From 31bc70417457c68a972919ab0a07a5d2ee201ba4 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 21 Jan 2020 13:31:45 -0500 Subject: [PATCH] import fwupd-1.1.4-2.el8 --- ...icate-time-checks-in-the-self-tests-.patch | 220 ++++++++++++++++++ SPECS/fwupd.spec | 14 +- 2 files changed, 228 insertions(+), 6 deletions(-) create mode 100644 SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch diff --git a/SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch b/SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch new file mode 100644 index 0000000..b6be5f2 --- /dev/null +++ b/SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch @@ -0,0 +1,220 @@ +commit 58f79c3d235290c4cecccc1d55cbcc2da8e988a6 +Author: Richard Hughes +Date: Thu Aug 1 09:45:25 2019 +0100 + + Relax the certificate time checks in the self tests for the legacy certificate + + One test verifies a firmware with a signature from the old LVFS which was + hosted on secure-lvfs.rhcloud.com and used the original PKCS-7 key. This key + had a two year validity (expiring today, ohh the naivety...) rather than the + newer fwupd.org key which expires in the year 2058. + + For this specific test only, disable the certificate time checks to fix CI. + + Fixes https://github.com/hughsie/fwupd/issues/1264 + +diff --git a/src/fu-engine.c b/src/fu-engine.c +index ac102cfa..1a57b0af 100644 +--- a/src/fu-engine.c ++++ b/src/fu-engine.c +@@ -1908,7 +1908,8 @@ fu_engine_get_existing_keyring_result (FuEngine *self, + blob_sig = fu_common_get_contents_bytes (fwupd_remote_get_filename_cache_sig (remote), error); + if (blob_sig == NULL) + return NULL; +- return fu_keyring_verify_data (kr, blob, blob_sig, error); ++ return fu_keyring_verify_data (kr, blob, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, error); + } + + /** +@@ -1991,7 +1992,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id, + pki_dir = g_build_filename (sysconfdir, "pki", "fwupd-metadata", NULL); + if (!fu_keyring_add_public_keys (kr, pki_dir, error)) + return FALSE; +- kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error); ++ kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, ++ error); + if (kr_result == NULL) + return FALSE; + +diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c +index af0bfbe0..a51ab7a4 100644 +--- a/src/fu-keyring-gpg.c ++++ b/src/fu-keyring-gpg.c +@@ -231,6 +231,7 @@ static FuKeyringResult * + fu_keyring_gpg_verify_data (FuKeyring *keyring, + GBytes *blob, + GBytes *blob_signature, ++ FuKeyringVerifyFlags flags, + GError **error) + { + FuKeyringGpg *self = FU_KEYRING_GPG (keyring); +diff --git a/src/fu-keyring-pkcs7.c b/src/fu-keyring-pkcs7.c +index d48dc5d0..dc310d37 100644 +--- a/src/fu-keyring-pkcs7.c ++++ b/src/fu-keyring-pkcs7.c +@@ -182,6 +182,7 @@ static FuKeyringResult * + fu_keyring_pkcs7_verify_data (FuKeyring *keyring, + GBytes *blob, + GBytes *blob_signature, ++ FuKeyringVerifyFlags flags, + GError **error) + { + FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring); +@@ -231,6 +232,14 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring, + for (gint i = 0; i < count; i++) { + gnutls_pkcs7_signature_info_st info; + gint64 signing_time = 0; ++ gnutls_certificate_verify_flags verify_flags = 0; ++ ++ /* use with care */ ++ if (flags & FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS) { ++ g_debug ("WARNING: disabling time checks"); ++ verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS; ++ verify_flags |= GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS; ++ } + + /* verify the data against the detached signature */ + rc = gnutls_pkcs7_verify (pkcs7, self->tl, +@@ -238,7 +247,7 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring, + 0, /* vdata_size */ + i, /* index */ + &datum, /* data */ +- 0); /* flags */ ++ verify_flags); + if (rc < 0) { + g_set_error (error, + FWUPD_ERROR, +diff --git a/src/fu-keyring-utils.c b/src/fu-keyring-utils.c +index 0c5a7f04..465b4a02 100644 +--- a/src/fu-keyring-utils.c ++++ b/src/fu-keyring-utils.c +@@ -167,7 +167,9 @@ fu_keyring_get_release_trust_flags (AsRelease *release, + fu_keyring_get_name (kr)); + return FALSE; + } +- kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local); ++ kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, ++ FU_KEYRING_VERIFY_FLAG_NONE, ++ &error_local); + if (kr_result == NULL) { + g_warning ("untrusted as failed to verify from %s keyring: %s", + fu_keyring_get_name (kr), +diff --git a/src/fu-keyring.c b/src/fu-keyring.c +index d8a88e8c..9b582563 100644 +--- a/src/fu-keyring.c ++++ b/src/fu-keyring.c +@@ -40,13 +40,14 @@ FuKeyringResult * + fu_keyring_verify_data (FuKeyring *keyring, + GBytes *blob, + GBytes *blob_signature, ++ FuKeyringVerifyFlags flags, + GError **error) + { + FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring); + g_return_val_if_fail (FU_IS_KEYRING (keyring), NULL); + g_return_val_if_fail (blob != NULL, NULL); + g_return_val_if_fail (blob_signature != NULL, NULL); +- return klass->verify_data (keyring, blob, blob_signature, error); ++ return klass->verify_data (keyring, blob, blob_signature, flags, error); + } + + const gchar * +diff --git a/src/fu-keyring.h b/src/fu-keyring.h +index 6e03694c..f097305d 100644 +--- a/src/fu-keyring.h ++++ b/src/fu-keyring.h +@@ -17,6 +17,20 @@ G_BEGIN_DECLS + #define FU_TYPE_KEYRING (fu_keyring_get_type ()) + G_DECLARE_DERIVABLE_TYPE (FuKeyring, fu_keyring, FU, KEYRING, GObject) + ++/** ++ * FuKeyringVerifyFlags: ++ * @FU_KEYRING_VERIFY_FLAG_NONE: No flags set ++ * @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS: Disable checking of validity periods ++ * ++ * The flags to use when interacting with a keyring ++ **/ ++typedef enum { ++ FU_KEYRING_VERIFY_FLAG_NONE = 0, ++ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS = 1 << 2, ++ /*< private >*/ ++ FU_KEYRING_VERIFY_FLAG_LAST ++} FuKeyringVerifyFlags; ++ + struct _FuKeyringClass + { + GObjectClass parent_class; +@@ -28,6 +42,7 @@ struct _FuKeyringClass + FuKeyringResult *(*verify_data) (FuKeyring *keyring, + GBytes *payload, + GBytes *payload_signature, ++ FuKeyringVerifyFlags flags, + GError **error); + }; + +@@ -39,6 +54,7 @@ gboolean fu_keyring_add_public_keys (FuKeyring *keyring, + FuKeyringResult *fu_keyring_verify_data (FuKeyring *keyring, + GBytes *blob, + GBytes *blob_signature, ++ FuKeyringVerifyFlags flags, + GError **error); + const gchar *fu_keyring_get_name (FuKeyring *self); + void fu_keyring_set_name (FuKeyring *self, +diff --git a/src/fu-self-test.c b/src/fu-self-test.c +index 4f359614..98fac714 100644 +--- a/src/fu-self-test.c ++++ b/src/fu-self-test.c +@@ -1947,7 +1947,9 @@ fu_keyring_gpg_func (void) + g_assert_no_error (error); + g_assert_nonnull (blob_pass); + blob_sig = g_bytes_new_static (sig_gpgme, strlen (sig_gpgme)); +- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error); ++ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, ++ &error); + g_assert_no_error (error); + g_assert_nonnull (result_pass); + g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), == , 1438072952); +@@ -1960,7 +1962,8 @@ fu_keyring_gpg_func (void) + blob_fail = fu_common_get_contents_bytes (fw_fail, &error); + g_assert_no_error (error); + g_assert_nonnull (blob_fail); +- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error); ++ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, &error); + g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID); + g_assert_null (result_fail); + g_clear_error (&error); +@@ -2010,7 +2013,9 @@ fu_keyring_pkcs7_func (void) + blob_sig = fu_common_get_contents_bytes (sig_fn, &error); + g_assert_no_error (error); + g_assert_nonnull (blob_sig); +- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error); ++ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS, ++ &error); + g_assert_no_error (error); + g_assert_nonnull (result_pass); + g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), >= , 1502871248); +@@ -2022,7 +2027,8 @@ fu_keyring_pkcs7_func (void) + blob_sig2 = fu_common_get_contents_bytes (sig_fn2, &error); + g_assert_no_error (error); + g_assert_nonnull (blob_sig2); +- result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, &error); ++ result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, ++ FU_KEYRING_VERIFY_FLAG_NONE, &error); + g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID); + g_assert_null (result_fail); + g_clear_error (&error); +@@ -2033,7 +2039,8 @@ fu_keyring_pkcs7_func (void) + blob_fail = fu_common_get_contents_bytes (fw_fail, &error); + g_assert_no_error (error); + g_assert_nonnull (blob_fail); +- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error); ++ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, &error); + g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID); + g_assert_null (result_fail); + g_clear_error (&error); diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec index 341d921..5e4d994 100644 --- a/SPECS/fwupd.spec +++ b/SPECS/fwupd.spec @@ -26,7 +26,7 @@ Summary: Firmware update daemon Name: fwupd Version: 1.1.4 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPLv2+ URL: https://github.com/hughsie/fwupd Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz @@ -35,6 +35,7 @@ Source2: secureboot.cer # backport from upstream Patch0: 0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch +Patch1: 0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} @@ -100,8 +101,6 @@ Requires: libgusb%{?_isa} >= %{libgusb_version} Requires: libsoup%{?_isa} >= %{libsoup_version} Requires: bubblewrap -Recommends: python3 - Obsoletes: fwupd-sign < 0.1.6 Obsoletes: libebitdo < 0.7.5-3 Obsoletes: libdfu < 1.0.0 @@ -122,14 +121,13 @@ Files for development with %{name}. %package tests Summary: Data files for installed tests BuildArch: noarch +Recommends: python3 %description tests Data files for installed tests. %prep -%setup -q - -%patch0 -p1 -b .aarch-is-slow +%autosetup -p1 sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \ libfwupd/generate-version-script.py \ @@ -332,6 +330,10 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg %{_datadir}/installed-tests/fwupd/*.py* %changelog +* Mon Nov 25 2019 Richard Hughes 1.1.4-2 +- Do not require python3 in the base package +- Resolves: #1724593 + * Wed Nov 07 2018 Richard Hughes 1.1.4-1 - New upstream release - Use HTTPS_PROXY if set