Sync from SUSE:SLFO:Main shibboleth-sp revision 5a8c9d541c4a7b0615a7d3aa7d4c7fd8

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

shibboleth-sp-2.5.5-doxygen_timestamp.patch

@@ -0,0 +1,12 @@
+Index: shibboleth-sp-2.5.5/doxygen.cfg
+===================================================================
+--- shibboleth-sp-2.5.5.orig/doxygen.cfg
++++ shibboleth-sp-2.5.5/doxygen.cfg
+@@ -140,6 +140,7 @@ HTML_OUTPUT            = html
+ HTML_FILE_EXTENSION    = .html
+ HTML_HEADER            = 
+ HTML_FOOTER            = 
++HTML_TIMESTAMP         = NO
+ HTML_STYLESHEET        = 
+ HTML_ALIGN_MEMBERS     = YES
+ GENERATE_HTMLHELP      = $(GENERATE_CHM)

shibboleth-sp-3.5.0.tar.bz2.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmcPtzUACgkQN4uEVAIn
+eWKBUBAAwL+ce9b9RoxH51KicisZo3rwJu/UUU55jbRa96Cqoev37I9ibRXaElRG
+5ALoFwzcLGLnHUVH6XooPYTTK70UsmUUZUhV0BwdIkYeKUZcjp/08Xo3S4EqKGxM
+YHc13iueDRksRIKpma0JaEdzp0QMVdNqb6laLn+v7QoVoBjKS50WGk9eIudw9Sb9
+vMfxTjfez1ObFEOwk1+PeceaBKz8kciK5p3V4++GtEYvPg47va4TgAVOIuFFKSUp
+BuNDtwNs3RbZe2ZuuOU7zOeCBUEeA82qBttjVh0EWLczZkRA39oTkGi+FpTQRBOz
+vgppYmvQ1qDQ0gAQ65M+dLoNUEvPA/yTlbXIHIYrWrEpOMqWR1/eRiM3xi984mdc
+/GswbWb7rQAj7Up06oiX9HDw/3C2jrP+pxdsJVZBtIQsjSpeAnRYziQi0YTRwq4j
+GmedAXyPfbRc4hlXWz0f9jOXl49+ObQmXXNZ5bDzv9TjNe4tYQHiUOiZ1bCcdKQr
++OVB7RMBLKzAQkYOMkbkWrPKxytRYMoGPqdT8joqL8LquE/cxj9OJb9bdRX5Ehe9
+FZ+4YmfQ/hN7771pIa1TWgiP1TsCEfm304coDoHwwohpxgNpibVvNZwJpBtoeIIa
+TnmOETpOcm+71KhCFUaGMSz/ZCuycerdHkyrDY3C6XPm1bRm9Qo=
+=asUQ
+-----END PGP SIGNATURE-----

shibboleth-sp.changes

@@ -0,0 +1,231 @@
+-------------------------------------------------------------------
+Wed Nov  6 21:16:56 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
+
+- Update to 3.5.0:
+  * This is a small update to address a few bugs, update a number of libraries,
+    and implement a correction to the default signing algorithm used when
+    issuing signed requests via the SAML POST binding. This was inadvertently
+    still defaulting to RSA-SHA1 and should have been using RSA-SHA256.
+    There is the unlikely possibility of this causing interoperability issues
+    with badly out of date Identity Providers, so is another reason for
+    releasing it as a minor update.
+
+-------------------------------------------------------------------
+Fri Feb  9 10:58:52 UTC 2024 - Daniel Molkentin <daniel@molkentin.de>
+
+- create correct user name runuser, not realname 
+
+-------------------------------------------------------------------
+Mon Feb  5 12:01:14 UTC 2024 - Daniel Molkentin <daniel@molkentin.de>
+
+- Update to use sysuser pattern
+- Fix build warnings 
+
+-------------------------------------------------------------------
+Tue Jan 17 08:57:09 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.4.1:
+  * Reinforcing the xmltooling library (V3.2.3, included in this Windows release)
+    to block an unnecessary XML Encryption construct, related to the advisory
+    issued for the IdP recently. The SP is not believed to be vulnerable, but this
+    is a defensive measure.
+  * A warning has been added to the log when systems do not configure an explicit
+    value for the redirectLimit setting. The default for this setting remains
+    liberal for compatibility, so the warning was requested to highlight that
+    fact. 
+
+-------------------------------------------------------------------
+Thu Nov 17 16:56:40 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Updaet to 3.4.0:
+  * Add a new setting suggested controlling retries when TCP connections
+   to shibd are used.
+- Change libraries soname from 10 to 11
+
+-------------------------------------------------------------------
+Wed Dec  1 09:32:43 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Update to 3.3.0:
+  * This is a minor update that contains a small number of fixes,
+    one small feature addition, and a number of additional deprecation
+    warnings for at risk features.
+
+-------------------------------------------------------------------
+Wed Nov 17 08:21:48 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+  * shibd.service
+
+-------------------------------------------------------------------
+Tue Jul 13 16:07:01 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Update to 3.2.3:
+  * This is a minor update that includes some minimal new functionality and addresses some bugs.
+  * Fix two different security bugs (secadv_20210317 and secadv_20210426)
+- Run spec-cleaner
+- Change library soname from 9 to 10
+- Change lite library soname from 8 to 10
+
+-------------------------------------------------------------------
+Tue Dec  1 13:27:30 UTC 2020 - Kristyna Streitova <kstreitova@suse.com>
+
+- Update to 3.1.0
+  * list of fixes and enhancements
+    https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes
+- Update xmltooling and opensaml versions in "Requires"
+- Change library soname from 8 to 9
+
+-------------------------------------------------------------------
+Wed Aug 19 11:27:22 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Rely on the distro-provided macros for tmpfilesdir. All half-way
+  current distros define this already.
+
+-------------------------------------------------------------------
+Wed Jan  8 11:40:04 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
+  Allow OBS to shortcut through the -mini flavors.
+
+-------------------------------------------------------------------
+Mon Dec  2 10:36:30 UTC 2019 - Kristyna Streitova <kstreitova@suse.com>
+
+- remove fixing of the ownership of log files as this allows shibd
+  to escalate to root [bsc#1157471] [CVE-2019-19191]
+- generate two keys on new installs instead of just one
+
+-------------------------------------------------------------------
+Fri Apr 26 10:46:00 UTC 2019 - mvetter@suse.com
+
+- bsc#1130588: Require shadow instead of old pwdutils
+
+-------------------------------------------------------------------
+Wed Mar 20 13:06:50 UTC 2019 - Kristýna Streitová <kstreitova@suse.com>
+
+- update to 3.0.4
+  * list of fixes and enhancements
+    https://issues.shibboleth.net/jira/browse/SSPCPP-851?filter=12771
+- update xmltooling and opensaml versions in "Requires"
+
+-------------------------------------------------------------------
+Mon Feb 11 19:02:26 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Trim redundancies from summary
+
+-------------------------------------------------------------------
+Mon Feb 11 13:42:19 UTC 2019 - kstreitova@suse.com
+
+- update to 3.0.3
+ * list of fixes and enhancements
+   https://issues.shibboleth.net/jira/browse/SSPCPP-845?filter=12573
+
+-------------------------------------------------------------------
+Wed Nov 28 13:24:28 UTC 2018 - kstreitova@suse.com
+
+- update to 3.0.2
+  * list of fixes and enhancements
+    https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes
+- remove shibboleth-sp-2.5.6-libsystemd-daemon.patch that is no
+  longer needed
+- update package filelist
+- change library soname from 7 to 8
+- update dependencies versions
+
+-------------------------------------------------------------------
+Wed Nov 15 12:50:45 UTC 2017 - kstreitova@suse.com
+
+- update to 2.6.1
+  * list of fixes and enhancements
+    https://issues.shibboleth.net/jira/browse/SSPCPP-760?filter=12270
+  * fixes [bsc#1068689] [CVE-2017-16852]
+
+-------------------------------------------------------------------
+Thu Sep 21 16:34:48 UTC 2017 - kstreitova@suse.com
+
+- update to 2.6.0
+  * list of fixes and enhancements
+    https://issues.shibboleth.net/jira/browse/SSPCPP-716?filter=11475
+- update soname for libshibsp from 6 to 7
+- adjust BuildRequires of boost
+  * libboost_headers-devel for openSUSE:Factory
+  * boost-devel for older distros
+- update versions of BuildRequires for opensaml (>= 2.6.0) and
+  libxmltooling (>= 1.6.0)
+- shibd.service: increase TimeoutStartSec to 150s (as upstream did)
+- remove %{_sysconfdir}/%{realname}/*.xsl from filelist (it is no
+  longer present)
+- run spec-cleaner
+
+-------------------------------------------------------------------
+Thu Mar 16 11:12:11 UTC 2017 - kstreitova@suse.com
+
+- fix build for openSUSE:Leap:42.1 by adding %define for
+  tmpfiles_create as this macro doesn't exist there
+
+-------------------------------------------------------------------
+Tue Feb 14 14:57:07 UTC 2017 - kstreitova@suse.com
+
+- add shibboleth-sp-2.5.6-libsystemd-daemon.patch to fix configure
+  to use libsystemd instead of obsolete libsystemd-daemon.
+  Regenerate configure via autoreconf and add autoconf and automake
+  BuildRequires.
+
+-------------------------------------------------------------------
+Tue Jul 19 18:11:33 UTC 2016 - dimstar@opensuse.org
+
+- Use %tmpfiles_create macro: gracefully fails in case of missing
+  binaries (e.g. container setups).
+
+-------------------------------------------------------------------
+Wed May 11 13:34:20 UTC 2016 - kstreitova@suse.com
+
+- build libmemcached support
+
+-------------------------------------------------------------------
+Fri Apr  8 12:08:41 UTC 2016 - kstreitova@suse.com
+
+- update to shibboleth-sp 2.5.6
+  * Update solution file after loading into VS2015
+  * SSPCPP-669 - cached samlds.json files prematurely removed w/ multiple
+  * applicationIds
+  * SSPCPP-671 - Handling of partial success in LogoutResponse needs work
+  * Fix line feeds again, VS is also broken
+  * SSPCPP-670 - Session Cleanup for Database Session Storage can cause performance issues
+  * Re-convert linefeeds to undo Eclipse's handiwork
+  * SSPCPP-675 - configuration sample cites "federation.org"
+  * Clean up ignores
+  * Apply typo fixes provided by Debian packagers
+  * Update library/software version
+  * Update MSI names to carry patch version
+  * SSPCPP-665 - Use of systemd breaks on reboot
+
+-------------------------------------------------------------------
+Wed Aug  5 18:09:37 UTC 2015 - mpluskal@suse.com
+
+- Add gpg signature
+
+-------------------------------------------------------------------
+Thu Jul 30 13:51:20 UTC 2015 - kstreitova@suse.com
+
+- fix some warnings
+- add service as a separate file
+- remove command line switches for conditional package builds
+- remove *.dist files and unused *.config files
+- remove unused conditionals
+- move libraries to the subpackages
+
+-------------------------------------------------------------------
+Mon Jul 27 16:30:58 UTC 2015 - kstreitova@suse.com
+
+- use spec-cleaner
+- package cleaning
+- add shibboleth-sp-2.5.5-doxygen_timestamp.patch to remove
+  timestamps in a documentation generated by Doxygen and avoid
+  RPMLINT warnings (file-contains-date-and-time).
+- add the macro %{realname} and change a name to "shibboleth-sp"
+- fix Source address
+
+-------------------------------------------------------------------
+Fri Jul 24 14:44:04 UTC 2015 - kstreitova@suse.com
+
+- initial revision

shibboleth-sp.keyring

@@ -0,0 +1,100 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBE56gwwBEADI6Y7tBIdYr8t0zfHU2hRbD7GfuanIkn4Fhf/CZ7ICN+SfA/XP
+JAx3HDRkM/nc65U2mKG7vG3zlNOcKgeFoCwqhlLc4sSGP6DDoPYKtZOLEHwA/sIy
+Lldw3re5KbCFIElnbBW/0av15IGHXgyylmG24jhlY/ufjLd53Qm4agxv51kdYdgH
+cI0djzLqvMWTabWhw8QtmitPZSKdqOwTqkIt6bYAdOvc9r5bvAzemw6IO01L9aX7
+/yFIVJAYySL/UpbEtLcl3B/qXUXwhiq2bAUtvdmV+35FSMrAgfD25bYv+dVoJdtX
+Gb4tQcPteSRDIQYswT+bilEtGOOu9vqLvko3hSHOK2Yqc8SufDakrOlCWO1R00Sw
+QHGSkPKgA5O3RpOz3qbuPN6sDt/7FgqyzB6VqF9445bTqWDfIihXEAFr97gf28Xg
+ngAn2Tp8ZZ6zTzYWv3/GGvCedCcrHrIG/nKf0Z0/1q9Uf8P7crv2udGuZjs3bMtY
+RQNKzki/wKRuGnZ7HjgOEDIe8E+QMs+568i5vYqdaNrmCxUodRFjwkZ/0aRuHzxo
+JNQaB/r2Ckj5X/yEX6f45D0hiwBmIFz2+VUnis7RAPelcUl1X/kT4p/3gvKSsFE0
+Ti7JWCY9e+ntnzcsb4ywisFen9tQQPP4G++qnhGyApz323LfDVPJkFWWJwARAQAB
+tB9TY290dCBDYW50b3IgPGNhbnRvci4yQG9zdS5lZHU+iEYEEBECAAYFAk6DTO8A
+CgkQ70D8KeoogrukNwCdGX5zZOsC44CjV2AopI8KoMFJto4AoMH+qA35GIBUkEt8
+IoRVFs1rp3TGiEYEEBEKAAYFAk6ApGIACgkQpXtW80eQXRUgxwCePIV9LehYh+Ji
+o8mtQ74I/NWvfDQAoLmXTfmKAganE+r/FcCcwykzj70ViQEcBBABAgAGBQJOfS4a
+AAoJEH8LUwap169VyrAH/1lrWiCJarm8eFLNlajcDt5TR5ZpanZVUbuzAp9Jk8Xt
+BkCMssnuzcqqSbGmq3P6CuaSTx0BybBOhRgC+UCb/DCS0TGomJYUTcG7e7MyJZC4
+ocarORGURABk1UK/fkgEBn+9o2jdDlf7bm7JHlZJ8huLjiAq5fapzp5WhTUAcreH
+jYieTS5umt01yxFatxhqiTbNXzs1c7Hc19rW4cTLREm6YQUNwTIxqJ2hHyDfU13e
+phowv1DpoAwLXdHAsNy/C8RKRlr0Qc4snihVkGevLNWatYK4HP6M0tEvGX9CpnTX
+pOsLZkfp96RMtE2TEvMEEA0HVoZPE7/kCyYR5DForeqJARwEEAECAAYFAlQtSU8A
+CgkQWcpz+XPnY1H5dQgA4p+myZvcKjMAfhgvQZtEeqeSloZIcyYF1NyWJp0WAUUK
+pZKdYYauaxPVd9l+iqz0dBlVotx5CHuymbqnj6JiX55kfKsbClWcDUs0wE6NGH3m
+evosr55/17u01yFGw2KhbevdpgO5i+rNAliFe5LkZ+50CEzWcO0Io2ZhXy+qYpcz
+Oy71ezwstgTJG2guH5BpbcIKku75dauPkD106wmSSswA+D95nXiJ5CFSdK3c4+Q2
+GDbXoIxJtKECb0c6tsjhU1TSPgc/XeeWqAaH/z4u8S5QlQCrMYHOMmvi8ExIrZG3
+3ba8qvB4RhSMKq+5GeJ3Gsgytp/Kc7UnVo09XFYkYokCHAQQAQIABgUCToOQYAAK
+CRCagE6X1wecd5lDD/9ChSLSg/WWnsyNsUoai8KIJBTWoTRgQMemSQPHCP/KgYrf
+KU4Z3fat6DPdO6hXgA/tkXt5m+shexUHmnZvwUvgiQEmL39xdQl1n5zL/QJ3u+K9
+3jycQFM1m8c2TIrKMVbz8VwTYjLKUkhv1pxXZadmAap84ynyT+UpzN/M1ppXcUVV
+jXlDVDuF5JSICh/zn93EA6hbSLWPt2ZE0QpEciZ7S/vVC/4nvXhz3m6ODV3zeshr
+m5V8P8R4Fsmf1a9FY7s49jKWG7Ike6u29DYIkv39FQveYixo3FMfB5d8q4uzJigi
+RAvsekMgYOlnmM8yu9JJ4//zCBj81Q2teFixUrTQON369X3bnEOt0Djqk0QXgXCU
+vhYUdmAa6s/EZgngxeV5axDbW3vQa9Mki3UWsXnlpi4clx/nH7xWKcba27WkImDl
+v3g4n2SbUFj/GOCc3DFp+qmWwFV8yMs300zSPbAqr+CXO0GAitoqpmhxCLmiauaG
+ImnWqt051YWFG0hjaQLKhfjzXfsVuyEDD870RMXqnkS4oQd35OOy1OFbqgghxtJX
+o8oCL2fRwvlREv0ko7X6rpCxPhiyy6LFoHRt+4X0G5h2/LbGjIV4oPi436pJyozb
+83kCh5yGP1oh+GrKFfgTHxakp3MTNXzil8a+9aTyQRlARIevaFlGrKSR0umqaokC
+HAQQAQIABgUCTpRR2wAKCRCgs8sJ0rNzUwVbD/4ufRZKllrocevu/7MEiNPyBYo1
+xOHhBjXXBKZqZmYUnoWmcp8mxAGdLDmHrKFni4v6mv9eHOcNkljKF1Heei9qbKsF
+9UkeSlCNzELzRoQJ2wjP7enW80QoEWcAN7P3SBRwVE1XF3zBo5mwN/RXBGy7xy/6
+6Yy378uunCwnPyZabNTWrMhOIAw3Qhd2fMCoDt86sVm9x8CfQzJI8YPJOFSwbSuX
+YMkfx/Va9sO5A9LDaX79abafHAHiwJBiGeu8W7VwJYh5acr/lTUQbUW8Hlco5IKz
+3Rjd8t7qfCWpcALR2pOPYJaii97lEonrtT9Hx+iL9gma9PN1D80ty7bMYYtOdMsk
+udH8XD0FBKEi0ViT83lzl2Wz3T/2INdJsuHLhLMo+R2wrE9M4jLsp6P4qRJ3NVpj
+DkNe3CXwVQgQ6Q+EjtXGb541MvZY1442pHPE7c6eTDIgw5P7LpH0Jcim/iXQdpPW
+apdLB1zxntmCRyYyDYhd0KNvWNDRsr+PAE2XK82KD8fF2r3m8eULm4buGA8tf2sq
+uQ5K2okLlZT1NLIXmgThSDgSBjy/iFUz95AmtYdy2eqT5oRgXAsJDKMCl+nO5/1s
+IRA1sRHaXCnPczQkiXhKidiVOuRpkThx3mMxYhIV2wYCG/pEpoeCHkuUMiBDSRpG
+DaxucQQJR9r83xK5JIkCHAQTAQIABgUCTnvvowAKCRD6QbX3MKI2LppVEACA4l4N
+BK1m38ziJZ0IBlWBKgXi4v0LK0jv1WrsrQzLWijoHSaLMt9wzbXjDyAlugxq+8Gf
+PXr3bmV5Zyo6MeJiybLzQCXzbsPhpN3iT7tRAnU5EX7Qef390oWHB9GSTr2jE8yw
+3dmx3UGFuP4ELmHIyxYvWSdSjGTPROVONRruR6/yVCrzy/51VPY4vw59Iv+JxbjY
+5iE00TNtaXNcH2M9K7xnwrjSAGE4cViHpV12gqRdD94X8F/xKCxPD+kJCaAIKD2u
+fGcdanabU6lM+UyrscNvnpXjDUFHdldE245yfdBgbm8RLWzJJKz9ETz/rYto+A6F
+NZPRocbaeSv0A1J6v5MkmqNVISORxyCznhu+30s2Knw2Mn02quM/CxadxrrN/3ZW
+Gcat29R3KG7OF9qEMV+5NJ84MHNqmUdCYSjdKrh4VGZcvA/+KrxDdlKmuk5Lj5Qt
+b3QAv0ql6cUEEJ+ekunzQmW8UHz4XOwJ5r3OI1wuGdPShK6ItLls2W3Hxu3vDRFW
+2trbj5/GHn67aJCRqkLtxRpgN4o9YPvC8kdj8WO/iMw10w7OfprEA8S1CjnOwkZw
+Q6Mqr+JZZk/MKFHAeywIiLE1i1VPel2s4o7NXaaFthoFR33RIW3LMGFUsyfqyL/t
+RGzDG3fso5VOy/4fiGulJ8YrWW9KjXGudQIb3IkCNwQTAQoAIQUCTnqDDAIbAwUL
+CQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRA3i4RUAid5Yun8D/9dC3GDJEIVzg3j
+tvkJD08TNVTMUwSQozN2V+WaQgglKJSboR5ajZY6SVMeqtlT+1LzcdU9c3lpQq0n
+B1GZ8WkugYdFk8/0njXTI9Tw1i2Xhp/hKJEUzUkcx1NlyYHZ1EQjW/KVnq0rhPAb
+qDDlyET/qo/38SrzZqOauMye8uT+aqUElF8W3U7l4t4C7ollnwychRrOaOJjSAwL
+tK1WJIneDqLxzDv+bVmoZL+7Vw7iry4xwYovZ+7CpaZsicTJMYvo/CXG2qhyrvJ0
+DcxEIdhk0KiPkiP7Nd3b52vA4Z30yjfwqkoC1XlpzeD4v7il+L6HdcOigl4PDr85
+Uhoo//5SB654tmTL2a32w8GnCK/b8ySu6XwlUISiUABKGerycBeThz65c8Ud67Hi
+P9QDK7+sEpqANxuX1IfwhCAnvdDKc96Y8kO8aC4pfO/bTFhhkyARMW98CVyP4XCy
+wPXQQ75w5ekS/wecgKzYk/4S4aH1vErtDeY3WF5IDNTAOau747vgbf8nz0gxBwWg
+Kdlwh11zslKV1fLPML7tiVyT2id2pGGOO3gUJ5Bu4LeUkLndQZeERZwWcd0IhDsE
+JWIazg0lbEWCLtW7Cf/B0/X6MT9wq8aq64UMksnOU6iI91ZkH3mj2I8Ty+nl+ZXU
+t1cVgj+AyYdyHIWLHfZkQLvkH5oJ5rkCDQROeoMMARAAtzb8+leM9ELMiTgwb4EG
+KwY7wNt6mWOcrlvwp+mnGN4VPJa0ftDn/kFyPxtFkg4oVlHlmPUGk5RukRrl9K3q
+zHMuWa+NqhjM69Fw9hZlvCcL0bqqq/CKB0GyJX/bn2V/WRgAuVQAL8P4fAQ/t8Sf
+80lTTQ40ImE6F//n52AFsK0S5+gG71iCANY6DuMz4GUPbwTV1FKZqaYVdiz4Erxd
+/qaurPDcgcaqtiSQnOf6qrYIX/LZqwQrpEmruj8l5xP1N8eTLtx0iW/mB0AXYyH2
+eXmtclHTYHjvoPgZajSO2obnLdDngqJ5zHZXkCX4RLFgCq/3A4NvxLOtVDYyiID3
+HcQ167aDbpjMHetleUKXMWIA4/6o+WZs9bhbgf6xDa73Qqug8RP4VX7FBrEe2s0x
+cc9d15YbA8rGrq4jvGB3hUEw/tK/3uVuft+mRrHqNFEjKs49MKTc8vu4CyxQN21O
+6dfrp/84MD93VjQUkYUrL2zxbJcBvQTA5SuE0mqBR/e8IH8UBYmuM4nWdUuHNTsw
+KqzRsAqdPfZ1bNnfo9empNFEl2me2IXhNgiBpbpGEFWY02bEXdtCId/hpMNhE3y6
+pxJwTtxqj1Kw+u32qcL0lswz5tCF0CrW5ha9UDzO5xH3kY19/NXUnb2WFNqViy02
+KwpbHG5jQcQ206Amwo/Fun0AEQEAAYkCHwQYAQoACQUCTnqDDAIbDAAKCRA3i4RU
+Aid5YjyED/9vz1JX0q4TEFVxzgla8BbhVwlaXoOmbJcOxw8ne2qO3NZ+ecnoWS0d
+DRe1AJLcaAgC2hwpDpZ3Or5bCpQSUBlwdA/rxOMJom7GKYO9oGp54V+cjNlzJpb1
+1cKuYzj6HdmVGKbzo65G8tYUK0fDTsjWWU4Mh7HAztZH9Umh0e9103DfkGf2uS8e
+A8WVc2sBwCtlfJTilyJ7LxVO+vfodb9RKTPx0PGbQBNbFaxmK64Sz4xjVUTZiHn9
+j329rTDv7yzQuCiO+CWSy7Ti789bRcUgPWv2bbg4UlTPn40OIfAUb/s1P39J3lID
+g4GstZcBjGNTa5o65tF3m0+s2mDbDAToGqzqv0fHE6iDDvctudFZoUbgJ/5DSqsA
+5Xe5VCRRvwR3S9t7OJS4eQdxDYWxgPGhoovNdzPePTbdIfkWBw+Wwokj0rsAUKfx
+7jXZtjYXfG6NJdEHqGQLYeW23kMmxIdoY1jjWOEJwdD0q8p7M2aum9Ncjn1sW/RU
+PPLu+U3rtjc6fhf4VWpvp6NVp7a8/6cgSTZL4eavYIOuXDCa44KsnGhWpPBOJNeZ
+WvCkgGNCUbzArnre3iDTnf6iJ1aMrXToN838IV2svifkAvEnMkhYfjUgDIFOMOrs
+fLhRULAR6zzyXiJiznT6rjlxlixsKazyy9dLC3qlwC4pCIpol0QKbQ==
+=96Mf
+-----END PGP PUBLIC KEY BLOCK-----

shibboleth-sp.spec

@@ -0,0 +1,263 @@
+#
+# spec file for package shibboleth-sp
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define libvers 12
+%define libvers_lite 12
+%define runuser shibd
+%define realname shibboleth
+%define pkgdocdir %{_docdir}/%{realname}
+Name:           shibboleth-sp
+Version:        3.5.0
+Release:        0
+Summary:        System for attribute-based Web Single Sign On
+License:        Apache-2.0
+Group:          Productivity/Networking/Security
+URL:            https://shibboleth.net/
+Source0:        https://shibboleth.net/downloads/service-provider/%{version}/%{name}-%{version}.tar.bz2
+Source1:        https://shibboleth.net/downloads/service-provider/%{version}/%{name}-%{version}.tar.bz2.asc
+Source2:        %{name}.keyring
+Source3:        shibd.service
+Patch0:         shibboleth-sp-2.5.5-doxygen_timestamp.patch
+BuildRequires:  apache2-devel
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  doxygen
+BuildRequires:  gcc-c++
+BuildRequires:  krb5-devel
+BuildRequires:  libboost_headers-devel
+BuildRequires:  liblog4shib-devel >= 2
+BuildRequires:  libmemcached-devel
+BuildRequires:  libsaml-devel >= 3.1.0
+BuildRequires:  libtool
+BuildRequires:  libxerces-c-devel >= 3.2
+BuildRequires:  libxml-security-c-devel >= 2.0.0
+BuildRequires:  libxmltooling-devel >= 3.1.0
+BuildRequires:  pkgconfig
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-shadow
+BuildRequires:  sysuser-tools
+BuildRequires:  unixODBC-devel
+BuildRequires:  zlib-devel
+BuildRequires:  pkgconfig(libsystemd)
+Requires:       openssl
+Requires(pre):  opensaml-schemas >= 3.1.0
+Requires(pre):  xmltooling-schemas >= 3.1.0
+Requires(pre):  shadow
+Obsoletes:      shibboleth-sp = 2.5.0
+%{?systemd_requires}
+
+%description
+Shibboleth is a Web Single Sign-On implementations based on OpenSAML
+that supports multiple protocols, federated identity, and the extensible
+exchange of rich attributes subject to privacy controls.
+
+This package contains the Shibboleth Service Provider runtime libraries,
+daemon, default plugins, and Apache module.
+
+%package -n libshibsp%{libvers}
+Summary:        Shared Library for Shibboleth
+Group:          Productivity/Networking/Security
+
+%description -n libshibsp%{libvers}
+Shibboleth is a Web Single Sign-On implementations based on OpenSAML
+that supports multiple protocols, federated identity, and the extensible
+exchange of rich attributes subject to privacy controls.
+
+This package contains just the shared library.
+
+%package -n libshibsp-lite%{libvers_lite}
+Summary:        Shared Library for Shibboleth
+Group:          Productivity/Networking/Security
+
+%description -n libshibsp-lite%{libvers_lite}
+Shibboleth is a Web Single Sign-On implementations based on OpenSAML
+that supports multiple protocols, federated identity, and the extensible
+exchange of rich attributes subject to privacy controls.
+
+This package contains just the shared library.
+
+%package devel
+Summary:        Shibboleth Development Headers
+Group:          Development/Libraries/C and C++
+Requires:       %{name} = %{version}-%{release}
+Requires:       liblog4shib-devel >= 2
+Requires:       libsaml-devel >= 3.1.0
+Requires:       libshibsp%{libvers} = %{version}-%{release}
+Requires:       libshibsp-lite%{libvers_lite} = %{version}-%{release}
+Requires:       libxerces-c-devel >= 3.2
+Requires:       libxml-security-c-devel >= 2.0.0
+Requires:       libxmltooling-devel >= 3.1.0
+Obsoletes:      shibboleth-sp-devel = 2.5.0
+
+%description devel
+Shibboleth is a Web Single Sign-On implementations based on OpenSAML
+that supports multiple protocols, federated identity, and the extensible
+exchange of rich attributes subject to privacy controls.
+
+This package includes files needed for development with Shibboleth.
+
+%prep
+%autosetup -p1
+
+%build
+export CXXFLAGS="%{optflags} --std=c++11"
+autoreconf -f -i
+%configure --with-gssapi --enable-systemd --with-memcached
+%make_build pkgdocdir=%{pkgdocdir}
+
+%install
+%make_install NOKEYGEN=1 pkgdocdir=%{pkgdocdir}
+
+install -D -m 644 %{SOURCE3} %{buildroot}%{_unitdir}/shibd.service
+ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcshibd
+
+sed -i "s|/var/log/httpd|/var/log/apache2|g" \
+		%{buildroot}%{_sysconfdir}/%{realname}/native.logger
+
+sed -i "s|%{_bindir}/env bash|%{_bindir}/bash|" \
+		%{buildroot}%{_sysconfdir}/%{realname}/metagen.sh
+
+# Delete unnecessary files
+pushd %{buildroot}/%{_sysconfdir}/%{realname}
+rm shibd-debian shibd-redhat shibd-amazon shibd-suse shibd-osx.plist apache.config apache2.config apache22.config shibd-systemd
+rm *.dist
+popd
+find %{buildroot} -type f -name "*.la" -delete -print
+
+# Plug the SP into the Apache
+touch rpm.filelist
+APACHE_CONFIG="no"
+if [ -f %{buildroot}%{_libdir}/%{realname}/mod_shib_24.so ] ; then
+	APACHE_CONFIG="apache24.config"
+fi
+
+if [ "$APACHE_CONFIG" != "no" ] ; then
+	APACHE_CONFD="no"
+	if [ -d %{_sysconfdir}/apache2/conf.d ] ; then
+		APACHE_CONFD="%{_sysconfdir}/apache2/conf.d"
+	fi
+	if [ "$APACHE_CONFD" != "no" ] ; then
+		mkdir -p $RPM_BUILD_ROOT$APACHE_CONFD
+		cp -p %{buildroot}%{_sysconfdir}/%{realname}/$APACHE_CONFIG $RPM_BUILD_ROOT$APACHE_CONFD/shib.conf
+		echo "%config(noreplace) $APACHE_CONFD/shib.conf" >> rpm.filelist
+	fi
+fi
+
+# Get run directory created at boot time.
+mkdir -p %{buildroot}%{_tmpfilesdir}
+echo "%attr(0444,-,-) %{_tmpfilesdir}/%{realname}.conf" >> rpm.filelist
+cat > %{buildroot}%{_tmpfilesdir}/%{realname}.conf <<EOF
+d /run/%{realname} 755 %{runuser} %{runuser} -
+EOF
+
+cat > %{realname}.sysusers << EOF
+u %{runuser} - "Shibboleth SP daemon" /run/%{realname} /dev/nologin
+EOF
+%sysusers_generate_pre %{realname}.sysusers %{name} %{name}.conf
+
+install -Dpm0644 %{realname}.sysusers %{buildroot}%{_sysusersdir}/%{name}.conf
+
+%check
+%make_build check
+
+%pre -f %{name}.pre
+%service_add_pre shibd.service
+exit 0
+
+%post -n libshibsp%{libvers} -p /sbin/ldconfig
+%post -n libshibsp-lite%{libvers_lite} -p /sbin/ldconfig
+
+%post
+
+# Generate two keys on new installs.
+if [ $1 -eq 1 ] ; then
+        cd %{_sysconfdir}/shibboleth
+        /bin/sh ./keygen.sh -b -n sp-signing -u %{runuser} -g %{runuser}
+        /bin/sh ./keygen.sh -b -n sp-encrypt -u %{runuser} -g %{runuser}
+fi
+
+%service_add_post shibd.service
+
+%tmpfiles_create %{_tmpfilesdir}/%{realname}.conf
+
+%preun
+# On final removal, stop shibd and remove service, restart Apache if running.
+%service_del_preun shibd.service
+if [ $1 -eq 0 ] ; then
+	/sbin/service apache2 status 1>/dev/null && /sbin/service apache2 restart 1>/dev/null
+fi
+exit 0
+
+%postun -n libshibsp%{libvers} -p /sbin/ldconfig
+%postun -n libshibsp-lite%{libvers_lite} -p /sbin/ldconfig
+
+%postun
+%service_del_postun shibd.service
+%restart_on_update apache2
+
+%posttrans
+# One-time extra restart of shibd and Apache to work around
+# SUSE bug that breaks old %%restart_on_update macro.
+# If we remove, upgrades from pre-systemd to post-systemd
+# will stop doing the final restart.
+%{_bindir}/systemctl try-restart shibd >/dev/null 2>&1 || :
+%{_bindir}/systemctl try-restart apache2 >/dev/null 2>&1 || :
+exit 0
+
+%files -f rpm.filelist
+%{_sbindir}/shibd
+%{_sbindir}/rcshibd
+%{_bindir}/mdquery
+%{_bindir}/resolvertest
+%dir %{_libdir}/%{realname}
+%{_libdir}/%{realname}/*
+%{_unitdir}/shibd.service
+%{_sysusersdir}/%{name}.conf
+%attr(0750,%{runuser},%{runuser}) %dir %{_localstatedir}/log/%{realname}
+%attr(0755,%{runuser},%{runuser}) %dir %{_localstatedir}/cache/%{realname}
+%ghost %attr(0755,%{runuser},%{runuser}) %dir /run/%{realname}
+%dir %{_datadir}/xml/%{realname}
+%{_datadir}/xml/%{realname}/*
+%dir %{_datadir}/%{realname}
+%{_datadir}/%{realname}/*
+%dir %{_sysconfdir}/%{realname}
+%config(noreplace) %{_sysconfdir}/%{realname}/*.xml
+%config(noreplace) %{_sysconfdir}/%{realname}/*.html
+%config(noreplace) %{_sysconfdir}/%{realname}/*.logger
+%{_tmpfilesdir}/%{realname}.conf
+%{_sysconfdir}/%{realname}/apache24.config
+%attr(0755,root,root) %{_sysconfdir}/%{realname}/keygen.sh
+%attr(0755,root,root) %{_sysconfdir}/%{realname}/metagen.sh
+%attr(0755,root,root) %{_sysconfdir}/%{realname}/seckeygen.sh
+%doc %{pkgdocdir}
+%exclude %{pkgdocdir}/api
+
+%files -n libshibsp%{libvers}
+%{_libdir}/libshibsp.so.*
+
+%files -n libshibsp-lite%{libvers_lite}
+%{_libdir}/libshibsp-lite.so.*
+
+%files devel
+%{_includedir}/*
+%{_libdir}/libshibsp.so
+%{_libdir}/libshibsp-lite.so
+%{_libdir}/pkgconfig/*.pc
+%doc %{pkgdocdir}/api
+
+%changelog

shibd.service

@@ -0,0 +1,33 @@
+[Unit]
+Description=Shibboleth Service Provider Daemon
+After=network.target
+Before=apache2.service
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+Type=notify
+NotifyAccess=main
+User=shibd
+ExecStart=/usr/sbin/shibd -f -F
+StandardInput=null
+StandardOutput=null
+StandardError=journal
+TimeoutStopSec=5s
+TimeoutStartSec=150s
+Restart=on-failure
+RestartSec=30s
+
+[Install]
+WantedBy=multi-user.target