# SPDX-FileCopyrightText: Sergio Arroutbi <sarroutb@redhat.com>
#
# SPDX-License-Identifier: MIT

# Disable debuginfo generation for Rust binaries
%global debug_package %{nil}

Name:           clevis-pin-trustee
Version:        0.1.0
Release:        1%{?dist}
Summary:        Clevis PIN for Trustee attestation

License:        MIT
URL:            https://github.com/sarroutbi/clevis-pin-trustee
Source0:        %{name}-%{version}-vendor.tar.gz

BuildRequires:  rust-packaging >= 25
BuildRequires:  rust >= 1.85.0
BuildRequires:  cargo >= 1.85.0
BuildRequires:  openssl-devel

# Runtime dependencies
Requires:       clevis
Requires:       jose

%description
clevis-pin-trustee is a Clevis PIN that implements encryption and decryption
operations using remote attestation via a Trustee server. It enables automated
unlocking of LUKS-encrypted volumes in confidential computing environments by
fetching encryption keys from Trustee servers after successful attestation.

%prep
%autosetup -n %{name}-%{version}
# Configure cargo to use vendored dependencies
%cargo_prep -v vendor

%build
# Generate vendor manifest (required for bundled crates tracking)
%cargo_vendor_manifest
# Build using vendored dependencies
%cargo_build

%install
# Install main binary using cargo macro
%cargo_install

# Install Clevis wrapper scripts
install -D -m 0755 clevis-encrypt-trustee %{buildroot}%{_bindir}/clevis-encrypt-trustee
install -D -m 0755 clevis-decrypt-trustee %{buildroot}%{_bindir}/clevis-decrypt-trustee

%check
# Run tests with vendored dependencies
%cargo_test

%files
%license LICENSES/MIT.txt
%license cargo-vendor.txt
%doc README.md
%{_bindir}/%{name}
%{_bindir}/clevis-encrypt-trustee
%{_bindir}/clevis-decrypt-trustee

%changelog
* Wed Nov 26 2025 Sergio Arroutbi <sarroutb@redhat.com> - 0.1.0-1
- Initial release
- Clevis PIN for Trustee attestation
- Support for multiple Trustee server URLs with failover
- Certificate-based TLS authentication
- Optional initdata for attestation context