easy-rsa/easy-rsa.spec

#
# spec file for package easy-rsa
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2015 Stefan Jakobs.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


%define         pname EasyRSA
Name:           easy-rsa
Version:        3.2.2
Release:        0
Summary:        CLI utility to build and manage a PKI CA
License:        GPL-2.0-or-later
URL:            https://github.com/OpenVPN/easy-rsa
Source:         %{url}/releases/download/v%{version}/%{pname}-%{version}.tgz
Source1:        %{url}/releases/download/v%{version}/%{pname}-%{version}.tgz.sig
Source2:        https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6f4056821152f03b6b24f2fcf8489f839d7367f3#/%{name}.keyring
Patch100:       suse-packaging.patch
BuildArch:      noarch

%description
easy-rsa is a CLI utility to build and manage a Public Key Infrastructure
(PKI). Once the Certificate Authority (CA) is created, you can request and sign
certificates, including sub-CAs, and create Certificate Revokation Lists (CRL).

%prep
%autosetup -p1 -n %{pname}-%{version}

%build

%install
install -dm0755 %{buildroot}/%{_sysconfdir}/%{name}/
install -dm0755 %{buildroot}/%{_sysconfdir}/%{name}/x509-types
install -Dm0644 vars.example %{buildroot}/%{_sysconfdir}/%{name}/
install -Dm0644 openssl-easyrsa.cnf %{buildroot}/%{_sysconfdir}/%{name}/
install -Dm0644 x509-types/* %{buildroot}/%{_sysconfdir}/%{name}/x509-types/
install -Dm0755 easyrsa %{buildroot}/%{_bindir}/easyrsa

%files
%doc ChangeLog README.md README.quickstart.md
%doc doc/*
%license COPYING.md gpl-2.0.txt
%{_bindir}/easyrsa
%config(noreplace) %{_sysconfdir}/%{name}

%changelog
Accepting request 1227414 from home:rrahl0 - update to 3.2.1: * inline: Add decimal value for cert. serial * Always exit with error for unknown command options * ntegrate Easy-RSA TLS-Key for use with 'init-pki soft' * easyrsa-tools.lib, show-expire: Add CA certificate to report * inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 * easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 * easyrsa-tools.lib: expire_status_v2() (show-expire version 2) * sign-req: Require 128bit serial number * Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut * Windows secure_session(): Ensure $secured_session dir is created * Switch to '-f' for file existence * inline: Move auto-inline from build_full() to sign_req() * gen-crl: Create additional CRL in DER format * self-sign: Allow Edwards Curve based keys * Re-enable command 'renew' (version 2): Requires EasyRSA Tools * bug-fix: revoke: Pass the correct certificate location * vars.example: Add flags for auto-SAN and X509 critical attribute * Global option --eku-crit: Mark X509 extendedKeyUsage as critical * sign-req: Add critical and pathlen details to confirmation * export-p12: Automatically generate inline file * Introduce global option --auto-san, use commonName as SAN * Introduce global option --san-crit, mark SAN critical * Introduce new global options: --ku-crit and --bc-crit * gen-req: Always check for existing request file * revoke/revoke-expired/-renewed: Keep duplicate certificate * revoke-expired/-renewed: Keep req/key files for resigning * revoke: Add abbreviations for optional 'reason' * build-ca: Allow use of --req-cn without batch mode * gen-req: Re-enable use of --req-cn * write: Change syntax, target as file, not directory - update to 3.2.0: * Revert ca76697: Restore escape_hazard() * New X509 Type: 'selfsign' Internal only * New commands: self-sign-server and self-sign-client * build-ca: Command 'req', remove SSL option '-keyout' * Remove escape_hazard(), obsolete * Remove command and function display_cn(), unused * docs: Update EasyRSA-Renew-and-Revoke.md * Remove all 'renew' code; replaced by 'expire' code * Introduce commands: 'expire' and 'revoke-expired' * Keep request files [CSR] when revoking certificates * Restrict use of --req-cn to build-ca * Remove command 'display-san' (Code removed in 5a06f94) * Move Status Reports to 'easyrsa-tools.lib' * export-p12, OpenSSL v1.x: Upgrade PBE and MAC options * LibreSSL: Add fix for missing 'x509' option '-ext' * Variable heredoc expansion for SSL/Safe Config file * Always use here-doc version of openssl-easyrsa.cnf * export-p12: New command option 'legacy'. OpenSSL V3 Only * export-p12: Always set 'friendlyName' to file-name-base * As of Easy-RSA version 3.2.0-beta1, the configuration files vars.example, openssl-eayrsa.cnf and all files in x509-types directory are no longer required * Rename X509-type file code-signing to codeSigning * init-pki: Always write vars.example file to fresh PKI * New command 'write': Write 'legacy' files to stdout or files * Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' * New Command 'rand': Expose easyrsa_random() to the command line * Remove function 'set_pass_legacy()' * Remove command 'rewind-renew' * Remove command 'rebuild' * Remove command 'upgrade' * Remove EASYRSA_NO_VARS; Allow graceful use without a vars file * New diagnostic command 'display-cn' * Expand renewable certificate types to include code-signing - attach a source to keyring OBS-URL: https://build.opensuse.org/request/show/1227414 OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=46 2024-11-30 03:08:14 +00:00			`#`
			`# spec file for package easy-rsa`
			`#`
- update to 3.2.2: * Remove redundant file: index.txt.attr * sign-req: Allow custom X509 Types * Add LibreSSL version 4 to supported SSL Libraries * Revoke remove private inline * Easyrsa disable inline * easyrsa-tools.lib: renew SAN, remove excess word 'Address' * easyrsa-tls.lib: renew, make sed regex for 'IP Address' greedy * Show expire allow zero days * easyrsa-tools.lib: New command 'renew ca' * Improve CRL expiration details * Tools move to easyrsa3 * vars.example: Remove $EASYRSA_PKI * Introduce new command revoke-issued * Bugfix renew ca and renew * Always use locate_support_files() after secure_session() * revoke: Make check for conflicting files less intrusive * Forbid a self-signed certificate from being expired/renewed/revoked * V321 minor final * op-test.sh: Disable download ossl3 and shellcheck binaries * Revert: Do not remove index.txt.attr * Fold easyrsa-tools.lib into easyrsa OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=48 2025-02-01 14:56:35 +00:00			`# Copyright (c) 2025 SUSE LLC`
Accepting request 1227414 from home:rrahl0 - update to 3.2.1: * inline: Add decimal value for cert. serial * Always exit with error for unknown command options * ntegrate Easy-RSA TLS-Key for use with 'init-pki soft' * easyrsa-tools.lib, show-expire: Add CA certificate to report * inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 * easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 * easyrsa-tools.lib: expire_status_v2() (show-expire version 2) * sign-req: Require 128bit serial number * Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut * Windows secure_session(): Ensure $secured_session dir is created * Switch to '-f' for file existence * inline: Move auto-inline from build_full() to sign_req() * gen-crl: Create additional CRL in DER format * self-sign: Allow Edwards Curve based keys * Re-enable command 'renew' (version 2): Requires EasyRSA Tools * bug-fix: revoke: Pass the correct certificate location * vars.example: Add flags for auto-SAN and X509 critical attribute * Global option --eku-crit: Mark X509 extendedKeyUsage as critical * sign-req: Add critical and pathlen details to confirmation * export-p12: Automatically generate inline file * Introduce global option --auto-san, use commonName as SAN * Introduce global option --san-crit, mark SAN critical * Introduce new global options: --ku-crit and --bc-crit * gen-req: Always check for existing request file * revoke/revoke-expired/-renewed: Keep duplicate certificate * revoke-expired/-renewed: Keep req/key files for resigning * revoke: Add abbreviations for optional 'reason' * build-ca: Allow use of --req-cn without batch mode * gen-req: Re-enable use of --req-cn * write: Change syntax, target as file, not directory - update to 3.2.0: * Revert ca76697: Restore escape_hazard() * New X509 Type: 'selfsign' Internal only * New commands: self-sign-server and self-sign-client * build-ca: Command 'req', remove SSL option '-keyout' * Remove escape_hazard(), obsolete * Remove command and function display_cn(), unused * docs: Update EasyRSA-Renew-and-Revoke.md * Remove all 'renew' code; replaced by 'expire' code * Introduce commands: 'expire' and 'revoke-expired' * Keep request files [CSR] when revoking certificates * Restrict use of --req-cn to build-ca * Remove command 'display-san' (Code removed in 5a06f94) * Move Status Reports to 'easyrsa-tools.lib' * export-p12, OpenSSL v1.x: Upgrade PBE and MAC options * LibreSSL: Add fix for missing 'x509' option '-ext' * Variable heredoc expansion for SSL/Safe Config file * Always use here-doc version of openssl-easyrsa.cnf * export-p12: New command option 'legacy'. OpenSSL V3 Only * export-p12: Always set 'friendlyName' to file-name-base * As of Easy-RSA version 3.2.0-beta1, the configuration files vars.example, openssl-eayrsa.cnf and all files in x509-types directory are no longer required * Rename X509-type file code-signing to codeSigning * init-pki: Always write vars.example file to fresh PKI * New command 'write': Write 'legacy' files to stdout or files * Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' * New Command 'rand': Expose easyrsa_random() to the command line * Remove function 'set_pass_legacy()' * Remove command 'rewind-renew' * Remove command 'rebuild' * Remove command 'upgrade' * Remove EASYRSA_NO_VARS; Allow graceful use without a vars file * New diagnostic command 'display-cn' * Expand renewable certificate types to include code-signing - attach a source to keyring OBS-URL: https://build.opensuse.org/request/show/1227414 OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=46 2024-11-30 03:08:14 +00:00			`# Copyright (c) 2015 Stefan Jakobs.`
			`#`
			`# All modifications and additions to the file contributed by third parties`
			`# remain the property of their copyright owners, unless otherwise agreed`
			`# upon. The license for this file, and modifications and additions to the`
			`# file, is the same license as for the pristine package itself (unless the`
			`# license for the pristine package is not an Open Source License, in which`
			`# case the license is the MIT License). An "Open Source License" is a`
			`# license that conforms to the Open Source Definition (Version 1.9)`
			`# published by the Open Source Initiative.`

			`# Please submit bugfixes or comments via https://bugs.opensuse.org/`
			`#`


			`%define pname EasyRSA`
			`Name: easy-rsa`
- update to 3.2.2: * Remove redundant file: index.txt.attr * sign-req: Allow custom X509 Types * Add LibreSSL version 4 to supported SSL Libraries * Revoke remove private inline * Easyrsa disable inline * easyrsa-tools.lib: renew SAN, remove excess word 'Address' * easyrsa-tls.lib: renew, make sed regex for 'IP Address' greedy * Show expire allow zero days * easyrsa-tools.lib: New command 'renew ca' * Improve CRL expiration details * Tools move to easyrsa3 * vars.example: Remove $EASYRSA_PKI * Introduce new command revoke-issued * Bugfix renew ca and renew * Always use locate_support_files() after secure_session() * revoke: Make check for conflicting files less intrusive * Forbid a self-signed certificate from being expired/renewed/revoked * V321 minor final * op-test.sh: Disable download ossl3 and shellcheck binaries * Revert: Do not remove index.txt.attr * Fold easyrsa-tools.lib into easyrsa OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=48 2025-02-01 14:56:35 +00:00			`Version: 3.2.2`
Accepting request 1227414 from home:rrahl0 - update to 3.2.1: * inline: Add decimal value for cert. serial * Always exit with error for unknown command options * ntegrate Easy-RSA TLS-Key for use with 'init-pki soft' * easyrsa-tools.lib, show-expire: Add CA certificate to report * inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 * easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 * easyrsa-tools.lib: expire_status_v2() (show-expire version 2) * sign-req: Require 128bit serial number * Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut * Windows secure_session(): Ensure $secured_session dir is created * Switch to '-f' for file existence * inline: Move auto-inline from build_full() to sign_req() * gen-crl: Create additional CRL in DER format * self-sign: Allow Edwards Curve based keys * Re-enable command 'renew' (version 2): Requires EasyRSA Tools * bug-fix: revoke: Pass the correct certificate location * vars.example: Add flags for auto-SAN and X509 critical attribute * Global option --eku-crit: Mark X509 extendedKeyUsage as critical * sign-req: Add critical and pathlen details to confirmation * export-p12: Automatically generate inline file * Introduce global option --auto-san, use commonName as SAN * Introduce global option --san-crit, mark SAN critical * Introduce new global options: --ku-crit and --bc-crit * gen-req: Always check for existing request file * revoke/revoke-expired/-renewed: Keep duplicate certificate * revoke-expired/-renewed: Keep req/key files for resigning * revoke: Add abbreviations for optional 'reason' * build-ca: Allow use of --req-cn without batch mode * gen-req: Re-enable use of --req-cn * write: Change syntax, target as file, not directory - update to 3.2.0: * Revert ca76697: Restore escape_hazard() * New X509 Type: 'selfsign' Internal only * New commands: self-sign-server and self-sign-client * build-ca: Command 'req', remove SSL option '-keyout' * Remove escape_hazard(), obsolete * Remove command and function display_cn(), unused * docs: Update EasyRSA-Renew-and-Revoke.md * Remove all 'renew' code; replaced by 'expire' code * Introduce commands: 'expire' and 'revoke-expired' * Keep request files [CSR] when revoking certificates * Restrict use of --req-cn to build-ca * Remove command 'display-san' (Code removed in 5a06f94) * Move Status Reports to 'easyrsa-tools.lib' * export-p12, OpenSSL v1.x: Upgrade PBE and MAC options * LibreSSL: Add fix for missing 'x509' option '-ext' * Variable heredoc expansion for SSL/Safe Config file * Always use here-doc version of openssl-easyrsa.cnf * export-p12: New command option 'legacy'. OpenSSL V3 Only * export-p12: Always set 'friendlyName' to file-name-base * As of Easy-RSA version 3.2.0-beta1, the configuration files vars.example, openssl-eayrsa.cnf and all files in x509-types directory are no longer required * Rename X509-type file code-signing to codeSigning * init-pki: Always write vars.example file to fresh PKI * New command 'write': Write 'legacy' files to stdout or files * Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' * New Command 'rand': Expose easyrsa_random() to the command line * Remove function 'set_pass_legacy()' * Remove command 'rewind-renew' * Remove command 'rebuild' * Remove command 'upgrade' * Remove EASYRSA_NO_VARS; Allow graceful use without a vars file * New diagnostic command 'display-cn' * Expand renewable certificate types to include code-signing - attach a source to keyring OBS-URL: https://build.opensuse.org/request/show/1227414 OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=46 2024-11-30 03:08:14 +00:00			`Release: 0`
			`Summary: CLI utility to build and manage a PKI CA`
			`License: GPL-2.0-or-later`
			`URL: https://github.com/OpenVPN/easy-rsa`
			`Source: %{url}/releases/download/v%{version}/%{pname}-%{version}.tgz`
			`Source1: %{url}/releases/download/v%{version}/%{pname}-%{version}.tgz.sig`
			`Source2: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6f4056821152f03b6b24f2fcf8489f839d7367f3#/%{name}.keyring`
			`Patch100: suse-packaging.patch`
			`BuildArch: noarch`

			`%description`
			`easy-rsa is a CLI utility to build and manage a Public Key Infrastructure`
			`(PKI). Once the Certificate Authority (CA) is created, you can request and sign`
			`certificates, including sub-CAs, and create Certificate Revokation Lists (CRL).`

			`%prep`
			`%autosetup -p1 -n %{pname}-%{version}`

			`%build`

			`%install`
			`install -dm0755 %{buildroot}/%{_sysconfdir}/%{name}/`
			`install -dm0755 %{buildroot}/%{_sysconfdir}/%{name}/x509-types`
			`install -Dm0644 vars.example %{buildroot}/%{_sysconfdir}/%{name}/`
			`install -Dm0644 openssl-easyrsa.cnf %{buildroot}/%{_sysconfdir}/%{name}/`
			`install -Dm0644 x509-types/* %{buildroot}/%{_sysconfdir}/%{name}/x509-types/`
			`install -Dm0755 easyrsa %{buildroot}/%{_bindir}/easyrsa`

			`%files`
			`%doc ChangeLog README.md README.quickstart.md`
			`%doc doc/*`
			`%license COPYING.md gpl-2.0.txt`
			`%{_bindir}/easyrsa`
			`%config(noreplace) %{_sysconfdir}/%{name}`

			`%changelog`