Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openCryptoki for openSUSE:Factory checked in at 2023-05-26 20:15:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openCryptoki (Old) and /work/SRC/openSUSE:Factory/.openCryptoki.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openCryptoki" Fri May 26 20:15:43 2023 rev:68 rq:1089152 version:3.21.0 Changes: -------- --- /work/SRC/openSUSE:Factory/openCryptoki/openCryptoki.changes 2023-02-16 16:57:24.956345402 +0100 +++ /work/SRC/openSUSE:Factory/.openCryptoki.new.1533/openCryptoki.changes 2023-05-26 20:15:58.352441143 +0200 @@ -1,0 +2,22 @@ +Fri May 26 06:55:10 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorgu...@suse.com> + +- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361) + * openCryptoki 3.21 + - EP11 and CCA: Support concurrent HSM master key changes + - CCA: protected-key option + - pkcsslotd: no longer run as root user and further hardening + - p11sak: Add support for additional key types (DH, DSA, generic secret) + - p11sak: Allow wildcards in label filter + - p11sak: Allow to specify hex value for CKA_ID attribute + - p11sak: Support sorting when listing keys + - p11sak: New commands: set-key-attr, copy-key to modify and copy keys + - p11sak: New commands: import-key, export-key to import and export keys + - Remove support for --disable-locks (transactional memory) + - Updates to harden against RSA timing attacks + - Bug fixes +- Amended a new patch to fit the version 3.21 + * ocki-3.21-remove-make-install-chgrp.patch +- Removed the old patch for the version 3.20 + * ocki-3.20-remove-make-install-chgrp.patch + +------------------------------------------------------------------- Old: ---- ocki-3.20-remove-make-install-chgrp.patch openCryptoki-3.20.0.tar.gz New: ---- ocki-3.21-remove-make-install-chgrp.patch openCryptoki-3.21.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openCryptoki.spec ++++++ --- /var/tmp/diff_new_pack.fVJQzM/_old 2023-05-26 20:15:58.876444267 +0200 +++ /var/tmp/diff_new_pack.fVJQzM/_new 2023-05-26 20:15:58.884444314 +0200 
@@ -26,20 +26,19 @@ %define oc_cvs_tag opencryptoki Name: openCryptoki -Version: 3.20.0 +Version: 3.21.0 Release: 0 Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: CPL-1.0 Group: Productivity/Security URL: https://github.com/opencryptoki/opencryptoki -# Source: https://github.com/opencryptoki/%{oc_cvs_tag}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source: https://github.com/opencryptoki/%{oc_cvs_tag}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: openCryptoki.pkcsslotd Source2: openCryptoki-TFAQ.html Source3: openCryptoki-rpmlintrc -# Patch 1 is needed because group pkcs11 doesn't exist in the build environment +# Patch 0 is needed because group pkcs11 doesn't exist in the build environment # and because we don't want(?) various file and directory permissions to be 0700. -Patch001: ocki-3.20-remove-make-install-chgrp.patch +Patch000: ocki-3.21-remove-make-install-chgrp.patch # # BuildRequires: bison @@ -56,6 +55,8 @@ BuildRequires: pkgconfig(systemd) Requires(pre): %{_sbindir}/groupadd Requires(pre): %{_sbindir}/usermod +### +BuildRequires: libcap-devel # IBM maintains openCryptoki on these architectures: ExclusiveArch: %{openCryptoki_32bit_arch} %{openCryptoki_64bit_arch} @@ -130,7 +131,7 @@ %prep # setup -q -n %{oc_cvs_tag}-%{version} -%autosetup -p 1 -n %{oc_cvs_tag}-%{version} +%autosetup -p 0 -n %{oc_cvs_tag}-%{version} cp %{SOURCE2} . 
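Review bot: The comment above `Patch000` in the `@@ -26,20 +26,19 @@` hunk still justifies the patch only by the missing pkcs11 group, but the refreshed 3.21 patch later in this mail also drops the `getent passwd ... $(USERADD)` line and the `$(CHOWN) $(pkcsslotd_user):$(pkcs_group)` call. I would extend the comment to say so, for example `# Patch 0 removes group/user creation and chown/chgrp from install-data-hook; the package sets ownership itself`. The `(?)` about the 0700 permissions should also be resolved one way or the other, because anyone auditing access to the token directories will rely on this comment.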
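Review bot: In the `@@ -56,6 +55,8 @@` hunk the new `BuildRequires: libcap-devel` sits after the `Requires(pre)` lines behind a bare `###`, which gives no reason for the dependency. It would read better in the existing BuildRequires block with a one-line reason such as `# libcap: required by the 3.21 pkcsslotd hardening`. That reason is inferred from the changelog entry and should be confirmed against upstream. The same bare `###` marker appears before `%{_sbindir}/pkcshsm_mk_change` in the `@@ -283,6 +284,8 @@` hunk.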
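Review bot: The switch to `%autosetup -p 0` in the `@@ -130,7 +131,7 @@` hunk only applies cleanly because the refreshed patch header names `--- Makefile.am` and `+++ Makefile-3.21.am`, and patch presumably falls back to the one file that exists. That is fragile, and `-p 0` also applies to any patch added later, including git-style patches with `a/` and `b/` prefixes. I would regenerate the patch with matching paths, `--- a/Makefile.am` and `+++ b/Makefile.am`, and keep `%autosetup -p 1 -n %{oc_cvs_tag}-%{version}`. The `%prep` section continues outside the hunk.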
@@ -235,8 +236,8 @@
 # configuration directory
 %dir %{_sysconfdir}/opencryptoki
 %config %{_sysconfdir}/opencryptoki/opencryptoki.conf
-%config %attr(640,root,pkcs11) %{_sysconfdir}/opencryptoki/strength.conf
-%config %attr(640,root,pkcs11) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
+%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/strength.conf
+%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
 %ifarch s390 s390x
 %config %{_sysconfdir}/opencryptoki/ccatok.conf
 %config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
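Review bot: The `%attr(640,root,%{pkcs_group})` entries rely on a `pkcs_group` macro whose definition is not in any visible hunk, and rpm leaves an undefined macro unexpanded, so the literal text would end up as the group name. If it is not already defined near the top of the spec, add `%define pkcs_group pkcs11` next to `%define oc_cvs_tag opencryptoki`. The `groupadd` call in `%pre` and the group the build is configured with (`$(pkcs_group)` in Makefile.am) should use the same value, so the owning group of `strength.conf` and the token directories cannot drift from the group the daemon runs under. The same applies to every `%dir %attr(770,root,%{pkcs_group})` line in the `@@ -260,22 +261,22 @@` hunk.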
@@ -260,22 +261,22 @@ %dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki/stdll # State and lock directories -%dir %attr(755,root,pkcs11) %{_localstatedir}/lib/opencryptoki +%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki %ifarch s390 s390x -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ %endif -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/icsf +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf %ifarch s390 s390x -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite -%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ %endif -%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki/ +%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/ %{_mandir}/man*/* %files 
devel @@ -283,6 +284,8 @@ %dir %{_libdir}/opencryptoki/stdll %{_includedir}/opencryptoki %{_libdir}/pkgconfig/opencryptoki.pc +### +%{_sbindir}/pkcshsm_mk_change %ifarch %{openCryptoki_32bit_arch} %files 32bit ++++++ ocki-3.20-remove-make-install-chgrp.patch -> ocki-3.21-remove-make-install-chgrp.patch ++++++ --- /work/SRC/openSUSE:Factory/openCryptoki/ocki-3.20-remove-make-install-chgrp.patch 2023-02-16 16:57:24.876345055 +0100 +++ /work/SRC/openSUSE:Factory/.openCryptoki.new.1533/ocki-3.21-remove-make-install-chgrp.patch 2023-05-26 20:15:58.316440929 +0200 
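Review bot: `%{_sbindir}/pkcshsm_mk_change` is added in the `@@ -283,6 +284,8 @@` hunk directly after the pkgconfig file, which by the surrounding context is the `%files devel` list (its header is the last context line of the previous hunk). An administrative tool for HSM master key changes belongs in the main package, so I would move the line to the main `%files` section next to the other sbin tools. The Makefile.am shown later in this mail creates the matching state directory only under `if ENABLE_PKCSHSM_MK_CHANGE`. If the tool is likewise built only on some architectures, the entry needs the same `%ifarch s390 s390x` guard used for `ccatok.conf`, which cannot be confirmed from the visible lines.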
@@ -1,105 +1,119 @@ ---- opencryptoki-3.20.0/Makefile.am 2023-02-13 03:22:42.000000000 -0500 -+++ opencryptoki-3.20.0/Makefile.am 2023-02-13 10:40:14.561790695 -0500 -@@ -39,7 +39,6 @@ +--- Makefile.am 2023-05-15 14:42:55.000000000 +0200 ++++ Makefile-3.21.am 2023-05-25 17:13:36.266936832 +0200 +@@ -39,14 +39,9 @@ include doc/doc.mk install-data-hook: -- getent group pkcs11 > /dev/null || $(GROUPADD) -r pkcs11 +- getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group) +- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user) + $(MKDIR_P) $(DESTDIR)/run/opencryptoki/ +- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/ +- $(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/ + $(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/ + $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki + $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki if ENABLE_LIBRARY $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll - $(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11 -@@ -60,12 +59,9 @@ +@@ -66,19 +61,15 @@ + endif + if ENABLE_PKCSHSM_MK_CHANGE + $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE + $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE + endif + if ENABLE_CCATOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_cca.so PKCS11_CCA.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok $(CHMOD) 0770 
$(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok $(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ccatok $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/cca_stdll/ccatok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || true -@@ -74,12 +70,9 @@ +@@ -87,12 +78,9 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_ep11.so PKCS11_EP11.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok $(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ep11tok +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ep11tok $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true -@@ -87,30 +80,24 @@ +@@ -100,30 +88,24 @@ endif if ENABLE_P11SAK test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true -- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g pkcs11 -m 0640 
$(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true -+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true endif if ENABLE_ICATOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_ica.so PKCS11_ICA.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite $(MKDIR_P) $(DESTDIR)$(lockdir)/lite -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/lite +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/lite $(CHMOD) 0770 $(DESTDIR)$(lockdir)/lite endif if ENABLE_SWTOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_sw.so PKCS11_SW.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ +- $(CHGRP) 
$(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok $(MKDIR_P) $(DESTDIR)$(lockdir)/swtok -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/swtok +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/swtok $(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok endif if ENABLE_TPMTOK -@@ -118,10 +105,8 @@ +@@ -131,10 +113,8 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_tpm.so PKCS11_TPM.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm $(MKDIR_P) $(DESTDIR)$(lockdir)/tpm -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/tpm +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/tpm $(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm endif if ENABLE_ICSFTOK -@@ -129,16 +114,14 @@ +@@ -142,16 +122,14 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_icsf.so PKCS11_ICSF.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf $(MKDIR_P) $(DESTDIR)$(lockdir)/icsf -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/icsf +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/icsf $(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf endif if ENABLE_DAEMON test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true -- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g pkcs11 -T 
$(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true endif $(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d echo "$(libdir)/opencryptoki" >\ -@@ -149,7 +132,6 @@ +@@ -162,7 +140,6 @@ @echo "Remember you must run ldconfig before using the above settings" @echo "--------------------------------------------------------------" $(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) $(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) ++++++ openCryptoki-3.20.0.tar.gz -> openCryptoki-3.21.0.tar.gz ++++++ ++++ 46194 lines of diff (skipped)
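Review bot: The refreshed patch strips the `getent passwd $(pkcsslotd_user) ... $(USERADD)` line and the `$(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/` call from `install-data-hook` but keeps `$(CHMOD) 0710`, and no visible spec hunk replaces them. Those hunks show only `Requires(pre)` on groupadd and usermod, with no user creation and no ownership entry for `/run/opencryptoki`. Since 3.21 runs pkcsslotd as a non-root user, a 0710 runtime directory not owned by that user would leave the daemon unable to create its files there, so please confirm that `%pre` creates the account and that the directory is provisioned with the right owner. The new `HSM_MK_CHANGE` directory also loses its `$(CHGRP)` without a matching `%files` entry in the visible hunks, for example `%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/HSM_MK_CHANGE`.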