Include the patched version of aws-nitro-enclaves-cose in the repo and packit enhancements

.github/workflows/analysis.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@v1
         with:
-          ignore-globs: '**/examples/**'
+          ignore-globs: '**/examples/** **/external/**'
 
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3

.github/workflows/ci.yml

@@ -37,7 +37,7 @@ jobs:
           check_filenames: true
           check_hidden: true
           ignore_words_file: .github/spellcheck-ignore
-          skip: "./docs/Gemfile.lock,./docs/_config.yml,./.github,./.git"
+          skip: "./docs/Gemfile.lock,./docs/_config.yml,./.github,./.git,./external"
 
   fmt:
     name: Rustfmt

.gitignore

@@ -11,4 +11,13 @@
 /docs/_site/
 /docs/.jekyll-cache/
 /docs/Gemfile.lock
+
+# RPM build directory
 /rpmbuild
+
+# Vendor directory
+/vendor
+
+# Source and vendor tar files
+fido-device-onboard-rs-*.tar.gz
+fido-device-onboard-rs-*-vendor.tar.xz

.packit.yaml

@@ -3,20 +3,22 @@
 
 specfile_path: fido-device-onboard.spec
 
-files_to_sync:
-    - src:
-      - patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch
-      - .packit.yaml
-      - fido-device-onboard.spec
-      - "fido-device-onboard-rs-*-vendor-patched.tar.xz"
-      dest: .
-
 upstream_package_name: fido-device-onboard
 downstream_package_name: fido-device-onboard
 
 upstream_tag_template: v{version}
 copy_upstream_release_description: true
 
+actions:
+    create-archive:
+        - bash -c "make VERSION=${PACKIT_PROJECT_VERSION} packit-create-archive"
+        - bash -c "ls -1 fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar.gz"
+
+files_to_sync:
+    - ".packit.yaml"
+    - "fido-device-onboard.spec"
+    - "fido-device-onboard-rs-*-vendor.tar.xz"
+
 srpm_build_deps:
     - cargo
     - openssl-devel
@@ -30,37 +32,46 @@ packages:
         upstream_package_name: fido-device-onboard
         pkg_tool: centpkg
 
-actions:
-    pre-sync:
-        - bash -c "./make-vendored-tarfile.sh ${PACKIT_PROJECT_VERSION}"
-        - bash -c "git restore Cargo.lock"
-    create-archive:
-        - bash -c "cp ./patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch ."
-        - bash -c "git archive --prefix=fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}/ --format=tar HEAD > fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar"
-        - bash -c "./make-vendored-tarfile.sh ${PACKIT_PROJECT_VERSION}"
-        - bash -c "tar -xvf fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar"
-        - bash -c "ls -1 ./fido-device-onboard-rs-${PACKIT_PROJECT_VERSION}.tar"
-
 jobs:
-    - &fdo_copr_build
+    - &fdo_copr_build_fedora
       job: copr_build
+      packages: [fido-device-onboard-fedora]
       trigger: pull_request
-      targets:
-          centos-stream-9: {}
-          fedora-latest-stable: {}
-          fedora-latest: {}
-          fedora-rawhide: {}
+      targets: ["fedora-latest-stable", "fedora-latest", "fedora-rawhide"]
+
+    - <<: *fdo_copr_build_fedora
+      trigger: commit
+      branch: main
+      owner: "@fedora-iot"
+      project: fedora-iot
+
+    - &fdo_copr_build_centos
+      job: copr_build
+      packages: [fido-device-onboard-centos]
+      trigger: pull_request
+      targets: ["centos-stream-9", "centos-stream-10"]
+
+    - <<: *fdo_copr_build_centos
+      trigger: commit
+      branch: main
+      owner: "@fedora-iot"
+      project: fedora-iot
 
     - job: tests
       trigger: pull_request
-      identifier: onboarding
+      identifier: onboarding-centos
       fmf_path: test/fmf
       tmt_plan: plans/onboarding
-      targets:
-          centos-stream-9: {}
-          fedora-latest-stable: {}
-          fedora-latest: {}
-          fedora-rawhide: {}
+      packages: [fido-device-onboard-centos]
+      targets: ["centos-stream-9", "centos-stream-10"]
+
+    - job: tests
+      trigger: pull_request
+      identifier: onboarding-fedora
+      fmf_path: test/fmf
+      tmt_plan: plans/onboarding
+      packages: [fido-device-onboard-fedora]
+      targets: ["fedora-latest-stable", "fedora-latest", "fedora-rawhide"]
 
     - job: sync_from_downstream
       trigger: commit
@@ -69,33 +80,27 @@ jobs:
       trigger: release
       packages: [fido-device-onboard-fedora]
       dist_git_branches:
-        - fedora-development
-        - fedora-latest-stable
+          - fedora-development
+          - fedora-latest-stable
 
     - job: propose_downstream
       trigger: release
       packages: [fido-device-onboard-centos]
       dist_git_branches:
-        - c10s
-        - c9s
+          - c10s
+          - c9s
 
     - job: koji_build
       trigger: commit
       allowed_pr_authors: [all_committers]
       dist_git_branches:
-        - fedora-development
-        - fedora-latest-stable
+          - fedora-development
+          - fedora-latest-stable
 
     - job: bodhi_update
       trigger: commit
       allowed_builders: [all_committers]
       dist_git_branches:
-        - fedora-development
-        - fedora-latest-stable
-
-    - <<: *fdo_copr_build
-      trigger: commit
-      branch: main
-      owner: "@fedora-iot"  # copr repo namespace
-      project: fedora-iot   # copr repo name so you can consume the builds
+          - fedora-development
+          - fedora-latest-stable
 ...

Makefile

@@ -1,7 +1,9 @@
 include /etc/os-release
 
 SRCDIR ?= .
-COMMIT = $(shell (cd "$(SRCDIR)" && git rev-parse HEAD))
+VENDOR ?= false
+VERSION = $(shell (cd "$(SRCDIR)" &&  git describe --tags | sed -e 's/^v//' -e 's/-/./'))
+PLATFORMS = $(shell (echo {x86_64,aarch64,powerpc64le,s390x}-unknown-linux-gnu))
 
 #
 # Generic Targets
@@ -23,9 +25,44 @@ help:
 	@echo "The following targets are available:"
 	@echo
 	@echo "    help:               Print this usage information."
+	@echo "    source:             Generate source tar file in the current directory."
+	@echo "    vendor:             Generate vendor tar file in the current directory."
 	@echo "    rpm:                Generate RPM."
+	@echo "    srpm:               Generate SRPM."
 	@echo "    man:                Generate man pages."
 
+#
+# Generating sources and vendor tar files
+#
+
+SOURCE_TARBALL=fido-device-onboard-rs-$(VERSION).tar.gz
+
+$(SOURCE_TARBALL):
+	git archive --prefix=fido-device-onboard-rs-$(VERSION)/ --format=tar.gz HEAD > $(SOURCE_TARBALL)
+
+.PHONY: source
+source: $(SOURCE_TARBALL)
+
+VENDOR_TARBALL=fido-device-onboard-rs-$(VERSION)-vendor.tar.xz
+
+$(VENDOR_TARBALL):
+	vendor_filterer_cmd=$$(command -v cargo-vendor-filterer||:)
+	[ -z "$$vendor_filterer_cmd" ] || rm -f $${vendor_filterer_cmd}
+	# We need v0.5.7 because of RHEL rust version
+	cargo install --quiet [email protected];
+	for platform in $(PLATFORMS); do  \
+		args+="--platform $${platform} "; \
+	done
+	# https://issues.redhat.com/browse/RHEL-65521
+	args+="--exclude-crate-path idna#tests "
+	rm -rf vendor
+	cargo vendor-filterer $${args}
+	tar cJf $(VENDOR_TARBALL) vendor
+	rm -rf vendor
+
+.PHONY: vendor
+vendor: $(VENDOR_TARBALL)
+
 #
 # Building packages
 #
@@ -38,41 +75,45 @@ help:
 # ./rpmbuild, using rpmbuild's usual directory structure.
 #
 
-RPM_SPECFILE=rpmbuild/SPECS/fido-device-onboard-rs-$(COMMIT).spec
-RPM_TARBALL=rpmbuild/SOURCES/fido-device-onboard-rs-$(COMMIT).tar.gz
-VENDOR_TARBALL=rpmbuild/SOURCES/fido-device-onboard-rs-$(COMMIT)-vendor-patched.tar.xz
+SPEC_FILE=./fido-device-onboard.spec
+RPM_TOP_DIR=$(CURDIR)/rpmbuild
+RPMS_SPECS_DIR=$(RPM_TOP_DIR)/SPECS
+RPMS_SOURCES_DIR=$(RPM_TOP_DIR)/SOURCES
+RPM_SPECFILE=$(RPMS_SPECS_DIR)/fido-device-onboard-rs-$(VERSION).spec
+RPM_TARBALL=$(RPMS_SOURCES_DIR)/fido-device-onboard-rs-$(VERSION).tar.gz
+RPM_VENDOR_TARBALL=${RPMS_SOURCES_DIR}/$(VENDOR_TARBALL)
 
 $(RPM_SPECFILE):
-	mkdir -p $(CURDIR)/rpmbuild/SPECS
-	sed -e "s/^Version:.*/Version: $(COMMIT)/;" fido-device-onboard.spec > $(RPM_SPECFILE)
-	if [ "$(ID)" = "fedora" ] && [ $(VARIANT_ID) != "eln" ]; then \
-		sed -i "/Source1/d ; /^# See make-vendored-tarfile.sh in upstream repo/d ;" $(RPM_SPECFILE); \
-	fi
+	mkdir -p $(RPMS_SPECS_DIR)
+	sed -e "s/^Version:.*/Version:        $(VERSION)/;" \
+	    -e "s|%{url}/archive/v%{version}/||;" \
+	    $(SPEC_FILE) > $(RPM_SPECFILE)
 
-$(RPM_TARBALL):
-	mkdir -p $(CURDIR)/rpmbuild/SOURCES
-	cp ./patches/0001-Revert-chore-use-git-fork-for-aws-nitro-enclaves-cos.patch rpmbuild/SOURCES/;
-	git archive --prefix=fido-device-onboard-rs-$(COMMIT)/ --format=tar.gz HEAD > $(RPM_TARBALL)
-
-$(VENDOR_TARBALL):
-	[ "$(ID)" = "fedora" ] && [ $(VARIANT_ID) != "eln" ] || ( \
-	mkdir -p $(CURDIR)/rpmbuild/SOURCES ; \
-	./make-vendored-tarfile.sh $(COMMIT) ; \
-	mv fido-device-onboard-rs-$(COMMIT)-vendor-patched.tar.xz rpmbuild/SOURCES ;)
+$(RPM_TARBALL): $(SOURCE_TARBALL) $(VENDOR_TARBALL)
+	mkdir -p $(RPMS_SOURCES_DIR)
+	mv $(SOURCE_TARBALL) $(RPM_TARBALL)
+	mv $(VENDOR_TARBALL) $(RPM_VENDOR_TARBALL);
 
 .PHONY: srpm
-srpm: $(RPM_SPECFILE) $(RPM_TARBALL) $(VENDOR_TARBALL)
+srpm: $(RPM_SPECFILE) $(RPM_TARBALL)
 	rpmbuild -bs \
-		--define "_topdir $(CURDIR)/rpmbuild" \
+		--define "_topdir $(RPM_TOP_DIR)" \
 		$(RPM_SPECFILE)
 
 .PHONY: rpm
-rpm: $(RPM_SPECFILE) $(RPM_TARBALL) $(VENDOR_TARBALL)
-	sudo dnf builddep -y fido-device-onboard
+rpm: $(RPM_SPECFILE) $(RPM_TARBALL)
+	sudo dnf builddep -y $(RPM_SPECFILE)
 	rpmbuild -bb \
-		--define "_topdir $(CURDIR)/rpmbuild" \
+		--define "_topdir $(RPM_TOP_DIR)" \
 		$(RPM_SPECFILE)
 
+#
+# Packit target
+#
+
+.PHONY: packit-create-archive
+packit-create-archive: $(SOURCE_TARBALL) $(VENDOR_TARBALL)
+
 #
 # Generating man pages
 #

client-linuxapp/src/main.rs

@@ -1231,7 +1231,8 @@ async fn main() -> Result<()> {
         Command::new("systemctl")
             .arg("reboot")
             .spawn()
-            .expect("Reboot failed");
+            .expect("Reboot failed")
+            .wait()?;
     }
     Ok(())
 }

client-linuxapp/src/serviceinfo.rs

@@ -108,6 +108,8 @@ fn create_user_with_password(user: &str, password: &str) -> Result<()> {
     log::info!("Checking for password encryption");
     if !is_password_encrypted(password) {
         log::info!("Encrypting password");
+        #[allow(unknown_lints)]
+        #[allow(clippy::zombie_processes)]
         let echo = Command::new("echo")
             .arg(password)
             .stdout(Stdio::piped())

data-formats/Cargo.toml

@@ -17,10 +17,10 @@ serde_cbor = "0.11"
 serde_repr = "0.1.19"
 serde_tuple = "0.5"
 thiserror = "1"
-aws-nitro-enclaves-cose = { git = "https://github.com/nullr0ute/aws-nitro-enclaves-cose/", rev = "e3938e60d9051690569d1e4fcbe1c0c99d2fafa8" }
+aws-nitro-enclaves-cose = { path = "../external/aws-nitro-enclaves-cose"}
 uuid = "1.3"
 num-traits = "0.2"
-num-derive = "0.3"
+num-derive = "0.4"
 paste = "1.0"
 pem = "3.0"
 tss-esapi = { version = "7.4", features = ["generate-bindings"] }

data-formats/src/constants/serviceinfo_names.rs

@@ -6,7 +6,7 @@ impl<'de> serde::Deserialize<'de> for ServiceInfoModule {
         D: serde::de::Deserializer<'de>,
     {
         struct SIMVisitor;
-        impl<'de> serde::de::Visitor<'de> for SIMVisitor {
+        impl serde::de::Visitor<'_> for SIMVisitor {
             type Value = ServiceInfoModule;
 
             fn expecting(&self, formatter: &mut std::fmt::Formatter) -> std::fmt::Result {