#1 Update to new upstream version 2.5.3
Merged 2 months ago by msuchy. Opened 3 months ago by frostyx.
rpms/ frostyx/obs-signd master  into  master

file modified
+1 -2

@@ -1,4 +1,3 @@ 

- /obs-signd-2.2.1.tar.bz2

- /obs-sign-65f9cab.tar.gz

  /0001-Rename-option-files-are-digests-to-file-is-digest.patch

  /0002-fixes-user-id-matching-to-provide-unique-results.patch

+ /obs-sign-c3d5984.tar.gz

@@ -1,4 +1,4 @@ 

- From 0ad6341f992c3fd837482ce1b4b7d8aecfa48b74 Mon Sep 17 00:00:00 2001

+ From 8903fa0f189147c8d53093eceb308309d13d8ba0 Mon Sep 17 00:00:00 2001

  From: Josef Stribny <jstribny@redhat.com>

  Date: Tue, 27 May 2014 12:20:35 +0200

  Subject: [PATCH 1/2] Rename option --files-are-digests to --file-is-digest

@@ -9,23 +9,29 @@ 

   2 files changed, 3 insertions(+), 3 deletions(-)

  

  diff --git a/signd b/signd

- index 4f03bba..5b07c91 100755

+ index 9478a7b..b6615b5 100755

  --- a/signd

  +++ b/signd

- @@ -731,9 +731,9 @@ if ($cmd eq 'sign' || $cmd eq 'privsign') {

-        $argv[2] = substr($argv[2], 0, -10)."0000000000";

+ @@ -820,7 +820,7 @@ sub cmd_privsign {

+        $classtime = $1;

+        $args[0] = substr($args[0], 0, -10)."0000000000";

       }

-      if (@keyargs) {

- -      ($status, $lout, $lerr) = rungpg('/dev/null', ["$tmpdir/privkey.$$", "$tmpdir/pubkey.$$"], $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", @keyargs, "-sbo", "-", $argv[2]);

- +      ($status, $lout, $lerr) = rungpg('/dev/null', ["$tmpdir/privkey.$$", "$tmpdir/pubkey.$$"], $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", @keyargs, "-sbo", "-", $argv[2]);

-      } else {

- -      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $argv[2]);

- +      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $argv[2]);

+ -    ($status, $lout, $lerr) = rungpg('/dev/null', undef, $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-sbo", "-", $args[0]);

+ +    ($status, $lout, $lerr) = rungpg('/dev/null', undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-sbo", "-", $args[0]);

+      $lout = patchclasstime($lout, $classtime) if $classtime && !$status;

+      shift @args;

+      push @out, $lout;

+ @@ -846,7 +846,7 @@ sub cmd_sign {

+        $classtime = $1;

+        $args[0] = substr($args[0], 0, -10)."0000000000";

       }

+ -    ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $args[0]);

+ +    ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $args[0]);

       $lout = patchclasstime($lout, $classtime) if $classtime && !$status;

-      splice(@argv, 2, 1);

+      shift @args;

+      push @out, $lout;

  diff --git a/signd.8 b/signd.8

- index f5c3215..23ca2d0 100644

+ index 2ba6bf9..0b95068 100644

  --- a/signd.8

  +++ b/signd.8

  @@ -14,7 +14,7 @@ to another signd. The -f option makes signd fork on startup.

@@ -36,7 +42,7 @@ 

  +"--file-is-digest" option to work correctly.

   

   .SH SECURITY

-  signd allows only connections from reserved ports and ip

+  Unless the allow-unprivileged-ports option is set to true in

  -- 

- 2.17.1

+ 2.21.0
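Review bot: The regenerated signd.8 context at the end of this hunk (`Unless the allow-unprivileged-ports option is set to true in`) shows that 2.5.3 adds a knob that relaxes the reserved-port check the old SECURITY text (`signd allows only connections from reserved ports and ip`) describes as the daemon's client authentication; the sign.conf this package installs into %{_sysconfdir} is outside the diff, so confirm the shipped default leaves that option unset or false. The rename itself is mechanical, but the only record of why the patch exists is the spec comment `# We renamed the option in gnupg2 to 'file-is-digest'`, which presumably refers to a downstream gnupg2 patch; I'd carry that justification into the patch header as well, e.g. `The packaged gnupg2 exposes the digest-signing hook as --file-is-digest; upstream obs-sign still spells it --files-are-digests.` cmd_privsign and cmd_sign both begin and end outside this hunk.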

  

@@ -1,4 +1,4 @@ 

- From 3c649460f96700a8844ad548ae8abafe5ec4a058 Mon Sep 17 00:00:00 2001

+ From 03130f8295b5efbd700abf6b60b190df98e54b9b Mon Sep 17 00:00:00 2001

  From: clime <clime@redhat.com>

  Date: Mon, 2 May 2016 21:05:43 +0200

  Subject: [PATCH 2/2] fixes user-id matching to provide unique results

@@ -50,45 +50,45 @@ 

   1 file changed, 4 insertions(+), 4 deletions(-)

  

  diff --git a/signd b/signd

- index 5b07c91..6db2940 100755

+ index b6615b5..2564a87 100755

  --- a/signd

  +++ b/signd

- @@ -575,7 +575,7 @@ if (! -d $tmpdir) {

+ @@ -702,7 +702,7 @@ sub cmd_keygen {

   

-  if ($cmd eq 'pubkey') {

-    die("pubkey: one argument expected\n") if @argv != 2;

- -  my $pubkey = rungpg_fatal('/dev/null', undef, $gpg, '--export', '-a', $user);

- +  my $pubkey = rungpg_fatal('/dev/null', undef, $gpg, '--export', '-a', "<$user>");

-    if (!$oldproto) {

-      $pubkey = pack('nn', 1, length($pubkey)).$pubkey;

-    }

- @@ -621,7 +621,7 @@ if ($cmd eq 'keygen') {

-    $keyid = $keyid[0];

-  

-    # add user sig to pubkey

- -  rungpg_fatal("$phrases/$user", ["$tmpdir/pubkey.$$", "$tmpdir/privkey.$$"], $gpg, '--batch', '--no-secmem-warning', "--keyring=$tmpdir/pubkey.$$", "--passphrase-fd=0", "-u", $user, '--yes', '--trustdb-name', "$tmpdir/trustdb.$$", '--default-cert-level', '3', '--edit-key', $keyid, 'sign', 'save');

- +  rungpg_fatal("$phrases/$user", ["$tmpdir/pubkey.$$", "$tmpdir/privkey.$$"], $gpg, '--batch', '--no-secmem-warning', "--keyring=$tmpdir/pubkey.$$", "--passphrase-fd=0", "-u", "<$user>", '--yes', '--trustdb-name', "$tmpdir/trustdb.$$", '--default-cert-level', '3', '--edit-key', $keyid, 'sign', 'save');

-    unlink("$tmpdir/pubkey.$$~");

-    unlink("$tmpdir/trustdb.$$");

-  

- @@ -630,7 +630,7 @@ if ($cmd eq 'keygen') {

-    unlink("$tmpdir/pubkey.$$");

+    rungpg_fatal("$phrases/$user", $tdir, $gpg, '--batch', '--no-secmem-warning',

+          "--passphrase-fd=0", "--yes",

+ -        "-u", $user,

+ +        "-u", "<$user>",

+          '--default-cert-level', '3',

+          "--keyring", $pubring,

+          '--edit-key', $keyid,

+ @@ -722,7 +722,7 @@ sub cmd_keygen {

+    close(F) || die("privkey close error\n");

   

-    # encrypt privkey

- -  my $privkey = rungpg_fatal('/dev/null', ["$tmpdir/privkey.$$"], $gpg, '--batch', '--encrypt', '--no-verbose', '--no-secmem-warning', '--trust-model', 'always', '-o-', '-r', "$user", "$tmpdir/privkey.$$");

- +  my $privkey = rungpg_fatal('/dev/null', ["$tmpdir/privkey.$$"], $gpg, '--batch', '--encrypt', '--no-verbose', '--no-secmem-warning', '--trust-model', 'always', '-o-', '-r', "<$user>", "$tmpdir/privkey.$$");

-    unlink("$tmpdir/privkey.$$");

+    $ENV{GNUPGHOME} = $org_gnupghome;

+ -  my $privkey = rungpg_fatal('/dev/null', $tdir, $gpg, '--batch', '--encrypt', '--no-verbose', '--no-secmem-warning', '--trust-model', 'always', '-o-', '-r', "$user", "$tdir/privkey");

+ +  my $privkey = rungpg_fatal('/dev/null', $tdir, $gpg, '--batch', '--encrypt', '--no-verbose', '--no-secmem-warning', '--trust-model', 'always', '-o-', '-r', "<$user>", "$tdir/privkey");

+    remove_tree($tdir);

   

     # send back

- @@ -733,7 +733,7 @@ if ($cmd eq 'sign' || $cmd eq 'privsign') {

-      if (@keyargs) {

-        ($status, $lout, $lerr) = rungpg('/dev/null', ["$tmpdir/privkey.$$", "$tmpdir/pubkey.$$"], $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", @keyargs, "-sbo", "-", $argv[2]);

-      } else {

- -      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $argv[2]);

- +      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", "<$user>", "-sbo", "-", $argv[2]);

+ @@ -783,7 +783,7 @@ EOL

+  sub cmd_pubkey {

+    my ($cmd, $user, $hashalgo, @args) = @_;

+    die("pubkey: one argument expected\n") if @args;

+ -  my $pubkey = rungpg_fatal('/dev/null', undef, $gpg, '--export', '-a', $user);

+ +  my $pubkey = rungpg_fatal('/dev/null', undef, $gpg, '--export', '-a', "<$user>");

+    return (0, '', $pubkey);

+  }

+  

+ @@ -846,7 +846,7 @@ sub cmd_sign {

+        $classtime = $1;

+        $args[0] = substr($args[0], 0, -10)."0000000000";

       }

+ -    ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $args[0]);

+ +    ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", "<$user>", "-sbo", "-", $args[0]);

       $lout = patchclasstime($lout, $classtime) if $classtime && !$status;

-      splice(@argv, 2, 1);

+      shift @args;

+      push @out, $lout;

  -- 

- 2.17.1

+ 2.21.0
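Review bot: The `<$user>` form in cmd_pubkey, cmd_keygen and cmd_sign restricts gpg to an exact e-mail match, but it only gives the "unique results" the subject promises if the keyring holds one key per address; if several keys carry the same e-mail (for instance after a second keygen for an existing user), `--export -a "<$user>"` exports all of them and `-u "<$user>"` signs with whichever key gpg selects first, and nothing in this hunk detects that case. Whether `$user` is validated before it is interpolated here is also outside the hunk—it comes straight from the request (`my ($cmd, $user, $hashalgo, @args) = @_;`), and a value containing `>` or whitespace would match nothing and make the rungpg_fatal call die. I'd record the intent next to the first changed call, `# "<user>" limits gpg's key lookup to an exact e-mail match instead of a substring match`, and consider having keygen refuse to proceed when a key for `<$user>` already exists. cmd_keygen and cmd_sign both start outside this hunk.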

  

file modified
+9 -5

@@ -1,16 +1,16 @@ 

  # http://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#PIE

  %global _hardened_build 1

- %global commit 65f9cab3937822234e214e4ed5442db73f640f0c

+ %global commit c3d59841ac2457435c80b2f38e396512de37ae6d

  %global shortcommit %(c=%{commit}; echo ${c:0:7})

- %global snapdate 20180614

+ %global snapdate 20190613

  %global snapshotrel .%{snapdate}git%{shortcommit}

  

  Name:             obs-signd

  Summary:          The OBS sign daemon

  License:          GPLv2

  Url:              https://github.com/openSUSE/obs-sign

- Version:          2.4.2

- Release:          6%{?snapshotrel}%{?dist}

+ Version:          2.5.3

+ Release:          1%{?snapshotrel}%{?dist}

  Source0:          https://github.com/openSUSE/obs-sign/archive/%{commit}/obs-sign-%{shortcommit}.tar.gz

  # We renamed the option in gnupg2 to 'file-is-digest'

  Patch0:           0001-Rename-option-files-are-digests-to-file-is-digest.patch

@@ -36,7 +36,7 @@ 

  %autosetup -n obs-sign-%{commit}

  

  %build

- gcc %{optflags} -fPIC -pie -o sign sign.c

+ %make_build CFLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}" sign

  

  %install

  mkdir -p %{buildroot}%{_sbindir} %{buildroot}%{_sysconfdir}

@@ -83,6 +83,10 @@ 

  %doc %{_mandir}/man*/*

  

  %changelog

+ * Mon Jun 24 2019 Jakub Kadlčík <jkadlcik@redhat.com> - 2.5.3-1.20180614gitc3d5984

+ - update to new upstream version 2.5.3

+ - use Makefile that is provided by upstream nowadays

+ 

  * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.2-6.20180614git65f9cab

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
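Review bot: The new changelog entry's EVR `2.5.3-1.20180614gitc3d5984` does not match what the spec now produces: `snapdate` is `20190613`, so the release string is `1.20190613gitc3d5984` and rpmlint should flag the entry as incoherent with the package version; change the header to `* Mon Jun 24 2019 Jakub Kadlčík <jkadlcik@redhat.com> - 2.5.3-1.20190613gitc3d5984`. With `%global _hardened_build 1` the PIE/RELRO flags now reach the binary only if the upstream Makefile's link rule actually consumes the `CFLAGS`/`LDFLAGS` given on the `%make_build` command line, which this diff cannot show; `annocheck` or `readelf -d sign` on the built package (ET_DYN, DT_FLAGS BIND_NOW) is the cheap confirmation. If c3d5984 is the tagged 2.5.3 commit, as the commit list ("Update snapdate to the 2.5.3 commit date") suggests, the `%{?snapshotrel}` suffix is marking a release build as a snapshot; a one-line comment above `%global commit` saying which it is would help the next updater.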

  

file modified
+1 -3

@@ -1,3 +1,1 @@ 

- SHA512 (obs-sign-65f9cab.tar.gz) = 11af12f6e3823b8261bc9aed773d1a04fc6e1f688096c292e2a506e3c1c50fda29aa55a6d20043862486d10ef9ea3a8a2faf072b25de180f7abf84edd7c0b23c

- SHA512 (0001-Rename-option-files-are-digests-to-file-is-digest.patch) = 78ed45a6462574690115ec75f07c330cbbbd777c0f7a680bd5740716e0253f5aaf9dda8a99730693a47b7d994427190cb18cfc751429a8575358a001ece26dd5

- SHA512 (0002-fixes-user-id-matching-to-provide-unique-results.patch) = 73df840e51c6bfc955200b5a733f70db7f27e4235b28f3f5a1135aea542b54adf7fd0d3324a44082511d8f42e2e466bf6d11c9d778e69904dcf35608d9949ed9

+ SHA512 (obs-sign-c3d5984.tar.gz) = c5740ed98ceef2f7edae94c5c47729f55990e04b53686a7e40f3d277ae6ba97ec522460d5683e880d302e607deb0addd36d1c00b98b45b6cdb099703107be637

I am creating a pull request on src.fedoraproject.org for the first time, so I am not sure whether I am doing it right. In particular, I am not sure about

  1. Should I create pull requests also for f30 and f29 branches?
  2. Should I somehow also upload the new sources and request them in the PR?

Anyway, please take a look.

You shouldn't turn debug packages off for c packages.

It is possible to use %make_build sign, ... but this very likely removed %optflags, so the package is not hardened now.

That said, if you switch to make now ... you should probably start using %set_build_flags and check those flags are really used.

Should I create pull requests also for f30 and f29 branches?

Probably not; PRs are usually just a convenient way to review the code and to leverage the simple-koji-ci badge.

Should I somehow also upload the new sources and request them in the PR?

Yes, by fedpkg new-sources.

3 new commits added

  • Upload new sources
  • Don't disable debug package
  • Update snapdate to the 2.5.3 commit date
3 months ago

You shouldn't turn debug packages off for c packages.

I've been doing it for all my packages because rpmbuild always failed with

error: Empty %files file /../debugsourcefiles.list

but now I've finally found out, that it is because gcc needs to be called with -g parameter.
So, I've changed it, what do you think now?

Yes, by fedpkg new-sources.

Yes, it required kinit, and I was paranoid that it would upload the sources to the original project rather than to the fork (since I have permissions to do so). But it worked fine, thanks!

What do you think about the PR now? We will need to squash all those commits into one, but I would like to do that after review, right before merging, so you don't have to review the whole change all over again, only the new commits.

You can drop the old files, and keep only the new line (and obs-sign-*.tar.gz may be used).

I'd prefer LDFLAGS="%build_ldflags" here as well.

The last line is not valid now.

What do you think about the PR now?

Looks fine to me now (few nits, but still).

We will need to squash all those commits into one

Feel free to go ahead and push.

few nits, but still).

Everything updated, thank you for the review @praiskup!

@msuchy?

rebased onto 4ce1758

2 months ago

Pull-Request has been merged by msuchy

2 months ago