From 8214470e310efc2f391ef12304149a2f54dc9c37 Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: May 24 2017 00:47:55 +0000 Subject: Resolves: dogtag Pagure Issues #2618,2641,2655,2673,2674,2683,2684,2685,2690,2693,2694,2696,2701 - dogtagpki Pagure Issue #2618 - Allow CA to process pre-signed CMC renewal non-signing cert requests (cfu) - dogtagpki Pagure Issue #2641 - Ensuring common audit log correctness (edewata) - dogtagpki Pagure Issue #2655 - Adding serial number into CERT_REQUEST_PROCESSED audit event. (edewata) - dogtagpki Pagure Issue #2673 - allow enrollment key signed CMC with identity proof (cfu) - dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance creation (mharmsen) - dogtagpki Pagure Issue #2683 - exception Invalid module "--ignore-banner" when defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help (edewata) - dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails (jmagne) - dogtagpki Pagure Issue #2685 - Add "is_fips_enabled()" method to Python pkispawn logic (mharmsen) - dogtagpki Pagure Issue #2690 - Inconsistent CERT_REQUEST_PROCESSED event in ConnectorServlet. (edewata) - dogtagpki Pagure Issue #2693 - Incorrect audit event outcome for agent-rejected cert request. (edewata) - dogtagpki Pagure Issue #2694 -Incorrect audit event outcome for agent-canceled cert request. (edewata) - dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port (mharmsen) - dogtagpki Pagure Issue #2701 - Unable to install IPA server due to pkispawn error (mharmsen) --- diff --git a/.gitignore b/.gitignore index 33c27f1..3a29af1 100644 --- a/.gitignore +++ b/.gitignore @@ -44,3 +44,4 @@ /pki-core-10.4.2.tar.gz /pki-core-10.4.3.tar.gz /pki-core-10.4.4.tar.gz +/pki-core-10.4.5.tar.gz diff --git a/pki-core-Always-check-FIPS-mode-at-installation-time.patch b/pki-core-Always-check-FIPS-mode-at-installation-time.patch new file mode 100644 index 0000000..544c36d --- /dev/null 
+++ b/pki-core-Always-check-FIPS-mode-at-installation-time.patch @@ -0,0 +1,26 @@ +From 3249ddc2c19f6f5ded11823b345c9c58bae4750b Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Tue, 23 May 2017 11:46:41 -0600 +Subject: [PATCH] Always check FIPS mode at installation time + +- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error +--- + base/server/python/pki/server/deployment/scriptlets/initialization.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py +index 0e31543..4dc4e9a 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py +@@ -42,6 +42,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # ALWAYS establish 'uid' and 'gid' + deployer.identity.set_uid(deployer.mdict['pki_user']) + deployer.identity.set_gid(deployer.mdict['pki_group']) ++ # ALWAYS check FIPS mode ++ deployer.fips.is_fips_enabled() + # ALWAYS initialize HSMs (when and if present) + deployer.hsm.initialize() + if config.str2bool(deployer.mdict['pki_skip_installation']): +-- +1.8.3.1 + diff --git a/pki-core.spec b/pki-core.spec index 223962b..846fa50 100644 --- a/pki-core.spec +++ b/pki-core.spec @@ -64,8 +64,8 @@ %define pki_homedir /usr/share/pki Name: pki-core -Version: 10.4.4 -Release: 1%{?dist} +Version: 10.4.5 +Release: 2%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 
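Review bot: The added call `deployer.fips.is_fips_enabled()` in initialization.py discards its return value, so a predicate-named method is being used purely for a side effect that the hunk does not show. Presumably it records the FIPS state somewhere that later scriptlets read, but that should be confirmed and stated in the comment, for example `# ALWAYS check FIPS mode (called for its side effect: records the result for later scriptlets)`. It is also worth confirming what the method does when the probe itself cannot run: an installer that silently falls back to "not FIPS" on a FIPS host would choose the wrong crypto configuration, so a failed check should surface as an error or at least be logged. The enclosing method starts and ends outside the hunk.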
@@ -226,6 +226,11 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz %endif +####################### +## pki-core-10.4.5-2 +####################### +Patch0: pki-core-Always-check-FIPS-mode-at-installation-time.patch + # Obtain version phase number (e. g. - used by "alpha", "beta", etc.) # # NOTE: For "alpha" releases, will be ".a1", ".a2", etc. @@ -578,6 +583,7 @@ Requires: nuxwdog-client-java >= 1.0.3 %endif Requires: policycoreutils +Requires: procps-ng Requires: openldap-clients Requires: openssl Requires: pki-base = %{version}-%{release} @@ -893,6 +899,7 @@ This package is a part of the PKI Core used by the Certificate System. %prep %setup -q -n %{name}-%{version}%{?prerel} +%patch0 -p1 %clean %{__rm} -rf %{buildroot} 
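Review bot: The new `Requires: procps-ng` in the `@@ -578,6 +583,7 @@` hunk has no comment saying why it is needed, and nothing else in the spec changes explains it. It presumably supports the FIPS check that Patch0 introduces (procps-ng ships `sysctl`), but that is inferred and should be confirmed; if so, a line such as `# procps-ng: needed by the pkispawn FIPS-mode check` above it would keep the dependency from being dropped later. It should also be checked that the requirement sits on the subpackage that ships the deployment scriptlets, since the package header for this Requires block is outside the hunk.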
@@ -1391,6 +1398,36 @@ fi %endif # %{with server} %changelog +* Tue May 23 2017 Dogtag Team 10.4.5-2 +- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error + (mharmsen) + +* Mon May 22 2017 Dogtag Team 10.4.5.1 +- dogtagpki Pagure Issue #2618 - Allow CA to process pre-signed CMC renewal + non-signing cert requests (cfu) +- dogtagpki Pagure Issue #2641 - Ensuring common audit log correctness + (edewata) +- dogtagpki Pagure Issue #2655 - Adding serial number into + CERT_REQUEST_PROCESSED audit event. (edewata) +- dogtagpki Pagure Issue #2673 - allow enrollment key signed CMC with identity + proof (cfu) +- dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance + creation (mharmsen) +- dogtagpki Pagure Issue #2683 - exception Invalid module "--ignore-banner" + when defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help + (edewata) +- dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails + (jmagne) +- dogtagpki Pagure Issue #2685 - Add "is_fips_enabled()" method to Python + pkispawn logic (mharmsen) +- dogtagpki Pagure Issue #2690 - Inconsistent CERT_REQUEST_PROCESSED event in + ConnectorServlet. (edewata) +- dogtagpki Pagure Issue #2693 - Incorrect audit event outcome for + agent-rejected cert request. (edewata) +- dogtagpki Pagure Issue #2694 -Incorrect audit event outcome for + agent-canceled cert request. (edewata) +- dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port (mharmsen) + * Tue May 9 2017 Dogtag Team 10.4.4-1 - dogtagpki Pagure Issue #1663 - Add SCP03 support (jmagne) - dogtagpki Pagure Issue #2522 - cannot extract generated private key from diff --git a/sources b/sources index f60c1a8..2712f36 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (pki-core-10.4.4.tar.gz) = c83f406cde173a9b955116912eea50c5a449baf2aa3e80e759ecc137d6b2e812781520701a15cf28fb2a234e9fda8bb6d22e40ccef1a1f0a56a750b55125bc65
+SHA512 (pki-core-10.4.5.tar.gz) = dcd9382a293f9e21a1b7e083bcbd13db8fd4fcd5ddd5e7667f67575af91decb7ed207e608396e0af4499991b2f2d4e6055c80cf735d17183a983d9128a184577