diff --git a/.gitignore b/.gitignore
index 1f2da7b..d3cd1fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.9.2.tar.gz
+SOURCES/pki-10.9.3.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index 94b0c5c..312b81a 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-0bb690cc30b9e8c358b4e818f640177a491cf504 SOURCES/pki-10.9.2.tar.gz
+5e3f638d903ce6bbc18d4c9de653a1793b7cbc31 SOURCES/pki-10.9.3.tar.gz
diff --git a/SOURCES/0002-Fix-permissions-when-installing-clone.patch b/SOURCES/0002-Fix-permissions-when-installing-clone.patch
deleted file mode 100644
index c2028ee..0000000
--- a/SOURCES/0002-Fix-permissions-when-installing-clone.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 1753780b47c6935816d5419dafcea667fb01fed4 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 21 Aug 2020 10:15:53 -0400
-Subject: [PATCH] Fix permissions when installing clone
-
-When pkispawn runs, it executes as root. However, rarely is PKI
-installed as root. The resulting permissions on ca.crt are 600,
-preventing later pki-server migrate command from running, as it
-runs as pkiuser, who doesn't have access to ca.crt. Fix the
-permissions when we initially create ca.crt to be owned by pkiuser.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- .../deployment/scriptlets/security_databases.py | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
-index 613ffdc17..80a5856e9 100644
---- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
-@@ -198,10 +198,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- # Export CA certificate to PEM file; same command as in
- # PKIServer.setup_cert_authentication().
- # openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes -nokeys
-+ pki_ca_crt_path = os.path.join(pki_server_database_path, 'ca.crt')
- cmd_export_ca = [
- 'openssl', 'pkcs12',
- '-in', pki_clone_pkcs12_path,
-- '-out', os.path.join(pki_server_database_path, 'ca.crt'),
-+ '-out', pki_ca_crt_path,
- '-nodes',
- '-nokeys',
- '-passin', 'pass:' + pki_clone_pkcs12_password
-@@ -210,6 +211,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- stderr=subprocess.STDOUT).decode('utf-8')
- logger.debug('Result of CA certificate export: %s', res_ca)
-
-+ # At this point, we're running as root. However, the subsystem
-+ # will eventually start up as non-root and will attempt to do a
-+ # migration. If we don't fix the permissions now, migration will
-+ # fail and subsystem won't start up.
-+ pki.util.chmod(pki_ca_crt_path, 0o644)
-+ pki.util.chown(pki_ca_crt_path, deployer.mdict['pki_uid'],
-+ deployer.mdict['pki_gid'])
-+
- ca_cert_path = deployer.mdict.get('pki_cert_chain_path')
- if ca_cert_path and os.path.exists(ca_cert_path):
- destination = os.path.join(instance.nssdb_dir, "ca.crt")
---
-2.26.2
-
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 73994ff..45fd68a 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -12,8 +12,8 @@ License: GPLv2 and LGPLv2
# For development (unsupported) releases, use x.y.z-0.n.unstable with alpha/beta phase.
# For official (supported) releases, use x.y.z-r where r >=1 without alpha/beta phase.
-Version: 10.9.2
-Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
+Version: 10.9.3
+Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -a1
# To create a tarball from a version tag:
@@ -31,7 +31,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch
Patch1: 0001-Removed-dependency-on-pytest-runner.patch
-Patch2: 0002-Fix-permissions-when-installing-clone.patch
################################################################################
# NSS
@@ -54,6 +53,8 @@ Patch2: 0002-Fix-permissions-when-installing-clone.patch
################################################################################
%define java_home /usr/lib/jvm/jre-openjdk
+%define java_devel java-devel
+%define java_headless java-headless
%if 0%{?fedora} && 0%{?fedora} >= 33
%define min_java_version 1:11
@@ -166,7 +167,7 @@ BuildRequires: make
BuildRequires: cmake >= 3.0.2
BuildRequires: gcc-c++
BuildRequires: zip
-BuildRequires: java-devel >= %{min_java_version}
+BuildRequires: %java_devel >= %{min_java_version}
BuildRequires: javapackages-tools
BuildRequires: redhat-rpm-config
BuildRequires: ldapjdk >= 4.22.0
@@ -340,7 +341,7 @@ PKI consists of the following components:
Summary: PKI Symmetric Key Package
-Requires: java-headless >= %{min_java_version}
+Requires: %java_headless >= %{min_java_version}
Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 4.7.0
Requires: nss >= 3.38.0
@@ -408,7 +409,7 @@ This package contains PKI client library for Python 3.
Summary: PKI Base Java Package
BuildArch: noarch
-Requires: java-headless >= %{min_java_version}
+Requires: %java_headless >= %{min_java_version}
Requires: apache-commons-cli
Requires: apache-commons-codec
Requires: apache-commons-io
@@ -434,6 +435,11 @@ Requires: resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1
%endif
+%if 0%{?fedora} && 0%{?fedora} >= 33
+Requires: jaxb-impl >= 2.3.3
+Requires: jakarta-activation >= 1.2.2
+%endif
+
Requires: xalan-j2
Requires: xerces-j2
Requires: xml-commons-apis
@@ -501,6 +507,7 @@ Requires: tomcat >= 1:9.0.7
%endif
Requires: velocity
+Requires: sudo
Requires: systemd
Requires(post): systemd-units
Requires(preun): systemd-units
@@ -815,6 +822,13 @@ This package contains PKI test suite.
%build
################################################################################
+# get Java <major>.<minor> version number
+java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | sed -n 's/ *java.version *= *\([0-9]\+\.[0-9]\+\).*/\1/p'`
+
+# if <major> == 1, get <minor> version number
+# otherwise get <major> version number
+java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'`
+
# get Tomcat <major>.<minor> version number
tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
@@ -824,13 +838,17 @@ else
app_server=tomcat-$tomcat_version
fi
+%if 0%{?rhel}
%{__mkdir_p} build
cd build
+%endif
+
%cmake \
--no-warn-unused-cli \
-DVERSION=%{version}-%{release} \
-DVAR_INSTALL_DIR:PATH=/var \
-DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \
+ -DJAVA_VERSION=%{java_version} \
-DJAVA_HOME=%java_home \
-DPKI_JAVA_PATH=%java \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
@@ -848,7 +866,15 @@ cd build
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
-DTHEME=%{?with_theme:%{vendor_id}} \
+%if 0%{?rhel}
..
+%else
+ -B %{_vpath_builddir}
+%endif
+
+%if 0%{?fedora}
+cd %{_vpath_builddir}
+%endif
# Do not use _smp_mflags to preserve build order
%{__make} \
@@ -863,7 +889,11 @@ cd build
%install
################################################################################
+%if 0%{?rhel}
cd build
+%else
+cd %{_vpath_builddir}
+%endif
%{__make} \
VERBOSE=%{?_verbose} \
@@ -1328,6 +1358,10 @@ fi
################################################################################
%changelog
+* Thu Sep 03 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.3-1
+- Rebased to PKI 10.9.3
+- Bug #1869893 - Common certificates are missing in CS.cfg on shared PKI instance
+
* Tue Aug 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 10.9.2-2
- Bug #1871064 - Replica install failing during pki-ca component configuration