diff --git a/.gitignore b/.gitignore
index 1772253..4213bcd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/opendnssec-1.4.6.tar.gz
+SOURCES/opendnssec-1.4.7.tar.gz
diff --git a/.opendnssec.metadata b/.opendnssec.metadata
index 7deff2d..4bcb647 100644
--- a/.opendnssec.metadata
+++ b/.opendnssec.metadata
@@ -1 +1 @@
-2318b31546d0d4118cd03b9591ba76d259e1b0b0 SOURCES/opendnssec-1.4.6.tar.gz
+c8a5808d68a50db8ed7edf806a58f54428ad7aa8 SOURCES/opendnssec-1.4.7.tar.gz
diff --git a/SOURCES/0000-add-libhsm-configuration-option-AllowExtraction.patch b/SOURCES/0000-add-libhsm-configuration-option-AllowExtraction.patch
deleted file mode 100644
index 6875041..0000000
--- a/SOURCES/0000-add-libhsm-configuration-option-AllowExtraction.patch
+++ /dev/null
@@ -1,162 +0,0 @@ -From 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37 Mon Sep 17 00:00:00 2001 -From: Petr Spacek <pspacek@redhat.com> -Date: Fri, 18 Jul 2014 16:19:36 +0200 -Subject: [PATCH] add libhsm configuration option <AllowExtraction/> - -This option allows user to generate private keys with CKA_EXTRACTABLE -flag set to TRUE. Defaults to FALSE. ---- - NEWS | 5 +++++ - conf/conf.rnc | 5 ++++- - conf/conf.xml.in | 3 +++ - libhsm/src/lib/libhsm.c | 15 ++++++++++++--- - libhsm/src/lib/libhsm.h | 1 + - 5 files changed, 25 insertions(+), 4 deletions(-) - -diff --git a/NEWS b/NEWS -index 4db7038..2efa176 100644 ---- a/NEWS -+++ b/NEWS -@@ -1,3 +1,8 @@ -+* Enforcer: New repository option <AllowExtraction/> allows to generate keys -+ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped -+ and extracted from HSM. -+ -+ - OpenDNSSEC 1.4.6 - 2014-07-21 - - * Signer Engine: Print secondary server address when logging notify reply -diff --git a/conf/conf.rnc b/conf/conf.rnc -index 71d527f..65f837e 100644 ---- a/conf/conf.rnc -+++ b/conf/conf.rnc -@@ -50,7 +50,10 @@ start = element Configuration { - element RequireBackup { empty }?, - - # Do not maintain public keys in the repository (optional) -- element SkipPublicKey { empty }? -+ element SkipPublicKey { empty }?, -+ -+ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -+ element AllowExtraction { empty }? 
- }* - }, - -diff --git a/conf/conf.xml.in b/conf/conf.xml.in -index 0ef2ab9..0536681 100644 ---- a/conf/conf.xml.in -+++ b/conf/conf.xml.in -@@ -9,6 +9,9 @@ - <TokenLabel>OpenDNSSEC</TokenLabel> - <PIN>1234</PIN> - <SkipPublicKey/> -+ <!-- -+ <AllowExtraction/> -+ --> - </Repository> - - <!-- -diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c -index d723b31..1f9720e 100644 ---- a/libhsm/src/lib/libhsm.c -+++ b/libhsm/src/lib/libhsm.c -@@ -504,6 +504,7 @@ static void - hsm_config_default(hsm_config_t *config) - { - config->use_pubkey = 1; -+ config->allow_extract = 0; - } - - /* creates a session_t structure, and automatically adds and initializes -@@ -2054,6 +2055,8 @@ hsm_open(const char *config, - module_pin = (char *) xmlNodeGetContent(curNode); - if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey")) - module_config.use_pubkey = 0; -+ if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction")) -+ module_config.allow_extract = 1; - curNode = curNode->next; - } - -@@ -2341,10 +2344,12 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx, - CK_BBOOL ctrue = CK_TRUE; - CK_BBOOL cfalse = CK_FALSE; - CK_BBOOL ctoken = CK_TRUE; -+ CK_BBOOL cextractable = CK_FALSE; - - if (!ctx) ctx = _hsm_ctx; - session = hsm_find_repository_session(ctx, repository); - if (!session) return NULL; -+ cextractable = session->module->config->allow_extract ? 
CK_TRUE : CK_FALSE; - - /* check whether this key doesn't happen to exist already */ - do { -@@ -2380,7 +2385,7 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx, - { CKA_SENSITIVE, &ctrue, sizeof (ctrue) }, - { CKA_TOKEN, &ctrue, sizeof (ctrue) }, - { CKA_PRIVATE, &ctrue, sizeof (ctrue) }, -- { CKA_EXTRACTABLE, &cfalse, sizeof (cfalse) } -+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) } - }; - - rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session, -@@ -2420,6 +2425,7 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx, - CK_OBJECT_HANDLE domainPar, publicKey, privateKey; - CK_BBOOL ctrue = CK_TRUE; - CK_BBOOL cfalse = CK_FALSE; -+ CK_BBOOL cextractable = CK_FALSE; - - /* ids we create are 16 bytes of data */ - unsigned char id[16]; -@@ -2466,12 +2472,13 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx, - { CKA_SENSITIVE, &ctrue, sizeof(ctrue) }, - { CKA_TOKEN, &ctrue, sizeof(ctrue) }, - { CKA_PRIVATE, &ctrue, sizeof(ctrue) }, -- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) } -+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) } - }; - - if (!ctx) ctx = _hsm_ctx; - session = hsm_find_repository_session(ctx, repository); - if (!session) return NULL; -+ cextractable = session->module->config->allow_extract ? 
CK_TRUE : CK_FALSE; - - /* check whether this key doesn't happen to exist already */ - -@@ -2533,6 +2540,7 @@ hsm_generate_gost_key(hsm_ctx_t *ctx, - CK_OBJECT_HANDLE publicKey, privateKey; - CK_BBOOL ctrue = CK_TRUE; - CK_BBOOL cfalse = CK_FALSE; -+ CK_BBOOL cextractable = CK_FALSE; - - /* ids we create are 16 bytes of data */ - unsigned char id[16]; -@@ -2569,12 +2577,13 @@ hsm_generate_gost_key(hsm_ctx_t *ctx, - { CKA_SENSITIVE, &ctrue, sizeof(ctrue) }, - { CKA_TOKEN, &ctrue, sizeof(ctrue) }, - { CKA_PRIVATE, &ctrue, sizeof(ctrue) }, -- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) } -+ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) } - }; - - if (!ctx) ctx = _hsm_ctx; - session = hsm_find_repository_session(ctx, repository); - if (!session) return NULL; -+ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE; - - /* check whether this key doesn't happen to exist already */ - -diff --git a/libhsm/src/lib/libhsm.h b/libhsm/src/lib/libhsm.h -index 45d110a..08224b8 100644 ---- a/libhsm/src/lib/libhsm.h -+++ b/libhsm/src/lib/libhsm.h -@@ -75,6 +75,7 @@ - /*! HSM configuration */ - typedef struct { - unsigned int use_pubkey; /*!< Maintain public keys in HSM */ -+ unsigned int allow_extract; /*!< Generate CKA_EXTRACTABLE private keys */ - } hsm_config_t; - - /*! Data type to describe an HSM */ --- -1.9.3 - diff --git a/SOURCES/ods-signerd.service b/SOURCES/ods-signerd.service index f8a097c..a7b7034 100644 --- a/SOURCES/ods-signerd.service +++ b/SOURCES/ods-signerd.service @@ -1,13 +1,12 @@ [Unit] Description=OpenDNSSEC signer daemon -After=syslog.target network.target +After=syslog.target network.target ods-enforcerd [Service] Type=simple PIDFile=/var/run/opendnssec/signerd.pid EnvironmentFile=-/etc/sysconfig/ods ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT -After=ods-enforcerd [Install] WantedBy=multi-user.target 
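Review bot: The rewritten ordering line `After=syslog.target network.target ods-enforcerd` names the enforcer unit without its type suffix; as far as I know systemd requires the suffix in dependency directives and logs and ignores an unsuffixed name, which would leave the signer unordered relative to the enforcer — the very problem rhbz#1230287 moved the directive to fix. Suggested line: `After=syslog.target network.target ods-enforcerd.service`. `After=` only orders the two units when both are scheduled; if the signer is meant to pull the enforcer in as well, add `Wants=ods-enforcerd.service` to [Unit], otherwise the ordering-only intent is worth a short comment in the unit file.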
diff --git a/SOURCES/opendnssec-1.4.7-1204100-extract.patch b/SOURCES/opendnssec-1.4.7-1204100-extract.patch
new file mode 100644
index 0000000..dddc030
--- /dev/null
+++ b/SOURCES/opendnssec-1.4.7-1204100-extract.patch
@@ -0,0 +1,156 @@ +diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc +--- opendnssec-1.4.7-orig/conf/conf.rnc 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/conf/conf.rnc 2014-12-08 22:49:16.100212010 -0500 +@@ -50,7 +50,10 @@ + element RequireBackup { empty }?, + + # Do not maintain public keys in the repository (optional) +- element SkipPublicKey { empty }? ++ element SkipPublicKey { empty }?, ++ ++ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) ++ element AllowExtraction { empty }? + }* + }, + +diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng +--- opendnssec-1.4.7-orig/conf/conf.rng 2014-12-04 10:18:39.000000000 -0500 ++++ opendnssec-1.4.7/conf/conf.rng 2014-12-08 22:49:16.105212137 -0500 +@@ -71,6 +71,12 @@ + <empty/> + </element> + </optional> ++ <optional> ++ <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) --> ++ <element name="AllowExtraction"> ++ <empty/> ++ </element> ++ </optional> + </element> + </zeroOrMore> + </element> +diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in +--- opendnssec-1.4.7-orig/conf/conf.xml.in 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/conf/conf.xml.in 2014-12-08 22:49:16.101212036 -0500 +@@ -9,6 +9,9 @@ + <TokenLabel>OpenDNSSEC</TokenLabel> + <PIN>1234</PIN> + <SkipPublicKey/> ++ <!-- ++ <AllowExtraction/> ++ --> + </Repository> + + <!-- +diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c opendnssec-1.4.7/libhsm/src/lib/libhsm.c +--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.c 2014-12-08 22:49:16.102212061 -0500 +@@ -504,6 +504,7 @@ + hsm_config_default(hsm_config_t *config) + { + config->use_pubkey = 1; ++ config->allow_extract = 0; + } + + /* creates a session_t structure, and automatically adds and initializes +@@ -2054,6 +2055,8 @@ + module_pin = (char *) xmlNodeGetContent(curNode); + if 
(xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey")) + module_config.use_pubkey = 0; ++ if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction")) ++ module_config.allow_extract = 1; + curNode = curNode->next; + } + +@@ -2341,10 +2344,12 @@ + CK_BBOOL ctrue = CK_TRUE; + CK_BBOOL cfalse = CK_FALSE; + CK_BBOOL ctoken = CK_TRUE; ++ CK_BBOOL cextractable = CK_FALSE; + + if (!ctx) ctx = _hsm_ctx; + session = hsm_find_repository_session(ctx, repository); + if (!session) return NULL; ++ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE; + + /* check whether this key doesn't happen to exist already */ + do { +@@ -2380,7 +2385,7 @@ + { CKA_SENSITIVE, &ctrue, sizeof (ctrue) }, + { CKA_TOKEN, &ctrue, sizeof (ctrue) }, + { CKA_PRIVATE, &ctrue, sizeof (ctrue) }, +- { CKA_EXTRACTABLE, &cfalse, sizeof (cfalse) } ++ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) } + }; + + rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session, +@@ -2420,6 +2425,7 @@ + CK_OBJECT_HANDLE domainPar, publicKey, privateKey; + CK_BBOOL ctrue = CK_TRUE; + CK_BBOOL cfalse = CK_FALSE; ++ CK_BBOOL cextractable = CK_FALSE; + + /* ids we create are 16 bytes of data */ + unsigned char id[16]; +@@ -2466,12 +2472,13 @@ + { CKA_SENSITIVE, &ctrue, sizeof(ctrue) }, + { CKA_TOKEN, &ctrue, sizeof(ctrue) }, + { CKA_PRIVATE, &ctrue, sizeof(ctrue) }, +- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) } ++ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) } + }; + + if (!ctx) ctx = _hsm_ctx; + session = hsm_find_repository_session(ctx, repository); + if (!session) return NULL; ++ cextractable = session->module->config->allow_extract ? 
CK_TRUE : CK_FALSE; + + /* check whether this key doesn't happen to exist already */ + +@@ -2533,6 +2540,7 @@ + CK_OBJECT_HANDLE publicKey, privateKey; + CK_BBOOL ctrue = CK_TRUE; + CK_BBOOL cfalse = CK_FALSE; ++ CK_BBOOL cextractable = CK_FALSE; + + /* ids we create are 16 bytes of data */ + unsigned char id[16]; +@@ -2569,12 +2577,13 @@ + { CKA_SENSITIVE, &ctrue, sizeof(ctrue) }, + { CKA_TOKEN, &ctrue, sizeof(ctrue) }, + { CKA_PRIVATE, &ctrue, sizeof(ctrue) }, +- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) } ++ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) } + }; + + if (!ctx) ctx = _hsm_ctx; + session = hsm_find_repository_session(ctx, repository); + if (!session) return NULL; ++ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE; + + /* check whether this key doesn't happen to exist already */ + +diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h opendnssec-1.4.7/libhsm/src/lib/libhsm.h +--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.h 2014-12-08 22:49:16.102212061 -0500 +@@ -75,6 +75,7 @@ + /*! HSM configuration */ + typedef struct { + unsigned int use_pubkey; /*!< Maintain public keys in HSM */ ++ unsigned int allow_extract; /*!< Generate CKA_EXTRACTABLE private keys */ + } hsm_config_t; + + /*! Data type to describe an HSM */ +diff -Naur opendnssec-1.4.7-orig/NEWS opendnssec-1.4.7/NEWS +--- opendnssec-1.4.7-orig/NEWS 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/NEWS 2014-12-08 22:50:00.560342544 -0500 +@@ -1,3 +1,9 @@ ++ ++ ++* Enforcer: New repository option <AllowExtraction/> allows to generate keys ++ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped ++ and extracted from HSM. ++ + OpenDNSSEC 1.4.7 - 2014-12-04 + + Bugfixes: diff --git a/SPECS/opendnssec.spec b/SPECS/opendnssec.spec index 26e6d36..9d49088 100644 --- a/SPECS/opendnssec.spec +++ b/SPECS/opendnssec.spec 
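Review bot: The schema comment introduced in conf.rnc and conf.rng (`# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)`) describes the mechanism but not the consequence, and a repository-level switch that weakens the protection of every private key generated afterwards should say what it trades. Suggested wording for both schema files and the commented-out example in conf.xml.in: `# Allow generated private keys to be wrapped and exported from the token (CKA_EXTRACTABLE = TRUE). Keys stay CKA_SENSITIVE, so only wrapped export is possible. Default: not extractable; enable only for repositories whose keys must be backed up by wrapping (optional)`. In hsm_generate_dsa_key and hsm_generate_gost_key the template array already holds `&cextractable` before `allow_extract` is consulted; that works because the template stores the address and is presumably read only when C_GenerateKeyPair runs later in each function (the inner hunks show only fragments of those functions), but a comment at the assignment such as `/* template holds &cextractable; the value is read at C_GenerateKeyPair time */` would spare the next reader the same double-take. With CKA_EXTRACTABLE no longer bound to `cfalse`, check whether `cfalse` is still referenced in the three generate functions; if not, it becomes an unused variable. If hsm_open already logs the repository settings it parses, emitting a log line when AllowExtraction is set would make the generation of extractable keys visible in the audit trail.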
@@ -3,7 +3,7 @@ Summary: DNSSEC key and zone management software
 Name: opendnssec
-Version: 1.4.6
+Version: 1.4.7
 Release: 3%{?prever}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
@@ -15,7 +15,7 @@ Source4: conf.xml
 Source5: tmpfiles-opendnssec.conf
 Source6: opendnssec.cron
-Patch0: 0000-add-libhsm-configuration-option-AllowExtraction.patch
+Patch0: opendnssec-1.4.7-1204100-extract.patch
 Patch1: 0001-use-system-trang.patch
 Patch2: 0002-get-started.patch
@@ -88,10 +88,10 @@ mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
 %{_unitdir}/ods-enforcerd.service
 %{_unitdir}/ods-signerd.service
 %config(noreplace) %{_sysconfdir}/tmpfiles.d/opendnssec.conf
-%attr(0750,root,ods) %dir %{_sysconfdir}/opendnssec
-%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
+%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec
 %attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
-%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signed
+%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed
 %attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
 %attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
@@ -127,6 +127,15 @@ ods-ksmutil update all >/dev/null 2>/dev/null ||:
 %systemd_postun_with_restart ods-signerd.service
 %changelog
+* Thu Sep 10 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-3
+- Resolves: rhbz#1261530 /etc/opendnssec is not writeable by ods user
+* Thu Jun 11 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-2
+- Resolves: rhbz#1230287 ods-signerd.service Unknown lvalue 'After'
+* Tue Mar 31 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-1
+- Resolves: rhbz#1204100 Rebase to opendnssec 1.4.7+
 * Tue Sep 30 2014 Petr Spacek <pspacek@redhat.com> - 1.4.6-3
 - Updated spec to build platform-indepent conf.xml
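Review bot: The %files hunk widens three directory modes but the 1.4.7-3 changelog entry justifies only one of them: `%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec` matches rhbz#1261530, whereas `%{_localstatedir}/opendnssec` and `%{_localstatedir}/opendnssec/signed` moving from 0770 to 0775 add world read and search on the signer's working tree, which the entry does not mention. Signed zone data is public, so o+rx on `signed` may well be intended (a nameserver running under another account has to read it), but then the parent directory needs only o+x, and the changelog line should say so; if it is not intended, keep both at 0770. Making `%{_sysconfdir}/opendnssec` group-writable lets the ods account create, rename and delete files in the directory rather than only edit the already group-writable `*.xml` (0660), and conf.xml carries the repository PIN, so it is worth confirming that the ods-ksmutil write path genuinely needs directory write access and recording that reason next to the rhbz reference. `tmp` and `signconf` keep 0770, so the change is not a blanket relaxation, which makes the two unexplained 0775 entries stand out more.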