import fwupd-1.1.4-7.el8_2

2020-07-29 13:16:11 -04:00 · 2020-07-29 13:16:11 -04:00 · 1554303a7f
commit 1554303a7f
parent 5ddd76f6ca
5 changed files with 17 additions and 5 deletions
--- a/SOURCES/redhatsecureboot301.cer
+++ b/SOURCES/redhatsecureboot301.cer
--- a/SOURCES/redhatsecureboot503.cer
+++ b/SOURCES/redhatsecureboot503.cer
--- a/SOURCES/redhatsecurebootca3.cer
+++ b/SOURCES/redhatsecurebootca3.cer
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@ -26,12 +26,17 @@
 Summary:   Firmware update daemon
 Name:      fwupd
 Version:   1.1.4
-Release:   6%{?dist}
+Release:   7%{?dist}
 License:   LGPLv2+
 URL:       https://github.com/hughsie/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-Source1:   securebootca.cer
-Source2:   secureboot.cer
+
+# these are numbered high just to keep them wildly away from colliding with
+# the real package sources, in order to reduce churn.
+Source300:   redhatsecurebootca3.cer
+Source301:   redhatsecureboot301.cer
+Source500:   redhatsecurebootca5.cer
+Source503:   redhatsecureboot503.cer

 # backport from upstream
 Patch0:    0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch
@ -39,6 +44,7 @@ Patch1:    0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
 Patch2:    0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch
 Patch3:    0001-uefi-add-a-new-option-to-specify-the-os-name.patch

+BuildRequires: efi-srpm-macros
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: libappstream-glib-devel >= %{libappstream_version}
@ -148,7 +154,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1

 %meson \
    -Dgtkdoc=true \
-    -Defi_os_dir=redhat \
+    -Defi_os_dir=%{efi_vendor} \
 %if 0%{?enable_tests}
    -Dtests=true \
 %else
@ -200,7 +206,9 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %global efiarch aa64
 %endif
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
+rm -fv %{fwup_efi_fn}.tmp
 %endif

 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@ -333,6 +341,10 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
 %{_datadir}/installed-tests/fwupd/*.py*

 %changelog
+* Mon Jul 27 2020 Peter Jones <pjones@redhat.com> - 1.1.4-7
+- Add signing with redhatsecureboot503 cert
+  Related: CVE-2020-10713
+
 * Wed Feb 19 2020 Richard Hughes <richard@hughsie.com> 1.1.4-6
 - Rebuild to get the EFI executable signed with the Red Hat key
 - Resolves: #1713033