# SPDX-FileCopyrightText: Sergio Arroutbi <sarroutb@redhat.com>
#
# SPDX-License-Identifier: MIT

# Disable debuginfo generation for Rust binaries
%global debug_package %{nil}

# Fedora: Use system Rust libraries as josekit 0.7.4+ is available
%global bundled_rust_deps 0

Name:           clevis-pin-trustee
Version:        0.2.0
Release:        1%{?dist}
Summary:        Clevis PIN for Trustee attestation

License:        MIT
URL:            https://github.com/sarroutbi/clevis-pin-trustee
Source0:        https://github.com/sarroutbi/%{name}/archive/refs/tags/v%{version}.tar.gz

BuildRequires:  rust-packaging >= 25
BuildRequires:  openssl-devel

# Runtime dependencies
Requires:       clevis
Requires:       jose

%description
clevis-pin-trustee is a Clevis PIN that implements encryption and decryption
operations using remote attestation via a Trustee server. It enables automated
unlocking of LUKS-encrypted volumes in confidential computing environments by
fetching encryption keys from Trustee servers after successful attestation.

%prep
%autosetup -n %{name}-%{version}
%cargo_prep

%generate_buildrequires
%cargo_generate_buildrequires

%build
# Build using cargo macros
%cargo_build

%install
# Install main binary
install -D -m 0755 target/release/%{name} %{buildroot}%{_bindir}/%{name}

# Install Clevis wrapper scripts
install -D -m 0755 clevis-encrypt-trustee %{buildroot}%{_bindir}/clevis-encrypt-trustee
install -D -m 0755 clevis-decrypt-trustee %{buildroot}%{_bindir}/clevis-decrypt-trustee

%check
# Run tests using cargo macro
%cargo_test

%files
%license LICENSES/MIT.txt
%doc README.md
%{_bindir}/%{name}
%{_bindir}/clevis-encrypt-trustee
%{_bindir}/clevis-decrypt-trustee

%changelog
* Thu Nov 27 2025 Sergio Arroutbi <sarroutb@redhat.com> - 0.2.0-1
- Downgrade josekit to 0.7.4 for Fedora compatibility
- Enable system Rust libraries on Fedora

* Wed Nov 26 2025 Sergio Arroutbi <sarroutb@redhat.com> - 0.1.0-1
- Initial release
- Clevis PIN for Trustee attestation
- Support for multiple Trustee server URLs with failover
- Certificate-based TLS authentication
- Optional initdata for attestation context