rpms/softhsm
7
0
Fork 0
Code Issues Pull Requests Releases Activity
8aed476722
softhsm/softhsm.spec
Nikos Mavrogiannopoulos 8aed476722 use the sticky bit on %{_sharedstatedir}/softhsm/tokens 
That allows users in the group ods to save their keys in the shared
directory, without being them writable by other users in the group.
2017-06-27 08:07:09 +02:00

236 lines
8.7 KiB
RPMSpec
Raw Blame History

#global prever rc1
Summary: Software version of a PKCS#11 Hardware Security Module
Name: softhsm
Version: 2.2.0
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
License: BSD
Url: http://www.opendnssec.org/
Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz
Source1: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz.sig
# taken from coolkey which is not build on all arches we build on
Source3: softhsm2-pk11install.c
Patch0: softhsm-v2.2.0-no-stderr.patch
Group: Applications/System
BuildRequires: openssl-devel >= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel
BuildRequires: gcc-c++, pkgconfig, p11-kit-devel, nss-devel
Requires(pre): shadow-utils
Requires: p11-kit, nss-tools
Requires: openssl-libs >= 1.0.1k-6
%global _hardened_build 1
%global softhsm_module "SoftHSM PKCS #11 Module"
%global nssdb %{_sysconfdir}/pki/nssdb
%description
OpenDNSSEC is providing a software implementation of a generic
cryptographic device with a PKCS#11 interface, the SoftHSM. SoftHSM is
designed to meet the requirements of OpenDNSSEC, but can also work together
with other cryptographic products because of the PKCS#11 interface.
%package devel
Summary: Development package of softhsm that includes the header files
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}, openssl-devel, sqlite-devel
%if 0%{?prever:1}
BuildRequires: autoconf, libtool, automake
%endif
%description devel
The devel package contains the libsofthsm include files
%prep
%setup -q -n %{name}-%{version}%{?prever}
%patch0 -p1
%if 0%{?prever:1}
autoreconf -fiv
%endif
# remove softhsm/ subdir auto-added to --libdir
sed -i "s:full_libdir/softhsm:full_libdir:g" configure
%if 0%{?prever:1}
sed -i 's:^full_libdir=":#full_libdir=":g' configure.ac
%endif
sed -i "s:libdir)/@PACKAGE@:libdir):" Makefile.in
%build
%configure --libdir=%{_libdir}/pkcs11 --with-openssl=%{_prefix} --enable-ecc --disable-gost \
--with-migrate --enable-visibility --with-p11-kit=%{_datadir}/p11-kit/modules/
make %{?_smp_mflags}
# install our copy of pk11install taken from coolkey package
cp %{SOURCE3} .
gcc $(pkg-config --cflags nss) %{optflags} -c softhsm2-pk11install.c
gcc $(pkg-config --libs nss) -lpthread -lsoftokn3 -ldl -lz %{optflags} softhsm2-pk11install.o -o softhsm2-pk11install
%check
# skip while cppunit is broken
#make check
%install
rm -rf %{buildroot}
make DESTDIR=%{buildroot} install
rm %{buildroot}/%{_sysconfdir}/softhsm2.conf.sample
rm -f %{buildroot}/%{_libdir}/pkcs11/*a
mkdir -p %{buildroot}%{_includedir}/softhsm
cp src/lib/*.h %{buildroot}%{_includedir}/softhsm
mkdir -p %{buildroot}/%{_sharedstatedir}/softhsm/tokens
install -m0755 -D softhsm2-pk11install %{buildroot}/%{_bindir}/softhsm2-pk11install
# leave a softlink where softhsm-1 installed its library. Programs like
# opendnssec have that filename in their configuration file.
mkdir -p %{buildroot}/%{_libdir}/softhsm/
ln -s ../pkcs11/libsofthsm2.so %{buildroot}/%{_libdir}/softhsm/libsofthsm.so
# rhbz#1272423 NSS needs it to be in the search path too
( cd %{buildroot}/%{_libdir} ; ln -s pkcs11/libsofthsm2.so)
%files
%config(noreplace) %{_sysconfdir}/softhsm2.conf
%{_bindir}/*
%dir %{_libdir}/softhsm
%{_libdir}/pkcs11/libsofthsm2.so
%{_libdir}/libsofthsm2.so
%{_libdir}/softhsm/libsofthsm.so
%attr(0664,root,root) %{_datadir}/p11-kit/modules/softhsm2.module
%attr(0750,ods,ods) %dir %{_sharedstatedir}/softhsm
%attr(1770,ods,ods) %dir %{_sharedstatedir}/softhsm/tokens
%doc LICENSE README.md NEWS
%{_mandir}/*/*
%files devel
%attr(0755,root,root) %dir %{_includedir}/softhsm
%{_includedir}/softhsm/*.h
%pre
getent group ods >/dev/null || groupadd -r ods
getent passwd ods >/dev/null || \
useradd -r -g ods -d %{_sharedstatedir}/softhsm -s /sbin/nologin \
-c "softhsm private keys owner" ods
exit 0
%post
isThere=`modutil -rawlist -dbdir %{nssdb} | grep %{softhsm_module} || echo NO`
if [ "$isThere" == "NO" ]; then
softhsm2-pk11install -p %{nssdb} 'name=%{softhsm_module} library=libsofthsm2.so'
fi
if [ $1 -eq 0 ]; then
modutil -delete %{softhsm_module} -dbdir %{nssdb} -force || :
fi
%triggerpostun -- softhsm < 2.0.0
if [ -f /var/softhsm/slot0.db ]; then
runuser -g ods ods -c 'softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0' || :
fi
%changelog
* Thu Jun 22 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 2.2.0-1
- Rebased to latest upstream release
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Sep 23 2016 Paul Wouters <pwouters@redhat.com> - 2.1.0-2
- Resolves: rhbz#1378800 Module cleanup crash
* Mon May 16 2016 Paul Wouters <pwouters@redhat.com> - 2.1.0-1
- Resolves: rhbz#1244461 Updated to 2.1.0
- Resolves: rhbz#1272423 Softhsm PKCS#11 module not visible to NSS becasue it is not in the search path
- Resolves: rhbz#1177086 A marked as trusted certificate cannot be written in a softhsmv2 db
- Resolves: rhbz#1272453 - A marked as CA certificate cannot be written in a softhsmv2 db
- Removed merged in bug#162 patch
- Temporarily disable make check because cppunit is broken
* Thu Feb 25 2016 Paul Wouters <pwouters@redhat.com> - 2.0.0-2
- Resolves: rhbz#1272453 A marked as CA certificate cannot be written in a softhsmv2 db
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Sep 02 2015 Paul Wouters <pwouters@redhat.com> - 2.0.0-1
- Resolves: rhbz#1244461 Update to softhsm-2.0.0
- Resolves: rhbz#1177086 A marked as trusted certificate cannot be written in a softhsmv2 db
- Resolves: rhbz#1159827 Typo in homedir in /etc/passwd
- Added global prever to toggle snapshot vs full release build changes
* Fri Jun 26 2015 Petr Spacek <pspacek@redhat.com> - 2.0.0rc1-3
- Add dependency on OpenSSL with fixed AES wrapping support
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.0rc1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Jun 01 2015 Petr Spacek <pspacek@redhat.com> - 2.0.0rc1-1
- Rebase to latest upstream release
* Sat May 02 2015 Kalev Lember <kalevlember@gmail.com> - 2.0.0b1-4
- Rebuilt for GCC 5 C++11 ABI change
* Tue Sep 30 2014 Paul Wouters <pwouters@redhat.com> - 2.0.0b1-3
- Add support for CKM_RSA_PKCS_OAEP key un/wrapping [Petr Spacek]
- Use OpenSSL EVP interface for AES key wrapping [Petr Spacek]
- Fix softhsm2-pk11install buid and post call
- Do not use --with-objectstore-backend-db (causes issues on i686)
- Change install directory to /usr/lib*/pkcs11/
- Install pkcs11 module file
- Use official upstream tar ball
- Create ods user to own softhsm/token files
- Enable migration tools (for softhsm-v1 installs)
- Add softlink for softhsm-v1 .so (needed for opendnssec's conf.xml)
- Require p11-kit, nss-tools, for SoftHSM PKCS #11 Module file
- Copy pk11install.c from coolkey package
- Enable hardened build
- Add upstream official source url
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Apr 18 2014 Paul Wouters <pwouters@redhat.com> - 1.3.6-1
- Updated to 1.3.6 (rhbz#1070196)
- Provide a p11-kit module file (rhbz#1085327)
* Sun Nov 03 2013 Paul Wouters <pwouters@redhat.com> - 1.3.5-1
- Updated to 1.3.5 (rhbz#987721)
* Tue Jul 30 2013 Paul Wouters <pwouters@redhat.com> - 1.3.3-4
- Rebuilt for new botan - requires --with-botan argument
* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon Jun 04 2012 Paul Wouters <pwouters@redhat.com> - 1.3.3-1
- Updated to 1.3.3
* Tue Apr 03 2012 Paul Wouters <pwouters@redhat.com> - 1.3.2-1
- Updated to 1.3.2.
- Changed user from opendnssec to ods, as used in the opendnssec package
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Thu Oct 27 2011 Paul Wouters <paul@xelerance.com> - 1.3.0-3
- Initial Fedora package
- Do not install the .a file
- Use a separate "opendnssec" user to own /var/sofhsm
* Tue Oct 25 2011 Paul Wouters <paul@xelerance.com> - 1.3.0-2
- Fix description texts w.r.t. include files
* Wed Oct 05 2011 Paul Wouters <paul@xelerance.com> - 1.3.0-1
- Upgraded to 1.3.0
* Thu Mar 3 2011 Paul Wouters <paul@xelerance.com> - 1.2.0-1
- Initial package for Fedora
Reference in New Issue View Git Blame Copy Permalink