Workaround to RHEL9 compatible patch application

Minimize changes to default config
Use built-in defaults modified for Fedora instead. (cherry picked from commit 581364d032)
2023-07-25 21:58:00 +02:00 · 2023-07-25 21:24:03 +02:00 · 2023-07-25 21:24:03 +02:00 · 2023-07-25 21:24:03 +02:00 · 2023-07-25 21:24:03 +02:00 · 2023-07-25 21:24:03 +02:00
4 changed files with 2 additions and 101 deletions
--- a/3
+++ b/3
@ -1,6 +1,3 @@
-* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
 * Thu Jun 15 2023 Todd Zullinger <tmz@pobox.com> - 0.17-11
 - Remove execute bit on ssh_config.d snippet

--- a/dnssec-trigger-0.17-openssl-3.2.patch
+++ b/dnssec-trigger-0.17-openssl-3.2.patch
@ -1,34 +0,0 @@
-From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Tue, 10 Sep 2024 16:22:07 +0200
-Subject: [PATCH] Mark explicitly server cert with CA flag
-
-Since OpenSSL 3.2 it did not connect from control to server cert. Create
-server with indication is it CA.
-
-Also use clientAuth trust for CA cert. That allows control cert to be
-used for client authentication.
---
- dnssec-trigger-control-setup.sh.in | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
-index 7cc305a..eede665 100644
--- a/dnssec-trigger-control-setup.sh.in
-+++ b/dnssec-trigger-control-setup.sh.in
-@@ -200,9 +200,9 @@ EOF
- test -f request.cfg || error "could not create request.cfg"
- 
- echo "create $SVR_BASE.pem (self signed certificate)"
-openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
-# create trusted usage pem
-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
-+openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
-+# create trusted usage pem for CA, what are signed certs allowed to do?
-+openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
- 
- # create client request and sign it, piped
- cat >request.cfg <<EOF
-- 
-2.46.0
-
--- a/dnssec-trigger-0.17-server-recipe.patch
+++ b/dnssec-trigger-0.17-server-recipe.patch
@ -1,59 +0,0 @@
-From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Wed, 20 Nov 2024 16:58:48 +0100
-Subject: [PATCH] Add recipe for adding own server
-
-Until someone adds nice support for using just CA bundle and server
-name, allow specification by fingerprint obtained manually. Do not rely
-only on server provided by upstream.
---
- dnssec.conf     | 4 ++--
- example.conf.in | 6 +++++-
- 2 files changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/dnssec.conf b/dnssec.conf
-index bf896d3..4726ca1 100644
--- a/dnssec.conf
-+++ b/dnssec.conf
-@@ -38,7 +38,7 @@
- #
- #  - See also security notes on the `add_wifi_provided_zones` option.
- #
-# validate_connection_provided_zones=yes
-+# validate_connection_provided_zones=no
- #
- #  - Connection provided zones will be configured in Unbound as secure forward
- #    zones, validated using DNSSEC.
-@@ -63,7 +63,7 @@
- #    Turning this option off has security implications, See the security
- #    notice above.
- #
-validate_connection_provided_zones=yes
-+validate_connection_provided_zones=no
- 
- # add_wifi_provided_zones:
- # ------------------------
-diff --git a/example.conf.in b/example.conf.in
-index dafd35d..f7e8a54 100644
--- a/example.conf.in
-+++ b/example.conf.in
-@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
- ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
- ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
- 
-+# How to add your own record:
-+# openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt
-+# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
-+# Append returned sha256 Fingerprint after ssl443: IP-address section.
-+
- # Use VPN servers for all traffic
- # use-vpn-forwarders: no
- 
-@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
- 
- # Add domains provided by VPN connections into Unbound forward zones
- # add-wifi-provided-zones: no
-
-- 
-2.47.0
-
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@ -33,9 +33,6 @@ Patch4: 0004-Add-options-edns0-and-trust-ad.patch
 Patch5: dnssec-trigger-configure-c99.patch
 # https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
 Patch6: dnssec-trigger-0.17-allowed-characters.patch
-Patch7: dnssec-trigger-0.17-openssl-3.2.patch
-# https://github.com/NLnetLabs/dnssec-trigger/pull/15
-Patch8: dnssec-trigger-0.17-server-recipe.patch

 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22
@ -120,9 +117,9 @@ sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zo

 %make_build

-%autopatch -p1 2
+%autopatch -p1 -m 2 -M 2
 cp -p example.conf dnssec-trigger-workstation.conf
-%autopatch -p1 1
+%autopatch -p1 -m 1 -M 1


 %install
Author	SHA1	Message	Date
Petr Menšík	578c7b6f64	Workaround to RHEL9 compatible patch application	2023-07-25 21:58:00 +02:00
Petr Menšík	299eb2b0f5	Minimize changes to default config Use built-in defaults modified for Fedora instead. (cherry picked from commit `581364d032`)	2023-07-25 21:24:03 +02:00
Petr Menšík	8bf6546c18	Do not require whole systemd Systemd is not strictly required. Ensure just macros for its building are present, but do not require whole systemd for building. (cherry picked from commit `0c43f2ef12`)	2023-07-25 21:24:03 +02:00
Petr Menšík	3845a0c8e0	Always use xdg-open as login tool Do not rely on autodetection at build-time. Instead set explicitly default tool. (cherry picked from commit `97da47c209`)	2023-07-25 21:24:03 +02:00
Petr Menšík	b09a33e276	Modify default configuration just with few changes Since we no longer provide special servers, use just modification to upstream example.conf to create default and workstation variants of configuration files. (cherry picked from commit `c3df26f3bd`)	2023-07-25 21:24:03 +02:00
Petr Menšík	4380886baf	Reuse common parts in test [skip changelog] (cherry picked from commit `8e10af3061`)	2023-07-25 21:24:03 +02:00
Petr Menšík	7eaf9ed98d	Fix error in HTTP and HTTPS workaround modes (cherry picked from commit `3237bd51fd`)	2023-07-25 20:16:43 +02:00
Petr Menšík	cc313ed5b5	Make test_http and test_ssl working again Correct configuration were not allowed into unbound by error, which were already fixed upstream. Backport the fix too. (cherry picked from commit `5cfc17cd87`)	2023-07-25 20:16:43 +02:00
Petr Menšík	bcd7c6b223	Include basic test for dnssec-trigger Should ensure fallbacks provided in configuration are working. Actually discovered regression in our version. [skip changelog] (cherry picked from commit `f2afacc02b`)	2023-07-25 20:16:43 +02:00
Petr Menšík	26dfee1c4b	Update upstream servers to zus.nlnetlabs.nl. Upstream servers no longer have the original IP addresses or that hash. Fix addresses to working set actually instead of uncommenting the very old set. The set were changed in 2014 by upstream commit bafdcd5.	2023-07-25 10:57:07 +02:00
Petr Menšík	417bf7426e	Remove Paul's servers They seem to be offline as well.	2023-07-25 09:14:16 +02:00
Petr Menšík	4093e15260	Modernize spec a bit, use SPDX licenses	2023-07-25 09:14:16 +02:00
Petr Menšík	163db54af4	Convert to %autorelease and %autochangelog [skip changelog]	2023-07-25 09:14:13 +02:00
Petr Menšík	1c7856199c	Remove fedora specific servers These servers had not been actively maintained for years. Because we even haven't found some of them had too strict firewall. Direct few users that need them to upstream provided servers.	2023-07-25 09:12:59 +02:00