# Build-time feature switches derived from the target distribution.
# systemd / sysvinit select which init integration the daemon is built with
# and which scriptlets run (see the post/preun/postun sections below).
%if 0%{?fedora} > 15 || 0%{?rhel} > 6
%global systemd 1
%global	sysvinit 0
%else
%global systemd 0
%global	sysvinit 1
%endif

# systemdsysv: whether systemd-sysv-convert is invoked from the triggerun
# scriptlet (via the systemdsysvsave macro defined in the preamble); F16..F19 only.
%if 0%{?fedora} > 15 && 0%{?fedora} < 20
%global systemdsysv 1
%else
%global systemdsysv 0
%endif

# tmpfiles: whether a tmpfiles.d fragment is installed (presumably for the
# /var/run/certmonger runtime directory).
%if 0%{?fedora} > 14 || 0%{?rhel} > 6
%global tmpfiles 1
%else
%global tmpfiles 0
%endif

# Location of the sysvinit script; the rpm macro naming the directory differs
# between older and newer releases.
%if 0%{?fedora} > 9 || 0%{?rhel} > 5
%global sysvinitdir %{_initddir}
%else
%global sysvinitdir %{_initrddir}
%endif

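Name:		certmonger
Version:	0.78.4
Release:	1%{?dist}
Summary:	Certificate status monitor and PKI enrollment client

Group:		System Environment/Daemons
License:	GPLv3+
URL:		http://certmonger.fedorahosted.org
Source0:	http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz
# Detached signature for Source0.  NOTE(review): nothing in this spec verifies
# it (there is no gpgverify step), so unless the build pipeline checks it the
# signature is informational only -- confirm.
Source1:	http://fedorahosted.org/released/certmonger/certmonger-%{version}.tar.gz.sig
# Only honoured by older rpm; kept because the EL5-era branches below are still supported.
BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

# Downstream-only change: removes the rekey feature (0.78.4-1 changelog entry).
Patch1001:	1001-Remove-rekey-feature.patch

BuildRequires:	openldap-devel
BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn-devel
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
BuildRequires:  libuuid-devel
%else
BuildRequires:  e2fsprogs-devel
%endif
BuildRequires:	libtalloc-devel, libtevent-devel
%if 0%{?rhel} >= 6 || 0%{?fedora} >= 9
BuildRequires:	libcurl-devel
%else
BuildRequires:	curl-devel
%endif
BuildRequires:	libxml2-devel, xmlrpc-c-devel
%if 0%{?rhel} < 6
BuildRequires:	bind-libbind-devel
%endif
# Required for 'make check':
#  for diff and cmp
BuildRequires:	diffutils
#  for expect
BuildRequires:	expect
#  for mktemp, which was absorbed into coreutils at some point
BuildRequires:	mktemp
#  for certutil and pk12util
BuildRequires:	nss-tools
#  for openssl
BuildRequires:	openssl
#  for dbus-launch
BuildRequires:	/usr/bin/dbus-launch
#  for dos2unix
BuildRequires:	/usr/bin/dos2unix
BuildRequires:	/usr/bin/unix2dos
#  for which
BuildRequires:	/usr/bin/which
#  for dbus tests
BuildRequires:	dbus-python
#  for popt or popt-devel, depending on the build environment
BuildRequires: /usr/include/popt.h

# we need a running system bus
Requires:	dbus
# the post scriptlet signals the bus with killall, which psmisc provides
Requires(post):	psmisc

# Scriptlet dependencies for the systemd-based init integration.
%if %{systemd}
BuildRequires:	systemd-units
Requires(post):	systemd-units
Requires(preun):	systemd-units, dbus, sed
Requires(postun):	systemd-units
%endif

# On F16..F19 the sysvinit enablement state is saved by the triggerun
# scriptlet through the systemdsysvsave macro defined here.
%if %{systemdsysv}
Requires(post):	systemd-sysv
%global systemdsysvsave \
# Save the current service runlevel info, in case the user wants \
# to apply the enabled status manually later, by running \
#   "systemd-sysv-convert --apply certmonger". \
%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:
%else
%global systemdsysvsave %{nil}
%endif

# Scriptlet dependencies for the sysvinit-based init integration.
%if %{sysvinit}
Requires(post):	/sbin/chkconfig, /sbin/service
Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
%endif

%if 0%{?fedora} >= 15
# Certain versions of libtevent have incorrect internal ABI versions.
Conflicts: libtevent < 0.9.13
%endif

%description
Certmonger is a service which is primarily concerned with getting your
system enrolled with a certificate authority (CA) and keeping it enrolled.
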
%prep
# Unpack Source0 and apply the listed patches with -p1 (Patch1001 above).
%autosetup -p1

%if 0%{?rhel} > 0
# Enabled by default for RHEL for bug #765600, still disabled by default for
# Fedora pending a similar bug report there.
sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
%endif

%build
# configure is one logical command line: the conditional flags below are
# backslash continuations, so nothing may be inserted between them.
# --with-homedir / --with-tmpdir: HOME and temp dir for NSS-using subprocesses
# (0.70-1 changelog entry).  --enable-pie / --enable-now: position-independent
# executables with early binding (0.66-1 changelog entry).
%configure \
%if %{systemd}
	--enable-systemd \
%endif
%if %{sysvinit}
	--enable-sysvinit=%{sysvinitdir} \
%endif
%if %{tmpfiles}
	--enable-tmpfiles \
%endif
	--with-homedir=/var/run/certmonger \
	--with-tmpdir=/var/run/certmonger --enable-pie --enable-now
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
# tell us about libxmlrpc_client, but we need more.  Work around.
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"

%install
rm -rf "$RPM_BUILD_ROOT"
make install DESTDIR="$RPM_BUILD_ROOT"
# State directory layout: cas/ holds one data file per known CA (the triggerin
# scriptlet greps them for an "id=" line); requests/ presumably holds the
# per-request tracking files -- confirm against the daemon.
for statedir in cas requests ; do
	mkdir -p "$RPM_BUILD_ROOT"/%{_localstatedir}/lib/certmonger/"$statedir"
done
# Runtime directory; also the daemon's HOME and tmpdir (see the configure
# flags in the build section).  Listed as a directory in the files section.
install -m755 -d "$RPM_BUILD_ROOT"/var/run/certmonger
%{find_lang} %{name}

%check
# Runs the upstream self-tests; the extra BuildRequires above (expect,
# nss-tools, dbus-launch, dos2unix, ...) exist for this step.
make check

%clean
# Kept for older rpm releases that do not clean the buildroot themselves.
rm -rf $RPM_BUILD_ROOT

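%post
# $1 = number of installed instances of this package after the transaction:
# 1 on a fresh install, 2 or more on an upgrade.  Everything here is
# best-effort; nothing may fail the transaction.
if test $1 -eq 1 ; then
	# A system-bus policy file was just installed (see the files section);
	# SIGHUP makes dbus-daemon re-read its configuration.  Redirect stdout
	# first and then stderr onto it so both streams are silenced, and
	# tolerate a missing killall rather than fail the scriptlet.
	# NOTE(review): this also HUPs every per-user session bus; asking only
	# the system bus to reload (org.freedesktop.DBus.ReloadConfig) would be
	# narrower.
	killall -HUP dbus-daemon > /dev/null 2>&1 || :
fi
%if %{systemd}
if test $1 -eq 1 ; then
	# Make systemd pick up the freshly installed unit file.
	/bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi
%endif
%if %{sysvinit}
# Register the init script in the chkconfig runlevel database.
/sbin/chkconfig --add certmonger
%endif
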
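%triggerin -- certmonger < 0.58
# Fires when a certmonger older than 0.58 is installed together with this one.
# Those versions cannot cope with the "dogtag-ipa-renew-agent" CA, whose
# nickname contains characters that are not legal in a D-Bus name (see the
# 0.75.4-2 changelog entry), so that CA is dropped both from the running
# daemon and from the on-disk CA data.  $1 is the instance count rpm passes
# to trigger scriptlets; greater than 1 means the old package is still
# installed, i.e. an upgrade is in progress.
if test $1 -gt 1 ; then
	# If the daemon is running, ask it over the system bus for the CA's
	# object path.  NOTE(review): this assumes --print-reply=o yields just
	# the path once sed strips the leading blanks; the case below passes the
	# value on only when it actually looks like an object path.
	objpath=$(dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true)
	case "$objpath" in
	/*)
		dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null
		;;
	esac
	# Remove the data file too, in case the daemon isn't running.  An
	# unmatched glob leaves the pattern itself in $cafile, so skip non-files.
	for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do
		test -f "$cafile" || continue
		if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then
			rm -f "$cafile"
		fi
	done
fi
exit 0
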
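%postun
# $1 = number of instances left after the transaction: 0 on erase, 1 or more
# on an upgrade (the new package is already installed at this point).
%if %{systemd}
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ $1 -ge 1 ] ; then
	# Upgrade: restart the daemon only if it is currently running.
	/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :
fi
%endif
%if %{sysvinit}
if test $1 -gt 0 ; then
	# Redirect stdout first and then stderr onto it so both are silenced.
	/sbin/service certmonger condrestart > /dev/null 2>&1 || :
fi
%endif
exit 0
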
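%preun
# $1 = number of instances that will remain: 0 means the package is being
# erased rather than upgraded, the only case in which the service is
# disabled and stopped.
%if %{systemd}
if test $1 -eq 0 ; then
	/bin/systemctl --no-reload disable certmonger.service > /dev/null 2>&1 || :
	/bin/systemctl stop certmonger.service > /dev/null 2>&1 || :
fi
%endif
%if %{sysvinit}
if test $1 -eq 0 ; then
	# Redirect stdout first and then stderr onto it so both are silenced.
	/sbin/service certmonger stop > /dev/null 2>&1 || :
	/sbin/chkconfig --del certmonger
fi
%endif
exit 0
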
%if %{systemd}
# Fires when this package replaces a certmonger older than 0.43, presumably
# one still registered with chkconfig rather than managed by systemd.
%triggerun -- certmonger < 0.43
%{systemdsysvsave}
# Do this because the old package's %%postun doesn't know we need to do it.
/sbin/chkconfig --del certmonger >/dev/null 2>&1 || :
# Do this because the old package's %%postun wouldn't have tried.
/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :
exit 0
%endif

%files -f %{name}.lang
%defattr(-,root,root,-)
%doc README LICENSE STATUS doc/*.txt
# System-bus policy file; the post scriptlet signals dbus-daemon so it is
# picked up without a bus restart.
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/*
# Session-bus activation file; deliberately not tagged as a config file
# (0.65-2 changelog entry).
%{_datadir}/dbus-1/services/*
%dir %{_sysconfdir}/certmonger
%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf
# Runtime directory created in the install section; also the daemon's HOME
# and tmpdir (configure flags in the build section).
%dir /var/run/certmonger
%{_bindir}/*
%{_sbindir}/certmonger
%{_mandir}/man*/*
%{_libexecdir}/%{name}
# Persistent state: the cas/ and requests/ subdirectories created in the
# install section.
%{_localstatedir}/lib/certmonger
%if %{sysvinit}
%{sysvinitdir}/certmonger
%endif
%if %{tmpfiles}
# Explicit 0644 so the fragment's mode does not depend on the build tree.
%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf
%endif
%if %{systemd}
# Unit file intentionally not tagged as a config file (0.66-1 changelog entry).
%{_unitdir}/*
%{_datadir}/dbus-1/system-services/*
%endif

%changelog
3eac4d
* Mon Aug 10 2015 Jan Cholasta <jcholast@redhat.com> - 0.78.4-1
3eac4d
- Resolves: #1249753 challenge password not added in csr using start-tracking
3eac4d
- Resolves: #1250397 Remove certmonger rekey feature in 7.2
3eac4d
  - Remove rekey feature
3eac4d
- Related:  #1205756 Rebase certmonger to 0.77 or later
3eac4d
  - Update to upstream 0.78.4
3eac4d
3eac4d
* Fri Jul 24 2015 Jan Cholasta <jcholast@redhat.com> - 0.78.3-1
3eac4d
- Resolves: #1244914 scep ca helper does not parse command line options
3eac4d
  correctly
3eac4d
- Related:  #1205756 Rebase certmonger to 0.77 or later
3eac4d
  - Update to upstream 0.78.3
3eac4d
3eac4d
* Mon Jun 22 2015 Jan Cholasta <jcholast@redhat.com> - 0.78.1-1
3eac4d
- Resolves: #1140241 RFE: Add SCEP support to certmonger
3eac4d
- Resolves: #1148001 ipa-getcert killed by SIGABRT
3eac4d
- Resolves: #1205756 Rebase certmonger to 0.77 or later
3eac4d
  - Update to upstream 0.78.1
3eac4d
ed3c5e
* Tue Jan 13 2015 Jan Cholasta <jcholast@redhat.com> - 0.75.14-3
ed3c5e
- backport change from git to correctly retrieve string values from DBus
ed3c5e
  property interface replies (#1181022)
ed3c5e
ed3c5e
* Wed Nov 19 2014 Jan Cholasta <jcholast@redhat.com> - 0.75.14-2
ed3c5e
- backport dogtag-submit: accept additional options to pass to the server when
ed3c5e
  approving requests using agent creds (#1165155)
ed3c5e
ed3c5e
* Thu Aug 28 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.14-1
ed3c5e
- make pathname canonicalization slightly smarter, to handle ".." in
3eac4d
  locations (#1131758)
3eac4d
- updates to self-tests (#1144082)
ed3c5e
ed3c5e
* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 0.75.13-2
ed3c5e
- Rebuild for rpm bug 1131960
ed3c5e
ed3c5e
* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.13-1
ed3c5e
- add a missing test case file (whoops)
ed3c5e
ed3c5e
* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.12-1
ed3c5e
- correct encoding/decoding of variant-typed data which we receive and send
ed3c5e
  as part of the org.freedesktop.DBus.Properties interface over the bus, and
ed3c5e
  add some tests for them (based on patch from David Kupka, ticket #36)
ed3c5e
ed3c5e
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.75.10-2
ed3c5e
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
ed3c5e
ed3c5e
* Tue Aug 12 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.11-1
ed3c5e
- when getcert is passed a -a flag, to indicate that CA root certificates
ed3c5e
  should be stored in the specified database, don't ignore locations which
ed3c5e
  don't include a storage scheme (#1129537)
ed3c5e
- when called to 'start-tracking' with the -a or -F flags, if we have
ed3c5e
  applicable certificates on-hand for a CA that we're either told to use
ed3c5e
  or which we decide is the correct one, save the certificates (#1129696)
ed3c5e
ed3c5e
* Tue Aug  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.10-1
ed3c5e
- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
ed3c5e
  default.conf, and no "host" is set either, try to construct the server URI
ed3c5e
  using the "server" setting (#1126985)
ed3c5e
ed3c5e
* Thu Jul 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.9-1
ed3c5e
- avoid potential use-after-free after a CA is removed dynamically (thanks to
ed3c5e
  Keenan Brock) (#1125342)
ed3c5e
- add a "external-helper" property to CA objects
ed3c5e
ed3c5e
* Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.8-1
ed3c5e
- add a 'refresh' option to the getcert command
ed3c5e
- add a '-a' flag to the getcert command's 'refresh-ca' option
ed3c5e
ed3c5e
* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-2
ed3c5e
- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older,
ed3c5e
  conditionalized it so that it's ignored on newer releases, and make
ed3c5e
  whether or not we call systemd-sysv-convert in triggers depend on that,
ed3c5e
  too (#1104138)
ed3c5e
ed3c5e
* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-1
ed3c5e
- fix an inconsistency in how we parse cookie values returned by CA helpers,
ed3c5e
  in that single-line values would lose the end-of-line after a daemon
ed3c5e
  restart, but not before
ed3c5e
- handle timeout values and exit status values when calling CA helpers
ed3c5e
  in non-SUBMIT, non-POLL modes (#1118468)
ed3c5e
- rework how we save CA certificates so that we save CA certificates associated
ed3c5e
  with end-entity certificates when we save that end-entity certificate, which
ed3c5e
  requires running all of the involved pre- and post-save commands
ed3c5e
- drop package Requires: on systemd-sysv (#1104138)
ed3c5e
ed3c5e
* Thu Jun 26 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.6-1
ed3c5e
- avoid potential use-after-free and read overrun after a CA is added
ed3c5e
  dynamically (thanks to Jan Cholasta)
ed3c5e
ed3c5e
* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.5-1
ed3c5e
- documentation updates
ed3c5e
ed3c5e
* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-2
ed3c5e
- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
ed3c5e
  when we detect certmonger versions prior to 0.58 being installed, to
ed3c5e
  avoid cases where some older versions choke on CAs with nicknames that
ed3c5e
  contain characters that can't legally be part of a D-Bus name (#948993)
ed3c5e
ed3c5e
* Thu Jun 19 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-1
ed3c5e
- fix creation and packaging of the "local" CA's data directory
ed3c5e
ed3c5e
* Wed Jun 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.3-1
ed3c5e
- read and cache whether or not we saw a noOCSPcheck extension in certificates
ed3c5e
- documentation updates
ed3c5e
ed3c5e
* Mon Jun 16 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.2-1
ed3c5e
- when generating keys using OpenSSL, if key generation fails, try
ed3c5e
  again with the default key size, in case we're in FIPS mode
ed3c5e
- documentation updates
ed3c5e
ed3c5e
* Sat Jun 14 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.1-1
ed3c5e
- log the state in 'getcert status' verbose mode
ed3c5e
ed3c5e
* Fri Jun 13 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75-1
ed3c5e
- add a -w (wait) flag to the getcert's request/resubmit/start-tracking
ed3c5e
  commands, and add a non-waiting status command
ed3c5e
ed3c5e
* Wed Jun 11 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.96-1
ed3c5e
- make the trust settings we apply to CA-supplied certificates while
ed3c5e
  saving them to NSS databases run-time configurable
ed3c5e
- fix compiling against EL5-era OpenSSL
ed3c5e
- when saving CA certificates we pull from an IPA server, nickname
ed3c5e
  it using the realm name with " IPA CA" appended rather than just
ed3c5e
  naming it "IPA CA"
ed3c5e
- fix the local signer so that when it issues itself a new certificate,
ed3c5e
  it uses the same subject name
ed3c5e
- add a -w flag to getcert's request, resubmit, and start-tracking
ed3c5e
  commands, telling it to wait until either the certificate is issued,
ed3c5e
  we get to a state where we know that we won't be able to get one, or
ed3c5e
  we are waiting for a CA
ed3c5e
ed3c5e
* Mon Jun  9 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.95-1
ed3c5e
- add the "local" signer, a local toy CA that signs anything you'll
ed3c5e
  ask it to sign
ed3c5e
ed3c5e
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.74-2
ed3c5e
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
ed3c5e
ed3c5e
* Fri Jun  6 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.94-1
ed3c5e
- fix self-test errors that we trigger with new OpenSSL
ed3c5e
- fix a build error that would sometimes happen when we're told to
ed3c5e
  build PIE binaries
ed3c5e
- quiet a compile warning
ed3c5e
ed3c5e
* Thu Jun  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.93-1
ed3c5e
- add some self-tests
ed3c5e
- simplify the internal submit-to-CA logic
ed3c5e
- fixes for more problems found through static analysis
ed3c5e
ed3c5e
* Tue Jun  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.92-1
ed3c5e
- retrieve CA information from CAs, if the helpers can do so, and
ed3c5e
  add a command to explicitly refresh that data: "getcert refresh-ca"
ed3c5e
- offer to save CA certificates to files and databases, when specified with
ed3c5e
  new -a and -F flags to getcert request/resubmit/start-tracking (#1098208,
ed3c5e
  trac #31)
ed3c5e
- add IP address subject alternate names when getcert request/resubmit
ed3c5e
  is passed the -A option (trac #35)
ed3c5e
- read and cache the freshestCRL extension in certificates
ed3c5e
- properly interpret KDC-unreachable errors encountered in the IPA
ed3c5e
  submission error as a server-unreachable error that we will retry,
ed3c5e
  rather than a misconfiguration error which we won't
ed3c5e
- don't let tests get tripped up by new formatting used in dos2unix status
ed3c5e
  messages (#1099080)
ed3c5e
- updated translations
ed3c5e
- be explicit that we are going to use bashisms in test scripts by calling
ed3c5e
  the shell interpreter as 'bash' rather than 'sh' (trac #27)
ed3c5e
ed3c5e
* Thu Apr  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74-1
ed3c5e
- also save state when we exit due to SIGHUP
ed3c5e
- don't get tripped up when enrollment helpers hand us certificates which
ed3c5e
  include CRLF line terminators (ticket #25)
ed3c5e
- be tolerant of certificate issuer names, subject names, DNS, email, and
ed3c5e
  Kerberos principal name subjectAltNames, and crl distribution point URLs
ed3c5e
  that contain newlines
ed3c5e
- read and cache the certificate template extension in certificates
ed3c5e
- enforce different minimum key sizes depending on the type of key we're
ed3c5e
  trying to generate
ed3c5e
- store DER versions of subject, issuer and template subject, if we have
ed3c5e
  them (Jan Cholasta, ticket #26)
ed3c5e
- when generating signing requests with subject names that don't quite parse
ed3c5e
  as subject names, encode what we're given as PrintableString rather than
ed3c5e
  as a UTF8String
ed3c5e
- always chdir() to a known location at startup, even if we're not becoming
ed3c5e
  a daemon
ed3c5e
- fix a couple of memory leaks (static analysis)
ed3c5e
- add missing buildrequires: on which
ed3c5e
ed3c5e
* Thu Feb 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.73-1
ed3c5e
- updates to 0.73
ed3c5e
  - getcert no longer claims to be stuck when a CA is unreachable,
ed3c5e
    because the daemon isn't actually stuck
ed3c5e
ed3c5e
* Mon Feb 17 2014 Nalin Dahyabhai <nalin@redhat.com>
ed3c5e
- updates to 0.73
ed3c5e
  - also pass the key type to enrollment helpers in the environment as
ed3c5e
    the value of "CERTMONGER_KEY_TYPE"
ed3c5e
ed3c5e
* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
ed3c5e
- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir},
3eac4d
  where it belongs (#1180978)
ed3c5e
ed3c5e
* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
ed3c5e
- updates for 0.73
ed3c5e
  - set the flag to encode EC public key parameters using named curves
ed3c5e
    instead of the default of all-the-details when using OpenSSL
ed3c5e
  - don't break when NSS supports secp521r1 but OpenSSL doesn't
ed3c5e
  - also pass the CA nickname to enrollment helpers in the environment as
ed3c5e
    a text value in "CERTMONGER_CA_NICKNAME", so they can use that value
ed3c5e
    when reading configuration settings
ed3c5e
  - also pass the SPKAC value to enrollment helpers in the environment as
ed3c5e
    a base64 value in "CERTMONGER_SPKAC"
ed3c5e
  - also pass the request's SubjectPublicKeyInfo value to enrollment helpers
3eac4d
    in the environment as a base64 value in "CERTMONGER_SPKI" (part of #16)
ed3c5e
  - when generating signing requests using NSS, be more accommodating of
ed3c5e
    requested subject names that don't parse properly
ed3c5e
ed3c5e
* Mon Feb  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.72-1
ed3c5e
- update to 0.72
ed3c5e
  - support generating DSA parameters and keys on sufficiently-new OpenSSL
ed3c5e
    and NSS
ed3c5e
  - support generating EC keys when OpenSSL and NSS support it, using key
ed3c5e
    size to select the curve to use from among secp256r1, secp384r1,
ed3c5e
    secp521r1 (which are the ones that are usually available, though
ed3c5e
    secp521r1 isn't always, even if the other two are)
ed3c5e
  - stop trying to cache public key parameters at all and instead cache public
ed3c5e
    key info properly
ed3c5e
  - encode the friendlyName attribute in signing requests as a BMPString,
ed3c5e
    not as a PrintableString
ed3c5e
  - catch more filesystem permissions problems earlier (more of #996581)
ed3c5e
ed3c5e
* Mon Jan 27 2014 Nalin Dahyabhai <nalin@redhat.com> 0.71-1
ed3c5e
- check for cases where we fail to allocate memory while reading a request
ed3c5e
  or CA entry from disk (John Haxby)
ed3c5e
- only handle one watch at a time, which should avoid abort() during
ed3c5e
  attempts to reconnect to the message bus after losing our connection
ed3c5e
  to it (#1055521)
ed3c5e
a9bce2
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.70-2
a9bce2
- Mass rebuild 2014-01-24
a9bce2
a9bce2
* Thu Jan  2 2014 Nalin Dahyabhai <nalin@redhat.com> 0.70-1
a9bce2
- add a --with-homedir option to configure, and use it, since subprocesses
a9bce2
  which we run and which use NSS may attempt to write to $HOME/.pki, and
a9bce2
  0.69's strategy of setting that to "/" was rightly hitting SELinux policy
a9bce2
  denials (#1047798)
a9bce2
a9bce2
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.69-2
a9bce2
- Mass rebuild 2013-12-27
a9bce2
a9bce2
* Mon Dec  9 2013 Nalin Dahyabhai <nalin@redhat.com> 0.69-1
a9bce2
- tweak how we decide whether we're on the master or a minion when we're
a9bce2
  told to use certmaster as a CA
a9bce2
- clean up one of the tests so that it doesn't have to work around internal
a9bce2
  logging producing duplicate messages
a9bce2
- when logging errors while setting up to contact xmlrpc servers, explicitly
a9bce2
  note that the error is client-side
a9bce2
- don't abort() due to incorrect locking when an attempt to save an issued
a9bce2
  certificate to the designated location fails (part of #1032760/#1033333,
a9bce2
  ticket #22)
a9bce2
- when reading an issued certificate from an enrollment helper, ignore
a9bce2
  noise before or after the certificate itself (more of #1032760/1033333,
a9bce2
  ticket #22)
a9bce2
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
a9bce2
  ticket #22)
a9bce2
- clear the ca-error that we saved when we had an error talking to the CA if we
a9bce2
  subsequently succeed in talking to the CA
a9bce2
- various other static-analysis fixes
a9bce2
47f397
* Thu Aug 29 2013 Nalin Dahyabhai <nalin@redhat.com> 0.68-1
47f397
- notice when the OpenSSL RNG isn't seeded
47f397
- notice when saving certificates or keys fails due to filesystem-related
47f397
  permission denial (#996581)
47f397
47f397
* Tue Aug  6 2013 Nalin Dahyabhai <nalin@redhat.com> 0.67-3
47f397
- pull up a patch from master to adapt self-tests to certutil's diagnostic
47f397
  output having changed (#992050)
47f397
47f397
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.67-2
47f397
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
47f397
47f397
* Mon Mar 11 2013 Nalin Dahyabhai <nalin@redhat.com> 0.67-1
47f397
- when saving certificates to NSS databases, try to preserve the trust
47f397
  value assigned to a previously-present certificate with the same nickname
47f397
  and subject, if one is found
47f397
- when saving certificates to NSS databases, also prune certificates from
47f397
  the database which have both the same nickname and subject as the one
47f397
  we're adding, to avoid tripping up tools that only fetch one certificate
47f397
  by nickname
47f397
47f397
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.65-2
47f397
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
47f397
47f397
* Wed Jan 23 2013 Nalin Dahyabhai <nalin@redhat.com> 0.66-1
47f397
- build as position-independent executables with early binding (#883966)
47f397
- also don't tag the unit file as a configuration file (internal tooling)
47f397
47f397
* Wed Jan 23 2013 Nalin Dahyabhai <nalin@redhat.com> 0.65-2
47f397
- don't tag the D-Bus session .service file as a configuration file (internal
47f397
  tooling)
47f397
47f397
* Tue Jan  8 2013 Nalin Dahyabhai <nalin@redhat.com> 0.65-1
47f397
- fix a crash in the self-tests
47f397
47f397
* Tue Jan  8 2013 Nalin Dahyabhai <nalin@redhat.com> 0.64-1
47f397
- at startup, if we resume the state machine for a given certificate to a state
47f397
  which expects to have the newly-added lock already acquired, acquire it
47f397
  before moving on with the certificate's work (still aimed at fixing #883484)
47f397
47f397
* Tue Dec 18 2012 Nalin Dahyabhai <nalin@redhat.com> 0.63-1
47f397
- serialize access to NSS databases and the running of pre- and post-save
47f397
  commands which might also access them (possibly fixing part of #883484)
47f397
47f397
* Thu Nov 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.62-1
47f397
- add a -u flag to getcert to enable requesting a keyUsage extension value
47f397
- request subjectKeyIdentifier extensions from CAs, and include them in
47f397
  self-signed certificates
47f397
- request basicConstraints from CAs, defaulting to requests for end-entity
47f397
  certificates
47f397
- when requesting CA certificates, also request authorityKeyIdentifier
47f397
- add support for requesting CRL distribution point and authorityInfoAccess
47f397
  extensions that specify OCSP responder locations
47f397
- don't crash when OpenSSL can't build a template certificate from a request
47f397
  when we're in FIPS mode
47f397
- put NSS in FIPS mode, when the system booted that way, except when we're
47f397
  trying to write certificates to a database
47f397
- fix CSR generation and self-signing in FIPS mode with NSS
47f397
- fix self-signing in FIPS mode with OpenSSL
47f397
- new languages from the translation team: mai, ml, nn, ga
47f397
47f397
* Tue Nov 27 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-3
47f397
- backport change from git to not choke if X509_REQ_to_X509() fails when we're
47f397
  self-signing using OpenSSL
47f397
- backport another change from git to represent this as a CA-rejected error
47f397
47f397
* Mon Sep 24 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-1
47f397
- fix a regression in reading old request tracking files where the
47f397
  request was in state NEED_TO_NOTIFY or NOTIFYING
47f397
47f397
* Wed Sep  5 2012 Nalin Dahyabhai <nalin@redhat.com> 0.60-1
47f397
- adjust internals of logic for talking to dogtag to at least have a
47f397
  concept of non-agent cases
47f397
- when talking to an IPA server's internal Dogtag instance, infer which
47f397
  ports the CA is listening on from the "dogtag_version" setting in the
47f397
  IPA configuration (Ade Lee)
47f397
- send a notification (or log a message, whatever) when we save a new
47f397
  certificate (#766167)
47f397
47f397
* Mon Jul 30 2012 Nalin Dahyabhai <nalin@redhat.com>
47f397
- fix a bad %%preun scriptlet
47f397
47f397
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.59-2
47f397
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
47f397
47f397
* Fri Jun 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.59-1
47f397
- mostly documentation updates
47f397
47f397
* Fri Jun 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.58-1
47f397
- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using
47f397
  an IPA server's internal Dogtag instance
47f397
- export the requested profile and old certificate to enrollment helpers
47f397
- make libxml and libcurl into hard build-time requirements
47f397
- serialize all pre/save/post sequences to make sure that stop/save/start
47f397
  doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping
47f397
  a service while we muck with more than one of its certificates
47f397
47f397
* Fri Jun 15 2012 Nalin Dahyabhai <nalin@redhat.com>
47f397
- add a command option (-T) to getcert for specifying which enrollment
47f397
  profile to tell a CA that we're using, in case it cares (#10)
47f397
47f397
* Thu Jun 14 2012 Nalin Dahyabhai <nalin@redhat.com> 0.57-1
47f397
- clarify that the command passed to getcert -C is a "post"-save command
47f397
- add a "pre"-save command option to getcert, specified with the -B flag (#9)
47f397
- after we notify of an impending not-valid-after approaching, don't do it
47f397
  again immediately
47f397
47f397
* Sat Mar  3 2012 Nalin Dahyabhai <nalin@redhat.com> 0.56-1
47f397
- when a caller sets the is-default flag on a CA, and another CA is no longer
47f397
  the default, emit the PropertiesChanged signal on the CA which is not the
47f397
  default, instead of on the new default a second time
47f397
- drop some dead code from the D-Bus message handlers (static analysis,
47f397
  #796813)
47f397
- cache public keys when we read private keys
47f397
- go back to printing an error indicating that we're missing a required
47f397
  argument when we're missing a required argument, not that the option is
47f397
  invalid (broken since 0.51, #796542)
47f397
47f397
* Wed Feb 15 2012 Nalin Dahyabhai <nalin@redhat.com> 0.55-1
47f397
- allow root to use our implementation of org.freedesktop.DBus.Properties
47f397
- take more care to not emit useless PropertiesChanged signals
47f397
47f397
* Wed Feb 15 2012 Nalin Dahyabhai <nalin@redhat.com> 0.54-1
47f397
- fix setting the group ID when spawning the post-save command
47f397
47f397
* Tue Feb 14 2012 Nalin Dahyabhai <nalin@redhat.com> 0.53-1
47f397
- large changes to the D-Bus glue, exposing a lot of data which we were
47f397
  providing via D-Bus getter methods as properties, and providing more
47f397
  accurate introspection data
47f397
- emit a signal when the daemon saves a certificate to the destination
47f397
  location, and provide an option to have the daemon spawn an arbitrary
47f397
  command at that point, too (#766167)
47f397
- enable starting the service by default on RHEL (#765600)
47f397
47f397
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.52-2
47f397
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
47f397
47f397
* Fri Dec 16 2011 Nalin Dahyabhai <nalin@redhat.com> 0.52-1
47f397
- note that SELinux usually confines us to writing only to cert_t in
47f397
  doc/getting-started.txt (#765599)
47f397
- fix crashes when we add a request during our first run when we're
47f397
  populating the hard-coded CA list
47f397
- properly deal with cases where a path passed to us is "./XXX"
47f397
- in session mode, create our data directories as we go
47f397
47f397
* Tue Dec  6 2011 Nalin Dahyabhai <nalin@redhat.com> 0.51-1
47f397
- api: lift restrictions on characters used in request and CA nicknames by
47f397
  making their object names not incorporate their nicknames
47f397
- api: add find_request_by_nickname and find_ca_by_nickname
47f397
- certmonger-ipa-submit.8: list -k, -K, -t in the summary, document -K
47f397
- getcert: print "invalid option" error messages ourselves (#756291)
47f397
- ipa-submit: supply a Referer: header when submitting requests to IPA
47f397
  (#750617, needed for #747710)
47f397
47f397
* Fri Oct 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.50-1
47f397
- really fix these this time:
47f397
 - getcert: error out when "list -c" finds no matching CA (#743488)
47f397
 - getcert: error out when "list -i" finds no matching request (#743485)
47f397
47f397
* Wed Oct 12 2011 Nalin Dahyabhai <nalin@redhat.com> 0.49-1
- when using an NSS database, skip loading the module database (#743042)
- when using an NSS database, skip loading root certs
- generate SPKAC values when generating CSRs, though we don't do anything
  with SPKAC values yet
- internally maintain and use challenge passwords, if we have them
- behave better when certificates have shorter lifetimes
- add/recognize/handle notification type "none"
- getcert: error out when "list -c" finds no matching CA (#743488)
- getcert: error out when "list -i" finds no matching request (#743485)
* Thu Sep 29 2011 Nalin Dahyabhai <nalin@redhat.com> 0.48-1
- don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated
  array (#742348)
* Tue Sep 27 2011 Nalin Dahyabhai <nalin@redhat.com> 0.47-1
- getcert: distinguish between {stat() succeeds but isn't a directory} and
  {stat() failed} when printing an error message (#739903)
- getcert resubmit/start-tracking: when we're looking for an existing request
  by ID, and we don't find one, note that specifically (#741262)
* Mon Aug 29 2011 Stephen Gallagher <sgallagh@redhat.com> - 0.46-1.1
- Rebuild against fixed libtevent version
* Mon Aug 15 2011 Nalin Dahyabhai <nalin@redhat.com> 0.46-1
- treat the ability to access keys in an NSS database without using a PIN,
  when we've been told we need one, as an error (#692766, really this time)
* Thu Aug 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.45-1
- modify the systemd .service file to be a proper 'dbus' service (more
  of #718172)
* Thu Aug 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.44-1
- check specifically for cases where a specified token that we need to
  use just isn't present for whatever reason (#697058)
* Wed Aug 10 2011 Nalin Dahyabhai <nalin@redhat.com> 0.43-1
- add a -K option to ipa-submit, to use the current ccache, which makes
  it easier to test
* Fri Aug  5 2011 Nalin Dahyabhai <nalin@redhat.com>
- if xmlrpc-c's struct xmlrpc_curl_xportparms has a gss_delegate field, set
  it to TRUE when we're doing Negotiate auth (#727864, #727863, #727866)
* Wed Jul 13 2011 Nalin Dahyabhai <nalin@redhat.com>
- treat the ability to access keys in an NSS database without using a PIN,
  when we've been told we need one, as an error (#692766)
- when handling "getcert resubmit" requests, if we don't have a key yet,
  make sure we go all the way back to generating one (#694184)
- getcert: try to clean up tests for NSS and PEM file locations (#699059)
- don't try to set reconnect-on-exit policy unless we managed to connect
  to the bus (#712500)
- handle cases where we specify a token but the storage token isn't
  known (#699552)
- getcert: recognize -i and storage options to narrow down which requests
  the user wants to know about (#698772)
- output hints when the daemon has startup problems, too (#712075)
- add flags to specify whether we're bus-activated or not, so that we can
  exit if we have nothing to do after handling a request received over
  the bus if some specified amount of time has passed
- explicitly disallow non-root access in the D-Bus configuration (#712072)
- migrate to systemd on releases newer than Fedora 15 or RHEL 6 (#718172)
- fix a couple of incorrect calls to talloc_asprintf() (#721392)
* Wed Apr 13 2011 Nalin Dahyabhai <nalin@redhat.com> 0.42-1
- getcert: fix a buffer overrun preparing a request for the daemon when
  there are more parameters to encode than space in the array (#696185)
- updated translations: de, es, id, pl, ru, uk
* Mon Apr 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.41-1
- read information about the keys we've just generated before proceeding
  to generating a CSR (part of #694184, part of #695675)
- when processing a "resubmit" request from getcert, go back to key
  generation if we don't have keys yet, else go back to CSR generation as
  before (#694184, #695675)
- configure with --with-tmpdir=/var/run/certmonger and own /var/run/certmonger
  (#687899), and add a systemd tmpfiles.d control file for creating
  /var/run/certmonger on Fedora 15 and later
- let session instances exit when they get disconnected from the bus
- use a lock file to make sure there's only one session instance messing
  around with the user's files at a time
- fix errors saving certificates to NSS databases when there's already a
  certificate there with the same nickname (#695672)
- make key and certificate location output from 'getcert list' more properly
  translatable (#7)
* Mon Mar 28 2011 Nalin Dahyabhai <nalin@redhat.com> 0.40-1
- update to 0.40
  - fix validation check on EKU OIDs in getcert (#691351)
  - get session bus mode sorted
  - add a list of recognized EKU values to the getcert-request man page
* Fri Mar 25 2011 Nalin Dahyabhai <nalin@redhat.com> 0.39-1
- update to 0.39
  - fix use of an uninitialized variable in the xmlrpc-based submission
    helpers (#690886)
* Thu Mar 24 2011 Nalin Dahyabhai <nalin@redhat.com> 0.38-1
- update to 0.38
  - catch cases where we can't read a PIN file, but we never have to log
    in to the token to access the private key (more of #688229)
* Tue Mar 22 2011 Nalin Dahyabhai <nalin@redhat.com> 0.37-1
- update to 0.37
  - be more careful about checking if we can read a PIN file successfully
    before we even call an API that might need us to try (#688229)
  - fix strict aliasing warnings
* Tue Mar 22 2011 Nalin Dahyabhai <nalin@redhat.com> 0.36-1
- update to 0.36
  - fix some use-after-free bugs in the daemon (#689776)
  - fix a copy/paste error in certmonger-ipa-submit(8)
  - getcert now suppresses error details when not given its new -v option
    (#683926, more of #681641/#652047)
  - updated translations
    - de, es, pl, ru, uk
    - indonesian translation is now for "id" rather than "in"
* Wed Mar  2 2011 Nalin Dahyabhai <nalin@redhat.com> 0.35.1-1
- fix a self-test that broke because one-year-from-now is now a day's worth
  of seconds further out than it was a few days ago
* Mon Feb 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.35-1
- update to 0.35
  - self-test fixes to rebuild properly in mock (#670322)
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.34-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Fri Jan 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.34-1
- update to 0.34
  - explicitly note the number of requests we're tracking in the output of
    "getcert list" (#652049)
  - try to offer some suggestions when we get certain specific errors back
    in "getcert" (#652047)
  - updated translations
    - es
* Thu Dec 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.33-1
- update to 0.33
  - new translations
    - id by Okta Purnama Rahadian!
  - updated translations
    - pl, uk
  - roll up assorted fixes for defects
* Fri Nov 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.32-2
- depend on the e2fsprogs libuuid on Fedora and RHEL releases where it's
  not part of util-linux-ng
* Wed Oct 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.32-1
- oops, rfc5280 says we shouldn't be populating unique identifiers, so
  make it a configuration option and default the behavior to off
* Tue Oct 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.31-1
- start populating the optional unique identifier fields in self-signed
  certificates
* Thu Sep 30 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-4
- explicitly require "dbus" to try to ensure we have a running system bus
  when we get started (#639126)
* Wed Sep 29 2010 jkeating - 0.30-3
- Rebuilt for gcc bug 634757
* Thu Sep 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-2
- try to SIGHUP the messagebus daemon at first install so that it'll
  let us claim our service name if it isn't restarted before we are
  first started (#636876)
* Wed Aug 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-1
- update to 0.30
  - fix errors computing the time at the end of an interval that were
    caught by self-tests
* Mon Aug 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.29-1
- update to 0.29
  - fix 64-bit cleanliness issue using libdbus
  - actually include the full set of tests in tarballs
* Tue Aug 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.28-1
- update to 0.28
  - fix self-signing certificate notBefore and notAfter values on 32-bit
    machines
* Tue Aug 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.27-1
- update to 0.27
  - portability and test fixes
* Fri Aug 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.26-1
- update to 0.26
  - when canceling a submission request that's being handled by a helper,
    reap the child process's status after killing it (#624120)
* Fri Aug 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.25-1
- update to 0.25
  - new translations
    - in by Okta Purnama Rahadian!
  - fix detection of cases where we can't access a private key in an NSS
    database because we don't have the PIN
  - teach '*getcert start-tracking' about the -p and -P options which the
    '*getcert request' commands already understand (#621670), and also
    the -U, -K, -E, and -D flags
  - double-check that the nicknames of keys we get back from
    PK11_ListPrivKeysInSlot() match the desired nickname before accepting
    them as matches, so that our tests won't all blow up on EL5
  - fix dynamic addition and removal of CAs implemented through helpers
* Mon Jun 28 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-4
- init script: ensure that the subsys lock is created whenever we're called to
  "start" when we're already running (even more of #596719)
* Tue Jun 15 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-3
- more gracefully handle manual daemon startups and cleaning up of unexpected
  crashes (still more of #596719)
* Thu Jun 10 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-2
- don't create the daemon pidfile until after we've connected to the D-Bus
  (still more of #596719)
* Tue Jun  8 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-1
- update to 0.24
  - keep the lock on the pid file, if we have one, when we fork, and cancel
    daemon startup if we can't gain ownership of the lock (the rest of #596719)
  - make the man pages note which external configuration files we consult when
    submitting requests to certmaster and ipa CAs
* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com> 0.23-1
- update to 0.23
  - new translations
    - pl by Piotr Drąg!
  - cancel daemon startup if we can't gain ownership of our well-known
    service name on the DBus (#596719)
* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.22-1
- update to 0.22
  - new translations
    - de by Fabian Affolter!
  - certmaster-submit: don't fall over when we can't find a certmaster.conf
    or a minion.conf (i.e., certmaster isn't installed) (#588932)
  - when reading extension values from certificates, prune out duplicate
    principal names, email addresses, and hostnames
* Tue May  4 2010 Nalin Dahyabhai <nalin@redhat.com> 0.21-1
- update to 0.21
  - getcert/*-getcert: relay the desired CA to the local service, whether
    specified on the command line (in getcert) or as a built-in hard-wired
    default (in *-getcert) (#584983)
  - flesh out the default certmonger.conf so that people can get a feel for
    the expected formatting (Jenny Galipeau)
* Wed Apr 21 2010 Nalin Dahyabhai <nalin@redhat.com> 0.20-1
- update to 0.20
  - correctly parse certificate validity periods given in years (spotted by
    Stephen Gallagher)
  - setup for translation
    - es by Héctor Daniel Cabrera!
    - ru by Yulia Poyarkova!
    - uk by Yuri Chornoivan!
  - fix unpreprocessed defaults in certmonger.conf's man page
  - tweak the IPA-specific message that indicates a principal name also needs
    to be specified if we're not using the default subject name (#579542)
  - make the validity period of self-signed certificates into a configuration
    setting and not a piece of the state information we track about the signer
  - init script: exit with status 2 instead of 1 when invoked with an
    unrecognized argument (#584517)
* Tue Mar 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.19-1
- update to 0.19
  - correctly initialize NSS databases that need to be using a PIN
  - add certmonger.conf, for customizing notification timings and settings,
    and use of digests other than the previously-hard-coded SHA256, and
    drop those settings from individual requests
  - up the default self-sign validity interval from 30 days to 365 days
  - drop the first default notification interval from 30 days to 28 days
    (these two combined to create a fun always-reissuing loop earlier)
  - record the token which contains the key or certificate when we're
    storing them in an NSS database, and report it
  - improve handling of cases where we're supposed to use a PIN but we
    either don't have one or we have the wrong one
  - teach getcert to accept a PIN file's name or a PIN value when adding
    a new entry
  - update the IPA submission helper to use the new 'request_cert' signature
    that's landing soon
  - more tests
* Fri Feb 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.18-1
- update to 0.18
  - add support for using encrypted storage for keys, using PIN values
    supplied directly or read from files whose names are supplied
  - don't choke on NSS database locations that use the "sql:" or "dbm:"
    prefix
* Mon Jan 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.17-2
- make the D-Bus configuration file (noreplace) (#541072)
- make the %%check section and the deps we have just for it conditional on
  the same macro (#541072)
* Wed Jan  6 2010 Nalin Dahyabhai <nalin@redhat.com> 0.17-1
- update to 0.17
  - fix a hang in the daemon (Rob Crittenden)
  - documentation updates
  - fix parsing of submission results from IPA (Rob Crittenden)
* Fri Dec 11 2009 Nalin Dahyabhai <nalin@redhat.com> 0.16-1
- update to 0.16
  - set a umask at startup (Dan Walsh)
* Tue Dec  8 2009 Nalin Dahyabhai <nalin@redhat.com> 0.15-1
- update to 0.15
  - notice that a directory with a trailing '/' is the same location as the
    directory without it
  - fix handling of the pid file when we write one (by actually giving it
    contents)
* Wed Nov 25 2009 Nalin Dahyabhai <nalin@redhat.com> 0.14-1
- update to 0.14
  - check key and certificate location at add-time to make sure they're
    absolute paths to files or directories, as appropriate
  - IPA: dig into the 'result' item if the named result value we're looking
    for isn't in the result struct
* Tue Nov 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.13-1
- update to 0.13
  - change the default so that we default to trying to auto-refresh
    certificates unless told otherwise
  - preemptively enforce limitations on request nicknames so that they
    make valid D-Bus object path components
* Tue Nov 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.12-1
- update to 0.12
  - add a crucial bit of error reporting when CAs reject our requests
  - count the number of configured CAs correctly
* Mon Nov 23 2009 Nalin Dahyabhai <nalin@redhat.com> 0.11-1
- update to 0.11
  - add XML-RPC submission for certmaster and IPA
  - prune entries with duplicate names from the data store
* Fri Nov 13 2009 Nalin Dahyabhai <nalin@redhat.com> 0.10-1
- update to 0.10
  - add some compiler warnings and then fix them
* Fri Nov 13 2009 Nalin Dahyabhai <nalin@redhat.com> 0.9-1
- update to 0.9
  - run external submission helpers correctly
  - fix signing of signing requests generated for keys stored in files
  - only care about new interface and route notifications from netlink,
    and ignore notifications that don't come from pid 0
  - fix logic for determining expiration status
  - correct the version number in self-signed certificates
* Tue Nov 10 2009 Nalin Dahyabhai <nalin@redhat.com> 0.8-1
- update to 0.8
  - encode windows UPN values in requests correctly
  - watch for netlink routing changes and restart stalled submission requests
  - 'getcert resubmit' can force a regeneration of the CSR and submission
* Fri Nov  6 2009 Nalin Dahyabhai <nalin@redhat.com> 0.7-1
- update to 0.7
  - first cut at a getting-started document
  - refactor some internal key handling with NSS
  - check for duplicate request nicknames at add-time
* Tue Nov  3 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6-1
- update to 0.6
  - man pages
  - 'getcert stop-tracking' actually makes the server forget now
  - 'getcert request -e' was redundant, dropped the -e option
  - 'getcert request -i' now sets the request nickname
  - 'getcert start-tracking -i' now sets the request nickname
* Mon Nov  2 2009 Nalin Dahyabhai <nalin@redhat.com> 0.5-1
- update to 0.5
  - packaging fixes
  - add a selfsign-getcert client
  - self-signed certs now get basic constraints and their own serial numbers
  - accept id-ms-kp-sc-logon as a named EKU value in a request
* Thu Oct 29 2009 Nalin Dahyabhai <nalin@redhat.com> 0.4-1
- update to 0.4
* Thu Oct 22 2009 Nalin Dahyabhai <nalin@redhat.com> 0.1-1
- update to 0.1
* Sun Oct 18 2009 Nalin Dahyabhai <nalin@redhat.com> 0.0-1
- initial package