Pull PQC crypto to sq

This includes some related fixes from upstream, such as better FIPS
mode integration and fixes to the --password-file CLI.

Resolves: RHEL-85985, RHEL-101905, RHEL-86640

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,3 +1,9 @@
-capnproto-c++-1.0.1.tar.gz
-rust-sequoia-sq-1.3.0-vendor.tar.xz
-sequoia-sq-1.3.0.crate
+/sequoia-sq-0.37.0.crate
+/rust-sequoia-sq-0.37.0-vendor.tar.xz
+/capnproto-c++-1.0.1.tar.gz
+/sequoia-sq-1.1.0.crate
+/rust-sequoia-sq-1.1.0-vendor.tar.xz
+/sequoia-sq-1.3.0.crate
+/rust-sequoia-sq-1.3.0-vendor.tar.xz
+/sequoia-sq-vendor-1.3.1.1.tar.gz
+/sequoia-sq-1.3.1.1.tar.gz

changelog

@@ -0,0 +1,14 @@
+* Tue Feb 15 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.25.0-5
+- Rebuild with package notes
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.25.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.25.0-3
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.25.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Apr 08 2021 Fabio Valentini <decathorpe@gmail.com> - 0.25.0-1
+- Initial package

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

gating.yaml

@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-enabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-enabled-buildroot-disabled.functional}

plans/ci.fmf

@@ -0,0 +1,23 @@
+/fips-disabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/rust-sequoia-sq
+      name: /plans/ci/fips-disabled-buildroot-disabled
+
+/fips-disabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/rust-sequoia-sq
+      name: /plans/ci/fips-disabled-buildroot-enabled
+
+/fips-enabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/rust-sequoia-sq
+      name: /plans/ci/fips-enabled-buildroot-disabled
+
+/fips-enabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/rust-sequoia-sq
+      name: /plans/ci/fips-enabled-buildroot-enabled

rust-sequoia-sq.spec

@@ -1,52 +1,36 @@
-## START: Set by rpmautospec
-## (rpmautospec version 0.6.5)
-## RPMAUTOSPEC: autorelease, autochangelog
-%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 2;
-    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
-    print(release_number + base_release_number - 1);
-}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
-## END: Set by rpmautospec
-
 # Generated by rust2rpm 27
 %bcond check 1
 
 %global crate sequoia-sq
 
 %if 0%{?rhel}
-# RHEL: Use bundled deps as it doesn't ship Rust libraries
-%global bundled_rust_deps 1
 %global __brp_mangle_shebangs_exclude_from ^/usr/src/debug/.*$
-%bcond_without bundled_capnproto
-%else
-# Fedora: Use only system Rust libraries
-%global bundled_rust_deps 0
-%bcond_with bundled_capnproto
 %endif
 
+
 Name:           rust-sequoia-sq
-Version:        1.3.0
+Version:        1.3.1.1
 Release:        %autorelease
 Summary:        Command-line frontends for Sequoia
 
 License:        LGPL-2.0-or-later
 URL:            https://crates.io/crates/sequoia-sq
-Source0:        %{crates_source}
+# The version 1.3.1 upstream + patches from justus/pqc branch
+# Generated using:
+#  git archive --format=tar.gz --prefix sequoia-sq-1.3.1.1/ -o sequoia-sq-1.3.1.1.tar.gz justus/pqc
+Source0:        %{crate}-%{version}.tar.gz
 
 # Generated using cargo-vendor-filterer:
-#   cargo download %%{crate}==%%{version} > %%{crate}-%%{version}.crate
-#   tar xf %%{crate}-%%{version}.crate
-#   cargo update ... # optional, if you want to update specific dependencies
-#   pushd %%{crate}-%%{version}
 #   cargo vendor-filterer --platform x86_64-unknown-linux-gnu \
 #                         --platform powerpc64le-unknown-linux-gnu \
 #                         --platform aarch64-unknown-linux-gnu \
 #                         --platform i686-unknown-linux-gnu \
 #                         --platform s390x-unknown-linux-gnu \
 #                         --all-features
-#   tar -cJf ../rust-%%{crate}-%%{version}-vendor.tar.xz vendor
-Source1:        %{name}-%{version}-vendor.tar.xz
+#   tar -czf ../%%{crate}-vendor-%%{version}.tar.gz vendor
+Source1:        %{crate}-vendor-%{version}.tar.gz
 Source2:        capnproto-c++-1.0.1.tar.gz
+Source3:        vendor.toml
 # Manually created patch for downstream crate metadata changes
 # * switch crypto backend from Nettle to OpenSSL
 # * exclude files that are only useful for upstream development
@@ -54,20 +38,19 @@ Source2:        capnproto-c++-1.0.1.tar.gz
 # * drop features for unsupported crypto backends
 Patch:          sequoia-sq-fix-metadata.diff
 
-%if 0%{?bundled_rust_deps}
+%if 0%{?rhel}
 BuildRequires:  rust-toolset
-# vendored openssl-sys
-BuildRequires:  openssl-devel
-# vendored rustqlite
-BuildRequires:  sqlite-devel
 %else
 BuildRequires:  cargo-rpm-macros >= 24
 %endif
 
-%if %{with bundled_capnproto}
+# vendored openssl-sys
+BuildRequires:  openssl-devel
+# vendored rustqlite
+BuildRequires:  sqlite-devel
+
 BuildRequires:  gcc-c++
 BuildRequires:  cmake >= 3.1
-%endif
 
 %global _description %{expand:
 Command-line frontends for Sequoia.}
@@ -119,59 +102,56 @@ License:        %{shrink:
 %files       -n %{crate}
 %license LICENSE.txt
 %license LICENSE.dependencies
+%license cargo-vendor.txt
 %doc README.md
 %{_bindir}/sq
 %{_mandir}/man1/sq*
+%if 0%{?rhel} > 9
 %{bash_completions_dir}/sq.bash
 %{fish_completions_dir}/sq.fish
 %{zsh_completions_dir}/_sq
-
-%prep
-%autosetup -n %{crate}-%{version} -N %{?bundled_rust_deps:-a1}
-%autopatch -M 99 -p1
-%if 0%{?bundled_rust_deps}
-%cargo_prep -v vendor
-
-# drop broken integration tests
-rm -vr subplot/
-rm -v tests/sq-subplot.rs
-# don't lock the dependencies
-rm -f Cargo.lock
-%else
-%cargo_prep
-# drop broken integration tests
-rm -vr subplot/
-rm -v tests/sq-subplot.rs
-
-%generate_buildrequires
-%cargo_generate_buildrequires
 %endif
 
-%if %{with bundled_capnproto}
+%prep
+%autosetup -n %{crate}-%{version} -N -a1
+%autopatch -M 99 -p1
+%cargo_prep -N
+# include full configuration for vendored dependencies
+cat %{SOURCE3} >> .cargo/config.toml
+
+# drop broken integration tests
+rm -vr subplot/
+rm -v tests/sq-subplot.rs
+
 mkdir -p bundled_capnproto
 pushd bundled_capnproto
 tar --strip-components=1 -xf %{SOURCE2}
 popd
-%endif
 
 %build
 export ASSET_OUT_DIR=target/assets
-%if %{with bundled_capnproto}
 pushd bundled_capnproto
 %cmake -DBUILD_TESTING=OFF
 %cmake_build
 export PATH="$PWD/%{__cmake_builddir}/src/capnp:$PATH"
 popd
-%endif
+
 %cargo_build
 %{cargo_license_summary}
 %{cargo_license} > LICENSE.dependencies
+%{cargo_vendor_manifest}
+# replace un-parseable git snapshot dependency information
+sed 's/\(.*\) (.*#\(.*\))/\1+git\2/' -i cargo-vendor.txt
 
 %install
-%cargo_install
+# for some reason, cargo install does not work
+# with vendored dependncies from git branch
+#%%cargo_install
+install -Dpm 0755 target/rpm/sq -t %{buildroot}/%{_bindir}
 # install manual pages
 mkdir -p %{buildroot}/%{_mandir}/man1
 cp -pav target/assets/man-pages/sq*.1 %{buildroot}/%{_mandir}/man1/
+%if 0%{?rhel} > 9
 # install shell completions
 install -Dpm 0644 target/assets/shell-completions/sq.bash \
     %{buildroot}/%{bash_completions_dir}/sq.bash
@@ -179,6 +159,8 @@ install -Dpm 0644 target/assets/shell-completions/sq.fish \
     %{buildroot}/%{fish_completions_dir}/sq.fish
 install -Dpm 0644 target/assets/shell-completions/_sq \
     %{buildroot}/%{zsh_completions_dir}/_sq
+%endif
+
 
 %if %{with check}
 %check
@@ -186,44 +168,4 @@ install -Dpm 0644 target/assets/shell-completions/_sq \
 %endif
 
 %changelog
-## START: Generated by rpmautospec
-* Thu Mar 27 2025 Jakub Jelen <jjelen@redhat.com> - 1.3.0-2
-- Make installation of shell completions and man pages more robust
-
-* Wed Mar 19 2025 Jakub Jelen <jjelen@redhat.com> - 1.3.0-1
-- Update to 1.3.0
-
-* Tue Jan 14 2025 Fabio Valentini <decathorpe@gmail.com> - 1.1.0-2
-- Stop skipping tests that no longer need to be skipped
-
-* Mon Jan 06 2025 Daiki Ueno <dueno@redhat.com> - 1.1.0-1
-- Update to 1.1.0 upstream release
-
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.37.0-5
-- Bump release for October 2024 mass rebuild:
-
-* Mon Aug 26 2024 Daiki Ueno <dueno@redhat.com> - 0.37.0-4
-- Update vendored openssl, sequoia-openpgp and zerovec crates
-
-* Thu Aug 22 2024 Stanislav Zidek <szidek@redhat.com> - 0.37.0-3
-- initial CI and gating setup
-
-* Tue Aug 20 2024 Daiki Ueno <dueno@redhat.com> - 0.37.0-2
-- Don't compile capnproto in %%prep
-
-* Tue Feb 15 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.25.0-5
-- Rebuild with package notes
-
-* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.25.0-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.25.0-3
-- Rebuilt with OpenSSL 3.0.0
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.25.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Thu Apr 08 2021 Fabio Valentini <decathorpe@gmail.com> - 0.25.0-1
-- Initial package
-
-## END: Generated by rpmautospec
+%autochangelog

rust2rpm.toml

@@ -0,0 +1,39 @@
+[package]
+cargo-toml-patch-comments = [
+    "switch crypto backend from Nettle to OpenSSL",
+    "exclude files that are only useful for upstream development",
+    "drop automated generation of upstream integration tests",
+    "drop features for unsupported crypto backends",
+]
+extra-files = [
+    "%{_mandir}/man1/sq*",
+    "%{bash_completions_dir}/sq.bash",
+    "%{fish_completions_dir}/sq.fish",
+    "%{zsh_completions_dir}/_sq",
+]
+doc-files.exclude = [
+    "sq-subplot.md",
+]
+
+[scripts]
+prep.post = [
+    "# drop broken integration tests",
+    "rm -vr subplot/",
+    "rm -v tests/sq-subplot.rs",
+]
+build.pre = [
+    "export ASSET_OUT_DIR=target/assets",
+]
+install.post = [
+    "# install manual pages",
+    "mkdir -p %{buildroot}/%{_mandir}/man1",
+    "cp -pav target/assets/man-pages/sq*.1 %{buildroot}/%{_mandir}/man1/",
+    "# install shell completions",
+    "install -Dpm 0644 target/assets/shell-completions/sq.bash \\",
+    "    %{buildroot}/%{bash_completions_dir}/sq.bash",
+    "install -Dpm 0644 target/assets/shell-completions/sq.fish \\",
+    "    %{buildroot}/%{fish_completions_dir}/sq.fish",
+    "install -Dpm 0644 target/assets/shell-completions/_sq \\",
+    "    %{buildroot}/%{zsh_completions_dir}/_sq",
+]
+

sequoia-sq-fix-metadata.diff

@@ -1,9 +1,10 @@
---- sequoia-sq-1.3.0/Cargo.toml	1970-01-01T00:00:01+00:00
-+++ sequoia-sq-1.3.0/Cargo.toml	2025-03-08T12:37:34.404402+00:00
-@@ -49,6 +49,12 @@
- ]
+diff -up a/Cargo.toml.orig b/Cargo.toml
+--- a/Cargo.toml.orig	2025-06-19 18:18:08.225290250 +0200
++++ b/Cargo.toml	2025-06-19 18:20:29.142344871 +0200
+@@ -23,6 +23,12 @@ categories = ["cryptography", "authentic
  license = "LGPL-2.0-or-later"
- repository = "https://gitlab.com/sequoia-pgp/sequoia-sq"
+ edition = "2021"
+ rust-version = "1.79"
 +exclude = [
 +    "/deny.toml",
 +    "/Dockerfile",
@@ -11,70 +12,52 @@
 +    "/sq-subplot.md",
 +]
  
- [badges.gitlab]
- repository = "sequoia-pgp/sequoia-sq"
-@@ -57,18 +63,10 @@
- status = "actively-developed"
+ [badges]
+ gitlab = { repository = "sequoia-pgp/sequoia-sq" }
+@@ -66,11 +72,6 @@ termcolor = "1.2.0"
+ textwrap = { version = ">=0.15, <0.17", default-features = false, features = ["smawk", "unicode-width"] }
+ typenum = "1"
  
- [features]
--crypto-botan = ["sequoia-openpgp/crypto-botan"]
--crypto-botan2 = ["sequoia-openpgp/crypto-botan2"]
--crypto-cng = ["sequoia-openpgp/crypto-cng"]
- crypto-nettle = ["sequoia-openpgp/crypto-nettle"]
- crypto-openssl = ["sequoia-openpgp/crypto-openssl"]
- crypto-rust = ["sequoia-openpgp/crypto-rust"]
--default = ["crypto-nettle"]
--subplot = [
--    "culpa",
--    "subplot-build",
--    "subplotlib",
--]
-+default = ["crypto-openssl"]
+-# This is for subplot only.  If you don't enable the subplot feature,
+-# feel free to patch it out.
+-subplotlib = { version = ">=0.11, <0.13", optional = true }
+-culpa = { version = "1", optional = true }
+-
+ [build-dependencies]
+ anyhow = "1.0.18"
+ buffered-reader = { version = "1.4", default-features = false, features = ["compression"] }
+@@ -90,10 +91,6 @@ typenum = "1"
+ cfg-if = "1"
+ terminal_size = ">=0.2.6, <0.5"
  
- [[bin]]
- name = "sq"
-@@ -79,11 +77,6 @@
- name = "integration"
- path = "tests/integration.rs"
+-# This is for subplot only.  If you don't enable the subplot feature,
+-# feel free to patch it out.
+-subplot-build = { version = ">=0.11, <0.13", optional = true }
+-
+ [dev-dependencies]
+ assert_cmd = "2"
+ predicates = ">=2, <4"
+@@ -105,22 +102,13 @@ name = "sq"
+ path = "src/main.rs"
+ bench = false
  
 -[[test]]
 -name = "sq-subplot"
 -path = "tests/sq-subplot.rs"
 -required-features = ["subplot"]
 -
- [dependencies.aho-corasick]
- version = "1"
- 
-@@ -111,10 +104,6 @@
- version = "0.7"
- default-features = false
- 
--[dependencies.culpa]
--version = "1"
--optional = true
--
- [dependencies.dirs]
- version = "5"
- 
-@@ -192,10 +181,6 @@
- [dependencies.serde]
- version = "1.0.137"
- features = ["derive"]
--
--[dependencies.subplotlib]
--version = ">=0.11, <0.13"
--optional = true
- 
- [dependencies.tempfile]
- version = "3.1"
-@@ -298,10 +283,6 @@
- version = "1.0.137"
- features = ["derive"]
- 
--[build-dependencies.subplot-build]
--version = ">=0.11, <0.13"
--optional = true
--
- [build-dependencies.terminal_size]
- version = ">=0.2.6, <0.5"
+ [features]
+ default = [
+-    "crypto-nettle",
++    "crypto-openssl",
+ ]
+ crypto-nettle = ["sequoia-openpgp/crypto-nettle"]
+ crypto-openssl = ["sequoia-openpgp/crypto-openssl"]
+-crypto-botan = ["sequoia-openpgp/crypto-botan"]
+-crypto-botan2 = ["sequoia-openpgp/crypto-botan2"]
+-crypto-cng = ["sequoia-openpgp/crypto-cng"]
+ crypto-rust = ["sequoia-openpgp/crypto-rust"]
+-subplot = ["culpa", "subplot-build", "subplotlib"]
  
+ [profile.release]
+ debug = true

sources

@@ -1,3 +1,3 @@
+SHA512 (sequoia-sq-vendor-1.3.1.1.tar.gz) = 7e23b5466f8b951b4324c64d5a04807d5d2865d80b11c9be52ea48564984378e69501e8d67f387fa66bef0a874bb1588f31be63423a3f5ad2f04632f737e2fd8
+SHA512 (sequoia-sq-1.3.1.1.tar.gz) = 652549f83aba9e3dbe95b9bf16824e1bd0ac12922a14b5d5c78af88da6d333ea43b7f1922a1c12d4b4ccf659c7e2f731c1ad2fb42c91410f17fbb6a3e4d779bc
 SHA512 (capnproto-c++-1.0.1.tar.gz) = c60291f433eea15a51e480e1679a4b9b3b5e67edebc445e371a7a32fce6ec5a7e4b440b17b2adc0565519ec369e3dae8ea727ae790a082a53ecd0d245b5275a9
-SHA512 (rust-sequoia-sq-1.3.0-vendor.tar.xz) = 2af724ef29cb9fc5faf4e0488b29285d74b3bbc23288536fc1aeeaba705beb483ab90dd941ff0b7881cf6b9da146e411f5541d675a2053eedb03386747e4d2cf
-SHA512 (sequoia-sq-1.3.0.crate) = b4e6822aa717a790278a6e4f5afe287214e5777bdfac42882629834ef6b10ae20ac37086823aa01edc69f4a5f094f429671849871e64027473cfb5f297133082

vendor.toml

@@ -0,0 +1,21 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/teythoon/rust-openssl?branch=justus/pqc"]
+git = "https://github.com/teythoon/rust-openssl"
+branch = "justus/pqc"
+replace-with = "vendored-sources"
+
+[source."git+https://gitlab.com/sequoia-pgp/sequoia-policy-config?branch=justus/pqc"]
+git = "https://gitlab.com/sequoia-pgp/sequoia-policy-config"
+branch = "justus/pqc"
+replace-with = "vendored-sources"
+
+[source."git+https://gitlab.com/sequoia-pgp/sequoia?branch=justus/pqc"]
+git = "https://gitlab.com/sequoia-pgp/sequoia"
+branch = "justus/pqc"
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
+