From bf7ee128834d4ca40ea454142c1fb8e47ac505f5 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: May 13 2014 17:49:49 +0000
Subject: * Tue May 13 2014 Paul Wouters - 0.11-21 - Enable full hardening (includig PIE) - Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
---
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index c1a3557..f0fb46a 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -1,7 +1,9 @@
+%global _hardened_build 1
+
 Summary: NetworkManager plugin to update/reconfigure DNSSEC resolving
 Name: dnssec-trigger
 Version: 0.11
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/downloads/dnssec-trigger/
 Source: http://www.nlnetlabs.nl/downloads/dnssec-trigger/%{name}-%{version}.tar.gz
@@ -53,9 +55,11 @@ sed -i "s/^dnssec-trigger-control/\/usr\/sbin\/dnssec-trigger-control/" 01-dnsse
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+# change default RSA key between deamon/control from 1536 to 3072
+sed -i "s/BITS=1536/BITS=3072/" dnssec-trigger-control-setup.sh.in
 
 %build
-export LDFLAGS="$LDFLAGS -Wl,-z,now"
+export LDFLAGS="$LDFLAGS -pie -Wl,-z,relro,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
 %configure --with-keydir=/etc/dnssec-trigger
 %{__make} %{?_smp_mflags}
 
@@ -138,6 +142,10 @@ fi
 %systemd_postun_with_restart %{name}d.service
 
 %changelog
+* Tue May 13 2014 Paul Wouters - 0.11-21
+- Enable full hardening (includig PIE)
+- Resolves: rhbz#1045689 dnssec-trigger creates long-time RSA key with inappropriate size
+
 * Wed Feb 19 2014 Tomas Hozza - 0.11-20
 - Restart NM on dnssec-trigger shutdown (let NM handle the resolv.conf content)
 - HN-hook: Handle situation when connection does not have a device
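Review bot: The `%global _hardened_build 1` line at the top of this hunk and the hand-written `export LDFLAGS="$LDFLAGS -pie ... -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"` in the %build hunk request the same hardening twice, and the export is probably the one that takes effect. As far as I know, `%configure` only falls back to the distribution's default link flags when LDFLAGS is not already set. That leaves a hard-coded specs path in the spec, and a `-pie` link that only works while the macro keeps supplying the matching compile flags. Consider deriving the string from the macro, e.g. `export LDFLAGS="$LDFLAGS %{__global_ldflags} -Wl,-z,now"`, and adding a `%check` step that fails if the built binaries are not PIE with full RELRO.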
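Review bot: The added `sed -i "s/BITS=1536/BITS=3072/" dnssec-trigger-control-setup.sh.in` exits 0 even when nothing matches. If a later tarball renames the variable or changes its default, the package would silently ship whatever key size upstream has. Follow the substitution with a check that fails the build, e.g. `grep -q 'BITS=3072' dnssec-trigger-control-setup.sh.in`. The new size also only applies to keys generated after the update. Whether existing 1536-bit keys under /etc/dnssec-trigger are regenerated depends on scriptlets outside this hunk, so the changelog entry should say whether users need to re-run the setup script. The %prep section starts above the hunk.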