#3 rawhide: use GPG-based source file verification, use %pypi_source macro
Closed 2 months ago by elyscape. Opened 2 months ago by fschwarz.
rpms/ fschwarz/certbot master  into  master

file modified
+39 -29

@@ -1,21 +1,30 @@ 

  %global oldpkg letsencrypt

  %global srcname certbot

  

- %if 0%{?fedora}

+ # by default build Python 3 packages on Fedora and (RHEL >= 8)

+ %if 0%{?fedora} || (0%{?rhel} && 0%{?rhel} >= 8)

  %bcond_without python3

  %else

  %bcond_with python3

  %endif

  

- %if 0%{?fedora} && 0%{?fedora} >= 30

+ # by default build NO Python 2 packages on (Fedora > 30) and (RHEL >= 8)

+ %if (0%{?fedora} && 0%{?fedora} >= 30) || (0%{?rhel} && 0%{?rhel} >= 8)

  %bcond_with python2

  %else

  %bcond_without python2

  %endif

  

+ # by default build docs but not on RHEL 8

+ %if (0%{?rhel} && 0%{?rhel} == 8)

+ %bcond_with docs

+ %else

+ %bcond_without docs

+ %endif

+ 

  Name:           certbot

- Version:        0.39.0

- Release:        2%{?dist}

+ Version:        0.40.1

+ Release:        4%{?dist}

  Summary:        A free, automated certificate authority client

  

  License:        ASL 2.0
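Review bot: The comment added above the Python 2 condition says `(Fedora > 30)`, but the condition tests `0%{?fedora} >= 30`, so the two disagree about Fedora 30 itself. Assuming the condition is the intended behaviour, the comment should read `# by default build NO Python 2 packages on (Fedora >= 30) and (RHEL >= 8)`. The new docs condition uses `0%{?rhel} == 8` where the other two use `>= 8`, so a later RHEL major would turn docs back on while Python 2 stays off. If that is deliberate, a one-line comment saying why only RHEL 8 is excluded would help the next maintainer.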

@@ -32,9 +41,15 @@ 

  Source12:       certbot-sysconfig-certbot

  Source13:       certbot-README.fedora

  

+ # https://github.com/certbot/certbot/issues/6604

+ Patch0:         certbot-remove-mock-runtime-dependency.patch

+ 

  BuildArch:      noarch

  

  BuildRequires:  gnupg2

+ %if 0%{?rhel}

+ BuildRequires:  epel-rpm-macros

+ %endif

  %if %{with python2}

  BuildRequires:  python2-acme >= 0.29.0

  BuildRequires:  python2-configargparse
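Review bot: `Patch0` is declared here, but none of the visible hunks touches `%prep`, so this page does not show whether the patch is ever applied. If `%prep` uses `%setup` rather than `%autosetup`, it needs an explicit `%patch0` line. Without it, the upstream code would presumably still import mock at runtime while a later hunk drops the explicit `Requires: python3-mock`. It is worth confirming in a clean mock or COPR build that the installed package no longer pulls in or imports mock. The `epel-rpm-macros` BuildRequires under `%if 0%{?rhel}` could carry a short comment naming the macro it provides, since the changelog only says it fixes COPR.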

@@ -65,10 +80,7 @@ 

  BuildRequires:  python2-zope-interface

  %endif

  

- # TODO Remove this once python-parsedatetime adds it as a dependency

- BuildRequires:  python2-future

- 

- %if 0%{?fedora}

+ %if %{with docs}

  # Required for documentation

  BuildRequires:  python2-repoze-sphinx-autointerface

  BuildRequires:  python2-sphinx >= 1.2.0

@@ -93,14 +105,13 @@ 

  BuildRequires:  python3-zope-component

  BuildRequires:  python3-zope-interface

  

- # TODO Remove this once python-parsedatetime adds it as a dependency

- BuildRequires:  python3-future

- 

+ %if %{with docs}

  # Required for documentation

  BuildRequires:  python3-repoze-sphinx-autointerface

  BuildRequires:  python3-sphinx >= 1.2.0

  BuildRequires:  python3-sphinx_rtd_theme

  %endif

+ %endif

  

  # For the systemd macros

  %{?systemd_requires}

@@ -112,8 +123,8 @@ 

  Requires(post): %{_sbindir}/semanage

  %endif

  

- # On F26+ use python3

- %if 0%{?fedora} >= 26

+ # On F26+ and RHEL 8 use python3

+ %if (0%{?fedora} >= 26) || (0%{?rhel} && 0%{?rhel} >= 8)

  Requires: python3-certbot = %{version}-%{release}

  %else

  Requires: python2-certbot = %{version}-%{release}
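Review bot: The runtime `Requires` on `python3-certbot` is selected by distribution version, not by the `python3` bcond that the top of the spec now defines for the same Fedora/RHEL 8 cases. A build with the bcond overridden (for example `--without python3` on Fedora) would produce a `certbot` package that requires a subpackage which was never built. Switching the condition to `%if %{with python3}` keeps the dependency tied to what is actually built, and the comment could become `# require the Python 3 library whenever it is built`. The surrounding block starts and ends outside this hunk.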

@@ -171,21 +182,6 @@ 

  

  %if %{with python3}

  %package -n python3-certbot

- Requires:       python3-acme >= 0.29.0

- Requires:       python3-configargparse

- Requires:       python3-configobj

- Requires:       python3-cryptography

- Requires:       python3-distro

- Requires:       python3-josepy >= 1.1.0

- Requires:       python3-mock

- Requires:       python3-parsedatetime

- Requires:       python3-pyrfc3339

- Requires:       python3-pytz

- Requires:       python3-zope-component

- Requires:       python3-zope-interface

- 

- # TODO Remove this once python-parsedatetime adds it as a dependency

- Requires:       python3-future

  

  Summary:    Python 3 libraries used by certbot

  %{?python_provide:%python_provide python3-certbot}

@@ -254,6 +250,8 @@ 

  %if %{with python3}

  grep -q %{__python3} %{buildroot}%{_bindir}/certbot-3

  %endif

+ rm -rf %{buildroot}%{python3_sitelib}/%{name}/tests

+ 

  

  # The base selinux policies don't handle the certbot directories yet so set them up manually

  %post
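Review bot: The added `rm -rf %{buildroot}%{python3_sitelib}/%{name}/tests` sits after the `%endif` that closes `%if %{with python3}`, so it also runs in builds without Python 3, where `%{python3_sitelib}` may not expand to a real path. Moving the line above that `%endif` scopes it to the build that creates the directory. If the Python 2 package also installs a tests directory, a matching `rm -rf %{buildroot}%{python2_sitelib}/%{name}/tests` under `%if %{with python2}` would keep both variants consistent. The enclosing section starts outside the hunk, so it is not visible whether this is `%install` or `%check`; the removal belongs in `%install`. A short comment saying why the tests are dropped would also help, presumably because they are what import mock.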

@@ -267,7 +265,7 @@ 

  %doc README.rst README.fedora CHANGELOG.md

  %{_bindir}/certbot

  %{_bindir}/%{oldpkg}

- # %doc %attr(0644,root,root) %{_mandir}/man1/%{name}*

+ # %%doc %%attr(0644,root,root) %%{_mandir}/man1/%%{name}*

  %dir %{_sysconfdir}/%{oldpkg}

  %dir %{_sharedstatedir}/%{oldpkg}

  %config(noreplace) %{_sysconfdir}/sysconfig/certbot

@@ -293,6 +291,18 @@ 

  %endif

  

  %changelog

+ * Mon Dec 02 2019 Felix Schwarz <fschwarz@fedoraproject.org> 0.40.1-4

+ - remove runtime dependency on mock

+ 

+ * Mon Dec 02 2019 Felix Schwarz <fschwarz@fedoraproject.org> 0.40.1-3

+ - prevent macro expansion in comment (COPR build failure)

+ 

+ * Mon Dec 02 2019 Felix Schwarz <fschwarz@fedoraproject.org> 0.40.1-2

+ - remove python2 dependency for certbot on RHEL 8

+ 

+ * Sat Nov 30 2019 Felix Schwarz <fschwarz@fedoraproject.org> 0.40.1-1

+ - Update to 0.40.1

+ 

  * Thu Nov 21 2019 Felix Schwarz <fschwarz@fedoraproject.org> 0.39.0-2

  - use GPG source file verification

  

This adds GPG source file verification to make it harder to inject compromised sources into Fedora.

Please note that I did not upload the .asc file in the lookaside cache. I just added it to "sources" so you can double-check its sha512 hash.

@fschwarz Apologies for the delay on this. I'll be taking a look shortly.

@fschwarz This looks good. I won't be merging it just yet, as I'm going to want to make similar changes to the numerous other certbot packages when I do. Thanks for your work on this.

6 new commits added

  • remove runtime dependency on mock
  • require "epel-rpm-macros" to fix COPR
  • prevent macro expansion in comment (COPR build failure)
  • remove python2 dependency for certbot on RHEL 8
  • adapt conditions for RHEL 8
  • update to 0.40.1
2 months ago

sorry for the spam - auto-updating of pull requests is really annoying. Probably the GPG verification is simple to redo but if you like I can also create a new PR with just the GPG verification.

No worries. I'll pull in just the GPG-related stuff to start.

rebased onto edc2458

2 months ago

Pull-Request has been closed by elyscape

2 months ago

GPG signature validation pulled in manually.