import fwupd-1.1.4-2.el8

This commit is contained in:
CentOS Sources 2020-01-21 13:31:45 -05:00 committed by Stepan Oksanichenko
parent aa3ac103b1
commit 31bc704174
2 changed files with 228 additions and 6 deletions


@ -0,0 +1,220 @@
commit 58f79c3d235290c4cecccc1d55cbcc2da8e988a6
Author: Richard Hughes <richard@hughsie.com>
Date: Thu Aug 1 09:45:25 2019 +0100
Relax the certificate time checks in the self tests for the legacy certificate
One test verifies a firmware with a signature from the old LVFS which was
hosted on secure-lvfs.rhcloud.com and used the original PKCS-7 key. This key
had a two year validity (expiring today, ohh the naivety...) rather than the
newer fwupd.org key which expires in the year 2058.
For this specific test only, disable the certificate time checks to fix CI.
Fixes https://github.com/hughsie/fwupd/issues/1264
diff --git a/src/fu-engine.c b/src/fu-engine.c
index ac102cfa..1a57b0af 100644
--- a/src/fu-engine.c
+++ b/src/fu-engine.c
@@ -1908,7 +1908,8 @@ fu_engine_get_existing_keyring_result (FuEngine *self,
blob_sig = fu_common_get_contents_bytes (fwupd_remote_get_filename_cache_sig (remote), error);
if (blob_sig == NULL)
return NULL;
- return fu_keyring_verify_data (kr, blob, blob_sig, error);
+ return fu_keyring_verify_data (kr, blob, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE, error);
}
/**
@@ -1991,7 +1992,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id,
pki_dir = g_build_filename (sysconfdir, "pki", "fwupd-metadata", NULL);
if (!fu_keyring_add_public_keys (kr, pki_dir, error))
return FALSE;
- kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error);
+ kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE,
+ error);
if (kr_result == NULL)
return FALSE;
diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
index af0bfbe0..a51ab7a4 100644
--- a/src/fu-keyring-gpg.c
+++ b/src/fu-keyring-gpg.c
@@ -231,6 +231,7 @@ static FuKeyringResult *
fu_keyring_gpg_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error)
{
FuKeyringGpg *self = FU_KEYRING_GPG (keyring);
diff --git a/src/fu-keyring-pkcs7.c b/src/fu-keyring-pkcs7.c
index d48dc5d0..dc310d37 100644
--- a/src/fu-keyring-pkcs7.c
+++ b/src/fu-keyring-pkcs7.c
@@ -182,6 +182,7 @@ static FuKeyringResult *
fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error)
{
FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring);
@@ -231,6 +232,14 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
for (gint i = 0; i < count; i++) {
gnutls_pkcs7_signature_info_st info;
gint64 signing_time = 0;
+ gnutls_certificate_verify_flags verify_flags = 0;
+
+ /* use with care */
+ if (flags & FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS) {
+ g_debug ("WARNING: disabling time checks");
+ verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
+ verify_flags |= GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS;
+ }
/* verify the data against the detached signature */
rc = gnutls_pkcs7_verify (pkcs7, self->tl,
@@ -238,7 +247,7 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
0, /* vdata_size */
i, /* index */
&datum, /* data */
- 0); /* flags */
+ verify_flags);
if (rc < 0) {
g_set_error (error,
FWUPD_ERROR,
diff --git a/src/fu-keyring-utils.c b/src/fu-keyring-utils.c
index 0c5a7f04..465b4a02 100644
--- a/src/fu-keyring-utils.c
+++ b/src/fu-keyring-utils.c
@@ -167,7 +167,9 @@ fu_keyring_get_release_trust_flags (AsRelease *release,
fu_keyring_get_name (kr));
return FALSE;
}
- kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local);
+ kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature,
+ FU_KEYRING_VERIFY_FLAG_NONE,
+ &error_local);
if (kr_result == NULL) {
g_warning ("untrusted as failed to verify from %s keyring: %s",
fu_keyring_get_name (kr),
diff --git a/src/fu-keyring.c b/src/fu-keyring.c
index d8a88e8c..9b582563 100644
--- a/src/fu-keyring.c
+++ b/src/fu-keyring.c
@@ -40,13 +40,14 @@ FuKeyringResult *
fu_keyring_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error)
{
FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring);
g_return_val_if_fail (FU_IS_KEYRING (keyring), NULL);
g_return_val_if_fail (blob != NULL, NULL);
g_return_val_if_fail (blob_signature != NULL, NULL);
- return klass->verify_data (keyring, blob, blob_signature, error);
+ return klass->verify_data (keyring, blob, blob_signature, flags, error);
}
const gchar *
diff --git a/src/fu-keyring.h b/src/fu-keyring.h
index 6e03694c..f097305d 100644
--- a/src/fu-keyring.h
+++ b/src/fu-keyring.h
@@ -17,6 +17,20 @@ G_BEGIN_DECLS
#define FU_TYPE_KEYRING (fu_keyring_get_type ())
G_DECLARE_DERIVABLE_TYPE (FuKeyring, fu_keyring, FU, KEYRING, GObject)
+/**
+ * FuKeyringVerifyFlags:
+ * @FU_KEYRING_VERIFY_FLAG_NONE: No flags set
+ * @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS: Disable checking of validity periods
+ *
+ * The flags to use when interacting with a keyring
+ **/
+typedef enum {
+ FU_KEYRING_VERIFY_FLAG_NONE = 0,
+ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS = 1 << 2,
+ /*< private >*/
+ FU_KEYRING_VERIFY_FLAG_LAST
+} FuKeyringVerifyFlags;
+
struct _FuKeyringClass
{
GObjectClass parent_class;
@@ -28,6 +42,7 @@ struct _FuKeyringClass
FuKeyringResult *(*verify_data) (FuKeyring *keyring,
GBytes *payload,
GBytes *payload_signature,
+ FuKeyringVerifyFlags flags,
GError **error);
};
@@ -39,6 +54,7 @@ gboolean fu_keyring_add_public_keys (FuKeyring *keyring,
FuKeyringResult *fu_keyring_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error);
const gchar *fu_keyring_get_name (FuKeyring *self);
void fu_keyring_set_name (FuKeyring *self,
diff --git a/src/fu-self-test.c b/src/fu-self-test.c
index 4f359614..98fac714 100644
--- a/src/fu-self-test.c
+++ b/src/fu-self-test.c
@@ -1947,7 +1947,9 @@ fu_keyring_gpg_func (void)
g_assert_no_error (error);
g_assert_nonnull (blob_pass);
blob_sig = g_bytes_new_static (sig_gpgme, strlen (sig_gpgme));
- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
+ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE,
+ &error);
g_assert_no_error (error);
g_assert_nonnull (result_pass);
g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), == , 1438072952);
@@ -1960,7 +1962,8 @@ fu_keyring_gpg_func (void)
blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_fail);
- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
+ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
g_assert_null (result_fail);
g_clear_error (&error);
@@ -2010,7 +2013,9 @@ fu_keyring_pkcs7_func (void)
blob_sig = fu_common_get_contents_bytes (sig_fn, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_sig);
- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
+ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS,
+ &error);
g_assert_no_error (error);
g_assert_nonnull (result_pass);
g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), >= , 1502871248);
@@ -2022,7 +2027,8 @@ fu_keyring_pkcs7_func (void)
blob_sig2 = fu_common_get_contents_bytes (sig_fn2, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_sig2);
- result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, &error);
+ result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2,
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
g_assert_null (result_fail);
g_clear_error (&error);
@@ -2033,7 +2039,8 @@ fu_keyring_pkcs7_func (void)
blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_fail);
- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
+ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
g_assert_null (result_fail);
g_clear_error (&error);
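Review bot: The header comment added for FuKeyringVerifyFlags does not say what FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS actually does — in fu_keyring_pkcs7_verify_data it sets GNUTLS_VERIFY_DISABLE_TIME_CHECKS and GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS, so a signature from an expired or not-yet-valid certificate then verifies successfully, and the only runtime trace is a g_debug line. I would make the contract explicit in the header, e.g. `* @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS: Disable certificate validity-period checks; expired signing certificates then verify, so use in self tests only`, and raise the message to `g_warning ("disabling certificate time checks");` so it is visible outside debug logs. All production callers in this patch (fu-engine.c, fu-keyring-utils.c) pass FU_KEYRING_VERIFY_FLAG_NONE and only the pkcs7 self test passes the new flag, which is the right split; the gpg backend gains the flags parameter but the visible hunk does not show it using or rejecting the flag, so presumably it is silently ignored there and a one-line comment saying so would help. Minor: in a bitflag enum the `/*< private >*/ FU_KEYRING_VERIFY_FLAG_LAST` sentinel evaluates to (1 << 2) + 1, which is not itself a flag value. The body of fu_keyring_pkcs7_verify_data starts and ends outside the quoted hunk.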


@ -26,7 +26,7 @@
Summary: Firmware update daemon Summary: Firmware update daemon
Name: fwupd Name: fwupd
Version: 1.1.4 Version: 1.1.4
Release: 1%{?dist} Release: 2%{?dist}
License: LGPLv2+ License: LGPLv2+
URL: https://github.com/hughsie/fwupd URL: https://github.com/hughsie/fwupd
Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
@ -35,6 +35,7 @@ Source2: secureboot.cer
# backport from upstream # backport from upstream
Patch0: 0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch Patch0: 0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch
Patch1: 0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
BuildRequires: gettext BuildRequires: gettext
BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: glib2-devel >= %{glib2_version}
@ -100,8 +101,6 @@ Requires: libgusb%{?_isa} >= %{libgusb_version}
Requires: libsoup%{?_isa} >= %{libsoup_version} Requires: libsoup%{?_isa} >= %{libsoup_version}
Requires: bubblewrap Requires: bubblewrap
Recommends: python3
Obsoletes: fwupd-sign < 0.1.6 Obsoletes: fwupd-sign < 0.1.6
Obsoletes: libebitdo < 0.7.5-3 Obsoletes: libebitdo < 0.7.5-3
Obsoletes: libdfu < 1.0.0 Obsoletes: libdfu < 1.0.0
@ -122,14 +121,13 @@ Files for development with %{name}.
%package tests %package tests
Summary: Data files for installed tests Summary: Data files for installed tests
BuildArch: noarch BuildArch: noarch
Recommends: python3
%description tests %description tests
Data files for installed tests. Data files for installed tests.
%prep %prep
%setup -q %autosetup -p1
%patch0 -p1 -b .aarch-is-slow
sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \ sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \
libfwupd/generate-version-script.py \ libfwupd/generate-version-script.py \
@ -332,6 +330,10 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
%{_datadir}/installed-tests/fwupd/*.py* %{_datadir}/installed-tests/fwupd/*.py*
%changelog %changelog
* Mon Nov 25 2019 Richard Hughes <richard@hughsie.com> 1.1.4-2
- Do not require python3 in the base package
- Resolves: #1724593
* Wed Nov 07 2018 Richard Hughes <richard@hughsie.com> 1.1.4-1 * Wed Nov 07 2018 Richard Hughes <richard@hughsie.com> 1.1.4-1
- New upstream release - New upstream release
- Use HTTPS_PROXY if set - Use HTTPS_PROXY if set
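Review bot: The new 1.1.4-2 changelog entry only records the python3 Recommends move and the bug reference; it does not mention that the same release adds Patch1 (the upstream backport relaxing the certificate time checks in the self tests) or switches %prep to `%autosetup -p1`, so the package history will not explain why the self tests now accept the expired legacy certificate. I would add a line such as `- Backport upstream fix relaxing the certificate time checks in the self tests` under the 1.1.4-2 entry. Which of the two printed `Recommends: python3` lines is removed and which added cannot be told from this rendering, so I have not assumed a direction.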