From 0207cb04dc78637e6e0ffb239d50f06a0cba5450 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 01 2019 17:06:18 +0000
Subject: import dnssec-trigger-0.15-4.el8


---

diff --git a/.dnssec-trigger.metadata b/.dnssec-trigger.metadata
new file mode 100644
index 0000000..802ea06
--- /dev/null
+++ b/.dnssec-trigger.metadata
@@ -0,0 +1 @@
+36fd7c2aefaf7b5f066ad993bdc948126f3bf21f SOURCES/dnssec-trigger-0.15.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..30d03f7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/dnssec-trigger-0.15.tar.gz
diff --git a/SOURCES/0001-dnssec-trigger-script-port-to-libnm.patch b/SOURCES/0001-dnssec-trigger-script-port-to-libnm.patch
new file mode 100644
index 0000000..5891c2b
--- /dev/null
+++ b/SOURCES/0001-dnssec-trigger-script-port-to-libnm.patch
@@ -0,0 +1,108 @@
+From ef18b39abdb5e8bf870ada3c108ab7f083405d2c Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Thu, 15 Feb 2018 17:57:52 +0100
+Subject: [PATCH] dnssec-trigger-script: port to libnm
+
+The libnm-glib is depreacted for a long time already and is eventually
+going away.
+---
+ dnssec-trigger-script.in | 51 ++++++++++++++----------------------------------
+ 1 file changed, 15 insertions(+), 36 deletions(-)
+
+diff --git a/dnssec-trigger-script.in b/dnssec-trigger-script.in
+index 5f70580..14d9278 100644
+--- a/dnssec-trigger-script.in
++++ b/dnssec-trigger-script.in
+@@ -13,14 +13,13 @@ import glob
+ import subprocess
+ import logging
+ import logging.handlers
+-import socket
+ import struct
+ import signal
+ 
+ import gi
+-gi.require_version('NMClient', '1.0')
++gi.require_version('NM', '1.0')
+ 
+-from gi.repository import NMClient
++from gi.repository import NM
+ 
+ # Python compatibility stuff
+ if not hasattr(os, "O_CLOEXEC"):
+@@ -132,7 +131,7 @@ class ConnectionList:
+ 
+     def __init__(self, client, only_default=False, only_vpn=False, skip_wifi=False):
+         # Cache the active connection list in the class
+-        if not client.get_manager_running():
++        if not client.get_nm_running():
+             raise UserError("NetworkManager is not running.")
+         if self.nm_connections is None:
+             self.__class__.nm_connections = client.get_active_connections()
+@@ -208,40 +207,20 @@ class Connection:
+         self.uuid = connection.get_uuid()
+ 
+         self.zones = []
+-        try:
+-            self.zones += connection.get_ip4_config().get_domains()
+-        except AttributeError:
+-            pass
+-        try:
+-            self.zones += connection.get_ip6_config().get_domains()
+-        except AttributeError:
+-            pass
+-
+         self.servers = []
+-        try:
+-            self.servers += [self.ip4_to_str(server) for server in connection.get_ip4_config().get_nameservers()]
+-        except AttributeError:
+-            pass
+-        try:
+-            self.servers += [self.ip6_to_str(connection.get_ip6_config().get_nameserver(i))
+-                for i in range(connection.get_ip6_config().get_num_nameservers())]
+-        except AttributeError:
+-            pass
+-
+-    def __repr__(self):
+-        return "<Connection(uuid={uuid}, type={type}, default={is_default}, zones={zones}, servers={servers})>".format(**vars(self))
+ 
+-    @staticmethod
+-    def ip4_to_str(ip4):
+-        """Converts IPv4 address from integer to string."""
+-
+-        return socket.inet_ntop(socket.AF_INET, struct.pack("=I", ip4))
++        ip4_config = connection.get_ip4_config()
++        if ip4_config is not None:
++            self.zones += ip4_config.get_domains()
++            self.servers += ip4_config.get_nameservers()
+ 
+-    @staticmethod
+-    def ip6_to_str(ip6):
+-        """Converts IPv6 address from integer to string."""
++        ip6_config = connection.get_ip6_config()
++        if ip6_config is not None:
++            self.zones += ip6_config.get_domains()
++            self.servers += ip6_config.get_nameservers()
+ 
+-        return socket.inet_ntop(socket.AF_INET6, ip6)
++    def __repr__(self):
++        return "<Connection(uuid={uuid}, type={type}, default={is_default}, zones={zones}, servers={servers})>".format(**vars(self))
+ 
+     @property
+     def ignore(self):
+@@ -466,10 +445,10 @@ class Application:
+         except AttributeError:
+             self.usage()
+ 
+-        self.client = NMClient.Client().new()
++        self.client = NM.Client().new()
+ 
+     def nm_handles_resolv_conf(self):
+-        if not self.client.get_manager_running():
++        if not self.client.get_nm_running():
+             log.debug("NetworkManager is not running")
+             return False
+         try:
+-- 
+2.13.6
+
diff --git a/SOURCES/dnssec-trigger-default.conf b/SOURCES/dnssec-trigger-default.conf
new file mode 100644
index 0000000..cc18335
--- /dev/null
+++ b/SOURCES/dnssec-trigger-default.conf
@@ -0,0 +1,99 @@
+# Fedora/EPEL version of dnssec-trigger.conf
+
+# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
+# verbosity: 1
+
+# pidfile location
+pidfile: "/var/run/dnssec-triggerd.pid"
+
+# log to a file instead of syslog, default is to syslog
+# logfile: "/var/log/dnssec-trigger.log"
+
+# log to syslog, or (log to to stderr or a logfile if specified). yes or no.
+# use-syslog: yes
+
+# chroot to this directory
+# chroot: ""
+
+# the unbound-control binary if not found in PATH.
+# commandline options can be appended "unbound-control -c my.conf" if you wish.
+# unbound-control: "/usr/sbin/unbound-control"
+
+# where is resolv.conf to edit.
+# resolvconf: "/etc/resolv.conf"
+
+# the domain example.com line (if any) to add to resolv.conf(5). default none.
+# domain: ""
+
+# domain name search path to add to resolv.conf(5). default none.
+# the search path from DHCP is not picked up, it could be used to misdirect.
+# search: ""
+
+# the command to run to open login pages on hot spots, a web browser.
+# empty string runs no command.
+# login-command: "xdg-open"
+
+# the url to open to get hot spot login, it gets overridden by the hotspot.
+# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
+# should to be a ttl=0 entry
+login-location: "http://hotspot-nocache.fedoraproject.org/"
+
+# do not perform actions (unbound-control or resolv.conf), for a dry-run.
+# noaction: no
+
+# port number to use for probe daemon.
+# port: 8955
+
+# keys and certificates generated by the dnssec-trigger-keygen systemd service
+# (which called dnssec-trigger-control-setup)
+server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
+server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
+control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
+control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
+
+# check for updates, download and ask to install them (for Windows, OSX).
+# check-updates: no
+
+# webservers that are probed to see if internet access is possible.
+# They serve a simple static page over HTTP port 80.  It probes a random url:
+# after a space is the content expected on the page, (the page can contain
+# whitespace before and after this code).  Without urls it skips http probes.
+
+# provided by NLnetLabs
+# It is provided on a best effort basis, with no service guarantee.
+# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+
+# provided by FedoraProject
+url: "http://fedoraproject.org/static/hotspot.txt OK"
+
+# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
+# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put
+# the following on one line: ssl443:<space><IP><space><HASHoutput>
+# hash is output of openssl x509 -sha256 -fingerprint -in server.pem
+# You can add more with extra config lines.
+
+# Provided by fedoraproject.org, #fedora-admin
+# It is provided on a best effort basis, with no service guarantee.
+ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80:  140.211.169.201
+ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80:  66.35.62.163 
+ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80:  152.19.134.150 
+ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9 
+
+# provided by Paul Wouters (pwouters@redhat.com)
+# It is provided on a best effort basis, with no service guarantee.
+# tcp80:  193.110.157.123
+# tcp80:  2001:888:2003:1004::123
+# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
+# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
+
+# provided by NLnetLabs (www.nlnetlabs.nl)
+# It is provided on a best effort basis, with no service guarantee.
+# tcp80: 213.154.224.3
+# tcp80: 2001:7b8:206:1:bb::
+# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
+# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
+
diff --git a/SOURCES/dnssec-trigger-workstation.conf b/SOURCES/dnssec-trigger-workstation.conf
new file mode 100644
index 0000000..78b0cc6
--- /dev/null
+++ b/SOURCES/dnssec-trigger-workstation.conf
@@ -0,0 +1,101 @@
+# Fedora/EPEL version of dnssec-trigger.conf
+
+# logging detail, 0=only errors, 1=operations, 2=detail, 3,4 debug detail.
+# verbosity: 1
+
+# pidfile location
+pidfile: "/var/run/dnssec-triggerd.pid"
+
+# log to a file instead of syslog, default is to syslog
+# logfile: "/var/log/dnssec-trigger.log"
+
+# log to syslog, or (log to to stderr or a logfile if specified). yes or no.
+# use-syslog: yes
+
+# chroot to this directory
+# chroot: ""
+
+# the unbound-control binary if not found in PATH.
+# commandline options can be appended "unbound-control -c my.conf" if you wish.
+# unbound-control: "/usr/sbin/unbound-control"
+
+# where is resolv.conf to edit.
+# resolvconf: "/etc/resolv.conf"
+
+# the domain example.com line (if any) to add to resolv.conf(5). default none.
+# domain: ""
+
+# domain name search path to add to resolv.conf(5). default none.
+# the search path from DHCP is not picked up, it could be used to misdirect.
+# search: ""
+
+# the command to run to open login pages on hot spots, a web browser.
+# empty string runs no command.
+# login-command: "xdg-open"
+login-command: ""
+
+# the url to open to get hot spot login, it gets overridden by the hotspot.
+# login-location: "http://www.nlnetlabs.nl/projects/dnssec-trigger"
+# should to be a ttl=0 entry
+# login-location: "http://hotspot-nocache.fedoraproject.org/"
+
+# do not perform actions (unbound-control or resolv.conf), for a dry-run.
+# noaction: no
+
+# port number to use for probe daemon.
+# port: 8955
+
+# keys and certificates generated by the dnssec-trigger-keygen systemd service
+# (which called dnssec-trigger-control-setup)
+server-key-file: "/etc/dnssec-trigger/dnssec_trigger_server.key"
+server-cert-file: "/etc/dnssec-trigger/dnssec_trigger_server.pem"
+control-key-file: "/etc/dnssec-trigger/dnssec_trigger_control.key"
+control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
+
+# check for updates, download and ask to install them (for Windows, OSX).
+# check-updates: no
+
+# webservers that are probed to see if internet access is possible.
+# They serve a simple static page over HTTP port 80.  It probes a random url:
+# after a space is the content expected on the page, (the page can contain
+# whitespace before and after this code).  Without urls it skips http probes.
+
+# provided by NLnetLabs
+# It is provided on a best effort basis, with no service guarantee.
+# url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
+
+# provided by FedoraProject
+# on Workstation, the detection is turned off
+# url: "http://fedoraproject.org/static/hotspot.txt OK"
+
+# fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
+# the ssl443 adds an ssl server IP, if you specify a hash it is checked, put
+# the following on one line: ssl443:<space><IP><space><HASHoutput>
+# hash is output of openssl x509 -sha256 -fingerprint -in server.pem
+# You can add more with extra config lines.
+
+# Provided by fedoraproject.org, #fedora-admin
+# It is provided on a best effort basis, with no service guarantee.
+ssl443: 140.211.169.201 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80:  140.211.169.201
+ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80:  66.35.62.163 
+ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80:  152.19.134.150 
+ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
+tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9 
+
+# provided by Paul Wouters (pwouters@redhat.com)
+# It is provided on a best effort basis, with no service guarantee.
+# tcp80:  193.110.157.123
+# tcp80:  2001:888:2003:1004::123
+# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
+# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
+
+# provided by NLnetLabs (www.nlnetlabs.nl)
+# It is provided on a best effort basis, with no service guarantee.
+# tcp80: 213.154.224.3
+# tcp80: 2001:7b8:206:1:bb::
+# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
+# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
+
diff --git a/SOURCES/dnssec-trigger.tmpfiles.d b/SOURCES/dnssec-trigger.tmpfiles.d
new file mode 100644
index 0000000..000d918
--- /dev/null
+++ b/SOURCES/dnssec-trigger.tmpfiles.d
@@ -0,0 +1 @@
+d /var/run/dnssec-trigger 0755 root root -
diff --git a/SPECS/dnssec-trigger.spec b/SPECS/dnssec-trigger.spec
new file mode 100644
index 0000000..8ea9254
--- /dev/null
+++ b/SPECS/dnssec-trigger.spec
@@ -0,0 +1,427 @@
+%global _hardened_build 1
+
+#%%global svn_snapshot 20150714
+
+Summary: Tool for dynamic reconfiguration of validating resolver Unbound
+Name: dnssec-trigger
+Version: 0.15
+Release: 4%{?svn_snapshot:.%{svn_snapshot}svn}%{?dist}
+License: BSD
+Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/
+
+%if 0%{?svn_snapshot:1}
+# generated using './makedist.sh -s' in the cloned upstream trunk
+Source0: %{name}-%{version}_%{svn_snapshot}.tar.gz
+%else
+Source0: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
+%endif
+Source1: dnssec-trigger.tmpfiles.d
+Source2: dnssec-trigger-default.conf
+Source3: dnssec-trigger-workstation.conf
+
+# Patches
+Patch1: 0001-dnssec-trigger-script-port-to-libnm.patch
+
+# to obsolete the version in which the panel was in main package
+Obsoletes: %{name} < 0.12-22
+Suggests: %{name}-panel
+# Require a version of NetworkManager that doesn't forget to issue dhcp-change
+# https://bugzilla.redhat.com/show_bug.cgi?id=1112248
+%if 0%{?rhel} >= 7
+Requires: NetworkManager >= 0.9.9.1-13
+%else
+%if 0%{?fedora} >= 21
+Requires: NetworkManager >= 0.9.9.95-1
+%else
+Requires: NetworkManager >= 0.9.9.0-40
+%endif
+%endif
+Requires: ldns >= 1.6.10, NetworkManager-libnm, unbound
+# needed by /usr/sbin/dnssec-trigger-control-setup
+# otherwise it ends with error: /usr/sbin/dnssec-trigger-control-setup: line 180: openssl: command not found
+Requires: openssl
+# needed for /usr/bin/chattr
+Requires: e2fsprogs
+BuildRequires: openssl-devel, ldns-devel, python3-devel, gcc
+BuildRequires: NetworkManager-libnm-devel
+
+BuildRequires: systemd
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+
+# Provides Workstation specific configuration
+# - No captive portal detection and no action available on Captive portal (No UI)
+Provides: variant_config(Workstation)
+
+%description
+dnssec-trigger reconfigures the local Unbound DNS server. Unbound is a
+resolver performing DNSSEC validation. dnssec-trigger is a set of daemon
+and script. On every network configuration change dnssec-trigger performs
+set of tests and configures Unbound based on the current NetworkManager
+configuration, its own configuration and results of performed tests.
+
+
+%package panel
+Summary: Applet for interaction between the user and dnssec-trigger
+Requires: %{name} = %{version}-%{release}
+Obsoletes: %{name} < 0.12-22
+Requires: xdg-utils
+BuildRequires: gtk2-devel, desktop-file-utils
+
+%description panel
+This package provides the GTK panel for interaction between the user
+and dnssec-trigger daemon. It is able to show the current state and
+results of probing performed by dnssec-trigger daemon. Also in case
+some user input is needed, the panel creates a dialog window.
+
+
+%prep
+%setup -q %{?svn_snapshot:-n %{name}-%{version}_%{svn_snapshot}}
+
+%patch1 -p1 -b .libnm_port
+
+# don't use DNSSEC for forward zones for now
+sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zones=no/" dnssec.conf
+
+
+%build
+%configure  \
+    --with-keydir=%{_sysconfdir}/dnssec-trigger \
+    --with-hooks=networkmanager \
+    --with-python=%{__python3} \
+    --with-pidfile=%{_localstatedir}/run/%{name}d.pid
+
+%{__make} %{?_smp_mflags}
+
+
+%install
+rm -rf %{buildroot}
+%{__make} DESTDIR=%{buildroot} install
+
+install -d 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/
+install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/
+
+mkdir -p %{buildroot}%{_libexecdir}
+
+desktop-file-install --dir=%{buildroot}%{_datadir}/applications dnssec-trigger-panel.desktop
+
+# install the configuration for /var/run/dnssec-trigger into tmpfiles.d dir
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/%{name}.conf
+# we must create the /var/run/dnssec-trigger directory
+mkdir -p %{buildroot}%{_localstatedir}/run
+install -d -m 0755 %{buildroot}%{_localstatedir}/run/%{name}
+
+# supress the panel name everywhere including the gnome3 panel at the bottom
+ln -s dnssec-trigger-panel %{buildroot}%{_bindir}/dnssec-trigger
+
+# Make dnssec-trigger.8 manpage available under names of all dnssec-trigger-*
+# executables
+for all in dnssec-trigger-control dnssec-trigger-control-setup dnssec-triggerd; do
+    ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/"$all".8
+done
+ln -s %{_mandir}/man8/dnssec-trigger.8 %{buildroot}/%{_mandir}/man8/dnssec-trigger.conf.8
+
+
+%post
+%systemd_post %{name}d.service
+
+%preun
+%systemd_preun %{name}d.service
+
+%postun
+%systemd_postun_with_restart %{name}d.service
+
+%posttrans
+# If we don't yet have a symlink or existing file for dnssec-trigger.conf,
+# create it..
+if [ ! -e %{_sysconfdir}/%{name}/dnssec-trigger.conf ]; then
+    # Import /etc/os-release to get the variant definition
+    . /etc/os-release || :
+
+    case "$VARIANT_ID" in
+        workstation)
+            ln -sf %{name}-workstation.conf %{_sysconfdir}/%{name}/dnssec-trigger.conf || :
+            ;;
+        *)
+            ln -sf %{name}-default.conf %{_sysconfdir}/%{name}/dnssec-trigger.conf || :
+            ;;
+        esac
+fi
+
+
+
+%files
+%license LICENSE
+%doc README
+%{_bindir}/dnssec-trigger
+%{_sbindir}/dnssec-trigger*
+%{_libexecdir}/dnssec-trigger-script
+%{_unitdir}/%{name}d.service
+%{_unitdir}/%{name}d-keygen.service
+%attr(0755,root,root) %{_sysconfdir}/NetworkManager/dispatcher.d/01-dnssec-trigger
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/dnssec.conf
+%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
+%attr(0644,root,root) %ghost %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-default.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-trigger-workstation.conf
+%dir %{_localstatedir}/run/%{name}
+%{_tmpfilesdir}/%{name}.conf
+%{_mandir}/man8/dnssec-trigger*
+
+%files panel
+%{_bindir}/dnssec-trigger-panel
+%attr(0755,root,root) %dir %{_datadir}/%{name}
+%attr(0644,root,root) %{_datadir}/%{name}/*
+%attr(0644,root,root) %{_datadir}/applications/dnssec-trigger-panel.desktop
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/xdg/autostart/dnssec-trigger-panel.desktop
+
+
+%changelog
+* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-4
+- Added explicit BuildRequires on gcc as required by packaging guidelines
+- Added explicit Requires on e2fsprogs, so that /usr/bin/chattr is available
+- Remove redundant removal of immutable bit in %%preun scriptlet (#1542400)
+
+* Mon Feb 19 2018 Tomas Hozza <thozza@redhat.com> - 0.15-3
+- use NetworkManager-libnm instead of NetworkManager-glib
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Dec 11 2017 Tomas Hozza <thozza@redhat.com> - 0.15-1
+- Update to stable 0.15 upstream release
+
+* Fri Aug 18 2017 Petr Menšík <pemensik@redhat.com> - 0.13-6
+- Skip always failing kr.com, update root IPs (#1482939)
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 0.13-3
+- Rebuild against new ldns
+
+* Wed Mar 01 2017 Tomas Hozza <thozza@redhat.com> - 0.13-2
+- Include fix for runtime issues with OpenSSL 1.1.0 (#1427561)
+
+* Fri Feb 17 2017 Tomas Hozza <thozza@redhat.com> - 0.13-1
+- Update to stable 0.13 upstream release
+- Dropped merged patches
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.6.20150714svn
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.13-0.5.20150714svn
+- Rebuild for Python 3.6
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.13-0.4.20150714svn
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Mon Jul 20 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.2.20150714svn
+- Provide Workstation specific configuration
+
+* Wed Jul 15 2015 Tomas Hozza <thozza@redhat.com> - 0.13-0.1.20150714svn
+- split dnssec-trigger panel into separate subpackage (#1236363)
+- SPEC file cleanup based on rpmlint and fedora-review issues
+- implement some suggestions (#1236363)
+- rebase to the latest svn trunk snapshot 0.13_20150714
+- Script is not searching local user directories any more (#1213062)
+- Script now doesn't restart NM if version is >= 1.0.3, but sends just signal
+- Script now specifies the NMClient version for GI (#1242430)
+- Script now sets negative-cache-ttl in unbound to 5 seconds (#1229596)
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Apr 08 2015 Tomas Hozza <thozza@redhat.com> - 0.12-20
+- Fix issue when installing private address range zone without global forwarders (#1205864)
+- Fix configuration of private address range zones (#1128310#c20)
+
+* Fri Mar 13 2015 Tomas Hozza <thozza@redhat.com> - 0.12-19
+- Fix typo in the dnssec-trigger-script (#1187371)
+- Use Python3 by default
+
+* Mon Jan 26 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-18
+- Resolves: #1185796, #1130502, #1105685, #1128310 – update
+
+* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-17
+- Resolves: #1183975 - systemd cgroup check fails
+
+* Tue Jan 20 2015 Pavel Šimerda <psimerda@redhat.com> - 0.12-16
+- Resolves: #1165126, #1125267, #1089766, #1112248, #824219 - update
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.12-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Aug 14 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-14
+- Resolves: #1125261 - dnssec-trigger-script: use fcntl.flock instead of
+  lockfile
+
+* Mon Aug 11 2014 Tomas Hozza <thozza@redhat.com> - 0.12-13
+- One Fedora fallback server changed IP address (#1125440)
+
+* Mon Jun 30 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-12
+- Resolves: #1112248 - require a version of NetworkManager with #1113122 fixed
+
+* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-11
+- Resolves: #1112248 - serialize the script instances
+
+* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-10
+- Resolves: #1112248 - fix a typo
+
+* Tue Jun 24 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-9
+- Resolves: #1112248 - fix systemd race condition
+
+* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-8
+- Resolves: #1112248 - don't block on systemctl restart NetworkManager
+
+* Mon Jun 23 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-7
+- Resolves: #1112248, #1111143 - update dnssec-trigger-script and dnssec-triggerd.service
+
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-6
+- Resolves: #1111143 - fix for python2
+
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-5
+- Related: #842455 - remove a patch that is now redundant
+
+* Fri Jun 20 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-4
+- update dnssec-trigger-script to current development submitted upstream
+
+* Wed Jun 18 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-3
+- Resolves: #1105896 - the new script doesn't call dnssec-trigger-control submit
+
+* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 0.12-2
+- fix various dnssec-trigger-script issues
+
+* Fri May 23 2014 Tomas Hozza <thozza@redhat.com> - 0.12-1
+- Update to 0.12 version
+- Drop merged patches
+- Drop downstream files (systemd, dispatcher scripts)
+
+* Tue May 13 2014 Paul Wouters <pwouters@redhat.com> - 0.11-21
+- Enable full hardening (includig PIE)
+- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
+
+* Wed Feb 19 2014 Tomas Hozza <thozza@redhat.com> - 0.11-20
+- Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content)
+- HN-hook: Handle situation when connection does not have a device
+
+* Wed Jan 29 2014 Tomas Hozza <thozza@redhat.com> - 0.11-19
+- Use new Python dispatcher script and ship /etc/dnssec.conf
+
+* Tue Jan 28 2014 Tomas Hozza <thozza@redhat.com> - 0.11-18
+- Use systemd macros instead of directly calling systemctl
+- simplify the systemd unit file for generating keys
+
+* Thu Nov 21 2013 Tomas Hozza <thozza@redhat.com> - 0.11-17
+- Add script to backup and restore resolv.conf on dnssec-trigger start/stop
+
+* Mon Nov 18 2013 Tomas Hozza <thozza@redhat.com> - 0.11-16
+- Improve GUI dialogs texts
+
+* Tue Nov 12 2013 Tomas Hozza <thozza@redhat.com> - 0.11-15
+- Fix NM dispatcher script to work with NM >= 0.9.9.0 (#1029571)
+
+* Mon Aug 26 2013 Tomas Hozza <thozza@redhat.com> - 0.11-14
+- Fix errors found by static analysis of source
+
+* Fri Aug 09 2013 Tomas Hozza <thozza@redhat.com> - 0.11-13
+- Use improved NM dispatcher script from upstream
+- Added tmpfiles.d config due to improved NM dispatcher script
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-11
+- link dnssec-trigger.conf.8 to dnssec-trigger.8
+- build dnssec-triggerd with full RELRO
+
+* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-10
+- remove deprecated "Application" keyword from desktop file
+
+* Mon Mar 04 2013 Adam Tkac <atkac redhat com> - 0.11-9
+- install various dnssec-trigger-* symlinks to dnssec-trigger.8 manpage
+
+* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 08 2013 Paul Wouters <pwouters@redhat.com> - 0.11-7
+- Use full path for systemd (rhbz#842455)
+
+* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-6
+- Patched daemon to remove immutable attr (rhbz#842455) as the
+  systemd ExecStopPost= target does not seem to work
+
+* Tue Jul 24 2012 Paul Wouters <pwouters@redhat.com> - 0.11-5
+- On service stop, remove immutable attr from resolv.conf (rhbz#842455)
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jun 28 2012 Paul Wouters <pwouters@redhat.com> - 0.11-3
+- Fix DHCP hook for f17+ version of nmcli (rhbz#835298)
+
+* Sun Jun 17 2012 Paul Wouters <pwouters@redhat.com> - 0.11-2
+- Small textual changes to some popup windows
+
+* Fri Jun 15 2012 Paul Wouters <pwouters@redhat.com> - 0.11-1
+- Updated to 0.11
+- http Hotspot detection via fedoraproject.org/static/hotspot.html
+- http Hotspot Login page via uses hotspot-nocache.fedoraproject.org
+
+* Thu Feb 23 2012 Paul Wouters <pwouters@redhat.com> - 0.10-4
+- Require: unbound
+
+* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-3
+- Fix the systemd startup to require unbound
+- dnssec-triggerd no longer forks, giving systemd more control
+- Fire NM dispatcher in ExecStartPost of dnssec-triggerd.service
+- Fix tcp80 entries in dnssec-triggerd.conf
+- symlink dnssec-trigger-panel to dnssec-trigger to supress the
+  "-panel" in the applet name shown in gnome3
+
+
+* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-2
+- The NM hook was not modified at the right time during build
+
+* Wed Feb 22 2012 Paul Wouters <pwouters@redhat.com> - 0.10-1
+- Updated to 0.10
+- The NM hook lacks /usr/sbin in path, resulting in empty resolv.conf on hotspot
+
+* Wed Feb 08 2012 Paul Wouters <pwouters@redhat.com> - 0.9-4
+- Updated tls443 / tls80 resolver instances supplied by Fedora Hosted
+
+* Mon Feb 06 2012 Paul Wouters <pwouters@redhat.com> - 0.9-3
+- Convert from SysV to systemd for initial Fedora release
+- Moved configs and pem files to /etc/dnssec-trigger/
+- No more /var/run/dnssec-triggerd/
+- Fix Build-requires
+- Added commented tls443 port80 entries of pwouters resolvers
+- On uninstall ensure there is no immutable bit on /etc/resolv.conf
+
+* Sat Jan 07 2012 Paul Wouters <paul@xelerance.com> - 0.9-2
+- Added LICENCE to doc section
+
+* Mon Dec 19 2011 Paul Wouters <paul@xelerance.com> - 0.9-1
+- Upgraded to 0.9
+
+* Fri Oct 28 2011 Paul Wouters <paul@xelerance.com> - 0.7-1
+- Upgraded to 0.7
+
+* Fri Sep 23 2011 Paul Wouters <paul@xelerance.com> - 0.4-1
+- Upgraded to 0.4
+
+* Sat Sep 17 2011 Paul Wouters <paul@xelerance.com> - 0.3-5
+- Start 01-dnssec-trigger-hook in daemon start
+- Ensure dnssec-triggerd starts after NetworkManager
+
+* Fri Sep 16 2011 Paul Wouters <paul@xelerance.com> - 0.3-4
+- Initial package