From 63af910eccf37b496d145aabe16a9032998ce526 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 05 2020 19:04:42 +0000
Subject: import pki-core-10.9.3-1.module+el8.3.0+7928+ce88aa94
---
diff --git a/.gitignore b/.gitignore
index 1f2da7b..d3cd1fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.9.2.tar.gz
+SOURCES/pki-10.9.3.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 94b0c5c..312b81a 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-0bb690cc30b9e8c358b4e818f640177a491cf504 SOURCES/pki-10.9.2.tar.gz
+5e3f638d903ce6bbc18d4c9de653a1793b7cbc31 SOURCES/pki-10.9.3.tar.gz
diff --git a/SOURCES/0002-Fix-permissions-when-installing-clone.patch b/SOURCES/0002-Fix-permissions-when-installing-clone.patch
deleted file mode 100644
index c2028ee..0000000
--- a/SOURCES/0002-Fix-permissions-when-installing-clone.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -From 1753780b47c6935816d5419dafcea667fb01fed4 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Fri, 21 Aug 2020 10:15:53 -0400 -Subject: [PATCH] Fix permissions when installing clone - -When pkispawn runs, it executes as root. However, rarely is PKI -installed as root. The resulting permissions on ca.crt are 600, -preventing later pki-server migrate command from running, as it -runs as pkiuser, who doesn't have access to ca.crt. Fix the -permissions when we initially create ca.crt to be owned by pkiuser. - -Signed-off-by: Alexander Scheel ---- - .../deployment/scriptlets/security_databases.py | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py -index 613ffdc17..80a5856e9 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py -+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py -@@ -198,10 +198,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # Export CA certificate to PEM file; same command as in - # PKIServer.setup_cert_authentication(). - # openssl pkcs12 -in -out /tmp/auth.pem -nodes -nokeys -+ pki_ca_crt_path = os.path.join(pki_server_database_path, 'ca.crt') - cmd_export_ca = [ - 'openssl', 'pkcs12', - '-in', pki_clone_pkcs12_path, -- '-out', os.path.join(pki_server_database_path, 'ca.crt'), -+ '-out', pki_ca_crt_path, - '-nodes', - '-nokeys', - '-passin', 'pass:' + pki_clone_pkcs12_password -@@ -210,6 +211,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - stderr=subprocess.STDOUT).decode('utf-8') - logger.debug('Result of CA certificate export: %s', res_ca) - -+ # At this point, we're running as root. However, the subsystem -+ # will eventually start up as non-root and will attempt to do a -+ # migration. 
If we don't fix the permissions now, migration will -+ # fail and subsystem won't start up. -+ pki.util.chmod(pki_ca_crt_path, 0o644) -+ pki.util.chown(pki_ca_crt_path, deployer.mdict['pki_uid'], -+ deployer.mdict['pki_gid']) -+ - ca_cert_path = deployer.mdict.get('pki_cert_chain_path') - if ca_cert_path and os.path.exists(ca_cert_path): - destination = os.path.join(instance.nssdb_dir, "ca.crt") --- -2.26.2 - diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index 73994ff..45fd68a 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec @@ -12,8 +12,8 @@ License: GPLv2 and LGPLv2 # For development (unsupported) releases, use x.y.z-0.n.unstable with alpha/beta phase. # For official (supported) releases, use x.y.z-r where r >=1 without alpha/beta phase. -Version: 10.9.2 -Release: 2%{?_timestamp}%{?_commit_id}%{?dist} +Version: 10.9.3 +Release: 1%{?_timestamp}%{?_commit_id}%{?dist} #global _phase -a1 # To create a tarball from a version tag: @@ -31,7 +31,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver # > pki-VERSION-RELEASE.patch # Patch: pki-VERSION-RELEASE.patch Patch1: 0001-Removed-dependency-on-pytest-runner.patch -Patch2: 0002-Fix-permissions-when-installing-clone.patch ################################################################################ # NSS @@ -54,6 +53,8 @@ Patch2: 0002-Fix-permissions-when-installing-clone.patch ################################################################################ %define java_home /usr/lib/jvm/jre-openjdk +%define java_devel java-devel +%define java_headless java-headless %if 0%{?fedora} && 0%{?fedora} >= 33 %define min_java_version 1:11 @@ -166,7 +167,7 @@ BuildRequires: make BuildRequires: cmake >= 3.0.2 BuildRequires: gcc-c++ BuildRequires: zip -BuildRequires: java-devel >= %{min_java_version} +BuildRequires: %java_devel >= %{min_java_version} BuildRequires: javapackages-tools BuildRequires: redhat-rpm-config BuildRequires: ldapjdk >= 4.22.0 
@@ -340,7 +341,7 @@ PKI consists of the following components: Summary: PKI Symmetric Key Package -Requires: java-headless >= %{min_java_version} +Requires: %java_headless >= %{min_java_version} Requires: jpackage-utils >= 0:1.7.5-10 Requires: jss >= 4.7.0 Requires: nss >= 3.38.0 @@ -408,7 +409,7 @@ This package contains PKI client library for Python 3. Summary: PKI Base Java Package BuildArch: noarch -Requires: java-headless >= %{min_java_version} +Requires: %java_headless >= %{min_java_version} Requires: apache-commons-cli Requires: apache-commons-codec Requires: apache-commons-io @@ -434,6 +435,11 @@ Requires: resteasy-core >= 3.0.17-1 Requires: resteasy-jackson2-provider >= 3.0.17-1 %endif +%if 0%{?fedora} && 0%{?fedora} >= 33 +Requires: jaxb-impl >= 2.3.3 +Requires: jakarta-activation >= 1.2.2 +%endif + Requires: xalan-j2 Requires: xerces-j2 Requires: xml-commons-apis @@ -501,6 +507,7 @@ Requires: tomcat >= 1:9.0.7 %endif Requires: velocity +Requires: sudo Requires: systemd Requires(post): systemd-units Requires(preun): systemd-units @@ -815,6 +822,13 @@ This package contains PKI test suite. %build ################################################################################ +# get Java . version number +java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | sed -n 's/ *java.version *= *\([0-9]\+\.[0-9]\+\).*/\1/p'` + +# if == 1, get version number +# otherwise get version number +java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'` + # get Tomcat . version number tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'` 
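Review bot: The added `Requires: sudo` (hunk `@@ -501,6 +507,7 @@`) has no comment saying which installed script or unit invokes sudo, or which account it switches to, so this new privilege-transition dependency cannot be audited from the spec. The 10.9.3-1 changelog entry does not mention it either. I would put a line above it such as `# sudo: used by <caller> to run <command> as the PKI service account`, with the real caller filled in, and state whether the package relies on the default sudoers policy. The package section this `Requires` belongs to starts outside the hunk.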
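Review bot: `java_version` is assigned in hunk `@@ -815,6 +822,13 @@` as a shell variable, but the cmake call in the next hunk (`@@ -824,13 +838,17 @@`) passes `-DJAVA_VERSION=%{java_version}`, which is RPM macro syntax. Unless a macro of that name is defined outside the visible hunks, rpm leaves it unexpanded and cmake receives the literal text instead of the detected version. The neighbouring Tomcat detection uses the shell form (`tomcat-$tomcat_version`), so the flag should read `-DJAVA_VERSION=${java_version} \`. `sed -n` also prints nothing when the `java.version` line is missing or shaped differently, so a guard after the second assignment, `[ -n "$java_version" ] || { echo "cannot detect Java version" >&2; exit 1; }`, would fail the build early rather than configure with an empty value.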
@@ -824,13 +838,17 @@ else app_server=tomcat-$tomcat_version fi +%if 0%{?rhel} %{__mkdir_p} build cd build +%endif + %cmake \ --no-warn-unused-cli \ -DVERSION=%{version}-%{release} \ -DVAR_INSTALL_DIR:PATH=/var \ -DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \ + -DJAVA_VERSION=%{java_version} \ -DJAVA_HOME=%java_home \ -DPKI_JAVA_PATH=%java \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ @@ -848,7 +866,15 @@ cd build -DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \ -DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \ -DTHEME=%{?with_theme:%{vendor_id}} \ +%if 0%{?rhel} .. +%else + -B %{_vpath_builddir} +%endif + +%if 0%{?fedora} +cd %{_vpath_builddir} +%endif # Do not use _smp_mflags to preserve build order %{__make} \ @@ -863,7 +889,11 @@ cd build %install ################################################################################ +%if 0%{?rhel} cd build +%else +cd %{_vpath_builddir} +%endif %{__make} \ VERBOSE=%{?_verbose} \ @@ -1328,6 +1358,10 @@ fi ################################################################################ %changelog +* Thu Sep 03 2020 Red Hat PKI Team 10.9.3-1 +- Rebased to PKI 10.9.3 +- Bug #1869893 - Common certificates are missing in CS.cfg on shared PKI instance + * Tue Aug 18 2020 Red Hat PKI Team 10.9.2-2 - Bug #1871064 - Replica install failing during pki-ca component configuration
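Review bot: In hunk `@@ -848,7 +866,15 @@` the `cd %{_vpath_builddir}` before `%{__make}` is guarded by `%if 0%{?fedora}`, while the cmake arguments just above it and the `%install` hunk (`@@ -863,7 +889,11 @@`) branch on `%if 0%{?rhel}` … `%else`. On a build target that defines neither macro, cmake is given `-B %{_vpath_builddir}` but make then runs from the source directory, and `%install` later changes into a directory `%build` never used for make. Guarding the `cd` with the complement of the rhel test, `%if !0%{?rhel}`, keeps the three places in step. A short comment above the first `%if 0%{?rhel}` saying why RHEL builds in `build/` and other targets in `%{_vpath_builddir}` would also help the next maintainer.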