import fwupd-1.4.2-4.el8

2020-08-10 18:25:09 +00:00 · 2020-08-10 18:25:09 +00:00 · a1b92a51da
parent 5f98cdbe29
commit a1b92a51da
5 changed files with 24 additions and 7 deletions
--- a/SOURCES/redhatsecureboot301.cer
+++ b/SOURCES/redhatsecureboot301.cer
--- a/SOURCES/redhatsecureboot503.cer
+++ b/SOURCES/redhatsecureboot503.cer
--- a/SOURCES/redhatsecurebootca3.cer
+++ b/SOURCES/redhatsecurebootca3.cer
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@ -32,18 +32,24 @@
 Summary:   Firmware update daemon
 Name:      fwupd
 Version:   1.4.2
-Release:   2%{?dist}
+Release:   4%{?dist}
 License:   LGPLv2+
 URL:       https://github.com/fwupd/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-Source1:   securebootca.cer
-Source2:   secureboot.cer
-Source3:   http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz
+Source1:   http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz
+
+# these are numbered high just to keep them wildly away from colliding with
+# the real package sources, in order to reduce churn.
+Source300:   redhatsecurebootca3.cer
+Source301:   redhatsecureboot301.cer
+Source500:   redhatsecurebootca5.cer
+Source503:   redhatsecureboot503.cer

 Patch1:    0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
 Patch2:    0001-Do-not-use-the-LVFS.patch
 Patch3:    0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch

+BuildRequires: efi-srpm-macros
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: libxmlb-devel >= %{libxmlb_version}
@ -118,6 +124,7 @@ Obsoletes: fwupd-sign < 0.1.6
 Obsoletes: libebitdo < 0.7.5-3
 Obsoletes: libdfu < 1.0.0
 Obsoletes: fwupd-labels < 1.1.0-1
+Obsoletes: fwupdate

 %description
 fwupd is a daemon to allow session software to update device firmware.
@ -142,7 +149,7 @@ Data files for installed tests.
 %patch2 -p1 -b .lvfs-disabled

 mkdir -p subprojects/libjcat
-tar xfvs %{SOURCE3} -C subprojects/libjcat --strip-components=1
+tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1

 # apply patch to subproject
 cd subprojects/libjcat
@ -168,7 +175,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1

 %meson \
    -Dgtkdoc=true \
-    -Defi_os_dir=redhat \
+    -Defi_os_dir=%{efi_vendor} \
    -Dplugin_tpm=false \
    -Dlibjcat:gtkdoc=false \
    -Dlibjcat:introspection=false \
@ -234,7 +241,9 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %global efiarch aa64
 %endif
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
+rm -fv %{fwup_efi_fn}.tmp
 %endif

 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@ -429,6 +438,14 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %endif

 %changelog
+* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 1.4.2-4
+- Add signing with redhatsecureboot503 cert
+  Related: CVE-2020-10713
+
+* Thu Jul 23 2020 Richard Hughes <richard@hughsie.com> 1.4.2-3
+- Obsolete the now-dead fwupdate package to prevent file conflicts
+- Resolves: #1859202
+
 * Fri Jun 05 2020 Richard Hughes <richard@hughsie.com> 1.4.2-2
 - Security fix for CVE-2020-10759
 - Resolves: #1844324