# work in progress - still needs some hardening / fixes and cap-ng dropping
# of privileges inside the daemon itself
%global commit 3f69a2245fddf5c63e2325c30d68c324e32dcdda
%global shortcommit %(c=%{commit}; echo ${c:0:7})
# build every binary PIE with full RELRO (network-facing TLS client)
%global _hardened_build 1

Name:           tlsdate
Version:        0.0.7
Release:        0.3%{?dist}
Summary:        Secure parasitic rdate replacement
Group:          System Environment/Daemons
License:        BSD
URL:            https://www.github.com/ioerror/tlsdate/
Source0:        https://github.com/ioerror/tlsdate/archive/%{commit}/%{name}-%{version}-%{shortcommit}.tar.gz
Source1:        tlsdated.conf
Source2:        tmpfiles-tlsdate.conf
Source3:        tlsdated.service

BuildRequires:  openssl-devel
BuildRequires:  dbus-devel
BuildRequires:  systemd
# for prerelease: git snapshot ships no generated configure
BuildRequires:  automake autoconf libtool

# trust anchors come from the system CA bundle, not the copy upstream ships
Requires:       ca-certificates
# user/group creation in the pre scriptlet
Requires(pre):  shadow-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd

%description
tlsdate sets the local clock by securely connecting with TLS to remote
servers and extracting the remote time out of the secure handshake. Unlike
ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS
enabled service, and provides some protection against adversaries that try
to feed you malicious time information.
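%prep
%setup -qn %{name}-%{commit}

%build
# the hardened-build macro already injects PIE/RELRO through configure; the
# explicit exports keep full RELRO (-z now) and the format-string warnings
# in place for this autotools prerelease regardless of macro defaults
export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
export CFLAGS="%{optflags} -fPIE -pie -Wextra -Wformat-nonliteral -Wformat-security"
# for pre-release: regenerate the build system from the git snapshot
WARNINGS="all,error" autoreconf --install --verbose --force
%configure --docdir=%{_defaultdocdir}/%{name} \
  --with-unpriv-group=tlsdated --with-unpriv-user=tlsdated \
  --with-dbus-group=nobody --disable-silent-rules
# correct hardcoded bad defaults: upstream's default time source is
# www.ptb.de; dots are escaped so only the literal host name matches
for f in ./man/tlsdate.1 ./src/tlsdate.h; do
  sed -i 's/www\.ptb\.de/fedoraproject.org/g' "$f"
done
sed -i "s/PACKAGE_BUGREPORT = .*$/PACKAGE_BUGREPORT = tlsdate@fedoraproject.org/" Makefile
# point the certificate paths at the system CA bundle (Requires: ca-certificates);
# the copy "make install" drops under the buildroot is removed again below
sed -i "s:certdir = .*$:certdir = /etc/pki/tls/certs:" Makefile
sed -i "s:cert_DATA = .*$:cert_DATA = /etc/pki/tls/certs/ca-bundle.trust.crt:" Makefile
make %{?_smp_mflags}

%install
make DESTDIR=%{buildroot} install
# until upstream moves to sbin
mkdir -p %{buildroot}%{_sbindir} %{buildroot}%{_sysconfdir}/%{name}
# explicit mode: install(1) defaults to 0755, the packaged config is 0644
install -p -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/%{name}/
mkdir -p %{buildroot}%{_localstatedir}/cache/%{name}d %{buildroot}%{_unitdir}
# remove the custom CA certs they install and point to our own system version
rm -rf %{buildroot}%{_sysconfdir}/%{name}/ca-roots/
rm -rf %{buildroot}%{_sysconfdir}/pki
# Install tlsdated service
install -p -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/
# Install tmpfiles.d config into the vendor directory; an admin override
# in /etc/tmpfiles.d still takes precedence over it
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
install -p -m 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/tlsdated.conf
mkdir -p %{buildroot}%{_localstatedir}/run/tlsdated

%files
%doc LICENSE README HACKING.md AUTHORS
%{_unitdir}/%{name}d.service
# group-writable so the unprivileged tlsdated daemon can write its runtime
# state here; recreated on boot by the tmpfiles.d entry above
%attr(0775,root,tlsdated) %dir %{_localstatedir}/run/tlsdated
%{_tmpfilesdir}/tlsdated.conf
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%attr(0755,tlsdated,tlsdated) %dir %{_localstatedir}/cache/%{name}d
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/tlsdated.conf
%{_sbindir}/tlsdated
%{_bindir}/tlsdate*
%{_mandir}/man?/*

%pre
# system account the daemon runs as (configure --with-unpriv-user/group);
# its home is the cache directory this package owns for that user rather
# than a path that is never created
getent group tlsdated >/dev/null || groupadd -r tlsdated
getent passwd tlsdated >/dev/null || \
  useradd -r -g tlsdated -d %{_localstatedir}/cache/%{name}d -s /sbin/nologin \
    -c "tlsdated server" tlsdated
exit 0

%post
%systemd_post tlsdated.service

%preun
%systemd_preun tlsdated.service

%postun
%systemd_postun_with_restart tlsdated.service

%changelog
* Sun Oct 27 2013 Paul Wouters - 0.0.7-0.3
- Unversioned doc dir for f20
- Don't mix macro styles, don't macro 'make'
- Fix systemd dependancies

* Mon Jun 03 2013 Paul Wouters - 0.0.7-0.2
- Use github packaging guidlines for upstream source

* Tue May 07 2013 Paul Wouters - 0.0.7-0.1
- Initial package
- Updated from github, but still missing proper tags for tar ball download :(
- Remove work around for tlsdated install location as usptream fixed it
- Use our own tlsdate.conf pointing to the TLS server of fedoraproject.org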