# Spec file for azure-protected-vm-secrets, the Azure CVM Secrets
# Provisioning Library (SSPL) and its CLI front-end. Authored for Fedora
# rawhide / EPEL 10+; see ./README.md for build instructions and the
# project's `plan to publish packages in fedora.md` for context.
#
# Source code lives in the azure-protected-vm-secrets/ subdirectory of the
# Azure/confidential-computing-cvm-guest-attestation monorepo on GitHub.
# We use GitHub's auto-generated tag tarball and re-root via %%autosetup -n
# into that subdirectory. Pattern based on SourceURL.adoc §Git Tags, extended
# for the subdirectory case (the doc explicitly endorses comments above
# Source: to explain non-standard situations).

Name:           azure-protected-vm-secrets
Version:        1.0.7
Release:        %autorelease
Summary:        Decrypts host-protected secrets in Azure Confidential VMs

License:        MIT
URL:            https://github.com/Azure/confidential-computing-cvm-guest-attestation
Source0:        %{url}/archive/refs/tags/%{name}-v%{version}.tar.gz#/%{name}-%{version}.tar.gz

BuildRequires:  cmake
BuildRequires:  gcc-c++
BuildRequires:  make
BuildRequires:  pkgconfig
BuildRequires:  boost-devel
BuildRequires:  openssl-devel
BuildRequires:  systemd-devel
BuildRequires:  tpm2-tss-devel
BuildRequires:  nlohmann-json-devel
BuildRequires:  gtest-devel
BuildRequires:  gmock-devel

# %%cmake will install the shared object to %%{_libdir}; the main package pulls
# in the runtime library via the -libs subpackage.
Requires:       %{name}-libs%{?_isa} = %{version}-%{release}

%description
azure-protected-vm-secrets provisions and decrypts host-protected secrets on
Azure Confidential VMs (AMD SEV-SNP, Intel TDX). The package contains the
azure-protected-secrets-tool CLI for invoking the supported operations
(is-cvm, is-secrets-provisioning-enabled, unprotect-secret, validate-imds);
the runtime shared library is in the -libs subpackage and the C header for
linking against it is in the -devel subpackage.


%package libs
Summary:        Runtime shared library for %{name}

%description libs
Shared library implementing the host-secret unprotect and CVM-attestation
helpers consumed by azure-protected-vm-secrets and any third-party
application that links directly against libazure_protected_vm_secrets.


%package devel
Summary:        Development files for %{name}
Requires:       %{name}-libs%{?_isa} = %{version}-%{release}

%description devel
C header file and unversioned shared-library symlink for building software
that links against libazure_protected_vm_secrets.


%prep
# The tarball expands to confidential-computing-cvm-guest-attestation-/;
# the SSPL component is in the azure-protected-vm-secrets/ subdirectory of
# that tree. %%autosetup -n re-roots the build there.
%autosetup -n confidential-computing-cvm-guest-attestation-%{name}-v%{version}/%{name}


%conf
%cmake


%build
%cmake_build


%install
%cmake_install

# The repo's top-level LICENSE file lives one level up from our build subdir.
# Stage it into the install tree so %%license can find it relative to the
# build dir below.
install -D -m 0644 ../LICENSE %{_builddir}/%{buildsubdir}/LICENSE


%check
%ctest


%files
%license LICENSE
%doc README.md
%{_bindir}/azure-protected-secrets-tool

%files libs
%license LICENSE
%{_libdir}/libazure_protected_vm_secrets.so.%{version}
%{_libdir}/libazure_protected_vm_secrets.so.1

%files devel
%{_includedir}/SecretsProvisioningLibrary.h
%{_libdir}/libazure_protected_vm_secrets.so


%changelog
%autochangelog