Rebuilt to use redhatsecureboot503 signatures

Resolves: rhbz#2007520
Richard Hughes 2021-09-24 10:45:10 +01:00
parent a9dc0aac7b
commit 6a2b4a0cfd
8 changed files with 86 additions and 6 deletions

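--- a/.gitignore
+++ b/.gitignore
@@ -75,3 +75,9 @@
 /fwupd-1.5.4.tar.xz
 /fwupd-1.5.5.tar.xz
 /fwupd-1.5.9.tar.xz
+/DBXUpdate-20100307-x64.cab
+/DBXUpdate-20140413-x64.cab
+/DBXUpdate-20160809-x64.cab
+/DBXUpdate-20200729-aa64.cab
+/DBXUpdate-20200729-ia32.cab
+/DBXUpdate-20200729-x64.cab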


@ -0,0 +1,39 @@
From 945ef070f2095eac32c9438a30f73acd3fda420c Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Fri, 24 Sep 2021 09:41:09 +0100
Subject: [PATCH] Do not use the LVFS
---
data/remotes.d/lvfs.conf | 2 +-
libfwupd/fwupd-self-test.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/remotes.d/lvfs.conf b/data/remotes.d/lvfs.conf
index f956bc97..f993b970 100644
--- a/data/remotes.d/lvfs.conf
+++ b/data/remotes.d/lvfs.conf
@@ -1,7 +1,7 @@
[fwupd Remote]
# this remote provides metadata and firmware marked as 'stable' from the LVFS
-Enabled=true
+Enabled=false
Title=Linux Vendor Firmware Service
MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
ReportURI=https://fwupd.org/lvfs/firmware/report
diff --git a/libfwupd/fwupd-self-test.c b/libfwupd/fwupd-self-test.c
index 089bfafe..606ceefc 100644
--- a/libfwupd/fwupd-self-test.c
+++ b/libfwupd/fwupd-self-test.c
@@ -190,7 +190,7 @@ fwupd_remote_download_func (void)
g_assert_cmpint (fwupd_remote_get_kind (remote), ==, FWUPD_REMOTE_KIND_DOWNLOAD);
g_assert_cmpint (fwupd_remote_get_keyring_kind (remote), ==, FWUPD_KEYRING_KIND_JCAT);
g_assert_cmpint (fwupd_remote_get_priority (remote), ==, 0);
- g_assert (fwupd_remote_get_enabled (remote));
+ //g_assert (fwupd_remote_get_enabled (remote));
g_assert (fwupd_remote_get_metadata_uri (remote) != NULL);
g_assert (fwupd_remote_get_metadata_uri_sig (remote) != NULL);
g_assert_cmpstr (fwupd_remote_get_title (remote), ==, "Linux Vendor Firmware Service");
--
2.32.0
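Review bot: In the fwupd-self-test.c hunk of the embedded patch, the check is commented out (`//g_assert (fwupd_remote_get_enabled (remote));`) instead of being inverted, so the self-test no longer pins the remote's enabled state at all. If the test reads the patched data/remotes.d/lvfs.conf, which the need for this change suggests, `g_assert (!fwupd_remote_get_enabled (remote));` would keep the downstream default under test and catch a rebase that silently re-enables the LVFS. The embedded patch also carries no message body; one line stating that the remote is disabled by default on RHEL would help whoever carries it forward. fwupd_remote_download_func starts and ends outside the hunk.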


@ -44,13 +44,27 @@
Summary: Firmware update daemon Summary: Firmware update daemon
Name: fwupd Name: fwupd
Version: 1.5.9 Version: 1.5.9
Release: 3%{?dist} Release: 4%{?dist}
License: LGPLv2+ License: LGPLv2+
URL: https://github.com/fwupd/fwupd URL: https://github.com/fwupd/fwupd
Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
# backport from upstream Source10: http://people.redhat.com/rhughes/dbx/DBXUpdate-20100307-x64.cab
Source11: http://people.redhat.com/rhughes/dbx/DBXUpdate-20140413-x64.cab
Source12: http://people.redhat.com/rhughes/dbx/DBXUpdate-20160809-x64.cab
Source13: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-aa64.cab
Source14: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-ia32.cab
Source15: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab
# these are numbered high just to keep them wildly away from colliding with
# the real package sources, in order to reduce churn.
Source300: redhatsecurebootca3.cer
Source301: redhatsecureboot301.cer
Source500: redhatsecurebootca5.cer
Source503: redhatsecureboot503.cer
Patch0: 13524af2029c2a8a3fb32ef27c39c214d9b5b13c.patch Patch0: 13524af2029c2a8a3fb32ef27c39c214d9b5b13c.patch
Patch2: 0001-Do-not-use-the-LVFS.patch
BuildRequires: gettext BuildRequires: gettext
BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: glib2-devel >= %{glib2_version}
@ -240,6 +254,10 @@ can be flashed using flashrom. It is probably not required on servers.
%install %install
%meson_install %meson_install
# on RHEL the LVFS is disabled by default
mkdir -p %{buildroot}/%{_datadir}/dbxtool
install %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{buildroot}/%{_datadir}/dbxtool
# sign fwupd.efi loader # sign fwupd.efi loader
%if 0%{?have_uefi} %if 0%{?have_uefi}
%ifarch x86_64 %ifarch x86_64
@ -249,10 +267,9 @@ can be flashed using flashrom. It is probably not required on servers.
%global efiarch aa64 %global efiarch aa64
%endif %endif
%global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp %pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
%define __pesign_client_cert fwupd-signer %pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed rm -fv %{fwup_efi_fn}.tmp
rm -vf %{fwup_efi_fn}.tmp
%endif %endif
mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@ -336,6 +353,13 @@ done
%{_datadir}/polkit-1/actions/org.freedesktop.fwupd.policy %{_datadir}/polkit-1/actions/org.freedesktop.fwupd.policy
%{_datadir}/polkit-1/rules.d/org.freedesktop.fwupd.rules %{_datadir}/polkit-1/rules.d/org.freedesktop.fwupd.rules
%{_datadir}/dbus-1/system-services/org.freedesktop.fwupd.service %{_datadir}/dbus-1/system-services/org.freedesktop.fwupd.service
%dir %{_datadir}/dbxtool
%{_datadir}/dbxtool/DBXUpdate-20100307-x64.cab
%{_datadir}/dbxtool/DBXUpdate-20140413-x64.cab
%{_datadir}/dbxtool/DBXUpdate-20160809-x64.cab
%{_datadir}/dbxtool/DBXUpdate-20200729-aa64.cab
%{_datadir}/dbxtool/DBXUpdate-20200729-ia32.cab
%{_datadir}/dbxtool/DBXUpdate-20200729-x64.cab
%{_mandir}/man1/fwupdtool.1* %{_mandir}/man1/fwupdtool.1*
%{_mandir}/man1/fwupdagent.1* %{_mandir}/man1/fwupdagent.1*
%{_mandir}/man1/dfu-tool.1* %{_mandir}/man1/dfu-tool.1*
@ -481,6 +505,11 @@ done
%endif %endif
%changelog %changelog
* Fri Sep 24 2021 Richard Hughes <richard@hughsie.com> 1.5.9-4
- Rebuilt to use redhatsecureboot503 signatures
- Undo last Fedora sync to use the RHEL-specific patches
- Resolves: rhbz#2007520
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.9-3 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.5.9-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688
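Review bot: In the %install hunk, `install %{SOURCE10} … %{buildroot}/%{_datadir}/dbxtool` has no `-m`, so the six DBX .cab files are installed with install's default mode 0755, and the new %files entries do not override it. Data files should go in as `install -m 0644 %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{buildroot}/%{_datadir}/dbxtool`. The comment above it, `# on RHEL the LVFS is disabled by default`, does not describe these lines; something like `# ship the dbx updates in the package because the LVFS remote is disabled` would say why the cabs are installed. The two `%pesign` calls apparently chain so that the loader carries both the redhatsecureboot301 and redhatsecureboot503 signatures, and a one-line comment stating why both are needed would make a later certificate rotation easier to review.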

BIN
redhatsecureboot301.cer Normal file

Binary file not shown.

BIN
redhatsecureboot503.cer Normal file

Binary file not shown.

BIN
redhatsecurebootca3.cer Normal file

Binary file not shown.

BIN
redhatsecurebootca5.cer Normal file

Binary file not shown.


@ -1 +1,7 @@
SHA512 (fwupd-1.5.9.tar.xz) = 1d22bb9759bb0fa6a9030c83b3372ffd02f812c34e4d60f83cbacf5793d68dd846b353a3f127eccfb8f2cdcd329ba09320465cd2f0fe422dea13738e5b0b47ed SHA512 (fwupd-1.5.9.tar.xz) = 1d22bb9759bb0fa6a9030c83b3372ffd02f812c34e4d60f83cbacf5793d68dd846b353a3f127eccfb8f2cdcd329ba09320465cd2f0fe422dea13738e5b0b47ed
SHA512 (DBXUpdate-20100307-x64.cab) = f8ad56cf015f4cdc5c305856ff1f7a8589c25a2a671708c61883f427f38eb9b6a7abd3f2c8d79ef9d5076222255e42585917f8705a2a4b13f860bad4e02ec409
SHA512 (DBXUpdate-20140413-x64.cab) = 75771876a2309fa8ca083c2e76520173d434229b7cacf1e7636bd9b1bc4f871d745c348b9792bfb65fd9f40ef54c25bb427b1431151e817e7050b7829456731a
SHA512 (DBXUpdate-20160809-x64.cab) = c27c564999ae84515540f1a598cd0fd9ef3a80cdfaaf439f1c4cb04eaee0e73074548b6d76c21ca3af1ba9c4c0625907e821582998eb5617e33ecd412e6c8a13
SHA512 (DBXUpdate-20200729-aa64.cab) = 7a0cea13ed9b645fd9f1d5e3410a451d83643a75f5dc603272b0771b093f2c012f9a19419160403631c250cf64127ad2ce1c8fa2079b04064af73fe85b9add33
SHA512 (DBXUpdate-20200729-ia32.cab) = 578ec9cccf2001b8bfa54b66809a1662269677050e74bd3225536fbd2be56a8162c48669bd16ea553723580195df1693a28dc01fc1cf62ff06e36a2c5568f74f
SHA512 (DBXUpdate-20200729-x64.cab) = b8b195167d286a3f16aaa7c89149a0d5b4c8f53080e3265758b912f250fa655533c603359b7d1c989ebad6953ce443809b3317ec1d00f750326945ee0537e43b