#global prever rcX

%global _hardened_build 1

Summary: DNSSEC key and zone management software

Name: opendnssec

Version: 1.4.9

Release: 3%{?prever}%{?dist}

License: BSD

Url: http://www.opendnssec.org/

Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz

Source1: ods-enforcerd.service

Source2: ods-signerd.service

Source3: ods.sysconfig

Source4: conf.xml

Source5: tmpfiles-opendnssec.conf

Source6: opendnssec.cron

Group: Applications/System

Requires: opencryptoki, softhsm, systemd-units

Requires: libxml2, libxslt sqlite

BuildRequires: ldns-devel >= 1.6.12, sqlite-devel , openssl-devel

BuildRequires: libxml2-devel CUnit-devel, doxygen

# It tests for pkill/killall and would use /bin/false if not found

BuildRequires: procps-ng

BuildRequires: systemd-units

Requires(pre): shadow-utils

Requires(post): systemd-units

Requires(preun): systemd-units

Requires(postun): systemd-units

%if 0%{?prever:1}

#For building snapshots

Buildrequires: autoconf, automake, libtool, java

%endif

%description

OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.

It secures zone data just before it is published in an authoritative

name server. It requires a PKCS#11 crypto module library, such as softhsm

%prep

%setup -q -n %{name}-%{version}%{?prever}

# bump default policy ZSK keysize to 2048

sed -i "s/1024/2048/" conf/kasp.xml.in

%build

export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"

export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"

export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"

%configure --with-ldns=%{_libdir}

make %{?_smp_mflags}

%check

# Requires sample db not shipped with upstream

# make check

%install

rm -rf %{buildroot}

make DESTDIR=%{buildroot} install

mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf}

install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/

install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec

rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample

install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig

install -d -m 0755 %{buildroot}%{_unitdir}

install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/

install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/

install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods

install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/

mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d/

install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/tmpfiles.d/opendnssec.conf

mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec

cp enforcer/utils/migrate_1_4_8.sqlite3 %{buildroot}%{_datadir}/%{name}/

%files

%{_unitdir}/ods-enforcerd.service

%{_unitdir}/ods-signerd.service

%config(noreplace) %{_sysconfdir}/tmpfiles.d/opendnssec.conf

%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec

%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec

%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp

%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed

%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf

%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml

%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods

%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec

%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec

%doc NEWS README.md LICENSE

%{_mandir}/*/*

%{_sbindir}/*

%{_bindir}/*

%attr(0755,root,root) %dir %{_datadir}/%{name}

%{_datadir}/%{name}/*

%pre

getent group ods >/dev/null || groupadd -r ods

getent passwd ods >/dev/null || \

useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \

-c "opendnssec daemon account" ods

exit 0

%post

# Initialise a slot on the softhsm on first install

if [ "$1" -eq 1 ]; then

   %{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \

                --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234

   if [ ! -s %{_localstatedir}opendnssec/kasp.db ]; then

      echo y | %{_bindir}/ods-ksmutil setup

   fi

fi

# Migrate version 3 db to version 4 db

if [ "`%{_bindir}/sqlite3 %{_localstatedir}/%{name}/kasp.db 'select version from dbadmin;'`" != "4" ]; then

   %{_bindir}/sqlite3 %{_localstatedir}/%{name}/kasp.db < %{_datadir}/%{name}/migrate_1_4_8.sqlite3

fi

# in case we update any xml conf file

ods-ksmutil update all >/dev/null 2>/dev/null ||:

%systemd_post ods-enforcerd.service

%systemd_post ods-signerd.service

%preun

%systemd_preun ods-enforcerd.service

%systemd_preun ods-signerd.service

%postun

%systemd_postun_with_restart ods-enforcerd.service

%systemd_postun_with_restart ods-signerd.service

%changelog

* Thu Feb 18 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-3

- Resolves: rbz#1303965 upgrade to opendnssec-1.4.9-1.fc23 breaks old installations

- On initial install, after token init, also run ods-ksmutil setup

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Mon Feb 01 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-1

- Updated to 1.4.9

- Removed merged in patch

* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.7-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Tue Jun 09 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-2

- Resolves rhbz#1219746 ods-signerd.service misplaced After= in section Service

- Resolves rhbz#1220443 OpenDNSSEC fails to initialise a slot in softhsm on first install

* Tue Dec 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.7-1

- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd)

* Wed Oct 15 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-4

- Change /etc/opendnssec to be ods group writable

* Wed Oct 08 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-3

- Added Petr Spacek's patch that adds the config option <AllowExtraction/> (rhbz#1123354)

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.6-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Mon Jul 28 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-1

- Updated to 1.4.6

- Removed incorporated patch upstream

- Remove Wants= from ods-signerd.service (rhbz#1098205)

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.5-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Fri Apr 18 2014 Paul Wouters <pwouters@redhat.com> - 1.4.5-2

- Updated to 1.4.5

- Added patch for serial 0 bug in XFR adapter

* Tue Apr 01 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-3

- Add buildrequires for ods-kasp2html (rhbz#1073313)

* Sat Mar 29 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-2

- Add requires for ods-kasp2html (rhbz#1073313)

* Thu Mar 27 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-1

- Updated to 1.4.4 (compatibility with non RFC 5155 errata 3441)

- Change the default ZSK policy from 1024 to 2048 bit RSA keys

- Fix post to be quiet when upgrading opendnssec

* Thu Jan 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.3-1

- Updated to 1.4.3 (rhel#1048449) - minor bugfixes, minor feature enhancements

- rhel#1025985 OpenDNSSEC signer cannot be started due to a typo in service file

* Wed Sep 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.2-1

- Updated to 1.4.2, bugfix release

* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Fri Jun 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.1-1

- Updated to 1.4.1. NSEC3 handling and serial number handling fixes

- Add BuildRequire for systemd-units

* Sat May 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-1

- Updated to 1.4.0

* Fri Apr 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-0.8.rc3

- Updated to 1.4.0rc3

- Enabled hardened compile, full relzo/pie

* Fri Jan 25 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.7.rc2

- Updated to 1.4.0rc2, which includes svn r6952

* Fri Jan 18 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.6.rc1

- Updated to 1.4.0rc1

- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)

* Tue Dec 18 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.5.b2

- Updated to 1.4.0b2

- All patches have been merged upstream

- cron job should be marked as config file

* Tue Oct 30 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.4.b1

- Added BuildRequires: procps-ng for bug OPENDNSSEC-345

- Change RRSIG inception offset to -2h to avoid possible

  daylight saving issues on resolvers

- Patch to prevent removal of occluded data

* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.3.b1

- Just an EVR fix to the proper standard

- Cleanup of spec file

- Introduce new systemd-rpm macros (rhbz#850242)

* Wed Sep 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.b1.1

- Updated to 1.4.0b1

- Patch for NSEC3PARAM TTL

- Cron job to assist narrowing ods-enforcerd timing differences

* Wed Aug 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a3.1

- Updated to 1.4.0a3

- Patch to more aggressively try to resign

- Patch to fix locking issue eating up cpu

* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.0-0.a2.2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Tue Jun 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a2.1

- Updated to 1.4.0a2

- ksm-utils patch for ods-ksmutil to die sooner when it can't lock

  the HSM.

* Wed May 16 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.3

- Patch for crasher with deleted RRsets and NSEC3/OPTOUT chains

* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.2

- Added opendnssec LICENSE file from trunk (Thanks Jakob!)

* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.1

- Fix macros in comment

- Added missing -m to install target

* Sun Mar 25 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1

- The 1.4.x branch no longer needs ruby, as the auditor has been removed

- Added missing openssl-devel BuildRequire

- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind

* Fri Feb 24 2012 Paul Wouters <pwouters@redhat.com> - 1.3.6-3

- Requires rubygem-soap4r when using ruby-1.9

- Don't ghost /var/run/opendnssec

- Converted initd to systemd

* Thu Nov 24 2011 root - 1.3.2-6

- Added rubygem-dnsruby requires as rpm does not pick it up automatically

* Tue Nov 22 2011 root - 1.3.2-5

- Added /var/opendnssec/signconf/ /as this temp dir is needed

* Mon Nov 21 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-4

- Added /var/opendnssec/signed/ as this is the default output dir

* Sun Nov 20 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-3

- Add ods user for opendnssec tasks

- Added initscripts and services for ods-signerd and ods-enforcerd

- Initialise OpenDNSSEC softhsm token on first install

* Wed Oct 05 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-1

- Updated to 1.3.2

- Added dependancies on opencryptoki and softhsm

- Don't install duplicate unreadable .sample files

- Fix upstream conf.xml to point to actually used library paths

* Thu Mar  3 2011 Paul Wouters <paul@xelerance.com> - 1.2.0-1

- Initial package for Fedora