From 32b6c1ee92312275bd988fa38b9b1c239fcd6aa5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20Mart=C3=ADn?=
Date: Wed, 28 Feb 2024 14:41:24 +0100
Subject: [PATCH 1/7] fix: filter uneeded crates when vendoring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use `cargo-vendor-filtering`[1] to filter uneeded crates when vendoring.

[1] https://github.com/coreos/cargo-vendor-filterer

Signed-off-by: Miguel Martín
---
 make-vendored-tarfile.sh | 43 +++++++++++++------
 ...-git-fork-for-aws-nitro-enclaves-cos.patch | 0
 .../0002-fix-aws-nitro-enclaves-cose.patch | 25 +++++++++++
 3 files changed, 55 insertions(+), 13 deletions(-)
 rename 0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch => patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch (100%)
 create mode 100644 patches/0002-fix-aws-nitro-enclaves-cose.patch

diff --git a/make-vendored-tarfile.sh b/make-vendored-tarfile.sh
index c2f5279a0..42b7d9746 100755
--- a/make-vendored-tarfile.sh
+++ b/make-vendored-tarfile.sh
@@ -1,14 +1,31 @@
-#/bin/bash
+#! /bin/bash
+
 set -x
-ver=$1
-cargo vendor
-# Various vendor cleanups
-pushd vendor
-# cleanup windows files
-rm -rf winapi/src/*
-touch winapi/src/lib.rs
-rm -rf winapi-x86_64-pc-windows-gnu/lib/*
-rm -rf winapi-i686-pc-windows-gnu/lib/*
-rm -rf vcpkg/test-data
-popd #vendor
-tar cJf fido-device-onboard-rs-$ver-vendor-patched.tar.xz vendor/
+VER=${1:-$(git rev-parse HEAD)}
+shift
+PLATFORMS=$*
+
+[ -n "$PLATFORMS" ] || PLATFORMS=$(echo {x86_64,aarch64,powerpc64le,s390x}-unknown-linux-gnu)
+
+for PLATFORM in $PLATFORMS; do
+ ARGS+="--platform ${PLATFORM} "
+done
+
+# Clean vendor dir or the filterer will refuse to do the job
+rm -rf vendor
+
+# We need v0.5.7 because of RHEL rust version
+cargo install --quiet cargo-vendor-filterer@0.5.7
+
+# Use the official crate version
+git apply patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
+# Filter the vendor files for the given platforms
+cargo vendor-filterer ${ARGS}
+# Reapply the crate patch so cargo build keeps working
+git apply -R patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
+
+# Patch the official crate so the build works.
+git apply patches/0002-fix-aws-nitro-enclaves-cose.patch
+tar cJf "fido-device-onboard-rs-${VER}-vendor-patched.tar.xz" vendor/
+# Remove previous patch and leave the official crate as it was.
+git apply -R patches/0002-fix-aws-nitro-enclaves-cose.patch
diff --git a/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch b/patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
similarity index 100%
rename from 0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
rename to patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
diff --git a/patches/0002-fix-aws-nitro-enclaves-cose.patch b/patches/0002-fix-aws-nitro-enclaves-cose.patch
new file mode 100644
index 000000000..6fa09e4f6
--- /dev/null
+++ b/patches/0002-fix-aws-nitro-enclaves-cose.patch
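Review bot: The new script still runs with `set -x` only, so a failing `git apply`, `cargo install` or `cargo vendor-filterer` does not stop it and the `tar cJf` line at the end packs whatever `vendor/` holds at that point, while the later `git apply -R` lines try to reverse a patch that may never have applied. Change the option line to `set -xeuo pipefail`, and since `shift` then aborts when no argument was given, guard it with `[ $# -gt 0 ] && shift`. `cargo install --quiet cargo-vendor-filterer@0.5.7` fetches the tool from crates.io at tarball-build time and resolves its dependencies afresh on every run; add `--locked` so the tool's own lockfile is honoured and the vendoring step is reproducible. The unquoted `${ARGS}` relies on word splitting; a comment such as `# intentionally unquoted: one --platform argument per entry` would stop the next reader from quoting it.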
@@ -0,0 +1,25 @@
+Backport of https://github.com/awslabs/aws-nitro-enclaves-cose/pull/66
+
+diff --git a/vendor/aws-nitro-enclaves-cose/.cargo-checksum.json b/vendor/aws-nitro-enclaves-cose/.cargo-checksum.json
+index dd788a8..1035b7b 100644
+--- a/vendor/aws-nitro-enclaves-cose/.cargo-checksum.json
++++ b/vendor/aws-nitro-enclaves-cose/.cargo-checksum.json
+@@ -1 +1 @@
+-{"files":{"CHANGELOG.md":"182c816f6cdcf13b370be9e712a0e7cf5b7c6b6612dc81c3b3d477abfca58e86","CODE_OF_CONDUCT.md":"34b6c98d5c23127ae6769e95e483e5bf6d3704ae1f0d3ae4e69d15f4ede118b6","CONTRIBUTING.md":"b050a75d5f6d2236ed40ad91dc53c4a4b30da184f9298f6f18507beae5fd7cb7","Cargo.toml":"d3ba98a34c9dcbff42da7e04d123b1687840738851e0630035e1f6e620a6fd98","LICENSE":"09e8a9bcec8067104652c168685ab0931e7868f9c8284b66f5ae6edae5f1130b","NOTICE":"d4290ed64c2edd0fce1d84e3f9dfb2881240fe534def76b8cd29ed6af683e287","README.md":"b16c142f4056384bb274fa7c9d0c2d73faf573cc2123a0bf4825970f88a67fc4","src/crypto/mod.rs":"a509e065cd0c3ed4c05484af9a7c45397ebf2a8b3f0d22578410f22484ffc33c","src/crypto/openssl_pkey.rs":"e9344a26ba101925a8e1c82960ff3d20a3df603be43132671bb15846ee96e829","src/crypto/tpm.rs":"2f8ec59523020319a4f63ca1e4bf3a4ae20c3acf8ca8ffd38e53ccd99611af3f","src/encrypt.rs":"ba89d5f221f0e4379d6f67dd946a00b183639b00bcf6918a4d3c441c4328894d","src/error.rs":"48fd4b84f9b4a7f5fc7ac52c2ce792d258c257908609270bf7751938082e19b7","src/header_map.rs":"88b3d7575ea4fd8eaaf4497a9d3c27ff43ec4da0213994aecf1ec9b5b89553c0","src/lib.rs":"8dbe7fe8206cfc76f46324c25418b37d0daf1ce23fc8b3219e1d89043c8e00de","src/sign.rs":"5a45658fa820ac9b5285c0987b66a58eb4f5b4373ab1aa07a73240848de098b2"},"package":"4e2fe3e862758ef5bb5d89868141ab28781d96347522b60eb6abeaf7f9acd4bc"}
+\ No newline at end of file
++{"files":{},"package":"4e2fe3e862758ef5bb5d89868141ab28781d96347522b60eb6abeaf7f9acd4bc"}
+diff --git a/vendor/aws-nitro-enclaves-cose/src/sign.rs b/vendor/aws-nitro-enclaves-cose/src/sign.rs
+index 6426ac0..93f59ec 100644
+--- 
a/vendor/aws-nitro-enclaves-cose/src/sign.rs ++++ b/vendor/aws-nitro-enclaves-cose/src/sign.rs +@@ -135,8 +135,10 @@ pub struct SigStructure( + #[serde(skip_serializing_if = "Option::is_none")] + Option, + /// external_aad : bstr, ++ #[serde(default)] + ByteBuf, + /// payload : bstr ++ #[serde(default)] + ByteBuf, + ); + From 7111aa748329873e5d02c041abf5535bc106c8f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miguel=20Mart=C3=ADn?= Date: Wed, 28 Feb 2024 14:53:24 +0100 Subject: [PATCH 2/7] fix: add missing patch to SOURCES dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add missing patch to `rpmbuild/SOURCES` dir that makes the build to fail in Fedora and do not copy unneeded files. Signed-off-by: Miguel Martín --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index e89492da0..37562b184 100644 --- a/Makefile +++ b/Makefile @@ -46,8 +46,8 @@ $(RPM_SPECFILE): $(RPM_TARBALL): mkdir -p $(CURDIR)/rpmbuild/SOURCES + cp ./patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch rpmbuild/SOURCES/; git archive --prefix=fido-device-onboard-rs-$(COMMIT)/ --format=tar.gz HEAD > $(RPM_TARBALL) - cp ./make-vendored-tarfile.sh rpmbuild/SOURCES/make-vendored-tarfile.sh $(VENDOR_TARBALL): ./make-vendored-tarfile.sh $(COMMIT) From 475fb1b448322cfbf3c13815cfedd335a959a108 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miguel=20Mart=C3=ADn?= Date: Wed, 28 Feb 2024 15:20:33 +0100 Subject: [PATCH 3/7] fix: use %autosetup instead of %setup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use %autosetup macro to uncompress all the sources and apply patches automatically when needed. Signed-off-by: Miguel Martín --- Makefile | 2 +- fido-device-onboard.spec | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 37562b184..f2e1da56b 100644 --- a/Makefile +++ b/Makefile 
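Review bot: The `.cargo-checksum.json` half of the new patch replaces the whole `files` map with `{}`, which removes the per-file digests for every file of the vendored `aws-nitro-enclaves-cose` crate, not only the `src/sign.rs` it modifies; cargo then cannot detect any later modification of that crate's sources. The narrower fix is to keep the map and update just the `src/sign.rs` entry with the SHA-256 of the patched file (the value has to be computed after applying the `#[serde(default)]` change, so it cannot be copied from this hunk). Whether `%cargo_prep -v vendor` on the RHEL path regenerates these digests anyway is not visible here; if it does, a one-line comment under `Backport of …` saying so would justify the empty map.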
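Review bot: The added `cp` line in the `$(RPM_TARBALL)` recipe ends with a stray `;` that none of the neighbouring recipe lines carry; drop it: `cp ./patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch rpmbuild/SOURCES/`. Recipe lines must start with a tab and the indentation is not visible in this view, so just confirm the new line matches its neighbours.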
@@ -42,7 +42,7 @@ VENDOR_TARBALL=rpmbuild/SOURCES/fido-device-onboard-rs-$(COMMIT)-vendor-patched. $(RPM_SPECFILE): mkdir -p $(CURDIR)/rpmbuild/SPECS - sed "s/%{url}\/archive\/v%{version}\/%{name}-rs-%{version}.tar.gz/%{name}-rs-$(COMMIT).tar.gz/; s/%{name}-rs-%{version}-vendor-patched.tar.xz/%{name}-rs-$(COMMIT)-vendor-patched.tar.xz/; s/%autosetup -p1 -n %{name}-rs-%{version}/%autosetup -p1 -n %{name}-rs-$(COMMIT)/" fido-device-onboard.spec > $(RPM_SPECFILE) + sed -e "s/^Version:.*/Version: $(COMMIT)/;" fido-device-onboard.spec > $(RPM_SPECFILE) $(RPM_TARBALL): mkdir -p $(CURDIR)/rpmbuild/SOURCES diff --git a/fido-device-onboard.spec b/fido-device-onboard.spec index 5e0d1d4b6..88d430982 100644 --- a/fido-device-onboard.spec +++ b/fido-device-onboard.spec @@ -35,17 +35,19 @@ BuildRequires: tpm2-tss-devel %{summary}. %prep -%setup -q -n %{name}-rs-%{version} %if 0%{?rhel} -tar xf %{SOURCE1} +%autosetup -p1 -a1 -n %{name}-rs-%{version} +rm -f Cargo.lock %if 0%{?rhel} >= 10 %cargo_prep -v vendor %else %cargo_prep -V 1 %endif -%else -%patch -P1 -p1 +%endif + +%if 0%{?fedora} +%autosetup -p1 -n %{name}-rs-%{version} %cargo_prep %generate_buildrequires %cargo_generate_buildrequires -a From b8e15be37b6262805d3f3a243174c2c54ab978b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miguel=20Mart=C3=ADn?= Date: Wed, 28 Feb 2024 14:55:54 +0100 Subject: [PATCH 4/7] fix: generate the vendor tar file only when needed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Generate the vendor tar file only for RHEL/CentOS builds and remove `Source1` and the comment above in fedora as we don't need vendoring in this case. Signed-off-by: Miguel Martín --- .packit.yaml | 55 +++++++++++++++++++++++++++------------------------- Makefile | 11 +++++++++-- 2 files changed, 38 insertions(+), 28 deletions(-) diff --git a/.packit.yaml b/.packit.yaml index 3ccf207fe..cd89afdd4 100644 --- a/.packit.yaml +++ b/.packit.yaml 
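Review bot: `rm -f Cargo.lock` in the new `%if 0%{?rhel}` branch of `%prep` throws away the pinned dependency set right before `%cargo_prep -v vendor`, with no comment saying why, so the build resolves against whatever versions `vendor/` happens to contain instead of the lock the vendor tarball was generated from, and a tarball produced from a different checkout would not be noticed. If the RHEL toolchain cannot read the lockfile format, record that, e.g. `# Cargo.lock dropped: <REASON-TO-FILL-IN>; cargo re-resolves from the vendored set`; otherwise keep the lock. The section is now split into `%if 0%{?rhel}` and `%if 0%{?fedora}` blocks with no fallback, so a build where neither macro is defined runs no `%autosetup` at all and fails later with an unrelated error; an `%else` carrying `%{error:unsupported distribution}` would make that explicit.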
@@ -1,3 +1,4 @@ +--- # https://packit.dev/docs/configuration/ specfile_path: fido-device-onboard.spec 
@@ -13,33 +14,35 @@ upstream_tag_template: v{version} copy_upstream_release_description: true srpm_build_deps: -- cargo + - cargo actions: - create-archive: - - bash -c "sed -i -r \"s/Source0:.+/Source0:\ fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar/\" fido-device-onboard.spec" - - bash -c "sed -i \"/Source1/d\" fido-device-onboard.spec" - - bash -c "git archive --prefix=fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}/ --format=tar HEAD > fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar" - - bash -c "tar -xvf fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar" - - bash -c "ls -1 ./fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar" - fix-spec-file: - - "cat fido-device-onboard.spec" + create-archive: + - bash -c "sed -i -r \"s/^Version:.*/Version:\ ${PACKIT_PROJECT_VERSION}/\" fido-device-onboard.spec" + - bash -c "sed -i '/Source1/d ; /^# See make-vendored-tarfile.sh in upstream repo/d ;' fido-device-onboard.spec" + - bash -c "cp ./patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch ." 
+ - bash -c "git archive --prefix=fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}/ --format=tar HEAD > fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar" + - bash -c "tar -xvf fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar" + - bash -c "ls -1 ./fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar" + fix-spec-file: + - "cat fido-device-onboard.spec" jobs: -- job: copr_build - trigger: pull_request - targets: - - fedora-development-aarch64 - - fedora-development - - fedora-latest - - fedora-latest-aarch64 -- job: copr_build - trigger: commit - branch: main - owner: "@fedora-iot" # copr repo namespace - project: fedora-iot # copr repo name so you can consume the builds - targets: - - fedora-development-aarch64 - - fedora-development - - fedora-latest - - fedora-latest-aarch64 + - job: copr_build + trigger: pull_request + targets: + - fedora-development-aarch64 + - fedora-development + - fedora-latest + - fedora-latest-aarch64 + - job: copr_build + trigger: commit + branch: main + owner: "@fedora-iot" # copr repo namespace + project: fedora-iot # copr repo name so you can consume the builds + targets: + - fedora-development-aarch64 + - fedora-development + - fedora-latest + - fedora-latest-aarch64 +... diff --git a/Makefile b/Makefile index f2e1da56b..228a75783 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,5 @@ +include /etc/os-release + SRCDIR ?= . COMMIT = $(shell (cd "$(SRCDIR)" && git rev-parse HEAD)) @@ -43,6 +45,9 @@ VENDOR_TARBALL=rpmbuild/SOURCES/fido-device-onboard-rs-$(COMMIT)-vendor-patched. $(RPM_SPECFILE): mkdir -p $(CURDIR)/rpmbuild/SPECS sed -e "s/^Version:.*/Version: $(COMMIT)/;" fido-device-onboard.spec > $(RPM_SPECFILE) + if [ "$(ID)" = "fedora" ] && [ $(VARIANT_ID) != "eln" ]; then \ + sed -i "/Source1/d ; /^# See make-vendored-tarfile.sh in upstream repo/d ;" $(RPM_SPECFILE); \ + fi $(RPM_TARBALL): mkdir -p $(CURDIR)/rpmbuild/SOURCES 
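Review bot: The new `cp ./patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch .` step in `create-archive` has no explanation, and the `git archive … HEAD` step that follows it archives the committed tree, so the copy never lands in the tarball; presumably it exists so that packit finds the spec's `Patch1` next to the spec file, but that is an inference. Add a comment above it stating the reason, e.g. `# Patch1 is resolved relative to the spec file, so copy it next to it`, and if the guess is wrong the step is dead and should go. The rest of the hunk is re-indentation only.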
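Review bot: `include /etc/os-release` is a hard include, so `make` aborts before any target is considered when the file is missing (a minimal container or a non-Linux host), and it imports the file's assignments verbatim, quotes included, so a value such as `ID="rhel"` reaches `$(ID)` with literal quotes. The `[ "$(ID)" = "fedora" ] && [ $(VARIANT_ID) != "eln" ]` tests in the `@@ -43,6 +45,9 @@` hunk below and in the `@@ -50,8 +55,10 @@` hunk of this file only work because the shell's quote removal strips the doubled quotes; when `VARIANT_ID` is not set in os-release, the unquoted `[ $(VARIANT_ID) != "eln" ]` collapses to `[ != eln ]`, which is an error that the `$(VENDOR_TARBALL)` recipe then treats as "not Fedora" and silently starts vendoring. Use `-include /etc/os-release` and quote the expansion in both tests, `[ "$(VARIANT_ID)" != "eln" ]`, so an unset variable compares as an empty string.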
@@ -50,8 +55,10 @@ $(RPM_TARBALL): git archive --prefix=fido-device-onboard-rs-$(COMMIT)/ --format=tar.gz HEAD > $(RPM_TARBALL) $(VENDOR_TARBALL): - ./make-vendored-tarfile.sh $(COMMIT) - cp fido-device-onboard-rs-$(COMMIT)-vendor-patched.tar.xz rpmbuild/SOURCES + [ "$(ID)" = "fedora" ] && [ $(VARIANT_ID) != "eln" ] || ( \ + mkdir -p $(CURDIR)/rpmbuild/SOURCES ; \ + ./make-vendored-tarfile.sh $(COMMIT) ; \ + mv fido-device-onboard-rs-$(COMMIT)-vendor-patched.tar.xz rpmbuild/SOURCES ;) .PHONY: srpm srpm: $(RPM_SPECFILE) $(RPM_TARBALL) $(VENDOR_TARBALL) From 40b5dcbd21bf5a3ac2b55ec093150f4d33e71a31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miguel=20Mart=C3=ADn?= Date: Wed, 28 Feb 2024 15:26:17 +0100 Subject: [PATCH 5/7] feat: install builddep before building MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Install the build depencencies for `fido-device-onboard` package so the build does not fail. Signed-off-by: Miguel Martín --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 228a75783..4c0646df2 100644 --- a/Makefile +++ b/Makefile @@ -68,6 +68,7 @@ srpm: $(RPM_SPECFILE) $(RPM_TARBALL) $(VENDOR_TARBALL) .PHONY: rpm rpm: $(RPM_SPECFILE) $(RPM_TARBALL) $(VENDOR_TARBALL) + sudo dnf builddep -y fido-device-onboard rpmbuild -bb \ --define "_topdir $(CURDIR)/rpmbuild" \ $(RPM_SPECFILE) From 0928e751fc6fdbd69c095aa1ffb6efa62b4a3925 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miguel=20Mart=C3=ADn?= Date: Tue, 12 Mar 2024 11:57:46 +0100 Subject: [PATCH 6/7] fix: add missing RPM build dependency MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add the missing `sqlite-devel` RPM build dependency. Signed-off-by: Miguel Martín --- fido-device-onboard.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/fido-device-onboard.spec b/fido-device-onboard.spec index 88d430982..89dfcfa05 100644 --- a/fido-device-onboard.spec +++ b/fido-device-onboard.spec 
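Review bot: `sudo dnf builddep -y fido-device-onboard` in the `rpm` recipe acquires root non-interactively on every `make rpm`, and it resolves the build dependencies of the distribution's already-packaged `fido-device-onboard`, not of the spec this Makefile has just generated, so a `BuildRequires` added to the spec (the `sqlite-devel` addition later in this series, for instance) is not installed until the distro package catches up. Point it at the generated spec, `sudo dnf builddep -y $(RPM_SPECFILE)`, and prefer a separate `builddep` target that a developer runs explicitly over a privileged install hidden inside `rpm`.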
@@ -28,6 +28,7 @@ BuildRequires: device-mapper-devel BuildRequires: libpq-devel BuildRequires: golang BuildRequires: openssl-devel >= 3.0.1-12 +BuildRequires: sqlite-devel BuildRequires: systemd-rpm-macros BuildRequires: tpm2-tss-devel From e7f7d1f94dd2ffcb06ff2eb3ed78821114b5412d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miguel=20Mart=C3=ADn?= Date: Tue, 12 Mar 2024 12:01:03 +0100 Subject: [PATCH 7/7] fix: `file listed twice` and `absolute symlink` rpm build warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix RPM build warnings: File listed twice: /etc/fdo/keys absolute symlink: /usr/libexec/fdo/fdo-owner-tool -> /usr/bin/fdo-owner-tool absolute symlink: /usr/libexec/fdo/fdo-admin-tool -> /usr/bin/fdo-admin-tool Signed-off-by: Miguel Martín --- fido-device-onboard.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fido-device-onboard.spec b/fido-device-onboard.spec index 89dfcfa05..20953ed89 100644 --- a/fido-device-onboard.spec +++ b/fido-device-onboard.spec 
@@ -83,8 +83,9 @@ install -D -m 0644 -t %{buildroot}%{_docdir}/fdo/migrations/migrations_owner_onb install -D -m 0644 -t %{buildroot}%{_docdir}/fdo/migrations/migrations_rendezvous_server_postgres migrations/migrations_rendezvous_server_postgres/2023-10-03-152801_create_db/* install -D -m 0644 -t %{buildroot}%{_docdir}/fdo/migrations/migrations_rendezvous_server_sqlite migrations/migrations_rendezvous_server_sqlite/2023-10-03-152801_create_db/* # duplicates as needed by AIO command so link them -ln -s %{_bindir}/fdo-owner-tool %{buildroot}%{_libexecdir}/fdo/fdo-owner-tool -ln -s %{_bindir}/fdo-admin-tool %{buildroot}%{_libexecdir}/fdo/fdo-admin-tool +mkdir -p %{buildroot}%{_bindir} +ln -sr %{buildroot}%{_bindir}/fdo-owner-tool %{buildroot}%{_libexecdir}/fdo/fdo-owner-tool +ln -sr %{buildroot}%{_bindir}/fdo-admin-tool %{buildroot}%{_libexecdir}/fdo/fdo-admin-tool # Create directories needed by the various services so we own them mkdir -p %{buildroot}%{_sysconfdir}/fdo mkdir -p %{buildroot}%{_sysconfdir}/fdo/keys @@ -216,7 +217,6 @@ Requires: openssl-libs >= 3.0.1-12 %dir %{_sysconfdir}/fdo %dir %{_sysconfdir}/fdo/keys %dir %{_sysconfdir}/fdo/manufacturing-server.conf.d -%dir %{_sysconfdir}/fdo/keys %dir %{_sysconfdir}/fdo/stores %dir %{_sysconfdir}/fdo/stores/manufacturer_keys %dir %{_sysconfdir}/fdo/stores/manufacturing_sessions
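Review bot: The new `mkdir -p %{buildroot}%{_bindir}` line has no comment and its purpose is not obvious from the hunk: presumably `ln -sr` needs the target's parent directory to exist to compute the relative path, or `%{_bindir}` is populated only later in `%install` — neither is visible here. Add a one-line comment stating which, e.g. `# ln -sr needs the target directory to exist to compute the relative link`, and drop the `mkdir` if the binaries are already installed into `%{_bindir}` above this point. The relative links into `%{_bindir}` themselves are the right fix for the warnings quoted in the commit message.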