diff --git a/.gitignore b/.gitignore
index a16c0d3..d9c4942 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.10.4.tar.gz
+SOURCES/pki-10.11.0.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index fb7b485..e5fd7ce 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-d50ec310c6584bd0eb1448b6d40614954827a73d SOURCES/pki-10.10.4.tar.gz
+f125333c7e88d7aae11f51527681018319bba19c SOURCES/pki-10.11.0.tar.gz
diff --git a/SOURCES/0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch b/SOURCES/0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch
new file mode 100644
index 0000000..f0ec3e0
--- /dev/null
+++ b/SOURCES/0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch
@@ -0,0 +1,30 @@
+From 63cf2895f5d5a37bb09f3e889b8584b0bb0dce06 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Wed, 11 Aug 2021 09:19:59 -0700
+Subject: [PATCH] Bug 1992337 - Double issuance of non-CA subsystem certs at
+ installation
+
+This patch removes an extra profile.submit() call that was accidentally left
+off during manual cherry-picking of another bug (1905374):
+commit 8e78a2b912e7c3bd015e4da1f1630d0f35145104 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=1905374
+---
+ .../main/java/com/netscape/cms/servlet/cert/CertProcessor.java | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java b/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java
+index a5626d032..849d6b368 100644
+--- a/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java
++++ b/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java
+@@ -250,7 +250,6 @@ public class CertProcessor extends CAProcessor {
+
+ logger.info("CertProcessor: Submitting certificate request to " + profile.getId() + " profile");
+
+- profile.submit(authToken, req);
+ profile.submit(authToken, req, explicitApprovalRequired);
+
+ req.setRequestStatus(RequestStatus.COMPLETE);
+--
+2.31.1
+
diff --git a/SOURCES/0001-Removed-dependency-on-pytest-runner.patch b/SOURCES/0001-Removed-dependency-on-pytest-runner.patch
deleted file mode 100644
index 5d5c1b1..0000000
--- a/SOURCES/0001-Removed-dependency-on-pytest-runner.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From ab8b87af09b26c3c7ec257e0fb8e5ae931153120 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 8 Feb 2020 21:56:41 -0600
-Subject: [PATCH] Removed dependency on pytest-runner
-
----
- base/server/healthcheck/setup.py | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/base/server/healthcheck/setup.py b/base/server/healthcheck/setup.py
-index 22db8bd0f..c629e34c0 100644
---- a/base/server/healthcheck/setup.py
-+++ b/base/server/healthcheck/setup.py
-@@ -32,6 +32,5 @@ setup(
- 'Programming Language :: Python :: 3.6',
- ],
- python_requires='!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*',
-- setup_requires=['pytest-runner'],
- tests_require=['pytest'],
- )
---
-2.21.0
-
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index ecd5d9e..0664616 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -12,9 +12,9 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
-Version: 10.10.4
-Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
-#global _phase -beta1
+Version: 10.11.0
+Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
+#global _phase -alpha1
# To create a tarball from a version tag:
# $ git archive \
@@ -30,12 +30,15 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# <version tag> \
# > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch
-
-# Do not remove this!! pytest-runner isn't available on RHEL. Removing this
-# patch will break RHEL builds. The error message is:
-# BUILDSTDERR: Download error on https://pypi.org/simple/pytest-runner/:
-# [Errno 111] Connection refused -- Some packages may not be found!
-Patch1: 0001-Removed-dependency-on-pytest-runner.patch
+Patch1: 0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch
+
+# md2man isn't available on i686. Additionally, we aren't generally multi-lib
+# compatible (https://fedoraproject.org/wiki/Packaging:Java)
+# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems
+# safest.
+%if ! 0%{?rhel} || 0%{?rhel} > 8
+ExcludeArch: i686
+%endif
################################################################################
# NSS
@@ -47,7 +50,7 @@ Patch1: 0001-Removed-dependency-on-pytest-runner.patch
# Python
################################################################################
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
%global python_executable /usr/libexec/platform-python
%else
%global python_executable /usr/bin/python3
@@ -57,15 +60,14 @@ Patch1: 0001-Removed-dependency-on-pytest-runner.patch
# Java
################################################################################
-%define java_devel java-devel
-%define java_headless java-headless
-
-%if 0%{?fedora} && 0%{?fedora} >= 33
-%define min_java_version 1:11
-%define java_home /usr/lib/jvm/java-11-openjdk
+%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8
+%define java_devel java-1.8.0-openjdk-devel
+%define java_headless java-1.8.0-openjdk-headless
+%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
%else
-%define min_java_version 1:1.8.0
-%define java_home /usr/lib/jvm/java-1.8.0-openjdk
+%define java_devel java-11-openjdk-devel
+%define java_headless java-11-openjdk-headless
+%define java_home /usr/lib/jvm/jre-11-openjdk
%endif
################################################################################
@@ -82,8 +84,7 @@ Patch1: 0001-Removed-dependency-on-pytest-runner.patch
# By default the build will execute unit tests unless --without test
# option is specified.
-# bcond_without test
-%global with_test 1
+%bcond_without test
# By default all packages will be built except the ones specified with
# --without <package> option (exclusion method).
@@ -131,8 +132,6 @@ Patch1: 0001-Removed-dependency-on-pytest-runner.patch
%define debug_package %{nil}
%endif
-%bcond_without sdnotify
-
# ignore unpackaged files from native 'tpsclient'
# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app
%define _unpackaged_files_terminate_build 0
@@ -170,23 +169,20 @@ fi;
# Build Dependencies
################################################################################
-# autosetup
-BuildRequires: git
BuildRequires: make
-
BuildRequires: cmake >= 3.0.2
BuildRequires: gcc-c++
BuildRequires: zip
-BuildRequires: %java_devel >= %{min_java_version}
+BuildRequires: %{java_devel}
BuildRequires: javapackages-tools
BuildRequires: redhat-rpm-config
-BuildRequires: ldapjdk >= 4.22.0
+BuildRequires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
BuildRequires: apache-commons-cli
BuildRequires: apache-commons-codec
BuildRequires: apache-commons-io
BuildRequires: apache-commons-lang3 >= 3.2
+BuildRequires: apache-commons-logging
BuildRequires: apache-commons-net
-BuildRequires: jakarta-commons-httpclient
BuildRequires: glassfish-jaxb-api
BuildRequires: slf4j
BuildRequires: slf4j-jdk14
@@ -200,22 +196,10 @@ BuildRequires: policycoreutils
BuildRequires: python3-lxml
BuildRequires: python3-sphinx
-BuildRequires: velocity
BuildRequires: xalan-j2
BuildRequires: xerces-j2
-%if 0%{?rhel}
BuildRequires: resteasy >= 3.0.26
-%else
-BuildRequires: jboss-annotations-1.2-api
-BuildRequires: jboss-jaxrs-2.0-api
-BuildRequires: jboss-logging
-BuildRequires: resteasy-atom-provider >= 3.0.17-1
-BuildRequires: resteasy-client >= 3.0.17-1
-BuildRequires: resteasy-jaxb-provider >= 3.0.17-1
-BuildRequires: resteasy-core >= 3.0.17-1
-BuildRequires: resteasy-jackson2-provider >= 3.0.17-1
-%endif
BuildRequires: python3 >= 3.5
BuildRequires: python3-devel
@@ -224,28 +208,17 @@ BuildRequires: python3-cryptography
BuildRequires: python3-lxml
BuildRequires: python3-ldap
BuildRequires: python3-libselinux
-BuildRequires: python3-nss
BuildRequires: python3-requests >= 2.6.0
BuildRequires: python3-six
-%if 0%{?rhel}
-# no python3-pytest-runner
-%else
-BuildRequires: python3-pytest-runner
-%endif
-
BuildRequires: junit
BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.8.1
-BuildRequires: tomcatjss >= 7.6.1
+BuildRequires: jss >= 4.9.0, jss < 5.0.0
+BuildRequires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0
-# JNA is used to bind to libsystemd
-%if %{with sdnotify}
-BuildRequires: jna
-%endif
BuildRequires: systemd-units
-%if 0%{?rhel}
+%if 0%{?rhel} && ! 0%{?eln}
BuildRequires: pki-servlet-engine
%else
BuildRequires: tomcat >= 1:9.0.7
@@ -263,7 +236,7 @@ BuildRequires: zlib
BuildRequires: zlib-devel
# build dependency to build man pages
-%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel}
+%if 0%{?fedora} && 0%{?fedora} <= 30 || 0%{?rhel} && 0%{?rhel} <= 8
BuildRequires: go-md2man
%else
BuildRequires: golang-github-cpuguy83-md2man
@@ -309,26 +282,28 @@ Summary: %{brand} PKI Package
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI theme packages
-Requires: %{vendor_id}-pki-server-theme = %{version}
-Requires: %{vendor_id}-pki-console-theme = %{version}
+Requires: %{vendor_id}-pki-server-theme = %{version}-%{release}
+Requires: %{vendor_id}-pki-console-theme = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s)
# of ALL PKI core packages
-Requires: pki-acme = %{version}
-Requires: pki-ca = %{version}
-Requires: pki-kra = %{version}
-Requires: pki-ocsp = %{version}
-Requires: pki-tks = %{version}
-Requires: pki-tps = %{version}
+Requires: pki-acme = %{version}-%{release}
+Requires: pki-ca = %{version}-%{release}
+Requires: pki-kra = %{version}-%{release}
+Requires: pki-ocsp = %{version}-%{release}
+Requires: pki-tks = %{version}-%{release}
+Requires: pki-tps = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s)
# of PKI console
-Requires: pki-console = %{version}
-Requires: pki-javadoc = %{version}
+Requires: pki-console = %{version}-%{release}
+Requires: pki-javadoc = %{version}-%{release}
# Make certain that this 'meta' package requires the latest version(s)
-# of ALL PKI clients
+# of ALL PKI clients -- except for s390/s390x where 'esc' is not built
+%ifnarch s390 s390x
Requires: esc >= 1.1.1
+%endif
# description for top-level package (unless there is a separate meta package)
%if "%{name}" == "%{vendor_id}-pki"
@@ -359,9 +334,9 @@ PKI consists of the following components:
Summary: PKI Symmetric Key Package
-Requires: %java_headless >= %{min_java_version}
+Requires: %{java_headless}
Requires: jpackage-utils >= 0:1.7.5-10
-Requires: jss >= 4.8.0
+Requires: jss >= 4.9.0, jss < 5.0.0
Requires: nss >= 3.38.0
# Ensure we end up with a useful installation
@@ -404,8 +379,8 @@ Summary: PKI Python 3 Package
BuildArch: noarch
Obsoletes: pki-base-python3 < %{version}
-Provides: pki-base-python3 = %{version}
-%if 0%{?fedora}
+Provides: pki-base-python3 = %{version}-%{release}
+%if 0%{?fedora} || 0%{?rhel} > 8
%{?python_provide:%python_provide python3-pki}
%endif
@@ -414,9 +389,11 @@ Requires: python3 >= 3.5
Requires: python3-cryptography
Requires: python3-ldap
Requires: python3-lxml
-Requires: python3-nss
Requires: python3-requests >= 2.6.0
Requires: python3-six
+%if 0%{?rhel} < 9 || 0%{?fedora} < 34
+Recommends: python3-nss
+%endif
%description -n python3-pki
This package contains PKI client library for Python 3.
@@ -428,33 +405,31 @@ This package contains PKI client library for Python 3.
Summary: PKI Base Java Package
BuildArch: noarch
-Requires: %java_headless >= %{min_java_version}
+Requires: %{java_headless}
Requires: apache-commons-cli
Requires: apache-commons-codec
Requires: apache-commons-io
Requires: apache-commons-lang3 >= 3.2
Requires: apache-commons-logging
Requires: apache-commons-net
-Requires: jakarta-commons-httpclient
Requires: glassfish-jaxb-api
Requires: slf4j
Requires: slf4j-jdk14
Requires: jpackage-utils >= 0:1.7.5-10
-Requires: jss >= 4.7.0
-Requires: ldapjdk >= 4.22.0
+Requires: jss >= 4.9.0, jss < 5.0.0
+Requires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
Requires: pki-base = %{version}-%{release}
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
Requires: resteasy >= 3.0.26
%else
-Requires: resteasy-atom-provider >= 3.0.17-1
Requires: resteasy-client >= 3.0.17-1
Requires: resteasy-jaxb-provider >= 3.0.17-1
Requires: resteasy-core >= 3.0.17-1
Requires: resteasy-jackson2-provider >= 3.0.17-1
%endif
-%if 0%{?fedora} && 0%{?fedora} >= 33
+%if 0%{?fedora} >= 33 || 0%{?rhel} > 8
Requires: jaxb-impl >= 2.3.3
Requires: jakarta-activation >= 1.2.2
%endif
@@ -517,25 +492,19 @@ Requires: python3-policycoreutils
Requires: selinux-policy-targeted >= 3.13.1-159
-%if 0%{?rhel}
-Requires: pki-servlet-engine >= 1:9.0.7
+%if 0%{?rhel} && ! 0%{?eln}
+Requires: pki-servlet-engine
%else
Requires: tomcat >= 1:9.0.7
%endif
-Requires: velocity
Requires: sudo
Requires: systemd
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(pre): shadow-utils
-Requires: tomcatjss >= 7.6.1
-
-# JNA is used to bind to libsystemd
-%if %{with sdnotify}
-Requires: jna
-%endif
+Requires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0
# pki-healthcheck depends on the following library
%if 0%{?rhel}
@@ -646,7 +615,7 @@ since such archival would undermine non-repudiation properties of signing keys.
Summary: PKI OCSP Package
BuildArch: noarch
-Requires: pki-server = %{version}
+Requires: pki-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@@ -684,7 +653,7 @@ whenever they are issued or updated.
Summary: PKI TKS Package
BuildArch: noarch
-Requires: pki-server = %{version}
+Requires: pki-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@@ -715,7 +684,7 @@ behind the firewall with restricted access.
Summary: PKI TPS Package
-Requires: pki-server = %{version}
+Requires: pki-server = %{version}-%{release}
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@@ -780,8 +749,8 @@ BuildArch: noarch
BuildRequires: idm-console-framework >= 1.2.0
Requires: idm-console-framework >= 1.2.0
-Requires: pki-base-java = %{version}
-Requires: pki-console-theme = %{version}
+Requires: pki-base-java = %{version}-%{release}
+Requires: pki-console-theme = %{version}-%{release}
%description -n pki-console
The PKI Console is a Java application used to administer PKI server.
@@ -797,7 +766,7 @@ The PKI Console is a Java application used to administer PKI server.
Summary: %{brand} PKI Server Theme Package
BuildArch: noarch
-Provides: pki-server-theme = %{version}
+Provides: pki-server-theme = %{version}-%{release}
# Ensure we end up with a useful installation
Conflicts: pki-base < %{version}
@@ -816,7 +785,7 @@ This PKI Server Theme Package contains
Summary: %{brand} PKI Console Theme Package
BuildArch: noarch
-Provides: pki-console-theme = %{version}
+Provides: pki-console-theme = %{version}-%{release}
# Ensure we end up with a useful installation
Conflicts: pki-base < %{version}
@@ -849,7 +818,7 @@ This package contains PKI test suite.
%prep
################################################################################
-%autosetup -n pki-%{version}%{?_phase} -p 1 -S git
+%autosetup -n pki-%{version}%{?_phase} -p 1
################################################################################
%build
@@ -862,16 +831,10 @@ java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | se
# otherwise get <major> version number
java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'`
-# get Tomcat <major>.<minor> version number
-tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
-
-if [ $tomcat_version == "9.0" ]; then
- app_server=tomcat-8.5
-else
- app_server=tomcat-$tomcat_version
-fi
+# assume tomcat app_server
+app_server=tomcat-9.0
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
%{__mkdir_p} build
cd build
%endif
@@ -882,8 +845,8 @@ cd build
-DVAR_INSTALL_DIR:PATH=/var \
-DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \
-DJAVA_VERSION=${java_version} \
- -DJAVA_HOME=%java_home \
- -DPKI_JAVA_PATH=%java_home/bin/java \
+ -DJAVA_HOME=%{java_home} \
+ -DPKI_JAVA_PATH=%{java_home}/bin/java \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
-DAPP_SERVER=$app_server \
@@ -901,18 +864,17 @@ cd build
-DWITH_TKS:BOOL=%{?with_tks:ON}%{!?with_tks:OFF} \
-DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \
-DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \
- -DWITH_SYSTEMD_NOTIFICATION:BOOL=%{?with_sdnotify:ON}%{!?with_sdnotify:OFF} \
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
-DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
-DTHEME=%{?with_theme:%{vendor_id}} \
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
..
%else
-B %{_vpath_builddir}
%endif
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} > 8
cd %{_vpath_builddir}
%endif
@@ -929,7 +891,7 @@ cd %{_vpath_builddir}
%install
################################################################################
-%if 0%{?rhel}
+%if 0%{?rhel} && 0%{?rhel} <= 8
cd build
%else
cd %{_vpath_builddir}
@@ -943,7 +905,7 @@ cd %{_vpath_builddir}
--no-print-directory \
install
-%if %{with_test}
+%if %{with test}
ctest --output-on-failure
%endif
@@ -960,14 +922,22 @@ EOF
# Customize client library links in /usr/share/pki/lib
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/lib/jboss-logging.jar
+%if 0%{?fedora} && 0%{?fedora} <= 34 || 0%{?rhel} && 0%{?rhel} <= 8
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/lib/jboss-annotations-api_1.2_spec.jar
+%else
+ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/lib/jakarta.annotation-api.jar
+%endif
%if %{with server}
# Customize server common library links in /usr/share/pki/server/common/lib
ln -sf %{jaxrs_api_jar} %{buildroot}%{_datadir}/pki/server/common/lib/jboss-jaxrs-2.0-api.jar
ln -sf /usr/share/java/jboss-logging/jboss-logging.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-logging.jar
+%if 0%{?fedora} && 0%{?fedora} <= 34 || 0%{?rhel} && 0%{?rhel} <= 8
ln -sf /usr/share/java/jboss-annotations-1.2-api/jboss-annotations-api_1.2_spec.jar %{buildroot}%{_datadir}/pki/server/common/lib/jboss-annotations-api_1.2_spec.jar
+%else
+ln -sf /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar %{buildroot}%{_datadir}/pki/server/common/lib/jakarta.annotation-api.jar
+%endif
# with server
%endif
@@ -1018,6 +988,10 @@ fi
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
## PKI deployment process
+# CVE-2021-3551
+# Remove world access from existing installation logs
+find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
+
# Reload systemd daemons on upgrade only
if [ "$1" == "2" ]
then
@@ -1197,9 +1171,8 @@ fi
%{_sbindir}/pkidestroy
%{_sbindir}/pki-server
%{_sbindir}/pki-server-upgrade
-%{python3_sitelib}/pki/server/
%{_sbindir}/pki-healthcheck
-%{python3_sitelib}/pki/server/healthcheck/
+%{python3_sitelib}/pki/server/
%{python3_sitelib}/pkihealthcheck-*.egg-info/
%config(noreplace) %{_sysconfdir}/pki/healthcheck.conf
@@ -1242,10 +1215,6 @@ fi
%{_datadir}/pki/setup/
%{_datadir}/pki/server/
-%if %{with sdnotify}
-%{_javadir}/pki/pki-systemd.jar
-%endif
-
# with server
%endif
@@ -1255,7 +1224,6 @@ fi
################################################################################
%{_javadir}/pki/pki-acme.jar
-%dir %{_datadir}/pki/acme
%{_datadir}/pki/acme/
# with acme
@@ -1268,7 +1236,6 @@ fi
%license base/ca/LICENSE
%{_javadir}/pki/pki-ca.jar
-%dir %{_datadir}/pki/ca
%{_datadir}/pki/ca/
# with ca
@@ -1281,7 +1248,6 @@ fi
%license base/kra/LICENSE
%{_javadir}/pki/pki-kra.jar
-%dir %{_datadir}/pki/kra
%{_datadir}/pki/kra/
# with kra
@@ -1294,7 +1260,6 @@ fi
%license base/ocsp/LICENSE
%{_javadir}/pki/pki-ocsp.jar
-%dir %{_datadir}/pki/ocsp
%{_datadir}/pki/ocsp/
# with ocsp
@@ -1307,7 +1272,6 @@ fi
%license base/tks/LICENSE
%{_javadir}/pki/pki-tks.jar
-%dir %{_datadir}/pki/tks
%{_datadir}/pki/tks/
# with tks
@@ -1320,7 +1284,6 @@ fi
%license base/tps/LICENSE
%{_javadir}/pki/pki-tps.jar
-%dir %{_datadir}/pki/tps
%{_datadir}/pki/tps/
%{_mandir}/man5/pki-tps-connector.5.gz
%{_mandir}/man5/pki-tps-profile.5.gz
@@ -1399,6 +1362,21 @@ fi
################################################################################
%changelog
+* Thu Aug 12 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-2
+- Bug 1992337 - Double issuance of non-CA subsystem certs at installation
+
+* Mon Jul 26 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-1
+- Rebase to PKI 10.11.0
+
+* Mon Jun 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.3
+- Rebase to PKI 10.11.0-alpha3
+
+* Thu Jun 03 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.2
+- Fix JAVA_HOME
+
+* Wed Jun 02 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.1
+- Rebase to PKI 10.11.0-alpha2
+
* Mon Feb 08 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.4-1
- Rebase to PKI 10.10.4
- Bug 1664435 - Error instantiating class for challenge_password with SCEP request