# Add generation of HMAC checksums of the final stripped binaries. # %%define with lazy expansion is used here intentionally, because # this needs to be expanded inside of a higher level macro that # gets expanded itself. %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ fipshmac %{buildroot}%{_bindir}/%{name} \\\ %{buildroot}%{_libexecdir}/%{name} \\\ %{buildroot}%{_datadir}/%{name}/openssl.cnf \ c="%{buildroot}%{_datadir}/%{name}/config.json" \ if [[ -f ${c} ]]; then \ fipshmac ${c} \ fi \ %{nil} # Always do out-of-source builds with CMake. %{?__cmake_in_source_build:%undefine __cmake_in_source_build} # Do not build non-lto objects to reduce build time significantly. %global optflags %(echo '%{optflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g') # Build and package Doxygen documentation? %bcond_without doxy # Do we build with Qt6? %if 0%{?fedora} || 0%{?rhel} >= 9 %global qt6_build 1 %else %global qt6_build 0 %endif # Package summary. Gets overwritten by subpackages otherwise. %global pkg_sum Online identification with German ID card (Personalausweis) Name: AusweisApp2 Version: 1.24.4 Release: 1%{?dist} Summary: %{pkg_sum} License: EUPL 1.2 URL: https://www.ausweisapp.bund.de/en # Url to releases on github. %global rel_url https://github.com/Governikus/%{name}/releases/download/%{version} # Generate gpg-keyring: # gpg2 --keyserver keyserver.ubuntu.com --recv-keys 699BF3055B0A49224EFDE7C72D7479A531451088 # gpg2 --export --export-options export-minimal 699BF3055B0A49224EFDE7C72D7479A531451088 > %%{name}-pubring.gpg Source0000: %{rel_url}/%{name}-%{version}.tar.gz Source0001: %{rel_url}/%{name}-%{version}.tar.gz.asc Source0002: %{name}-pubring.gpg Source0003: %{rel_url}/%{name}-%{version}.tar.gz.sha256 Source0004: https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/2020-03/EUPL-1.2%%20EN.txt#/EUPL-12_EN.txt Source1000: gen_openssl_cnf.py # Downstream. Patch01000: %{name}-1.24.1-use_Qt_TranslationsPath.patch Patch01001: %{name}-1.24.4-no_brainpool_curves.patch BuildRequires: cmake BuildRequires: crypto-policies BuildRequires: desktop-file-utils BuildRequires: gcc-c++ BuildRequires: gnupg2 BuildRequires: help2man BuildRequires: http-parser-devel BuildRequires: libappstream-glib BuildRequires: libudev-devel BuildRequires: libxkbcommon-devel BuildRequires: ninja-build BuildRequires: openssl-devel BuildRequires: pcsc-lite-devel BuildRequires: python3-devel %if 0%{?qt6_build} BuildRequires: qt6-qtbase-devel BuildRequires: qt6-qtbase-private-devel BuildRequires: qt6-qtscxml-devel BuildRequires: qt6-qtshadertools-devel BuildRequires: qt6-qtsvg-devel BuildRequires: qt6-qttools-devel BuildRequires: qt6-qtwebsockets-devel %else BuildRequires: qt5-linguist BuildRequires: qt5-qtbase-devel BuildRequires: qt5-qtconnectivity-devel BuildRequires: qt5-qtdeclarative-devel BuildRequires: qt5-qtquickcontrols2-devel BuildRequires: qt5-qtsvg-devel BuildRequires: qt5-qtwebsockets-devel %endif BuildRequires: %{_bindir}/sha256sum BuildRequires: %{_bindir}/fipshmac # Lowercase package name. %global lc_name %{lua:print(string.lower(rpm.expand("%{name}")))} # Make sure this package automatically replaces the security hazard # built in some COPR. Obsoletes: %{name} < 1.20.1 Obsoletes: %{lc_name} < 1.20.1 # Provide the lowercase name for convenience as well. Provides: %{lc_name} = %{version}-%{release} Provides: %{lc_name}%{?_isa} = %{version}-%{release} # Do not raise conflicts about shared license files. Requires: %{name}-data = %{version}-%{release} Requires: (%{name}-doc = %{version}-%{release} if %{name}-doc) %if 0%{?qt6_build} # We are linking against qt6-qtbase-private. %{?_qt6:Requires: %{_qt6}%{?_isa} = %{_qt6_version}} %else # RHBZ#1885310 # Needed for the GUI to show up on startup. Requires: qt5-qtquickcontrols2%{?_isa} %endif # Needed for running fipscheck on application startup. # Requires: fipscheck %description The AusweisApp2 is a software to identify yourself online with your ID card (Personalausweis) or your electronic residence permit (Aufenthalts- / Niederlassungserlaubis). The AusweisApp2 also offers you an integrated self-assessment in which you are able to view your data that is stored on the online ID. %package data Summary: Architecture-independent files used by %{name} BuildArch: noarch Requires: %{name} = %{version}-%{release} Requires: hicolor-icon-theme %description data This package contains the architecture-independent files used by %{name}. %package doc Summary: User and API documentation for %{name} BuildArch: noarch %if %{with doxy} BuildRequires: doxygen BuildRequires: graphviz %endif BuildRequires: hardlink BuildRequires: python3-sphinx BuildRequires: python3-sphinx_rtd_theme # Do not raise conflicts about shared license files. Requires: (%{name} = %{version}-%{release} if %{name}) # The doc-api package is faded, since we can ship the # Doxygen documentation noarch'ed as well now. Obsoletes: %{name}-doc-api < 1.20.1-2 Provides: %{name}-doc-api = %{version}-%{release} %description doc This package contains the user and API documentation for %{name}. %prep # Verify tarball integrity. %{gpgverify} \ --keyring='%{SOURCE2}' \ --signature='%{SOURCE1}' \ --data='%{SOURCE0}' pushd %{_sourcedir} sha256sum -c %{SOURCE3} popd %autosetup -p 1 install -pm 0644 %{SOURCE4} LICENSE.en.txt # Generate application specific OpenSSL configuration. # See the comments in the resulting file for further information. %{__python3} %{SOURCE1000} resources/config.json.in \ > fedora_%{name}_openssl.cnf # Create the shell wrapper. cat << EOF > fedora_%{name}_wrapper.sh #!/bin/sh # /usr/bin/fipscheck \\ # %{_bindir}/%{name} \\ # %{_libexecdir}/%{name} \\ # %{_datadir}/%{name}/config.json \\ # %{_datadir}/%{name}/openssl.cnf \\ # || exit \$?; OPENSSL_CONF=%{_datadir}/%{name}/openssl.cnf \\ %{_libexecdir}/%{name} "\$@"; EOF %build # The project does not ship any libraries that are meant to be # consumed externally. Thus we disable shared libs explicitly. # See: https://github.com/Governikus/AusweisApp2/pull/24 # and: https://github.com/Governikus/AusweisApp2/pull/26 %cmake \ -DBUILD_SHARED_LIBS:BOOL=OFF \ -DBUILD_TESTING:BOOL=OFF \ -DCMAKE_BUILD_TYPE:STRING=Release \ -DINTEGRATED_SDK:BOOL=OFF \ -DPYTHON_EXECUTABLE:STRING=%{__python3} \ -DSELFPACKER:BOOL=OFF \ -DUSE_SMARTEID:BOOL=ON \ -G Ninja %cmake_build %if (0%{?fedora} || 0%{?rhel} > 8) # Documentation. %cmake_build --target inst inte notes sdk %if %{with doxy} %cmake_build --target doxy %endif %else # Documentation. %ninja_build -C %{_vpath_builddir} inst inte notes sdk %if %{with doxy} %ninja_build -C %{_vpath_builddir} doxy %endif %endif %install %cmake_install # Relocate the application binary so we can call it through # a shell wrapper and move installed files to proper locations. mkdir -p %{buildroot}{%{_libexecdir},%{_qt5_translationdir}} mv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_libexecdir}/%{name} # Install the shell wrapper and custom OpenSSL configuration. install -pm 0755 fedora_%{name}_wrapper.sh %{buildroot}%{_bindir}/%{name} install -pm 0644 fedora_%{name}_openssl.cnf \ %{buildroot}%{_datadir}/%{name}/openssl.cnf # Move translation in proper location. %if !(0%{?qt6_build}) mv %{buildroot}%{_datadir}/%{name}/translations/* \ %{buildroot}%{_qt5_translationdir} rm -fr %{buildroot}%{_datadir}/%{name}/translations %endif # Generate man-page. mkdir -p %{buildroot}%{_mandir}/man1 help2man \ --no-discard-stderr --no-info \ --manual="%{name}" --name="%{pkg_sum}" --section=1 \ --help-option="--platform offscreen --help-all" \ --version-option="--platform offscreen --version" \ --output=%{buildroot}%{_mandir}/man1/%{name}.1 \ %{buildroot}%{_libexecdir}/%{name} # Excessive docs. mkdir -p %{buildroot}%{_pkgdocdir}/{installation,integration,notes,sdk} install -pm 0644 README.rst %{buildroot}%{_pkgdocdir} %if %{with doxy} mkdir -p %{buildroot}%{_pkgdocdir}/doxy cp -a %{_vpath_builddir}/doc/html/* %{buildroot}%{_pkgdocdir}/doxy %endif cp -a %{_vpath_builddir}/docs/inst/html/* %{buildroot}%{_pkgdocdir}/installation cp -a %{_vpath_builddir}/docs/inte/html/* %{buildroot}%{_pkgdocdir}/integration cp -a %{_vpath_builddir}/docs/notes/html/* %{buildroot}%{_pkgdocdir}/notes cp -a %{_vpath_builddir}/docs/sdk/html/* %{buildroot}%{_pkgdocdir}/sdk find %{buildroot}%{_pkgdocdir} -type d -print0 | xargs -0 chmod -c 0755 find %{buildroot}%{_pkgdocdir} -type f -print0 | xargs -0 chmod -c 0644 find %{buildroot}%{_pkgdocdir} -type f -name '.*' -delete -print hardlink -cfv %{buildroot}%{_pkgdocdir} # Find installed icons. find %{buildroot}%{_datadir}/icons/hicolor -type f -print | \ sed -e 's!^%{buildroot}!!g' > %{lc_name}.icons # Find translation files. %if !(0%{?qt6_build}) %find_lang %{lc_name} --with-qt %endif %check appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/*.metainfo.xml desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop %files %dir %{_pkgdocdir} %doc %{_pkgdocdir}/README.rst %license AUTHORS %license LICENSE.en.txt %license LICENSE.txt %{_bindir}/.%{name}.hmac %{_bindir}/%{name} %{_datadir}/applications/com.governikus.%{lc_name}.desktop %{_libexecdir}/.%{name}.hmac %{_libexecdir}/%{name} %{_mandir}/man1/%{name}.1* %{_metainfodir}/com.governikus.%{lc_name}.metainfo.xml %if 0%{?qt6_build} %files data -f %{lc_name}.icons %else %files data -f %{lc_name}.icons -f %{lc_name}.lang %endif %{_datadir}/%{name} %files doc %doc %{_pkgdocdir} %license %{_licensedir}/%{name}* %changelog * Sun Nov 06 2022 Björn Esser - 1.24.4-1 - New upstream release * Fri Sep 02 2022 Björn Esser - 1.24.1-1 - New upstream release * Wed Jul 20 2022 Fedora Release Engineering - 1.22.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild * Wed Jan 26 2022 Björn Esser - 1.22.3-1 - New upstream release - Explicitly BR '/usr/bin/fipshmac' instead of fipscheck package * Wed Jan 19 2022 Fedora Release Engineering - 1.22.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild * Tue Sep 14 2021 Sahana Prasad - 1.22.2-4 - Rebuilt with OpenSSL 3.0.0 * Tue Aug 31 2021 Björn Esser - 1.22.2-3 - Drop forge-macros and perform tarbal verification during %%prep * Tue Aug 31 2021 Björn Esser - 1.22.2-2 - Add a patch to disable use of Brainpool Elliptic Curves * Sun Aug 22 2021 Björn Esser - 1.22.2-1 - New upstream release - Disable enforcing of FIPS mode for OpenSSL * Wed Jul 21 2021 Fedora Release Engineering - 1.20.2-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild * Mon Jan 25 2021 Fedora Release Engineering - 1.20.2-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild * Sun Nov 15 08:50:35 CET 2020 Björn Esser - 1.20.2-10 - Add runtime dependency on qt5-qtquickcontrols2 * Sat Oct 3 12:51:03 CEST 2020 Björn Esser - 1.20.2-9 - Disable fipscheck in shell wrapper as it does not work in Fedora 33+ * Sat Sep 26 2020 Björn Esser - 1.20.2-8 - Make shell wrapper exit with the exit code of fipscheck on failure * Sat Sep 26 2020 Björn Esser - 1.20.2-7 - Calculate fipshmac for config files and shell wrapper - Run fipscheck in shell wrapper before application starts * Fri Sep 25 2020 Björn Esser - 1.20.2-6 - Use a python script to generate a tailored OpenSSL configuration * Thu Sep 24 2020 Björn Esser - 1.20.2-5 - Some small spec file optimizations * Thu Sep 24 2020 Björn Esser - 1.20.2-4 - Use a more elaborate application specific OpenSSL configuration This also re-enables SHA384 hashes in ciphers * Wed Sep 23 2020 Björn Esser - 1.20.2-3 - Do not enable SHA384 ciphers in custom OpenSSL configuration * Wed Sep 23 2020 Björn Esser - 1.20.2-2 - Use application specific OpenSSL config through a shell wrapper * Mon Sep 07 2020 Björn Esser - 1.20.2-1 - New upstream release * Mon Aug 24 2020 Björn Esser - 1.20.1-3 - Add a patch to load translations from Qt5 TranslationsPath - Move translation files to proper location - Drop invokation of ctest, as we cannot run the testsuite from a release build - Replace patch adding English license with the actual license file * Fri Aug 21 2020 Björn Esser - 1.20.1-2 - Add a patch to exclude the build directory in the Doxyfile - Merge doc-api package with the doc package, since the Doxygen API documentation can be shipped noarch'ed as well now * Wed Aug 19 2020 Björn Esser - 1.20.1-1 - Initial import (#1851205) * Fri Jul 17 2020 Björn Esser - 1.20.1-0.11 - Use %%cmake_{build,install} macros on newer distributions * Sat Jul 04 2020 Björn Esser - 1.20.1-0.10 - Add license text in English language * Fri Jun 26 2020 Björn Esser - 1.20.1-0.9 - Also obsolete package with %%{name} previous to this package version * Fri Jun 26 2020 Björn Esser - 1.20.1-0.8 - Ensure archful packages always require equal architecture * Fri Jun 26 2020 Björn Esser - 1.20.1-0.7 - Make sure permissions of the documentation files are correct - Remove hidden files in documentation - Drop 'LICENSE.officially.txt', as it only applies to binary copies, which are distributed on behalf of the federal government of Germany * Thu Jun 25 2020 Björn Esser - 1.20.1-0.6 - Use '--help-all' option when generating man-page - Split build of Doxygen API docs from building user docs * Thu Jun 25 2020 Björn Esser - 1.20.1-0.5 - Add generated man-page * Thu Jun 25 2020 Björn Esser - 1.20.1-0.4 - Use a macro for lowercase package name * Thu Jun 25 2020 Björn Esser - 1.20.1-0.3 - Use ninja-build instead of GNU Make to speed up the build a bit * Thu Jun 25 2020 Björn Esser - 1.20.1-0.2 - Adaptions for building on EPEL * Wed Jun 24 2020 Björn Esser - 1.20.1-0.1 - Initial spec file for review