Compare commits
No commits in common. "b25678312b9ee0904952c4acfcf1a75feb206614" and "a7fe5623347334721549073db01c1b49231ef0fa" have entirely different histories.
b25678312b
...
a7fe562334
Binary file not shown.
BIN
crypto-policies-git781bbd4.tar.gz
Normal file
BIN
crypto-policies-git781bbd4.tar.gz
Normal file
Binary file not shown.
@ -1,10 +1,10 @@
|
|||||||
%global git_date 20230614
|
%global git_date 20200619
|
||||||
%global git_commit 5f3458e619628288883f22695f3311f1ccd6a39f
|
%global git_commit 781bbd45b7286408502ec47b5acc8ae85c604a68
|
||||||
%global git_commit_hash 5f3458e
|
%global git_commit_hash 781bbd4
|
||||||
|
|
||||||
Name: crypto-policies
|
Name: crypto-policies
|
||||||
Version: %{git_date}
|
Version: %{git_date}
|
||||||
Release: 2.git%{git_commit_hash}
|
Release: 1.git%{git_commit_hash}
|
||||||
Summary: Crypto policies package for Fedora
|
Summary: Crypto policies package for Fedora
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -19,18 +19,13 @@ BuildRequires: asciidoc
|
|||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: openssl
|
BuildRequires: openssl
|
||||||
BuildRequires: gnutls-utils >= 3.6.0
|
BuildRequires: gnutls-utils >= 3.6.0
|
||||||
BuildRequires: java-21-openjdk-devel
|
BuildRequires: java-1.8.0-openjdk-devel
|
||||||
BuildRequires: bind
|
BuildRequires: bind
|
||||||
BuildRequires: perl-interpreter
|
BuildRequires: perl-interpreter
|
||||||
BuildRequires: perl-generators
|
BuildRequires: perl-generators
|
||||||
BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
|
BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
|
||||||
BuildRequires: perl(File::Which)
|
BuildRequires: perl(File::Which)
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
BuildRequires: openssh-clients
|
|
||||||
|
|
||||||
Conflicts: openssl-libs < 3.0.2
|
|
||||||
Conflicts: openssh < 9.0p1
|
|
||||||
Conflicts: gnutls < 3.7.3
|
|
||||||
|
|
||||||
# used by update-crypto-policies
|
# used by update-crypto-policies
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
@ -68,21 +63,13 @@ The package also provides a tool fips-mode-setup, which can be used
|
|||||||
to enable or disable the system FIPS mode.
|
to enable or disable the system FIPS mode.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1 -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
|
%setup -q -n fedora-%{name}-%{git_commit_hash}-%{git_commit}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Drop pre-generated GOST-ONLY policies
|
|
||||||
rm -rf policies/GOST-ONLY.pol
|
|
||||||
|
|
||||||
# Drop FEDORA policies
|
|
||||||
rm -rf policies/FEDORA38.pol
|
|
||||||
rm -rf policies/TEST-FEDORA39.pol
|
|
||||||
|
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
|
|
||||||
%install
|
%install
|
||||||
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
|
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/
|
||||||
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/
|
|
||||||
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
|
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/
|
||||||
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
|
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/state/
|
||||||
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
|
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/crypto-policies/local.d/
|
||||||
@ -92,34 +79,23 @@ mkdir -p -m 755 %{buildroot}%{_bindir}
|
|||||||
|
|
||||||
make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
|
make DESTDIR=%{buildroot} DIR=%{_datarootdir}/crypto-policies MANDIR=%{_mandir} %{?_smp_mflags} install
|
||||||
install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
|
install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/config
|
||||||
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
|
|
||||||
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
|
|
||||||
|
|
||||||
# Create back-end configs for mounting with read-only /etc/
|
# Create back-end configs for mounting with read-only /etc/
|
||||||
for d in LEGACY DEFAULT FUTURE FIPS ; do
|
for d in LEGACY DEFAULT FUTURE FIPS ; do
|
||||||
mkdir -p -m 755 %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d
|
|
||||||
for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
|
for f in %{buildroot}%{_datarootdir}/crypto-policies/$d/* ; do
|
||||||
ln $f %{buildroot}%{_datarootdir}/crypto-policies/back-ends/$d/$(basename $f .txt).config
|
ln -s $(basename $f) $(dirname $f)/$(basename $f .txt).config
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
for f in %{buildroot}%{_datarootdir}/crypto-policies/DEFAULT/* ; do
|
|
||||||
ln -sf %{_datarootdir}/crypto-policies/DEFAULT/$(basename $f) %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/$(basename $f .txt).config
|
|
||||||
done
|
|
||||||
|
|
||||||
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
|
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
|
||||||
|
|
||||||
%check
|
%check
|
||||||
# Don't diff FEDORA38 policies, it's deleted
|
|
||||||
sed -i '/diff\ policies\/DEFAULT.pol\ policies\/FEDORA38.pol/d' Makefile
|
|
||||||
# Don't check GOST-ONLY policies, it's deleted
|
|
||||||
sed -i '/\ GOST-ONLY\ /d' Makefile
|
|
||||||
|
|
||||||
make check %{?_smp_mflags}
|
make check %{?_smp_mflags}
|
||||||
|
|
||||||
%posttrans scripts
|
%post
|
||||||
%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
|
%{_bindir}/update-crypto-policies --no-check >/dev/null 2>/dev/null || :
|
||||||
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
|
|
||||||
%dir %{_sysconfdir}/crypto-policies/
|
%dir %{_sysconfdir}/crypto-policies/
|
||||||
@ -132,40 +108,33 @@ make check %{?_smp_mflags}
|
|||||||
|
|
||||||
%config(noreplace) %{_sysconfdir}/crypto-policies/config
|
%config(noreplace) %{_sysconfdir}/crypto-policies/config
|
||||||
|
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/openssl.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/openssh.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/nss.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/bind.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/java.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/krb5.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/openjdk.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
|
%ghost %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
|
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/sequoia.config
|
|
||||||
%config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/rpm-sequoia.config
|
|
||||||
|
|
||||||
%ghost %{_sysconfdir}/crypto-policies/state/current
|
|
||||||
%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
|
|
||||||
|
|
||||||
|
%{_bindir}/update-crypto-policies
|
||||||
%{_mandir}/man7/crypto-policies.7*
|
%{_mandir}/man7/crypto-policies.7*
|
||||||
|
%{_mandir}/man8/update-crypto-policies.8*
|
||||||
%{_datarootdir}/crypto-policies/LEGACY/*
|
%{_datarootdir}/crypto-policies/LEGACY/*
|
||||||
%{_datarootdir}/crypto-policies/DEFAULT/*
|
%{_datarootdir}/crypto-policies/DEFAULT/*
|
||||||
|
%{_datarootdir}/crypto-policies/NEXT/*
|
||||||
%{_datarootdir}/crypto-policies/FUTURE/*
|
%{_datarootdir}/crypto-policies/FUTURE/*
|
||||||
%{_datarootdir}/crypto-policies/FIPS/*
|
%{_datarootdir}/crypto-policies/FIPS/*
|
||||||
%{_datarootdir}/crypto-policies/EMPTY/*
|
%{_datarootdir}/crypto-policies/EMPTY/*
|
||||||
%{_datarootdir}/crypto-policies/back-ends/*
|
|
||||||
%{_datarootdir}/crypto-policies/default-config
|
%{_datarootdir}/crypto-policies/default-config
|
||||||
%{_datarootdir}/crypto-policies/reload-cmds.sh
|
%{_datarootdir}/crypto-policies/reload-cmds.sh
|
||||||
%{_datarootdir}/crypto-policies/policies
|
%{_datarootdir}/crypto-policies/policies
|
||||||
|
|
||||||
%files scripts
|
|
||||||
%{_bindir}/update-crypto-policies
|
|
||||||
%{_mandir}/man8/update-crypto-policies.8*
|
|
||||||
%{_datarootdir}/crypto-policies/python
|
%{_datarootdir}/crypto-policies/python
|
||||||
|
|
||||||
|
%files scripts
|
||||||
%{_bindir}/fips-mode-setup
|
%{_bindir}/fips-mode-setup
|
||||||
%{_bindir}/fips-finish-install
|
%{_bindir}/fips-finish-install
|
||||||
%{_mandir}/man8/fips-mode-setup.8*
|
%{_mandir}/man8/fips-mode-setup.8*
|
||||||
@ -175,33 +144,6 @@ make check %{?_smp_mflags}
|
|||||||
%license COPYING.LESSER
|
%license COPYING.LESSER
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Mar 21 2024 duyiwei <duyiwei@kylinos.cn> - 20230614-2.git5f3458e
|
|
||||||
- package pruning to minimize dependencies
|
|
||||||
|
|
||||||
* Fri Jan 26 2024 yixiangzhike <yixiangzhike007@163.com> - 20230614-1.git5f3458e
|
|
||||||
- update version to 20230614
|
|
||||||
- DEFAULT policy drop DH<2048bits,TLS1.0,TLS1.1,SHA-1
|
|
||||||
- Remove the CBC ciphers from DEFAULT policy in openssh
|
|
||||||
- FIPS policy drop the CBC ciphersuites
|
|
||||||
- Enable RSA-PSK algorithms in DEFAULT and LEGACY policies
|
|
||||||
- Add the diffie-hellman-group14-sha256 to libssh
|
|
||||||
- Add --check option to update-crypto-policies
|
|
||||||
- Add AES-192 algorithms support
|
|
||||||
- Use allowlisting config for gnutls
|
|
||||||
- Enable SHAKE algorithms for gnutls,java and nss
|
|
||||||
- Openssl disable SHA-1 signatures in FUTURE policy
|
|
||||||
- Openssh add HostbasedAcceptedAlgorithms and RequiresRSASize config options
|
|
||||||
|
|
||||||
* Mon Feb 27 2023 yixiangzhike <yixiangzhike007@163.com> - 20200619-4.git781bbd4
|
|
||||||
- Makefile support overriding asciidoc executable name
|
|
||||||
- update Makefile for asciidoc 10
|
|
||||||
|
|
||||||
* Thu Oct 20 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-3.git781bbd4
|
|
||||||
- backport upstream patch to add more notes for crypto-policies exceptions
|
|
||||||
|
|
||||||
* Fri Jan 7 2022 yixiangzhike <yixiangzhike007@163.com> - 20200619-2.git781bbd4
|
|
||||||
- add new algorithms in nss's config file to support nss >= 3.59 (ECDSA RSA-PSS RSA-PKCS)
|
|
||||||
|
|
||||||
* Tue Aug 11 2020 yang_zhuang_zhuang <yangzhuangzhuang1@huawei.com> - 20200619-1.git781bbd4
|
* Tue Aug 11 2020 yang_zhuang_zhuang <yangzhuangzhuang1@huawei.com> - 20200619-1.git781bbd4
|
||||||
- downgrade version to 20200619
|
- downgrade version to 20200619
|
||||||
|
|
||||||
@ -453,4 +395,5 @@ make check %{?_smp_mflags}
|
|||||||
- Updated spec based on comments by Petr Lautrbach.
|
- Updated spec based on comments by Petr Lautrbach.
|
||||||
|
|
||||||
* Mon May 19 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-1-20140519gitf15621a
|
* Mon May 19 2014 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.9-1-20140519gitf15621a
|
||||||
- Initial package build
|
- Initial package build
|
||||||
|
|
||||||
|
|||||||
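Review bot: The new side of the first hunk sets `%global git_date 20200619` and `Release: 1.git%{git_commit_hash}` where the old side had 20230614-2, so the package version goes backwards. The changelog entries removed in the `%changelog` hunk say the 20230614 update is what dropped DH below 2048 bits, TLS 1.0/1.1 and SHA-1 from the DEFAULT policy and the CBC ciphers from the openssh DEFAULT and FIPS policies. If this compare is meant to be merged rather than to contrast two unrelated branches (the page says the histories are entirely different), hosts built from the new side would get the older, more permissive policies, and a package manager would not see it as an update without an `Epoch:` bump. Separately, the `%files` hunk makes the back-end configs `%ghost` and the `%install` loop that linked them to DEFAULT is gone, so only the `%post` call creates them, and it hides any failure behind `>/dev/null 2>/dev/null || :`. I would keep stderr and leave a trace, e.g. `%{_bindir}/update-crypto-policies --no-check >/dev/null || echo "crypto-policies: update-crypto-policies failed" >&2`.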