#
# spec file for package obs-signd
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: obs-signd
Summary: The sign daemon
License: GPL-2.0-only
Group: Productivity/Networking/Web/Utilities
Version: 2.8.4
Release: 0
URL: http://en.opensuse.org/Build_Service
Source: obs-sign-%version.tar.xz
# Source1-Source5 are packaging-side additions: the rpmlint configuration,
# the tmpfiles.d and sysusers definitions, and the README and systemd drop-in
# that the runas-user subpackage ships.
Source1: obs-signd-rpmlintrc
Source2: obs-signd.tmpfiles.d
Source3: %{name}.sysusers
Source4: README.runas-user
Source5: runas-user-systemd-override.conf
# /usr/bin/sign is packaged with group obsrun, so that account must exist at
# install time. This spec does not visibly create it; the sysusers file is
# only used by the runas-user subpackage.
Requires: user(obsrun)
%if 0%{?suse_version}
# On SUSE the post scriptlet uses the fillup and permissions tooling, so both
# have to be installed before this package's scriptlets run.
PreReq: %fillup_prereq
PreReq: permissions
%endif
# Fallback location for distributions whose macros do not define _fillupdir.
%if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates
%endif
# Needed for the sysusers and systemd macros used in the build and scriptlet
# sections.
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-shadow
BuildRequires: sysuser-tools
# the following build requires are needed for the testsuite
%if 0%{?suse_version}
BuildRequires: gpg2
%else
BuildRequires: gpg
%endif
BuildRequires: make
BuildRequires: openssl
%description
The openSUSE Build Service sign client and daemon.
This daemon can be used to sign anything via gpg, but it speaks with a remote server
to avoid the need to host the private key on the same server.
%package runas-user
Summary: Run signd as user obs-signd:obs-signd instead of root:obsrun
Requires: %{name} = %{version}
%{?sysusers_requires}
%description runas-user
The openSUSE Build Service sign client and daemon.
This daemon can be used to sign anything via gpg, but it speaks with a remote server
to avoid the need to host the private key on the same server.
This package provides an obs-signd:obs-signd user and directories.
%prep
%setup -n obs-sign-%version
# Copy the runas-user README into the source tree so the doc entry in the
# runas-user files list can pick it up by its bare name.
cp %{SOURCE4} .
%build
# Build position-independent executables (-fpie / -pie) with 64-bit file
# offsets on top of the distribution's optimisation flags.
# NOTE(review): LDFLAGS carries only -pie. Because sign is shipped setuid
# root, confirm the toolchain defaults already give full RELRO / immediate
# binding, or add the corresponding linker flags here.
make CFLAGS="$RPM_OPT_FLAGS -fpie -D_FILE_OFFSET_BITS=64" LDFLAGS="-pie"
# Generate the pre-install scriptlet file from the sysusers definition; the
# runas-user pre scriptlet loads it with -f.
%sysusers_generate_pre %{SOURCE3} %{name} %{name}.conf
%check
# Run the upstream test suite (gpg, make and openssl are pulled in for it).
make test
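%install
# Stage everything into the buildroot. File ownership and the final modes of
# security-sensitive paths are set in the files lists, not here.
# run level script
mkdir -p %{buildroot}%{_unitdir}
install -D -m 0644 dist/signd.service %{buildroot}%{_unitdir}/obssignd.service
install -d -m 0755 %{buildroot}%{_sbindir}
ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rcobssignd
# man pages
install -d -m 0755 %{buildroot}%{_mandir}/man{5,8}
install -d -m 0755 %{buildroot}/usr/bin
# Compress the section 5 and 8 man pages. Iterate over the globs directly
# instead of parsing ls output (which word-splits file names), and skip a
# pattern that matched nothing.
for j in sig*.5 sig*.8; do
  [ -e "${j}" ] || continue
  gzip -9 "${j}"
done
for k in 5 8; do
  install -m 0644 sig*.${k}.gz %{buildroot}%{_mandir}/man${k}/
done
# binaries and configuration
install -d -m 0755 %{buildroot}/etc/permissions.d
install -m 0755 signd %{buildroot}/usr/sbin/
# sign is staged as 0750 without the setuid bit. The files list declares it
# 4750 root:obsrun, and the permissions.d profile installed below is
# presumably what the permissions tooling applies on SUSE.
install -m 0750 sign %{buildroot}/usr/bin/
install -m 0644 sign.conf %{buildroot}/etc/
install -m 0644 dist/sign.permission %{buildroot}/etc/permissions.d/sign
# install fillups
FILLUP_DIR="%{buildroot}%{_fillupdir}"
install -d -m 755 "$FILLUP_DIR"
install -m 0644 dist/sysconfig.signd "$FILLUP_DIR/"
## runas-user stuff
# systemd integration and user
install -D -m 0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf
install -D -m 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/obssignd.service.d/runas-user.conf
# data dir
# Tree layout: one subtree per name (default, privileged, restricted, system)
# plus a shared keycache. Directories that by their names hold key material
# (gnupg homes, phrases, enckeys) are created 0700, the rest 0750.
# NOTE(review): privileged/aliases and privileged/phrases are created here,
# but the runas-user files list names only default and restricted for those
# two subdirectories. Confirm they are created elsewhere (for example by the
# tmpfiles.d snippet) or add them to the files list so they are packaged with
# the intended owner and mode.
install -D -m 0750 -d %{buildroot}/srv/obs-signd
install -D -m 0750 -d %{buildroot}/srv/obs-signd/keycache
install -D -m 0750 -d \
%{buildroot}/srv/obs-signd/{default,privileged,restricted,system}/ \
%{buildroot}/srv/obs-signd/{default,privileged,restricted}/aliases
install -D -m 0700 -d \
%{buildroot}/srv/obs-signd/{default,privileged,restricted,system}/gnupg \
%{buildroot}/srv/obs-signd/{default,privileged,restricted,system}/gnupg/openpgp-revocs.d \
%{buildroot}/srv/obs-signd/{default,privileged,restricted,system}/gnupg/private-keys-v1.d \
%{buildroot}/srv/obs-signd/{default,privileged,restricted}/phrases \
%{buildroot}/srv/obs-signd/default/enckeys
# home dir
install -D -m 0750 -d %{buildroot}/var/lib/obs-signd
## /runas-user stuff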
%pre
%service_add_pre obssignd.service
%preun
%service_del_preun obssignd.service
%post
%service_add_post obssignd.service
# Hand the setuid sign binary to the permissions tooling after installation.
# NOTE(review): the argument is the profile path under /etc/permissions.d,
# not /usr/bin/sign itself. Confirm against the permissions macro
# documentation which form this macro expects, otherwise the call may not
# touch the binary at all.
%set_permissions /etc/permissions.d/sign
%fillup_only -n signd
%postun
%service_del_postun obssignd.service
%pre runas-user -f %{name}.pre
%post runas-user
# Create the paths described by the packaged tmpfiles.d snippet right away
# instead of waiting for the next boot.
# NOTE(review): nothing in this scriptlet restarts obssignd.service, so an
# already running daemon presumably keeps its old user until it is restarted
# by hand - confirm the README covers this.
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
%postun runas-user
# The subpackage ships a drop-in for obssignd.service, so its removal or
# upgrade goes through the same service postun handling as the main package.
%service_del_postun obssignd.service
%files
%defattr(-,root,root)
%config(noreplace) /etc/sign.conf
# sign is declared setuid root, executable only by root and members of group
# obsrun (4750). Its mode is excluded from rpm verification, presumably
# because the permissions tooling may set a different mode depending on the
# local permissions level.
# NOTE(review): this spec has no verifyscript section. SUSE packaging pairs
# set_permissions in the post scriptlet with verify_permissions in a
# verifyscript for such files, so that mode drift on the setuid binary is
# still reported - consider adding it.
%verify(not mode) %attr(4750,root,obsrun) /usr/bin/sign
%attr(0755,root,root) /usr/sbin/signd
%attr(0755,root,root) /usr/sbin/rcobssignd
%attr(0644,root,root) %{_unitdir}/obssignd.service
%{_fillupdir}/sysconfig.signd
# Marked as config without noreplace: a package update installs the new
# profile and keeps a locally edited one only as a backup copy.
%config /etc/permissions.d/sign
%doc %{_mandir}/man*/*
%files runas-user
%defattr(-,root,root)
%doc README.runas-user
%{_sysusersdir}/%{name}.conf
%{_tmpfilesdir}/%{name}.conf
%dir %{_unitdir}/obssignd.service.d/
%{_unitdir}/obssignd.service.d/runas-user.conf
# Everything below is owned by obs-signd:obs-signd. /run/signd is a ghost
# entry: the package owns it but does not ship it in the payload.
%ghost %dir %attr(0750,obs-signd,obs-signd) /run/signd
%dir %attr(0750,obs-signd,obs-signd) /srv/obs-signd
# NOTE(review): default is packaged 0700 while privileged, restricted and
# system are 0750 below; the install section created all four as 0750.
# Confirm the difference is intended.
%dir %attr(0700,obs-signd,obs-signd) /srv/obs-signd/default
# The brace-expanded entries are only packaged when suse_version is above
# 1315. On other builds only default, default/enckeys and keycache are listed
# with explicit owner and mode.
%if 0%{?suse_version} > 1315
%dir %attr(0750,obs-signd,obs-signd) /srv/obs-signd/{privileged,restricted,system}/
# gnupg homes and their key subdirectories are owner-only (0700).
%dir %attr(0700,obs-signd,obs-signd) /srv/obs-signd/{default,privileged,restricted,system}/gnupg
%dir %attr(0700,obs-signd,obs-signd) /srv/obs-signd/{default,privileged,restricted,system}/gnupg/openpgp-revocs.d
%dir %attr(0700,obs-signd,obs-signd) /srv/obs-signd/{default,privileged,restricted,system}/gnupg/private-keys-v1.d
# NOTE(review): the install section also creates privileged/aliases and
# privileged/phrases, which are not listed here and so are not packaged with
# an explicit owner and mode - confirm they are created elsewhere or add them.
%dir %attr(0750,obs-signd,obs-signd) /srv/obs-signd/{default,restricted}/aliases
%dir %attr(0700,obs-signd,obs-signd) /srv/obs-signd/{default,restricted}/phrases
%endif
%dir %attr(0700,obs-signd,obs-signd) /srv/obs-signd/default/enckeys
%dir %attr(0750,obs-signd,obs-signd) /srv/obs-signd/keycache
%dir %attr(0750,obs-signd,obs-signd) /var/lib/obs-signd
%changelog