diff --git a/0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
deleted file mode 100644
index 660962f..0000000
--- a/0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+++ /dev/null
@@ -1,287 +0,0 @@ -From 22658f290fcf66213ca6237e37ae97bba39a8a0b Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 6 Jul 2020 13:54:35 -0400 -Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper - -Signed-off-by: Peter Jones ---- - src/Makefile | 1 + - src/macros.pesign | 73 +++++------------ - src/pesign-rpmbuild-helper | 163 +++++++++++++++++++++++++++++++++++++ - 3 files changed, 184 insertions(+), 53 deletions(-) - create mode 100644 src/pesign-rpmbuild-helper - -diff --git a/src/Makefile b/src/Makefile -index 74327ba13f3..c9e9cc6cd1b 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -94,6 +94,7 @@ install : - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ -+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign - $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users - $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups -diff --git a/src/macros.pesign b/src/macros.pesign -index 5a6da1c6809..e3a0de9c2f4 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -6,10 +6,10 @@ - # %pesign -s -i shim.orig -o shim.efi - # And magically get the right thing. 
- --%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} -+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"} - %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} - - %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} - %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"} - - %_pesign /usr/bin/pesign -@@ -24,54 +24,21 @@ - # -a # rhel only - # -s # perform signing - %pesign(i:o:C:e:c:n:a:s) \ -- _pesign_nssdir=/etc/pki/pesign \ -- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \ -- _pesign_nssdir=/etc/pki/pesign-rh-test \ -- fi \ -- if [ -x %{_pesign} ] && \\\ -- [ "%{_target_cpu}" == "x86_64" -o \\\ -- "%{_target_cpu}" == "aarch64" ]; then \ -- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ -- nss=$(mktemp -p $PWD -d) \ -- echo > ${nss}/pwfile \ -- certutil -N -d ${nss} -f ${nss}/pwfile \ -- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \ -- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \ -- sattrs=$(mktemp -p $PWD --suffix=.der) \ -- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \ -- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \ -- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ -- --certdir ${nss} -c signer %{-o} \ -- rm -rf ${sattrs} ${sattrs}.sig ${nss} \ -- elif [ "$(id -un)" == "kojibuilder" -a \\\ -- grep -q ID=fedora /etc/os-release -a \\\ -- ! 
-S /run/pesign/socket ]; then \ -- echo "No socket even though this is kojibuilder" 1>&2 \ -- ls -ld /run/pesign 1>&2 \ -- ls -l /run/pesign/socket 1>&2 \ -- getfacl /run/pesign 1>&2 \ -- getfacl /run/pesign/socket 1>&2 \ -- exit 1 \ -- elif [ -S /run/pesign/socket ]; then \ -- %{_pesign_client} -t %{__pesign_client_token} \\\ -- -c %{__pesign_client_cert} \\\ -- %{-i} %{-o} %{-e} %{-s} %{-C} \ -- else \ -- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ -- --certdir ${_pesign_nssdir} \\\ -- %{-i} %{-o} %{-e} %{-s} %{-C} \ -- fi \ -- else \ -- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \ -- mv %{-i*} %{-o*} \ -- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \ -- touch %{-e*} \ -- fi \ -- fi \ -- if [ ! -s %{-o} ]; then \ -- if [ -e "%{-o*}" ]; then \ -- rm -f %{-o*} \ -- fi \ -- exit 1 \ -- fi ; -- -+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\ -+ "%{_target_cpu}" \\\ -+ "%{_pesign}" \\\ -+ "%{_pesign_client}" \\\ -+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\ -+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\ -+ %{?__pesign_token:%{__pesign_token}} \\\ -+ %{?-n:--cert "\"%{-n*}\""}%{?!-n:--cert "\"%{__pesign_cert}\""} \\\ -+ %{?_rhel:--rhelver "%{_rhel}"} \\\ -+ %{?-a:--cafile "%{-a*}"} \\\ -+ %{?-c:--certfile "%{-c*}"} \\\ -+ %{?-C:--certout "%{-C*}"} \\\ -+ %{?-e:--sattrout "%{-e*}"} \\\ -+ %{?-i:--in "%{-i*}"} \\\ -+ %{?-o:--out "%{-o*}"} \\\ -+ %{?-s:--sign} \\\ -+ ; \ -+%{nil} -diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper -new file mode 100644 -index 00000000000..f3d66320bcc ---- /dev/null -+++ b/src/pesign-rpmbuild-helper -@@ -0,0 +1,164 @@ -+#!/bin/sh -+ -+set -eu -+set -x -+ -+main() { -+ local target_cpu="${1}" && shift -+ local bin="${1}" && shift -+ local client="${1}" && shift -+ -+ local cafile="" || : -+ local certfile="" || : -+ -+ local certout=() || : -+ local sattrout=() || : -+ local input=() || : -+ local output=() || : -+ local client_token=() || : -+ local client_cert=() 
|| : -+ local token=() || : -+ local cert=() || : -+ local rhelver=0 || : -+ local sign="" || : -+ -+ local username="$(id -un)" -+ -+ while [[ $# -ge 2 ]] ; do -+ case " ${1} " in -+ " --cafile ") -+ cafile="${2}" -+ ;; -+ " --certfile ") -+ certfile="${2}" -+ ;; -+ " --certout ") -+ certout[0]=-C -+ certout[1]="${2}" -+ ;; -+ " --sattrout ") -+ sattrout[0]=-e -+ sattrout[1]="${2}" -+ ;; -+ " --client-token ") -+ client_token[0]=-t -+ client_token[1]="${2}" -+ ;; -+ " --client-cert ") -+ client_cert[0]=-c -+ client_cert[1]="${2}" -+ ;; -+ " --token ") -+ token[0]=-t -+ token="${2}" -+ ;; -+ " --cert ") -+ cert[0]=-c -+ cert[1]="${2}" -+ ;; -+ " --certname ") -+ cert[0]=-c -+ cert[1]="${2}" -+ ;; -+ " --in ") -+ input[0]=-i -+ input[1]="${2}" -+ ;; -+ " --out ") -+ output[0]=-o -+ output[1]="${2}" -+ ;; -+ " --rhelver ") -+ rhelver="${2}" -+ ;; -+ *) -+ break -+ ;; -+ esac -+ shift -+ shift -+ done -+ if [ $# -ge 1 -a "${1}" = --sign ] ; then -+ sign=-s -+ shift -+ fi -+ -+ local nssdir=/etc/pki/pesign -+ if [ "${#cert[@]}" -eq 2 ] && -+ [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then -+ nssdir=/etc/pki/pesign-rh-test -+ fi -+ -+ if [ -x "${bin}" ] && -+ [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then -+ if [ -n "${input[*]}" -a -n "${output[*]}" ] ; then -+ mv -v "${input[1]}" "${output[1]}" -+ elif [ -n "${input[*]}" -a -n "${sattrout[*]}" ] ; then -+ touch "${sattrout[1]}" -+ fi -+ -+ # if there's a 0-sized output file, delete it and error out -+ if [ ! 
-s "${output[1]}" ] ; then -+ if [ -e "${output[1]}" ] ; then -+ rm -f "${output[1]}" -+ fi -+ exit 1 -+ fi -+ return 0 -+ fi -+ -+ local socket="" || : -+ if grep -q ID=fedora /etc/os-release && [ "${rhelver}" -lt 7 ] && -+ [ "${username}" = "kojibuilder" -o "${username}" = "mockbuild" ] ; then -+ if [ -S /run/pesign/socket ] ; then -+ socket=/run/pesign/socket -+ elif [ -S /var/run/pesign/socket ]; then -+ socket=/var/run/pesign/socket -+ else -+ echo "Warning: no pesign socket even though user is ${username}" 1>&2 -+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2 -+ ls -ld /run/pesign 1>&2 ||: -+ ls -l /run/pesign/socket 1>&2 ||: -+ getfacl /run/pesign 1>&2 || : -+ getfacl /run/pesign/socket 1>&2 ||: -+ ls -ld /var/run/pesign 1>&2 ||: -+ ls -l /var/run/pesign/socket 1>&2 ||: -+ getfacl /var/run/pesign 1>&2 || : -+ getfacl /var/run/pesign/socket 1>&2 || : -+ fi -+ fi -+ -+ if [ "${rhelver}" -ge 7 ] ; then -+ nssdir=$(mktemp -p $PWD -d) -+ echo > ${nssdir}/pwfile -+ certutil -N -d ${nssdir} -f ${nssdir}/pwfile -+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${cafile}" -d ${nssdir} -+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir} -+ sattrs="$(mktemp -p $PWD --suffix=.der)" -+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \ -+ "${input[@]}" --force -+ rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}" -+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \ -+ --certdir "${nssdir}" -c signer \ -+ "${input[@]}" "${output[@]}" -+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" -+ elif [ -n "${socket}" ] ; then -+ "${client}" "${client_token[@]}" "${client_cert[@]}" \ -+ "${sattrout[@]}" "${certout[@]}" \ -+ ${sign} "${input[@]}" "${output[@]}" -+ else -+ "${bin}" --certdir "${nssdir}" "${token[@]}" \ -+ "${cert[@]}" ${sign} "${sattrout[@]}" \ -+ "${certout[@]}" "${input[@]}" "${output[@]}" -+ fi -+ -+ # if there's a 0-sized output file, delete it and error out -+ if [ "${#output[@]}" -eq 2 ] && ! 
[ -s "${output[1]}" ] ; then -+ if [ -e "${output[1]}" ] ; then -+ rm -f "${output[1]}" -+ fi -+ exit 1 -+ fi -+} -+ -+main "${@}" --- -2.26.2 - diff --git a/0008-remove-debug-print.patch b/0007-client-remove-an-extra-debug-print.patch similarity index 76% rename from 0008-remove-debug-print.patch rename to 0007-client-remove-an-extra-debug-print.patch index 996f92a..b094ea5 100644 --- a/0008-remove-debug-print.patch +++ b/0007-client-remove-an-extra-debug-print.patch @@ -1,7 +1,7 @@ -From 722d60568a1aba99a39918c187b7331e2c368b29 Mon Sep 17 00:00:00 2001 +From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001 From: Peter Jones -Date: Tue, 7 Jul 2020 15:23:36 -0400 -Subject: [PATCH] remove debug print +Date: Tue, 14 Jul 2020 16:44:09 -0400 +Subject: [PATCH 07/11] client: remove an extra debug print Signed-off-by: Peter Jones --- diff --git a/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch new file mode 100644 index 0000000..4b782ed --- /dev/null +++ b/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch 
@@ -0,0 +1,375 @@ +From 25981d57c4d56c53128d561bbe29593a6a20b259 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 6 Jul 2020 13:54:35 -0400 +Subject: [PATCH 08/11] Move most of macros.pesign to pesign-rpmbuild-helper + +Signed-off-by: Peter Jones +--- + Make.defaults | 1 + + src/Makefile | 8 +- + src/macros.pesign | 73 ++++-------- + src/pesign-rpmbuild-helper.in | 216 ++++++++++++++++++++++++++++++++++ + 4 files changed, 245 insertions(+), 53 deletions(-) + create mode 100644 src/pesign-rpmbuild-helper.in + +diff --git a/Make.defaults b/Make.defaults +index 0bacafe0d01..302da50efb5 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR) + + INSTALL ?= install + CROSS_COMPILE ?= ++EFI_ARCHES ?= aa64 ia32 x64 + + PKG_CONFIG = $(CROSS_COMPILE)pkg-config + CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC)) +diff --git a/src/Makefile b/src/Makefile +index 74327ba13f3..a7ca89159c6 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version + include $(TOPDIR)/Make.rules + include $(TOPDIR)/Make.defaults + +-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign ++BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper + SVCTARGETS=pesign.sysvinit pesign.service + TARGETS=$(BINTARGETS) $(SVCTARGETS) + +@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC + pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a + pesign : PKGS=efivar nss nspr popt + ++pesign-rpmbuild-helper: pesign-rpmbuild-helper.in ++ sed \ ++ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \ ++ $^ > $@ ++ + deps : PKGS=efivar nss nspr popt uuid + deps : $(ALL_SOURCES) + $(MAKE) -f $(TOPDIR)/Make.deps \ +@@ -94,6 +99,7 @@ install : + $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ + $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ ++ $(INSTALL) -m 755 
pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign + $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users + $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups +diff --git a/src/macros.pesign b/src/macros.pesign +index 5a6da1c6809..730d3bc449c 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -6,7 +6,7 @@ + # %pesign -s -i shim.orig -o shim.efi + # And magically get the right thing. + +-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} ++%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"} + %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} + + %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} +@@ -24,54 +24,23 @@ + # -a # rhel only + # -s # perform signing + %pesign(i:o:C:e:c:n:a:s) \ +- _pesign_nssdir=/etc/pki/pesign \ +- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \ +- _pesign_nssdir=/etc/pki/pesign-rh-test \ +- fi \ +- if [ -x %{_pesign} ] && \\\ +- [ "%{_target_cpu}" == "x86_64" -o \\\ +- "%{_target_cpu}" == "aarch64" ]; then \ +- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ +- nss=$(mktemp -p $PWD -d) \ +- echo > ${nss}/pwfile \ +- certutil -N -d ${nss} -f ${nss}/pwfile \ +- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \ +- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \ +- sattrs=$(mktemp -p $PWD --suffix=.der) \ +- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \ +- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \ +- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ +- --certdir ${nss} -c signer %{-o} \ +- rm -rf ${sattrs} ${sattrs}.sig ${nss} \ +- elif [ "$(id -un)" == "kojibuilder" -a \\\ +- grep -q ID=fedora /etc/os-release -a \\\ +- ! 
-S /run/pesign/socket ]; then \ +- echo "No socket even though this is kojibuilder" 1>&2 \ +- ls -ld /run/pesign 1>&2 \ +- ls -l /run/pesign/socket 1>&2 \ +- getfacl /run/pesign 1>&2 \ +- getfacl /run/pesign/socket 1>&2 \ +- exit 1 \ +- elif [ -S /run/pesign/socket ]; then \ +- %{_pesign_client} -t %{__pesign_client_token} \\\ +- -c %{__pesign_client_cert} \\\ +- %{-i} %{-o} %{-e} %{-s} %{-C} \ +- else \ +- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ +- --certdir ${_pesign_nssdir} \\\ +- %{-i} %{-o} %{-e} %{-s} %{-C} \ +- fi \ +- else \ +- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \ +- mv %{-i*} %{-o*} \ +- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \ +- touch %{-e*} \ +- fi \ +- fi \ +- if [ ! -s %{-o} ]; then \ +- if [ -e "%{-o*}" ]; then \ +- rm -f %{-o*} \ +- fi \ +- exit 1 \ +- fi ; +- ++ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\ ++ "%{_target_cpu}" \\\ ++ "%{_pesign}" \\\ ++ "%{_pesign_client}" \\\ ++ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\ ++ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\ ++ %{?__pesign_token:%{__pesign_token}} \\\ ++ %{?__pesign_cert:--cert %{__pesign_cert}} \\\ ++ %{?vendor:--vendor %{vendor}} \\\ ++ %{?_rhel:--rhelver "%{_rhel}"} \\\ ++ %{?-n:--rhelcert "%{-n*}"}%{?!-n:--rhelcert "%{__pesign_cert}"} \\\ ++ %{?-a:--rhelcafile "%{-a*}"} \\\ ++ %{?-c:--rhelcertfile "%{-c*}"} \\\ ++ %{?-C:--certout "%{-C*}"} \\\ ++ %{?-e:--sattrout "%{-e*}"} \\\ ++ %{?-i:--in "%{-i*}"} \\\ ++ %{?-o:--out "%{-o*}"} \\\ ++ %{?-s:--sign} \\\ ++ ; \ ++%{nil} +diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in +new file mode 100644 +index 00000000000..cb53550121f +--- /dev/null ++++ b/src/pesign-rpmbuild-helper.in +@@ -0,0 +1,219 @@ ++#!/bin/bash ++# shellcheck shell=bash ++ ++set -eu ++set -x ++ ++usage() { ++ local status="${1}" && shift ++ local out ++ if [[ "${status}" -eq 0 ]] ; then ++ out=/dev/stdout ++ else ++ out=/dev/stderr ++ fi ++ ++ if [[ $# -gt 0 ]] ; then ++ echo 
"${0}: error: $*" >>"${out}" ++ fi ++ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}" ++ exit "${status}" ++} ++ ++is_efi_arch() { ++ local arch="${1}" ++ local arches=(@@EFI_ARCHES@@) ++ local x ++ for x in "${arches[@]}" ; do ++ if [[ "${arch}" = "${x}" ]] ; then ++ return 0 ++ fi ++ done ++ return 1 ++} ++ ++error_on_empty() { ++ local f="${1}" ++ if [[ ! -s "${f}" ]] ; then ++ if [[ -e "${f}" ]] ; then ++ rm -f "${f}" ++ fi ++ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr ++ exit 1 ++ fi ++} ++ ++main() { ++ if [[ $# -lt 3 ]] ; then ++ usage 1 not enough arguments ++ fi ++ local target_cpu="${1}" && shift ++ local bin="${1}" && shift ++ local client="${1}" && shift ++ ++ local rhelcafile="" || : ++ local rhelcertfile="" || : ++ ++ local certout=() || : ++ local sattrout=() || : ++ local input=() || : ++ local output=() || : ++ local client_token=() || : ++ local client_cert=() || : ++ local token=() || : ++ local cert=() || : ++ local rhelcert=() || : ++ local rhelver=0 || : ++ local sign="" || : ++ local arch="" || : ++ local vendor="" || : ++ ++ while [[ $# -ge 2 ]] ; do ++ case " ${1} " in ++ " --rhelcafile ") ++ rhelcafile="${2}" ++ ;; ++ " --rhelcertfile ") ++ rhelcertfile="${2}" ++ ;; ++ " --certout ") ++ certout[0]=-C ++ certout[1]="${2}" ++ ;; ++ " --sattrout ") ++ sattrout[0]=-e ++ sattrout[1]="${2}" ++ ;; ++ " --client-token ") ++ client_token[0]=-t ++ client_token[1]="${2}" ++ ;; ++ " --client-cert ") ++ client_cert[0]=-c ++ client_cert[1]="${2}" ++ ;; ++ " --token ") ++ token[0]=-t ++ token[1]="${2}" ++ ;; ++ " --cert ") ++ cert[0]=-c ++ cert[1]="${2}" ++ ;; ++ " --rhelcert ") ++ rhelcert[0]=-c ++ rhelcert[1]="${2}" ++ ;; ++ " --in ") ++ input[0]=-i ++ input[1]="${2}" ++ ;; ++ " --out ") ++ output[0]=-o ++ output[1]="${2}" ++ ;; ++ " --rhelver ") ++ rhelver="${2}" ++ ;; ++ " --vendor ") ++ vendor="${2}" ++ ;; ++ *) ++ break ++ ;; ++ esac ++ shift ++ shift ++ done ++ if [[ $# -ge 1 ]] && [[ "${1}" = 
--sign ]] ; then ++ sign=-s ++ shift ++ fi ++ ++ if [[ -z "${target_cpu}" ]] ; then ++ target_cpu="$(uname -m)" ++ fi ++ ++ target_cpu="${target_cpu/i?86/ia32}" ++ target_cpu="${target_cpu/x86_64/x64}" ++ target_cpu="${target_cpu/aarch64/aa64}" ++ target_cpu="${target_cpu/arm*/arm/}" ++ ++ local nssdir=/etc/pki/pesign ++ if [[ "${#cert[@]}" -eq 2 ]] && ++ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then ++ nssdir=/etc/pki/pesign-rh-test ++ fi ++ ++ # is_efi_arch is ultimately returning "is pesign configured to sign these ++ # using the rpm macro", so if it isn't, we're just copying the input to ++ # the output ++ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then ++ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then ++ cp -v "${input[1]}" "${output[1]}" ++ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then ++ touch "${sattrout[1]}" ++ fi ++ ++ # if there's a 0-sized output file, delete it and error out ++ error_on_empty "${output[1]}" ++ return 0 ++ fi ++ ++ USERNAME="${USERNAME:-$(id -un)}" ++ HOSTNAME="${HOSTNAME:-$(hostname)}" ++ ++ local socket="" || : ++ if grep -q ID=fedora /etc/os-release \ ++ && [[ "${rhelver}" -lt 7 ]] \ ++ && [[ "${USERNAME}" = "mockbuild" ]] \ ++ && [[ "${vendor}" == "Fedora Project" ]] \ ++ && [[ "${HOSTNAME}" =~ bkernel.* ]] ++ then ++ if [[ -S /run/pesign/socket ]] ; then ++ socket=/run/pesign/socket ++ elif [[ -S /var/run/pesign/socket ]]; then ++ socket=/var/run/pesign/socket ++ else ++ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2 ++ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2 ++ ls -ld /run/pesign /var/run/pesign 1>&2 ||: ++ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||: ++ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||: ++ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||: ++ fi ++ fi ++ ++ if [[ "${rhelver}" -ge 7 ]] ; then ++ nssdir="$(mktemp -p 
"${PWD}" -d)" ++ echo > "${nssdir}/pwfile" ++ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile" ++ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}" ++ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}" ++ sattrs="$(mktemp -p "${PWD}" --suffix=.der)" ++ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \ ++ "${input[@]}" --force ++ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}" ++ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \ ++ --certdir "${nssdir}" -c signer \ ++ "${input[@]}" "${output[@]}" ++ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" ++ elif [[ -n "${socket}" ]] ; then ++ "${client}" "${client_token[@]}" "${client_cert[@]}" \ ++ "${sattrout[@]}" "${certout[@]}" \ ++ ${sign} "${input[@]}" "${output[@]}" ++ else ++ "${bin}" --certdir "${nssdir}" "${token[@]}" \ ++ "${cert[@]}" ${sign} "${sattrout[@]}" \ ++ "${certout[@]}" "${input[@]}" "${output[@]}" ++ fi ++ ++ # if there's a 0-sized output file, delete it and error out ++ if [[ "${#output[@]}" -eq 2 ]] ; then ++ error_on_empty "${output[1]}" ++ fi ++} ++ ++main "${@}" ++ ++# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4 +-- +2.26.2 + diff --git a/0009-pesign-authorize-shellcheck.patch b/0009-pesign-authorize-shellcheck.patch new file mode 100644 index 0000000..8a8f7c9 --- /dev/null +++ b/0009-pesign-authorize-shellcheck.patch 
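Review bot: In the non-EFI early-return branch of `main` the helper calls `error_on_empty "${output[1]}"` unconditionally, so a `%pesign -i … -e …` invocation without `-o` on such an arch dies with an unbound-variable error under `set -eu` instead of touching the sattrs file and returning, while the EFI path below correctly guards with `[[ "${#output[@]}" -eq 2 ]]`; guard it the same way, `if [[ "${#output[@]}" -eq 2 ]] ; then error_on_empty "${output[1]}" ; fi`. The arm normalisation `target_cpu="${target_cpu/arm*/arm/}"` carries the closing slash into the replacement and yields `arm/`; it should read `target_cpu="${target_cpu/arm*/arm}"`. The socket-routing decision reads `USERNAME` and `HOSTNAME` from the build environment before falling back to `id -un` and `hostname`, so a spec or mock configuration can steer the helper toward the signing socket; that is presumably acceptable only because access to `/run/pesign/socket` is enforced by the daemon-side ACLs (confirm), and a comment on that block should say so explicitly. The trust flags on the throwaway NSS DB were widened from `CT,C,`/`,c,` to `CTu,CTu,CTu` for both the CA and the signer entry; if that is deliberate, a one-line comment explaining why the narrower flags no longer sufficed would save the next reader from re-deriving it.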
@@ -0,0 +1,60 @@ +From 91d45fea14dfce71f79534b0df276cf8175c0565 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jul 2020 15:07:32 -0400 +Subject: [PATCH 09/11] pesign-authorize: shellcheck + +Signed-off-by: Peter Jones +--- + src/pesign-authorize | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/pesign-authorize b/src/pesign-authorize +index a496f601ab4..55cd5c4e55b 100755 +--- a/src/pesign-authorize ++++ b/src/pesign-authorize +@@ -12,21 +12,21 @@ set -u + # License: GPLv2 + declare -a fileusers=() + declare -a dirusers=() +-for user in $(cat /etc/pesign/users); do ++while read -r user ; do + dirusers[${#dirusers[@]}]=-m + dirusers[${#dirusers[@]}]="u:$user:rwx" + fileusers[${#fileusers[@]}]=-m + fileusers[${#fileusers[@]}]="u:$user:rw" +-done ++done +Date: Tue, 14 Jul 2020 15:08:15 -0400 +Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/ + +Signed-off-by: Peter Jones +--- + src/pesign-authorize | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pesign-authorize b/src/pesign-authorize +index 55cd5c4e55b..c5448329c2c 100755 +--- a/src/pesign-authorize ++++ b/src/pesign-authorize +@@ -47,7 +47,7 @@ update_subdir() { + done + } + +-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do ++for x in /var/run/pesign/ /etc/pki/pesign/ ; do + if [ -d "${x}" ]; then + update_subdir "${x}" + else +-- +2.26.2 + diff --git a/0011-kernel-building-hack.patch b/0011-kernel-building-hack.patch new file mode 100644 index 0000000..532b098 --- /dev/null +++ b/0011-kernel-building-hack.patch 
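Review bot: The new `while read -r user` loop feeds every line of `/etc/pesign/users` into the ACL list literally, so a blank line — which the old `for user in $(cat …)` word-splitting silently dropped — produces `-m u::rwx` / `-m u::rw`, an entry setfacl treats as the owning user's permissions rather than a named user; skip such lines with `[[ -z "${user}" ]] && continue` (or `IFS=` plus a match on `^[A-Za-z0-9_.-]+$`) before appending. The hunk as extracted here is truncated — the `done < …` redirection and the header of the 0010 patch are missing between `+done` and `+Date:` — so the rest of the loop and the 0010 change could only be partly reviewed; restricting the `setfacl` sweep to `/etc/pki/pesign/` and no longer touching the test-cert directory looks correct as far as it is visible.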
@@ -0,0 +1,40 @@ +From 43d1c74b391485178da1d38722da0f28ece8b336 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jul 2020 16:42:39 -0400 +Subject: [PATCH 11/11] kernel building hack + +Signed-off-by: Peter Jones +--- + src/pesign-rpmbuild-helper.in | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in +index d9236035928..2666c74a9ba 100644 +--- a/src/pesign-rpmbuild-helper.in ++++ b/src/pesign-rpmbuild-helper.in +@@ -195,6 +195,22 @@ main() { + "${input[@]}" "${output[@]}" + rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" + elif [[ -n "${socket}" ]] ; then ++ ### welcome haaaaack city ++ if [[ "${client_token[1]}" = "/CN=Fedora Secure Boot Signer" ]] ; then ++ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \ ++ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then ++ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \ ++ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then ++ client_token[1]=kernel-signer ++ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \ ++ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then ++ client_token[1]=grub2-signer ++ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \ ++ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then ++ client_token[1]=fwupd-signer ++ fi ++ fi ++ fi + "${client}" "${client_token[@]}" "${client_cert[@]}" \ + "${sattrout[@]}" "${certout[@]}" \ + ${sign} "${input[@]}" "${output[@]}" +-- +2.26.2 + diff --git a/pesign.spec b/pesign.spec index 7086dce..d2f310c 100644 --- a/pesign.spec +++ b/pesign.spec @@ -3,7 +3,7 @@ Name: pesign Summary: Signing utility for UEFI binaries Version: 113 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2 URL: https://github.com/vathpela/pesign 
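Review bot: The guard `[[ "${client_token[1]}" = "/CN=Fedora Secure Boot Signer" ]]` compares the client *token* against the string the macros file uses as the default client *cert* (`%__pesign_client_cert`); with the default token `"OpenSC Card (Fedora Signer)"` the condition never holds and the whole remapping is dead, so either `client_cert[1]` was meant or the block should go. The certificate-file tests such as `=~ redhatsecureboot501.*` are unanchored substring matches against the full path (the trailing `.*` adds nothing), so any directory component containing that text selects `kernel-signer`; match the basename with an anchored glob instead, e.g. `[[ "${rhelcertfile##*/}" == redhatsecureboot501* ]]`. Because this picks which signing key a build uses from a spec-controlled input filename and cert path, the block deserves a comment stating that the pesign daemon's own authorization is presumably still the real access control (confirm), rather than only `### welcome haaaaack city`. The enclosing `elif` branch and `main` end outside the hunk.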
@@ -48,8 +48,11 @@ Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch Patch0004: 0004-Rename-var-run-to-run.patch Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch -Patch0007: 0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch -Patch0008: 0008-remove-debug-print.patch +Patch0007: 0007-client-remove-an-extra-debug-print.patch +Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch +Patch0009: 0009-pesign-authorize-shellcheck.patch +Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch +Patch0011: 0011-kernel-building-hack.patch %description This package contains the pesign utility for signing UEFI binaries as @@ -162,6 +165,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null %{python3_sitelib}/mockbuild/plugins/pesign.* %changelog +* Thu Jul 16 2020 Peter Jones - 113-9 +- Even more kernel build debugging... + * Tue Jul 07 2020 Peter Jones - 113-8 - More kernel build debugging...