diff --git a/base/comps/components.toml b/base/comps/components.toml
index ac2cfc8babc..887784d7996 100644
--- a/base/comps/components.toml
+++ b/base/comps/components.toml
@@ -1552,7 +1552,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min
 [components.kf6-attica]
 [components.kf6-baloo]
 [components.kf6-frameworkintegration]
-[components.kf6-karchive]
 [components.kf6-kauth]
 [components.kf6-kbookmarks]
 [components.kf6-kcmutils]
diff --git a/base/comps/kf6-karchive/kf6-karchive.comp.toml b/base/comps/kf6-karchive/kf6-karchive.comp.toml
new file mode 100644
index 00000000000..23b4fc399a2
--- /dev/null
+++ b/base/comps/kf6-karchive/kf6-karchive.comp.toml
@@ -0,0 +1,27 @@
+# The upstream KDE `karchive-6.23.0.tar.xz` ships several autotest fixtures
+# that trip anti-malware scanning on the AZL RPM-signing pipeline, which
+# rejects encrypted / unscannable payloads inside SRPMs:
+#
+# - autotests/data/password_protected.7z
+# Deliberately password-protected 7-Zip archive.
+# - autotests/data/zip64_extra_zip64_size_first.zip.gz
+# Gzipped ZIP64 edge-case fixture; the scanner decompresses the .gz
+# wrapper and the inner .zip trips its detector.
+#
+# karchive's autotests are not built or run in our spec (no %check, and
+# upstream's CMake gates them on BUILD_TESTING=ON, which we don't set), so
+# stripping these test fixtures is functionally inert.
+#
+# Replace upstream Source0 with a deterministically-repacked tarball produced
+# by base/comps/kf6-karchive/modify_source.sh. The upstream filename is
+# preserved so `replace-upstream = true` swaps the entry in place in the
+# Fedora `sources` manifest -- no spec edit required.
+[components.kf6-karchive]
+
+[[components.kf6-karchive.source-files]]
+filename = "karchive-6.23.0.tar.xz"
+hash = "dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a"
+hash-type = "SHA512"
+origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/kf6-karchive/karchive-6.23.0.tar.xz/sha512/dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a/karchive-6.23.0.tar.xz" }
+replace-upstream = true
+replace-reason = "AZL-repacked tarball with autotest fixtures stripped that trip anti-malware scanning on the AZL RPM-signing pipeline: autotests/data/password_protected.7z (password-protected 7-Zip) and autotests/data/zip64_extra_zip64_size_first.zip.gz (ZIP64 edge-case fixture whose inner .zip the scanner rejects after decompressing the .gz wrapper).
The autotests are not built or run in our spec (no %check, BUILD_TESTING is off), so removing these test fixtures is functionally inert. See modify_source.sh."
diff --git a/base/comps/kf6-karchive/modify_source.sh b/base/comps/kf6-karchive/modify_source.sh
new file mode 100755
index 00000000000..6e9b449e6b7
--- /dev/null
+++ b/base/comps/kf6-karchive/modify_source.sh
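Review bot: The file pins only the SHA-512 of the repacked tarball and nowhere records which upstream artifact it was derived from, so a reader of this comp.toml alone cannot reproduce or audit the swap; add, above `[[components.kf6-karchive.source-files]]`, a comment such as `# Repacked from upstream karchive-6.23.0.tar.xz (SHA-512 28e10e9d…d6957cd8, the value modify_source.sh pins); rerun the script to reproduce` — now that Source0 is no longer the upstream-signed file, that hash pair is the whole provenance chain. The download origin is an account literally named `azltempstaginglookaside`; integrity is covered by `hash`, but if "temp staging" means what it says, the comment should state where the artifact will live long-term, otherwise the build silently loses its only source when that container is cleaned up. The claim that the autotests are gated on BUILD_TESTING=ON "which we don't set" is worth checking against the spec and its cmake macro, because CMake's `include(CTest)` defaults BUILD_TESTING to ON unless something passes it OFF explicitly; if it is the build macro that does so, name it here. "no spec edit required" sits oddly next to the Release bump in this same commit; "no Source0/%prep edit required" is what is meant. Finally, `replace-reason` is a single ~600-character line that duplicates the header comment; a multi-line basic string (`"""` with `\` line continuations) or a one-sentence value pointing at the comment above would keep it reviewable in a diff.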
@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+#
+# kf6-karchive: deterministic strip-and-repack of upstream `karchive-6.23.0.tar.xz`
+# with autotest fixtures that trip anti-malware scanning on the AZL
+# RPM-signing pipeline removed. Rationale lives in the comp.toml `replace-reason` field.
+#
+# Usage: bash base/comps/kf6-karchive/modify_source.sh
+# Output: base/build/work/scratch/kf6-karchive/karchive-6.23.0.tar.xz (+ .sha512)
+# The upstream tarball is cached under a `.upstream` suffix; re-runs reuse it.
+
+set -euo pipefail
+
+# --- Constants --------------------------------------------------------------
+
+readonly COMPONENT="kf6-karchive"
+readonly UPSTREAM_VERSION="6.23.0"
+# KDE stable URL is .../stable/frameworks/./.
+readonly UPSTREAM_MAJMIN="${UPSTREAM_VERSION%.*}"
+readonly UPSTREAM_FILENAME="karchive-${UPSTREAM_VERSION}.tar.xz"
+readonly UPSTREAM_TOPDIR="karchive-${UPSTREAM_VERSION}"
+readonly UPSTREAM_URL="https://download.kde.org/stable/frameworks/${UPSTREAM_MAJMIN}/${UPSTREAM_FILENAME}"
+
+readonly UPSTREAM_SHA512="28e10e9de84304a0d025fd1304738de2fc15812cbca33c77ed174e3ec614ebd4b2ff2896380b600f978682cdecdb464e1b8bd0abacde1d3d92197d18d6957cd8"
+
+# Paths (relative to ${UPSTREAM_TOPDIR}) to strip. Each is a karchive autotest
+# fixture flagged as an encrypted or unscannable payload by anti-malware
+# scanning on the AZL RPM-signing pipeline. The autotests are not built or
+# run in our spec (no %check, BUILD_TESTING is off), so stripping fixtures
+# is functionally inert.
+#
+# - autotests/data/password_protected.7z
+# Deliberately password-protected 7-Zip archive.
+# - autotests/data/zip64_extra_zip64_size_first.zip.gz
+# Gzipped ZIP64 edge-case fixture; the scanner decompresses the .gz
+# wrapper and the inner .zip trips its detector.
+readonly REMOVE_PATHS=(
+ "autotests/data/password_protected.7z"
+ "autotests/data/zip64_extra_zip64_size_first.zip.gz"
+)
+
+# Deterministic-repack mtime: 2020-01-01T00:00:00Z (1577836800).
+# Any fixed epoch works; do not change without also bumping the
+# `hash` in kf6-karchive.comp.toml.
+readonly DETERMINISTIC_MTIME="@1577836800"
+
+# --- Work directory ---------------------------------------------------------
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+WORKDIR="${REPO_ROOT}/base/build/work/scratch/${COMPONENT}"
+
+mkdir -p "${WORKDIR}"
+cd "${WORKDIR}"
+
+echo "[1/5] Working in ${WORKDIR}"
+
+# --- Download upstream ------------------------------------------------------
+#
+# The upstream tarball is cached under a `.upstream` suffix so that
+# the repacked output written at the canonical `${UPSTREAM_FILENAME}`
+# path below cannot clobber the cache on re-runs. Treat the cache
+# as authoritative only after SHA-512 verification.
+
+UPSTREAM_CACHE="${WORKDIR}/${UPSTREAM_FILENAME}.upstream"
+
+if [[ ! -f "${UPSTREAM_CACHE}" ]]; then
+ echo "[2/5] Downloading ${UPSTREAM_FILENAME} from ${UPSTREAM_URL}"
+ curl -fsSL --retry 3 -o "${UPSTREAM_CACHE}.part" "${UPSTREAM_URL}"
+ mv "${UPSTREAM_CACHE}.part" "${UPSTREAM_CACHE}"
+else
+ echo "[2/5] Using cached upstream tarball ${UPSTREAM_CACHE}"
+fi
+
+# --- Verify upstream SHA-512 ------------------------------------------------
+
+echo "[3/5] Verifying upstream SHA-512"
+COMPUTED_UPSTREAM_SHA512="$(sha512sum "${UPSTREAM_CACHE}" | awk '{print $1}')"
+if [[ "${COMPUTED_UPSTREAM_SHA512}" != "${UPSTREAM_SHA512}" ]]; then
+ echo "ERROR: upstream SHA-512 mismatch (cache may be corrupt; delete ${UPSTREAM_CACHE} and re-run)" >&2
+ echo " expected: ${UPSTREAM_SHA512}" >&2
+ echo " computed: ${COMPUTED_UPSTREAM_SHA512}" >&2
+ exit 1
+fi
+
+# --- Extract + strip --------------------------------------------------------
+
+echo "[4/5] Extracting and stripping ${#REMOVE_PATHS[@]} fixture(s) from ${UPSTREAM_TOPDIR}"
+rm -rf "${WORKDIR}/${UPSTREAM_TOPDIR}"
+tar -C "${WORKDIR}" -xf "${UPSTREAM_CACHE}"
+for REMOVE_PATH in "${REMOVE_PATHS[@]}"; do
+ if [[ !
-f "${WORKDIR}/${UPSTREAM_TOPDIR}/${REMOVE_PATH}" ]]; then
+ echo "ERROR: expected '${UPSTREAM_TOPDIR}/${REMOVE_PATH}' not present in upstream tarball" >&2
+ exit 1
+ fi
+ echo " stripping ${UPSTREAM_TOPDIR}/${REMOVE_PATH}"
+ rm -f "${WORKDIR}/${UPSTREAM_TOPDIR}/${REMOVE_PATH}"
+done
+
+# --- Repack deterministically -----------------------------------------------
+
+echo "[5/5] Repacking deterministically as ${UPSTREAM_FILENAME}"
+# Deterministic flags:
+# --sort=name stable entry order
+# --owner=0 --group=0 no host uid/gid leakage
+# --numeric-owner force numeric uid/gid
+# --mtime=@ fixed mtime
+# --format=gnu handles long paths deterministically
+# LC_ALL=C pins sort collation so --sort=name is locale-independent.
+# xz -T 1 forces single-threaded encoding; multi-threaded xz splits
+# the stream into non-reproducible blocks unless --block-size is
+# also pinned, and the savings are marginal for a tarball this size.
+MODIFIED_TARBALL="${WORKDIR}/${UPSTREAM_FILENAME}"
+rm -f "${MODIFIED_TARBALL}"
+LC_ALL=C tar \
+ -C "${WORKDIR}" \
+ --sort=name \
+ --owner=0 --group=0 --numeric-owner \
+ --mtime="${DETERMINISTIC_MTIME}" \
+ --format=gnu \
+ -cf - "${UPSTREAM_TOPDIR}" \
+ | xz -T 1 -9 -c > "${MODIFIED_TARBALL}"
+
+MODIFIED_SHA512="$(sha512sum "${MODIFIED_TARBALL}" | awk '{print $1}')"
+echo "${MODIFIED_SHA512} ${UPSTREAM_FILENAME}" > "${MODIFIED_TARBALL}.sha512"
+
+echo
+echo "================================================================"
+echo "DONE"
+echo " modified tarball: ${WORKDIR}/${UPSTREAM_FILENAME}"
+echo " SHA512: ${MODIFIED_SHA512}"
+echo "================================================================"
+echo
+echo " To upload the modified tarball to the lookaside:"
+echo " az storage blob upload \\"
+echo " --auth-mode login \\"
+echo " --account-name azltempstaginglookaside \\"
+echo " --container-name repo \\"
+echo " --name \"pkgs_modified/${COMPONENT}/${UPSTREAM_FILENAME}/sha512/${MODIFIED_SHA512}/${UPSTREAM_FILENAME}\" \\"
+echo " --file
\"${WORKDIR}/${UPSTREAM_FILENAME}\"" diff --git a/locks/kf6-karchive.lock b/locks/kf6-karchive.lock index 7d1797b08f8..47c75941e33 100644 --- a/locks/kf6-karchive.lock +++ b/locks/kf6-karchive.lock @@ -2,5 +2,5 @@ version = 1 import-commit = '9f43e605c01ce0c7a14978cbcbc9f0226c043616' upstream-commit = '9f43e605c01ce0c7a14978cbcbc9f0226c043616' -input-fingerprint = 'sha256:1e33acd0a967ffc283c7152dee7f4b2c8e4f0b038527191519d7114a05ebae11' +input-fingerprint = 'sha256:827fa4eec374c0e1905908a3c77453f1503b8c4df9edcaf5d2dd9c4e666c449b' resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e' diff --git a/specs/k/kf6-karchive/kf6-karchive.spec b/specs/k/kf6-karchive/kf6-karchive.spec index 7de6bfa487b..4083b7ac0ec 100644 --- a/specs/k/kf6-karchive/kf6-karchive.spec +++ b/specs/k/kf6-karchive/kf6-karchive.spec @@ -5,7 +5,7 @@ Name: kf6-%{framework} Version: 6.23.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: KDE Frameworks 6 Tier 1 addon with archive functions License: LGPL-2.0-or-later AND BSD-2-Clause URL: https://invent.kde.org/frameworks/%{framework} diff --git a/specs/k/kf6-karchive/sources b/specs/k/kf6-karchive/sources index e95122e8fa0..f5311c074ca 100644 --- a/specs/k/kf6-karchive/sources +++ b/specs/k/kf6-karchive/sources @@ -1,2 +1,2 @@ -SHA512 (karchive-6.23.0.tar.xz) = 28e10e9de84304a0d025fd1304738de2fc15812cbca33c77ed174e3ec614ebd4b2ff2896380b600f978682cdecdb464e1b8bd0abacde1d3d92197d18d6957cd8 +SHA512 (karchive-6.23.0.tar.xz) = dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a SHA512 (karchive-6.23.0.tar.xz.sig) = 80c15a80cbc6c27ff49272e05ad4402e7c93b80f08aae9e2cef0a0159c111a4c0ffb6e093a7049d65fa1366c505f4326a674481438f2f7e19c8522fd657db28a