0.192-5

- Enable debuginfod IMA verification - Add elfutils-0.192-fix-configure-conditional.patch - Add elfutils-0.192-skip-ima-test.patch Resolves: RHEL-69472
2024-12-12 17:01:41 -05:00 · 2024-12-12 17:01:41 -05:00 · 9f0d1325fb
commit 9f0d1325fb
parent 9dfd07e7df
3 changed files with 96 additions and 2 deletions
--- a/elfutils-0.192-fix-configure-conditional.patch
+++ b/elfutils-0.192-fix-configure-conditional.patch
@ -0,0 +1,26 @@
 From fb4753feb0ed7e3387f52b54bb02c6c74aac6a3e Mon Sep 17 00:00:00 2001
 From: Aaron Merey <amerey@redhat.com>
 Date: Tue, 29 Oct 2024 14:54:10 -0400
 Subject: [PATCH] Fix ENABLE_DEBUGINFOD_IMA_VERIFICATION always
 evaluating to false
 ---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/configure.ac b/configure.ac
 index f191488..3d2d3ee 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -892,7 +892,7 @@ AS_IF([test "x$enable_debuginfod" != "xno"],AC_DEFINE([ENABLE_DEBUGINFOD],[1],[B
 AM_CONDITIONAL([DEBUGINFOD],[test "x$enable_debuginfod" = "xyes"])
 AS_IF([test "x$enable_debuginfod_ima_verification" = "xyes"],AC_DEFINE([ENABLE_IMA_VERIFICATION],[1],[Build IMA verification]))
 AS_IF([test "x$have_libarchive" = "xyes"],AC_DEFINE([HAVE_LIBARCHIVE],[1],[Define to 1 if libarchive is available]))
 -AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "$enable_debuginfod_ima_verification" = "xyes"])
 +AM_CONDITIONAL([ENABLE_IMA_VERIFICATION],[test "x$enable_debuginfod_ima_verification" = "xyes"])
 AM_CONDITIONAL([OLD_LIBMICROHTTPD],[test "x$old_libmicrohttpd" = "xyes"])
 dnl for /etc/profile.d/elfutils.{csh,sh}
 -- 
 2.47.0
--- a/elfutils-0.192-skip-ima-test.patch
+++ b/elfutils-0.192-skip-ima-test.patch
@ -0,0 +1,48 @@
 From 36bd0ffe72f63a187902679823dfd50510bf7300 Mon Sep 17 00:00:00 2001
 From: Aaron Merey <amerey@redhat.com>
 Date: Fri, 13 Dec 2024 11:14:39 -0500
 Subject: [PATCH] run-debuginfod-ima-verification.sh: Skip test 4
 Test 4 requires `rpmsign --delfilesign` to remove IMA signatures.
 RHEL 9 rpmsign does not currently support delfilesign, so skip this
 test for now.
 ---
 tests/run-debuginfod-ima-verification.sh | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
 diff --git a/tests/run-debuginfod-ima-verification.sh b/tests/run-debuginfod-ima-verification.sh
 index d582af5f..a5e6eeb2 100755
 --- a/tests/run-debuginfod-ima-verification.sh
 +++ b/tests/run-debuginfod-ima-verification.sh
@@ -127,17 +127,17 @@ RC=0
 testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
 test $RC -ne 0
 -echo Test 4: A rpm without a signature will fail
 -cp signed.rpm R/signed.rpm
 -rpmsign --delfilesign R/signed.rpm
 -rm -rf $DEBUGINFOD_CACHE_PATH # clean it from previous tests
 -kill -USR1 $PID1
 -wait_ready $PORT1 'thread_work_total{role="traverse"}' 4
 -wait_ready $PORT1 'thread_work_pending{role="scan"}' 0
 -wait_ready $PORT1 'thread_busy{role="scan"}' 0
 -RC=0
 -testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
 -test $RC -ne 0
 +#echo Test 4: A rpm without a signature will fail
 +#cp signed.rpm R/signed.rpm
 +#rpmsign --delfilesign R/signed.rpm
 +#rm -rf $DEBUGINFOD_CACHE_PATH # clean it from previous tests
 +#kill -USR1 $PID1
 +#wait_ready $PORT1 'thread_work_total{role="traverse"}' 4
 +#wait_ready $PORT1 'thread_work_pending{role="scan"}' 0
 +#wait_ready $PORT1 'thread_busy{role="scan"}' 0
 +#RC=0
 +#testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable $RPM_BUILDID || RC=1
 +#test $RC -ne 0
 echo Test 5: Only tests 1,2 will result in extracted signature
 [[ $(curl -s http://127.0.0.1:$PORT1/metrics | grep 'http_responses_total{extra="ima-sigs-extracted"}' | awk '{print $NF}') -eq 2 ]]
 -- 
 2.47.1
--- a/elfutils.spec
+++ b/elfutils.spec
@ -4,7 +4,7 @@
 Name: elfutils
 Version: 0.192
-%global baserelease 2
+%global baserelease 3
 Release: %{baserelease}%{?dist}
 URL: http://elfutils.org/
 %global source_url ftp://sourceware.org/pub/elfutils/%{version}/
@ -60,6 +60,12 @@ BuildRequires: curl
 # For run-debuginfod-response-headers.sh test case
 BuildRequires: socat
 # For debuginfod rpm IMA verification
 BuildRequires: rpm-devel
 BuildRequires: ima-evm-utils-devel
 BuildRequires: openssl-devel
 BuildRequires: rpm-sign
 # For eu-stacktrace
 %if %{enable_stacktrace}
 BuildRequires: sysprof-capture-devel
@ -92,6 +98,12 @@ Patch1: elfutils-0.192-libelf-static.patch
 # Fix eu-stacktrace LTO build error.
 Patch2: elfutils-0.192-stacktrace-lto.patch
 # Fix configure.ac setting ENABLE_DEBUGINFOD_IMA_VERIFICATION.
 Patch3: elfutils-0.192-fix-configure-conditional.patch
 # Skip IMA test not currently supported in RHEL 9.
 Patch4: elfutils-0.192-skip-ima-test.patch
 %description
 Elfutils is a collection of utilities, including stack (to show
 backtraces), nm (for listing symbols from object files), size
@ -325,7 +337,9 @@ trap 'cat config.log' EXIT
 %if %{enable_stacktrace}
 	--enable-stacktrace \
 %endif
-	--enable-debuginfod
+	--enable-debuginfod \
 	--enable-debuginfod-ima-verification \
 	--enable-debuginfod-ima-cert-path=%{_sysconfdir}/keys/ima
 trap '' EXIT
 %make_build
@ -479,6 +493,7 @@ fi
 %config(noreplace) %{_datadir}/fish/vendor_conf.d/*
 %if 0%{?centos} >= 8
 %{_sysconfdir}/debuginfod/*.urls
 %{_sysconfdir}/debuginfod/*.certpath
 %endif
 %files debuginfod-client-devel
@ -518,6 +533,11 @@ exit 0
 %systemd_postun_with_restart debuginfod.service
 %changelog
 * Fri Dec 13 2024 Aaron Merey <amerey@redhat.com> - 0.192-5
 - Enable debuginfod IMA verification
 - Add elfutils-0.192-fix-configure-conditional.patch
 - Add elfutils-0.192-skip-ima-test.patch
 * Thu Oct 24 2024 Aaron Merey <amerey@redhat.com> - 0.192-2
 - Enable eu-stacktrace on x86_64
 - Add elfutils-0.192-stacktrace-lto.patch