From 287aa8ece1386757ea3e8b41804aad4b1dc1bf9bbb56e15048e3f2179787b568 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Wed, 10 May 2017 09:23:36 +0000 Subject: [PATCH 1/8] Removed unnecessary dependency of libsapi0 to trousers. Trousers is TPM 1.2, this here is about TPM 2, so having a dependency to it is very wrong. This was probably a copy/paste mistake during creation of the spec file. OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=38 --- tpm2-0-tss.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec index 587ff90..ada0370 100644 --- a/tpm2-0-tss.spec +++ b/tpm2-0-tss.spec @@ -53,7 +53,6 @@ for accessing TPM 2.0 chips. %package -n libsapi0 Summary: TPM2 System API library Group: System/Libraries -Requires: trousers # Non-SLPP package name from earlier Obsoletes: libtss2 < %version-%release Provides: libtss2 = %version-%release From f0cbe8c4da0fdff2186505ce25830da9a342b726bd6f04a124ccc4fc34b4c00a Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Wed, 10 May 2017 09:38:50 +0000 Subject: [PATCH 2/8] - remove unnecessary dependency of libsapi0 to trousers. trousers has nothing to do with tpm2-tss. OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=39 --- tpm2-0-tss.changes | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tpm2-0-tss.changes b/tpm2-0-tss.changes index e51ca5c..d2d8c38 100644 --- a/tpm2-0-tss.changes +++ b/tpm2-0-tss.changes 
@@ -1,6 +1,12 @@ ------------------------------------------------------------------- Tue Apr 11 14:26:14 UTC 2017 - meissner@suse.com +- remove unnecessary dependency of libsapi0 to trousers. trousers has nothing + to do with tpm2-tss. + +------------------------------------------------------------------- +Tue Apr 11 14:26:14 UTC 2017 - meissner@suse.com + - fixed typo in resourcemgr.service (bsc#1031004) ------------------------------------------------------------------- From f8154f343edc0f99a00d5c5749143c6d2da9f0756beb6f4850eeb6d3f89d5cd8 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Wed, 10 May 2017 11:33:35 +0000 Subject: [PATCH 3/8] fixed date line in changelog OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=40 --- tpm2-0-tss.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tpm2-0-tss.changes b/tpm2-0-tss.changes index d2d8c38..b4cc3d8 100644 --- a/tpm2-0-tss.changes +++ b/tpm2-0-tss.changes @@ -1,5 +1,5 @@ ------------------------------------------------------------------- -Tue Apr 11 14:26:14 UTC 2017 - meissner@suse.com +Wed May 10 13:33:16 CEST 2017 - mgerstner@suse.com - remove unnecessary dependency of libsapi0 to trousers. trousers has nothing to do with tpm2-tss. From 9661aea8f5533780ede7ccb9bb570aae9fefe2d041d65e5ce029a0cd169bf09a Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Thu, 11 May 2017 15:15:35 +0000 Subject: [PATCH 4/8] - create tss user account and install udev rule to fix startup of resourcemgr (bnc#1038586) OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=41 --- tpm2-0-tss.changes | 6 ++++++ tpm2-0-tss.spec | 29 +++++++++++++++++++++++++++-- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/tpm2-0-tss.changes b/tpm2-0-tss.changes index b4cc3d8..0c14825 100644 --- a/tpm2-0-tss.changes +++ b/tpm2-0-tss.changes 
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu May 11 15:13:49 UTC 2017 - matthias.gerstner@suse.com + +- create tss user account and install udev rule to fix startup of resourcemgr + (bnc#1038586) + ------------------------------------------------------------------- Wed May 10 13:33:16 CEST 2017 - mgerstner@suse.com diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec index ada0370..c7b241f 100644 --- a/tpm2-0-tss.spec +++ b/tpm2-0-tss.spec @@ -36,7 +36,10 @@ Requires(pre): pwdutils BuildRoot: %{_tmppath}/%{name}-%{version}-build %description -The tpm2-0-tss package provides a TPM 2.0 TSS implementation. +The tpm2-0-tss package provides a TPM 2.0 TSS implementation. This +implementation is developed by INTEL. Note that the current resource manager +imiplementation is considered deprecated (a prototype, probably buggy and +insecure) by its developers. %package devel Summary: Development headers for the Intel TSS library for TPM 2.0 chips @@ -92,6 +95,7 @@ find %{buildroot} -type f -name "*.la" -delete -print install -D -m 0644 contrib/resourcemgr.service %{buildroot}/%{_unitdir}/resourcemgr.service sed -e 's#usr/local/sbin/#usr/sbin/#;' -i %{buildroot}/%{_unitdir}/resourcemgr.service ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr +install -D -m 0644 contrib/tpm-udev.rules %{buildroot}%{_udevrulesdir}/tpm-udev.rules %post -n libsapi0 -p /sbin/ldconfig %postun -n libsapi0 -p /sbin/ldconfig 
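Review bot: The new `install -D -m 0644 contrib/tpm-udev.rules` line in the -92 hunk of tpm2-0-tss.spec ships the rule, but no scriptlet in this change reloads udev or re-triggers an already present /dev/tpm device, so on a host where the TPM driver is loaded before the package is installed the device keeps its previous ownership until reboot or re-trigger. The %pre comment added in the following hunk says resourcemgr needs /dev/tpm owned by tss, so that window is the same startup failure bnc#1038586 describes. Consider `%udev_rules_update` in the package's `%post` (and `%postun`); the %post body is outside this hunk. The contents of contrib/tpm-udev.rules are not visible here, so whether it sets owner, group or mode cannot be checked from this change.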
@@ -101,6 +105,26 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr %postun -n libtcti-socket0 -p /sbin/ldconfig %pre +# the same user is employed by trousers: +# +# trousers just needs those accounts for dropping privileges to. The service +# starts as root and uses set*id to drop to tss, after the tpm device has been +# opened. +# +# resourcemgr has no set*id handling and thus requires /dev/tpm to be owned +# by the tss user. Therefore we also need to install a udev rule file. +# +# trousers was here first and created the user like this, also giving it a +# home in /var/lib/tpm. I don't think the home directory is used by any of +# both packages ATM. Trousers is keeping state there, but the directory is +# owned by root and files are opened before dropping privileges. The passwd +# entry seems not to be evaluated. +# +# so I guess we can share the account between the two packages for now. +%_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss || : +%_bindir/getent passwd tss >/dev/null || \ + %{_sbindir}/useradd -u 98 -o -g tss -s /bin/false -c "TSS daemon" \ + -d %{_localstatedir}/lib/tpm tss || : %service_add_pre resourcemgr.service %post @@ -118,6 +142,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr %{_sbindir}/resourcemgr /%{_unitdir}/resourcemgr.service %{_sbindir}/rcresourcemgr +%{_udevrulesdir}/tpm-udev.rules %files devel %defattr(-,root,root) @@ -126,7 +151,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc ##only available in static form -#%{_libdir}/libtddl.a +#%%{_libdir}/libtddl.a %files -n libsapi0 %defattr(-,root,root) From 05ea2970749a03c984574c35042e146d2056523a70929686cff90739e996adcc Mon Sep 17 00:00:00 2001 
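Review bot: `useradd -u 98 -o` in the new %pre makes the UID non-unique, so on a host where UID 98 already belongs to an unrelated account the tss user becomes a second name for that UID and, via the udev rule added in this commit, that other account effectively owns /dev/tpm; the `|| :` on both commands also hides this case (the -122 hunk later in this series drops the `|| :` but keeps `-o`, so the point applies there too). The groupadd line has the same fixed-GID assumption without `-o`, so group and user creation can diverge when only one of the IDs is free. Unless sharing the numeric ID with trousers is a hard requirement — the comment only says trousers created the account this way — `%{_sbindir}/useradd -u 98 -g tss -s /bin/false -c "TSS daemon" \` without `-o` (or `-r` to let useradd choose a free system UID) fails loudly instead of silently merging identities, and the reason for a fixed ID should be stated in the comment block. The mix of `%_bindir/getent` with `%{_sbindir}/groupadd` is inconsistent; `%{_bindir}/getent` matches the rest of the hunk.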
From: Matthias Gerstner Date: Fri, 12 May 2017 09:04:15 +0000 Subject: [PATCH 5/8] renamed the udev rule file to have a priority prefix like all other rule files OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=42 --- tpm2-0-tss.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec index c7b241f..4498cf3 100644 --- a/tpm2-0-tss.spec +++ b/tpm2-0-tss.spec @@ -95,7 +95,8 @@ find %{buildroot} -type f -name "*.la" -delete -print install -D -m 0644 contrib/resourcemgr.service %{buildroot}/%{_unitdir}/resourcemgr.service sed -e 's#usr/local/sbin/#usr/sbin/#;' -i %{buildroot}/%{_unitdir}/resourcemgr.service ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr -install -D -m 0644 contrib/tpm-udev.rules %{buildroot}%{_udevrulesdir}/tpm-udev.rules +%define udev_rule_file 90-tpm.rules +install -D -m 0644 contrib/tpm-udev.rules %{buildroot}%{_udevrulesdir}/%{udev_rule_file} %post -n libsapi0 -p /sbin/ldconfig %postun -n libsapi0 -p /sbin/ldconfig @@ -142,7 +143,7 @@ install -D -m 0644 contrib/tpm-udev.rules %{buildroot}%{_udevrulesdir}/tpm-udev. %{_sbindir}/resourcemgr /%{_unitdir}/resourcemgr.service %{_sbindir}/rcresourcemgr -%{_udevrulesdir}/tpm-udev.rules +%{_udevrulesdir}/%{udev_rule_file} %files devel %defattr(-,root,root) From 9c3c7ac5c9e0645ce6ab5cbddd84e82ae188c6ef045f08d930c6fb145f7ced9f Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 15 May 2017 11:53:42 +0000 Subject: [PATCH 6/8] fixed typo OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=43 --- tpm2-0-tss.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec index 4498cf3..1f8fc24 100644 --- a/tpm2-0-tss.spec +++ b/tpm2-0-tss.spec 
@@ -38,7 +38,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The tpm2-0-tss package provides a TPM 2.0 TSS implementation. This implementation is developed by INTEL. Note that the current resource manager -imiplementation is considered deprecated (a prototype, probably buggy and +implementation is considered deprecated (a prototype, probably buggy and insecure) by its developers. %package devel From 71cab5af7cc062ee3fc4b5d5974a01293fecdfbff912a4ca1bbfbb253591c54b Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Wed, 17 May 2017 09:32:24 +0000 Subject: [PATCH 7/8] Don't ignore errors when adding tss user/group see sr#494834 OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=44 --- tpm2-0-tss.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec index 1f8fc24..2f7e398 100644 --- a/tpm2-0-tss.spec +++ b/tpm2-0-tss.spec @@ -122,10 +122,10 @@ install -D -m 0644 contrib/tpm-udev.rules %{buildroot}%{_udevrulesdir}/%{udev_ru # entry seems not to be evaluated. # # so I guess we can share the account between the two packages for now. -%_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss || : +%_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss %_bindir/getent passwd tss >/dev/null || \ %{_sbindir}/useradd -u 98 -o -g tss -s /bin/false -c "TSS daemon" \ - -d %{_localstatedir}/lib/tpm tss || : + -d %{_localstatedir}/lib/tpm tss %service_add_pre resourcemgr.service %post From 4cbd149abbff463b67b77cac93d22b50c306ca26932cc437fd9f238eccb2173e Mon Sep 17 00:00:00 2001 
From: Alexander Naumov Date: Sat, 27 May 2017 21:39:27 +0000 Subject: [PATCH 8/8] Accepting request 498585 from home:bmwiedemann:branches:security Add reproducible.patch to sort input files to make build reproducible (boo#1041090) OBS-URL: https://build.opensuse.org/request/show/498585 OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=45 --- reproducible.patch | 31 +++++++++++++++++++++++++++++++ tpm2-0-tss.changes | 6 ++++++ tpm2-0-tss.spec | 3 +++ 3 files changed, 40 insertions(+) create mode 100644 reproducible.patch diff --git a/reproducible.patch b/reproducible.patch new file mode 100644 index 0000000..caa18d1 --- /dev/null +++ b/reproducible.patch @@ -0,0 +1,31 @@ +From 010ebd4a161e424e09e5d89a336a84a0a42c456e Mon Sep 17 00:00:00 2001 +From: "Bernhard M. Wiedemann" +Date: Sat, 27 May 2017 07:08:56 +0200 +Subject: [PATCH] sort input files + +when building packages (e.g. for openSUSE Linux) +(random) filesystem order of input files +influences ordering of functions in the output, +thus without the patch, builds (in disposable VMs) would differ. + +See https://reproducible-builds.org/ for why this matters. +--- + bootstrap | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bootstrap b/bootstrap +index 95a6dda..610e817 100755 +--- a/bootstrap ++++ b/bootstrap +@@ -8,7 +8,7 @@ src_listvar () { + suffix=$2 + var=$3 + +- find "${basedir}" -name "${suffix}" | tr '\n' ' ' | (echo -n "${var} = " && cat) ++ find "${basedir}" -name "${suffix}" | LC_ALL=C sort | tr '\n' ' ' | (echo -n "${var} = " && cat) + echo "" + } + +-- +2.12.0 + diff --git a/tpm2-0-tss.changes b/tpm2-0-tss.changes index 0c14825..6ae4cd3 100644 --- a/tpm2-0-tss.changes +++ b/tpm2-0-tss.changes 
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Sat May 27 05:07:22 UTC 2017 - bwiedemann@suse.com + +- Add reproducible.patch to sort input files to make build reproducible + (boo#1041090) + ------------------------------------------------------------------- Thu May 11 15:13:49 UTC 2017 - matthias.gerstner@suse.com diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec index 2f7e398..9003237 100644 --- a/tpm2-0-tss.spec +++ b/tpm2-0-tss.spec @@ -26,6 +26,8 @@ Url: https://github.com/01org/TPM2.0-TSS Source0: https://github.com/01org/TPM2.0-TSS/archive/%{version}.tar.gz Source2: baselibs.conf Patch0: tpm2-0-tss-configure.patch +# PATCH-FIX-UPSTREAM bmwiedemann https://github.com/01org/TPM2.0-TSS/pull/419 +Patch1: reproducible.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: gcc-c++ @@ -83,6 +85,7 @@ TPM over a socket. %prep %setup -q -n TPM2.0-TSS-%{version} %patch0 -p1 +%patch1 -p1 %build bash bootstrap