[obs-signd/f21] Initial commit

Josef Stribny jstribny at fedoraproject.org
Wed Aug 27 07:54:48 UTC 2014


commit 1c55c07c08ae8dd18d14951e165b9e607d267566
Author: Josef Stribny <jstribny at redhat.com>
Date:   Wed Aug 27 09:39:45 2014 +0200

    Initial commit

 .gitignore                                         |    1 +
 ...ption-files-are-digests-to-file-is-digest.patch |   54 +++++++++++
 obs-signd.spec                                     |   98 ++++++++++++++++++++
 signd.service                                      |    9 ++
 sources                                            |    1 +
 5 files changed, 163 insertions(+), 0 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e69de29..bb061aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/obs-signd-2.2.1.tar.bz2
diff --git a/obs-sign-rename-option-files-are-digests-to-file-is-digest.patch b/obs-sign-rename-option-files-are-digests-to-file-is-digest.patch
new file mode 100644
index 0000000..e44c0ea
--- /dev/null
+++ b/obs-sign-rename-option-files-are-digests-to-file-is-digest.patch
@@ -0,0 +1,54 @@
+From 56587e4c1938e2310ffc48210b2eca237bf03ee3 Mon Sep 17 00:00:00 2001
+From: Josef Stribny <jstribny at redhat.com>
+Date: Tue, 27 May 2014 12:20:35 +0200
+Subject: [PATCH] Rename option --files-are-digests to --file-is-digest
+
+---
+ signd | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/signd b/signd
+index 1e30f58..1f9f302 100755
+--- a/signd
++++ b/signd
+@@ -734,9 +734,9 @@ if ($cmd eq 'sign' || $cmd eq 'privsign') {
+       $argv[2] = substr($argv[2], 0, -10)."0000000000";
+     }
+     if (@keyargs) {
+-      ($status, $lout, $lerr) = rungpg('/dev/null', ["$tmpdir/privkey.$$", "$tmpdir/pubkey.$$"], $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--passphrase-fd=0", @keyargs, "-sbo", "-", $argv[2]);
++      ($status, $lout, $lerr) = rungpg('/dev/null', ["$tmpdir/privkey.$$", "$tmpdir/pubkey.$$"], $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--passphrase-fd=0", @keyargs, "-sbo", "-", $argv[2]);
+     } else {
+-      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $argv[2]);
++      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $argv[2]);
+     }
+     $lout = patchclasstime($lout, $classtime) if $classtime && !$status;
+     splice(@argv, 2, 1);
+-- 
+1.8.3.1
+
+From 9a873338117cfd8f76c6b7d1aa7baab8c6a07c41 Mon Sep 17 00:00:00 2001
+From: Josef Stribny <jstribny at redhat.com>
+Date: Tue, 27 May 2014 12:44:48 +0200
+Subject: [PATCH] Fix man page to feature --file-is-digest
+
+---
+ signd.8 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+
+diff --git a/signd.8 b/signd.8
+index f5c3215..23ca2d0 100644
+--- a/signd.8
++++ b/signd.8
+@@ -14,7 +14,7 @@ to another signd. The -f option makes signd fork on startup.
+ 
+ signd uses the same configuration used for sign, /etc/sign.conf.
+ It needs a gpg implementation that understands the
+-"--files-are-digests" option to work correctly.
++"--file-is-digest" option to work correctly.
+ 
+ .SH SECURITY
+ signd allows only connections from reserved ports and ip
+-- 
+1.8.3.1
+
diff --git a/obs-signd.spec b/obs-signd.spec
new file mode 100644
index 0000000..a1712a1
--- /dev/null
+++ b/obs-signd.spec
@@ -0,0 +1,98 @@
+# http://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#PIE
+%global _hardened_build 1
+
+Name:             obs-signd
+Summary:          The OBS sign daemon
+License:          GPLv2
+Group:            Applications/System
+Url:              https://github.com/openSUSE/obs-sign
+Version:          2.2.1
+Release:          4%{?dist}
+# Taken from upstream git
+# git clone https://github.com/openSUSE/obs-sign && cd obs-sign
+# git checkout 2.2.1
+# tar czvf obs-signd-2.2.1.tar.bz2 \
+#   sign.8  sign.c  sign.conf  sign.conf.5  signd signd.8 obssignd
+Source0:          obs-signd-%version.tar.bz2
+# Upstream doesn't provide systemd service file
+Source1:          signd.service
+# We renamed the option in gnupg2 to 'file-is-digest'
+Patch0:           obs-sign-rename-option-files-are-digests-to-file-is-digest.patch
+Requires:         gnupg2
+Requires(post):   systemd
+Requires(preun):  systemd
+Requires(postun): systemd
+BuildRequires:    systemd
+
+%description
+The OpenSUSE Build Service sign client and daemon.
+
+This daemon can be used to sign anything via gpg by communicating
+with a remote server to avoid the need to host the private key
+on the same server.
+
+%prep
+%setup -q -c -n obs-signd-%version
+
+%patch0 -p1
+
+%build
+gcc %{optflags} -fPIC -pie -o sign sign.c
+
+%install
+mkdir -p %{buildroot}%{_sbindir} %{buildroot}%{_sysconfdir}
+install -d -m 0755 %{buildroot}%{_bindir}
+
+# binaries and configuration
+mkdir -p %{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}%{_sysconfdir}
+install -m 0755 signd %{buildroot}%{_sbindir}
+install -m 0750 sign %{buildroot}%{_bindir}
+install -m 0644 sign.conf %{buildroot}%{_sysconfdir}
+
+# systemd service
+mkdir -p %{buildroot}%{_unitdir}
+install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}
+
+# man pages
+install -d -m 0755 %{buildroot}%{_mandir}/man{5,8}
+
+for f in 5 8; do
+  install -m 0644 sig*.${f} %{buildroot}%{_mandir}/man${f}/
+done
+
+%pre
+getent group obsrun >/dev/null || %{_sbindir}/groupadd -r obsrun
+getent passwd obsrun >/dev/null || \
+  %{_sbindir}/useradd -r -s /bin/false -c "User for Open Build Service backend" \
+                         -d %{_libdir}/obs -g obsrun obsrun
+exit 0
+
+%post
+%systemd_post signd.service
+
+%preun
+%systemd_preun signd.service
+
+%postun
+%systemd_postun_with_restart signd.service
+
+%files
+%config(noreplace) %{_sysconfdir}/sign.conf
+%verify(not mode) %attr(4750,root,obsrun) %{_bindir}/sign
+%{_sbindir}/signd
+%{_unitdir}/signd.service
+%doc %{_mandir}/man*/*
+
+%changelog
+* Tue Aug 26 2014 Josef Stribny <jstribny at redhat.com> - 2.2.1-4
+- Enable Position-independent code (PIC)
+
+* Mon Aug 25 2014 Josef Stribny <jstribny at redhat.com> - 2.2.1-3
+- Create group or user only if it doesn't exist yet
+- Remove explicit gzip of man pages
+
+* Fri Aug 22 2014 Josef Stribny <jstribny at redhat.com> - 2.2.1-2
+- Use macros where possible
+
+* Fri May 23 2014 Josef Stribny <jstribny at redhat.com> 2.2.1-1
+- Initial package
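Review bot: The hand-written `%build` line compiles `sign`, which `%files` installs setuid root (`%attr(4750,root,obsrun)`), with `%{optflags} -fPIC -pie` but without the distribution link flags. The RELRO and bind-now half of `%global _hardened_build 1` is therefore likely missing from the one binary that most needs it. Consider `gcc %{optflags} %{?__global_ldflags} -fPIC -pie -o sign sign.c`, then check the built binary with `readelf -lW` and `readelf -d` for `GNU_RELRO` and `BIND_NOW`. Separately, `%verify(not mode)` on the same entry stops `rpm -V` from reporting a changed mode on a setuid file. If it is there only to tolerate a local admin override, add a comment such as `# mode may be tightened locally; keep rpm -V quiet about it`, otherwise drop it.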
diff --git a/signd.service b/signd.service
new file mode 100644
index 0000000..cab5bef
--- /dev/null
+++ b/signd.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=GPG Sign Daemon
+After=syslog.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/signd.pid
+ExecStart=/usr/sbin/signd -f
+Restart=on-abort
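Review bot: The unit ends after `[Service]` with no `[Install]` section, so `systemctl enable signd.service` and the preset handling behind `%systemd_post` have nothing to act on and the daemon cannot be enabled at boot. Adding `[Install]` with `WantedBy=multi-user.target` fixes that. Because this service handles signing keys and passphrases and sets no `User=`, it presumably runs as root. It is worth testing whether sandboxing such as `PrivateTmp=true` and `ProtectSystem=full` can be enabled without breaking signd's temp-file and gpg handling, which this hunk does not show. `PIDFile=/var/run/signd.pid` should also be checked against the path signd actually writes, since a mismatch makes a `Type=forking` start time out.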
diff --git a/sources b/sources
index e69de29..07621cd 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+e0cb694689c99627ee7ffb16705a05dc  obs-signd-2.2.1.tar.bz2

