From 0485438d22a28c775b23068910e75174c9ee0b64 Mon Sep 17 00:00:00 2001 From: Kashyap Chamarthy Date: Fri, 21 Mar 2025 20:47:30 +0100 Subject: [PATCH 1/8] Add a RISC-V Koji config file I named it "riscv" (instead of "risc-v", or "riscv64") because the Koji URLs begins with it: https://riscv-koji.fedoraproject.org/koji. Signed-off-by: Kashyap Chamarthy --- fedora-packager.spec | 3 +++ riscv.conf | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 riscv.conf diff --git a/fedora-packager.spec b/fedora-packager.spec index 94ae68d..eca5462 100644 --- a/fedora-packager.spec +++ b/fedora-packager.spec @@ -19,6 +19,7 @@ Source13: fedoraproject_org Source14: stg_fedoraproject_org Source15: fedoraproject_ipa_ca.crt Source16: stg_fedoraproject_ipa_ca.crt +Source17: riscv.conf BuildRequires: python3-devel @@ -89,6 +90,7 @@ install -D %{SOURCE3} %{buildroot}%{_bindir}/rpmbuild-md5 install -D %{SOURCE4} %{buildroot}%{_bindir}/s390-koji install -D %{SOURCE4} %{buildroot}%{_bindir}/stg-koji install -D %{SOURCE5} %{buildroot}%{_bindir}/fkinit +install -D %{SOURCE17} %{buildroot}%{_bindir}/riscv-koji install -m0644 -Dt %{buildroot}%{_sysconfdir}/koji.conf.d/ \ %{SOURCE10} %{SOURCE11} %{SOURCE12} @@ -102,6 +104,7 @@ install -m0644 -Dt %{buildroot}%{_sysconfdir}/pki/ipa/ \ %{_bindir}/pkgname %{_bindir}/rpmbuild-md5 %{_bindir}/s390-koji +%{_bindir}/riscv-koji %{_bindir}/stg-koji %config(noreplace) %{_sysconfdir}/koji.conf.d/* diff --git a/riscv.conf b/riscv.conf new file mode 100644 index 0000000..42c66db --- /dev/null +++ b/riscv.conf @@ -0,0 +1,16 @@ +[riscv] + +;configuration for koji cli tool + +;url of XMLRPC server +server = https://riscv-koji.fedoraproject.org/kojihub + +;url of web interface +weburl = https://riscv-koji.fedoraproject.org/koji + +;url of package download site +topurl = https://riscv-kojipkgs.fedoraproject.org/ + +authtype = kerberos + +use_fast_upload = yes From 45ef3873ef4778f42b2c3bd67ef6e18556541c5e Mon Sep 17 00:00:00 2001 
From: Neal Gompa Date: Tue, 10 Jun 2025 06:33:59 -0400 Subject: [PATCH 2/8] fkinit: Add support for ~/.fedora.upn This is the known file for setting the FAS user for Fedora infrastructure client tools to use when the local Unix user does not match the FAS user. Adding support for this with fkinit makes it easier to use in containerized environments. --- fkinit | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fkinit b/fkinit index d2add1a..d8b1e17 100755 --- a/fkinit +++ b/fkinit @@ -36,7 +36,7 @@ print_help() { printf '%s\n' "Acquire a Kerberos ticket-granting ticket for Fedora" printf 'Usage: %s [-u|--user ] [--(no-)staging] [-h|--help]\n' "$0" - printf '\t%s\n' "-u, --user: Fedora account name (default: '$USER')" + printf '\t%s\n' "-u, --user: Fedora account name (default: value in ~/.fedora.upn if exists, otherwise '$USER')" printf '\t%s\n' "--staging, --no-staging: Use the staging infrastructure (off by default)" printf '\t%s\n' "-h, --help: Prints help" printf '\n%s\n' "If the environment variable \$FKINIT_OTP is set, it will be read for the one-time password instead of prompting for it." @@ -97,6 +97,10 @@ set -e armorcache=$(mktemp) trap finalize EXIT +if [ -f "$HOME/.fedora.upn" ] && [ -z "$_arg_user" ]; then + $_arg_user=$(<"$HOME/.fedora.upn") +fi + if [ "$_arg_staging" == "on" ]; then domain=STG.FEDORAPROJECT.ORG else From 6ee74af2e444e97daa8eac42c4b021721fc10efb Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Fri, 27 Jun 2025 15:21:27 +0800 Subject: [PATCH 3/8] fixup riscv.conf to live in config dir not bindir --- fedora-packager.spec | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/fedora-packager.spec b/fedora-packager.spec index eca5462..3308ddd 100644 --- a/fedora-packager.spec +++ b/fedora-packager.spec 
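Review bot: In the second fkinit hunk (`@@ -97,6 +97,10 @@`), `$_arg_user=$(<"$HOME/.fedora.upn")` is not an assignment: the leading `$` makes the shell expand the variable and run the resulting word as a command. The guard requires `_arg_user` to be empty, so that word becomes `=<file contents>`, which fails as an unknown command; the hunk header suggests this runs after `set -e`, so the script would abort before any ticket is requested. The guard also fires only when `$USER` is unset or empty, because the default `_arg_user="$USER"` (visible in patch 8/8) is otherwise non-empty, so the file is ignored in the common case. The line should read `_arg_user=$(<"$HOME/.fedora.upn")`, and the test should distinguish "no -u given" from "empty". Patch 8/8 later in this series relocates the block, which removes this line.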
@@ -90,10 +90,9 @@ install -D %{SOURCE3} %{buildroot}%{_bindir}/rpmbuild-md5 install -D %{SOURCE4} %{buildroot}%{_bindir}/s390-koji install -D %{SOURCE4} %{buildroot}%{_bindir}/stg-koji install -D %{SOURCE5} %{buildroot}%{_bindir}/fkinit -install -D %{SOURCE17} %{buildroot}%{_bindir}/riscv-koji install -m0644 -Dt %{buildroot}%{_sysconfdir}/koji.conf.d/ \ - %{SOURCE10} %{SOURCE11} %{SOURCE12} + %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE17} install -m0644 -Dt %{buildroot}%{_sysconfdir}/krb5.conf.d/ \ %{SOURCE13} %{SOURCE14} install -m0644 -Dt %{buildroot}%{_sysconfdir}/pki/ipa/ \ @@ -104,7 +103,6 @@ install -m0644 -Dt %{buildroot}%{_sysconfdir}/pki/ipa/ \ %{_bindir}/pkgname %{_bindir}/rpmbuild-md5 %{_bindir}/s390-koji -%{_bindir}/riscv-koji %{_bindir}/stg-koji %config(noreplace) %{_sysconfdir}/koji.conf.d/* From 73574f51d595c8c4ba6fa7c325adf4dc9c3524a1 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Sun, 6 Jul 2025 15:44:20 -0700 Subject: [PATCH 4/8] Drop old s390 koji config and add a wrapper for riscv Signed-off-by: Kevin Fenzi --- fedora-packager.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fedora-packager.spec b/fedora-packager.spec index 3308ddd..a645e2a 100644 --- a/fedora-packager.spec +++ b/fedora-packager.spec @@ -87,8 +87,8 @@ Requires: krb5-pkinit install -D %{SOURCE0} %{buildroot}%{_licensedir}/%{name}/COPYING install -D %{SOURCE2} %{buildroot}%{_bindir}/pkgname install -D %{SOURCE3} %{buildroot}%{_bindir}/rpmbuild-md5 -install -D %{SOURCE4} %{buildroot}%{_bindir}/s390-koji install -D %{SOURCE4} %{buildroot}%{_bindir}/stg-koji +install -D %{SOURCE4} %{buildroot}%{_bindir}/riscv-koji install -D %{SOURCE5} %{buildroot}%{_bindir}/fkinit install -m0644 -Dt %{buildroot}%{_sysconfdir}/koji.conf.d/ \ 
@@ -102,7 +102,7 @@ install -m0644 -Dt %{buildroot}%{_sysconfdir}/pki/ipa/ \ %license %{_licensedir}/%{name}/ %{_bindir}/pkgname %{_bindir}/rpmbuild-md5 -%{_bindir}/s390-koji +%{_bindir}/riscv-koji %{_bindir}/stg-koji %config(noreplace) %{_sysconfdir}/koji.conf.d/* From 8221f339a63d8b97fd7b803b27a1a1a94ab10636 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 20:26:34 +0000 Subject: [PATCH 5/8] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 6cccdb38075b6472792b388a6546b8bac489b829 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 22 Sep 2025 11:19:05 +0300 Subject: [PATCH 6/8] krb5 configurations: add auto_fast_armor = true MIT Kerberos build gained capability to obtain Anonymous PKINIT ticket automatically and use it to build a FAST channel armor during initial ticket acquisition. This allows automatic enablement of passwordless pre-authentication methods provided by FreeIPA. The option is ignored by the Kerberos builds which do not have such support. Once Kerberos packages upgraded, users will be able to see requests for their OTP tokens in bare kinit command: $ kinit user Enter OTP token value: instead of using $ kinit -c fast.ccache -n @FEDORAPROJECT.ORG $ kinit -T fast.ccache user Enter OTP token value: Signed-off-by: Alexander Bokovoy --- fedoraproject_org | 1 + stg_fedoraproject_org | 1 + 2 files changed, 2 insertions(+) diff --git a/fedoraproject_org b/fedoraproject_org index 4f2dd10..5f8732a 100644 --- a/fedoraproject_org +++ b/fedoraproject_org @@ -2,6 +2,7 @@ FEDORAPROJECT.ORG = { kdc = https://id.fedoraproject.org/KdcProxy pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt + auto_fast_armor = true } [domain_realm] .fedoraproject.org = FEDORAPROJECT.ORG diff --git a/stg_fedoraproject_org b/stg_fedoraproject_org index 940422e..7ad7c0c 100644 --- a/stg_fedoraproject_org +++ b/stg_fedoraproject_org 
@@ -2,6 +2,7 @@ STG.FEDORAPROJECT.ORG = { kdc = https://id.stg.fedoraproject.org/KdcProxy pkinit_anchors = FILE:/etc/pki/ipa/stg_fedoraproject_ipa_ca.crt + auto_fast_armor = true } [domain_realm] .stg.fedoraproject.org = STG.FEDORAPROJECT.ORG From f16a03c6042d8831edcec60e1b02edebab917652 Mon Sep 17 00:00:00 2001 From: Jens Petersen Date: Sat, 11 Oct 2025 14:32:23 +0800 Subject: [PATCH 7/8] fkinit: disable the timeouts for systemd-ask-password --- fkinit | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fkinit b/fkinit index d8b1e17..7df469b 100755 --- a/fkinit +++ b/fkinit @@ -109,8 +109,8 @@ fi kinit -n @$domain -c FILE:$armorcache -F_PASSWORD=$(systemd-ask-password "FAS password:") -F_OTP=${FKINIT_OTP:-$(systemd-ask-password "FAS OTP (leave blank if not configured):")} +F_PASSWORD=$(systemd-ask-password --timeout=0 "FAS password:") +F_OTP=${FKINIT_OTP:-$(systemd-ask-password --timeout=0 "FAS OTP (leave blank if not configured):")} kinit -T FILE:$armorcache $_arg_user@$domain <<< "${F_PASSWORD}${F_OTP}" >/dev/null unset F_PASSWORD From c6eed73137a93167267b0226a7293edd982dd436 Mon Sep 17 00:00:00 2001 From: Cristian Le Date: Wed, 13 Aug 2025 13:53:15 +0200 Subject: [PATCH 8/8] Move fkinit user default check Otherwise the check for .fedora.upn does not apply --- fkinit | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/fkinit b/fkinit index 7df469b..537edc0 100755 --- a/fkinit +++ b/fkinit @@ -28,8 +28,12 @@ begins_with_short_option() } # THE DEFAULTS INITIALIZATION - OPTIONALS -_arg_user="$USER" _arg_staging="off" +if [ -f "$HOME/.fedora.upn" ]; then + _arg_user=$(<"$HOME/.fedora.upn") +else + _arg_user="$USER" +fi print_help() @@ -97,10 +101,6 @@ set -e armorcache=$(mktemp) trap finalize EXIT -if [ -f "$HOME/.fedora.upn" ] && [ -z "$_arg_user" ]; then - $_arg_user=$(<"$HOME/.fedora.upn") -fi - if [ "$_arg_staging" == "on" ]; then domain=STG.FEDORAPROJECT.ORG else
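Review bot: The two `systemd-ask-password --timeout=0` calls carry no comment explaining that 0 means "wait indefinitely" rather than "no wait", which is easy to misread. With the default 90-second limit gone, an unattended run (no TTY or agent answering) blocks at the password prompt instead of failing. The anonymous armor ccache created by the `kinit -n` just above stays on disk for that whole time. I would add a comment above the first call such as `# --timeout=0: wait until answered (default is 90 s); unattended callers will block here`. Only the OTP prompt can be skipped via `$FKINIT_OTP`, so the password prompt is the one that matters for non-interactive use.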
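Review bot: The new default `_arg_user=$(<"$HOME/.fedora.upn")` in the `@@ -28,8 +28,12 @@` hunk takes the file's contents verbatim, with only trailing newlines stripped. The value later reaches `kinit -T FILE:$armorcache $_arg_user@$domain` unquoted (visible in patch 7/8). A file containing whitespace or a leading `-` is therefore word-split into extra kinit arguments, and an empty or unreadable file yields the principal `@$domain`. The block also appears to run before `set -e`, so a failed read is silent. I would guard the read with `[ -r "$HOME/.fedora.upn" ] && [ -s "$HOME/.fedora.upn" ]` and reject bad values right after it, e.g. `case $_arg_user in ''|-*|*[[:space:]]*) echo "invalid ~/.fedora.upn" >&2; exit 1;; esac`. The kinit call, which is outside this hunk, should also quote `"$_arg_user@$domain"`, since the file may be bind-mounted from outside in the containerized setups the series targets.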