import fwupd-1.4.2-4.el8

2020-08-10 18:25:09 +00:00 · 2020-08-10 18:25:09 +00:00 · a1b92a51da
commit a1b92a51da
parent 5f98cdbe29
5 changed files with 24 additions and 7 deletions
--- a/SOURCES/redhatsecureboot301.cer
+++ b/SOURCES/redhatsecureboot301.cer
--- a/SOURCES/redhatsecureboot503.cer
+++ b/SOURCES/redhatsecureboot503.cer
--- a/SOURCES/redhatsecurebootca3.cer
+++ b/SOURCES/redhatsecurebootca3.cer
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@ -32,18 +32,24 @@
 Summary:   Firmware update daemon
 Name:      fwupd
 Version:   1.4.2
-Release:   2%{?dist}
+Release:   4%{?dist}
 License:   LGPLv2+
 URL:       https://github.com/fwupd/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-Source1:   securebootca.cer
+Source1:   http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz
-Source2:   secureboot.cer
+
-Source3:   http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz
+# these are numbered high just to keep them wildly away from colliding with
 # the real package sources, in order to reduce churn.
 Source300:   redhatsecurebootca3.cer
 Source301:   redhatsecureboot301.cer
 Source500:   redhatsecurebootca5.cer
 Source503:   redhatsecureboot503.cer
 Patch1:    0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
 Patch2:    0001-Do-not-use-the-LVFS.patch
 Patch3:    0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
 BuildRequires: efi-srpm-macros
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: libxmlb-devel >= %{libxmlb_version}
@ -118,6 +124,7 @@ Obsoletes: fwupd-sign < 0.1.6
 Obsoletes: libebitdo < 0.7.5-3
 Obsoletes: libdfu < 1.0.0
 Obsoletes: fwupd-labels < 1.1.0-1
 Obsoletes: fwupdate
 %description
 fwupd is a daemon to allow session software to update device firmware.
@ -142,7 +149,7 @@ Data files for installed tests.
 %patch2 -p1 -b .lvfs-disabled
 mkdir -p subprojects/libjcat
-tar xfvs %{SOURCE3} -C subprojects/libjcat --strip-components=1
+tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1
 # apply patch to subproject
 cd subprojects/libjcat
@ -168,7 +175,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %meson \
    -Dgtkdoc=true \
-    -Defi_os_dir=redhat \
+    -Defi_os_dir=%{efi_vendor} \
    -Dplugin_tpm=false \
    -Dlibjcat:gtkdoc=false \
    -Dlibjcat:introspection=false \
@ -234,7 +241,9 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %global efiarch aa64
 %endif
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
 %pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
 rm -fv %{fwup_efi_fn}.tmp
 %endif
 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@ -429,6 +438,14 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %endif
 %changelog
 * Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 1.4.2-4
 - Add signing with redhatsecureboot503 cert
  Related: CVE-2020-10713
 * Thu Jul 23 2020 Richard Hughes <richard@hughsie.com> 1.4.2-3
 - Obsolete the now-dead fwupdate package to prevent file conflicts
 - Resolves: #1859202
 * Fri Jun 05 2020 Richard Hughes <richard@hughsie.com> 1.4.2-2
 - Security fix for CVE-2020-10759
 - Resolves: #1844324