redhat-et / sigstore-rpms

Sigstore RPMs

Add rekor RPM package to fedora.org #4

Open font opened 2 years ago

font commented 2 years ago

Error received when building using original rekor.spec file from https://github.com/lsm5/rekor-rpm:

Start: rpmbuild rekor-0.1.1-4.fc34.src.rpm
Building target platforms: x86_64
Building for target x86_64
setting SOURCE_DATE_EPOCH=1621296000
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.OLUwFK
+ umask 022
+ cd /builddir/build/BUILD
+ cd /builddir/build/BUILD
+ rm -rf rekor-0.1.1
+ /usr/bin/gzip -dc /builddir/build/SOURCES/v0.1.1.tar.gz
+ /usr/bin/tar -xof -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd rekor-0.1.1
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ /usr/bin/git init -q
+ /usr/bin/git config user.name rpm-build
+ /usr/bin/git config user.email '<rpm-build>'
+ /usr/bin/git config gc.auto 0
+ /usr/bin/git add --force .
+ /usr/bin/git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m 'rekor-0.1.1 base'
+ RPM_EC=0
++ jobs -p
+ exit 0
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.0Cphmp
+ umask 022
+ cd /builddir/build/BUILD
+ cd rekor-0.1.1
+ export 'CGO_CFLAGS=-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64'
+ CGO_CFLAGS='-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64'
+ export 'CGO_CFLAGS=-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -m64 -mtune=generic'
+ CGO_CFLAGS='-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -m64 -mtune=generic'
+ export 'CGO_CFLAGS=-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -m64 -mtune=generic -fcf-protection'
+ CGO_CFLAGS='-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -m64 -mtune=generic -fcf-protection'
+ go build -o rekor-cli ./cmd/cli
go: github.com/asaskevich/govalidator@v0.0.0-20200907205600-7a23bdc65eef: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /builddir/go/pkg/mod/cache/vcs/f9896ddfbe91f3e08207f80400fac797422f9ea4506df8bf0e8dd25d59e6d40b: exit status 128:
        fatal: unable to access 'https://github.com/asaskevich/govalidator/': Could not resolve host: github.com

RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.0Cphmp (%build)
    Bad exit status from /var/tmp/rpm-tmp.0Cphmp (%build)
Finish: rpmbuild rekor-0.1.1-4.fc34.src.rpm
Finish: build phase for rekor-0.1.1-4.fc34.src.rpm
ERROR: Exception(/home/ifont/src/font/sigstore-rpms/lsm5/rekor/rekor-0.1.1-4.fc34.src.rpm) Config(fedora-34-x86_64) 0 minutes 22 seconds
INFO: Results and/or logs in: /home/ifont/src/font/sigstore-rpms/lsm5/rekor/results_rekor/0.1.1/4.fc34
INFO: Cleaning up build root ('cleanup_on_failure=True')
Start: clean chroot
Finish: clean chroot
ERROR: Command failed:
 # /usr/bin/systemd-nspawn -q -M 21ad5b5348bf43d9843f67ed1212636c -D /var/lib/mock/fedora-34-x86_64/root -a -u mockbuild --capability=cap_ipc_lock --bind=/tmp/mock-resolv.nxdxu5w_:/etc/resolv.conf --bind=/dev/btrfs-control --bind=/dev/loop-control --bind=/dev/loop0 --bind=/dev/loop1 --bind=/dev/loop2 --bind=/dev/loop3 --bind=/dev/loop4 --bind=/dev/loop5 --bind=/dev/loop6 --bind=/dev/loop7 --bind=/dev/loop8 --bind=/dev/loop9 --bind=/dev/loop10 --bind=/dev/loop11 --console=pipe --setenv=TERM=vt100 --setenv=SHELL=/bin/bash --setenv=HOME=/builddir --setenv=HOSTNAME=mock --setenv=PATH=/usr/bin:/bin:/usr/sbin:/sbin --setenv=PROMPT_COMMAND=printf "\033]0;<mock-chroot>\007" --setenv=PS1=<mock-chroot> \s-\v\$  --setenv=LANG=C.UTF-8 --resolv-conf=off bash --login -c /usr/bin/rpmbuild -bb --target x86_64 --nodeps /builddir/build/SPECS/rekor.spec

Cleaning up mock temporary config directory: None
Could not execute mockbuild: Failed to execute command.
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/pyrpkg/cli.py", line 2383, in mockbuild
    self.cmd.mockbuild(mockargs, self.args.root,
  File "/usr/lib/python3.9/site-packages/pyrpkg/__init__.py", line 3024, in mockbuild
    self._run_command(cmd)
  File "/usr/lib/python3.9/site-packages/pyrpkg/__init__.py", line 1279, in _run_command
    raise rpkgError('Failed to execute command.')
pyrpkg.errors.rpkgError: Failed to execute command.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/fedpkg", line 33, in <module>
    sys.exit(load_entry_point('fedpkg==1.42', 'console_scripts', 'fedpkg')())
  File "/usr/lib/python3.9/site-packages/fedpkg/__main__.py", line 89, in main
    sys.exit(client.args.command())
  File "/usr/lib/python3.9/site-packages/pyrpkg/cli.py", line 2388, in mockbuild
    raise rpkgError(e)
pyrpkg.errors.rpkgError: Failed to execute command.

font commented 2 years ago

There are missing Go RPM dependencies, so we cannot use the standard go_generate_buildrequires macro. Executing fedpkg -v -d --release f$(lsb_release -s -r) mockbuild returns the dependency errors below. Need to determine if all of these dependencies are needed for rekor-cli and rekor-server binaries or if they are test dependencies only. If that's the case, perhaps we can exclude them. Otherwise we'll need to circumvent the use of the built-in Go macros and perhaps rely on vendoring the code.

Start: rpmbuild rekor-0.6.0-1.fc35.src.rpm
Building target platforms: x86_64
Building for target x86_64
setting SOURCE_DATE_EPOCH=1650931200
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.JzoOai
+ umask 022
+ cd /builddir/build/BUILD
+ cd /builddir/build/BUILD
+ rm -rf rekor-0.6.0
+ /usr/bin/gzip -dc /builddir/build/SOURCES/rekor-0.6.0.tar.gz
+ /usr/bin/tar -xof -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd rekor-0.6.0
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ rm -fr /builddir/build/BUILD/rekor-0.6.0/vendor
+ [[ ! -e /builddir/build/BUILD/rekor-0.6.0/_build/bin ]]
+ install -m 0755 -vd /builddir/build/BUILD/rekor-0.6.0/_build/bin
install: creating directory '/builddir/build/BUILD/rekor-0.6.0/_build'
install: creating directory '/builddir/build/BUILD/rekor-0.6.0/_build/bin'
+ export GOPATH=/builddir/build/BUILD/rekor-0.6.0/_build:/usr/share/gocode
+ GOPATH=/builddir/build/BUILD/rekor-0.6.0/_build:/usr/share/gocode
+ [[ ! -e /builddir/build/BUILD/rekor-0.6.0/_build/src/github.com/sigstore/rekor ]]
++ dirname /builddir/build/BUILD/rekor-0.6.0/_build/src/github.com/sigstore/rekor
+ install -m 0755 -vd /builddir/build/BUILD/rekor-0.6.0/_build/src/github.com/sigstore
install: creating directory '/builddir/build/BUILD/rekor-0.6.0/_build/src'
install: creating directory '/builddir/build/BUILD/rekor-0.6.0/_build/src/github.com'
install: creating directory '/builddir/build/BUILD/rekor-0.6.0/_build/src/github.com/sigstore'
+ ln -fs /builddir/build/BUILD/rekor-0.6.0 /builddir/build/BUILD/rekor-0.6.0/_build/src/github.com/sigstore/rekor
+ cd /builddir/build/BUILD/rekor-0.6.0/_build/src/github.com/sigstore/rekor
+ RPM_EC=0
++ jobs -p
+ exit 0
Executing(%generate_buildrequires): /bin/sh -e /var/tmp/rpm-tmp.wVCN1m
+ umask 022
+ cd /builddir/build/BUILD
+ cd rekor-0.6.0
+ GOPATH=/builddir/build/BUILD/rekor-0.6.0/_build:/usr/share/gocode
+ GO111MODULE=off
+ golist --imported --package-path github.com/sigstore/rekor --template 'golang({{.}})\n' --with-tests --skip-self
+ RPM_EC=0
++ jobs -p
+ exit 0
Wrote: /builddir/build/SRPMS/rekor-0.6.0-1.fc35.buildreqs.nosrc.rpm
INFO: Going to install missing dynamic buildrequires
No matches found for the following disable plugin patterns: local, spacewalk, versionlock
fedora                                                                                                                                                                                                                                                                                         52 kB/s |  16 kB     00:00
updates                                                                                                                                                                                                                                                                                       1.6 kB/s | 7.9 kB     00:05
Package go-rpm-macros-3.0.15-1.fc35.x86_64 is already installed.
No matching package to install: 'golang(github.com/cavaliercoder/go-rpm)'
No matching package to install: 'golang(github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer)'
No matching package to install: 'golang(github.com/in-toto/in-toto-golang/in_toto)'
No matching package to install: 'golang(github.com/mediocregopher/radix/v4)'
No matching package to install: 'golang(github.com/sassoftware/relic/lib/pkcs7)'
No matching package to install: 'golang(github.com/sassoftware/relic/lib/pkcs9)'
No matching package to install: 'golang(github.com/sassoftware/relic/lib/signjar)'
No matching package to install: 'golang(github.com/sassoftware/relic/lib/x509tools)'
No matching package to install: 'golang(github.com/secure-systems-lab/go-securesystemslib/dsse)'
No matching package to install: 'golang(github.com/sigstore/sigstore/pkg/cryptoutils)'
No matching package to install: 'golang(github.com/sigstore/sigstore/pkg/signature)'
No matching package to install: 'golang(github.com/sigstore/sigstore/pkg/signature/kms/gcp)'
No matching package to install: 'golang(github.com/sigstore/sigstore/pkg/signature/options)'
No matching package to install: 'golang(github.com/tent/canonical-json-go)'
No matching package to install: 'golang(github.com/theupdateframework/go-tuf/data)'
No matching package to install: 'golang(github.com/theupdateframework/go-tuf/verify)'
No matching package to install: 'golang(sigs.k8s.io/release-utils/version)'
Not all dependencies satisfied
Error: Some packages could not be found.
Finish: rpmbuild rekor-0.6.0-1.fc35.src.rpm

font commented 2 years ago

Trying to vendor dependencies leads to the error below. The mockbuild chroot environment does not appear to have network access, and perhaps that's intentionally hermetic.

+ go mod vendor
go: github.com/AdaLogics/go-fuzz-headers@v0.0.0-20211102141018-f7be0cbad29c: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /builddir/go/pkg/mod/cache/vcs/77272b218184fa40ada6769967d3002277bea28fd95b6c8a535537905743b3c6: exit status 128:
        fatal: unable to access 'https://github.com/AdaLogics/go-fuzz-headers/': Could not resolve host: github.com

RPM build errors:
error: Bad exit status from /var/tmp/rpm-tmp.OwkSfY (%build)
    Bad exit status from /var/tmp/rpm-tmp.OwkSfY (%build)
Finish: rpmbuild rekor-0.6.0-1.fc35.src.rpm

font commented 2 years ago

We either need to have upstream provide:

  1. vendored dependencies
  2. a separate dependency tarball

Mock's managed isolated build environment that uses chroot is intentionally hermetic and does not provide network access. All dependencies for a golang binary RPM package that is bundled need to be already available at build time.
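
Added example, not part of the original issue or the sigstore-rpms repository: one way to produce the "separate dependency tarball" from option 2 on a networked host, so that the hermetic mock build needs no fetches. The function names, the GNU tar/gzip/sha256sum tooling and the idea of shipping the result as an extra source archive are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: build a reproducible vendor tarball for an offline mock build.
# Assumptions: GNU tar >= 1.28, gzip and sha256sum are installed.

# pack_vendor SRCDIR OUT_TAR EPOCH
# Packs SRCDIR/vendor into OUT_TAR.gz with normalised order, owner, mode and
# mtime, then prints the SHA-256 of the result. Identical vendor content gives
# an identical digest, so the archive can be rebuilt and compared by a reviewer.
pack_vendor() (
    srcdir=$1 out=$2 epoch=$3
    if [ ! -f "$srcdir/vendor/modules.txt" ]; then
        echo "pack_vendor: $srcdir/vendor/modules.txt missing, run 'go mod vendor'" >&2
        exit 1
    fi
    tar --sort=name --format=gnu --mtime="@$epoch" \
        --owner=0 --group=0 --numeric-owner --mode='go=rX,u+rw,a-s' \
        -C "$srcdir" -cf "$out" vendor || exit 1
    # -n drops the embedded file name and timestamp from the gzip header.
    gzip -n -9 -f "$out" || exit 1
    sha256sum "$out.gz" | cut -d' ' -f1
)

# vendor_and_pack SRCDIR OUT_TAR EPOCH
# Run on a host with network access, outside the mock chroot. 'go mod vendor'
# fetches the modules; 'go mod verify' checks the cached copies against go.sum.
vendor_and_pack() {
    (cd "$1" && go mod vendor && go mod verify) || return 1
    pack_vendor "$1" "$2" "$3"
}

# Stand-alone use: ./pack-vendor.sh rekor-0.6.0 rekor-0.6.0-vendor.tar 1650931200
if [ "$#" -eq 3 ]; then
    vendor_and_pack "$@"
fi
```

Inside the chroot the spec would then unpack this archive next to the sources and build with `-mod=vendor`, which keeps the Go toolchain from attempting any download. Recording the printed digest with the spec lets a reviewer regenerate the tarball and confirm it matches.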