From dd3346a020052dba871c30cf07efe4f4a5de01e4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 05 2015 13:27:36 +0000
Subject: import opendnssec-1.4.6-3.el7
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1772253
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/opendnssec-1.4.6.tar.gz
diff --git a/.opendnssec.metadata b/.opendnssec.metadata
new file mode 100644
index 0000000..7deff2d
--- /dev/null
+++ b/.opendnssec.metadata
@@ -0,0 +1 @@
+2318b31546d0d4118cd03b9591ba76d259e1b0b0 SOURCES/opendnssec-1.4.6.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 98f42b4..0000000
--- a/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/0000-add-libhsm-configuration-option-AllowExtraction.patch b/SOURCES/0000-add-libhsm-configuration-option-AllowExtraction.patch
new file mode 100644
index 0000000..6875041
--- /dev/null
+++ b/SOURCES/0000-add-libhsm-configuration-option-AllowExtraction.patch
@@ -0,0 +1,162 @@ +From 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37 Mon Sep 17 00:00:00 2001 +From: Petr Spacek +Date: Fri, 18 Jul 2014 16:19:36 +0200 +Subject: [PATCH] add libhsm configuration option + +This option allows user to generate private keys with CKA_EXTRACTABLE +flag set to TRUE. Defaults to FALSE. +--- + NEWS | 5 +++++ + conf/conf.rnc | 5 ++++- + conf/conf.xml.in | 3 +++ + libhsm/src/lib/libhsm.c | 15 ++++++++++++--- + libhsm/src/lib/libhsm.h | 1 + + 5 files changed, 25 insertions(+), 4 deletions(-) + +diff --git a/NEWS b/NEWS +index 4db7038..2efa176 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,3 +1,8 @@ ++* Enforcer: New repository option allows to generate keys ++ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped ++ and extracted from HSM. ++ ++ + OpenDNSSEC 1.4.6 - 2014-07-21 + + * Signer Engine: Print secondary server address when logging notify reply +diff --git a/conf/conf.rnc b/conf/conf.rnc +index 71d527f..65f837e 100644 +--- a/conf/conf.rnc ++++ b/conf/conf.rnc +@@ -50,7 +50,10 @@ start = element Configuration { + element RequireBackup { empty }?, + + # Do not maintain public keys in the repository (optional) +- element SkipPublicKey { empty }? ++ element SkipPublicKey { empty }?, ++ ++ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) ++ element AllowExtraction { empty }? + }* + }, + +diff --git a/conf/conf.xml.in b/conf/conf.xml.in +index 0ef2ab9..0536681 100644 +--- a/conf/conf.xml.in ++++ b/conf/conf.xml.in +@@ -9,6 +9,9 @@ + OpenDNSSEC + 1234 + ++ + + + + + + + + + + + + local0 + + + /etc/opendnssec/kasp.xml + /etc/opendnssec/zonelist.xml + + + + + + + ods + ods + + + /var/opendnssec/kasp.db + PT3600S + + + + + + + + + + ods + ods + + + /var/opendnssec/tmp + 4 + + + + + + + diff --git a/SOURCES/ods-enforcerd.service b/SOURCES/ods-enforcerd.service new file mode 100644 index 0000000..b660d86 --- /dev/null +++ b/SOURCES/ods-enforcerd.service 
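Review bot: The conf.rnc comment for the new element, `# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)`, names the mechanism but not its consequence, which is the reason the embedded patch's description makes FALSE the default: a key created with CKA_EXTRACTABLE set can be wrapped and leave the HSM, so turning the element on changes the repository's key-protection guarantee, and PKCS#11 only allows that attribute to move from TRUE to FALSE afterwards, never back. Suggest `# Allow private keys to be wrapped and extracted from the HSM (CKA_EXTRACTABLE = TRUE); enable only for repositories that need key export (optional)`. The libhsm.c and libhsm.h parts of the embedded patch, where the option is actually read and applied, are not legible on this page, and the three lines its conf.xml.in hunk adds are lost too, so whether the shipped sample configuration enables the element cannot be checked from here.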
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenDNSSEC Enforcer daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/opendnssec/enforcerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/ods-signerd.service b/SOURCES/ods-signerd.service
new file mode 100644
index 0000000..f8a097c
--- /dev/null
+++ b/SOURCES/ods-signerd.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=OpenDNSSEC signer daemon
+After=syslog.target network.target
+
+[Service]
+Type=simple
+PIDFile=/var/run/opendnssec/signerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
+After=ods-enforcerd
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/ods.sysconfig b/SOURCES/ods.sysconfig
new file mode 100644
index 0000000..1cf67f2
--- /dev/null
+++ b/SOURCES/ods.sysconfig
@@ -0,0 +1,2 @@
+ODS_SIGNERD_OPT=""
+ODS_ENFORCERD_OPT=""
diff --git a/SOURCES/opendnssec.cron b/SOURCES/opendnssec.cron
new file mode 100644
index 0000000..776de9b
--- /dev/null
+++ b/SOURCES/opendnssec.cron
@@ -0,0 +1,4 @@
+# Ensure multiple ods-enforcerd's on different system roll at the same time
+# independant of when the daemon was started. Since TLDs often update their
+# zone "on the hour" we do the key rollover checks just before the hour.
+50,20 * * * * root test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null
diff --git a/SOURCES/tmpfiles-opendnssec.conf b/SOURCES/tmpfiles-opendnssec.conf
new file mode 100644
index 0000000..aa50e89
--- /dev/null
+++ b/SOURCES/tmpfiles-opendnssec.conf
@@ -0,0 +1 @@
+D /var/run/opendnssec 0700 ods ods -
diff --git a/SPECS/opendnssec.spec b/SPECS/opendnssec.spec
new file mode 100644
index 0000000..26e6d36
--- /dev/null
+++ b/SPECS/opendnssec.spec
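Review bot: `After=ods-enforcerd` in ods-signerd.service sits in the [Service] section, where systemd does not accept it (it is a [Unit] directive and is dropped with a warning), and it names the unit without its `.service` suffix, so the intended start-after-enforcer ordering is silently lost. Move it into [Unit] as `After=syslog.target network.target ods-enforcerd.service`. `PIDFile=` is also unused on a `Type=simple` unit; if `-d` keeps ods-signerd in the foreground, as the choice of Type=simple suggests, that line can go.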
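Review bot: The cron line guards on `/var/lock/subsys/ods-enforcerd`, a SysV-init lock file that nothing in this commit creates — the package ships only systemd units — so on a systemd-only host the job most likely never runs. Separately, the command executes as root and sends SIGHUP to whatever PID it reads from `/var/run/opendnssec/enforcerd.pid`, a file in a directory the tmpfiles entry hands to the `ods` account, so the content of that file, not the unit, decides which process root signals. Both are avoided by letting systemd do the check and the signal: `50,20 * * * * root systemctl -q is-active ods-enforcerd.service && systemctl kill --kill-who=main -s SIGHUP ods-enforcerd.service >/dev/null 2>&1`, which confines the signal to the unit's own main process. The comment promises checks "just before the hour" while the schedule also fires at minute 20; one of the two should be corrected.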
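Review bot: `D /var/run/opendnssec 0700 ods ods -` disagrees with the spec's `%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec` in the same commit: the RPM creates the directory as root:ods 0770, but tmpfiles recreates it as ods:ods 0700 on every boot, so ownership and mode depend on whether the host was just installed or just rebooted. Pick one owner/mode and use it in both places, e.g. `d /var/run/opendnssec 0770 root ods -` here, or change the spec's %attr to match this line. Note that `D` also empties the directory at boot, which is what a pid-file directory wants, so only the owner and mode need aligning.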
@@ -0,0 +1,140 @@
+#global prever rcX
+%global _hardened_build 1
+
+Summary: DNSSEC key and zone management software
+Name: opendnssec
+Version: 1.4.6
+Release: 3%{?prever}%{?dist}
+License: BSD
+Url: http://www.opendnssec.org/
+Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
+Source1: ods-enforcerd.service
+Source2: ods-signerd.service
+Source3: ods.sysconfig
+Source4: conf.xml
+Source5: tmpfiles-opendnssec.conf
+Source6: opendnssec.cron
+
+Patch0: 0000-add-libhsm-configuration-option-AllowExtraction.patch
+Patch1: 0001-use-system-trang.patch
+Patch2: 0002-get-started.patch
+
+Group: Applications/System
+Requires: opencryptoki, softhsm >= 2.0.0b1-2, systemd-units
+BuildRequires: libxml2, libxslt
+Requires: libxml2, libxslt
+BuildRequires: ldns-devel >= 1.6.12, sqlite-devel , openssl-devel
+BuildRequires: libxml2-devel, doxygen, trang
+# It tests for pkill/killall and would use /bin/false if not found
+BuildRequires: procps-ng
+BuildRequires: systemd-units
+BuildRequires: sed
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+%if 0%{?prever:1}
+#For building snapshots
+Buildrequires: autoconf, automake, libtool, java
+%endif
+
+%description
+OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
+It secures zone data just before it is published in an authoritative
+name server. It requires a PKCS#11 crypto module library, such as softhsm.
+
+This is UNSUPPORTED EXPERIMENTAL package.
+
+%prep
+%setup -q -n %{name}-%{version}%{?prever}
+# bump default policy ZSK keysize to 2048
+sed -i "s/1024/2048/" conf/kasp.xml.in
+%patch0 -p1 -b .p0.allow_extraction
+%patch1 -p1 -b .p0.system_trang
+%patch2 -p1
+# fix platform-specific paths in conf.xml
+sed -i 's:/usr/lib64:%{_libdir}:' %{SOURCE4}
+
+%build
+export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
+export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
+export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+%configure --with-ldns=%{_libdir} --without-cunit
+make %{?_smp_mflags}
+
+%check
+# Requires sample db not shipped with upstream
+# It also requires CUnit-devel package which is not in RHEL
+# make check
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} install
+mkdir -p %{buildroot}/var/opendnssec/{tmp,signed,signconf}
+install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
+install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
+rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
+install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig
+install -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
+install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
+mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/tmpfiles.d/opendnssec.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
+
+%files
+%{_unitdir}/ods-enforcerd.service
+%{_unitdir}/ods-signerd.service
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/opendnssec.conf
+%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signed
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
+%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
+%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
+%doc NEWS README.md LICENSE GETSTARTED
+%{_mandir}/*/*
+%{_sbindir}/*
+%{_bindir}/*
+%attr(0770,root,ods) %dir %{_datadir}/%{name}
+%{_datadir}/%{name}/*
+
+%pre
+getent group ods >/dev/null || groupadd -r ods
+getent passwd ods >/dev/null || \
+useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
+-c "opendnssec daemon account" ods
+exit 0
+
+%post
+# in case we update any xml conf file
+ods-ksmutil update all >/dev/null 2>/dev/null ||:
+%systemd_post ods-enforcerd.service
+%systemd_post ods-signerd.service
+
+
+%preun
+%systemd_preun ods-enforcerd.service
+%systemd_preun ods-signerd.service
+
+%postun
+%systemd_postun_with_restart ods-enforcerd.service
+%systemd_postun_with_restart ods-signerd.service
+
+%changelog
+* Tue Sep 30 2014 Petr Spacek - 1.4.6-3
+- Updated spec to build platform-indepent conf.xml
+
+* Tue Sep 30 2014 Paul Wouters - 1.4.6-2
+- Changed conf.xml to reference softhsm at /usr/lib64/pkcs11/libsofthsm2.so
+- Updated Requires: to softhsm >= 2.0.0b1-2
+
+* Mon Sep 22 2014 Petr Spacek - 1.4.6-1
+- Imported version 1.4.6
+- Added patch which adds configuration option
+
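Review bot: `%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml` in %files makes every configuration file, conf.xml included, writable by the `ods` service account, while the two units carry no `User=` (so the daemons are launched as root and any privilege drop happens only through conf.xml itself) and `%post` runs `ods-ksmutil update all` as root against those same files. Per this commit's own 1.4.6-2 changelog line, conf.xml names the PKCS#11 module to load, so a file the unprivileged account can rewrite is later read and acted on by root, which erases the boundary the `ods` user is meant to provide. Unless a specific tool must write these files as `ods` (zonelist.xml may be such a case and could be listed separately), use `%attr(0640,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml`; the same reasoning applies to `%attr(0770,root,ods) %dir %{_datadir}/%{name}`, whose contents are installed at build time and have no visible runtime writer. In %prep, `sed -i "s/1024/2048/" conf/kasp.xml.in` rewrites the first `1024` on every line of the file, not only the ZSK key-size element, so anchoring the expression on the element it targets would keep unrelated values intact.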