pool/rage-encryption
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rage-encryption/rage-encryption.spec
c unix a817f0b2f2 - Fixes GHSA-4fg7-vxc8-qx5w 
- Update to version 0.11.1+0:
  * Fixed a security vulnerability that could allow an attacker to
    execute an arbitrary binary under certain conditions. Plugin
    names are now required to only contain alphanumeric characters
    or the four special characters +-._.
  * Replace the test `NoCallbacks` with the library version
  * Restrict set of valid characters for plugin names
  * Add tests for invalid plugin name chars
- Update to 0.11.0+0:
  Added:
  * Partial French translation!
  Fixed:
  * [Unix] Files can now be encrypted with rage --passphrase when
    piped over stdin, without requiring an explicit - argument as
    INPUT.
- bsc#1229959 - RUSTSEC-2024-0006 - CVE-2024-43806
  - rust-shlex: Multiple issues involving quote API
- bsc#1229959 - RUSTSEC-2024-0006 - rust-shlex: Multiple issues involving quote API
- Enable tests
- Install all language manpages
- Fix -keygen installing to -mount
- Switch from obsoleted practices to modern ones:
  * %setup is now %autosetup
  * cargo_config is now part of vendor file
  * disabledrun is now manualrun
- Update to version 0.10.0+0:
  Added:
  * Russian translation
  * rage-keygen -y IDENTITY_FILE to convert identity files to
    recipients.
  Changed:
  * MSRV is now 1.65.0.
  * Migrated from gumdrop to clap for argument parsing.
  * -R/--recipients-file and -i/--identity now support "read-once"
    files, like those used by process substitution (-i
    <(other_binary get-age-identity)) and named pipes.
  * The filename - (hyphen) is now treated as an explicit request
    to read from standard input when used with -R/--recipients-file
    or -i/--identity. It must only occur once across the
    -R/--recipients-file and -i/--identity flags, and the input
    file. It cannot be used if the input file is omitted.
  Fixed:
  * OpenSSH private keys passed to -i/--identity that contain
    invalid public keys are no longer ignored when encrypting, and
    instead cause an error.
  * Weak ssh-rsa public keys that are smaller than 2048 bits are
    now rejected.
  * rage-keygen no longer overwrites existing key files with the
    -o/--output flag. This was its behaviour prior to 0.6.0, but
    was unintentionally changed when rage was modified to overwrite
    existing files. Key file overwriting can still be achieved by
    omitting -o/--output and instead piping stdout to the file.
  * rage-keygen now prints fatal errors directly instead of them
    being hidden behind the RUST_LOG=error environment variable. It
    also now sets its return code appropriately instead of always
    returning 0.
- bsc#1215657 - chosen ciphertext attack possible against aes-gcm
  * update vendor.tar.zst to contain aes-gcm >= 0.10.3
- Update to version 0.9.2+0:
  * CI: Ensure `apt` repository is up-to-date before installing build deps
  * CI: Build Linux releases using `ubuntu-20.04` runner
  * CI: Remove most uses of `actions-rs` actions
- Update to version 0.9.2+0:
  * v0.9.2
  * Fix changelog bugs and add missing entry
  * Document `PINENTRY_PROGRAM` environment variable
  * age: Add `Decryptor::new_async_buffered`
  * age: `impl AsyncBufRead for ArmoredReader`
  * Pre-initialize vectors when the capacity is known, or use arrays
  * Use `PINENTRY_PROGRAM` as environment variable for `pinentry`
  * Document why `impl AsyncWrite for StreamWriter` doesn't loop indefinitely
  * cargo update
  * cargo vet prune
  * Migrate to `cargo-vet 0.7`
  * build(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.1
  * Correct spelling in documentation
  * build(deps): bump codecov/codecov-action from 3.1.1 to 3.1.4
  * StreamWriter AsyncWrite: fix usage with futures::io::copy()
  * rage: Use `Decryptor::new_buffered`
  * age: Add `Decryptor::new_buffered`
  * age: `impl BufRead for ArmoredReader`
  * Update Homebrew formula to v0.9.1
  * feat/pinentry: Use env var to define pinentry binary
- As per https://en.opensuse.org/openSUSE:Package_description_guidelines
  mention distinctive characteristics that offset this solution
  from e.g. gpg.
- Update to version 0.9.1+0:
  * ssh: Fix parsing of OpenSSH private key format
  * ssh: Support `aes256-gcm@openssh.com` ciphers for encrypted keys
  * ssh: Add `aes256-gcm@openssh.com` cipher to test cases
  * ssh: Extract common key material derivation logic for encrypted keys
  * ssh: Use associated constants for key and IV sizes
  * ssh: Add test cases for encrypted keys
- Add shell completions for fish and zsh.
- bsc#1207039 - CVE-2023-22895 - update bzip2 crate
- Update of vendored dependencies
- Update of vendored dependencies
- Do not have the main package recommend the bash-completion
  sub-package, but rather have the subpackage supplement the
  combination of tage-encryption and bash-completion.
- Update to version 0.9.0+0:
  * v0.9.0
  * use pkcs1 crate to parse RSAPrivateKey ASN.1 object
  * qa: Add workflow that runs `cargo vet --locked`
  * qa: Import `cargo vet` audits from Firefox and zcashd
  * qa: Add `crypto-reviewed` criteria or `cargo vet`
  * qa: `cargo vet init`
- Set minimum rust requirement to 1.59
- Update to version 0.8.1+0:
  * v0.8.1
  * Revert updates to `dashmap` and `indexmap`
  * cargo update
  * age: Add passphrase to scrypt_work_factor_23 testkit test file
  * age: Reject invalid or non-canonical X25519 recipient stanzas
  * age: Require "contributory" behaviour for X25519 recipient stanzas
  * age: Add testkit test files from reference impl
  * Update Homebrew formula to v0.8.0
- Update to version 0.8.0+0:
  * v0.8.0
  * age: Allow ciphertexts that encrypt the empty plaintext
  * Update Italian translation
  * Don't allow -i/--identity with passphrase-encrypted files
  * age: Require the last STREAM chunk to be non-empty
  * age: Return correct response encoding for `confirm` command
  * age: Base64-decode metadata arguments to "confirm" message
  * age: Extract "confirm" command handling into a helper function
- Automatic update of vendored dependencies
- Update to resolve bsc#1196972 CVE-2022-24713 - Regex DOS
- switched to vendored_licenses_packager as build dependency
- define macro "rust_tier1_arches" if undefined
- Add specific lock file path to _service for cargo audit to prevent
  confusion with the lock files in the fuzz folders.
- Update to version 0.7.1
  * Fixed a bug where non-canonical recipient stanza bodies in an age
    file header would cause rage to crash instead of being rejected
  * vendor.tar.xz updated from source code Cargo.lock file
- Added:
  * binary rage-mount
  * bash-completion for rage, rage-keygen and rage-mount
  * manual pages for rage, rage-keygen and rage-mount
  * Licenses files
  * Licenses files of vendored crates extracted
    with script "vendored_licenses_packager.sh"
  * README and CHANGELOG files
  * possibility to build without cargo-packaging for "older" distros
- Update to version 0.7.0~git0.c93b914:
  * v0.7.0
  * cargo update fuzz*
  * Update lockfiles for fuzzers
  * rage: Pin clap to 3.0.0-beta.2
  * CI: Add bitrot check to ensure examples and benchmarks still compile
  * console 0.15
  * age: Re-export `secrecy` crate
  * age-core: Improve crate documentation
  * age-core: Re-export `secrecy` crate
  * age-core: Add `plugin::Error` enum
- Initial commit of rage

OBS-URL: https://build.opensuse.org/package/show/security/rage-encryption?expand=0&rev=39
2025-01-05 15:35:00 +00:00

157 lines
5.0 KiB
RPMSpec
Raw Blame History

#
# spec file for package rage-encryption
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%{?!rust_tier1_arches:%global rust_tier1_arches x86_64 aarch64}
Name: rage-encryption
# This will be set by osc services, that will run after this.
Version: 0.11.1+0
Release: 0
Summary: X25519-based, simple, modern, and secure file encryption tool
# If you know the license, put it's SPDX string here.
# Alternately, you can use cargo lock2rpmprovides to help generate this.
License: (0BSD OR MIT OR Apache-2.0) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND Apache-2.0 AND BSD-3-Clause AND CDDL-1.0 AND MIT
# Select a group from this link:
# https://en.opensuse.org/openSUSE:Package_group_guidelines
Group: Productivity/Security
URL: https://github.com/str4d/rage
Source0: rage-%{version}.tar.gz
Source1: vendor.tar.zst
%if %{suse_version} > 1500
BuildRequires: cargo-packaging
%endif
# Requires >1.59 for thread::available_parallelism
BuildRequires: cargo >= 1.59
BuildRequires: libzstd-devel
BuildRequires: vendored_licenses_packager
# for feature mount
BuildRequires: fuse-devel
Recommends: pinentry
BuildRequires: zstd
Conflicts: rage
ExclusiveArch: %{rust_tier1_arches}
%description
Rage is a simple, modern, and secure file encryption tool, using the
age format. It features small explicit keys, no config options, and
UNIX-style composability.
Keys are based on X25519 which are similar to the ones used by SSH.
rage-encryption can also use ssh-ed25519 and ssh-rsa keys as
alternatives to age1 keys.
%package bash-completion
Summary: Bash completion for %{name}
Group: Productivity/Security
BuildArch: noarch
Requires: %{name}
Requires: bash-completion
Supplements: (%{name} and bash-completion)
Conflicts: rage
%description bash-completion
Bash command line completion support for %{name}
%package fish-completion
Summary: Fish Completion for %{name}
Group: Productivity/Security
Supplements: (%{name} and fish)
Requires: fish
BuildArch: noarch
%description fish-completion
Fish command-line completion support for %{name}.
%package zsh-completion
Summary: Zsh Completion for %{name}
Group: Productivity/Security
Supplements: (%{name} and zsh)
Requires: zsh
BuildArch: noarch
%description zsh-completion
Zsh command-line completion support for %{name}.
%prep
%autosetup -a 1 -n rage-%{version}
%vendored_licenses_packager_prep
%build
%define build_args --manifest-path rage/Cargo.toml --features "mount" --release %{?_smp_mflags}
%if %{suse_version} > 1500
%{cargo_build} --features "mount"
%else
cargo build %{build_args}
%endif
%check
%if %{suse_version} > 1500
%{cargo_test} --features "mount"
%else
cargo test %{build_args}
%endif
%install
pushd target/release
# Install each part of the tool and their respective completions.
for i in "" -keygen -mount; do
install -D -m 0755 rage$i %{buildroot}%{_bindir}/rage$i
install -D -p -m 644 completions/rage$i.bash %{buildroot}%{_datadir}/bash-completion/completions/rage$i
install -D -p -m 644 completions/_rage$i %{buildroot}%{_datadir}/zsh/site-functions/_rage$i
install -D -p -m 644 completions/rage$i.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/rage$i.fish
done
pushd manpages
mv es_AR es # es_AR doesn't seem to be a correct manpage locale
find . -name "*.1.gz" -exec install -Dpm644 {} %{buildroot}%{_mandir}/{} \;
popd
popd
%vendored_licenses_packager_install
%find_lang rage{,-keygen,-mount} rage.lang --with-man --all-name
%files -f rage.lang
%{_bindir}/rage
%{_bindir}/rage-keygen
%{_bindir}/rage-mount
%doc README.md rage/CHANGELOG.md
# accept duplicates here
%license LICENSE-APACHE LICENSE-MIT
%vendored_licenses_packager_files
%{_mandir}/man1/rage*.1%{?ext_man}
%files bash-completion
%license LICENSE-APACHE LICENSE-MIT
%{_datadir}/bash-completion/completions/rage*
%files fish-completion
%license LICENSE-APACHE LICENSE-MIT
%dir %{_datadir}/fish
%dir %{_datadir}/fish/vendor_completions.d
%{_datadir}/fish/vendor_completions.d/rage*.fish
%files zsh-completion
%license LICENSE-APACHE LICENSE-MIT
%dir %{_datadir}/zsh
%dir %{_datadir}/zsh/site-functions
%{_datadir}/zsh/site-functions/_rage*
%changelog
Reference in New Issue View Git Blame Copy Permalink