## START: Set by rpmautospec
## (rpmautospec version 0.8.1)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
    release_number = 1;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec

# trustee.spec
# Generated by rust2rpm 20

%bcond_without check

%global crate trustee

%if 0%{?rhel}
# RHEL: Use bundled deps as it doesn't ship Rust libraries
%global bundled_rust_deps 1
%global __brp_mangle_shebangs_exclude_from ^/usr/src/debug/.*$
%else
# Fedora: Use only system Rust libraries
%global bundled_rust_deps 0
%endif

Name:           trustee
Version:        0.14.0
Release:        %{?autorelease}%{!?autorelease:1%{?dist}}
Summary:        Confidential Containers Trust and Attestation Framework

# Upstream license specification: Apache-2.0
License:        Apache-2.0
URL:            https://github.com/confidential-containers/trustee
Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz
# Vendored guest-components for kbs_protocol dependency
Source1:        https://github.com/confidential-containers/guest-components/archive/refs/tags/v%{version}/guest-components-%{version}.tar.gz
# The vendor tarball is created using cargo-vendor-filterer to remove Windows
# related files (https://github.com/cgwalters/cargo-vendor-filterer)
#   tar xf v%%{version}.tar.gz
#   cd trustee-%%{version}
#   tar xf guest-components-%%{version}.tar.gz
#   cargo vendor-filterer --platform x86_64-unknown-linux-gnu \
#       --platform powerpc64le-unknown-linux-gnu \
#       --platform aarch64-unknown-linux-gnu \
#       --platform i686-unknown-linux-gnu \
#       --platform s390x-unknown-linux-gnu \
#       --exclude-crate-path "windows*#*" \
#       --versioned-dirs \
#       --prefix=vendor --format=tar.zstd
#   Rename the vendor.tar.zstd tarball to trustee-%%{version}-vendor.tar.zstd
Source2:        trustee-%{version}-vendor.tar.zstd


Patch: 0001-Remove-non-KBS-components-from-workspace.patch
Patch: 0002-Configure-KBS-for-passport-resource-mode-with-minima.patch
Patch: 0003-Update-dependency-versions-to-match-Fedora-packages.patch
Patch: 0004-Replace-jwt-simple-with-jsonwebtoken.patch
Patch: 0005-Replace-git-dependencies-with-local-paths-and-Fedora.patch
Patch: 0006-Remove-kms-dependency-and-aliyun-feature.patch
Patch: 0007-Gate-rvps-test-imports-behind-coco-as-builtin-featur.patch
Patch: 0008-Replace-concat-kdf-crate-with-OpenSSL-implementation.patch
Patch: 0009-Downgrade-base64ct-to-1.6.0-to-avoid-edition2024-req.patch


ExclusiveArch:  x86_64

BuildRequires:  systemd
BuildRequires:  openssl-devel
BuildRequires:  pkg-config
BuildRequires:  git-core
%if 0%{?bundled_rust_deps}
BuildRequires:  rust-toolset
%else
BuildRequires:  rust-packaging >= 21-2
%endif

%description
Trustee is a unified trust and attestation framework for Confidential Computing.
It provides key management, attestation services, and reference value management
for confidential containers and virtual machines.

This is a meta-package that installs all trustee components.

#===============================================================================

%package kbs
Summary:        Key Broker Service for Confidential Computing
Requires:       openssl

%description kbs
The Key Broker Service (KBS) is a key management component for Confidential
Computing scenarios. It provides secure key distribution for confidential
containers and virtual machines. KBS supports multiple backend storage
systems and attestation services.

#===============================================================================

%prep
%autosetup -n trustee-%{version} -a1 -S git

%if 0%{?bundled_rust_deps}
# Manually extract Source2 (vendor tarball) for RHEL.
tar xf %{SOURCE2}
%cargo_prep -v vendor
%else
%cargo_prep
%generate_buildrequires
%cargo_generate_buildrequires
%endif
# Force openssl-sys to use system OpenSSL instead of building from source.
if ! grep -q "OPENSSL_NO_VENDOR" .cargo/config.toml; then
    if grep -q "^\[env\]" .cargo/config.toml; then
        # [env] section exists, append to it.
        sed -i '/^\[env\]/a OPENSSL_NO_VENDOR = "1"' .cargo/config.toml
    else
        # No [env] section, create one.
        echo '' >> .cargo/config.toml
        echo '[env]' >> .cargo/config.toml
        echo 'OPENSSL_NO_VENDOR = "1"' >> .cargo/config.toml
    fi
fi

%build
%cargo_build
%if 0%{?bundled_rust_deps}
%cargo_vendor_manifest
%endif
%cargo_license_summary
%{cargo_license} > LICENSE.dependencies

%install
# Install KBS
install -D -m 755 target/rpm/kbs %{buildroot}%{_bindir}/kbs

%if %{with check}
%check
%cargo_test
%endif

%files kbs
%license LICENSE
%license LICENSE.dependencies
%if 0%{?bundled_rust_deps}
%license cargo-vendor.txt
%endif
%doc README.md
%{_bindir}/kbs

%changelog
## START: Generated by rpmautospec
* Fri Oct 24 2025 John Doe <packager@example.com> - 0.14.0-1
- Uncommitted changes
## END: Generated by rpmautospec