fix(kf6-karchive): strip scanner-flagged autotest fixtures from source tarball

base/comps/components.toml

@@ -1552,7 +1552,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min
 [components.kf6-attica]
 [components.kf6-baloo]
 [components.kf6-frameworkintegration]
-[components.kf6-karchive]
 [components.kf6-kauth]
 [components.kf6-kbookmarks]
 [components.kf6-kcmutils]

base/comps/kf6-karchive/kf6-karchive.comp.toml

@@ -0,0 +1,27 @@
+# The upstream KDE `karchive-6.23.0.tar.xz` ships several autotest fixtures
+# that trip anti-malware scanning on the AZL RPM-signing pipeline, which
+# rejects encrypted / unscannable payloads inside SRPMs:
+#
+#   - autotests/data/password_protected.7z
+#       Deliberately password-protected 7-Zip archive.
+#   - autotests/data/zip64_extra_zip64_size_first.zip.gz
+#       Gzipped ZIP64 edge-case fixture; the scanner decompresses the .gz
+#       wrapper and the inner .zip trips its detector.
+#
+# karchive's autotests are not built or run in our spec (no %check, and
+# upstream's CMake gates them on BUILD_TESTING=ON, which we don't set), so
+# stripping these test fixtures is functionally inert.
+#
+# Replace upstream Source0 with a deterministically-repacked tarball produced
+# by base/comps/kf6-karchive/modify_source.sh. The upstream filename is
+# preserved so `replace-upstream = true` swaps the entry in place in the
+# Fedora `sources` manifest -- no spec edit required.
+[components.kf6-karchive]
+
+[[components.kf6-karchive.source-files]]
+filename = "karchive-6.23.0.tar.xz"
+hash = "dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a"
+hash-type = "SHA512"
+origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/kf6-karchive/karchive-6.23.0.tar.xz/sha512/dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a/karchive-6.23.0.tar.xz" }
+replace-upstream = true
+replace-reason = "AZL-repacked tarball with autotest fixtures stripped that trip anti-malware scanning on the AZL RPM-signing pipeline: autotests/data/password_protected.7z (password-protected 7-Zip) and autotests/data/zip64_extra_zip64_size_first.zip.gz (ZIP64 edge-case fixture whose inner .zip the scanner rejects after decompressing the .gz wrapper). The autotests are not built or run in our spec (no %check, BUILD_TESTING is off), so removing these test fixtures is functionally inert. See modify_source.sh."

base/comps/kf6-karchive/modify_source.sh

@@ -0,0 +1,139 @@
+#!/usr/bin/env bash
+#
+# kf6-karchive: deterministic strip-and-repack of upstream `karchive-6.23.0.tar.xz`
+# with autotest fixtures that trip anti-malware scanning on the AZL
+# RPM-signing pipeline removed. Rationale lives in the comp.toml `replace-reason` field.
+#
+# Usage:   bash base/comps/kf6-karchive/modify_source.sh
+# Output:  base/build/work/scratch/kf6-karchive/karchive-6.23.0.tar.xz (+ .sha512)
+# The upstream tarball is cached under a `.upstream` suffix; re-runs reuse it.
+
+set -euo pipefail
+
+# --- Constants --------------------------------------------------------------
+
+readonly COMPONENT="kf6-karchive"
+readonly UPSTREAM_VERSION="6.23.0"
+# KDE stable URL is .../stable/frameworks/<MAJOR>.<MINOR>/<filename>.
+readonly UPSTREAM_MAJMIN="${UPSTREAM_VERSION%.*}"
+readonly UPSTREAM_FILENAME="karchive-${UPSTREAM_VERSION}.tar.xz"
+readonly UPSTREAM_TOPDIR="karchive-${UPSTREAM_VERSION}"
+readonly UPSTREAM_URL="https://download.kde.org/stable/frameworks/${UPSTREAM_MAJMIN}/${UPSTREAM_FILENAME}"
+
+readonly UPSTREAM_SHA512="28e10e9de84304a0d025fd1304738de2fc15812cbca33c77ed174e3ec614ebd4b2ff2896380b600f978682cdecdb464e1b8bd0abacde1d3d92197d18d6957cd8"
+
+# Paths (relative to ${UPSTREAM_TOPDIR}) to strip. Each is a karchive autotest
+# fixture flagged as an encrypted or unscannable payload by anti-malware
+# scanning on the AZL RPM-signing pipeline. The autotests are not built or
+# run in our spec (no %check, BUILD_TESTING is off), so stripping fixtures
+# is functionally inert.
+#
+#   - autotests/data/password_protected.7z
+#       Deliberately password-protected 7-Zip archive.
+#   - autotests/data/zip64_extra_zip64_size_first.zip.gz
+#       Gzipped ZIP64 edge-case fixture; the scanner decompresses the .gz
+#       wrapper and the inner .zip trips its detector.
+readonly REMOVE_PATHS=(
+    "autotests/data/password_protected.7z"
+    "autotests/data/zip64_extra_zip64_size_first.zip.gz"
+)
+
+# Deterministic-repack mtime: 2020-01-01T00:00:00Z (1577836800).
+# Any fixed epoch works; do not change without also bumping the
+# `hash` in kf6-karchive.comp.toml.
+readonly DETERMINISTIC_MTIME="@1577836800"
+
+# --- Work directory ---------------------------------------------------------
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+WORKDIR="${REPO_ROOT}/base/build/work/scratch/${COMPONENT}"
+
+mkdir -p "${WORKDIR}"
+cd "${WORKDIR}"
+
+echo "[1/5] Working in ${WORKDIR}"
+
+# --- Download upstream ------------------------------------------------------
+#
+# The upstream tarball is cached under a `.upstream` suffix so that
+# the repacked output written at the canonical `${UPSTREAM_FILENAME}`
+# path below cannot clobber the cache on re-runs. Treat the cache
+# as authoritative only after SHA-512 verification.
+
+UPSTREAM_CACHE="${WORKDIR}/${UPSTREAM_FILENAME}.upstream"
+
+if [[ ! -f "${UPSTREAM_CACHE}" ]]; then
+    echo "[2/5] Downloading ${UPSTREAM_FILENAME} from ${UPSTREAM_URL}"
+    curl -fsSL --retry 3 -o "${UPSTREAM_CACHE}.part" "${UPSTREAM_URL}"
+    mv "${UPSTREAM_CACHE}.part" "${UPSTREAM_CACHE}"
+else
+    echo "[2/5] Using cached upstream tarball ${UPSTREAM_CACHE}"
+fi
+
+# --- Verify upstream SHA-512 ------------------------------------------------
+
+echo "[3/5] Verifying upstream SHA-512"
+COMPUTED_UPSTREAM_SHA512="$(sha512sum "${UPSTREAM_CACHE}" | awk '{print $1}')"
+if [[ "${COMPUTED_UPSTREAM_SHA512}" != "${UPSTREAM_SHA512}" ]]; then
+    echo "ERROR: upstream SHA-512 mismatch (cache may be corrupt; delete ${UPSTREAM_CACHE} and re-run)" >&2
+    echo "  expected: ${UPSTREAM_SHA512}" >&2
+    echo "  computed: ${COMPUTED_UPSTREAM_SHA512}" >&2
+    exit 1
+fi
+
+# --- Extract + strip --------------------------------------------------------
+
+echo "[4/5] Extracting and stripping ${#REMOVE_PATHS[@]} fixture(s) from ${UPSTREAM_TOPDIR}"
+rm -rf "${WORKDIR}/${UPSTREAM_TOPDIR}"
+tar -C "${WORKDIR}" -xf "${UPSTREAM_CACHE}"
+for REMOVE_PATH in "${REMOVE_PATHS[@]}"; do
+    if [[ ! -f "${WORKDIR}/${UPSTREAM_TOPDIR}/${REMOVE_PATH}" ]]; then
+        echo "ERROR: expected '${UPSTREAM_TOPDIR}/${REMOVE_PATH}' not present in upstream tarball" >&2
+        exit 1
+    fi
+    echo "    stripping ${UPSTREAM_TOPDIR}/${REMOVE_PATH}"
+    rm -f "${WORKDIR}/${UPSTREAM_TOPDIR}/${REMOVE_PATH}"
+done
+
+# --- Repack deterministically -----------------------------------------------
+
+echo "[5/5] Repacking deterministically as ${UPSTREAM_FILENAME}"
+# Deterministic flags:
+#   --sort=name             stable entry order
+#   --owner=0 --group=0     no host uid/gid leakage
+#   --numeric-owner         force numeric uid/gid
+#   --mtime=@<epoch>        fixed mtime
+#   --format=gnu            handles long paths deterministically
+# LC_ALL=C pins sort collation so --sort=name is locale-independent.
+# xz -T 1 forces single-threaded encoding; multi-threaded xz splits
+# the stream into non-reproducible blocks unless --block-size is
+# also pinned, and the savings are marginal for a tarball this size.
+MODIFIED_TARBALL="${WORKDIR}/${UPSTREAM_FILENAME}"
+rm -f "${MODIFIED_TARBALL}"
+LC_ALL=C tar \
+    -C "${WORKDIR}" \
+    --sort=name \
+    --owner=0 --group=0 --numeric-owner \
+    --mtime="${DETERMINISTIC_MTIME}" \
+    --format=gnu \
+    -cf - "${UPSTREAM_TOPDIR}" \
+    | xz -T 1 -9 -c > "${MODIFIED_TARBALL}"
+
+MODIFIED_SHA512="$(sha512sum "${MODIFIED_TARBALL}" | awk '{print $1}')"
+echo "${MODIFIED_SHA512}  ${UPSTREAM_FILENAME}" > "${MODIFIED_TARBALL}.sha512"
+
+echo
+echo "================================================================"
+echo "DONE"
+echo "  modified tarball: ${WORKDIR}/${UPSTREAM_FILENAME}"
+echo "  SHA512:           ${MODIFIED_SHA512}"
+echo "================================================================"
+echo
+echo " To upload the modified tarball to the lookaside:"
+echo "       az storage blob upload \\"
+echo "           --auth-mode login \\"
+echo "           --account-name azltempstaginglookaside \\"
+echo "           --container-name repo \\"
+echo "           --name \"pkgs_modified/${COMPONENT}/${UPSTREAM_FILENAME}/sha512/${MODIFIED_SHA512}/${UPSTREAM_FILENAME}\" \\"
+echo "           --file \"${WORKDIR}/${UPSTREAM_FILENAME}\""

locks/kf6-karchive.lock

@@ -2,5 +2,5 @@
 version = 1
 import-commit = '9f43e605c01ce0c7a14978cbcbc9f0226c043616'
 upstream-commit = '9f43e605c01ce0c7a14978cbcbc9f0226c043616'
-input-fingerprint = 'sha256:1e33acd0a967ffc283c7152dee7f4b2c8e4f0b038527191519d7114a05ebae11'
+input-fingerprint = 'sha256:827fa4eec374c0e1905908a3c77453f1503b8c4df9edcaf5d2dd9c4e666c449b'
 resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'

specs/k/kf6-karchive/kf6-karchive.spec

@@ -5,7 +5,7 @@
 
 Name:           kf6-%{framework}
 Version:        6.23.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary:        KDE Frameworks 6 Tier 1 addon with archive functions
 License:        LGPL-2.0-or-later AND BSD-2-Clause
 URL:            https://invent.kde.org/frameworks/%{framework}

specs/k/kf6-karchive/sources

@@ -1,2 +1,2 @@
-SHA512 (karchive-6.23.0.tar.xz) = 28e10e9de84304a0d025fd1304738de2fc15812cbca33c77ed174e3ec614ebd4b2ff2896380b600f978682cdecdb464e1b8bd0abacde1d3d92197d18d6957cd8
+SHA512 (karchive-6.23.0.tar.xz) = dc92a030772bfea4fd270e0bf5aa1e6b9f0bb45fed19ad8c2c992fd8f36238c4730efebe7ac2d950c6be91213cd062afd0f69f404733678e511c74b94d09ad4a
 SHA512 (karchive-6.23.0.tar.xz.sig) = 80c15a80cbc6c27ff49272e05ad4402e7c93b80f08aae9e2cef0a0159c111a4c0ffb6e093a7049d65fa1366c505f4326a674481438f2f7e19c8522fd657db28a