Accepting request 1318266 from security:idm

OBS-URL: https://build.opensuse.org/request/show/1318266
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/certmonger?expand=0&rev=12

0001-Update-tests-to-be-compatible-with-OpenSSL-3.2.patch

@@ -1,42 +0,0 @@
-From cccc01f7c3dbc3e9b30e50b86eeaaa7f1500fc94 Mon Sep 17 00:00:00 2001
-From: Otto Hollmann <otto.hollmann@suse.com>
-Date: Wed, 13 Dec 2023 10:23:39 +0100
-Subject: [PATCH] Update tests to be compatible with OpenSSL 3.2
-
----
- tests/003-csrgen-ec/run.sh                  | 4 ++--
- tests/038-ms-v2-template/extract-extdata.py | 3 ++-
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
-index cd9f9422..196b6d02 100755
---- a/tests/003-csrgen-ec/run.sh
-+++ b/tests/003-csrgen-ec/run.sh
-@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.
- openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der
- # The RSA tests already verify the contents of the requests, so we really only
- # need to care about the signatures passing verification.
--openssl req   -verify -noout < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
--openssl req   -verify -noout < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
-+openssl req   -verify -noout -in csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
-+openssl req   -verify -noout -in csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
- openssl spkac -verify -noout < spkac.nss.$size 2>&1
- openssl spkac -verify -noout < spkac.openssl.$size 2>&1
- openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1
-diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py
-index 8b6b14ff..e2f84a10 100755
---- a/tests/038-ms-v2-template/extract-extdata.py
-+++ b/tests/038-ms-v2-template/extract-extdata.py
-@@ -13,7 +13,8 @@ STATE_SEARCH, STATE_FOUND, STATE_DONE = range(3)
- state = STATE_SEARCH
- 
- for line in sys.stdin:
--    if state == STATE_SEARCH and ':1.3.6.1.4.1.311.21.7' in line:
-+    if state == STATE_SEARCH and (':Microsoft certificate template' in line
-+                                  or ':1.3.6.1.4.1.311.21.7' in line):
-         state = STATE_FOUND
-         continue
- 
--- 
-2.42.0
-

add_some_missing_tests.patch

@@ -0,0 +1,38 @@
+From 1b682f1069a79040ffc6f5de84c27b3160d7a53d Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Feb 06 2025 18:46:01 +0000
+Subject: Add some missing test files to dist
+
+
+SRPM misses some essential test files, causing failure during RPM
+build test phase.  Add the missing files.
+
+---
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index e20b6d8..e78a83d 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -279,6 +279,8 @@ EXTRA_DIST = \
+ 	025-casave-dbm/run.sh \
+ 	025-casave-sql/expected.out \
+ 	025-casave-sql/run.sh \
++	026-local/expected.openssl1 \
++	026-local/expected.openssl3 \
+ 	026-local/expected.out \
+ 	026-local/run.sh \
+ 	027-hooks/expected.out \
+@@ -356,6 +358,12 @@ EXTRA_DIST = \
+ 	038-ms-v2-template/extract-extdata.py \
+ 	038-ms-v2-template/run.sh \
+ 	039-fromfile/run.sh \
++	040-pem/bad.empty \
++	040-pem/bad.isrg-root-x1-cross-signed.der.b64 \
++	040-pem/expected.out \
++	040-pem/good.isrg-root-x1-cross-signed.pem \
++	040-pem/good.isrg-root-x1-cross-signed_cr.pem \
++	040-pem/good.lets_encrypt_chain.pem \
+ 	040-pem/run.sh
+ 
+ subdirs = \
+

certmonger-0.79.20.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23645a5c1b284d73df448dbb97366c1b6e639223fc9465e7834fa5c5fef3f01e
+size 962445

certmonger.changes

@@ -1,3 +1,59 @@
+-------------------------------------------------------------------
+Thu Nov 13 09:26:01 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Cleanup dbus dependencies: dbus-send is part of dbus-1-tools
+  and the %preun does not use any dbus tool nor sed.
+
+-------------------------------------------------------------------
+Wed Sep  3 09:38:31 UTC 2025 - Ana Guerrero <ana.guerrero@suse.com>
+
+- Disable failing tests with NSS 3.115.1: 007-certsave-dbm
+  and 007-certsave-sql 025-casave-dbm
+  * patch disable_some_tests.patch
+
+-------------------------------------------------------------------
+Mon Aug 25 08:20:51 UTC 2025 - Ana Guerrero <ana.guerrero@suse.com>
+
+- Update to 0.79.20
+  * Fix type error in cm_tdbusm_get_vn
+  * Adjust parameter type for util_EVP_PKEY_id
+  * Update tests to be compatible with OpenSSL 3.2
+  * Switch BR from /usr/include/popt.h to popt-devel
+  * getcert: return 2 when trying to create a duplicate entry
+  * getcert: add NULL check to duplicate string compare
+  * Use correct object path for 'ca' property of request objects in D-Bus API
+  * Move shell_escape function to util.c
+  * Add more environment variables to be passed on to the notification command
+  * Translated using Weblate (Chinese (Simplified) (zh_CN))
+  * Translated using Weblate (Georgian)
+  * Translated using Weblate (Russian)
+- Remove patches merged upstream
+  * 0001-Update-tests-to-be-compatible-with-OpenSSL-3.2.patch
+  * certmonger-c99-01.patch
+  * certmonger-c99-02.patch
+- New patch
+  * add_some_missing_tests.patch
+
+-------------------------------------------------------------------
+Thu Jul 11 17:22:28 UTC 2024 - David Mulder <david.mulder@suse.com>
+
+- Add cm_dont_restart_external.patch (a SUSE specific patch) which
+  prevents the restart of the cert request for an external ca
+  (bsc#1221406).
+
+-------------------------------------------------------------------
+Fri May 31 19:08:09 UTC 2024 - Martin Jambor <mjambor@suse.com>
+
+- Add certmonger-c99-01.patch and certmonger-c99-02.patch in order to
+  make the package buildable with GCC 14.  Patches originally by
+  Florian Weimer and from
+  https://pagure.io/certmonger/pull-request/265  [boo#1221683]
+
+-------------------------------------------------------------------
+Mon Mar 18 13:52:53 UTC 2024 - David Mulder <dmulder@suse.com>
+
+- HMAC build requires changes (these requires are missing in SLE).
+
 -------------------------------------------------------------------
 Wed Dec 13 08:48:02 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
 

certmonger.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package certmonger
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 # Copyright (c) 2020 Stasiek Michalski <stasiek@michalski.cc>.
 #
 # All modifications and additions to the file contributed by third parties
@@ -18,14 +18,16 @@
 
 
 Name:           certmonger
-Version:        0.79.19
+Version:        0.79.20
 Release:        0
 Summary:        Certificate status monitor and PKI enrollment client
 License:        GPL-3.0-or-later
 
 URL:            https://pagure.io/certmonger/
 Source0:        https://pagure.io/certmonger/archive/%{version}/certmonger-%{version}.tar.gz
-Patch0001:      0001-Update-tests-to-be-compatible-with-OpenSSL-3.2.patch
+Patch01:        cm_dont_restart_external.patch
+Patch02:        add_some_missing_tests.patch
+Patch03:        disable_some_tests.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -39,10 +41,10 @@ BuildRequires:  gcc
 BuildRequires:  gettext-devel
 BuildRequires:  krb5-devel
 BuildRequires:  libcurl-devel
-BuildRequires:  libfreebl3-hmac
+BuildRequires:  libfreebl3
 BuildRequires:  libidn2-devel
 BuildRequires:  libjansson-devel >= 2.12
-BuildRequires:  libsoftokn3-hmac
+BuildRequires:  libsoftokn3
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 BuildRequires:  libuuid-devel
@@ -65,10 +67,8 @@ BuildRequires:  pkgconfig(systemd)
 BuildRequires:  which
 BuildRequires:  xmlrpc-c-devel
 
-Requires:       dbus-1
-Requires(post): dbus-1
-Requires(preun):dbus-1
-Requires(preun):sed
+Requires:       dbus-1-tools
+Requires(post): dbus-1-tools
 
 BuildRequires:  systemd-rpm-macros
 %{?systemd_requires}

cm_dont_restart_external.patch

@@ -0,0 +1,26 @@
+--- certmonger-0.79.13-150400.3.3.1.x86_64/src/iterate.c	2020-10-20 21:39:55.000000000 +0200
++++ certmonger-0.79.13-150400.3.3.1.x86_64/src/iterate.c	2024-05-08 10:48:22.851568239 +0200
+@@ -2389,15 +2389,19 @@ 
+ 				case cm_ca_phase_renew_reqs:
+ 				case cm_ca_phase_capabilities:
+ 					if (emit_ca_changes != NULL) {
+-						cm_restart_entries_by_ca(context,
+-									 ca->cm_nickname);
++						if(ca->cm_ca_type != cm_ca_external) {
++							cm_restart_entries_by_ca(context,
++									 	ca->cm_nickname);
++						}
+ 					}
+ 					ca->cm_ca_state[state->cm_phase] = CM_CA_NEED_TO_ANALYZE;
+ 					break;
+ 				case cm_ca_phase_encryption_certs:
+ 					if (emit_ca_changes != NULL) {
+-						cm_restart_entries_by_ca(context,
+-									 ca->cm_nickname);
++						if(ca->cm_ca_type != cm_ca_external) {
++							cm_restart_entries_by_ca(context,
++										 ca->cm_nickname);
++						}
+ 					}
+ 					ca->cm_ca_state[state->cm_phase] = CM_CA_NEED_TO_ANALYZE;
+ 					break;

disable_some_tests.patch

@@ -0,0 +1,69 @@
+Disable failing tests with NSS 3.115.1: 007-certsave-dbm
+and 007-certsave-sql 025-casave-dbm
+  
+diff -Nrua certmonger-0.79.20.orig/tests/Makefile.am certmonger-0.79.20/tests/Makefile.am
+--- certmonger-0.79.20.orig/tests/Makefile.am	2025-09-03 12:20:43.586608570 +0200
++++ certmonger-0.79.20/tests/Makefile.am	2025-09-03 12:28:33.021626210 +0200
+@@ -36,10 +36,6 @@
+ 	006-serial/actual.err \
+ 	007-certsave/actual.out \
+ 	007-certsave/actual.err \
+-	007-certsave-dbm/actual.out \
+-	007-certsave-dbm/actual.err \
+-	007-certsave-sql/actual.out \
+-	007-certsave-sql/actual.err \
+ 	008-certread/actual.out \
+ 	008-certread/actual.err \
+ 	009-oiddict/actual.out \
+@@ -96,8 +92,6 @@
+ 	024-citerate/actual.err \
+ 	025-casave/actual.out \
+ 	025-casave/actual.err \
+-	025-casave-dbm/actual.out \
+-	025-casave-dbm/actual.err \
+ 	025-casave-sql/actual.out \
+ 	025-casave-sql/actual.err \
+ 	026-local/actual.out \
+@@ -183,12 +177,6 @@
+ 	007-certsave/prequal.sh \
+ 	007-certsave/run.sh \
+ 	007-certsave/expected.out \
+-	007-certsave-dbm/prequal.sh \
+-	007-certsave-dbm/run.sh \
+-	007-certsave-dbm/expected.out \
+-	007-certsave-sql/prequal.sh \
+-	007-certsave-sql/run.sh \
+-	007-certsave-sql/expected.out \
+ 	008-certread/run.sh \
+ 	008-certread/expected.out \
+ 	009-oiddict/run.sh \
+@@ -275,8 +263,6 @@
+ 	024-citerate/run.sh \
+ 	025-casave/expected.out \
+ 	025-casave/run.sh \
+-	025-casave-dbm/expected.out \
+-	025-casave-dbm/run.sh \
+ 	025-casave-sql/expected.out \
+ 	025-casave-sql/run.sh \
+ 	026-local/expected.openssl1 \
+@@ -405,20 +391,17 @@
+ if HAVE_DBM_NSSDB
+ subdirs += \
+ 	002-keygen-dbm \
+-	007-certsave-dbm \
+ 	011-dbinit-dbm \
+ 	012-dbadd-dbm \
+ 	013-enckey-dbm \
+ 	015-lockedkey-dbm \
+ 	017-notoken-dbm \
+-	025-casave-dbm \
+ 	034-perms-dbm
+ endif
+ 
+ if HAVE_SQL_NSSDB
+ subdirs += \
+ 	002-keygen-sql \
+-	007-certsave-sql \
+ 	011-dbinit-sql \
+ 	012-dbadd-sql \
+ 	013-enckey-sql \