this one seems to work in my mock setup

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-16 13:42:13 -04:00 · 2020-07-16 13:42:13 -04:00 · 2cab315fd4
commit 2cab315fd4
parent 1f469180cd
4 changed files with 18 additions and 13 deletions
--- a/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+++ b/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
@ -1,4 +1,4 @@
-From 6cab63b9b01533f82067ac15b9cc426937c8e48b Mon Sep 17 00:00:00 2001
+From e05840efa8dc9d0a9ff3104b9fa6e5736e0ec549 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 6 Jul 2020 13:54:35 -0400
 Subject: [PATCH 08/11] Move most of macros.pesign to pesign-rpmbuild-helper
@ -7,9 +7,9 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 Make.defaults                 |   1 +
 src/Makefile                  |   8 +-
- src/macros.pesign             |  74 ++++--------
+ src/macros.pesign             |  76 ++++--------
 src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
- 4 files changed, 252 insertions(+), 53 deletions(-)
+ 4 files changed, 253 insertions(+), 54 deletions(-)
 create mode 100644 src/pesign-rpmbuild-helper.in

 diff --git a/Make.defaults b/Make.defaults
@ -58,10 +58,10 @@ index 74327ba13f3..a7ca89159c6 100644
 	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
 	$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
 diff --git a/src/macros.pesign b/src/macros.pesign
-index 5a6da1c6809..2e984b4eeb3 100644
+index 5a6da1c6809..cb066b35f4a 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
-@@ -6,7 +6,7 @@
+@@ -6,11 +6,11 @@
 # %pesign -s -i shim.orig -o shim.efi
 # And magically get the right thing.
 
@ -70,6 +70,11 @@ index 5a6da1c6809..2e984b4eeb3 100644
 %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
 
 %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
+-%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+%__pesign_client_cert %{!?pe_signing_cert:"Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+ %_pesign /usr/bin/pesign
+ %_pesign_client /usr/bin/pesign-client
@@ -24,54 +24,24 @@
 # -a <input ca cert filename>		# rhel only
 # -s 					# perform signing
--- a/0009-pesign-authorize-shellcheck.patch
+++ b/0009-pesign-authorize-shellcheck.patch
@ -1,4 +1,4 @@
-From a2c286c5b420b0f398221fb777eab5932c728f02 Mon Sep 17 00:00:00 2001
+From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jul 2020 15:07:32 -0400
 Subject: [PATCH 09/11] pesign-authorize: shellcheck
--- a/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
+++ b/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
@ -1,4 +1,4 @@
-From 14d8f7c1952f4f707b94e52a2985fe26c7426374 Mon Sep 17 00:00:00 2001
+From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jul 2020 15:08:15 -0400
 Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
--- a/0011-kernel-building-hack.patch
+++ b/0011-kernel-building-hack.patch
@ -1,4 +1,4 @@
-From e1bcbd2040dbf9633771bf4330f7e046e77a2d20 Mon Sep 17 00:00:00 2001
+From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jul 2020 16:42:39 -0400
 Subject: [PATCH 11/11] kernel building hack
@ -9,7 +9,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
 1 file changed, 17 insertions(+)

 diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
-index c5287c27e0c..1fd0c2fc117 100644
+index c5287c27e0c..27b8261bc17 100644
 --- a/src/pesign-rpmbuild-helper.in
 +++ b/src/pesign-rpmbuild-helper.in
@@ -202,6 +202,23 @@ main() {
@ -17,19 +17,19 @@ index c5287c27e0c..1fd0c2fc117 100644
 	rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
     elif [[ -n "${socket}" ]] ; then
 +	### welcome haaaaack city
-+	if [[ "${client_token[1]}" = "/CN=Fedora Secure Boot Signer" ]] ; then
+	if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
 +	    if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
 +	       || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
 +		if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
 +		   || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
 +		   || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
-+		    client_token[1]=kernel-signer
+		    client_cert[1]=kernel-signer
 +		elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
 +		   || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
-+		    client_token[1]=grub2-signer
+		    client_cert[1]=grub2-signer
 +		elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
 +		   || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
-+		    client_token[1]=fwupd-signer
+		    client_cert[1]=fwupd-signer
 +		fi
 +	    fi
 +	fi