Blame SPECS/certmonger.spec

398fc5
%global systemd 1
398fc5
%global	sysvinit 0
398fc5
398fc5
%global systemdsysv 0
398fc5
398fc5
%global tmpfiles 1
398fc5
398fc5
%global sysvinitdir %{_initddir}
398fc5
beb083
%bcond_without xmlrpc
beb083
398fc5
Name:		certmonger
beb083
Version:	0.79.13
beb083
Release:	2%{?dist}
398fc5
Summary:	Certificate status monitor and PKI enrollment client
398fc5
398fc5
Group:		System Environment/Daemons
398fc5
License:	GPLv3+
398fc5
URL:		http://pagure.io/certmonger/
398fc5
Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
398fc5
beb083
Patch0001:	0001-Don-t-run-the-002-keygen-tests-when-root.patch
beb083
Patch0002:	0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
beb083
398fc5
BuildRequires:	autoconf
398fc5
BuildRequires:	automake
398fc5
BuildRequires:	gettext-devel
398fc5
BuildRequires:	gcc
398fc5
BuildRequires:	openldap-devel
398fc5
BuildRequires:	libidn2-devel
398fc5
BuildRequires:	python3-dbus
398fc5
BuildRequires:	dbus-devel
398fc5
BuildRequires:	nspr-devel
398fc5
BuildRequires:	nss-devel
398fc5
BuildRequires:	openssl-devel
398fc5
BuildRequires:	libuuid-devel
398fc5
BuildRequires:	libtalloc-devel, libtevent-devel
398fc5
BuildRequires:	libcurl-devel
beb083
BuildRequires:	libxml2-devel
beb083
%if %{with xmlrpc}
beb083
BuildRequires:	xmlrpc-c-devel
beb083
%endif
beb083
BuildRequires:	jansson-devel
398fc5
# Required for 'make check':
398fc5
#  for diff and cmp
398fc5
BuildRequires:	diffutils
398fc5
#  for expect
398fc5
BuildRequires:	expect
398fc5
#  for certutil and pk12util
398fc5
BuildRequires:	nss-tools
398fc5
#  for openssl
398fc5
BuildRequires:	openssl
398fc5
#  for dbus-launch
398fc5
BuildRequires:	/usr/bin/dbus-launch
398fc5
#  for dos2unix
398fc5
BuildRequires:	/usr/bin/dos2unix
398fc5
BuildRequires:	/usr/bin/unix2dos
398fc5
#  for which
398fc5
BuildRequires:	/usr/bin/which
398fc5
BuildRequires:	popt-devel
398fc5
#  for make check
398fc5
BuildRequires:	python3-devel
beb083
BuildRequires:	krb5-devel
398fc5
398fc5
# we need a running system bus
398fc5
Requires:	dbus
398fc5
Requires(post):	%{_bindir}/dbus-send
398fc5
398fc5
%if %{systemd}
398fc5
BuildRequires:	systemd-units
398fc5
Requires(post):	systemd-units
398fc5
Requires(preun):	systemd-units, dbus, sed
398fc5
Requires(postun):	systemd-units
398fc5
%endif
398fc5
398fc5
%if %{systemdsysv}
398fc5
Requires(post):	systemd-sysv
398fc5
%global systemdsysvsave \
398fc5
# Save the current service runlevel info, in case the user wants \
398fc5
# to apply the enabled status manually later, by running \
398fc5
#   "systemd-sysv-convert --apply certmonger". \
398fc5
%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:
398fc5
%else
398fc5
%global systemdsysvsave %{nil}
398fc5
%endif
398fc5
398fc5
%if %{sysvinit}
398fc5
Requires(post):	/sbin/chkconfig, /sbin/service
398fc5
Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
398fc5
%endif
398fc5
398fc5
398fc5
%description
398fc5
Certmonger is a service which is primarily concerned with getting your
398fc5
system enrolled with a certificate authority (CA) and keeping it enrolled.
398fc5
398fc5
%prep
beb083
%autosetup -p1
398fc5
398fc5
%build
398fc5
autoreconf -i -f
398fc5
%configure \
398fc5
%if %{systemd}
398fc5
	--enable-systemd \
398fc5
%endif
398fc5
%if %{sysvinit}
398fc5
	--enable-sysvinit=%{sysvinitdir} \
398fc5
%endif
398fc5
%if %{tmpfiles}
398fc5
	--enable-tmpfiles \
398fc5
%endif
f0b236
	--with-homedir=/run/certmonger \
beb083
%if %{with xmlrpc}
beb083
	--with-xmlrpc \
beb083
%endif
f0b236
	--with-tmpdir=/run/certmonger --enable-pie --enable-now
beb083
%if %{with xmlrpc}
398fc5
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
398fc5
# tell us about libxmlrpc_client, but we need more.  Work around.
398fc5
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
beb083
%else
beb083
make %{?_smp_mflags}
beb083
%endif
398fc5
398fc5
%install
398fc5
rm -rf $RPM_BUILD_ROOT
398fc5
make install DESTDIR=$RPM_BUILD_ROOT
398fc5
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/{cas,requests}
f0b236
install -m755 -d $RPM_BUILD_ROOT/run/certmonger
398fc5
%{find_lang} %{name}
398fc5
398fc5
%check
398fc5
# Seed then openssl RNG if not set
398fc5
if [ ! -e $HOME/.rnd ] ; then
398fc5
	openssl rand -writerand $HOME/.rnd
398fc5
fi
398fc5
make check
398fc5
398fc5
%post
398fc5
if test $1 -eq 1 ; then
398fc5
	%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
398fc5
fi
beb083
%if %{without xmlrpc}
beb083
# remove any existing certmaster CA configuration
beb083
if test $1 -gt 1 ; then
beb083
	%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
beb083
fi
beb083
%endif
398fc5
%if %{systemd}
398fc5
if test $1 -eq 1 ; then
398fc5
	/bin/systemctl daemon-reload >/dev/null 2>&1 || :
398fc5
fi
398fc5
%endif
398fc5
%if %{sysvinit}
398fc5
/sbin/chkconfig --add certmonger
398fc5
%endif
398fc5
398fc5
%triggerin -- certmonger < 0.58
398fc5
if test $1 -gt 1 ; then
398fc5
	# If the daemon is running, remove knowledge of the dogtag renewer.
398fc5
	objpath=`dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true`
398fc5
	if test -n "$objpath" ; then
398fc5
		dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null
398fc5
	fi
398fc5
	# Remove the data file, in case it isn't running.
398fc5
	for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do
398fc5
		if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then
398fc5
			rm -f "$cafile"
398fc5
		fi
398fc5
	done
398fc5
fi
398fc5
exit 0
398fc5
398fc5
%postun
398fc5
%if %{systemd}
398fc5
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
398fc5
if [ $1 -ge 1 ] ; then
398fc5
	/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :
398fc5
fi
398fc5
%endif
398fc5
%if %{sysvinit}
398fc5
if test $1 -gt 0 ; then
398fc5
	/sbin/service certmonger condrestart 2>&1 > /dev/null
398fc5
fi
398fc5
%endif
398fc5
exit 0
398fc5
398fc5
%preun
398fc5
%if %{systemd}
398fc5
if test $1 -eq 0 ; then
398fc5
	/bin/systemctl --no-reload disable certmonger.service > /dev/null 2>&1 || :
398fc5
	/bin/systemctl stop certmonger.service > /dev/null 2>&1 || :
398fc5
fi
398fc5
%endif
398fc5
%if %{sysvinit}
398fc5
if test $1 -eq 0 ; then
398fc5
	/sbin/service certmonger stop 2>&1 > /dev/null
398fc5
	/sbin/chkconfig --del certmonger
398fc5
fi
398fc5
%endif
398fc5
exit 0
398fc5
398fc5
%if %{systemd}
398fc5
%triggerun -- certmonger < 0.43
398fc5
%{systemdsysvsave}
398fc5
# Do this because the old package's %%postun doesn't know we need to do it.
398fc5
/sbin/chkconfig --del certmonger >/dev/null 2>&1 || :
398fc5
# Do this because the old package's %%postun wouldn't have tried.
398fc5
/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :
398fc5
exit 0
398fc5
%endif
398fc5
398fc5
%files -f %{name}.lang
398fc5
%defattr(-,root,root,-)
398fc5
%doc README.md LICENSE STATUS doc/*.txt
398fc5
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/*
398fc5
%{_datadir}/dbus-1/services/*
398fc5
%dir %{_sysconfdir}/certmonger
398fc5
%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf
f0b236
%dir /run/certmonger
398fc5
%{_bindir}/*
398fc5
%{_sbindir}/certmonger
398fc5
%{_mandir}/man*/*
398fc5
%{_libexecdir}/%{name}
398fc5
%{_localstatedir}/lib/certmonger
398fc5
%if %{sysvinit}
398fc5
%{sysvinitdir}/certmonger
398fc5
%endif
398fc5
%if %{tmpfiles}
398fc5
%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf
398fc5
%endif
398fc5
%if %{systemd}
398fc5
%{_unitdir}/*
398fc5
%{_datadir}/dbus-1/system-services/*
398fc5
%endif
398fc5
398fc5
%changelog
beb083
* Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
beb083
- Rebuild with xmlrpc-c support enabled (#1687698)
beb083
beb083
* Wed Oct 28 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
beb083
- Rebase to 0.79.13 (#1891743)
beb083
 
0284a7
* Thu Jul 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-15
0284a7
- Replace the previous fix for dbus restarting with PartOf in the
0284a7
  certmonger systemd service file to link the two (#1687698)
0284a7
8bf71a
* Tue Jun  2 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-14
8bf71a
- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009)
8bf71a
f0b236
* Mon May 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-13
f0b236
- Exit gracefully if dbus is restarted (#1687698)
f0b236
f0b236
* Thu May 14 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-12
f0b236
- Add long command-line options to man pages and help output (#1782838)
f0b236
f0b236
* Mon May  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-11
f0b236
- Fix test failure in 039-fromfile
f0b236
f0b236
* Mon May  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-10
f0b236
- Ensure that files read in have a trailing new-line (#1829490)
f0b236
f0b236
* Thu Apr 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-9
f0b236
- Call the secport equivalent of PR_ErrorToString
f0b236
- Remove a couple of unused varaibles found by coverity
f0b236
f0b236
* Mon Apr 13 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-8
f0b236
- Move systemd tmpfiles from /var/run to /run (#1804928)
f0b236
- Improve logging in the SCEP helper (#1807691)
f0b236
- Fix sort order of certificates passed into PKCS7_verify (#1808052)
f0b236
- Add -N option to SCEP helper to separate web server chain from
f0b236
  SCEP issuer chain (#1808613)
f0b236
- Add template profile, MS v2 template and issuer to getcert list
f0b236
  output (#1734451)
f0b236
f0b236
* Tue Dec 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-7
f0b236
- Update gating requirements
f0b236
398fc5
* Mon Dec 16 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-6
398fc5
- Rebuild
398fc5
398fc5
* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-5
398fc5
- Fix use-after-free issue when retrieving CA chain (#1710632)
398fc5
398fc5
* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-4
398fc5
- Optimize closing of file descriptors on fork (#1763745)
398fc5
- Remove NOMODDB flag flag from context init, look for full tokens (#1746543)
398fc5
- Retrieve full IPA CA chain (#1710632)
398fc5
398fc5
* Tue May 14 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
398fc5
- Rebuild for new annobin (#1708095)
398fc5
398fc5
* Fri May 10 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2
398fc5
- Rebuild for new annobin (#1708095)
398fc5
398fc5
* Thu May  9 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.79.7-1
398fc5
- Rebase to 0.79.7 (#1708095)
398fc5
398fc5
* Mon Oct  8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-5
398fc5
- Address more issues uncovered by static analysis (#1632449)
398fc5
398fc5
* Tue Oct  2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-4
398fc5
- Improve handling of NSS tokens (#1624930)
398fc5
- Pull in upstream fixes discovered in coverity and clang (#1632449)
398fc5
398fc5
* Mon Aug 13 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-3
398fc5
- Add BuildRequires on python3-devel (#1615507)
398fc5
398fc5
* Thu Aug  2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-2
398fc5
- Fix test failure on some platforms
398fc5
398fc5
* Wed Aug  1 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1
398fc5
- Update to upstream 0.79.6
398fc5
- Fix unit tests to work with python 3
398fc5
398fc5
* Fri Feb 23 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-6
398fc5
- Fix unit tests. NSS crypto policy disallows keys < 1024
398fc5
398fc5
* Wed Feb 21 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-5
398fc5
- Add BuildRequires on gcc
398fc5
398fc5
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.5-4
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
398fc5
398fc5
* Wed Jan 10 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-3
398fc5
- Remove BR on mktemp. It is now provided by coreutils.
398fc5
- Patch to fix NSS handling of keys in sqlite databases
398fc5
- Patches to fix tests now that sqlite is the NSS default.
398fc5
398fc5
* Wed Oct  4 2017 Rob Crittenden <rcritten@redhat.com> 0.79.5-2
398fc5
- Switch BR from /usr/include/popt.h to popt-devel
398fc5
398fc5
* Fri Sep  1 2017 Rob Crittenden <rcritten@redhat.com> 0.79.5-1
398fc5
- update to 0.79.5:
398fc5
   - getcert start-tracking: use issuer option when specified
398fc5
   - add support for specifying the MS certificate template
398fc5
   - Reformat certificates returned by Dogtag to strip extra newline
398fc5
398fc5
* Wed Aug 16 2017 Rob Crittenden <rcritten@redhat.com> 0.79.4-2
398fc5
- Reformat certificates returned by Dogtag. Dogtag was including
398fc5
  a spurious newline before -----END CERTIFICATE-----
398fc5
398fc5
* Mon Aug  7 2017 Rob Crittenden <rcritten@redhat.com> 0.79.4-1
398fc5
- update to 0.79.4
398fc5
  - fix CA option name for ipa cert-request
398fc5
  - fix minor memory leak
398fc5
  - fix build warnings
398fc5
  - fix an incorrect date in the .spec changelog
398fc5
  - bump gettext version to avoid warning
398fc5
398fc5
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.3-3
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
398fc5
398fc5
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.3-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
398fc5
398fc5
* Tue Feb 28 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.3-1
398fc5
- update to 0.79.3:
398fc5
  - fix self-signing self-test cases that used DSA or EC keys
398fc5
398fc5
* Mon Feb 27 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.2-2
398fc5
- update %%docs list because README is now README.md
398fc5
398fc5
* Mon Feb 27 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.2-1
398fc5
- update to 0.79.2:
398fc5
  - fix 'make distcheck' target
398fc5
398fc5
* Sun Feb 19 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.1-1
398fc5
- update to 0.79.1:
398fc5
  - update translations
398fc5
  - fix 'make archive' target
398fc5
398fc5
* Sun Feb 19 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79-1
398fc5
- update to 0.79:
398fc5
  - getcert now offers an option (-X) for requesting processing by a particular
398fc5
    CA if the server we're contacting is running more than one
398fc5
  - getcert also offers options (--for-ca, --not-for-ca, --ca-path-length) for
398fc5
    requesting BasicConstraints values
398fc5
  - getcert now displays times in local time instead of UTC, which was
398fc5
    previously the only way they were displayed; the --utc option can often be
398fc5
    used to switch back to its previous behavior
398fc5
  - the SCEP enrollment helper now correctly issues GetCACertChain requests to
398fc5
    SCEP servers, instead of issuing a GetCAChain request, which isn't part of
398fc5
    the protocol; from report by Jason Garland
398fc5
  - when issuing SCEP requests, the ID of the CA included in the HTTP request
398fc5
    is now URL-encoded, as it should be
398fc5
  - renewal or notification-of-impending-expiration logic is now triggered
398fc5
    closer to TTL thresholds rather than waiting for a periodic check to pass a
398fc5
    threshold
398fc5
  - properly builds with OpenSSL 1.1, thanks to Lukas Slebodnik and Tomas Mraz
398fc5
    for a lot of the legwork
398fc5
- resync .spec file with Fedora
398fc5
- upstream project migrated from fedorahosted.org to pagure.io
398fc5
398fc5
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.78.6-6
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
398fc5
398fc5
* Sat Jan 21 2017 Igor Gnatenko <ignatenko@redhat.com> - 0.78.6-5
398fc5
- Rebuild for xmlrpc-c
398fc5
398fc5
* Wed Jul  6 2016 Nalin Dahyabhai <nalin@redhat.com> 0.78.6-4
398fc5
- add backported fix to wait a reasonable amount of time after calling the
398fc5
  'resubmit' method for a new certificate to be issued when we're exercising
398fc5
  the D-Bus API during tests (Jan Cholasta, #1351052)
398fc5
398fc5
* Wed Jul  6 2016 Nalin Dahyabhai <nalin@redhat.com> 0.78.6-3
398fc5
- instead of using killall to send a SIGHUP to the system bus daemon in %%post
398fc5
  to get it to reload its configuration, use dbus-send to send a ReloadConfig
398fc5
  request over the bus (should fix #1277573)
398fc5
398fc5
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.78.6-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
398fc5
398fc5
* Wed Jan 13 2016 Nalin Dahyabhai <nalin@redhat.com> 0.78.6-1
398fc5
- document the -R, -N, -o, and -t flags for dogtag-ipa-renew-agent-submit
398fc5
- stop checking that we can generate 512 bit keys during self-tests
398fc5
398fc5
* Thu Nov 12 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.5-1
398fc5
- fix a possible uninitialized memory read (possibly #1260871)
398fc5
- log a diagnostic error when we fail to initialize libkrb5
398fc5
398fc5
* Tue Aug  4 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.4-1
398fc5
- fix the "getcert start-tracking" -L and -l options (#1249753)
398fc5
- output diagnostics about the second request when scep-submit encounters an
398fc5
  error during a second request to the SCEP server
398fc5
398fc5
* Mon Jul 20 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.3-1
398fc5
- call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit
398fc5
  and the -O and -o flags to dogtag-submit (#1244914)
398fc5
398fc5
* Thu Jul  9 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.2-1
398fc5
- tweak initialization so that we set up for providing our D-Bus API before we
398fc5
  register our name with the bus, so that we can handle any requests that
398fc5
  arrive before the acknowledgement of that registration
398fc5
- on systems that run systemd, add the right data file so that the service gets
398fc5
  started when someone tries to talk to the daemon (ticket #38)
398fc5
- correctly check for error responses when sending GetCAChain requests to SCEP
398fc5
  servers
398fc5
398fc5
* Sun Jun 21 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.1-1
398fc5
- self-tests: assume that certutil won't generate DSA keys with more than 1024
398fc5
  bits, and will often short us by a few
398fc5
398fc5
* Sat Jun 20 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78-1
398fc5
- switch to using popt for parsing command line arguments, continuing to
398fc5
  use old help text for now so that we can catch up with translations (print
398fc5
  old text for --help, new text (with longopts!) for -H)
398fc5
- add some plumbing for eventually receiving per-certificate roots in
398fc5
  addition to issued certificates and chain certificates
398fc5
- add a "rekey" command to getcert, for triggering enrollment using a new
398fc5
  key pair (#1087932)
398fc5
- scep-submit: check for the Renewal capability, and default to taking
398fc5
  advantage of it during rekeying, unless the new -n flag is specified to it
398fc5
- dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs
398fc5
  to the helper (part of ticket #12)
398fc5
- dogtag-submit: add a flag for using the agent creds to do TLS client auth
398fc5
  while submitting enrollment requests (more of ticket #12)
398fc5
- dogtag-submit: handle cases where we submit a request and the server
398fc5
  returns a success code rather than just queuing the request (#12 again)
398fc5
- ipa-submit: pass requested profile names to the server as an argument
398fc5
  named "profile_id"; if the server gives us an "unrecognized argument"
398fc5
  error, retry without it for compatibility's sake (part of IPA ticket #57)
398fc5
- keygen: fix a possible crash if keygen fails to return a key from NSS
398fc5
- correct the certmonger(8) man page's description of the -c flag, which it
398fc5
  used to call the -C flag
398fc5
- add logic for setting ownership and permissions on certificates and keys
398fc5
  when saving them to disk
398fc5
- add configuration options "max_key_lifetime" and "max_key_use_count" for
398fc5
  making automatic renewal prefer rekeying
398fc5
398fc5
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.77.5-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
398fc5
398fc5
* Thu May 28 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.5-1
398fc5
- pass $CERTMONGER_REQ_IP_ADDRESS to enrollment helpers if the signing request
398fc5
  includes IP address subjectAltName values
398fc5
- correctly verify signatures on SCEP server replies when the signer is neither
398fc5
  the top-level CA nor the RA (feedback in #1161768)
398fc5
- correctly verify signatures on SCEP server replies when there is more than
398fc5
  one certificate in the chain between the RA and the top-level CA (feedback in
398fc5
  #1161768)
398fc5
398fc5
* Fri May 15 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.4-1
398fc5
- don't display PINs in "getcert list" output (#42)
398fc5
- clean up launching of a private instance in "getcert"
398fc5
- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's
398fc5
  own safety checks have an effect
398fc5
- backport record-keeping of key generation dates and counts of how many
398fc5
  times we've gotten certificates using a given key pair
398fc5
398fc5
* Thu May  7 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.3-1
398fc5
- fix a data loss bug when saving renewed certificates to NSS databases - the
398fc5
  private key could be removed in error since 0.77
398fc5
- fixes for bugs found by static analysis
398fc5
- fix self-tests when built with OpenSSL 1.0.2
398fc5
398fc5
* Tue Apr 14 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.2-1
398fc5
- expose the certificate's not-valid-before and not-valid-after dates as a
398fc5
  property over D-Bus (ticket #41)
398fc5
- give the local signer its own configuration option to set the lifetime
398fc5
  of its signing certificate, falling back to the lifetime configured for
398fc5
  the self-signer as a default to match the previous behavior
398fc5
- fix a potential read segfault parsing the output of an enrollment helper,
398fc5
  introduced in 0.77 (thanks to Steve Neuharth)
398fc5
- read the ns-certtype extension value in certificates
398fc5
- request an enrollment certtype extension to CSRs if we have a profile name
398fc5
  that we want to use (ticket #17, possibly part of IPA ticket #57)
398fc5
398fc5
* Fri Feb 27 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.1-1
398fc5
- update to 0.77
398fc5
  - add initial, still rough, SCEP support (#1140241,#1161768)
398fc5
    - add an scep-submit helper to handle part of it
398fc5
  - getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands
398fc5
  - getcert: add -l, -L flags to request/resubmit/start-tracking commands
398fc5
    to provide a way to set a ChallengePassword in signing requests
398fc5
  - lay some groundwork for rekeying support
398fc5
  - bundled dogtag enrollment helpers now output debugging info to stderr (#)
398fc5
  - ipa-getcert: fix a crash when using DNS discovery to locate servers (#39)
398fc5
  - getcert: fix displaying of pre-request pre-/post-save commands (#1178190,
398fc5
    #1181022, patch by David Kupka)
398fc5
  - use Zanata for translations
398fc5
  - getcert list: list the certificate's profile name, if it contains one
398fc5
398fc5
* Tue Nov 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.8-1
398fc5
- dogtag-submit: accept additional options to pass to the server when
398fc5
  approving requests using agent creds (#1165155, patch by Jan Cholasta)
398fc5
- getcert: print help output when 'status' isn't given any args (#1163541)
398fc5
398fc5
* Tue Nov 11 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.7-1
398fc5
- correctly read CA not-valid-after dates on 32-bit machines (also reported by
398fc5
  Natxo Asenjo), so that we don't spin on polling them (#1163023)
398fc5
398fc5
* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.6-1
398fc5
- don't discard the priority value in DNS SRV records
398fc5
398fc5
* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.5-1
398fc5
- avoid premature exit on CA data analysis failures (should fix an issue
398fc5
  reported by Natxo Asenjo)
398fc5
398fc5
* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.4-1
398fc5
- fix a failure in self-tests
398fc5
398fc5
* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.3-1
398fc5
- fixes for bugs found by static analysis
398fc5
- handle IDN correctly when doing service location using SRV records
398fc5
- documentation updates
398fc5
398fc5
* Wed Nov  5 2014 Nalin Dahyabhai <nalin@redhat.com>
398fc5
- rework the state machine so that we save an issued certificate's associated
398fc5
  CA certificates, then re-read the certificate, then run the post hook and
398fc5
  issue notifications, in that order, instead of saving CA certificates after
398fc5
  running the post hook, which was always a surprising order (#1131700)
398fc5
- add a generic dogtag-submit helper that doesn't include any IPA defaults,
398fc5
  to make it easier to know the difference between paramenters it requires
398fc5
  and parameters which are optional (#12)
398fc5
398fc5
* Tue Nov  4 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.2-1
398fc5
- ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers,
398fc5
  use discovery to find them (#1136900)
398fc5
398fc5
* Fri Oct 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.1-1
398fc5
- allow for 'certmonger -P abstract:...' to work, too
398fc5
398fc5
* Fri Oct 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76-1
398fc5
- require a single certificate to be specified to 'getcert status' (#1148001,
398fc5
  #1163541, #1163539)
398fc5
- shorten the default help message which getcert prints when it's not given
398fc5
  a specific command (#1131704)
398fc5
- add private listener (-l, -L, -P) mode to certmonger, to allow it to listen
398fc5
  for connections directly from clients running under the same UID
398fc5
- add a command mode (-c) to certmonger, in which once it's started, it
398fc5
  launches a specified command, and after that command exits, the daemon exits
398fc5
- when getcert is invoked with no bus running, if it's running as root, run
398fc5
  certmonger in private listener mode with the same invocation of getcert as
398fc5
  the command to start and wait for (#1134497)
398fc5
398fc5
* Thu Aug 28 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.14-1
398fc5
- make pathname canonicalization slightly smarter, to handle ".." in
398fc5
  locations (#1131758)
398fc5
- updates to self-tests (#1144082)
398fc5
398fc5
* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 0.75.13-2
398fc5
- Rebuild for rpm bug 1131960
398fc5
398fc5
* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.13-1
398fc5
- add a missing test case file (whoops)
398fc5
398fc5
* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.12-1
398fc5
- correct encoding/decoding of variant-typed data which we receive and send
398fc5
  as part of the org.freedesktop.DBus.Properties interface over the bus, and
398fc5
  add some tests for them (based on patch from David Kupka, ticket #36)
398fc5
398fc5
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.75.10-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
398fc5
398fc5
* Tue Aug 12 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.11-1
398fc5
- when getcert is passed a -a flag, to indicate that CA root certificates
398fc5
  should be stored in the specified database, don't ignore locations which
398fc5
  don't include a storage scheme (#1129537)
398fc5
- when called to 'start-tracking' with the -a or -F flags, if we have
398fc5
  applicable certificates on-hand for a CA that we're either told to use
398fc5
  or which we decide is the correct one, save the certificates (#1129696)
398fc5
398fc5
* Tue Aug  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.10-1
398fc5
- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
398fc5
  default.conf, and no "host" is set either, try to construct the server URI
398fc5
  using the "server" setting (#1126985)
398fc5
398fc5
* Thu Jul 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.9-1
398fc5
- avoid potential use-after-free after a CA is removed dynamically (thanks to
398fc5
  Keenan Brock) (#1125342)
398fc5
- add a "external-helper" property to CA objects
398fc5
398fc5
* Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.8-1
398fc5
- add a 'refresh' option to the getcert command
398fc5
- add a '-a' flag to the getcert command's 'refresh-ca' option
398fc5
398fc5
* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-2
398fc5
- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older,
398fc5
  conditionalized it so that it's ignored on newer releases, and make
398fc5
  whether or not we call systemd-sysv-convert in triggers depend on that,
398fc5
  too (#1104138)
398fc5
398fc5
* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-1
398fc5
- fix an inconsistency in how we parse cookie values returned by CA helpers,
398fc5
  in that single-line values would lose the end-of-line after a daemon
398fc5
  restart, but not before
398fc5
- handle timeout values and exit status values when calling CA helpers
398fc5
  in non-SUBMIT, non-POLL modes (#1118468)
398fc5
- rework how we save CA certificates so that we save CA certificates associated
398fc5
  with end-entity certificates when we save that end-entity certificate, which
398fc5
  requires running all of the involved pre- and post-save commands
398fc5
- drop package Requires: on systemd-sysv (#1104138)
398fc5
398fc5
* Thu Jun 26 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.6-1
398fc5
- avoid potential use-after-free and read overrun after a CA is added
398fc5
  dynamically (thanks to Jan Cholasta)
398fc5
398fc5
* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.5-1
398fc5
- documentation updates
398fc5
398fc5
* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-2
398fc5
- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
398fc5
  when we detect certmonger versions prior to 0.58 being installed, to
398fc5
  avoid cases where some older versions choke on CAs with nicknames that
398fc5
  contain characters that can't legally be part of a D-Bus name (#948993)
398fc5
398fc5
* Thu Jun 19 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-1
398fc5
- fix creation and packaging of the "local" CA's data directory
398fc5
398fc5
* Wed Jun 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.3-1
398fc5
- read and cache whether or not we saw a noOCSPcheck extension in certificates
398fc5
- documentation updates
398fc5
398fc5
* Mon Jun 16 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.2-1
398fc5
- when generating keys using OpenSSL, if key generation fails, try
398fc5
  again with the default key size, in case we're in FIPS mode
398fc5
- documentation updates
398fc5
398fc5
* Sat Jun 14 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.1-1
398fc5
- log the state in 'getcert status' verbose mode
398fc5
398fc5
* Fri Jun 13 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75-1
398fc5
- add a -w (wait) flag to the getcert's request/resubmit/start-tracking
398fc5
  commands, and add a non-waiting status command
398fc5
398fc5
* Wed Jun 11 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.96-1
398fc5
- make the trust settings we apply to CA-supplied certificates while
398fc5
  saving them to NSS databases run-time configurable
398fc5
- fix compiling against EL5-era OpenSSL
398fc5
- when saving CA certificates we pull from an IPA server, nickname
398fc5
  it using the realm name with " IPA CA" appended rather than just
398fc5
  naming it "IPA CA"
398fc5
- fix the local signer so that when it issues itself a new certificate,
398fc5
  it uses the same subject name
398fc5
- add a -w flag to getcert's request, resubmit, and start-tracking
398fc5
  commands, telling it to wait until either the certificate is issued,
398fc5
  we get to a state where we know that we won't be able to get one, or
398fc5
  we are waiting for a CA
398fc5
398fc5
* Mon Jun  9 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.95-1
398fc5
- add the "local" signer, a local toy CA that signs anything you'll
398fc5
  ask it to sign
398fc5
398fc5
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.74-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
398fc5
398fc5
* Fri Jun  6 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.94-1
398fc5
- fix self-test errors that we trigger with new OpenSSL
398fc5
- fix a build error that would sometimes happen when we're told to
398fc5
  build PIE binaries
398fc5
- quiet a compile warning
398fc5
398fc5
* Thu Jun  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.93-1
398fc5
- add some self-tests
398fc5
- simplify the internal submit-to-CA logic
398fc5
- fixes for more problems found through static analysis
398fc5
398fc5
* Tue Jun  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.92-1
398fc5
- retrieve CA information from CAs, if the helpers can do so, and
398fc5
  add a command to explicitly refresh that data: "getcert refresh-ca"
398fc5
- offer to save CA certificates to files and databases, when specified with
398fc5
  new -a and -F flags to getcert request/resubmit/start-tracking (#1098208,
398fc5
  trac #31)
398fc5
- add IP address subject alternate names when getcert request/resubmit
398fc5
  is passed the -A option (trac #35)
398fc5
- read and cache the freshestCRL extension in certificates
398fc5
- properly interpret KDC-unreachable errors encountered in the IPA
398fc5
  submission error as a server-unreachable error that we will retry,
398fc5
  rather than a misconfiguration error which we won't
398fc5
- don't let tests get tripped up by new formatting used in dos2unix status
398fc5
  messages (#1099080)
398fc5
- updated translations
398fc5
- be explicit that we are going to use bashisms in test scripts by calling
398fc5
  the shell interpreter as 'bash' rather than 'sh' (trac #27)
398fc5
398fc5
* Thu Apr  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74-1
398fc5
- also save state when we exit due to SIGHUP
398fc5
- don't get tripped up when enrollment helpers hand us certificates which
398fc5
  include CRLF line terminators (ticket #25)
398fc5
- be tolerant of certificate issuer names, subject names, DNS, email, and
398fc5
  Kerberos principal namem subjectAltNames, and crl distribution point URLs
398fc5
  that contain newlines
398fc5
- read and cache the certificate template extension in certificates
398fc5
- enforce different minimum key sizes depending on the type of key we're
398fc5
  trying to generate
398fc5
- store DER versions of subject, issuer and template subject, if we have
398fc5
  them (Jan Cholasta, ticket #26)
398fc5
- when generating signing requests with subject names that don't quite parse
398fc5
  as subject names, encode what we're given as PrintableString rather than
398fc5
  as a UTF8String
398fc5
- always chdir() to a known location at startup, even if we're not becoming
398fc5
  a daemon
398fc5
- fix a couple of memory leaks (static analysis)
398fc5
- add missing buildrequires: on which
398fc5
398fc5
* Thu Feb 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.73-1
398fc5
- updates to 0.73
398fc5
  - getcert no longer claims to be stuck when a CA is unreachable,
398fc5
    because the daemon isn't actually stuck
398fc5
398fc5
* Mon Feb 17 2014 Nalin Dahyabhai <nalin@redhat.com>
398fc5
- updates to 0.73
398fc5
  - also pass the key type to enrollment helpers in the environment as
398fc5
    a the value of "CERTMONGER_KEY_TYPE"
398fc5
398fc5
* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
398fc5
- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir},
398fc5
  where it belongs (#1180978)
398fc5
398fc5
* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
398fc5
- updates for 0.73
398fc5
  - set the flag to encode EC public key parameters using named curves
398fc5
    instead of the default of all-the-details when using OpenSSL
398fc5
  - don't break when NSS supports secp521r1 but OpenSSL doesn't
398fc5
  - also pass the CA nickname to enrollment helpers in the environment as
398fc5
    a text value in "CERTMONGER_CA_NICKNAME", so they can use that value
398fc5
    when reading configuration settings
398fc5
  - also pass the SPKAC value to enrollment helpers in the environment as
398fc5
    a base64 value in "CERTMONGER_SPKAC"
398fc5
  - also pass the request's SubjectPublicKeyInfo value to enrollment helpers
398fc5
    in the environment as a base64 value in "CERTMONGER_SPKI" (part of #16)
398fc5
  - when generating signing requests using NSS, be more accommodating of
398fc5
    requested subject names that don't parse properly
398fc5
398fc5
* Mon Feb  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.72-1
398fc5
- update to 0.72
398fc5
  - support generating DSA parameters and keys on sufficiently-new OpenSSL
398fc5
    and NSS
398fc5
  - support generating EC keys when OpenSSL and NSS support it, using key
398fc5
    size to select the curve to use from among secp256r1, secp384r1,
398fc5
    secp521r1 (which are the ones that are usually available, though
398fc5
    secp521r1 isn't always, even if the other two are)
398fc5
  - stop trying to cache public key parameters at all and instead cache public
398fc5
    key info properly
398fc5
  - encode the friendlyName attribute in signing requests as a BMPString,
398fc5
    not as a PrintableString
398fc5
  - catch more filesystem permissions problems earlier (more of #996581)
398fc5
398fc5
* Mon Jan 27 2014 Nalin Dahyabhai <nalin@redhat.com> 0.71-1
398fc5
- check for cases where we fail to allocate memory while reading a request
398fc5
  or CA entry from disk (John Haxby)
398fc5
- only handle one watch at a time, which should avoid abort() during
398fc5
  attempts to reconnect to the message bus after losing our connection
398fc5
  to it (#1055521)
398fc5
398fc5
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.70-2
398fc5
- Mass rebuild 2014-01-24
398fc5
398fc5
* Thu Jan  2 2014 Nalin Dahyabhai <nalin@redhat.com> 0.70-1
398fc5
- add a --with-homedir option to configure, and use it, since subprocesses
398fc5
  which we run and which use NSS may attempt to write to $HOME/.pki, and
398fc5
  0.69's strategy of setting that to "/" was rightly hitting SELinux policy
398fc5
  denials (#1047798)
398fc5
398fc5
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.69-2
398fc5
- Mass rebuild 2013-12-27
398fc5
398fc5
* Mon Dec  9 2013 Nalin Dahyabhai <nalin@redhat.com> 0.69-1
398fc5
- tweak how we decide whether we're on the master or a minion when we're
398fc5
  told to use certmaster as a CA
398fc5
- clean up one of the tests so that it doesn't have to work around internal
398fc5
  logging producing duplicate messages
398fc5
- when logging errors while setting up to contact xmlrpc servers, explicitly
398fc5
  note that the error is client-side
398fc5
- don't abort() due to incorrect locking when an attempt to save an issued
398fc5
  certificate to the designated location fails (part of #1032760/#1033333,
398fc5
  ticket #22)
398fc5
- when reading an issued certificate from an enrollment helper, ignore
398fc5
  noise before or after the certificate itself (more of #1032760/1033333,
398fc5
  ticket #22)
398fc5
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
398fc5
  ticket #22)
398fc5
- clear the ca-error that we saved when we had an error talking to the CA if we
398fc5
  subsequently succeed in talking to the CA
398fc5
- various other static-analysis fixes
398fc5
398fc5
* Thu Aug 29 2013 Nalin Dahyabhai <nalin@redhat.com> 0.68-1
398fc5
- notice when the OpenSSL RNG isn't seeded
398fc5
- notice when saving certificates or keys fails due to filesystem-related
398fc5
  permission denial (#996581)
398fc5
398fc5
* Tue Aug  6 2013 Nalin Dahyabhai <nalin@redhat.com> 0.67-3
398fc5
- pull up a patch from master to adapt self-tests to certutil's diagnostic
398fc5
  output having changed (#992050)
398fc5
398fc5
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.67-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
398fc5
398fc5
* Mon Mar 11 2013 Nalin Dahyabhai <nalin@redhat.com> 0.67-1
398fc5
- when saving certificates to NSS databases, try to preserve the trust
398fc5
  value assigned to a previously-present certificate with the same nickname
398fc5
  and subject, if one is found
398fc5
- when saving certificates to NSS databases, also prune certificates from
398fc5
  the database which have both the same nickname and subject as the one
398fc5
  we're adding, to avoid tripping up tools that only fetch one certificate
398fc5
  by nickname
398fc5
398fc5
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.65-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
398fc5
398fc5
* Wed Jan 23 2013 Nalin Dahyabhai <nalin@redhat.com> 0.66-1
398fc5
- build as position-independent executables with early binding (#883966)
398fc5
- also don't tag the unit file as a configuration file (internal tooling)
398fc5
398fc5
* Wed Jan 23 2013 Nalin Dahyabhai <nalin@redhat.com> 0.65-2
398fc5
- don't tag the D-Bus session .service file as a configuration file (internal
398fc5
  tooling)
398fc5
398fc5
* Tue Jan  8 2013 Nalin Dahyabhai <nalin@redhat.com> 0.65-1
398fc5
- fix a crash in the self-tests
398fc5
398fc5
* Tue Jan  8 2013 Nalin Dahyabhai <nalin@redhat.com> 0.64-1
398fc5
- at startup, if we resume the state machine for a given certificate to a state
398fc5
  which expects to have the newly-added lock already acquired, acquire it
398fc5
  before moving on with the certificate's work (still aimed at fixing #883484)
398fc5
398fc5
* Tue Dec 18 2012 Nalin Dahyabhai <nalin@redhat.com> 0.63-1
398fc5
- serialize access to NSS databases and the running of pre- and post-save
398fc5
  commands which might also access them (possibly fixing part of #883484)
398fc5
398fc5
* Thu Nov 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.62-1
398fc5
- add a -u flag to getcert to enable requesting a keyUsage extension value
398fc5
- request subjectKeyIdentifier extensions from CAs, and include them in
398fc5
  self-signed certificates
398fc5
- request basicConstraints from CAs, defaulting to requests for end-entity
398fc5
  certificates
398fc5
- when requesting CA certificates, also request authorityKeyIdentifier
398fc5
- add support for requesting CRL distribution point and authorityInfoAccess
398fc5
  extensions that specify OCSP responder locations
398fc5
- don't crash when OpenSSL can't build a template certificate from a request
398fc5
  when we're in FIPS mode
398fc5
- put NSS in FIPS mode, when the system booted that way, except when we're
398fc5
  trying to write certificates to a database
398fc5
- fix CSR generation and self-signing in FIPS mode with NSS
398fc5
- fix self-signing in FIPS mode with OpenSSL
398fc5
- new languages from the translation team: mai, ml, nn, ga
398fc5
398fc5
* Tue Nov 27 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-3
398fc5
- backport change from git to not choke if X509_REQ_to_X509() fails when we're
398fc5
  self-signing using OpenSSL
398fc5
- backport another change from git to represent this as a CA-rejected error
398fc5
398fc5
* Mon Sep 24 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-1
398fc5
- fix a regression in reading old request tracking files where the
398fc5
  request was in state NEED_TO_NOTIFY or NOTIFYING
398fc5
398fc5
* Wed Sep  5 2012 Nalin Dahyabhai <nalin@redhat.com> 0.60-1
398fc5
- adjust internals of logic for talking to dogtag to at least have a
398fc5
  concept of non-agent cases
398fc5
- when talking to an IPA server's internal Dogtag instance, infer which
398fc5
  ports the CA is listening on from the "dogtag_version" setting in the
398fc5
  IPA configuration (Ade Lee)
398fc5
- send a notification (or log a message, whatever) when we save a new
398fc5
  certificate (#766167)
398fc5
398fc5
* Mon Jul 30 2012 Nalin Dahyabhai <nalin@redhat.com>
398fc5
- fix a bad %%preun scriptlet
398fc5
398fc5
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.59-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
398fc5
398fc5
* Fri Jun 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.59-1
398fc5
- mostly documentation updates
398fc5
398fc5
* Fri Jun 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.58-1
398fc5
- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using
398fc5
  an IPA server's internal Dogtag instance
398fc5
- export the requested profile and old certificate to enrollment helpers
398fc5
- make libxml and libcurl into hard build-time requirements
398fc5
- serialize all pre/save/post sequences to make sure that stop/save/start
398fc5
  doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping
398fc5
  a service while we muck with more than one of its certificates
398fc5
398fc5
* Fri Jun 15 2012 Nalin Dahyabhai <nalin@redhat.com>
398fc5
- add a command option (-T) to getcert for specifying which enrollment
398fc5
  profile to tell a CA that we're using, in case it cares (#10)
398fc5
398fc5
* Thu Jun 14 2012 Nalin Dahyabhai <nalin@redhat.com> 0.57-1
398fc5
- clarify that the command passed to getcert -C is a "post"-save command
398fc5
- add a "pre"-save command option to getcert, specified with the -B flag (#9)
398fc5
- after we notify of an impending not-valid-after approaching, don't do it
398fc5
  again immediately
398fc5
398fc5
* Sat Mar  3 2012 Nalin Dahyabhai <nalin@redhat.com> 0.56-1
398fc5
- when a caller sets the is-default flag on a CA, and another CA is no longer
398fc5
  the default, emit the PropertiesChanged signal on the CA which is not the
398fc5
  default, instead on the new default a second time
398fc5
- drop some dead code from the D-Bus message handlers (static analysis,
398fc5
  #796813)
398fc5
- cache public keys when we read private keys
398fc5
- go back to printing an error indicating that we're missing a required
398fc5
  argument when we're missing a required argument, not that the option is
398fc5
  invalid (broken since 0.51, #796542)
398fc5
398fc5
* Wed Feb 15 2012 Nalin Dahyabhai <nalin@redhat.com> 0.55-1
398fc5
- allow root to use our implementation of org.freedesktop.DBus.Properties
398fc5
- take more care to not emit useless PropertiesChanged signals
398fc5
398fc5
* Wed Feb 15 2012 Nalin Dahyabhai <nalin@redhat.com> 0.54-1
398fc5
- fix setting the group ID when spawning the post-save command
398fc5
398fc5
* Tue Feb 14 2012 Nalin Dahyabhai <nalin@redhat.com> 0.53-1
398fc5
- large changes to the D-Bus glue, exposing a lot of data which we were
398fc5
  providing via D-Bus getter methods as properties, and providing more
398fc5
  accurate introspection data
398fc5
- emit a signal when the daemon saves a certificate to the destination
398fc5
  location, and provide an option to have the daemon spawn an arbitrary
398fc5
  command at that point, too (#766167)
398fc5
- enable starting the service by default on RHEL (#765600)
398fc5
398fc5
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.52-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
398fc5
398fc5
* Fri Dec 16 2011 Nalin Dahyabhai <nalin@redhat.com> 0.52-1
398fc5
- note that SELinux usually confines us to writing only to cert_t in
398fc5
  doc/getting-started.txt (#765599)
398fc5
- fix crashes when we add a request during our first run when we're
398fc5
  populating the hard-coded CA list
398fc5
- properly deal with cases where a path is passed to us is "./XXX"
398fc5
- in session mode, create our data directories as we go
398fc5
398fc5
* Tue Dec  6 2011 Nalin Dahyabhai <nalin@redhat.com> 0.51-1
398fc5
- api: lift restrictions on characters used in request and CA nicknames by
398fc5
  making their object names not incorporate their nicknames
398fc5
- api: add find_request_by_nickname and find_ca_by_nickname
398fc5
- certmonger-ipa-submit.8: list -k, -K, -t in the summary, document -K
398fc5
- getcert: print "invalid option" error messages ourselves (#756291)
398fc5
- ipa-submit: supply a Referer: header when submitting requests to IPA
398fc5
  (#750617, needed for #747710)
398fc5
398fc5
* Fri Oct 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.50-1
398fc5
- really fix these this time:
398fc5
 - getcert: error out when "list -c" finds no matching CA (#743488)
398fc5
 - getcert: error out when "list -i" finds no matching request (#743485)
398fc5
398fc5
* Wed Oct 12 2011 Nalin Dahyabhai <nalin@redhat.com> 0.49-1
398fc5
- when using an NSS database, skip loading the module database (#743042)
398fc5
- when using an NSS database, skip loading root certs
398fc5
- generate SPKAC values when generating CSRs, though we don't do anything
398fc5
  with SPKAC values yet
398fc5
- internally maintain and use challenge passwords, if we have them
398fc5
- behave better when certificates have shorter lifetimes
398fc5
- add/recognize/handle notification type "none"
398fc5
- getcert: error out when "list -c" finds no matching CA (#743488)
398fc5
- getcert: error out when "list -i" finds no matching request (#743485)
398fc5
398fc5
* Thu Sep 29 2011 Nalin Dahyabhai <nalin@redhat.com> 0.48-1
398fc5
- don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated
398fc5
  array (#742348)
398fc5
398fc5
* Tue Sep 27 2011 Nalin Dahyabhai <nalin@redhat.com> 0.47-1
398fc5
- getcert: distinguish between {stat() succeeds but isn't a directory} and
398fc5
  {stat() failed} when printing an error message (#739903)
398fc5
- getcert resubmit/start-tracking: when we're looking for an existing request
398fc5
  by ID, and we don't find one, note that specifically (#741262)
398fc5
398fc5
* Mon Aug 29 2011 Stephen Gallagher <sgallagh@redhat.com> - 0.46-1.1
398fc5
- Rebuild against fixed libtevent version
398fc5
398fc5
* Mon Aug 15 2011 Nalin Dahyabhai <nalin@redhat.com> 0.46-1
398fc5
- treat the ability to access keys in an NSS database without using a PIN,
398fc5
  when we've been told we need one, as an error (#692766, really this time)
398fc5
398fc5
* Thu Aug 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.45-1
398fc5
- modify the systemd .service file to be a proper 'dbus' service (more
398fc5
  of #718172)
398fc5
398fc5
* Thu Aug 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.44-1
398fc5
- check specifically for cases where a specified token that we need to
398fc5
  use just isn't present for whatever reason (#697058)
398fc5
398fc5
* Wed Aug 10 2011 Nalin Dahyabhai <nalin@redhat.com> 0.43-1
398fc5
- add a -K option to ipa-submit, to use the current ccache, which makes
398fc5
  it easier to test
398fc5
398fc5
* Fri Aug  5 2011 Nalin Dahyabhai <nalin@redhat.com>
398fc5
- if xmlrpc-c's struct xmlrpc_curl_xportparms has a gss_delegate field, set
398fc5
  it to TRUE when we're doing Negotiate auth (#727864, #727863, #727866)
398fc5
398fc5
* Wed Jul 13 2011 Nalin Dahyabhai <nalin@redhat.com>
398fc5
- treat the ability to access keys in an NSS database without using a PIN,
398fc5
  when we've been told we need one, as an error (#692766)
398fc5
- when handling "getcert resubmit" requests, if we don't have a key yet,
398fc5
  make sure we go all the way back to generating one (#694184)
398fc5
- getcert: try to clean up tests for NSS and PEM file locations (#699059)
398fc5
- don't try to set reconnect-on-exit policy unless we managed to connect
398fc5
  to the bus (#712500)
398fc5
- handle cases where we specify a token but the storage token isn't
398fc5
  known (#699552)
398fc5
- getcert: recognize -i and storage options to narrow down which requests
398fc5
  the user wants to know about (#698772)
398fc5
- output hints when the daemon has startup problems, too (#712075)
398fc5
- add flags to specify whether we're bus-activated or not, so that we can
398fc5
  exit if we have nothing to do after handling a request received over
398fc5
  the bus if some specified amount of time has passed
398fc5
- explicitly disallow non-root access in the D-Bus configuration (#712072)
398fc5
- migrate to systemd on releases newer than Fedora 15 or RHEL 6 (#718172)
398fc5
- fix a couple of incorrect calls to talloc_asprintf() (#721392)
398fc5
398fc5
* Wed Apr 13 2011 Nalin Dahyabhai <nalin@redhat.com> 0.42-1
398fc5
- getcert: fix a buffer overrun preparing a request for the daemon when
398fc5
  there are more parameters to encode than space in the array (#696185)
398fc5
- updated translations: de, es, id, pl, ru, uk
398fc5
398fc5
* Mon Apr 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.41-1
398fc5
- read information about the keys we've just generated before proceeding
398fc5
  to generating a CSR (part of #694184, part of #695675)
398fc5
- when processing a "resubmit" request from getcert, go back to key
398fc5
  generation if we don't have keys yet, else go back to CSR generation as
398fc5
  before (#694184, #695675)
398fc5
- configure with --with-tmpdir=/var/run/certmonger and own /var/run/certmonger
398fc5
  (#687899), and add a systemd tmpfiles.d control file for creating
398fc5
  /var/run/certmonger on Fedora 15 and later
398fc5
- let session instances exit when they get disconnected from the bus
398fc5
- use a lock file to make sure there's only one session instance messing
398fc5
  around with the user's files at a time
398fc5
- fix errors saving certificates to NSS databases when there's already a
398fc5
  certificate there with the same nickname (#695672)
398fc5
- make key and certificate location output from 'getcert list' more properly
398fc5
  translatable (#7)
398fc5
398fc5
* Mon Mar 28 2011 Nalin Dahyabhai <nalin@redhat.com> 0.40-1
398fc5
- update to 0.40
398fc5
  - fix validation check on EKU OIDs in getcert (#691351)
398fc5
  - get session bus mode sorted
398fc5
  - add a list of recognized EKU values to the getcert-request man page
398fc5
398fc5
* Fri Mar 25 2011 Nalin Dahyabhai <nalin@redhat.com> 0.39-1
398fc5
- update to 0.39
398fc5
  - fix use of an uninitialized variable in the xmlrpc-based submission
398fc5
    helpers (#690886)
398fc5
398fc5
* Thu Mar 24 2011 Nalin Dahyabhai <nalin@redhat.com> 0.38-1
398fc5
- update to 0.38
398fc5
  - catch cases where we can't read a PIN file, but we never have to log
398fc5
    in to the token to access the private key (more of #688229)
398fc5
398fc5
* Tue Mar 22 2011 Nalin Dahyabhai <nalin@redhat.com> 0.37-1
398fc5
- update to 0.37
398fc5
  - be more careful about checking if we can read a PIN file successfully
398fc5
    before we even call an API that might need us to try (#688229)
398fc5
  - fix strict aliasing warnings
398fc5
398fc5
* Tue Mar 22 2011 Nalin Dahyabhai <nalin@redhat.com> 0.36-1
398fc5
- update to 0.36
398fc5
  - fix some use-after-free bugs in the daemon (#689776)
398fc5
  - fix a copy/paste error in certmonger-ipa-submit(8)
398fc5
  - getcert now suppresses error details when not given its new -v option
398fc5
    (#683926, more of #681641/#652047)
398fc5
  - updated translations
398fc5
    - de, es, pl, ru, uk
398fc5
    - indonesian translation is now for "id" rather than "in"
398fc5
398fc5
* Wed Mar  2 2011 Nalin Dahyabhai <nalin@redhat.com> 0.35.1-1
398fc5
- fix a self-test that broke because one-year-from-now is now a day's worth
398fc5
  of seconds further out than it was a few days ago
398fc5
398fc5
* Mon Feb 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.35-1
398fc5
- update to 0.35
398fc5
  - self-test fixes to rebuild properly in mock (#670322)
398fc5
398fc5
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.34-2
398fc5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
398fc5
398fc5
* Fri Jan 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.34-1
398fc5
- update to 0.34
398fc5
  - explicitly note the number of requests we're tracking in the output of
398fc5
    "getcert list" (#652049)
398fc5
  - try to offer some suggestions when we get certain specific errors back
398fc5
    in "getcert" (#652047)
398fc5
  - updated translations
398fc5
    - es
398fc5
398fc5
* Thu Dec 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.33-1
398fc5
- update to 0.33
398fc5
  - new translations
398fc5
    - id by Okta Purnama Rahadian!
398fc5
  - updated translations
398fc5
    - pl, uk
398fc5
  - roll up assorted fixes for defects
398fc5
398fc5
* Fri Nov 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.32-2
398fc5
- depend on the e2fsprogs libuuid on Fedora and RHEL releases where it's
398fc5
  not part of util-linux-ng
398fc5
398fc5
* Wed Oct 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.32-1
398fc5
- oops, rfc5280 says we shouldn't be populating unique identifiers, so
398fc5
  make it a configuration option and default the behavior to off
398fc5
398fc5
* Tue Oct 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.31-1
398fc5
- start populating the optional unique identifier fields in self-signed
398fc5
  certificates
398fc5
398fc5
* Thu Sep 30 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-4
398fc5
- explicitly require "dbus" to try to ensure we have a running system bus
398fc5
  when we get started (#639126)
398fc5
398fc5
* Wed Sep 29 2010 jkeating - 0.30-3
398fc5
- Rebuilt for gcc bug 634757
398fc5
398fc5
* Thu Sep 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-2
398fc5
- try to SIGHUP the messagebus daemon at first install so that it'll
398fc5
  let us claim our service name if it isn't restarted before we are
398fc5
  first started (#636876)
398fc5
398fc5
* Wed Aug 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-1
398fc5
- update to 0.30
398fc5
  - fix errors computing the time at the end of an interval that were
398fc5
    caught by self-tests
398fc5
398fc5
* Mon Aug 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.29-1
398fc5
- update to 0.29
398fc5
  - fix 64-bit cleanliness issue using libdbus
398fc5
  - actually include the full set of tests in tarballs
398fc5
398fc5
* Tue Aug 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.28-1
398fc5
- update to 0.28
398fc5
  - fix self-signing certificate notBefore and notAfter values on 32-bit
398fc5
    machines
398fc5
398fc5
* Tue Aug 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.27-1
398fc5
- update to 0.27
398fc5
  - portability and test fixes
398fc5
398fc5
* Fri Aug 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.26-1
398fc5
- update to 0.26
398fc5
  - when canceling a submission request that's being handled by a helper,
398fc5
    reap the child process's status after killing it (#624120)
398fc5
398fc5
* Fri Aug 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.25-1
398fc5
- update to 0.25
398fc5
  - new translations
398fc5
    - in by Okta Purnama Rahadian!
398fc5
  - fix detection of cases where we can't access a private key in an NSS
398fc5
    database because we don't have the PIN
398fc5
  - teach '*getcert start-tracking' about the -p and -P options which the
398fc5
    '*getcert request' commands already understand (#621670), and also
398fc5
    the -U, -K, -E, and -D flags
398fc5
  - double-check that the nicknames of keys we get back from
398fc5
    PK11_ListPrivKeysInSlot() match the desired nickname before accepting
398fc5
    them as matches, so that our tests won't all blow up on EL5
398fc5
  - fix dynamic addition and removal of CAs implemented through helpers
398fc5
398fc5
* Mon Jun 28 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-4
398fc5
- init script: ensure that the subsys lock is created whenever we're called to
398fc5
  "start" when we're already running (even more of #596719)
398fc5
398fc5
* Tue Jun 15 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-3
398fc5
- more gracefully handle manual daemon startups and cleaning up of unexpected
398fc5
  crashes (still more of #596719)
398fc5
398fc5
* Thu Jun 10 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-2
398fc5
- don't create the daemon pidfile until after we've connected to the D-Bus
398fc5
  (still more of #596719)
398fc5
398fc5
* Tue Jun  8 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-1
398fc5
- update to 0.24
398fc5
  - keep the lock on the pid file, if we have one, when we fork, and cancel
398fc5
    daemon startup if we can't gain ownership of the lock (the rest of #596719)
398fc5
  - make the man pages note which external configuration files we consult when
398fc5
    submitting requests to certmaster and ipa CAs
398fc5
398fc5
* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com> 0.23-1
398fc5
- update to 0.23
398fc5
  - new translations
398fc5
    - pl by Piotr Drąg!
398fc5
  - cancel daemon startup if we can't gain ownership of our well-known
398fc5
    service name on the DBus (#596719)
398fc5
398fc5
* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.22-1
398fc5
- update to 0.22
398fc5
  - new translations
398fc5
    - de by Fabian Affolter!
398fc5
  - certmaster-submit: don't fall over when we can't find a certmaster.conf
398fc5
    or a minion.conf (i.e., certmaster isn't installed) (#588932)
398fc5
  - when reading extension values from certificates, prune out duplicate
398fc5
    principal names, email addresses, and hostnames
398fc5
398fc5
* Tue May  4 2010 Nalin Dahyabhai <nalin@redhat.com> 0.21-1
398fc5
- update to 0.21
398fc5
  - getcert/*-getcert: relay the desired CA to the local service, whether
398fc5
    specified on the command line (in getcert) or as a built-in hard-wired
398fc5
    default (in *-getcert) (#584983)
398fc5
  - flesh out the default certmonger.conf so that people can get a feel for
398fc5
    the expected formatting (Jenny Galipeau)
398fc5
398fc5
* Wed Apr 21 2010 Nalin Dahyabhai <nalin@redhat.com> 0.20-1
398fc5
- update to 0.20
398fc5
  - correctly parse certificate validity periods given in years (spotted by
398fc5
    Stephen Gallagher)
398fc5
  - setup for translation
398fc5
    - es by Héctor Daniel Cabrera!
398fc5
    - ru by Yulia Poyarkova!
398fc5
    - uk by Yuri Chornoivan!
398fc5
  - fix unpreprocessed defaults in certmonger.conf's man page
398fc5
  - tweak the IPA-specific message that indicates a principal name also needs
398fc5
    to be specified if we're not using the default subject name (#579542)
398fc5
  - make the validity period of self-signed certificates into a configuration
398fc5
    setting and not a piece of the state information we track about the signer
398fc5
  - init script: exit with status 2 instead of 1 when invoked with an
398fc5
    unrecognized argument (#584517)
398fc5
398fc5
* Tue Mar 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.19-1
398fc5
- update to 0.19
398fc5
  - correctly initialize NSS databases that need to be using a PIN
398fc5
  - add certmonger.conf, for customizing notification timings and settings,
398fc5
    and use of digests other than the previously-hard-coded SHA256, and
398fc5
    drop those settings from individual requests
398fc5
  - up the default self-sign validity interval from 30 days to 365 days
398fc5
  - drop the first default notification interval from 30 days to 28 days
398fc5
    (these two combined to create a fun always-reissuing loop earlier)
398fc5
  - record the token which contains the key or certificate when we're
398fc5
    storing them in an NSS database, and report it
398fc5
  - improve handling of cases where we're supposed to use a PIN but we
398fc5
    either don't have one or we have the wrong one
398fc5
  - teach getcert to accept a PIN file's name or a PIN value when adding
398fc5
    a new entry
398fc5
  - update the IPA submission helper to use the new 'request_cert' signature
398fc5
    that's landing soon
398fc5
  - more tests
398fc5
398fc5
* Fri Feb 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.18-1
398fc5
- update to 0.18
398fc5
  - add support for using encrypted storage for keys, using PIN values
398fc5
    supplied directly or read from files whose names are supplied
398fc5
  - don't choke on NSS database locations that use the "sql:" or "dbm:"
398fc5
    prefix
398fc5
398fc5
* Mon Jan 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.17-2
398fc5
- make the D-Bus configuration file (noreplace) (#541072)
398fc5
- make the %%check section and the deps we have just for it conditional on
398fc5
  the same macro (#541072)
398fc5
398fc5
* Wed Jan  6 2010 Nalin Dahyabhai <nalin@redhat.com> 0.17-1
398fc5
- update to 0.17
398fc5
  - fix a hang in the daemon (Rob Crittenden)
398fc5
  - documentation updates
398fc5
  - fix parsing of submission results from IPA (Rob Crittenden)
398fc5
398fc5
* Fri Dec 11 2009 Nalin Dahyabhai <nalin@redhat.com> 0.16-1
398fc5
- update to 0.16
398fc5
  - set a umask at startup (Dan Walsh)
398fc5
398fc5
* Tue Dec  8 2009 Nalin Dahyabhai <nalin@redhat.com> 0.15-1
398fc5
- update to 0.15
398fc5
  - notice that a directory with a trailing '/' is the same location as the
398fc5
    directory without it
398fc5
  - fix handling of the pid file when we write one (by actually giving it
398fc5
    contents)
398fc5
398fc5
* Wed Nov 25 2009 Nalin Dahyabhai <nalin@redhat.com> 0.14-1
398fc5
- update to 0.14
398fc5
  - check key and certificate location at add-time to make sure they're
398fc5
    absolute paths to files or directories, as appropriate
398fc5
  - IPA: dig into the 'result' item if the named result value we're looking
398fc5
    for isn't in the result struct
398fc5
398fc5
* Tue Nov 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.13-1
398fc5
- update to 0.13
398fc5
  - change the default so that we default to trying to auto-refresh
398fc5
    certificates unless told otherwise
398fc5
  - preemptively enforce limitations on request nicknames so that they
398fc5
    make valid D-Bus object path components
398fc5
398fc5
* Tue Nov 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.12-1
398fc5
- update to 0.12
398fc5
  - add a crucial bit of error reporting when CAs reject our requests
398fc5
  - count the number of configured CAs correctly
398fc5
398fc5
* Mon Nov 23 2009 Nalin Dahyabhai <nalin@redhat.com> 0.11-1
398fc5
- update to 0.11
398fc5
  - add XML-RPC submission for certmaster and IPA
398fc5
  - prune entries with duplicate names from the data store
398fc5
398fc5
* Fri Nov 13 2009 Nalin Dahyabhai <nalin@redhat.com> 0.10-1
398fc5
- update to 0.10
398fc5
  - add some compiler warnings and then fix them
398fc5
398fc5
* Fri Nov 13 2009 Nalin Dahyabhai <nalin@redhat.com> 0.9-1
398fc5
- update to 0.9
398fc5
  - run external submission helpers correctly
398fc5
  - fix signing of signing requests generated for keys stored in files
398fc5
  - only care about new interface and route notifications from netlink,
398fc5
    and ignore notifications that don't come from pid 0
398fc5
  - fix logic for determining expiration status
398fc5
  - correct the version number in self-signed certificates
398fc5
398fc5
* Tue Nov 10 2009 Nalin Dahyabhai <nalin@redhat.com> 0.8-1
398fc5
- update to 0.8
398fc5
  - encode windows UPN values in requests correctly
398fc5
  - watch for netlink routing changes and restart stalled submission requests
398fc5
  - 'getcert resubmit' can force a regeneration of the CSR and submission
398fc5
398fc5
* Fri Nov  6 2009 Nalin Dahyabhai <nalin@redhat.com> 0.7-1
398fc5
- update to 0.7
398fc5
  - first cut at a getting-started document
398fc5
  - refactor some internal key handling with NSS
398fc5
  - check for duplicate request nicknames at add-time
398fc5
398fc5
* Tue Nov  3 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6-1
398fc5
- update to 0.6
398fc5
  - man pages
398fc5
  - 'getcert stop-tracking' actually makes the server forget now
398fc5
  - 'getcert request -e' was redundant, dropped the -e option
398fc5
  - 'getcert request -i' now sets the request nickname
398fc5
  - 'getcert start-tracking -i' now sets the request nickname
398fc5
398fc5
* Mon Nov  2 2009 Nalin Dahyabhai <nalin@redhat.com> 0.5-1
398fc5
- update to 0.5
398fc5
  - packaging fixes
398fc5
  - add a selfsign-getcert client
398fc5
  - self-signed certs now get basic constraints and their own serial numbers
398fc5
  - accept id-ms-kp-sc-logon as a named EKU value in a request
398fc5
398fc5
* Thu Oct 29 2009 Nalin Dahyabhai <nalin@redhat.com> 0.4-1
398fc5
- update to 0.4
398fc5
398fc5
* Thu Oct 22 2009 Nalin Dahyabhai <nalin@redhat.com> 0.1-1
398fc5
- update to 0.1
398fc5
398fc5
* Sun Oct 18 2009 Nalin Dahyabhai <nalin@redhat.com> 0.0-1
398fc5
- initial package