c0501f
# Init-system selection: Fedora > 15 and RHEL > 6 get systemd integration,
# every other target keeps the SysV init script.  Exactly one of the two
# toggles ends up set to 1.
%global systemd 0
%global sysvinit 1
%if 0%{?fedora} > 15 || 0%{?rhel} > 6
%global systemd 1
%global sysvinit 0
%endif

# Fedora 16 through 19 only: depend on systemd-sysv so the previous runlevel
# settings can be saved by the upgrade trigger.
%global systemdsysv 0
%if 0%{?fedora} > 15 && 0%{?fedora} < 20
%global systemdsysv 1
%endif

# Package a tmpfiles.d snippet on Fedora > 14 and RHEL > 6.
%global tmpfiles 0
%if 0%{?fedora} > 14 || 0%{?rhel} > 6
%global tmpfiles 1
%endif

# Directory that receives the SysV init script: newer releases use the
# _initddir macro, the rest fall back to _initrddir.
%if 0%{?fedora} > 9 || 0%{?rhel} > 5
%global sysvinitdir %{_initddir}
%else
%global sysvinitdir %{_initrddir}
%endif
c0501f
c0501f
%bcond_with xmlrpc
c0501f
c0501f
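Name:		certmonger
Version:	0.79.17
Release:	1%{?dist}
Summary:	Certificate status monitor and PKI enrollment client

License:	GPLv3+
# Upstream locations are referenced over HTTPS so that a fetch of the
# release tarball is not exposed to modification in transit.
URL:		https://pagure.io/certmonger/
Source0:	https://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
# NOTE(review): the detached signature is not listed as a source, so this
# spec does not verify the tarball's authenticity itself; integrity then
# rests on whatever checksum pinning the build system applies -- confirm.
#Source1:	https://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig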
c0501f
c0501f
c0501f
BuildRequires:	autoconf
c0501f
BuildRequires:	automake
c0501f
BuildRequires:	gettext-devel
c0501f
BuildRequires:	gcc
c0501f
BuildRequires:	openldap-devel
c0501f
BuildRequires:	krb5-devel
c0501f
BuildRequires:	libidn2-devel
c0501f
BuildRequires:	dbus-devel, nspr-devel, nss-devel, openssl-devel
c0501f
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
c0501f
BuildRequires:	libuuid-devel
c0501f
%else
c0501f
BuildRequires:	e2fsprogs-devel
c0501f
%endif
c0501f
BuildRequires:	libtalloc-devel, libtevent-devel
c0501f
%if 0%{?rhel} >= 6 || 0%{?fedora} >= 9
c0501f
BuildRequires:	libcurl-devel
c0501f
%else
c0501f
BuildRequires:	curl-devel
c0501f
%endif
c0501f
BuildRequires:	libxml2-devel
c0501f
%if %{with xmlrpc}
c0501f
BuildRequires:  xmlrpc-c-devel
c0501f
%endif
c0501f
BuildRequires:  jansson-devel
c0501f
%if 0%{?rhel} && 0%{?rhel} < 6
c0501f
BuildRequires:	bind-libbind-devel
c0501f
BuildRequires:	mktemp
c0501f
%endif
c0501f
# Required for 'make check':
c0501f
#  for diff and cmp
c0501f
BuildRequires:	diffutils
c0501f
#  for expect
c0501f
BuildRequires:	expect
c0501f
#  for certutil and pk12util
c0501f
BuildRequires:	nss-tools
c0501f
#  for openssl
c0501f
BuildRequires:	openssl
c0501f
#  for dbus-launch
c0501f
BuildRequires:	/usr/bin/dbus-launch
c0501f
#  for dos2unix
c0501f
BuildRequires:	/usr/bin/dos2unix
c0501f
BuildRequires:	/usr/bin/unix2dos
c0501f
#  for which
c0501f
BuildRequires:	/usr/bin/which
c0501f
#  for dbus tests
c0501f
BuildRequires:	python3-dbus
c0501f
BuildRequires:	popt-devel
68c1c4
BuildRequires:	sed
c0501f
c0501f
# we need a running system bus
c0501f
Requires:	dbus
c0501f
Requires(post):	%{_bindir}/dbus-send
c0501f
c0501f
%if %{systemd}
c0501f
BuildRequires:	systemd-units
c0501f
BuildRequires: make
c0501f
Requires(post):	systemd-units
c0501f
Requires(preun):	systemd-units, dbus, sed
c0501f
Requires(postun):	systemd-units
c0501f
%endif
c0501f
c0501f
%if %{systemdsysv}
c0501f
Requires(post):	systemd-sysv
c0501f
%global systemdsysvsave \
c0501f
# Save the current service runlevel info, in case the user wants \
c0501f
# to apply the enabled status manually later, by running \
c0501f
#   "systemd-sysv-convert --apply certmonger". \
c0501f
%{_bindir}/systemd-sysv-convert --save certmonger >/dev/null 2>&1 ||:
c0501f
%else
c0501f
%global systemdsysvsave %{nil}
c0501f
%endif
c0501f
c0501f
%if %{sysvinit}
c0501f
Requires(post):	/sbin/chkconfig, /sbin/service
c0501f
Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
c0501f
%endif
c0501f
c0501f
%if 0%{?fedora} >= 15
c0501f
# Certain versions of libtevent have incorrect internal ABI versions.
c0501f
Conflicts: libtevent < 0.9.13
c0501f
%endif
c0501f
c0501f
%description
c0501f
Certmonger is a service which is primarily concerned with getting your
c0501f
system enrolled with a certificate authority (CA) and keeping it enrolled.
c0501f
c0501f
%prep
c0501f
%autosetup -p1
c0501f
c0501f
%if 0%{?rhel} > 0
c0501f
# Enabled by default for RHEL for bug #765600, still disabled by default for
c0501f
# Fedora pending a similar bug report there.
c0501f
sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
c0501f
%endif
c0501f
c0501f
%build
# Regenerate the autotools output before configuring.
autoreconf -i -f
# Feature switches follow the distribution toggles set at the top of the spec.
# The daemon's home and temporary directory are both /run/certmonger, DSA
# support is disabled, and the build is configured with --enable-pie and
# --enable-now (presumably PIE and immediate-binding link hardening; confirm
# against the upstream configure script).
%configure \
%if %{systemd}
	--enable-systemd \
%endif
%if %{sysvinit}
	--enable-sysvinit=%{sysvinitdir} \
%endif
%if %{tmpfiles}
	--enable-tmpfiles \
%endif
	--with-homedir=/run/certmonger \
	--with-tmpdir=/run/certmonger \
%if %{with xmlrpc}
	--with-xmlrpc \
%endif
	--disable-dsa \
	--enable-pie \
	--enable-now
%if %{with xmlrpc}
# Some versions of xmlrpc-c-config in Fedora and RHEL report only
# libxmlrpc_client, but the link needs more; name the libraries explicitly.
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
%else
make %{?_smp_mflags}
%endif
c0501f
c0501f
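%install
# The buildroot is quoted everywhere so that an unexpected value (empty, or
# containing whitespace) cannot make rm -rf or the directory creation act on
# unintended paths.
rm -rf "$RPM_BUILD_ROOT"
make install DESTDIR="$RPM_BUILD_ROOT"
# The cas and requests state directories are spelled out rather than relying
# on brace expansion, which plain POSIX sh does not provide.
mkdir -p "$RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/cas" \
	"$RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/requests"
# Runtime directory passed to configure as the daemon's home and temporary
# directory; created with mode 0755.
install -m755 -d "$RPM_BUILD_ROOT/run/certmonger"
%{find_lang} %{name}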
c0501f
c0501f
%check
c0501f
make check
c0501f
c0501f
%post
# $1 is the number of instances of this package that will be installed once
# the transaction completes: 1 on a fresh install, more than 1 on an upgrade.
if [ "$1" -eq 1 ] ; then
	# Fresh install: ask the system bus daemon to reload its configuration.
	%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
fi
%if %{without xmlrpc}
# Upgrade of a build without XML-RPC support: remove any existing certmaster
# CA configuration.  Failures are ignored.
if [ "$1" -gt 1 ] ; then
	%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
fi
%endif
%if %{systemd}
if [ "$1" -eq 1 ] ; then
	# Fresh install: let systemd pick up the newly installed unit files.
	/bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi
%endif
%if %{sysvinit}
# Register the init script with chkconfig on every install and upgrade.
/sbin/chkconfig --add certmonger
%endif
c0501f
c0501f
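%triggerin -- certmonger < 0.58
# Runs when a certmonger older than 0.58 is present alongside this package.
# Removes the dogtag-ipa-renew-agent CA, first through the running daemon
# and then from its on-disk data, and always exits successfully.
if test "$1" -gt 1 ; then
	# If the daemon is running, remove knowledge of the dogtag renewer.
	# dbus-send is called by absolute path, as in the post scriptlet.
	objpath=$(%{_bindir}/dbus-send --system --reply-timeout=10000 --dest=org.fedorahosted.certmonger --print-reply=o /org/fedorahosted/certmonger org.fedorahosted.certmonger.find_ca_by_nickname string:dogtag-ipa-renew-agent 2> /dev/null | sed -r 's,^ +,,g' || true)
	if test -n "$objpath" ; then
		%{_bindir}/dbus-send --system --dest=org.fedorahosted.certmonger --print-reply /org/fedorahosted/certmonger org.fedorahosted.certmonger.remove_known_ca objpath:"$objpath" >/dev/null 2> /dev/null
	fi
	# Remove the data file, in case it isn't running.
	for cafile in %{_localstatedir}/lib/certmonger/cas/* ; do
		# An empty directory leaves the glob pattern unexpanded; skip
		# that and anything else that is not a regular file.
		test -f "$cafile" || continue
		if grep -q '^id=dogtag-ipa-renew-agent$' "$cafile" ; then
			rm -f "$cafile"
		fi
	done
fi
exit 0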
c0501f
c0501f
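%postun
# $1 is the number of instances of this package left after the transaction:
# 0 on final removal, 1 or more on upgrade.  The scriptlet always exits 0.
%if %{systemd}
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ "$1" -ge 1 ] ; then
	# Upgrade: restart the daemon only if it is currently running.
	/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || :
fi
%endif
%if %{sysvinit}
if test "$1" -gt 0 ; then
	# Redirect stdout first and then stderr onto it; in the reverse order
	# stderr stays attached to the original stdout and is not discarded.
	/sbin/service certmonger condrestart > /dev/null 2>&1
fi
%endif
exit 0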
c0501f
c0501f
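%preun
# $1 is the number of instances of this package left after the transaction;
# 0 means final removal, which is the only case that stops and disables the
# service.  The scriptlet always exits 0.
%if %{systemd}
if test "$1" -eq 0 ; then
	/bin/systemctl --no-reload disable certmonger.service > /dev/null 2>&1 || :
	/bin/systemctl stop certmonger.service > /dev/null 2>&1 || :
fi
%endif
%if %{sysvinit}
if test "$1" -eq 0 ; then
	# Redirect stdout first and then stderr onto it; in the reverse order
	# stderr stays attached to the original stdout and is not discarded.
	/sbin/service certmonger stop > /dev/null 2>&1
	/sbin/chkconfig --del certmonger
fi
%endif
exit 0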
c0501f
c0501f
%if %{systemd}
%triggerun -- certmonger < 0.43
# Migration away from a pre-0.43 package: optionally save the old runlevel
# settings, then do the cleanup that the old package's own scriptlets do not.
%{systemdsysvsave}
# The old package's %%postun does not know the init script registration
# has to be dropped.
/sbin/chkconfig --del certmonger >/dev/null 2>&1 || true
# The old package's %%postun would not have tried to restart the unit.
/bin/systemctl try-restart certmonger.service >/dev/null 2>&1 || true
exit 0
%endif
c0501f
c0501f
%files -f %{name}.lang
%doc README.md LICENSE STATUS doc/*.txt

# Configuration; noreplace keeps local edits across upgrades.
%dir %{_sysconfdir}/certmonger
%config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/*
%if %{tmpfiles}
%attr(0644,root,root) %config(noreplace) %{_tmpfilesdir}/certmonger.conf
%endif

# Programs, helpers and manual pages.
%{_bindir}/*
%{_sbindir}/certmonger
%{_libexecdir}/%{name}
%{_mandir}/man*/*

# D-Bus service files and init-system integration.
%{_datadir}/dbus-1/services/*
%if %{systemd}
%{_unitdir}/*
%{_datadir}/dbus-1/system-services/*
%endif
%if %{sysvinit}
%{sysvinitdir}/certmonger
%endif

# Runtime and state directories.
# NOTE(review): neither entry carries an explicit attr, so ownership and mode
# are whatever the install step left in the buildroot -- confirm they are as
# restrictive as the stored CA and request data needs.
%dir /run/certmonger
%{_localstatedir}/lib/certmonger
c0501f
c0501f
%changelog
16e082
* Tue Dec  6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
16e082
- Update to upstream 0.79.17
16e082
cebf48
* Thu Apr 07 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-7
cebf48
- Disable DSA (#2066439)
cebf48
cebf48
* Thu Mar 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-6
cebf48
- Certificate format validation when adding the SCEP server's CA
cebf48
  (#1492112)
cebf48
- Replace some SHA1 usages with SHA256 in the unit tests
cebf48
68c1c4
* Thu Oct 07 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-5
68c1c4
- Certmonger SCEP renewal should not use old challenges (#1990926)
68c1c4
- Certmonger certificates stuck in NEED_GUIDANCE (#2001082)
68c1c4
- certmonger creates CSRs with invalid DER syntax for X509v3 extensions
68c1c4
  with critical=FALSE (#2012261)
68c1c4
68c1c4
* Tue Sep 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-4
68c1c4
- Fix FTBFS due to change in OpenSSL 3.0.0-beta2 API (#2008451)
68c1c4
c0501f
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.79.14-3
c0501f
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
c0501f
  Related: rhbz#1991688
c0501f
c0501f
* Wed Jul 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-2
c0501f
- Re-enable LTO (#1986099)
c0501f
c0501f
* Thu Jun 17 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-1
c0501f
- Update to upstream 0.79.14 (#1969537)
c0501f
c0501f
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.79.13-6
c0501f
- Rebuilt for RHEL 9 BETA for openssl 3.0
c0501f
  Related: rhbz#1971065
c0501f
c0501f
* Wed May 19 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-5
c0501f
- Port to OpenSSL 3.0 (#1952930)
c0501f
c0501f
* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-4
c0501f
- Fix local CA to work under FIPS (#1954618)
c0501f
c0501f
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.79.13-3
c0501f
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
c0501f
c0501f
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.13-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
c0501f
c0501f
* Tue Oct 20 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
c0501f
- Update to upstream 0.79.13
c0501f
c0501f
* Mon Oct  5 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.12-1
c0501f
- Update to upstream 0.79.12
c0501f
c0501f
* Fri Sep 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-4
c0501f
- Don't send SIGKILL to child processes to terminate them
c0501f
- Switch to JSON for communication with IPA
c0501f
c0501f
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.11-3
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
c0501f
c0501f
* Tue Jun 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-2
c0501f
- Fix for an unnecessary free() which can cause core dump.
c0501f
c0501f
* Tue Jun 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-1
c0501f
- Update to upstream 0.79.11
c0501f
c0501f
* Thu Jun 25 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.10-1
c0501f
- Update to upstream 0.79.10
c0501f
c0501f
* Thu Jan 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.9-1
c0501f
- Update to upstream 0.79.9
c0501f
c0501f
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.8-4
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
c0501f
c0501f
* Wed Oct 30 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.8-3
c0501f
- Change python2-dbus build dependency to python3
c0501f
- Convert tests to pass under python 3
c0501f
- Skip DSA tests because it is disabled by default crypto policy
c0501f
c0501f
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.8-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
c0501f
c0501f
* Wed Jul 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.8-1
c0501f
- Update to upstream 0.79.8
c0501f
c0501f
* Wed May 22 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
c0501f
- Add BuildRequires for krb5-devel, the buildroot changed.
c0501f
c0501f
* Mon May 20 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2
c0501f
- Move systemd tmpfiles from /var/run to /run (upstream #111)
c0501f
- Change /var/run -> /run in systemd service file
c0501f
c0501f
* Mon Feb 18 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-1
c0501f
- Update to upstream 0.79.7
c0501f
c0501f
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.6-5
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
c0501f
c0501f
* Thu Oct  4 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-4
c0501f
- Pull in upstream fixes discovered in coverity and clang.
c0501f
c0501f
* Mon Oct  1 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-3
c0501f
- Improve NSS token handling. The updated NSS crypto-policy enables all
c0501f
  tokens which broke requesting certificates due to the way that tokens
c0501f
  were managed.
c0501f
c0501f
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.6-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
c0501f
c0501f
* Tue May  8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1
c0501f
- Update to upstream 0.79.6
c0501f
c0501f
* Wed Mar 14 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.79.5-7
c0501f
- Update Python 2 dependency declarations to new packaging standards
c0501f
  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
c0501f
c0501f
* Fri Feb 23 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-6
c0501f
- Fix unit tests. NSS crypto policy disallows keys < 1024
c0501f
c0501f
* Wed Feb 21 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-5
c0501f
- Add BuildRequires on gcc
c0501f
c0501f
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.5-4
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
c0501f
c0501f
* Wed Jan 10 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-3
c0501f
- Remove BR on mktemp. It is now provided by coreutils.
c0501f
- Patch to fix NSS handling of keys in sqlite databases
c0501f
- Patches to fix tests now that sqlite is the NSS default.
c0501f
c0501f
* Wed Oct  4 2017 Rob Crittenden <rcritten@redhat.com> 0.79.5-2
c0501f
- Switch BR from /usr/include/popt.h to popt-devel
c0501f
c0501f
* Fri Sep  1 2017 Rob Crittenden <rcritten@redhat.com> 0.79.5-1
c0501f
- update to 0.79.5:
c0501f
   - getcert start-tracking: use issuer option when specified
c0501f
   - add support for specifying the MS certificate template
c0501f
   - Reformat certificates returned by Dogtag to strip extra newline
c0501f
c0501f
* Wed Aug 16 2017 Rob Crittenden <rcritten@redhat.com> 0.79.4-2
c0501f
- Reformat certificates returned by Dogtag. Dogtag was including
c0501f
  a spurious newline before -----END CERTIFICATE-----
c0501f
c0501f
* Mon Aug  7 2017 Rob Crittenden <rcritten@redhat.com> 0.79.4-1
c0501f
- update to 0.79.4
c0501f
  - fix CA option name for ipa cert-request
c0501f
  - fix minor memory leak
c0501f
  - fix build warnings
c0501f
  - fix an incorrect date in the .spec changelog
c0501f
  - bump gettext version to avoid warning
c0501f
c0501f
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.3-3
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
c0501f
c0501f
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.3-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
c0501f
c0501f
* Tue Feb 28 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.3-1
c0501f
- update to 0.79.3:
c0501f
  - fix self-signing self-test cases that used DSA or EC keys
c0501f
c0501f
* Mon Feb 27 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.2-2
c0501f
- update %%docs list because README is now README.md
c0501f
c0501f
* Mon Feb 27 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.2-1
c0501f
- update to 0.79.2:
c0501f
  - fix 'make distcheck' target
c0501f
c0501f
* Sun Feb 19 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79.1-1
c0501f
- update to 0.79.1:
c0501f
  - update translations
c0501f
  - fix 'make archive' target
c0501f
c0501f
* Sun Feb 19 2017 Nalin Dahyabhai <nalin@redhat.com> 0.79-1
c0501f
- update to 0.79:
c0501f
  - getcert now offers an option (-X) for requesting processing by a particular
c0501f
    CA if the server we're contacting is running more than one
c0501f
  - getcert also offers options (--for-ca, --not-for-ca, --ca-path-length) for
c0501f
    requesting BasicConstraints values
c0501f
  - getcert now displays times in local time instead of UTC, which was
c0501f
    previously the only way they were displayed; the --utc option can often be
c0501f
    used to switch back to its previous behavior
c0501f
  - the SCEP enrollment helper now correctly issues GetCACertChain requests to
c0501f
    SCEP servers, instead of issuing a GetCAChain request, which isn't part of
c0501f
    the protocol; from report by Jason Garland
c0501f
  - when issuing SCEP requests, the ID of the CA included in the HTTP request
c0501f
    is now URL-encoded, as it should be
c0501f
  - renewal or notification-of-impending-expiration logic is now triggered
c0501f
    closer to TTL thresholds rather than waiting for a periodic check to pass a
c0501f
    threshold
c0501f
  - properly builds with OpenSSL 1.1, thanks to Lukas Slebodnik and Tomas Mraz
c0501f
    for a lot of the legwork
c0501f
- resync .spec file with Fedora
c0501f
- upstream project migrated from fedorahosted.org to pagure.io
c0501f
c0501f
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.78.6-6
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
c0501f
c0501f
* Sat Jan 21 2017 Igor Gnatenko <ignatenko@redhat.com> - 0.78.6-5
c0501f
- Rebuild for xmlrpc-c
c0501f
c0501f
* Wed Jul  6 2016 Nalin Dahyabhai <nalin@redhat.com> 0.78.6-4
c0501f
- add backported fix to wait a reasonable amount of time after calling the
c0501f
  'resubmit' method for a new certificate to be issued when we're exercising
c0501f
  the D-Bus API during tests (Jan Cholasta, #1351052)
c0501f
c0501f
* Wed Jul  6 2016 Nalin Dahyabhai <nalin@redhat.com> 0.78.6-3
c0501f
- instead of using killall to send a SIGHUP to the system bus daemon in %%post
c0501f
  to get it to reload its configuration, use dbus-send to send a ReloadConfig
c0501f
  request over the bus (should fix #1277573)
c0501f
c0501f
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.78.6-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
c0501f
c0501f
* Wed Jan 13 2016 Nalin Dahyabhai <nalin@redhat.com> 0.78.6-1
c0501f
- document the -R, -N, -o, and -t flags for dogtag-ipa-renew-agent-submit
c0501f
- stop checking that we can generate 512 bit keys during self-tests
c0501f
c0501f
* Thu Nov 12 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.5-1
c0501f
- fix a possible uninitialized memory read (possibly #1260871)
c0501f
- log a diagnostic error when we fail to initialize libkrb5
c0501f
c0501f
* Tue Aug  4 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.4-1
c0501f
- fix the "getcert start-tracking" -L and -l options (#1249753)
c0501f
- output diagnostics about the second request when scep-submit encounters an
c0501f
  error during a second request to the SCEP server
c0501f
c0501f
* Mon Jul 20 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.3-1
c0501f
- call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit
c0501f
  and the -O and -o flags to dogtag-submit (#1244914)
c0501f
c0501f
* Thu Jul  9 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.2-1
c0501f
- tweak initialization so that we set up for providing our D-Bus API before we
c0501f
  register our name with the bus, so that we can handle any requests that
c0501f
  arrive before the acknowledgement of that registration
c0501f
- on systems that run systemd, add the right data file so that the service gets
c0501f
  started when someone tries to talk to the daemon (ticket #38)
c0501f
- correctly check for error responses when sending GetCAChain requests to SCEP
c0501f
  servers
c0501f
c0501f
* Sun Jun 21 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78.1-1
c0501f
- self-tests: assume that certutil won't generate DSA keys with more than 1024
c0501f
  bits, and will often short us by a few
c0501f
c0501f
* Sat Jun 20 2015 Nalin Dahyabhai <nalin@redhat.com> 0.78-1
c0501f
- switch to using popt for parsing command line arguments, continuing to
c0501f
  use old help text for now so that we can catch up with translations (print
c0501f
  old text for --help, new text (with longopts!) for -H)
c0501f
- add some plumbing for eventually receiving per-certificate roots in
c0501f
  addition to issued certificates and chain certificates
c0501f
- add a "rekey" command to getcert, for triggering enrollment using a new
c0501f
  key pair (#1087932)
c0501f
- scep-submit: check for the Renewal capability, and default to taking
c0501f
  advantage of it during rekeying, unless the new -n flag is specified to it
c0501f
- dogtag-submit: add flags for passing user names, UDNs, passwords, and PINs
c0501f
  to the helper (part of ticket #12)
c0501f
- dogtag-submit: add a flag for using the agent creds to do TLS client auth
c0501f
  while submitting enrollment requests (more of ticket #12)
c0501f
- dogtag-submit: handle cases where we submit a request and the server
c0501f
  returns a success code rather than just queuing the request (#12 again)
c0501f
- ipa-submit: pass requested profile names to the server as an argument
c0501f
  named "profile_id"; if the server gives us an "unrecognized argument"
c0501f
  error, retry without it for compatibility's sake (part of IPA ticket #57)
c0501f
- keygen: fix a possible crash if keygen fails to return a key from NSS
c0501f
- correct the certmonger(8) man page's description of the -c flag, which it
c0501f
  used to call the -C flag
c0501f
- add logic for setting ownership and permissions on certificates and keys
c0501f
  when saving them to disk
c0501f
- add configuration options "max_key_lifetime" and "max_key_use_count" for
c0501f
  making automatic renewal prefer rekeying
c0501f
c0501f
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.77.5-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
c0501f
c0501f
* Thu May 28 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.5-1
c0501f
- pass $CERTMONGER_REQ_IP_ADDRESS to enrollment helpers if the signing request
c0501f
  includes IP address subjectAltName values
c0501f
- correctly verify signatures on SCEP server replies when the signer is neither
c0501f
  the top-level CA nor the RA (feedback in #1161768)
c0501f
- correctly verify signatures on SCEP server replies when there is more than
c0501f
  one certificate in the chain between the RA and the top-level CA (feedback in
c0501f
  #1161768)
c0501f
c0501f
* Fri May 15 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.4-1
c0501f
- don't display PINs in "getcert list" output (#42)
c0501f
- clean up launching of a private instance in "getcert"
c0501f
- expand on the don't-delete-private-key fix from 0.77.3 by letting NSS's
c0501f
  own safety checks have an effect
c0501f
- backport record-keeping of key generation dates and counts of how many
c0501f
  times we've gotten certificates using a given key pair
c0501f
c0501f
* Thu May  7 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.3-1
c0501f
- fix a data loss bug when saving renewed certificates to NSS databases - the
c0501f
  private key could be removed in error since 0.77
c0501f
- fixes for bugs found by static analysis
c0501f
- fix self-tests when built with OpenSSL 1.0.2
c0501f
c0501f
* Tue Apr 14 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.2-1
c0501f
- expose the certificate's not-valid-before and not-valid-after dates as a
c0501f
  property over D-Bus (ticket #41)
c0501f
- give the local signer its own configuration option to set the lifetime
c0501f
  of its signing certificate, falling back to the lifetime configured for
c0501f
  the self-signer as a default to match the previous behavior
c0501f
- fix a potential read segfault parsing the output of an enrollment helper,
c0501f
  introduced in 0.77 (thanks to Steve Neuharth)
c0501f
- read the ns-certtype extension value in certificates
c0501f
- request an enrollment certtype extension to CSRs if we have a profile name
c0501f
  that we want to use (ticket #17, possibly part of IPA ticket #57)
c0501f
c0501f
* Fri Feb 27 2015 Nalin Dahyabhai <nalin@redhat.com> 0.77.1-1
c0501f
- update to 0.77
c0501f
  - add initial, still rough, SCEP support (#1140241,#1161768)
c0501f
    - add an scep-submit helper to handle part of it
c0501f
  - getcert: add add-ca/add-scep-ca/modify-ca/remove-ca commands
c0501f
  - getcert: add -l, -L flags to request/resubmit/start-tracking commands
c0501f
    to provide a way to set a ChallengePassword in signing requests
c0501f
  - lay some groundwork for rekeying support
c0501f
  - bundled dogtag enrollment helpers now output debugging info to stderr (#)
c0501f
  - ipa-getcert: fix a crash when using DNS discovery to locate servers (#39)
c0501f
  - getcert: fix displaying of pre-request pre-/post-save commands (#1178190,
c0501f
    #1181022, patch by David Kupka)
c0501f
  - use Zanata for translations
c0501f
  - getcert list: list the certificate's profile name, if it contains one
c0501f
c0501f
* Tue Nov 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.8-1
c0501f
- dogtag-submit: accept additional options to pass to the server when
c0501f
  approving requests using agent creds (#1165155, patch by Jan Cholasta)
c0501f
- getcert: print help output when 'status' isn't given any args (#1163541)
c0501f
c0501f
* Tue Nov 11 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.7-1
c0501f
- correctly read CA not-valid-after dates on 32-bit machines (also reported by
c0501f
  Natxo Asenjo), so that we don't spin on polling them (#1163023)
c0501f
c0501f
* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.6-1
c0501f
- don't discard the priority value in DNS SRV records
c0501f
c0501f
* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.5-1
c0501f
- avoid premature exit on CA data analysis failures (should fix an issue
c0501f
  reported by Natxo Asenjo)
c0501f
c0501f
* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.4-1
c0501f
- fix a failure in self-tests
c0501f
c0501f
* Mon Nov 10 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.3-1
c0501f
- fixes for bugs found by static analysis
c0501f
- handle IDN correctly when doing service location using SRV records
c0501f
- documentation updates
c0501f
c0501f
* Wed Nov  5 2014 Nalin Dahyabhai <nalin@redhat.com>
c0501f
- rework the state machine so that we save an issued certificate's associated
c0501f
  CA certificates, then re-read the certificate, then run the post hook and
c0501f
  issue notifications, in that order, instead of saving CA certificates after
c0501f
  running the post hook, which was always a surprising order (#1131700)
c0501f
- add a generic dogtag-submit helper that doesn't include any IPA defaults,
c0501f
  to make it easier to know the difference between parameters it requires
c0501f
  and parameters which are optional (#12)
c0501f
c0501f
* Tue Nov  4 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.2-1
c0501f
- ipa-submit: when we fail to locate/contact LDAP or XML-RPC servers,
c0501f
  use discovery to find them (#1136900)
c0501f
c0501f
* Fri Oct 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76.1-1
c0501f
- allow for 'certmonger -P abstract:...' to work, too
c0501f
c0501f
* Fri Oct 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.76-1
c0501f
- require a single certificate to be specified to 'getcert status' (#1148001,
c0501f
  #1163541, #1163539)
c0501f
- shorten the default help message which getcert prints when it's not given
c0501f
  a specific command (#1131704)
c0501f
- add private listener (-l, -L, -P) mode to certmonger, to allow it to listen
c0501f
  for connections directly from clients running under the same UID
c0501f
- add a command mode (-c) to certmonger, in which once it's started, it
c0501f
  launches a specified command, and after that command exits, the daemon exits
c0501f
- when getcert is invoked with no bus running, if it's running as root, run
c0501f
  certmonger in private listener mode with the same invocation of getcert as
c0501f
  the command to start and wait for (#1134497)
c0501f
c0501f
* Thu Aug 28 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.14-1
c0501f
- make pathname canonicalization slightly smarter, to handle ".." in
c0501f
  locations (#1131758)
c0501f
- updates to self-tests (#1144082)
c0501f
c0501f
* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 0.75.13-2
c0501f
- Rebuild for rpm bug 1131960
c0501f
c0501f
* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.13-1
c0501f
- add a missing test case file (whoops)
c0501f
c0501f
* Mon Aug 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.12-1
c0501f
- correct encoding/decoding of variant-typed data which we receive and send
c0501f
  as part of the org.freedesktop.DBus.Properties interface over the bus, and
c0501f
  add some tests for them (based on patch from David Kupka, ticket #36)
c0501f
c0501f
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.75.10-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
c0501f
c0501f
* Tue Aug 12 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.11-1
c0501f
- when getcert is passed a -a flag, to indicate that CA root certificates
c0501f
  should be stored in the specified database, don't ignore locations which
c0501f
  don't include a storage scheme (#1129537)
c0501f
- when called to 'start-tracking' with the -a or -F flags, if we have
c0501f
  applicable certificates on-hand for a CA that we're either told to use
c0501f
  or which we decide is the correct one, save the certificates (#1129696)
c0501f
c0501f
* Tue Aug  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.10-1
c0501f
- when attempting to contact an IPA LDAP server, if no "ldap_uri" is set in
c0501f
  default.conf, and no "host" is set either, try to construct the server URI
c0501f
  using the "server" setting (#1126985)
c0501f
c0501f
* Thu Jul 31 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.9-1
c0501f
- avoid potential use-after-free after a CA is removed dynamically (thanks to
c0501f
  Keenan Brock) (#1125342)
c0501f
- add a "external-helper" property to CA objects
c0501f
c0501f
* Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.8-1
c0501f
- add a 'refresh' option to the getcert command
c0501f
- add a '-a' flag to the getcert command's 'refresh-ca' option
c0501f
c0501f
* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-2
c0501f
- reintroduce package Requires: on systemd-sysv on F19 and EL6 and older,
c0501f
  conditionalized it so that it's ignored on newer releases, and make
c0501f
  whether or not we call systemd-sysv-convert in triggers depend on that,
c0501f
  too (#1104138)
c0501f
c0501f
* Thu Jul 17 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.7-1
c0501f
- fix an inconsistency in how we parse cookie values returned by CA helpers,
c0501f
  in that single-line values would lose the end-of-line after a daemon
c0501f
  restart, but not before
c0501f
- handle timeout values and exit status values when calling CA helpers
c0501f
  in non-SUBMIT, non-POLL modes (#1118468)
c0501f
- rework how we save CA certificates so that we save CA certificates associated
c0501f
  with end-entity certificates when we save that end-entity certificate, which
c0501f
  requires running all of the involved pre- and post-save commands
c0501f
- drop package Requires: on systemd-sysv (#1104138)
c0501f
c0501f
* Thu Jun 26 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.6-1
c0501f
- avoid potential use-after-free and read overrun after a CA is added
c0501f
  dynamically (thanks to Jan Cholasta)
c0501f
c0501f
* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.5-1
c0501f
- documentation updates
c0501f
c0501f
* Fri Jun 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-2
c0501f
- add a %%trigger to remove knowledge of the "dogtag-ipa-renew-agent" CA
c0501f
  when we detect certmonger versions prior to 0.58 being installed, to
c0501f
  avoid cases where some older versions choke on CAs with nicknames that
c0501f
  contain characters that can't legally be part of a D-Bus name (#948993)
c0501f
c0501f
* Thu Jun 19 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.4-1
c0501f
- fix creation and packaging of the "local" CA's data directory
c0501f
c0501f
* Wed Jun 18 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.3-1
c0501f
- read and cache whether or not we saw a noOCSPcheck extension in certificates
c0501f
- documentation updates
c0501f
c0501f
* Mon Jun 16 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.2-1
c0501f
- when generating keys using OpenSSL, if key generation fails, try
c0501f
  again with the default key size, in case we're in FIPS mode
c0501f
- documentation updates
c0501f
c0501f
* Sat Jun 14 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75.1-1
c0501f
- log the state in 'getcert status' verbose mode
c0501f
c0501f
* Fri Jun 13 2014 Nalin Dahyabhai <nalin@redhat.com> 0.75-1
c0501f
- add a -w (wait) flag to getcert's request/resubmit/start-tracking
c0501f
  commands, and add a non-waiting status command
c0501f
c0501f
* Wed Jun 11 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.96-1
c0501f
- make the trust settings we apply to CA-supplied certificates while
c0501f
  saving them to NSS databases run-time configurable
c0501f
- fix compiling against EL5-era OpenSSL
c0501f
- when saving CA certificates we pull from an IPA server, nickname
c0501f
  it using the realm name with " IPA CA" appended rather than just
c0501f
  naming it "IPA CA"
c0501f
- fix the local signer so that when it issues itself a new certificate,
c0501f
  it uses the same subject name
c0501f
- add a -w flag to getcert's request, resubmit, and start-tracking
c0501f
  commands, telling it to wait until either the certificate is issued,
c0501f
  we get to a state where we know that we won't be able to get one, or
c0501f
  we are waiting for a CA
c0501f
c0501f
* Mon Jun  9 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.95-1
c0501f
- add the "local" signer, a local toy CA that signs anything you'll
c0501f
  ask it to sign
c0501f
c0501f
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.74-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
c0501f
c0501f
* Fri Jun  6 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.94-1
c0501f
- fix self-test errors that we trigger with new OpenSSL
c0501f
- fix a build error that would sometimes happen when we're told to
c0501f
  build PIE binaries
c0501f
- quiet a compile warning
c0501f
c0501f
* Thu Jun  5 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.93-1
c0501f
- add some self-tests
c0501f
- simplify the internal submit-to-CA logic
c0501f
- fixes for more problems found through static analysis
c0501f
c0501f
* Tue Jun  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74.92-1
c0501f
- retrieve CA information from CAs, if the helpers can do so, and
c0501f
  add a command to explicitly refresh that data: "getcert refresh-ca"
c0501f
- offer to save CA certificates to files and databases, when specified with
c0501f
  new -a and -F flags to getcert request/resubmit/start-tracking (#1098208,
c0501f
  trac #31)
c0501f
- add IP address subject alternate names when getcert request/resubmit
c0501f
  is passed the -A option (trac #35)
c0501f
- read and cache the freshestCRL extension in certificates
c0501f
- properly interpret KDC-unreachable errors encountered in the IPA
c0501f
  submission error as a server-unreachable error that we will retry,
c0501f
  rather than a misconfiguration error which we won't
c0501f
- don't let tests get tripped up by new formatting used in dos2unix status
c0501f
  messages (#1099080)
c0501f
- updated translations
c0501f
- be explicit that we are going to use bashisms in test scripts by calling
c0501f
  the shell interpreter as 'bash' rather than 'sh' (trac #27)
c0501f
c0501f
* Thu Apr  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.74-1
c0501f
- also save state when we exit due to SIGHUP
c0501f
- don't get tripped up when enrollment helpers hand us certificates which
c0501f
  include CRLF line terminators (ticket #25)
c0501f
- be tolerant of certificate issuer names, subject names, DNS, email, and
c0501f
  Kerberos principal name subjectAltNames, and crl distribution point URLs
c0501f
  that contain newlines
c0501f
- read and cache the certificate template extension in certificates
c0501f
- enforce different minimum key sizes depending on the type of key we're
c0501f
  trying to generate
c0501f
- store DER versions of subject, issuer and template subject, if we have
c0501f
  them (Jan Cholasta, ticket #26)
c0501f
- when generating signing requests with subject names that don't quite parse
c0501f
  as subject names, encode what we're given as PrintableString rather than
c0501f
  as a UTF8String
c0501f
- always chdir() to a known location at startup, even if we're not becoming
c0501f
  a daemon
c0501f
- fix a couple of memory leaks (static analysis)
c0501f
- add missing buildrequires: on which
c0501f
c0501f
* Thu Feb 20 2014 Nalin Dahyabhai <nalin@redhat.com> 0.73-1
c0501f
- updates to 0.73
c0501f
  - getcert no longer claims to be stuck when a CA is unreachable,
c0501f
    because the daemon isn't actually stuck
c0501f
c0501f
* Mon Feb 17 2014 Nalin Dahyabhai <nalin@redhat.com>
c0501f
- updates to 0.73
c0501f
  - also pass the key type to enrollment helpers in the environment as
c0501f
    the value of "CERTMONGER_KEY_TYPE"
c0501f
c0501f
* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
c0501f
- move the tmpfiles.d file from /etc/tmpfiles.d to %%{_tmpfilesdir},
c0501f
  where it belongs (#1180978)
c0501f
c0501f
* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com>
c0501f
- updates for 0.73
c0501f
  - set the flag to encode EC public key parameters using named curves
c0501f
    instead of the default of all-the-details when using OpenSSL
c0501f
  - don't break when NSS supports secp521r1 but OpenSSL doesn't
c0501f
  - also pass the CA nickname to enrollment helpers in the environment as
c0501f
    a text value in "CERTMONGER_CA_NICKNAME", so they can use that value
c0501f
    when reading configuration settings
c0501f
  - also pass the SPKAC value to enrollment helpers in the environment as
c0501f
    a base64 value in "CERTMONGER_SPKAC"
c0501f
  - also pass the request's SubjectPublicKeyInfo value to enrollment helpers
c0501f
    in the environment as a base64 value in "CERTMONGER_SPKI" (part of #16)
c0501f
  - when generating signing requests using NSS, be more accommodating of
c0501f
    requested subject names that don't parse properly
c0501f
c0501f
* Mon Feb  3 2014 Nalin Dahyabhai <nalin@redhat.com> 0.72-1
c0501f
- update to 0.72
c0501f
  - support generating DSA parameters and keys on sufficiently-new OpenSSL
c0501f
    and NSS
c0501f
  - support generating EC keys when OpenSSL and NSS support it, using key
c0501f
    size to select the curve to use from among secp256r1, secp384r1,
c0501f
    secp521r1 (which are the ones that are usually available, though
c0501f
    secp521r1 isn't always, even if the other two are)
c0501f
  - stop trying to cache public key parameters at all and instead cache public
c0501f
    key info properly
c0501f
  - encode the friendlyName attribute in signing requests as a BMPString,
c0501f
    not as a PrintableString
c0501f
  - catch more filesystem permissions problems earlier (more of #996581)
c0501f
c0501f
* Mon Jan 27 2014 Nalin Dahyabhai <nalin@redhat.com> 0.71-1
c0501f
- check for cases where we fail to allocate memory while reading a request
c0501f
  or CA entry from disk (John Haxby)
c0501f
- only handle one watch at a time, which should avoid abort() during
c0501f
  attempts to reconnect to the message bus after losing our connection
c0501f
  to it (#1055521)
c0501f
c0501f
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.70-2
c0501f
- Mass rebuild 2014-01-24
c0501f
c0501f
* Thu Jan  2 2014 Nalin Dahyabhai <nalin@redhat.com> 0.70-1
c0501f
- add a --with-homedir option to configure, and use it, since subprocesses
c0501f
  which we run and which use NSS may attempt to write to $HOME/.pki, and
c0501f
  0.69's strategy of setting that to "/" was rightly hitting SELinux policy
c0501f
  denials (#1047798)
c0501f
c0501f
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.69-2
c0501f
- Mass rebuild 2013-12-27
c0501f
c0501f
* Mon Dec  9 2013 Nalin Dahyabhai <nalin@redhat.com> 0.69-1
c0501f
- tweak how we decide whether we're on the master or a minion when we're
c0501f
  told to use certmaster as a CA
c0501f
- clean up one of the tests so that it doesn't have to work around internal
c0501f
  logging producing duplicate messages
c0501f
- when logging errors while setting up to contact xmlrpc servers, explicitly
c0501f
  note that the error is client-side
c0501f
- don't abort() due to incorrect locking when an attempt to save an issued
c0501f
  certificate to the designated location fails (part of #1032760/#1033333,
c0501f
  ticket #22)
c0501f
- when reading an issued certificate from an enrollment helper, ignore
c0501f
  noise before or after the certificate itself (more of #1032760/1033333,
c0501f
  ticket #22)
c0501f
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
c0501f
  ticket #22)
c0501f
- clear the ca-error that we saved when we had an error talking to the CA if we
c0501f
  subsequently succeed in talking to the CA
c0501f
- various other static-analysis fixes
c0501f
c0501f
* Thu Aug 29 2013 Nalin Dahyabhai <nalin@redhat.com> 0.68-1
c0501f
- notice when the OpenSSL RNG isn't seeded
c0501f
- notice when saving certificates or keys fails due to filesystem-related
c0501f
  permission denial (#996581)
c0501f
c0501f
* Tue Aug  6 2013 Nalin Dahyabhai <nalin@redhat.com> 0.67-3
c0501f
- pull up a patch from master to adapt self-tests to certutil's diagnostic
c0501f
  output having changed (#992050)
c0501f
c0501f
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.67-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
c0501f
c0501f
* Mon Mar 11 2013 Nalin Dahyabhai <nalin@redhat.com> 0.67-1
c0501f
- when saving certificates to NSS databases, try to preserve the trust
c0501f
  value assigned to a previously-present certificate with the same nickname
c0501f
  and subject, if one is found
c0501f
- when saving certificates to NSS databases, also prune certificates from
c0501f
  the database which have both the same nickname and subject as the one
c0501f
  we're adding, to avoid tripping up tools that only fetch one certificate
c0501f
  by nickname
c0501f
c0501f
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.65-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
c0501f
c0501f
* Wed Jan 23 2013 Nalin Dahyabhai <nalin@redhat.com> 0.66-1
c0501f
- build as position-independent executables with early binding (#883966)
c0501f
- also don't tag the unit file as a configuration file (internal tooling)
c0501f
c0501f
* Wed Jan 23 2013 Nalin Dahyabhai <nalin@redhat.com> 0.65-2
c0501f
- don't tag the D-Bus session .service file as a configuration file (internal
c0501f
  tooling)
c0501f
c0501f
* Tue Jan  8 2013 Nalin Dahyabhai <nalin@redhat.com> 0.65-1
c0501f
- fix a crash in the self-tests
c0501f
c0501f
* Tue Jan  8 2013 Nalin Dahyabhai <nalin@redhat.com> 0.64-1
c0501f
- at startup, if we resume the state machine for a given certificate to a state
c0501f
  which expects to have the newly-added lock already acquired, acquire it
c0501f
  before moving on with the certificate's work (still aimed at fixing #883484)
c0501f
c0501f
* Tue Dec 18 2012 Nalin Dahyabhai <nalin@redhat.com> 0.63-1
c0501f
- serialize access to NSS databases and the running of pre- and post-save
c0501f
  commands which might also access them (possibly fixing part of #883484)
c0501f
c0501f
* Thu Nov 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.62-1
c0501f
- add a -u flag to getcert to enable requesting a keyUsage extension value
c0501f
- request subjectKeyIdentifier extensions from CAs, and include them in
c0501f
  self-signed certificates
c0501f
- request basicConstraints from CAs, defaulting to requests for end-entity
c0501f
  certificates
c0501f
- when requesting CA certificates, also request authorityKeyIdentifier
c0501f
- add support for requesting CRL distribution point and authorityInfoAccess
c0501f
  extensions that specify OCSP responder locations
c0501f
- don't crash when OpenSSL can't build a template certificate from a request
c0501f
  when we're in FIPS mode
c0501f
- put NSS in FIPS mode, when the system booted that way, except when we're
c0501f
  trying to write certificates to a database
c0501f
- fix CSR generation and self-signing in FIPS mode with NSS
c0501f
- fix self-signing in FIPS mode with OpenSSL
c0501f
- new languages from the translation team: mai, ml, nn, ga
c0501f
c0501f
* Tue Nov 27 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-3
c0501f
- backport change from git to not choke if X509_REQ_to_X509() fails when we're
c0501f
  self-signing using OpenSSL
c0501f
- backport another change from git to represent this as a CA-rejected error
c0501f
c0501f
* Mon Sep 24 2012 Nalin Dahyabhai <nalin@redhat.com> 0.61-1
c0501f
- fix a regression in reading old request tracking files where the
c0501f
  request was in state NEED_TO_NOTIFY or NOTIFYING
c0501f
c0501f
* Wed Sep  5 2012 Nalin Dahyabhai <nalin@redhat.com> 0.60-1
c0501f
- adjust internals of logic for talking to dogtag to at least have a
c0501f
  concept of non-agent cases
c0501f
- when talking to an IPA server's internal Dogtag instance, infer which
c0501f
  ports the CA is listening on from the "dogtag_version" setting in the
c0501f
  IPA configuration (Ade Lee)
c0501f
- send a notification (or log a message, whatever) when we save a new
c0501f
  certificate (#766167)
c0501f
c0501f
* Mon Jul 30 2012 Nalin Dahyabhai <nalin@redhat.com>
c0501f
- fix a bad %%preun scriptlet
c0501f
c0501f
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.59-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
c0501f
c0501f
* Fri Jun 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.59-1
c0501f
- mostly documentation updates
c0501f
c0501f
* Fri Jun 29 2012 Nalin Dahyabhai <nalin@redhat.com> 0.58-1
c0501f
- add a "dogtag-ipa-renew-agent" CA so that we can renew certificates using
c0501f
  an IPA server's internal Dogtag instance
c0501f
- export the requested profile and old certificate to enrollment helpers
c0501f
- make libxml and libcurl into hard build-time requirements
c0501f
- serialize all pre/save/post sequences to make sure that stop/save/start
c0501f
  doesn't become stop1/save1/stop2/start1/save2/start2 when we're stopping
c0501f
  a service while we muck with more than one of its certificates
c0501f
c0501f
* Fri Jun 15 2012 Nalin Dahyabhai <nalin@redhat.com>
c0501f
- add a command option (-T) to getcert for specifying which enrollment
c0501f
  profile to tell a CA that we're using, in case it cares (#10)
c0501f
c0501f
* Thu Jun 14 2012 Nalin Dahyabhai <nalin@redhat.com> 0.57-1
c0501f
- clarify that the command passed to getcert -C is a "post"-save command
c0501f
- add a "pre"-save command option to getcert, specified with the -B flag (#9)
c0501f
- after we notify of an impending not-valid-after approaching, don't do it
c0501f
  again immediately
c0501f
c0501f
* Sat Mar  3 2012 Nalin Dahyabhai <nalin@redhat.com> 0.56-1
c0501f
- when a caller sets the is-default flag on a CA, and another CA is no longer
c0501f
  the default, emit the PropertiesChanged signal on the CA which is not the
c0501f
  default, instead of on the new default a second time
c0501f
- drop some dead code from the D-Bus message handlers (static analysis,
c0501f
  #796813)
c0501f
- cache public keys when we read private keys
c0501f
- go back to printing an error indicating that we're missing a required
c0501f
  argument when we're missing a required argument, not that the option is
c0501f
  invalid (broken since 0.51, #796542)
c0501f
c0501f
* Wed Feb 15 2012 Nalin Dahyabhai <nalin@redhat.com> 0.55-1
c0501f
- allow root to use our implementation of org.freedesktop.DBus.Properties
c0501f
- take more care to not emit useless PropertiesChanged signals
c0501f
c0501f
* Wed Feb 15 2012 Nalin Dahyabhai <nalin@redhat.com> 0.54-1
c0501f
- fix setting the group ID when spawning the post-save command
c0501f
c0501f
* Tue Feb 14 2012 Nalin Dahyabhai <nalin@redhat.com> 0.53-1
c0501f
- large changes to the D-Bus glue, exposing a lot of data which we were
c0501f
  providing via D-Bus getter methods as properties, and providing more
c0501f
  accurate introspection data
c0501f
- emit a signal when the daemon saves a certificate to the destination
c0501f
  location, and provide an option to have the daemon spawn an arbitrary
c0501f
  command at that point, too (#766167)
c0501f
- enable starting the service by default on RHEL (#765600)
c0501f
c0501f
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.52-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
c0501f
c0501f
* Fri Dec 16 2011 Nalin Dahyabhai <nalin@redhat.com> 0.52-1
c0501f
- note that SELinux usually confines us to writing only to cert_t in
c0501f
  doc/getting-started.txt (#765599)
c0501f
- fix crashes when we add a request during our first run when we're
c0501f
  populating the hard-coded CA list
c0501f
- properly deal with cases where a path passed to us is "./XXX"
c0501f
- in session mode, create our data directories as we go
c0501f
c0501f
* Tue Dec  6 2011 Nalin Dahyabhai <nalin@redhat.com> 0.51-1
c0501f
- api: lift restrictions on characters used in request and CA nicknames by
c0501f
  making their object names not incorporate their nicknames
c0501f
- api: add find_request_by_nickname and find_ca_by_nickname
c0501f
- certmonger-ipa-submit.8: list -k, -K, -t in the summary, document -K
c0501f
- getcert: print "invalid option" error messages ourselves (#756291)
c0501f
- ipa-submit: supply a Referer: header when submitting requests to IPA
c0501f
  (#750617, needed for #747710)
c0501f
c0501f
* Fri Oct 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.50-1
c0501f
- really fix these this time:
c0501f
 - getcert: error out when "list -c" finds no matching CA (#743488)
c0501f
 - getcert: error out when "list -i" finds no matching request (#743485)
c0501f
c0501f
* Wed Oct 12 2011 Nalin Dahyabhai <nalin@redhat.com> 0.49-1
c0501f
- when using an NSS database, skip loading the module database (#743042)
c0501f
- when using an NSS database, skip loading root certs
c0501f
- generate SPKAC values when generating CSRs, though we don't do anything
c0501f
  with SPKAC values yet
c0501f
- internally maintain and use challenge passwords, if we have them
c0501f
- behave better when certificates have shorter lifetimes
c0501f
- add/recognize/handle notification type "none"
c0501f
- getcert: error out when "list -c" finds no matching CA (#743488)
c0501f
- getcert: error out when "list -i" finds no matching request (#743485)
c0501f
c0501f
* Thu Sep 29 2011 Nalin Dahyabhai <nalin@redhat.com> 0.48-1
c0501f
- don't incorrectly assume that CERT_ImportCerts() returns a NULL-terminated
c0501f
  array (#742348)
c0501f
c0501f
* Tue Sep 27 2011 Nalin Dahyabhai <nalin@redhat.com> 0.47-1
c0501f
- getcert: distinguish between {stat() succeeds but isn't a directory} and
c0501f
  {stat() failed} when printing an error message (#739903)
c0501f
- getcert resubmit/start-tracking: when we're looking for an existing request
c0501f
  by ID, and we don't find one, note that specifically (#741262)
c0501f
c0501f
* Mon Aug 29 2011 Stephen Gallagher <sgallagh@redhat.com> - 0.46-1.1
c0501f
- Rebuild against fixed libtevent version
c0501f
c0501f
* Mon Aug 15 2011 Nalin Dahyabhai <nalin@redhat.com> 0.46-1
c0501f
- treat the ability to access keys in an NSS database without using a PIN,
c0501f
  when we've been told we need one, as an error (#692766, really this time)
c0501f
c0501f
* Thu Aug 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.45-1
c0501f
- modify the systemd .service file to be a proper 'dbus' service (more
c0501f
  of #718172)
c0501f
c0501f
* Thu Aug 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.44-1
c0501f
- check specifically for cases where a specified token that we need to
c0501f
  use just isn't present for whatever reason (#697058)
c0501f
c0501f
* Wed Aug 10 2011 Nalin Dahyabhai <nalin@redhat.com> 0.43-1
c0501f
- add a -K option to ipa-submit, to use the current ccache, which makes
c0501f
  it easier to test
c0501f
c0501f
* Fri Aug  5 2011 Nalin Dahyabhai <nalin@redhat.com>
c0501f
- if xmlrpc-c's struct xmlrpc_curl_xportparms has a gss_delegate field, set
c0501f
  it to TRUE when we're doing Negotiate auth (#727864, #727863, #727866)
c0501f
c0501f
* Wed Jul 13 2011 Nalin Dahyabhai <nalin@redhat.com>
c0501f
- treat the ability to access keys in an NSS database without using a PIN,
c0501f
  when we've been told we need one, as an error (#692766)
c0501f
- when handling "getcert resubmit" requests, if we don't have a key yet,
c0501f
  make sure we go all the way back to generating one (#694184)
c0501f
- getcert: try to clean up tests for NSS and PEM file locations (#699059)
c0501f
- don't try to set reconnect-on-exit policy unless we managed to connect
c0501f
  to the bus (#712500)
c0501f
- handle cases where we specify a token but the storage token isn't
c0501f
  known (#699552)
c0501f
- getcert: recognize -i and storage options to narrow down which requests
c0501f
  the user wants to know about (#698772)
c0501f
- output hints when the daemon has startup problems, too (#712075)
c0501f
- add flags to specify whether we're bus-activated or not, so that we can
c0501f
  exit if we have nothing to do after handling a request received over
c0501f
  the bus if some specified amount of time has passed
c0501f
- explicitly disallow non-root access in the D-Bus configuration (#712072)
c0501f
- migrate to systemd on releases newer than Fedora 15 or RHEL 6 (#718172)
c0501f
- fix a couple of incorrect calls to talloc_asprintf() (#721392)
c0501f
c0501f
* Wed Apr 13 2011 Nalin Dahyabhai <nalin@redhat.com> 0.42-1
c0501f
- getcert: fix a buffer overrun preparing a request for the daemon when
c0501f
  there are more parameters to encode than space in the array (#696185)
c0501f
- updated translations: de, es, id, pl, ru, uk
c0501f
c0501f
* Mon Apr 11 2011 Nalin Dahyabhai <nalin@redhat.com> 0.41-1
c0501f
- read information about the keys we've just generated before proceeding
c0501f
  to generating a CSR (part of #694184, part of #695675)
c0501f
- when processing a "resubmit" request from getcert, go back to key
c0501f
  generation if we don't have keys yet, else go back to CSR generation as
c0501f
  before (#694184, #695675)
c0501f
- configure with --with-tmpdir=/var/run/certmonger and own /var/run/certmonger
c0501f
  (#687899), and add a systemd tmpfiles.d control file for creating
c0501f
  /var/run/certmonger on Fedora 15 and later
c0501f
- let session instances exit when they get disconnected from the bus
c0501f
- use a lock file to make sure there's only one session instance messing
c0501f
  around with the user's files at a time
c0501f
- fix errors saving certificates to NSS databases when there's already a
c0501f
  certificate there with the same nickname (#695672)
c0501f
- make key and certificate location output from 'getcert list' more properly
c0501f
  translatable (#7)
c0501f
c0501f
* Mon Mar 28 2011 Nalin Dahyabhai <nalin@redhat.com> 0.40-1
c0501f
- update to 0.40
c0501f
  - fix validation check on EKU OIDs in getcert (#691351)
c0501f
  - get session bus mode sorted
c0501f
  - add a list of recognized EKU values to the getcert-request man page
c0501f
c0501f
* Fri Mar 25 2011 Nalin Dahyabhai <nalin@redhat.com> 0.39-1
c0501f
- update to 0.39
c0501f
  - fix use of an uninitialized variable in the xmlrpc-based submission
c0501f
    helpers (#690886)
c0501f
c0501f
* Thu Mar 24 2011 Nalin Dahyabhai <nalin@redhat.com> 0.38-1
c0501f
- update to 0.38
c0501f
  - catch cases where we can't read a PIN file, but we never have to log
c0501f
    in to the token to access the private key (more of #688229)
c0501f
c0501f
* Tue Mar 22 2011 Nalin Dahyabhai <nalin@redhat.com> 0.37-1
c0501f
- update to 0.37
c0501f
  - be more careful about checking if we can read a PIN file successfully
c0501f
    before we even call an API that might need us to try (#688229)
c0501f
  - fix strict aliasing warnings
c0501f
c0501f
* Tue Mar 22 2011 Nalin Dahyabhai <nalin@redhat.com> 0.36-1
c0501f
- update to 0.36
c0501f
  - fix some use-after-free bugs in the daemon (#689776)
c0501f
  - fix a copy/paste error in certmonger-ipa-submit(8)
c0501f
  - getcert now suppresses error details when not given its new -v option
c0501f
    (#683926, more of #681641/#652047)
c0501f
  - updated translations
c0501f
    - de, es, pl, ru, uk
c0501f
    - indonesian translation is now for "id" rather than "in"
c0501f
c0501f
* Wed Mar  2 2011 Nalin Dahyabhai <nalin@redhat.com> 0.35.1-1
c0501f
- fix a self-test that broke because one-year-from-now is now a day's worth
c0501f
  of seconds further out than it was a few days ago
c0501f
c0501f
* Mon Feb 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.35-1
c0501f
- update to 0.35
c0501f
  - self-test fixes to rebuild properly in mock (#670322)
c0501f
c0501f
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.34-2
c0501f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
c0501f
c0501f
* Fri Jan 14 2011 Nalin Dahyabhai <nalin@redhat.com> 0.34-1
c0501f
- update to 0.34
c0501f
  - explicitly note the number of requests we're tracking in the output of
c0501f
    "getcert list" (#652049)
c0501f
  - try to offer some suggestions when we get certain specific errors back
c0501f
    in "getcert" (#652047)
c0501f
  - updated translations
c0501f
    - es
c0501f
c0501f
* Thu Dec 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.33-1
c0501f
- update to 0.33
c0501f
  - new translations
c0501f
    - id by Okta Purnama Rahadian!
c0501f
  - updated translations
c0501f
    - pl, uk
c0501f
  - roll up assorted fixes for defects
c0501f
c0501f
* Fri Nov 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.32-2
c0501f
- depend on the e2fsprogs libuuid on Fedora and RHEL releases where it's
c0501f
  not part of util-linux-ng
c0501f
c0501f
* Wed Oct 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.32-1
c0501f
- oops, rfc5280 says we shouldn't be populating unique identifiers, so
c0501f
  make it a configuration option and default the behavior to off
c0501f
c0501f
* Tue Oct 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.31-1
c0501f
- start populating the optional unique identifier fields in self-signed
c0501f
  certificates
c0501f
c0501f
* Thu Sep 30 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-4
c0501f
- explicitly require "dbus" to try to ensure we have a running system bus
c0501f
  when we get started (#639126)
c0501f
c0501f
* Wed Sep 29 2010 jkeating - 0.30-3
c0501f
- Rebuilt for gcc bug 634757
c0501f
c0501f
* Thu Sep 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-2
c0501f
- try to SIGHUP the messagebus daemon at first install so that it'll
c0501f
  let us claim our service name if it isn't restarted before we are
c0501f
  first started (#636876)
c0501f
c0501f
* Wed Aug 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.30-1
c0501f
- update to 0.30
c0501f
  - fix errors computing the time at the end of an interval that were
c0501f
    caught by self-tests
c0501f
c0501f
* Mon Aug 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.29-1
c0501f
- update to 0.29
c0501f
  - fix 64-bit cleanliness issue using libdbus
c0501f
  - actually include the full set of tests in tarballs
c0501f
c0501f
* Tue Aug 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.28-1
c0501f
- update to 0.28
c0501f
  - fix self-signing certificate notBefore and notAfter values on 32-bit
c0501f
    machines
c0501f
c0501f
* Tue Aug 17 2010 Nalin Dahyabhai <nalin@redhat.com> 0.27-1
c0501f
- update to 0.27
c0501f
  - portability and test fixes
c0501f
c0501f
* Fri Aug 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.26-1
c0501f
- update to 0.26
c0501f
  - when canceling a submission request that's being handled by a helper,
c0501f
    reap the child process's status after killing it (#624120)
c0501f
c0501f
* Fri Aug 13 2010 Nalin Dahyabhai <nalin@redhat.com> 0.25-1
c0501f
- update to 0.25
c0501f
  - new translations
c0501f
    - in by Okta Purnama Rahadian!
c0501f
  - fix detection of cases where we can't access a private key in an NSS
c0501f
    database because we don't have the PIN
c0501f
  - teach '*getcert start-tracking' about the -p and -P options which the
c0501f
    '*getcert request' commands already understand (#621670), and also
c0501f
    the -U, -K, -E, and -D flags
c0501f
  - double-check that the nicknames of keys we get back from
c0501f
    PK11_ListPrivKeysInSlot() match the desired nickname before accepting
c0501f
    them as matches, so that our tests won't all blow up on EL5
c0501f
  - fix dynamic addition and removal of CAs implemented through helpers
c0501f
c0501f
* Mon Jun 28 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-4
c0501f
- init script: ensure that the subsys lock is created whenever we're called to
c0501f
  "start" when we're already running (even more of #596719)
c0501f
c0501f
* Tue Jun 15 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-3
c0501f
- more gracefully handle manual daemon startups and cleaning up of unexpected
c0501f
  crashes (still more of #596719)
c0501f
c0501f
* Thu Jun 10 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-2
c0501f
- don't create the daemon pidfile until after we've connected to the D-Bus
c0501f
  (still more of #596719)
c0501f
c0501f
* Tue Jun  8 2010 Nalin Dahyabhai <nalin@redhat.com> 0.24-1
c0501f
- update to 0.24
c0501f
  - keep the lock on the pid file, if we have one, when we fork, and cancel
c0501f
    daemon startup if we can't gain ownership of the lock (the rest of #596719)
c0501f
  - make the man pages note which external configuration files we consult when
c0501f
    submitting requests to certmaster and ipa CAs
c0501f
c0501f
* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com> 0.23-1
c0501f
- update to 0.23
c0501f
  - new translations
c0501f
    - pl by Piotr Drąg!
c0501f
  - cancel daemon startup if we can't gain ownership of our well-known
c0501f
    service name on the DBus (#596719)
c0501f
c0501f
* Fri May 14 2010 Nalin Dahyabhai <nalin@redhat.com> 0.22-1
c0501f
- update to 0.22
c0501f
  - new translations
c0501f
    - de by Fabian Affolter!
c0501f
  - certmaster-submit: don't fall over when we can't find a certmaster.conf
c0501f
    or a minion.conf (i.e., certmaster isn't installed) (#588932)
c0501f
  - when reading extension values from certificates, prune out duplicate
c0501f
    principal names, email addresses, and hostnames
c0501f
c0501f
* Tue May  4 2010 Nalin Dahyabhai <nalin@redhat.com> 0.21-1
c0501f
- update to 0.21
c0501f
  - getcert/*-getcert: relay the desired CA to the local service, whether
c0501f
    specified on the command line (in getcert) or as a built-in hard-wired
c0501f
    default (in *-getcert) (#584983)
c0501f
  - flesh out the default certmonger.conf so that people can get a feel for
c0501f
    the expected formatting (Jenny Galipeau)
c0501f
c0501f
* Wed Apr 21 2010 Nalin Dahyabhai <nalin@redhat.com> 0.20-1
c0501f
- update to 0.20
c0501f
  - correctly parse certificate validity periods given in years (spotted by
c0501f
    Stephen Gallagher)
c0501f
  - setup for translation
c0501f
    - es by Héctor Daniel Cabrera!
c0501f
    - ru by Yulia Poyarkova!
c0501f
    - uk by Yuri Chornoivan!
c0501f
  - fix unpreprocessed defaults in certmonger.conf's man page
c0501f
  - tweak the IPA-specific message that indicates a principal name also needs
c0501f
    to be specified if we're not using the default subject name (#579542)
c0501f
  - make the validity period of self-signed certificates into a configuration
c0501f
    setting and not a piece of the state information we track about the signer
c0501f
  - init script: exit with status 2 instead of 1 when invoked with an
c0501f
    unrecognized argument (#584517)
c0501f
c0501f
* Tue Mar 23 2010 Nalin Dahyabhai <nalin@redhat.com> 0.19-1
c0501f
- update to 0.19
c0501f
  - correctly initialize NSS databases that need to be using a PIN
c0501f
  - add certmonger.conf, for customizing notification timings and settings,
c0501f
    and use of digests other than the previously-hard-coded SHA256, and
c0501f
    drop those settings from individual requests
c0501f
  - up the default self-sign validity interval from 30 days to 365 days
c0501f
  - drop the first default notification interval from 30 days to 28 days
c0501f
    (these two combined to create a fun always-reissuing loop earlier)
c0501f
  - record the token which contains the key or certificate when we're
c0501f
    storing them in an NSS database, and report it
c0501f
  - improve handling of cases where we're supposed to use a PIN but we
c0501f
    either don't have one or we have the wrong one
c0501f
  - teach getcert to accept a PIN file's name or a PIN value when adding
c0501f
    a new entry
c0501f
  - update the IPA submission helper to use the new 'request_cert' signature
c0501f
    that's landing soon
c0501f
  - more tests
c0501f
c0501f
* Fri Feb 12 2010 Nalin Dahyabhai <nalin@redhat.com> 0.18-1
c0501f
- update to 0.18
c0501f
  - add support for using encrypted storage for keys, using PIN values
c0501f
    supplied directly or read from files whose names are supplied
c0501f
  - don't choke on NSS database locations that use the "sql:" or "dbm:"
c0501f
    prefix
c0501f
c0501f
* Mon Jan 25 2010 Nalin Dahyabhai <nalin@redhat.com> 0.17-2
c0501f
- make the D-Bus configuration file (noreplace) (#541072)
c0501f
- make the %%check section and the deps we have just for it conditional on
c0501f
  the same macro (#541072)
c0501f
c0501f
* Wed Jan  6 2010 Nalin Dahyabhai <nalin@redhat.com> 0.17-1
c0501f
- update to 0.17
c0501f
  - fix a hang in the daemon (Rob Crittenden)
c0501f
  - documentation updates
c0501f
  - fix parsing of submission results from IPA (Rob Crittenden)
c0501f
c0501f
* Fri Dec 11 2009 Nalin Dahyabhai <nalin@redhat.com> 0.16-1
c0501f
- update to 0.16
c0501f
  - set a umask at startup (Dan Walsh)
c0501f
c0501f
* Tue Dec  8 2009 Nalin Dahyabhai <nalin@redhat.com> 0.15-1
c0501f
- update to 0.15
c0501f
  - notice that a directory with a trailing '/' is the same location as the
c0501f
    directory without it
c0501f
  - fix handling of the pid file when we write one (by actually giving it
c0501f
    contents)
c0501f
c0501f
* Wed Nov 25 2009 Nalin Dahyabhai <nalin@redhat.com> 0.14-1
c0501f
- update to 0.14
c0501f
  - check key and certificate location at add-time to make sure they're
c0501f
    absolute paths to files or directories, as appropriate
c0501f
  - IPA: dig into the 'result' item if the named result value we're looking
c0501f
    for isn't in the result struct
c0501f
c0501f
* Tue Nov 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.13-1
c0501f
- update to 0.13
c0501f
  - change the default so that we default to trying to auto-refresh
c0501f
    certificates unless told otherwise
c0501f
  - preemptively enforce limitations on request nicknames so that they
c0501f
    make valid D-Bus object path components
c0501f
c0501f
* Tue Nov 24 2009 Nalin Dahyabhai <nalin@redhat.com> 0.12-1
c0501f
- update to 0.12
c0501f
  - add a crucial bit of error reporting when CAs reject our requests
c0501f
  - count the number of configured CAs correctly
c0501f
c0501f
* Mon Nov 23 2009 Nalin Dahyabhai <nalin@redhat.com> 0.11-1
c0501f
- update to 0.11
c0501f
  - add XML-RPC submission for certmaster and IPA
c0501f
  - prune entries with duplicate names from the data store
c0501f
c0501f
* Fri Nov 13 2009 Nalin Dahyabhai <nalin@redhat.com> 0.10-1
c0501f
- update to 0.10
c0501f
  - add some compiler warnings and then fix them
c0501f
c0501f
* Fri Nov 13 2009 Nalin Dahyabhai <nalin@redhat.com> 0.9-1
c0501f
- update to 0.9
c0501f
  - run external submission helpers correctly
c0501f
  - fix signing of signing requests generated for keys stored in files
c0501f
  - only care about new interface and route notifications from netlink,
c0501f
    and ignore notifications that don't come from pid 0
c0501f
  - fix logic for determining expiration status
c0501f
  - correct the version number in self-signed certificates
c0501f
c0501f
* Tue Nov 10 2009 Nalin Dahyabhai <nalin@redhat.com> 0.8-1
c0501f
- update to 0.8
c0501f
  - encode Windows UPN values in requests correctly
c0501f
  - watch for netlink routing changes and restart stalled submission requests
c0501f
  - 'getcert resubmit' can force a regeneration of the CSR and submission
c0501f
c0501f
* Fri Nov  6 2009 Nalin Dahyabhai <nalin@redhat.com> 0.7-1
c0501f
- update to 0.7
c0501f
  - first cut at a getting-started document
c0501f
  - refactor some internal key handling with NSS
c0501f
  - check for duplicate request nicknames at add-time
c0501f
c0501f
* Tue Nov  3 2009 Nalin Dahyabhai <nalin@redhat.com> 0.6-1
c0501f
- update to 0.6
c0501f
  - man pages
c0501f
  - 'getcert stop-tracking' actually makes the server forget now
c0501f
  - 'getcert request -e' was redundant, dropped the -e option
c0501f
  - 'getcert request -i' now sets the request nickname
c0501f
  - 'getcert start-tracking -i' now sets the request nickname
c0501f
c0501f
* Mon Nov  2 2009 Nalin Dahyabhai <nalin@redhat.com> 0.5-1
c0501f
- update to 0.5
c0501f
  - packaging fixes
c0501f
  - add a selfsign-getcert client
c0501f
  - self-signed certs now get basic constraints and their own serial numbers
c0501f
  - accept id-ms-kp-sc-logon as a named EKU value in a request
c0501f
c0501f
* Thu Oct 29 2009 Nalin Dahyabhai <nalin@redhat.com> 0.4-1
c0501f
- update to 0.4
c0501f
c0501f
* Thu Oct 22 2009 Nalin Dahyabhai <nalin@redhat.com> 0.1-1
c0501f
- update to 0.1
c0501f
c0501f
* Sun Oct 18 2009 Nalin Dahyabhai <nalin@redhat.com> 0.0-1
c0501f
- initial package