia.} 
@@ -109,59 +102,56 @@ License: %{shrink: %files -n %{crate} %license LICENSE.txt %license LICENSE.dependencies +%license cargo-vendor.txt %doc README.md %{_bindir}/sq %{_mandir}/man1/sq* +%if 0%{?rhel} > 9 %{bash_completions_dir}/sq.bash %{fish_completions_dir}/sq.fish %{zsh_completions_dir}/_sq - -%prep -%autosetup -n %{crate}-%{version} -N %{?bundled_rust_deps:-a1} -%autopatch -M 99 -p1 -%if 0%{?bundled_rust_deps} -%cargo_prep -v vendor - -# drop broken integration tests -rm -vr subplot/ -rm -v tests/sq-subplot.rs -# don't lock the dependencies -rm -f Cargo.lock -%else -%cargo_prep -# drop broken integration tests -rm -vr subplot/ -rm -v tests/sq-subplot.rs - -%generate_buildrequires -%cargo_generate_buildrequires %endif -%if %{with bundled_capnproto} +%prep +%autosetup -n %{crate}-%{version} -N -a1 +%autopatch -M 99 -p1 +%cargo_prep -N +# include full configuration for vendored dependencies +cat %{SOURCE3} >> .cargo/config.toml + +# drop broken integration tests +rm -vr subplot/ +rm -v tests/sq-subplot.rs + mkdir -p bundled_capnproto pushd bundled_capnproto tar --strip-components=1 -xf %{SOURCE2} popd -%endif %build export ASSET_OUT_DIR=target/assets -%if %{with bundled_capnproto} pushd bundled_capnproto %cmake -DBUILD_TESTING=OFF %cmake_build export PATH="$PWD/%{__cmake_builddir}/src/capnp:$PATH" popd -%endif + %cargo_build %{cargo_license_summary} %{cargo_license} > LICENSE.dependencies +%{cargo_vendor_manifest} +# replace un-parseable git snapshot dependency information +sed 's/\(.*\) (.*#\(.*\))/\1+git\2/' -i cargo-vendor.txt %install -%cargo_install +# for some reason, cargo install does not work +# with vendored dependncies from git branch +#%%cargo_install +install -Dpm 0755 target/rpm/sq -t %{buildroot}/%{_bindir} # install manual pages mkdir -p %{buildroot}/%{_mandir}/man1 cp -pav target/assets/man-pages/sq*.1 %{buildroot}/%{_mandir}/man1/ +%if 0%{?rhel} > 9 # install shell completions install -Dpm 0644 target/assets/shell-completions/sq.bash \ 
%{buildroot}/%{bash_completions_dir}/sq.bash @@ -169,6 +159,8 @@ install -Dpm 0644 target/assets/shell-completions/sq.fish \ %{buildroot}/%{fish_completions_dir}/sq.fish install -Dpm 0644 target/assets/shell-completions/_sq \ %{buildroot}/%{zsh_completions_dir}/_sq +%endif + %if %{with check} %check diff --git a/sequoia-sq-fix-metadata.diff b/sequoia-sq-fix-metadata.diff index 1e93560..21b6e22 100644 --- a/sequoia-sq-fix-metadata.diff +++ b/sequoia-sq-fix-metadata.diff @@ -1,9 +1,10 @@ ---- sequoia-sq-1.3.0/Cargo.toml 1970-01-01T00:00:01+00:00 -+++ sequoia-sq-1.3.0/Cargo.toml 2025-03-08T12:37:34.404402+00:00 -@@ -49,6 +49,12 @@ - ] +diff -up a/Cargo.toml.orig b/Cargo.toml +--- a/Cargo.toml.orig 2025-06-19 18:18:08.225290250 +0200 ++++ b/Cargo.toml 2025-06-19 18:20:29.142344871 +0200 +@@ -23,6 +23,12 @@ categories = ["cryptography", "authentic license = "LGPL-2.0-or-later" - repository = "https://gitlab.com/sequoia-pgp/sequoia-sq" + edition = "2021" + rust-version = "1.79" +exclude = [ + "/deny.toml", + "/Dockerfile", 
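Review bot: The comment above the new `install -Dpm 0755 target/rpm/sq -t %{buildroot}/%{_bindir}` line in %install says `%cargo_install` does not work "for some reason", so a later maintainer cannot tell when the workaround can be dropped. State the observed failure and a tracker reference instead, e.g. `# %%cargo_install fails with the git-branch sources from vendor.toml (<error text>, see <issue-ref>); install the built binary directly`. Also fix the spelling of "dependncies" in that comment. The hunk starts at `%files -n %{crate}`; this point concerns only its %install part.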
@@ -11,70 +12,52 @@ + "/sq-subplot.md", +] - [badges.gitlab] - repository = "sequoia-pgp/sequoia-sq" -@@ -57,18 +63,10 @@ - status = "actively-developed" + [badges] + gitlab = { repository = "sequoia-pgp/sequoia-sq" } +@@ -66,11 +72,6 @@ termcolor = "1.2.0" + textwrap = { version = ">=0.15, <0.17", default-features = false, features = ["smawk", "unicode-width"] } + typenum = "1" - [features] --crypto-botan = ["sequoia-openpgp/crypto-botan"] --crypto-botan2 = ["sequoia-openpgp/crypto-botan2"] --crypto-cng = ["sequoia-openpgp/crypto-cng"] - crypto-nettle = ["sequoia-openpgp/crypto-nettle"] - crypto-openssl = ["sequoia-openpgp/crypto-openssl"] - crypto-rust = ["sequoia-openpgp/crypto-rust"] --default = ["crypto-nettle"] --subplot = [ -- "culpa", -- "subplot-build", -- "subplotlib", --] -+default = ["crypto-openssl"] +-# This is for subplot only. If you don't enable the subplot feature, +-# feel free to patch it out. +-subplotlib = { version = ">=0.11, <0.13", optional = true } +-culpa = { version = "1", optional = true } +- + [build-dependencies] + anyhow = "1.0.18" + buffered-reader = { version = "1.4", default-features = false, features = ["compression"] } +@@ -90,10 +91,6 @@ typenum = "1" + cfg-if = "1" + terminal_size = ">=0.2.6, <0.5" - [[bin]] - name = "sq" -@@ -79,11 +77,6 @@ - name = "integration" - path = "tests/integration.rs" +-# This is for subplot only. If you don't enable the subplot feature, +-# feel free to patch it out. 
+-subplot-build = { version = ">=0.11, <0.13", optional = true } +- + [dev-dependencies] + assert_cmd = "2" + predicates = ">=2, <4" +@@ -105,22 +102,13 @@ name = "sq" + path = "src/main.rs" + bench = false -[[test]] -name = "sq-subplot" -path = "tests/sq-subplot.rs" -required-features = ["subplot"] - - [dependencies.aho-corasick] - version = "1" - -@@ -111,10 +104,6 @@ - version = "0.7" - default-features = false - --[dependencies.culpa] --version = "1" --optional = true -- - [dependencies.dirs] - version = "5" - -@@ -192,10 +181,6 @@ - [dependencies.serde] - version = "1.0.137" - features = ["derive"] -- --[dependencies.subplotlib] --version = ">=0.11, <0.13" --optional = true - - [dependencies.tempfile] - version = "3.1" -@@ -298,10 +283,6 @@ - version = "1.0.137" - features = ["derive"] - --[build-dependencies.subplot-build] --version = ">=0.11, <0.13" --optional = true -- - [build-dependencies.terminal_size] - version = ">=0.2.6, <0.5" + [features] + default = [ +- "crypto-nettle", ++ "crypto-openssl", + ] + crypto-nettle = ["sequoia-openpgp/crypto-nettle"] + crypto-openssl = ["sequoia-openpgp/crypto-openssl"] +-crypto-botan = ["sequoia-openpgp/crypto-botan"] +-crypto-botan2 = ["sequoia-openpgp/crypto-botan2"] +-crypto-cng = ["sequoia-openpgp/crypto-cng"] + crypto-rust = ["sequoia-openpgp/crypto-rust"] +-subplot = ["culpa", "subplot-build", "subplotlib"] + [profile.release] + debug = true diff --git a/sources b/sources index 34072f3..3253e4b 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (sequoia-sq-1.3.0.crate) = b4e6822aa717a790278a6e4f5afe287214e5777bdfac42882629834ef6b10ae20ac37086823aa01edc69f4a5f094f429671849871e64027473cfb5f297133082
-SHA512 (rust-sequoia-sq-1.3.0-vendor.tar.xz) = 2af724ef29cb9fc5faf4e0488b29285d74b3bbc23288536fc1aeeaba705beb483ab90dd941ff0b7881cf6b9da146e411f5541d675a2053eedb03386747e4d2cf
+SHA512 (sequoia-sq-vendor-1.3.1.1.tar.gz) = 7e23b5466f8b951b4324c64d5a04807d5d2865d80b11c9be52ea48564984378e69501e8d67f387fa66bef0a874bb1588f31be63423a3f5ad2f04632f737e2fd8
+SHA512 (sequoia-sq-1.3.1.1.tar.gz) = 652549f83aba9e3dbe95b9bf16824e1bd0ac12922a14b5d5c78af88da6d333ea43b7f1922a1c12d4b4ccf659c7e2f731c1ad2fb42c91410f17fbb6a3e4d779bc
 SHA512 (capnproto-c++-1.0.1.tar.gz) = c60291f433eea15a51e480e1679a4b9b3b5e67edebc445e371a7a32fce6ec5a7e4b440b17b2adc0565519ec369e3dae8ea727ae790a082a53ecd0d245b5275a9
diff --git a/vendor.toml b/vendor.toml
new file mode 100644
index 0000000..8333382
--- /dev/null
+++ b/vendor.toml
@@ -0,0 +1,21 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/teythoon/rust-openssl?branch=justus/pqc"]
+git = "https://github.com/teythoon/rust-openssl"
+branch = "justus/pqc"
+replace-with = "vendored-sources"
+
+[source."git+https://gitlab.com/sequoia-pgp/sequoia-policy-config?branch=justus/pqc"]
+git = "https://gitlab.com/sequoia-pgp/sequoia-policy-config"
+branch = "justus/pqc"
+replace-with = "vendored-sources"
+
+[source."git+https://gitlab.com/sequoia-pgp/sequoia?branch=justus/pqc"]
+git = "https://gitlab.com/sequoia-pgp/sequoia"
+branch = "justus/pqc"
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
+
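Review bot: vendor.toml has no comment explaining why the OpenSSL bindings come from a personal fork, `https://github.com/teythoon/rust-openssl`, rather than a released crate, or when that can be reverted. Someone triaging an advisory against the upstream crate needs to know that the vendored code is a fork snapshot and which condition ends the deviation. A short header would cover it, for example `# PQC support is not yet in released rust-openssl / sequoia crates; drop these git sources once upstream releases include it (<tracker-ref>)`. The header could also say that the spec appends this file to `.cargo/config.toml` in %prep, since nothing in the file itself indicates how it is consumed.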