diff --git a/bind.spec b/bind.spec index d10e7ff..5745128 100644 --- a/bind.spec +++ b/bind.spec @@ -7,9 +7,6 @@ # bcond_with is built only when --with X is passed to build %bcond_with SYSTEMTEST %bcond_without GSSTSIG -# it is not possible to build the package without PKCS11 sub-package -# due to extensive changes to Makefiles -%bcond_with PKCS11 # TODO: Remove %bcond_without JSON # FIXME: Not ready. Should it be worked on? %bcond_without DLZ @@ -92,7 +89,6 @@ Source42: generate-rndc-key.sh Source43: named.rwtab Source44: named-chroot-setup.service Source46: named-setup-rndc.service -Source47: named-pkcs11.service Source48: setup-named-softhsm.sh Source49: named-chroot.files @@ -111,6 +107,7 @@ Requires(post): grep Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: %{name}-utils %{name}-dnssec-utils %upname_compat %{upname} +Obsoletes: %{name}-pkcs11 < 32:9.18.4-2 BuildRequires: gcc, make BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel @@ -131,7 +128,7 @@ BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d # make unit dependencies BuildRequires: libcmocka-devel %endif -%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST}) +%if %{with UNITTEST} || %{with SYSTEMTEST} BuildRequires: softhsm %endif %if %{with SYSTEMTEST} 
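Review bot: The `Obsoletes: %{name}-pkcs11 < 32:9.18.4-2` added to the main package in the `-111,6` hunk removes bind-pkcs11 on upgrade, but nothing visible in this diff carries over a host that had `named-pkcs11.service` enabled. The unit file and its scriptlets are deleted later in the patch, so such a host would presumably finish the upgrade with no name server enabled until someone enables `named.service` by hand. I would record that above the new line, e.g. `# named-pkcs11.service is gone; hosts that enabled it must enable named.service after upgrade`, and consider a trigger scriptlet on the old package that transfers the enabled state.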
@@ -175,60 +172,12 @@ which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. -%if %{with PKCS11} -%package pkcs11 -Summary: Bind with native PKCS#11 functionality for crypto -Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} -Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} -Recommends: softhsm - -%description pkcs11 -This is a version of BIND server built with native PKCS#11 functionality. -It is important to have SoftHSM v2+ installed and some token initialized. -For other supported HSM modules please check the BIND documentation. - -# TODO: Those utils can be used also without pkcs11 variant, but are not? -%package pkcs11-utils -Summary: Bind tools with native PKCS#11 for using DNSSEC -Obsoletes: %{name}-pkcs11 < 32:9.9.4-16.P2 -Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release} -%if %{with PKCS11} -Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} -%endif - -%description pkcs11-utils -This is a set of PKCS#11 utilities that when used together create rsa -keys in a PKCS11 keystore. -%if %{with PKCS11} -Also utilities for working with DNSSEC -compiled with native PKCS#11 functionality are included. -%endif - -%package pkcs11-libs -Summary: Bind libraries compiled with native PKCS#11 -Requires: %{name}-license = %{epoch}:%{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} - -%description pkcs11-libs -This is a set of BIND libraries (dns, isc) compiled with native PKCS#11 -functionality. 
- -%package pkcs11-devel -Summary: Development files for Bind libraries compiled with native PKCS#11 -Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} -Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release} - -%description pkcs11-devel -This a set of development files for BIND libraries (dns, isc) compiled -with native PKCS#11 functionality. -%endif - %package libs Summary: Libraries used by the BIND DNS packages Requires: %{name}-license = %{epoch}:%{version}-%{release} Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release} Obsoletes: %{name}-libs-lite < 32:9.16.13 +Obsoletes: %{name}-pkcs11-libs < 32:9.18.4-2 %description libs Contains heavyweight version of BIND suite libraries used by both named DNS @@ -246,6 +195,7 @@ Summary: Utilities for querying DNS name servers Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} # For compatibility with Debian package Provides: dnsutils = %{epoch}:%{version}-%{release} +Obsoletes: %{name}-pkcs11-utils < 32:9.18.4-2 %upname_compat %{upname}-utils %description utils @@ -262,8 +212,8 @@ servers. Summary: DNSSEC keys and zones management utilities Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Recommends: %{name}-utils -Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release} Obsoletes: python3-%{name} < 32:9.18.0 +Obsoletes: %{name}-dnssec-doc < 32:9.18.4 %upname_compat %{upname}-dnssec-utils %description dnssec-utils 
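Review bot: The `-175,60` hunk deletes four subpackages, but this diff adds an `Obsoletes` for only three of them (pkcs11, pkcs11-libs, pkcs11-utils) and none for pkcs11-devel. The removed lines show pkcs11-devel requiring `%{name}-pkcs11-libs` at the exact epoch:version-release, so a host with it installed would likely hit a dependency error when bind-libs obsoletes pkcs11-libs. That can hold the whole bind update back, including later security fixes. Unless it is handled in a part of `%package devel` outside these hunks, add `Obsoletes: %{name}-pkcs11-devel < 32:9.18.4-2` there.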
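Review bot: In the `-262,8` hunk, `Obsoletes: %{name}-dnssec-doc < 32:9.18.4` has no release, unlike the other Obsoletes in this commit, which use `32:9.18.4-2`. RPM ignores the release when one side of the comparison omits it, so a dnssec-doc at 9.18.4-1 compares equal and is not obsoleted; the changelog shows that build existed, and the subpackage is only removed in this commit. The leftover package would pin `%{name}-license` to the old release, and its man pages would conflict with the ones dnssec-utils now owns. Write it as `Obsoletes: %{name}-dnssec-doc < 32:9.18.4-2`.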
@@ -274,14 +224,6 @@ revocation and verification of keys and DNSSEC signatures in zone files. You should install %{name}-dnssec-utils if you need to sign a DNS zone or maintain keys for it. -%package dnssec-doc -Summary: Manual pages of DNSSEC utilities -Requires: %{name}-license = %{epoch}:%{version}-%{release} -BuildArch:noarch - -%description dnssec-doc -%{name}-dnssec-doc contains manual pages for %{name}-dnssec-utils. - %package devel Summary: Header files and libraries needed for bind-dyndb-ldap Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release} @@ -441,10 +383,6 @@ export LIBDIR_SUFFIX %if %{with GEOIP2} --with-maxminddb \ %endif -%if %{with PKCS11} - --enable-native-pkcs11 \ - --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \ -%endif %if %{with GSSTSIG} --with-gssapi=yes \ %endif @@ -499,7 +437,7 @@ popd # build %systemtest_prepare_build build %check -%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST}) +%if %{with UNITTEST} || %{with SYSTEMTEST} # Tests require initialization of pkcs11 token eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")" %endif @@ -594,17 +532,11 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir} install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir} -%if %{with PKCS11} -install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir} -%endif - mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir} install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh -%if %{with PKCS11} install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh -%endif install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig 
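Review bot: `setup-named-softhsm.sh` is now installed unconditionally in the `-594,17` hunk and listed under the main package's `%files` in the `-859,6` hunk, but the `Recommends: softhsm` carried by the removed pkcs11 subpackage is not moved anywhere in this diff. If the script calls the SoftHSM tools, as its name suggests, it will fail on a default install. Either add `Recommends: softhsm` to the main package or say why it is left out, e.g. `# helper for an optional SoftHSM token; softhsm is deliberately not pulled in`.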
@@ -639,22 +571,6 @@ popd # Remove libtool .la files: find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; -# PKCS11 versions manpages -%if %{with PKCS11} -pushd ${RPM_BUILD_ROOT}%{_mandir}/man8 -ln -s named.8.gz named-pkcs11.8.gz -ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz -ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz -ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz -ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz -ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz -ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz -ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz -ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz -ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz -popd -%endif - # 9.16.4 installs even manual pages for tools not generated %if %{without DNSTAP} rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true @@ -770,20 +686,6 @@ fi # Package upgrade, not uninstall %systemd_postun_with_restart named.service -%if %{with PKCS11} -%post pkcs11 -# Initial installation -%systemd_post named-pkcs11.service - -%preun pkcs11 -# Package removal, not upgrade -%systemd_preun named-pkcs11.service - -%postun pkcs11 -# Package upgrade, not uninstall -%systemd_postun_with_restart named-pkcs11.service -%endif - # Fix permissions on existing device files on upgrade %define chroot_fix_devices() \ if [ $1 -gt 1 ]; then \ @@ -813,10 +715,6 @@ fi %ldconfig_scriptlets libs -%if %{with PKCS11} -%ldconfig_scriptlets pkcs11-libs -%endif - %post chroot %systemd_post named-chroot.service %chroot_fix_devices %{chroot_prefix} @@ -859,6 +757,7 @@ fi; %{_sbindir}/rndc* %{_sbindir}/named-checkconf %{_libexecdir}/generate-rndc-key.sh +%{_libexecdir}/setup-named-softhsm.sh %{_mandir}/man1/mdig.1* %{_mandir}/man1/named-rrchecker.1* %{_mandir}/man5/named.conf.5* 
@@ -947,15 +846,7 @@ fi; %files dnssec-utils %{_bindir}/dnssec* -%if %{with PKCS11} -%exclude %{_sbindir}/dnssec*pkcs11 -%endif - -%files dnssec-doc %{_mandir}/man1/dnssec*.1* -%if %{with PKCS11} -%exclude %{_mandir}/man1/dnssec*-pkcs11.1* -%endif %files devel %{_libdir}/libbind9.so @@ -1012,33 +903,6 @@ fi; %dir %{chroot_prefix}/run/named %{chroot_prefix}%{_localstatedir}/run -%if %{with PKCS11} -%files pkcs11 -%{_sbindir}/named-pkcs11 -%{_unitdir}/named-pkcs11.service -%{_mandir}/man8/named-pkcs11.8* -%{_libexecdir}/setup-named-softhsm.sh - -%files pkcs11-utils -%{_bindir}/pkcs11-destroy -%{_bindir}/pkcs11-keygen -%{_bindir}/pkcs11-list -%{_bindir}/pkcs11-tokens -%{_mandir}/man1/pkcs11-*.1* -%if %{with PKCS11} -%{_bindir}/dnssec*pkcs11 -%{_mandir}/man1/dnssec*-pkcs11.1* -%endif - -%files pkcs11-libs -%{_libdir}/libdns-pkcs11-%{version}*.so -%{_libdir}/libns-pkcs11-%{version}*.so - -%files pkcs11-devel -%{_libdir}/libdns-pkcs11.so -%{_libdir}/libns-pkcs11.so -%endif - %if %{with DLZ} %files dlz-filesystem %{_libdir}/{named,bind}/dlz_filesystem_dynamic.so @@ -1072,6 +936,7 @@ fi; * Wed Jul 20 2022 Petr Menšík - 32:9.18.4-2 - Stop enabling selinux booleans on every upgrade - Deprecate python3-bind for smooth upgrade +- Remove PKCS1111 native utilities, libs and daemon * Wed Jul 20 2022 Petr Menšík - 32:9.18.4-1 - Update to 9.18.4 (#2057493) diff --git a/named-pkcs11.service b/named-pkcs11.service deleted file mode 100644 index 241cb7d..0000000 --- a/named-pkcs11.service +++ /dev/null 
@@ -1,26 +0,0 @@
-[Unit]
-Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
-Wants=nss-lookup.target
-Wants=named-setup-rndc.service
-Before=nss-lookup.target
-After=network.target
-After=named-setup-rndc.service
-
-[Service]
-Type=forking
-Environment=NAMEDCONF=/etc/named.conf
-EnvironmentFile=-/etc/sysconfig/named
-Environment=KRB5_KTNAME=/etc/named.keytab
-PIDFile=/run/named/named.pid
-
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
-ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
-
-ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
-
-ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
-
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target