import fwupd-1.1.4-2.el8

SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch

@@ -0,0 +1,220 @@
+commit 58f79c3d235290c4cecccc1d55cbcc2da8e988a6
+Author: Richard Hughes <richard@hughsie.com>
+Date:   Thu Aug 1 09:45:25 2019 +0100
+
+    Relax the certificate time checks in the self tests for the legacy certificate
+    
+    One test verifies a firmware with a signature from the old LVFS which was
+    hosted on secure-lvfs.rhcloud.com and used the original PKCS-7 key. This key
+    had a two year validity (expiring today, ohh the naivety...) rather than the
+    newer fwupd.org key which expires in the year 2058.
+    
+    For this specific test only, disable the certificate time checks to fix CI.
+    
+    Fixes https://github.com/hughsie/fwupd/issues/1264
+
+diff --git a/src/fu-engine.c b/src/fu-engine.c
+index ac102cfa..1a57b0af 100644
+--- a/src/fu-engine.c
++++ b/src/fu-engine.c
+@@ -1908,7 +1908,8 @@ fu_engine_get_existing_keyring_result (FuEngine *self,
+ 	blob_sig = fu_common_get_contents_bytes (fwupd_remote_get_filename_cache_sig (remote), error);
+ 	if (blob_sig == NULL)
+ 		return NULL;
+-	return fu_keyring_verify_data (kr, blob, blob_sig, error);
++	return fu_keyring_verify_data (kr, blob, blob_sig,
++				       FU_KEYRING_VERIFY_FLAG_NONE, error);
+ }
+ 
+ /**
+@@ -1991,7 +1992,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id,
+ 		pki_dir = g_build_filename (sysconfdir, "pki", "fwupd-metadata", NULL);
+ 		if (!fu_keyring_add_public_keys (kr, pki_dir, error))
+ 			return FALSE;
+-		kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error);
++		kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig,
++						    FU_KEYRING_VERIFY_FLAG_NONE,
++						    error);
+ 		if (kr_result == NULL)
+ 			return FALSE;
+ 
+diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
+index af0bfbe0..a51ab7a4 100644
+--- a/src/fu-keyring-gpg.c
++++ b/src/fu-keyring-gpg.c
+@@ -231,6 +231,7 @@ static FuKeyringResult *
+ fu_keyring_gpg_verify_data (FuKeyring *keyring,
+ 			    GBytes *blob,
+ 			    GBytes *blob_signature,
++			    FuKeyringVerifyFlags flags,
+ 			    GError **error)
+ {
+ 	FuKeyringGpg *self = FU_KEYRING_GPG (keyring);
+diff --git a/src/fu-keyring-pkcs7.c b/src/fu-keyring-pkcs7.c
+index d48dc5d0..dc310d37 100644
+--- a/src/fu-keyring-pkcs7.c
++++ b/src/fu-keyring-pkcs7.c
+@@ -182,6 +182,7 @@ static FuKeyringResult *
+ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
+ 			     GBytes *blob,
+ 			     GBytes *blob_signature,
++			     FuKeyringVerifyFlags flags,
+ 			     GError **error)
+ {
+ 	FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring);
+@@ -231,6 +232,14 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
+ 	for (gint i = 0; i < count; i++) {
+ 		gnutls_pkcs7_signature_info_st info;
+ 		gint64 signing_time = 0;
++		gnutls_certificate_verify_flags verify_flags = 0;
++
++		/* use with care */
++		if (flags & FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS) {
++			g_debug ("WARNING: disabling time checks");
++			verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
++			verify_flags |= GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS;
++		}
+ 
+ 		/* verify the data against the detached signature */
+ 		rc = gnutls_pkcs7_verify (pkcs7, self->tl,
+@@ -238,7 +247,7 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
+ 					  0,    /* vdata_size */
+ 					  i,    /* index */
+ 					  &datum, /* data */
+-					  0);   /* flags */
++					  verify_flags);
+ 		if (rc < 0) {
+ 			g_set_error (error,
+ 				     FWUPD_ERROR,
+diff --git a/src/fu-keyring-utils.c b/src/fu-keyring-utils.c
+index 0c5a7f04..465b4a02 100644
+--- a/src/fu-keyring-utils.c
++++ b/src/fu-keyring-utils.c
+@@ -167,7 +167,9 @@ fu_keyring_get_release_trust_flags (AsRelease *release,
+ 				fu_keyring_get_name (kr));
+ 		return FALSE;
+ 	}
+-	kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local);
++	kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature,
++					    FU_KEYRING_VERIFY_FLAG_NONE,
++					    &error_local);
+ 	if (kr_result == NULL) {
+ 		g_warning ("untrusted as failed to verify from %s keyring: %s",
+ 			   fu_keyring_get_name (kr),
+diff --git a/src/fu-keyring.c b/src/fu-keyring.c
+index d8a88e8c..9b582563 100644
+--- a/src/fu-keyring.c
++++ b/src/fu-keyring.c
+@@ -40,13 +40,14 @@ FuKeyringResult *
+ fu_keyring_verify_data (FuKeyring *keyring,
+ 		       GBytes *blob,
+ 		       GBytes *blob_signature,
++		       FuKeyringVerifyFlags flags,
+ 		       GError **error)
+ {
+ 	FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring);
+ 	g_return_val_if_fail (FU_IS_KEYRING (keyring), NULL);
+ 	g_return_val_if_fail (blob != NULL, NULL);
+ 	g_return_val_if_fail (blob_signature != NULL, NULL);
+-	return klass->verify_data (keyring, blob, blob_signature, error);
++	return klass->verify_data (keyring, blob, blob_signature, flags, error);
+ }
+ 
+ const gchar *
+diff --git a/src/fu-keyring.h b/src/fu-keyring.h
+index 6e03694c..f097305d 100644
+--- a/src/fu-keyring.h
++++ b/src/fu-keyring.h
+@@ -17,6 +17,20 @@ G_BEGIN_DECLS
+ #define FU_TYPE_KEYRING (fu_keyring_get_type ())
+ G_DECLARE_DERIVABLE_TYPE (FuKeyring, fu_keyring, FU, KEYRING, GObject)
+ 
++/**
++ * FuKeyringVerifyFlags:
++ * @FU_KEYRING_VERIFY_FLAG_NONE:		No flags set
++ * @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS:	Disable checking of validity periods
++ *
++ * The flags to use when interacting with a keyring
++ **/
++typedef enum {
++	FU_KEYRING_VERIFY_FLAG_NONE			= 0,
++	FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS	= 1 << 2,
++	/*< private >*/
++	FU_KEYRING_VERIFY_FLAG_LAST
++} FuKeyringVerifyFlags;
++
+ struct _FuKeyringClass
+ {
+ 	GObjectClass		 parent_class;
+@@ -28,6 +42,7 @@ struct _FuKeyringClass
+ 	FuKeyringResult		*(*verify_data)		(FuKeyring	*keyring,
+ 							 GBytes		*payload,
+ 							 GBytes		*payload_signature,
++							 FuKeyringVerifyFlags flags,
+ 							 GError		**error);
+ };
+ 
+@@ -39,6 +54,7 @@ gboolean	 fu_keyring_add_public_keys		(FuKeyring	*keyring,
+ FuKeyringResult	*fu_keyring_verify_data			(FuKeyring	*keyring,
+ 							 GBytes		*blob,
+ 							 GBytes		*blob_signature,
++							 FuKeyringVerifyFlags flags,
+ 							 GError		**error);
+ const gchar	*fu_keyring_get_name			(FuKeyring	*self);
+ void		 fu_keyring_set_name			(FuKeyring	*self,
+diff --git a/src/fu-self-test.c b/src/fu-self-test.c
+index 4f359614..98fac714 100644
+--- a/src/fu-self-test.c
++++ b/src/fu-self-test.c
+@@ -1947,7 +1947,9 @@ fu_keyring_gpg_func (void)
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (blob_pass);
+ 	blob_sig = g_bytes_new_static (sig_gpgme, strlen (sig_gpgme));
+-	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
++	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
++					      FU_KEYRING_VERIFY_FLAG_NONE,
++					      &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (result_pass);
+ 	g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), == , 1438072952);
+@@ -1960,7 +1962,8 @@ fu_keyring_gpg_func (void)
+ 	blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (blob_fail);
+-	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
++	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
++					      FU_KEYRING_VERIFY_FLAG_NONE, &error);
+ 	g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
+ 	g_assert_null (result_fail);
+ 	g_clear_error (&error);
+@@ -2010,7 +2013,9 @@ fu_keyring_pkcs7_func (void)
+ 	blob_sig = fu_common_get_contents_bytes (sig_fn, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (blob_sig);
+-	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
++	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
++					      FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS,
++					      &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (result_pass);
+ 	g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), >= , 1502871248);
+@@ -2022,7 +2027,8 @@ fu_keyring_pkcs7_func (void)
+ 	blob_sig2 = fu_common_get_contents_bytes (sig_fn2, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (blob_sig2);
+-	result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, &error);
++	result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2,
++					      FU_KEYRING_VERIFY_FLAG_NONE, &error);
+ 	g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
+ 	g_assert_null (result_fail);
+ 	g_clear_error (&error);
+@@ -2033,7 +2039,8 @@ fu_keyring_pkcs7_func (void)
+ 	blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (blob_fail);
+-	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
++	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
++					      FU_KEYRING_VERIFY_FLAG_NONE, &error);
+ 	g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
+ 	g_assert_null (result_fail);
+ 	g_clear_error (&error);

SPECS/fwupd.spec

@@ -26,7 +26,7 @@
 Summary:   Firmware update daemon
 Name:      fwupd
 Version:   1.1.4
-Release:   1%{?dist}
+Release:   2%{?dist}
 License:   LGPLv2+
 URL:       https://github.com/hughsie/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
@@ -35,6 +35,7 @@ Source2:   secureboot.cer
 
 # backport from upstream
 Patch0:    0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch
+Patch1:    0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
 
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
@@ -100,8 +101,6 @@ Requires: libgusb%{?_isa} >= %{libgusb_version}
 Requires: libsoup%{?_isa} >= %{libsoup_version}
 Requires: bubblewrap
 
-Recommends: python3
-
 Obsoletes: fwupd-sign < 0.1.6
 Obsoletes: libebitdo < 0.7.5-3
 Obsoletes: libdfu < 1.0.0
@@ -122,14 +121,13 @@ Files for development with %{name}.
 %package tests
 Summary: Data files for installed tests
 BuildArch: noarch
+Recommends: python3
 
 %description tests
 Data files for installed tests.
 
 %prep
-%setup -q
+%autosetup -p1
-
-%patch0 -p1 -b .aarch-is-slow
 
 sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \
         libfwupd/generate-version-script.py \
@@ -332,6 +330,10 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
 %{_datadir}/installed-tests/fwupd/*.py*
 
 %changelog
+* Mon Nov 25 2019 Richard Hughes <richard@hughsie.com> 1.1.4-2
+- Do not require python3 in the base package
+- Resolves: #1724593
+
 * Wed Nov 07 2018 Richard Hughes <richard@hughsie.com> 1.1.4-1
 - New upstream release
 - Use HTTPS_PROXY if set