Sun, 09 May 2021 18:31:48 CDT | login

Information for build cigetcert-1.16-2.osg35.el7

Package Namecigetcert
SummaryGet an X.509 certificate with SAML ECP and store proxies
Descriptioncigetcert gets an X.509 certificate from a SAML 2.0 Service Provider (SP) such as CILogon using the Enhanced Client and Proxy (ECP) profile. Optionally it can also get a grid proxy certificate and/or transfer the proxy to MyProxy. It was developed for the Fermilab Distributed Computing Access with Federated Identities (DCAFI) project but is intended to be usable by other projects.
Built byCARL EDQUIST A21486
State complete
StartedFri, 02 Aug 2019 13:11:47 CDT
CompletedFri, 02 Aug 2019 13:12:40 CDT
Taskbuild (osg-3.5-el7, /svn/native/redhat/branches/osg-3.5/cigetcert:25102)
cigetcert-1.16-2.osg35.el7.src.rpm (info) (download)
cigetcert-1.16-2.osg35.el7.noarch.rpm (info) (download)
Changelog * Fri Mar 03 2017 Dave Dykstra <> 1.16-2 - In /usr/bin/cigetcert, invoke python with the '-E' option to avoid variables like PYTHONHOME. * Tue Oct 18 2016 Dave Dykstra <> 1.16-1 - Fix typo in the variable name added in the last version. This was not noticed because it was caught in an exception and caused it to always behave as if a previous proxy stored in myproxy could not be used. * Mon Oct 17 2016 Dave Dykstra <> 1.15-1 - Fix bug that caused the proxy to be stored into MyProxy under the DN of a previous certificate (if it existed but could not be reused) rather than the newly generated one. * Tue Oct 11 2016 Dave Dykstra <> 1.14-1 - Limit the number of proxy levels stripped off of %certsubject to 5. This is to catch programming errors where people call voms-proxy-init -noregen after every call to cigetcert, even when cigetcert determines that the previous proxy can be reused. * Mon Oct 10 2016 Dave Dykstra <> 1.13-1 - Choose a prefix for the temp output file in the same directory as the output file to avoid renaming across filesystems. * Thu Oct 06 2016 Dave Dykstra <> 1.12-1 - Fix bug introduced in 1.11-1 that caused too-long certificates to be stored on local disk. * Thu Sep 29 2016 Dave Dykstra <> 1.11-1 - If the requested --hours is fractional, round the hours of the original certificate up to the next whole number rather than down. In this case generate a proxy with the requested fractional hours. * Wed Sep 28 2016 Dave Dykstra <> 1.10-1 - Change default --minhours value from 12 to 1. - If the formula calculating the remaining hours in the myproxy cert (%hours - %proxyhours - %minhours) comes out to a value lower than %minhours, set it to %minhours * Thu Sep 22 2016 Dave Dykstra <> 1.9-1 - Add support for $X509_USER_PROXY as the default value of --out. * Fri Sep 16 2016 Dave Dykstra <> 1.8-1 - Allow a previous output file to have additional proxy layers added on to it when checking to see if it is still valid. That is, strip off any number of /CN=[0-9]+ or /CN=proxy patterns appended to the certificate subject. In particular this is useful for when someone does voms-proxy-init -noregen after a previous run of cigetcert. * Wed Sep 14 2016 Dave Dykstra <> 1.7-1 - Fix man page description of --idplisturl - Do many changes in response to a code review: - change default python to the system python in /usr/bin - always cleanly shutdown SSL connections to avoid truncation attacks - support all TLS versions, not just v1.0 - disable the possibility of SSL compression to avoid CRIME attack - disable SSL ciphers known to be insecure - document the fact that CRLs are not actually checked (this is deemed to be an acceptable risk) - set a timeout on SSL connections to 15 seconds - change the message digest on proxies from sha1 to sha256 - sanitize user input sent directly to myproxy (that is, the username) - change maximum proxy duration to a million seconds (277 hours) and maximum certificate duration to 10000 hours, leaving the defaults as they were - disable support for http:// URLs; everything has to be https:// (or in some cases file://) - use effective uid rather than real uid for the %uid macro - use mkstemp() to create the output in a temporary file, in order to avoid race conditions where another process could be reading the file as cigetcert creates it - catch any errors writing the output file to avoid a stack trace - add some explanatory comments to the source code - Add support for Debian - Allow alternate default cafile of /etc/ssl/certs/ca-certificates.crt - Only use SSL.Connection.settimeout if it is present * Tue Jul 26 2016 Dave Dykstra <> 1.6-1 - Add support for $X509_CERT_DIR as the default directory for finding CA certs and CRLs. - Use the time from the underlying certificate for the "Not Before" time in proxies rather than the current time. It is typically 5 minutes in the past, which helps with client machines that have clock skew up to that far in the future. * Wed Jul 20 2016 Dave Dykstra <> 1.5-1 - Make failure to read myproxy into a reuse failure instead of a fatal error, because it can be caused by an attempt to use an invalid existing proxy such as a non-rfc VOMS proxy. * Wed Jul 20 2016 Dave Dykstra <> 1.4-1 - Use more reliable method of calculating seconds since the epoch. It was off by an hour. - Fix broken case of proxy not previously existing without --reuseonly. * Tue Jul 19 2016 Dave Dykstra <> 1.3-1 - Add --reuseonly and --noreuseonly options. - When checking for reuse, do not require the institution name to match the /O= in the DN. - Allow an institution to support only kerberos authentication: don't prompt for password if there's no non-kerberos IdP listed. - Remove extra newline at the end of fatal error messages. * Fri Jul 08 2016 Dave Dykstra <> 1.2-1 - Try kerberos authentication first by default when the institution's IdP is known to support it, without a --kerberos option. - Add --nokerberos option. - Add support for additional default options in $CIGETCERTOPTS. - Use getpwuid() instead of $LOGNAME for current user name. - Avoid stack trace crash on el5 when previous outfile is empty. - Avoid stack trace when password prompt is interrupted. - Add wrapper script to unset PYTHONPATH and LD_LIBRARY_PATH. - Pre-compile cigetcert python source. * Mon Apr 04 2016 Dave Dykstra <> 1.1-1 - Create the output file with O_EXCL. * Tue Mar 01 2016 Dave Dykstra <> 1.0-1 - Remove a pylint error and a few pylint warnings * Fri Feb 19 2016 Dave Dykstra <> 0.9-1 - Add missing '/' to the beginning of the DN used as the username for myproxy and printed out the -v option - Add --listinstitutions option * Thu Feb 11 2016 Dave Dykstra <> 0.8-1 - Initial rpm packaging