More kernel build debugging...
Signed-off-by: Peter Jones <pjones@redhat.com>
parent
658f5fea05
commit
2335e6390f
@ -1,287 +0,0 @@
|
||||
From 22658f290fcf66213ca6237e37ae97bba39a8a0b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 6 Jul 2020 13:54:35 -0400
|
||||
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/Makefile | 1 +
|
||||
src/macros.pesign | 73 +++++------------
|
||||
src/pesign-rpmbuild-helper | 163 +++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 184 insertions(+), 53 deletions(-)
|
||||
create mode 100644 src/pesign-rpmbuild-helper
|
||||
|
||||
diff --git a/src/Makefile b/src/Makefile
|
||||
index 74327ba13f3..c9e9cc6cd1b 100644
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -94,6 +94,7 @@ install :
|
||||
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
||||
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
|
||||
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 5a6da1c6809..e3a0de9c2f4 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -6,10 +6,10 @@
|
||||
# %pesign -s -i shim.orig -o shim.efi
|
||||
# And magically get the right thing.
|
||||
|
||||
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
||||
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
|
||||
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||
|
||||
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
|
||||
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||
|
||||
%_pesign /usr/bin/pesign
|
||||
@@ -24,54 +24,21 @@
|
||||
# -a <input ca cert filename> # rhel only
|
||||
# -s # perform signing
|
||||
%pesign(i:o:C:e:c:n:a:s) \
|
||||
- _pesign_nssdir=/etc/pki/pesign \
|
||||
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
|
||||
- _pesign_nssdir=/etc/pki/pesign-rh-test \
|
||||
- fi \
|
||||
- if [ -x %{_pesign} ] && \\\
|
||||
- [ "%{_target_cpu}" == "x86_64" -o \\\
|
||||
- "%{_target_cpu}" == "aarch64" ]; then \
|
||||
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
|
||||
- nss=$(mktemp -p $PWD -d) \
|
||||
- echo > ${nss}/pwfile \
|
||||
- certutil -N -d ${nss} -f ${nss}/pwfile \
|
||||
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
||||
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
||||
- sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
|
||||
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
|
||||
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||
- --certdir ${nss} -c signer %{-o} \
|
||||
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||
- elif [ "$(id -un)" == "kojibuilder" -a \\\
|
||||
- grep -q ID=fedora /etc/os-release -a \\\
|
||||
- ! -S /run/pesign/socket ]; then \
|
||||
- echo "No socket even though this is kojibuilder" 1>&2 \
|
||||
- ls -ld /run/pesign 1>&2 \
|
||||
- ls -l /run/pesign/socket 1>&2 \
|
||||
- getfacl /run/pesign 1>&2 \
|
||||
- getfacl /run/pesign/socket 1>&2 \
|
||||
- exit 1 \
|
||||
- elif [ -S /run/pesign/socket ]; then \
|
||||
- %{_pesign_client} -t %{__pesign_client_token} \\\
|
||||
- -c %{__pesign_client_cert} \\\
|
||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
- else \
|
||||
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
||||
- --certdir ${_pesign_nssdir} \\\
|
||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
- fi \
|
||||
- else \
|
||||
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
|
||||
- mv %{-i*} %{-o*} \
|
||||
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
|
||||
- touch %{-e*} \
|
||||
- fi \
|
||||
- fi \
|
||||
- if [ ! -s %{-o} ]; then \
|
||||
- if [ -e "%{-o*}" ]; then \
|
||||
- rm -f %{-o*} \
|
||||
- fi \
|
||||
- exit 1 \
|
||||
- fi ;
|
||||
-
|
||||
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
|
||||
+ "%{_target_cpu}" \\\
|
||||
+ "%{_pesign}" \\\
|
||||
+ "%{_pesign_client}" \\\
|
||||
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
|
||||
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
|
||||
+ %{?__pesign_token:%{__pesign_token}} \\\
|
||||
+ %{?-n:--cert "\"%{-n*}\""}%{?!-n:--cert "\"%{__pesign_cert}\""} \\\
|
||||
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
|
||||
+ %{?-a:--cafile "%{-a*}"} \\\
|
||||
+ %{?-c:--certfile "%{-c*}"} \\\
|
||||
+ %{?-C:--certout "%{-C*}"} \\\
|
||||
+ %{?-e:--sattrout "%{-e*}"} \\\
|
||||
+ %{?-i:--in "%{-i*}"} \\\
|
||||
+ %{?-o:--out "%{-o*}"} \\\
|
||||
+ %{?-s:--sign} \\\
|
||||
+ ; \
|
||||
+%{nil}
|
||||
diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
|
||||
new file mode 100644
|
||||
index 00000000000..f3d66320bcc
|
||||
--- /dev/null
|
||||
+++ b/src/pesign-rpmbuild-helper
|
||||
@@ -0,0 +1,164 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+set -eu
|
||||
+set -x
|
||||
+
|
||||
+main() {
|
||||
+ local target_cpu="${1}" && shift
|
||||
+ local bin="${1}" && shift
|
||||
+ local client="${1}" && shift
|
||||
+
|
||||
+ local cafile="" || :
|
||||
+ local certfile="" || :
|
||||
+
|
||||
+ local certout=() || :
|
||||
+ local sattrout=() || :
|
||||
+ local input=() || :
|
||||
+ local output=() || :
|
||||
+ local client_token=() || :
|
||||
+ local client_cert=() || :
|
||||
+ local token=() || :
|
||||
+ local cert=() || :
|
||||
+ local rhelver=0 || :
|
||||
+ local sign="" || :
|
||||
+
|
||||
+ local username="$(id -un)"
|
||||
+
|
||||
+ while [[ $# -ge 2 ]] ; do
|
||||
+ case " ${1} " in
|
||||
+ " --cafile ")
|
||||
+ cafile="${2}"
|
||||
+ ;;
|
||||
+ " --certfile ")
|
||||
+ certfile="${2}"
|
||||
+ ;;
|
||||
+ " --certout ")
|
||||
+ certout[0]=-C
|
||||
+ certout[1]="${2}"
|
||||
+ ;;
|
||||
+ " --sattrout ")
|
||||
+ sattrout[0]=-e
|
||||
+ sattrout[1]="${2}"
|
||||
+ ;;
|
||||
+ " --client-token ")
|
||||
+ client_token[0]=-t
|
||||
+ client_token[1]="${2}"
|
||||
+ ;;
|
||||
+ " --client-cert ")
|
||||
+ client_cert[0]=-c
|
||||
+ client_cert[1]="${2}"
|
||||
+ ;;
|
||||
+ " --token ")
|
||||
+ token[0]=-t
|
||||
+ token="${2}"
|
||||
+ ;;
|
||||
+ " --cert ")
|
||||
+ cert[0]=-c
|
||||
+ cert[1]="${2}"
|
||||
+ ;;
|
||||
+ " --certname ")
|
||||
+ cert[0]=-c
|
||||
+ cert[1]="${2}"
|
||||
+ ;;
|
||||
+ " --in ")
|
||||
+ input[0]=-i
|
||||
+ input[1]="${2}"
|
||||
+ ;;
|
||||
+ " --out ")
|
||||
+ output[0]=-o
|
||||
+ output[1]="${2}"
|
||||
+ ;;
|
||||
+ " --rhelver ")
|
||||
+ rhelver="${2}"
|
||||
+ ;;
|
||||
+ *)
|
||||
+ break
|
||||
+ ;;
|
||||
+ esac
|
||||
+ shift
|
||||
+ shift
|
||||
+ done
|
||||
+ if [ $# -ge 1 -a "${1}" = --sign ] ; then
|
||||
+ sign=-s
|
||||
+ shift
|
||||
+ fi
|
||||
+
|
||||
+ local nssdir=/etc/pki/pesign
|
||||
+ if [ "${#cert[@]}" -eq 2 ] &&
|
||||
+ [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then
|
||||
+ nssdir=/etc/pki/pesign-rh-test
|
||||
+ fi
|
||||
+
|
||||
+ if [ -x "${bin}" ] &&
|
||||
+ [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then
|
||||
+ if [ -n "${input[*]}" -a -n "${output[*]}" ] ; then
|
||||
+ mv -v "${input[1]}" "${output[1]}"
|
||||
+ elif [ -n "${input[*]}" -a -n "${sattrout[*]}" ] ; then
|
||||
+ touch "${sattrout[1]}"
|
||||
+ fi
|
||||
+
|
||||
+ # if there's a 0-sized output file, delete it and error out
|
||||
+ if [ ! -s "${output[1]}" ] ; then
|
||||
+ if [ -e "${output[1]}" ] ; then
|
||||
+ rm -f "${output[1]}"
|
||||
+ fi
|
||||
+ exit 1
|
||||
+ fi
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
+ local socket="" || :
|
||||
+ if grep -q ID=fedora /etc/os-release && [ "${rhelver}" -lt 7 ] &&
|
||||
+ [ "${username}" = "kojibuilder" -o "${username}" = "mockbuild" ] ; then
|
||||
+ if [ -S /run/pesign/socket ] ; then
|
||||
+ socket=/run/pesign/socket
|
||||
+ elif [ -S /var/run/pesign/socket ]; then
|
||||
+ socket=/var/run/pesign/socket
|
||||
+ else
|
||||
+ echo "Warning: no pesign socket even though user is ${username}" 1>&2
|
||||
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
|
||||
+ ls -ld /run/pesign 1>&2 ||:
|
||||
+ ls -l /run/pesign/socket 1>&2 ||:
|
||||
+ getfacl /run/pesign 1>&2 || :
|
||||
+ getfacl /run/pesign/socket 1>&2 ||:
|
||||
+ ls -ld /var/run/pesign 1>&2 ||:
|
||||
+ ls -l /var/run/pesign/socket 1>&2 ||:
|
||||
+ getfacl /var/run/pesign 1>&2 || :
|
||||
+ getfacl /var/run/pesign/socket 1>&2 || :
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ if [ "${rhelver}" -ge 7 ] ; then
|
||||
+ nssdir=$(mktemp -p $PWD -d)
|
||||
+ echo > ${nssdir}/pwfile
|
||||
+ certutil -N -d ${nssdir} -f ${nssdir}/pwfile
|
||||
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${cafile}" -d ${nssdir}
|
||||
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
|
||||
+ sattrs="$(mktemp -p $PWD --suffix=.der)"
|
||||
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
|
||||
+ "${input[@]}" --force
|
||||
+ rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}"
|
||||
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
|
||||
+ --certdir "${nssdir}" -c signer \
|
||||
+ "${input[@]}" "${output[@]}"
|
||||
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
|
||||
+ elif [ -n "${socket}" ] ; then
|
||||
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
|
||||
+ "${sattrout[@]}" "${certout[@]}" \
|
||||
+ ${sign} "${input[@]}" "${output[@]}"
|
||||
+ else
|
||||
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
|
||||
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
|
||||
+ "${certout[@]}" "${input[@]}" "${output[@]}"
|
||||
+ fi
|
||||
+
|
||||
+ # if there's a 0-sized output file, delete it and error out
|
||||
+ if [ "${#output[@]}" -eq 2 ] && ! [ -s "${output[1]}" ] ; then
|
||||
+ if [ -e "${output[1]}" ] ; then
|
||||
+ rm -f "${output[1]}"
|
||||
+ fi
|
||||
+ exit 1
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+main "${@}"
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 722d60568a1aba99a39918c187b7331e2c368b29 Mon Sep 17 00:00:00 2001
|
||||
From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 7 Jul 2020 15:23:36 -0400
|
||||
Subject: [PATCH] remove debug print
|
||||
Date: Tue, 14 Jul 2020 16:44:09 -0400
|
||||
Subject: [PATCH 07/11] client: remove an extra debug print
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
@ -0,0 +1,375 @@
|
||||
From 25981d57c4d56c53128d561bbe29593a6a20b259 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 6 Jul 2020 13:54:35 -0400
|
||||
Subject: [PATCH 08/11] Move most of macros.pesign to pesign-rpmbuild-helper
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
Make.defaults | 1 +
|
||||
src/Makefile | 8 +-
|
||||
src/macros.pesign | 73 ++++--------
|
||||
src/pesign-rpmbuild-helper.in | 216 ++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 245 insertions(+), 53 deletions(-)
|
||||
create mode 100644 src/pesign-rpmbuild-helper.in
|
||||
|
||||
diff --git a/Make.defaults b/Make.defaults
|
||||
index 0bacafe0d01..302da50efb5 100644
|
||||
--- a/Make.defaults
|
||||
+++ b/Make.defaults
|
||||
@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
|
||||
|
||||
INSTALL ?= install
|
||||
CROSS_COMPILE ?=
|
||||
+EFI_ARCHES ?= aa64 ia32 x64
|
||||
|
||||
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
|
||||
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
|
||||
diff --git a/src/Makefile b/src/Makefile
|
||||
index 74327ba13f3..a7ca89159c6 100644
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
|
||||
include $(TOPDIR)/Make.rules
|
||||
include $(TOPDIR)/Make.defaults
|
||||
|
||||
-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
|
||||
+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
|
||||
SVCTARGETS=pesign.sysvinit pesign.service
|
||||
TARGETS=$(BINTARGETS) $(SVCTARGETS)
|
||||
|
||||
@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
|
||||
pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
|
||||
pesign : PKGS=efivar nss nspr popt
|
||||
|
||||
+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
|
||||
+ sed \
|
||||
+ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
|
||||
+ $^ > $@
|
||||
+
|
||||
deps : PKGS=efivar nss nspr popt uuid
|
||||
deps : $(ALL_SOURCES)
|
||||
$(MAKE) -f $(TOPDIR)/Make.deps \
|
||||
@@ -94,6 +99,7 @@ install :
|
||||
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
||||
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
|
||||
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 5a6da1c6809..730d3bc449c 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -6,7 +6,7 @@
|
||||
# %pesign -s -i shim.orig -o shim.efi
|
||||
# And magically get the right thing.
|
||||
|
||||
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
||||
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
|
||||
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||
|
||||
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
|
||||
@@ -24,54 +24,23 @@
|
||||
# -a <input ca cert filename> # rhel only
|
||||
# -s # perform signing
|
||||
%pesign(i:o:C:e:c:n:a:s) \
|
||||
- _pesign_nssdir=/etc/pki/pesign \
|
||||
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
|
||||
- _pesign_nssdir=/etc/pki/pesign-rh-test \
|
||||
- fi \
|
||||
- if [ -x %{_pesign} ] && \\\
|
||||
- [ "%{_target_cpu}" == "x86_64" -o \\\
|
||||
- "%{_target_cpu}" == "aarch64" ]; then \
|
||||
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
|
||||
- nss=$(mktemp -p $PWD -d) \
|
||||
- echo > ${nss}/pwfile \
|
||||
- certutil -N -d ${nss} -f ${nss}/pwfile \
|
||||
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
||||
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
||||
- sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
|
||||
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
|
||||
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||
- --certdir ${nss} -c signer %{-o} \
|
||||
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||
- elif [ "$(id -un)" == "kojibuilder" -a \\\
|
||||
- grep -q ID=fedora /etc/os-release -a \\\
|
||||
- ! -S /run/pesign/socket ]; then \
|
||||
- echo "No socket even though this is kojibuilder" 1>&2 \
|
||||
- ls -ld /run/pesign 1>&2 \
|
||||
- ls -l /run/pesign/socket 1>&2 \
|
||||
- getfacl /run/pesign 1>&2 \
|
||||
- getfacl /run/pesign/socket 1>&2 \
|
||||
- exit 1 \
|
||||
- elif [ -S /run/pesign/socket ]; then \
|
||||
- %{_pesign_client} -t %{__pesign_client_token} \\\
|
||||
- -c %{__pesign_client_cert} \\\
|
||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
- else \
|
||||
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
||||
- --certdir ${_pesign_nssdir} \\\
|
||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
- fi \
|
||||
- else \
|
||||
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
|
||||
- mv %{-i*} %{-o*} \
|
||||
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
|
||||
- touch %{-e*} \
|
||||
- fi \
|
||||
- fi \
|
||||
- if [ ! -s %{-o} ]; then \
|
||||
- if [ -e "%{-o*}" ]; then \
|
||||
- rm -f %{-o*} \
|
||||
- fi \
|
||||
- exit 1 \
|
||||
- fi ;
|
||||
-
|
||||
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
|
||||
+ "%{_target_cpu}" \\\
|
||||
+ "%{_pesign}" \\\
|
||||
+ "%{_pesign_client}" \\\
|
||||
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
|
||||
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
|
||||
+ %{?__pesign_token:%{__pesign_token}} \\\
|
||||
+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\
|
||||
+ %{?vendor:--vendor %{vendor}} \\\
|
||||
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
|
||||
+ %{?-n:--rhelcert "%{-n*}"}%{?!-n:--rhelcert "%{__pesign_cert}"} \\\
|
||||
+ %{?-a:--rhelcafile "%{-a*}"} \\\
|
||||
+ %{?-c:--rhelcertfile "%{-c*}"} \\\
|
||||
+ %{?-C:--certout "%{-C*}"} \\\
|
||||
+ %{?-e:--sattrout "%{-e*}"} \\\
|
||||
+ %{?-i:--in "%{-i*}"} \\\
|
||||
+ %{?-o:--out "%{-o*}"} \\\
|
||||
+ %{?-s:--sign} \\\
|
||||
+ ; \
|
||||
+%{nil}
|
||||
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
|
||||
new file mode 100644
|
||||
index 00000000000..cb53550121f
|
||||
--- /dev/null
|
||||
+++ b/src/pesign-rpmbuild-helper.in
|
||||
@@ -0,0 +1,219 @@
|
||||
+#!/bin/bash
|
||||
+# shellcheck shell=bash
|
||||
+
|
||||
+set -eu
|
||||
+set -x
|
||||
+
|
||||
+usage() {
|
||||
+ local status="${1}" && shift
|
||||
+ local out
|
||||
+ if [[ "${status}" -eq 0 ]] ; then
|
||||
+ out=/dev/stdout
|
||||
+ else
|
||||
+ out=/dev/stderr
|
||||
+ fi
|
||||
+
|
||||
+ if [[ $# -gt 0 ]] ; then
|
||||
+ echo "${0}: error: $*" >>"${out}"
|
||||
+ fi
|
||||
+ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
|
||||
+ exit "${status}"
|
||||
+}
|
||||
+
|
||||
+is_efi_arch() {
|
||||
+ local arch="${1}"
|
||||
+ local arches=(@@EFI_ARCHES@@)
|
||||
+ local x
|
||||
+ for x in "${arches[@]}" ; do
|
||||
+ if [[ "${arch}" = "${x}" ]] ; then
|
||||
+ return 0
|
||||
+ fi
|
||||
+ done
|
||||
+ return 1
|
||||
+}
|
||||
+
|
||||
+error_on_empty() {
|
||||
+ local f="${1}"
|
||||
+ if [[ ! -s "${f}" ]] ; then
|
||||
+ if [[ -e "${f}" ]] ; then
|
||||
+ rm -f "${f}"
|
||||
+ fi
|
||||
+ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
|
||||
+ exit 1
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+main() {
|
||||
+ if [[ $# -lt 3 ]] ; then
|
||||
+ usage 1 not enough arguments
|
||||
+ fi
|
||||
+ local target_cpu="${1}" && shift
|
||||
+ local bin="${1}" && shift
|
||||
+ local client="${1}" && shift
|
||||
+
|
||||
+ local rhelcafile="" || :
|
||||
+ local rhelcertfile="" || :
|
||||
+
|
||||
+ local certout=() || :
|
||||
+ local sattrout=() || :
|
||||
+ local input=() || :
|
||||
+ local output=() || :
|
||||
+ local client_token=() || :
|
||||
+ local client_cert=() || :
|
||||
+ local token=() || :
|
||||
+ local cert=() || :
|
||||
+ local rhelcert=() || :
|
||||
+ local rhelver=0 || :
|
||||
+ local sign="" || :
|
||||
+ local arch="" || :
|
||||
+ local vendor="" || :
|
||||
+
|
||||
+ while [[ $# -ge 2 ]] ; do
|
||||
+ case " ${1} " in
|
||||
+ " --rhelcafile ")
|
||||
+ rhelcafile="${2}"
|
||||
+ ;;
|
||||
+ " --rhelcertfile ")
|
||||
+ rhelcertfile="${2}"
|
||||
+ ;;
|
||||
+ " --certout ")
|
||||
+ certout[0]=-C
|
||||
+ certout[1]="${2}"
|
||||
+ ;;
|
||||
+ " --sattrout ")
|
||||
+ sattrout[0]=-e
|
||||
+ sattrout[1]="${2}"
|
||||
+ ;;
|
||||
+ " --client-token ")
|
||||
+ client_token[0]=-t
|
||||
+ client_token[1]="${2}"
|
||||
+ ;;
|
||||
+ " --client-cert ")
|
||||
+ client_cert[0]=-c
|
||||
+ client_cert[1]="${2}"
|
||||
+ ;;
|
||||
+ " --token ")
|
||||
+ token[0]=-t
|
||||
+ token[1]="${2}"
|
||||
+ ;;
|
||||
+ " --cert ")
|
||||
+ cert[0]=-c
|
||||
+ cert[1]="${2}"
|
||||
+ ;;
|
||||
+ " --rhelcert ")
|
||||
+ rhelcert[0]=-c
|
||||
+ rhelcert[1]="${2}"
|
||||
+ ;;
|
||||
+ " --in ")
|
||||
+ input[0]=-i
|
||||
+ input[1]="${2}"
|
||||
+ ;;
|
||||
+ " --out ")
|
||||
+ output[0]=-o
|
||||
+ output[1]="${2}"
|
||||
+ ;;
|
||||
+ " --rhelver ")
|
||||
+ rhelver="${2}"
|
||||
+ ;;
|
||||
+ " --vendor ")
|
||||
+ vendor="${2}"
|
||||
+ ;;
|
||||
+ *)
|
||||
+ break
|
||||
+ ;;
|
||||
+ esac
|
||||
+ shift
|
||||
+ shift
|
||||
+ done
|
||||
+ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
|
||||
+ sign=-s
|
||||
+ shift
|
||||
+ fi
|
||||
+
|
||||
+ if [[ -z "${target_cpu}" ]] ; then
|
||||
+ target_cpu="$(uname -m)"
|
||||
+ fi
|
||||
+
|
||||
+ target_cpu="${target_cpu/i?86/ia32}"
|
||||
+ target_cpu="${target_cpu/x86_64/x64}"
|
||||
+ target_cpu="${target_cpu/aarch64/aa64}"
|
||||
+ target_cpu="${target_cpu/arm*/arm/}"
|
||||
+
|
||||
+ local nssdir=/etc/pki/pesign
|
||||
+ if [[ "${#cert[@]}" -eq 2 ]] &&
|
||||
+ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
|
||||
+ nssdir=/etc/pki/pesign-rh-test
|
||||
+ fi
|
||||
+
|
||||
+ # is_efi_arch is ultimately returning "is pesign configured to sign these
|
||||
+ # using the rpm macro", so if it isn't, we're just copying the input to
|
||||
+ # the output
|
||||
+ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
|
||||
+ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
|
||||
+ cp -v "${input[1]}" "${output[1]}"
|
||||
+ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
|
||||
+ touch "${sattrout[1]}"
|
||||
+ fi
|
||||
+
|
||||
+ # if there's a 0-sized output file, delete it and error out
|
||||
+ error_on_empty "${output[1]}"
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
+ USERNAME="${USERNAME:-$(id -un)}"
|
||||
+ HOSTNAME="${HOSTNAME:-$(hostname)}"
|
||||
+
|
||||
+ local socket="" || :
|
||||
+ if grep -q ID=fedora /etc/os-release \
|
||||
+ && [[ "${rhelver}" -lt 7 ]] \
|
||||
+ && [[ "${USERNAME}" = "mockbuild" ]] \
|
||||
+ && [[ "${vendor}" == "Fedora Project" ]] \
|
||||
+ && [[ "${HOSTNAME}" =~ bkernel.* ]]
|
||||
+ then
|
||||
+ if [[ -S /run/pesign/socket ]] ; then
|
||||
+ socket=/run/pesign/socket
|
||||
+ elif [[ -S /var/run/pesign/socket ]]; then
|
||||
+ socket=/var/run/pesign/socket
|
||||
+ else
|
||||
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
|
||||
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
|
||||
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
|
||||
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
|
||||
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
|
||||
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ if [[ "${rhelver}" -ge 7 ]] ; then
|
||||
+ nssdir="$(mktemp -p "${PWD}" -d)"
|
||||
+ echo > "${nssdir}/pwfile"
|
||||
+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
|
||||
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
|
||||
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
|
||||
+ sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
|
||||
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
|
||||
+ "${input[@]}" --force
|
||||
+ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
|
||||
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
|
||||
+ --certdir "${nssdir}" -c signer \
|
||||
+ "${input[@]}" "${output[@]}"
|
||||
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
|
||||
+ elif [[ -n "${socket}" ]] ; then
|
||||
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
|
||||
+ "${sattrout[@]}" "${certout[@]}" \
|
||||
+ ${sign} "${input[@]}" "${output[@]}"
|
||||
+ else
|
||||
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
|
||||
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
|
||||
+ "${certout[@]}" "${input[@]}" "${output[@]}"
|
||||
+ fi
|
||||
+
|
||||
+ # if there's a 0-sized output file, delete it and error out
|
||||
+ if [[ "${#output[@]}" -eq 2 ]] ; then
|
||||
+ error_on_empty "${output[1]}"
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+main "${@}"
|
||||
+
|
||||
+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
|
||||
--
|
||||
2.26.2
|
||||
|
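Review bot: In the non-EFI branch of main() in pesign-rpmbuild-helper.in, `error_on_empty "${output[1]}"` runs unconditionally, but `output` is only populated when `--out` was passed; with `set -eu` in force an invocation that gives `--in` and `--sattrout` but no `--out` dies with an unbound-variable error instead of the clean exit the function was written for, so guard it the way the second call already does: `if [[ "${#output[@]}" -eq 2 ]] ; then error_on_empty "${output[1]}" ; fi`. The arm normalisation `target_cpu="${target_cpu/arm*/arm/}"` also carries a stray slash in its replacement text, so an arm build ends up with `arm/` as its target_cpu; `target_cpu="${target_cpu/arm*/arm}"` is presumably what was meant, though with the default EFI_ARCHES of `aa64 ia32 x64` neither spelling matches, so the effect is only a confusing value in the trace. Speaking of which, `set -x` stays enabled at the top of the installed helper, so every expanded command line, including token and certificate names and the mktemp paths, is written to whatever captures the build's stderr; once the debugging is done it would be better dropped or made opt-in (for example only when a `PESIGN_DEBUG`-style variable is set).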
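--- /dev/null
+++ b/0009-pesign-authorize-shellcheck.patch
@@ -0,0 +1,60 @@
+From 91d45fea14dfce71f79534b0df276cf8175c0565 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 15:07:32 -0400
+Subject: [PATCH 09/11] pesign-authorize: shellcheck
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+src/pesign-authorize | 16 ++++++++--------
+1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/pesign-authorize b/src/pesign-authorize
+index a496f601ab4..55cd5c4e55b 100755
+--- a/src/pesign-authorize
++++ b/src/pesign-authorize
+@@ -12,21 +12,21 @@ set -u
+# License: GPLv2
+declare -a fileusers=()
+declare -a dirusers=()
+-for user in $(cat /etc/pesign/users); do
++while read -r user ; do
+dirusers[${#dirusers[@]}]=-m
+dirusers[${#dirusers[@]}]="u:$user:rwx"
+fileusers[${#fileusers[@]}]=-m
+fileusers[${#fileusers[@]}]="u:$user:rw"
+-done
++done </etc/pesign/users
+
+declare -a filegroups=()
+declare -a dirgroups=()
+-for group in $(cat /etc/pesign/groups); do
++while read -r group ; do
+dirgroups[${#dirgroups[@]}]=-m
+dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+filegroups[${#filegroups[@]}]=-m
+filegroups[${#filegroups[@]}]="g:$group:rw"
+-done
++done </etc/pesign/groups
+
+update_subdir() {
+subdir=$1 && shift
+@@ -35,12 +35,12 @@ update_subdir() {
+setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+for x in "${subdir}"* ; do
+if [ -d "${x}" ]; then
+- setfacl -bk ${x}
+- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
++ setfacl -bk "${x}"
++ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
+update_subdir "${x}/"
+elif [ -e "${x}" ]; then
+- setfacl -bk ${x}
+- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
++ setfacl -bk "${x}"
++ setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
+else
+:;
+fi
+--
+2.26.2
+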
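Review bot: `while read -r user ; do` in the new loop over /etc/pesign/users passes every line through unchanged, so a blank or whitespace-only line becomes `-m u::rwx`, which setfacl applies to the owner entry of whatever path update_subdir hands it rather than to a named user, and a final line without a trailing newline is dropped by read; the old `$(cat …)` form skipped blank lines through word splitting, so this is a behaviour change the shellcheck cleanup did not intend. Skipping empty entries restores it: `[ -n "${user}" ] || continue` as the first statement of the loop body, and `[ -n "${group}" ] || continue` in the second loop. The `setfacl -bk "${x}"` quoting fixes in the second hunk look right. Both read loops are complete within the hunk; update_subdir() continues outside it.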
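--- /dev/null
+++ b/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
@@ -0,0 +1,26 @@
+From 34efa71e9837bcf2e4c52234bc472e554c24c567 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 15:08:15 -0400
+Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+src/pesign-authorize | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pesign-authorize b/src/pesign-authorize
+index 55cd5c4e55b..c5448329c2c 100755
+--- a/src/pesign-authorize
++++ b/src/pesign-authorize
+@@ -47,7 +47,7 @@ update_subdir() {
+done
+}
+
+-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
++for x in /var/run/pesign/ /etc/pki/pesign/ ; do
+if [ -d "${x}" ]; then
+update_subdir "${x}"
+else
+--
+2.26.2
+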
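--- /dev/null
+++ b/0011-kernel-building-hack.patch
@@ -0,0 +1,40 @@
+From 43d1c74b391485178da1d38722da0f28ece8b336 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 16:42:39 -0400
+Subject: [PATCH 11/11] kernel building hack
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+src/pesign-rpmbuild-helper.in | 16 ++++++++++++++++
+1 file changed, 16 insertions(+)
+
+diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
+index d9236035928..2666c74a9ba 100644
+--- a/src/pesign-rpmbuild-helper.in
++++ b/src/pesign-rpmbuild-helper.in
+@@ -195,6 +195,22 @@ main() {
+"${input[@]}" "${output[@]}"
+rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+elif [[ -n "${socket}" ]] ; then
++ ### welcome haaaaack city
++ if [[ "${client_token[1]}" = "/CN=Fedora Secure Boot Signer" ]] ; then
++ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
++ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
++ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
++ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
++ client_token[1]=kernel-signer
++ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
++ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
++ client_token[1]=grub2-signer
++ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
++ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
++ client_token[1]=fwupd-signer
++ fi
++ fi
++ fi
+"${client}" "${client_token[@]}" "${client_cert[@]}" \
+"${sattrout[@]}" "${certout[@]}" \
+${sign} "${input[@]}" "${output[@]}"
+--
+2.26.2
+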
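Review bot: The outer test of the added block compares `"${client_token[1]}"` against `/CN=Fedora Secure Boot Signer`, but in macros.pesign (patch 0008 in this same commit) that string is the default `__pesign_client_cert`, while the default `__pesign_client_token` is `OpenSC Card (Fedora Signer)`; unless a caller sets pe_signing_token to that DN the whole override never fires, so this looks like it should read `if [[ "${client_cert[1]}" = "/CN=Fedora Secure Boot Signer" ]] ; then` — worth confirming against a real kernel build. The block also dereferences `${client_token[1]}` and `${input[1]}` with no length check, and the script runs under `set -eu`, so a socket-path invocation without `--client-token` or `--in` now aborts with an unbound-variable error rather than falling through to the client call. The trailing `.*` in each `=~ redhatsecureboot50N.*` is redundant, since the match is unanchored anyway. A comment stating the intent (which rhelcertfile name prefixes select which signing token, and why only for vmlinuz/bzImage inputs) would serve a later reader better than `### welcome haaaaack city`. main() starts and ends outside the hunk.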
pesign.spec
@ -3,7 +3,7 @@
|
||||
Name: pesign
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Version: 113
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: GPLv2
|
||||
URL: https://github.com/vathpela/pesign
|
||||
|
||||
@ -48,8 +48,11 @@ Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
|
||||
Patch0004: 0004-Rename-var-run-to-run.patch
|
||||
Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
|
||||
Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
|
||||
Patch0007: 0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
|
||||
Patch0008: 0008-remove-debug-print.patch
|
||||
Patch0007: 0007-client-remove-an-extra-debug-print.patch
|
||||
Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
|
||||
Patch0009: 0009-pesign-authorize-shellcheck.patch
|
||||
Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
|
||||
Patch0011: 0011-kernel-building-hack.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
@ -162,6 +165,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
|
||||
%{python3_sitelib}/mockbuild/plugins/pesign.*
|
||||
|
||||
%changelog
|
||||
* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-9
|
||||
- Even more kernel build debugging...
|
||||
|
||||
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-8
|
||||
- More kernel build debugging...
|
||||
|
||||
|