diff --git a/0001-Revert-Move-license-to-GPLv3.patch b/0001-Revert-Move-license-to-GPLv3.patch new file mode 100644 index 0000000..4b8931c --- /dev/null +++ b/0001-Revert-Move-license-to-GPLv3.patch @@ -0,0 +1,969 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 1 Feb 2022 15:04:30 -0500 +Subject: [PATCH 1/3] Revert "Move license to GPLv3+" + +This was done too soon. It's missing some pieces and we need buy-in on +a couple of source files. + +This reverts commit 735650258c7956525b7ecf4b67483d025f0500e8. +--- + COPYING | 881 +++++++++++++++++--------------------------------------- + 1 file changed, 272 insertions(+), 609 deletions(-) + +diff --git a/COPYING b/COPYING +index 4432540..d159169 100644 +--- a/COPYING ++++ b/COPYING +@@ -1,627 +1,285 @@ ++ GNU GENERAL PUBLIC LICENSE ++ Version 2, June 1991 + +- GNU GENERAL PUBLIC LICENSE +- Version 3, 29 June 2007 +- +- Copyright (C) 2007 Free Software Foundation, Inc. ++ Copyright (C) 1989, 1991 Free Software Foundation, Inc., ++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + +- Preamble ++ Preamble + +- The GNU General Public License is a free, copyleft license for +-software and other kinds of works. +- +- The licenses for most software and other practical works are designed +-to take away your freedom to share and change the works. By contrast, +-the GNU General Public License is intended to guarantee your freedom to +-share and change all versions of a program--to make sure it remains free +-software for all its users. We, the Free Software Foundation, use the +-GNU General Public License for most of our software; it applies also to +-any other work released this way by its authors. You can apply it to ++ The licenses for most software are designed to take away your ++freedom to share and change it. By contrast, the GNU General Public ++License is intended to guarantee your freedom to share and change free ++software--to make sure the software is free for all its users. This ++General Public License applies to most of the Free Software ++Foundation's software and to any other program whose authors commit to ++using it. (Some other Free Software Foundation software is covered by ++the GNU Lesser General Public License instead.) You can apply it to + your programs, too. + + When we speak of free software, we are referring to freedom, not + price. Our General Public Licenses are designed to make sure that you + have the freedom to distribute copies of free software (and charge for +-them if you wish), that you receive source code or can get it if you +-want it, that you can change the software or use pieces of it in new +-free programs, and that you know you can do these things. ++this service if you wish), that you receive source code or can get it ++if you want it, that you can change the software or use pieces of it ++in new free programs; and that you know you can do these things. + +- To protect your rights, we need to prevent others from denying you +-these rights or asking you to surrender the rights. Therefore, you have +-certain responsibilities if you distribute copies of the software, or if +-you modify it: responsibilities to respect the freedom of others. ++ To protect your rights, we need to make restrictions that forbid ++anyone to deny you these rights or to ask you to surrender the rights. ++These restrictions translate to certain responsibilities for you if you ++distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +-gratis or for a fee, you must pass on to the recipients the same +-freedoms that you received. You must make sure that they, too, receive +-or can get the source code. And you must show them these terms so they +-know their rights. ++gratis or for a fee, you must give the recipients all the rights that ++you have. You must make sure that they, too, receive or can get the ++source code. And you must show them these terms so they know their ++rights. + +- Developers that use the GNU GPL protect your rights with two steps: +-(1) assert copyright on the software, and (2) offer you this License +-giving you legal permission to copy, distribute and/or modify it. ++ We protect your rights with two steps: (1) copyright the software, and ++(2) offer you this license which gives you legal permission to copy, ++distribute and/or modify the software. + +- For the developers' and authors' protection, the GPL clearly explains +-that there is no warranty for this free software. For both users' and +-authors' sake, the GPL requires that modified versions be marked as +-changed, so that their problems will not be attributed erroneously to +-authors of previous versions. ++ Also, for each author's protection and ours, we want to make certain ++that everyone understands that there is no warranty for this free ++software. If the software is modified by someone else and passed on, we ++want its recipients to know that what they have is not the original, so ++that any problems introduced by others will not reflect on the original ++authors' reputations. + +- Some devices are designed to deny users access to install or run +-modified versions of the software inside them, although the manufacturer +-can do so. This is fundamentally incompatible with the aim of +-protecting users' freedom to change the software. The systematic +-pattern of such abuse occurs in the area of products for individuals to +-use, which is precisely where it is most unacceptable. Therefore, we +-have designed this version of the GPL to prohibit the practice for those +-products. If such problems arise substantially in other domains, we +-stand ready to extend this provision to those domains in future versions +-of the GPL, as needed to protect the freedom of users. +- +- Finally, every program is threatened constantly by software patents. +-States should not allow patents to restrict development and use of +-software on general-purpose computers, but in those that do, we wish to +-avoid the special danger that patents applied to a free program could +-make it effectively proprietary. To prevent this, the GPL assures that +-patents cannot be used to render the program non-free. ++ Finally, any free program is threatened constantly by software ++patents. We wish to avoid the danger that redistributors of a free ++program will individually obtain patent licenses, in effect making the ++program proprietary. To prevent this, we have made it clear that any ++patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and + modification follow. + +- TERMS AND CONDITIONS +- +- 0. Definitions. +- +- "This License" refers to version 3 of the GNU General Public License. +- +- "Copyright" also means copyright-like laws that apply to other kinds of +-works, such as semiconductor masks. +- +- "The Program" refers to any copyrightable work licensed under this +-License. Each licensee is addressed as "you". "Licensees" and +-"recipients" may be individuals or organizations. +- +- To "modify" a work means to copy from or adapt all or part of the work +-in a fashion requiring copyright permission, other than the making of an +-exact copy. The resulting work is called a "modified version" of the +-earlier work or a work "based on" the earlier work. +- +- A "covered work" means either the unmodified Program or a work based +-on the Program. +- +- To "propagate" a work means to do anything with it that, without +-permission, would make you directly or secondarily liable for +-infringement under applicable copyright law, except executing it on a +-computer or modifying a private copy. Propagation includes copying, +-distribution (with or without modification), making available to the +-public, and in some countries other activities as well. +- +- To "convey" a work means any kind of propagation that enables other +-parties to make or receive copies. Mere interaction with a user through +-a computer network, with no transfer of a copy, is not conveying. +- +- An interactive user interface displays "Appropriate Legal Notices" +-to the extent that it includes a convenient and prominently visible +-feature that (1) displays an appropriate copyright notice, and (2) +-tells the user that there is no warranty for the work (except to the +-extent that warranties are provided), that licensees may convey the +-work under this License, and how to view a copy of this License. If +-the interface presents a list of user commands or options, such as a +-menu, a prominent item in the list meets this criterion. +- +- 1. Source Code. +- +- The "source code" for a work means the preferred form of the work +-for making modifications to it. "Object code" means any non-source +-form of a work. +- +- A "Standard Interface" means an interface that either is an official +-standard defined by a recognized standards body, or, in the case of +-interfaces specified for a particular programming language, one that +-is widely used among developers working in that language. +- +- The "System Libraries" of an executable work include anything, other +-than the work as a whole, that (a) is included in the normal form of +-packaging a Major Component, but which is not part of that Major +-Component, and (b) serves only to enable use of the work with that +-Major Component, or to implement a Standard Interface for which an +-implementation is available to the public in source code form. A +-"Major Component", in this context, means a major essential component +-(kernel, window system, and so on) of the specific operating system +-(if any) on which the executable work runs, or a compiler used to +-produce the work, or an object code interpreter used to run it. +- +- The "Corresponding Source" for a work in object code form means all +-the source code needed to generate, install, and (for an executable +-work) run the object code and to modify the work, including scripts to +-control those activities. However, it does not include the work's +-System Libraries, or general-purpose tools or generally available free +-programs which are used unmodified in performing those activities but +-which are not part of the work. For example, Corresponding Source +-includes interface definition files associated with source files for +-the work, and the source code for shared libraries and dynamically +-linked subprograms that the work is specifically designed to require, +-such as by intimate data communication or control flow between those +-subprograms and other parts of the work. +- +- The Corresponding Source need not include anything that users +-can regenerate automatically from other parts of the Corresponding +-Source. +- +- The Corresponding Source for a work in source code form is that +-same work. +- +- 2. Basic Permissions. +- +- All rights granted under this License are granted for the term of +-copyright on the Program, and are irrevocable provided the stated +-conditions are met. This License explicitly affirms your unlimited +-permission to run the unmodified Program. The output from running a +-covered work is covered by this License only if the output, given its +-content, constitutes a covered work. This License acknowledges your +-rights of fair use or other equivalent, as provided by copyright law. +- +- You may make, run and propagate covered works that you do not +-convey, without conditions so long as your license otherwise remains +-in force. You may convey covered works to others for the sole purpose +-of having them make modifications exclusively for you, or provide you +-with facilities for running those works, provided that you comply with +-the terms of this License in conveying all material for which you do +-not control copyright. Those thus making or running the covered works +-for you must do so exclusively on your behalf, under your direction +-and control, on terms that prohibit them from making any copies of +-your copyrighted material outside their relationship with you. +- +- Conveying under any other circumstances is permitted solely under +-the conditions stated below. Sublicensing is not allowed; section 10 +-makes it unnecessary. +- +- 3. Protecting Users' Legal Rights From Anti-Circumvention Law. +- +- No covered work shall be deemed part of an effective technological +-measure under any applicable law fulfilling obligations under article +-11 of the WIPO copyright treaty adopted on 20 December 1996, or +-similar laws prohibiting or restricting circumvention of such +-measures. +- +- When you convey a covered work, you waive any legal power to forbid +-circumvention of technological measures to the extent such circumvention +-is effected by exercising rights under this License with respect to +-the covered work, and you disclaim any intention to limit operation or +-modification of the work as a means of enforcing, against the work's +-users, your or third parties' legal rights to forbid circumvention of +-technological measures. +- +- 4. Conveying Verbatim Copies. +- +- You may convey verbatim copies of the Program's source code as you +-receive it, in any medium, provided that you conspicuously and +-appropriately publish on each copy an appropriate copyright notice; +-keep intact all notices stating that this License and any +-non-permissive terms added in accord with section 7 apply to the code; +-keep intact all notices of the absence of any warranty; and give all +-recipients a copy of this License along with the Program. +- +- You may charge any price or no price for each copy that you convey, +-and you may offer support or warranty protection for a fee. +- +- 5. Conveying Modified Source Versions. +- +- You may convey a work based on the Program, or the modifications to +-produce it from the Program, in the form of source code under the +-terms of section 4, provided that you also meet all of these conditions: +- +- a) The work must carry prominent notices stating that you modified +- it, and giving a relevant date. +- +- b) The work must carry prominent notices stating that it is +- released under this License and any conditions added under section +- 7. This requirement modifies the requirement in section 4 to +- "keep intact all notices". +- +- c) You must license the entire work, as a whole, under this +- License to anyone who comes into possession of a copy. This +- License will therefore apply, along with any applicable section 7 +- additional terms, to the whole of the work, and all its parts, +- regardless of how they are packaged. This License gives no +- permission to license the work in any other way, but it does not +- invalidate such permission if you have separately received it. +- +- d) If the work has interactive user interfaces, each must display +- Appropriate Legal Notices; however, if the Program has interactive +- interfaces that do not display Appropriate Legal Notices, your +- work need not make them do so. +- +- A compilation of a covered work with other separate and independent +-works, which are not by their nature extensions of the covered work, +-and which are not combined with it such as to form a larger program, +-in or on a volume of a storage or distribution medium, is called an +-"aggregate" if the compilation and its resulting copyright are not +-used to limit the access or legal rights of the compilation's users +-beyond what the individual works permit. Inclusion of a covered work +-in an aggregate does not cause this License to apply to the other +-parts of the aggregate. +- +- 6. Conveying Non-Source Forms. +- +- You may convey a covered work in object code form under the terms +-of sections 4 and 5, provided that you also convey the +-machine-readable Corresponding Source under the terms of this License, +-in one of these ways: +- +- a) Convey the object code in, or embodied in, a physical product +- (including a physical distribution medium), accompanied by the +- Corresponding Source fixed on a durable physical medium +- customarily used for software interchange. +- +- b) Convey the object code in, or embodied in, a physical product +- (including a physical distribution medium), accompanied by a +- written offer, valid for at least three years and valid for as +- long as you offer spare parts or customer support for that product +- model, to give anyone who possesses the object code either (1) a +- copy of the Corresponding Source for all the software in the +- product that is covered by this License, on a durable physical +- medium customarily used for software interchange, for a price no +- more than your reasonable cost of physically performing this +- conveying of source, or (2) access to copy the +- Corresponding Source from a network server at no charge. +- +- c) Convey individual copies of the object code with a copy of the +- written offer to provide the Corresponding Source. This +- alternative is allowed only occasionally and noncommercially, and +- only if you received the object code with such an offer, in accord +- with subsection 6b. +- +- d) Convey the object code by offering access from a designated +- place (gratis or for a charge), and offer equivalent access to the +- Corresponding Source in the same way through the same place at no +- further charge. You need not require recipients to copy the +- Corresponding Source along with the object code. If the place to +- copy the object code is a network server, the Corresponding Source +- may be on a different server (operated by you or a third party) +- that supports equivalent copying facilities, provided you maintain +- clear directions next to the object code saying where to find the +- Corresponding Source. Regardless of what server hosts the +- Corresponding Source, you remain obligated to ensure that it is +- available for as long as needed to satisfy these requirements. +- +- e) Convey the object code using peer-to-peer transmission, provided +- you inform other peers where the object code and Corresponding +- Source of the work are being offered to the general public at no +- charge under subsection 6d. +- +- A separable portion of the object code, whose source code is excluded +-from the Corresponding Source as a System Library, need not be +-included in conveying the object code work. +- +- A "User Product" is either (1) a "consumer product", which means any +-tangible personal property which is normally used for personal, family, +-or household purposes, or (2) anything designed or sold for incorporation +-into a dwelling. In determining whether a product is a consumer product, +-doubtful cases shall be resolved in favor of coverage. For a particular +-product received by a particular user, "normally used" refers to a +-typical or common use of that class of product, regardless of the status +-of the particular user or of the way in which the particular user +-actually uses, or expects or is expected to use, the product. A product +-is a consumer product regardless of whether the product has substantial +-commercial, industrial or non-consumer uses, unless such uses represent +-the only significant mode of use of the product. +- +- "Installation Information" for a User Product means any methods, +-procedures, authorization keys, or other information required to install +-and execute modified versions of a covered work in that User Product from +-a modified version of its Corresponding Source. The information must +-suffice to ensure that the continued functioning of the modified object +-code is in no case prevented or interfered with solely because +-modification has been made. +- +- If you convey an object code work under this section in, or with, or +-specifically for use in, a User Product, and the conveying occurs as +-part of a transaction in which the right of possession and use of the +-User Product is transferred to the recipient in perpetuity or for a +-fixed term (regardless of how the transaction is characterized), the +-Corresponding Source conveyed under this section must be accompanied +-by the Installation Information. But this requirement does not apply +-if neither you nor any third party retains the ability to install +-modified object code on the User Product (for example, the work has +-been installed in ROM). +- +- The requirement to provide Installation Information does not include a +-requirement to continue to provide support service, warranty, or updates +-for a work that has been modified or installed by the recipient, or for +-the User Product in which it has been modified or installed. Access to a +-network may be denied when the modification itself materially and +-adversely affects the operation of the network or violates the rules and +-protocols for communication across the network. +- +- Corresponding Source conveyed, and Installation Information provided, +-in accord with this section must be in a format that is publicly +-documented (and with an implementation available to the public in +-source code form), and must require no special password or key for +-unpacking, reading or copying. +- +- 7. Additional Terms. +- +- "Additional permissions" are terms that supplement the terms of this +-License by making exceptions from one or more of its conditions. +-Additional permissions that are applicable to the entire Program shall +-be treated as though they were included in this License, to the extent +-that they are valid under applicable law. If additional permissions +-apply only to part of the Program, that part may be used separately +-under those permissions, but the entire Program remains governed by +-this License without regard to the additional permissions. +- +- When you convey a copy of a covered work, you may at your option +-remove any additional permissions from that copy, or from any part of +-it. (Additional permissions may be written to require their own +-removal in certain cases when you modify the work.) You may place +-additional permissions on material, added by you to a covered work, +-for which you have or can give appropriate copyright permission. +- +- Notwithstanding any other provision of this License, for material you +-add to a covered work, you may (if authorized by the copyright holders of +-that material) supplement the terms of this License with terms: +- +- a) Disclaiming warranty or limiting liability differently from the +- terms of sections 15 and 16 of this License; or +- +- b) Requiring preservation of specified reasonable legal notices or +- author attributions in that material or in the Appropriate Legal +- Notices displayed by works containing it; or +- +- c) Prohibiting misrepresentation of the origin of that material, or +- requiring that modified versions of such material be marked in +- reasonable ways as different from the original version; or +- +- d) Limiting the use for publicity purposes of names of licensors or +- authors of the material; or +- +- e) Declining to grant rights under trademark law for use of some +- trade names, trademarks, or service marks; or +- +- f) Requiring indemnification of licensors and authors of that +- material by anyone who conveys the material (or modified versions of +- it) with contractual assumptions of liability to the recipient, for +- any liability that these contractual assumptions directly impose on +- those licensors and authors. +- +- All other non-permissive additional terms are considered "further +-restrictions" within the meaning of section 10. If the Program as you +-received it, or any part of it, contains a notice stating that it is +-governed by this License along with a term that is a further +-restriction, you may remove that term. If a license document contains +-a further restriction but permits relicensing or conveying under this +-License, you may add to a covered work material governed by the terms +-of that license document, provided that the further restriction does +-not survive such relicensing or conveying. +- +- If you add terms to a covered work in accord with this section, you +-must place, in the relevant source files, a statement of the +-additional terms that apply to those files, or a notice indicating +-where to find the applicable terms. +- +- Additional terms, permissive or non-permissive, may be stated in the +-form of a separately written license, or stated as exceptions; +-the above requirements apply either way. +- +- 8. Termination. +- +- You may not propagate or modify a covered work except as expressly +-provided under this License. Any attempt otherwise to propagate or +-modify it is void, and will automatically terminate your rights under +-this License (including any patent licenses granted under the third +-paragraph of section 11). +- +- However, if you cease all violation of this License, then your +-license from a particular copyright holder is reinstated (a) +-provisionally, unless and until the copyright holder explicitly and +-finally terminates your license, and (b) permanently, if the copyright +-holder fails to notify you of the violation by some reasonable means +-prior to 60 days after the cessation. +- +- Moreover, your license from a particular copyright holder is +-reinstated permanently if the copyright holder notifies you of the +-violation by some reasonable means, this is the first time you have +-received notice of violation of this License (for any work) from that +-copyright holder, and you cure the violation prior to 30 days after +-your receipt of the notice. +- +- Termination of your rights under this section does not terminate the +-licenses of parties who have received copies or rights from you under +-this License. If your rights have been terminated and not permanently +-reinstated, you do not qualify to receive new licenses for the same +-material under section 10. +- +- 9. Acceptance Not Required for Having Copies. +- +- You are not required to accept this License in order to receive or +-run a copy of the Program. Ancillary propagation of a covered work +-occurring solely as a consequence of using peer-to-peer transmission +-to receive a copy likewise does not require acceptance. However, +-nothing other than this License grants you permission to propagate or +-modify any covered work. These actions infringe copyright if you do +-not accept this License. Therefore, by modifying or propagating a +-covered work, you indicate your acceptance of this License to do so. +- +- 10. Automatic Licensing of Downstream Recipients. +- +- Each time you convey a covered work, the recipient automatically +-receives a license from the original licensors, to run, modify and +-propagate that work, subject to this License. You are not responsible +-for enforcing compliance by third parties with this License. +- +- An "entity transaction" is a transaction transferring control of an +-organization, or substantially all assets of one, or subdividing an +-organization, or merging organizations. If propagation of a covered +-work results from an entity transaction, each party to that +-transaction who receives a copy of the work also receives whatever +-licenses to the work the party's predecessor in interest had or could +-give under the previous paragraph, plus a right to possession of the +-Corresponding Source of the work from the predecessor in interest, if +-the predecessor has it or can get it with reasonable efforts. +- +- You may not impose any further restrictions on the exercise of the +-rights granted or affirmed under this License. For example, you may +-not impose a license fee, royalty, or other charge for exercise of +-rights granted under this License, and you may not initiate litigation +-(including a cross-claim or counterclaim in a lawsuit) alleging that +-any patent claim is infringed by making, using, selling, offering for +-sale, or importing the Program or any portion of it. +- +- 11. Patents. +- +- A "contributor" is a copyright holder who authorizes use under this +-License of the Program or a work on which the Program is based. The +-work thus licensed is called the contributor's "contributor version". +- +- A contributor's "essential patent claims" are all patent claims +-owned or controlled by the contributor, whether already acquired or +-hereafter acquired, that would be infringed by some manner, permitted +-by this License, of making, using, or selling its contributor version, +-but do not include claims that would be infringed only as a +-consequence of further modification of the contributor version. For +-purposes of this definition, "control" includes the right to grant +-patent sublicenses in a manner consistent with the requirements of ++ GNU GENERAL PUBLIC LICENSE ++ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION ++ ++ 0. This License applies to any program or other work which contains ++a notice placed by the copyright holder saying it may be distributed ++under the terms of this General Public License. The "Program", below, ++refers to any such program or work, and a "work based on the Program" ++means either the Program or any derivative work under copyright law: ++that is to say, a work containing the Program or a portion of it, ++either verbatim or with modifications and/or translated into another ++language. (Hereinafter, translation is included without limitation in ++the term "modification".) Each licensee is addressed as "you". ++ ++Activities other than copying, distribution and modification are not ++covered by this License; they are outside its scope. The act of ++running the Program is not restricted, and the output from the Program ++is covered only if its contents constitute a work based on the ++Program (independent of having been made by running the Program). ++Whether that is true depends on what the Program does. ++ ++ 1. You may copy and distribute verbatim copies of the Program's ++source code as you receive it, in any medium, provided that you ++conspicuously and appropriately publish on each copy an appropriate ++copyright notice and disclaimer of warranty; keep intact all the ++notices that refer to this License and to the absence of any warranty; ++and give any other recipients of the Program a copy of this License ++along with the Program. ++ ++You may charge a fee for the physical act of transferring a copy, and ++you may at your option offer warranty protection in exchange for a fee. ++ ++ 2. You may modify your copy or copies of the Program or any portion ++of it, thus forming a work based on the Program, and copy and ++distribute such modifications or work under the terms of Section 1 ++above, provided that you also meet all of these conditions: ++ ++ a) You must cause the modified files to carry prominent notices ++ stating that you changed the files and the date of any change. ++ ++ b) You must cause any work that you distribute or publish, that in ++ whole or in part contains or is derived from the Program or any ++ part thereof, to be licensed as a whole at no charge to all third ++ parties under the terms of this License. ++ ++ c) If the modified program normally reads commands interactively ++ when run, you must cause it, when started running for such ++ interactive use in the most ordinary way, to print or display an ++ announcement including an appropriate copyright notice and a ++ notice that there is no warranty (or else, saying that you provide ++ a warranty) and that users may redistribute the program under ++ these conditions, and telling the user how to view a copy of this ++ License. (Exception: if the Program itself is interactive but ++ does not normally print such an announcement, your work based on ++ the Program is not required to print an announcement.) ++ ++These requirements apply to the modified work as a whole. If ++identifiable sections of that work are not derived from the Program, ++and can be reasonably considered independent and separate works in ++themselves, then this License, and its terms, do not apply to those ++sections when you distribute them as separate works. But when you ++distribute the same sections as part of a whole which is a work based ++on the Program, the distribution of the whole must be on the terms of ++this License, whose permissions for other licensees extend to the ++entire whole, and thus to each and every part regardless of who wrote it. ++ ++Thus, it is not the intent of this section to claim rights or contest ++your rights to work written entirely by you; rather, the intent is to ++exercise the right to control the distribution of derivative or ++collective works based on the Program. ++ ++In addition, mere aggregation of another work not based on the Program ++with the Program (or with a work based on the Program) on a volume of ++a storage or distribution medium does not bring the other work under ++the scope of this License. ++ ++ 3. You may copy and distribute the Program (or a work based on it, ++under Section 2) in object code or executable form under the terms of ++Sections 1 and 2 above provided that you also do one of the following: ++ ++ a) Accompany it with the complete corresponding machine-readable ++ source code, which must be distributed under the terms of Sections ++ 1 and 2 above on a medium customarily used for software interchange; or, ++ ++ b) Accompany it with a written offer, valid for at least three ++ years, to give any third party, for a charge no more than your ++ cost of physically performing source distribution, a complete ++ machine-readable copy of the corresponding source code, to be ++ distributed under the terms of Sections 1 and 2 above on a medium ++ customarily used for software interchange; or, ++ ++ c) Accompany it with the information you received as to the offer ++ to distribute corresponding source code. (This alternative is ++ allowed only for noncommercial distribution and only if you ++ received the program in object code or executable form with such ++ an offer, in accord with Subsection b above.) ++ ++The source code for a work means the preferred form of the work for ++making modifications to it. For an executable work, complete source ++code means all the source code for all modules it contains, plus any ++associated interface definition files, plus the scripts used to ++control compilation and installation of the executable. However, as a ++special exception, the source code distributed need not include ++anything that is normally distributed (in either source or binary ++form) with the major components (compiler, kernel, and so on) of the ++operating system on which the executable runs, unless that component ++itself accompanies the executable. ++ ++If distribution of executable or object code is made by offering ++access to copy from a designated place, then offering equivalent ++access to copy the source code from the same place counts as ++distribution of the source code, even though third parties are not ++compelled to copy the source along with the object code. ++ ++ 4. You may not copy, modify, sublicense, or distribute the Program ++except as expressly provided under this License. Any attempt ++otherwise to copy, modify, sublicense or distribute the Program is ++void, and will automatically terminate your rights under this License. ++However, parties who have received copies, or rights, from you under ++this License will not have their licenses terminated so long as such ++parties remain in full compliance. ++ ++ 5. You are not required to accept this License, since you have not ++signed it. However, nothing else grants you permission to modify or ++distribute the Program or its derivative works. These actions are ++prohibited by law if you do not accept this License. Therefore, by ++modifying or distributing the Program (or any work based on the ++Program), you indicate your acceptance of this License to do so, and ++all its terms and conditions for copying, distributing or modifying ++the Program or works based on it. ++ ++ 6. Each time you redistribute the Program (or any work based on the ++Program), the recipient automatically receives a license from the ++original licensor to copy, distribute or modify the Program subject to ++these terms and conditions. You may not impose any further ++restrictions on the recipients' exercise of the rights granted herein. ++You are not responsible for enforcing compliance by third parties to + this License. + +- Each contributor grants you a non-exclusive, worldwide, royalty-free +-patent license under the contributor's essential patent claims, to +-make, use, sell, offer for sale, import and otherwise run, modify and +-propagate the contents of its contributor version. +- +- In the following three paragraphs, a "patent license" is any express +-agreement or commitment, however denominated, not to enforce a patent +-(such as an express permission to practice a patent or covenant not to +-sue for patent infringement). To "grant" such a patent license to a +-party means to make such an agreement or commitment not to enforce a +-patent against the party. +- +- If you convey a covered work, knowingly relying on a patent license, +-and the Corresponding Source of the work is not available for anyone +-to copy, free of charge and under the terms of this License, through a +-publicly available network server or other readily accessible means, +-then you must either (1) cause the Corresponding Source to be so +-available, or (2) arrange to deprive yourself of the benefit of the +-patent license for this particular work, or (3) arrange, in a manner +-consistent with the requirements of this License, to extend the patent +-license to downstream recipients. "Knowingly relying" means you have +-actual knowledge that, but for the patent license, your conveying the +-covered work in a country, or your recipient's use of the covered work +-in a country, would infringe one or more identifiable patents in that +-country that you have reason to believe are valid. +- +- If, pursuant to or in connection with a single transaction or +-arrangement, you convey, or propagate by procuring conveyance of, a +-covered work, and grant a patent license to some of the parties +-receiving the covered work authorizing them to use, propagate, modify +-or convey a specific copy of the covered work, then the patent license +-you grant is automatically extended to all recipients of the covered +-work and works based on it. +- +- A patent license is "discriminatory" if it does not include within +-the scope of its coverage, prohibits the exercise of, or is +-conditioned on the non-exercise of one or more of the rights that are +-specifically granted under this License. You may not convey a covered +-work if you are a party to an arrangement with a third party that is +-in the business of distributing software, under which you make payment +-to the third party based on the extent of your activity of conveying +-the work, and under which the third party grants, to any of the +-parties who would receive the covered work from you, a discriminatory +-patent license (a) in connection with copies of the covered work +-conveyed by you (or copies made from those copies), or (b) primarily +-for and in connection with specific products or compilations that +-contain the covered work, unless you entered into that arrangement, +-or that patent license was granted, prior to 28 March 2007. +- +- Nothing in this License shall be construed as excluding or limiting +-any implied license or other defenses to infringement that may +-otherwise be available to you under applicable patent law. +- +- 12. No Surrender of Others' Freedom. +- +- If conditions are imposed on you (whether by court order, agreement or ++ 7. If, as a consequence of a court judgment or allegation of patent ++infringement or for any other reason (not limited to patent issues), ++conditions are imposed on you (whether by court order, agreement or + otherwise) that contradict the conditions of this License, they do not +-excuse you from the conditions of this License. If you cannot convey a +-covered work so as to satisfy simultaneously your obligations under this +-License and any other pertinent obligations, then as a consequence you may +-not convey it at all. For example, if you agree to terms that obligate you +-to collect a royalty for further conveying from those to whom you convey +-the Program, the only way you could satisfy both those terms and this +-License would be to refrain entirely from conveying the Program. ++excuse you from the conditions of this License. If you cannot ++distribute so as to satisfy simultaneously your obligations under this ++License and any other pertinent obligations, then as a consequence you ++may not distribute the Program at all. For example, if a patent ++license would not permit royalty-free redistribution of the Program by ++all those who receive copies directly or indirectly through you, then ++the only way you could satisfy both it and this License would be to ++refrain entirely from distribution of the Program. + +- 13. Use with the GNU Affero General Public License. ++If any portion of this section is held invalid or unenforceable under ++any particular circumstance, the balance of the section is intended to ++apply and the section as a whole is intended to apply in other ++circumstances. + +- Notwithstanding any other provision of this License, you have +-permission to link or combine any covered work with a work licensed +-under version 3 of the GNU Affero General Public License into a single +-combined work, and to convey the resulting work. The terms of this +-License will continue to apply to the part which is the covered work, +-but the special requirements of the GNU Affero General Public License, +-section 13, concerning interaction through a network will apply to the +-combination as such. ++It is not the purpose of this section to induce you to infringe any ++patents or other property right claims or to contest validity of any ++such claims; this section has the sole purpose of protecting the ++integrity of the free software distribution system, which is ++implemented by public license practices. Many people have made ++generous contributions to the wide range of software distributed ++through that system in reliance on consistent application of that ++system; it is up to the author/donor to decide if he or she is willing ++to distribute software through any other system and a licensee cannot ++impose that choice. + +- 14. Revised Versions of this License. ++This section is intended to make thoroughly clear what is believed to ++be a consequence of the rest of this License. + +- The Free Software Foundation may publish revised and/or new versions of +-the GNU General Public License from time to time. Such new versions will ++ 8. If the distribution and/or use of the Program is restricted in ++certain countries either by patents or by copyrighted interfaces, the ++original copyright holder who places the Program under this License ++may add an explicit geographical distribution limitation excluding ++those countries, so that distribution is permitted only in or among ++countries not thus excluded. In such case, this License incorporates ++the limitation as if written in the body of this License. ++ ++ 9. The Free Software Foundation may publish revised and/or new versions ++of the General Public License from time to time. Such new versions will + be similar in spirit to the present version, but may differ in detail to + address new problems or concerns. + +- Each version is given a distinguishing version number. If the +-Program specifies that a certain numbered version of the GNU General +-Public License "or any later version" applies to it, you have the +-option of following the terms and conditions either of that numbered +-version or of any later version published by the Free Software +-Foundation. If the Program does not specify a version number of the +-GNU General Public License, you may choose any version ever published +-by the Free Software Foundation. ++Each version is given a distinguishing version number. If the Program ++specifies a version number of this License which applies to it and "any ++later version", you have the option of following the terms and conditions ++either of that version or of any later version published by the Free ++Software Foundation. If the Program does not specify a version number of ++this License, you may choose any version ever published by the Free Software ++Foundation. + +- If the Program specifies that a proxy can decide which future +-versions of the GNU General Public License can be used, that proxy's +-public statement of acceptance of a version permanently authorizes you +-to choose that version for the Program. ++ 10. If you wish to incorporate parts of the Program into other free ++programs whose distribution conditions are different, write to the author ++to ask for permission. For software which is copyrighted by the Free ++Software Foundation, write to the Free Software Foundation; we sometimes ++make exceptions for this. Our decision will be guided by the two goals ++of preserving the free status of all derivatives of our free software and ++of promoting the sharing and reuse of software generally. + +- Later license versions may give you additional or different +-permissions. However, no additional obligations are imposed on any +-author or copyright holder as a result of your choosing to follow a +-later version. ++ NO WARRANTY + +- 15. Disclaimer of Warranty. ++ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY ++FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN ++OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES ++PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED ++OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF ++MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS ++TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE ++PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, ++REPAIR OR CORRECTION. + +- THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +-APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +-PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +-IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +-ALL NECESSARY SERVICING, REPAIR OR CORRECTION. ++ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING ++WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR ++REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, ++INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING ++OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED ++TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY ++YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER ++PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE ++POSSIBILITY OF SUCH DAMAGES. + +- 16. Limitation of Liability. ++ END OF TERMS AND CONDITIONS + +- IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +-SUCH DAMAGES. +- +- 17. Interpretation of Sections 15 and 16. +- +- If the disclaimer of warranty and limitation of liability provided +-above cannot be given local legal effect according to their terms, +-reviewing courts shall apply local law that most closely approximates +-an absolute waiver of all civil liability in connection with the +-Program, unless a warranty or assumption of liability accompanies a +-copy of the Program in return for a fee. +- +- END OF TERMS AND CONDITIONS +- +- How to Apply These Terms to Your New Programs ++ How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest + possible use to the public, the best way to achieve this is to make it +@@ -629,15 +287,15 @@ free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest + to attach them to the start of each source file to most effectively +-state the exclusion of warranty; and each file should have at least ++convey the exclusion of warranty; and each file should have at least + the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + +- This program is free software: you can redistribute it and/or modify ++ This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +- the Free Software Foundation, either version 3 of the License, or ++ the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, +@@ -645,32 +303,37 @@ the "copyright" line and a pointer to where the full notice is found. + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + +- You should have received a copy of the GNU General Public License +- along with this program. If not, see . ++ You should have received a copy of the GNU General Public License along ++ with this program; if not, write to the Free Software Foundation, Inc., ++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + + Also add information on how to contact you by electronic and paper mail. + +- If the program does terminal interaction, make it output a short +-notice like this when it starts in an interactive mode: ++If the program is interactive, make it output a short notice like this ++when it starts in an interactive mode: + +- Copyright (C) +- This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. ++ Gnomovision version 69, Copyright (C) year name of author ++ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + + The hypothetical commands `show w' and `show c' should show the appropriate +-parts of the General Public License. Of course, your program's commands +-might be different; for a GUI interface, you would use an "about box". ++parts of the General Public License. Of course, the commands you use may ++be called something other than `show w' and `show c'; they could even be ++mouse-clicks or menu items--whatever suits your program. + +- You should also get your employer (if you work as a programmer) or school, +-if any, to sign a "copyright disclaimer" for the program, if necessary. +-For more information on this, and how to apply and follow the GNU GPL, see +-. ++You should also get your employer (if you work as a programmer) or your ++school, if any, to sign a "copyright disclaimer" for the program, if ++necessary. Here is a sample; alter the names: + +- The GNU General Public License does not permit incorporating your program +-into proprietary programs. If your program is a subroutine library, you +-may consider it more useful to permit linking proprietary applications with +-the library. If this is what you want to do, use the GNU Lesser General +-Public License instead of this License. But first, please read +-. ++ Yoyodyne, Inc., hereby disclaims all copyright interest in the program ++ `Gnomovision' (which makes passes at compilers) written by James Hacker. + ++ , 1 April 1989 ++ Ty Coon, President of Vice ++ ++This General Public License does not permit incorporating your program into ++proprietary programs. If your program is a subroutine library, you may ++consider it more useful to permit linking proprietary applications with the ++library. If this is what you want to do, use the GNU Lesser General ++Public License instead of this License. +-- +2.34.1 + diff --git a/0001-efikeygen-Fix-the-build-with-nss-3.44.patch b/0001-efikeygen-Fix-the-build-with-nss-3.44.patch deleted file mode 100644 index e583369..0000000 --- a/0001-efikeygen-Fix-the-build-with-nss-3.44.patch +++ /dev/null @@ -1,45 +0,0 @@ -From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 May 2019 11:28:38 -0400 -Subject: [PATCH] efikeygen: Fix the build with nss 3.44 - -NSS 3.44 adds some certificate types, which changes a type and makes -some encoding stuff weird. As a result, we get: - -gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o -In file included from /usr/local/include/nss/nss/cert.h:22, - from efikeygen.c:39: -efikeygen.c: In function 'add_cert_type': -/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow] - (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ - ^ -efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP' - unsigned char type = NS_CERT_TYPE_APP; - ^~~~~~~~~~~~~~~~ -cc1: all warnings being treated as errors - -This is fixed by just making it an int. - -Fixes github issue #48. - -Signed-off-by: Peter Jones ---- - src/efikeygen.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/efikeygen.c b/src/efikeygen.c -index ede76ef0b48..2cd953e9781 100644 ---- a/src/efikeygen.c -+++ b/src/efikeygen.c -@@ -208,7 +208,7 @@ static int - add_cert_type(cms_context *cms, void *extHandle, int is_ca) - { - SECItem bitStringValue; -- unsigned char type = NS_CERT_TYPE_APP; -+ int type = NS_CERT_TYPE_APP; - - if (is_ca) - type |= NS_CERT_TYPE_SSL_CA | --- -2.23.0 - diff --git a/0002-Fix-format-strings-for-32-bit-arches.patch b/0002-Fix-format-strings-for-32-bit-arches.patch new file mode 100644 index 0000000..3a5ece2 --- /dev/null +++ b/0002-Fix-format-strings-for-32-bit-arches.patch @@ -0,0 +1,112 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 1 Feb 2022 17:37:14 -0500 +Subject: [PATCH 2/3] Fix format strings for 32-bit arches + +Sadly, in 2022, this remains a thing. + +Signed-off-by: Robbie Harwood +--- + src/cms_pe_common.c | 16 +++++++++------- + src/password.c | 7 ++++--- + 2 files changed, 13 insertions(+), 10 deletions(-) + +diff --git a/src/cms_pe_common.c b/src/cms_pe_common.c +index 964f0d9..3a3921b 100644 +--- a/src/cms_pe_common.c ++++ b/src/cms_pe_common.c +@@ -49,7 +49,7 @@ check_pointer_and_size(cms_context *cms, Pe *pe, void *ptr, size_t size) + + if (p + size > m + map_size) + cmsreterr(0, cms, +- "pointer %p is above mmap end at %p (%lu is %lu bytes past EOF at %lu)", ++ "pointer %p is above mmap end at %p (%lu is %lu bytes past EOF at %zu)", + (void *)((uintptr_t)p + size), + (void *)((uintptr_t)m + map_size), + p + size - m, +@@ -189,7 +189,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded) + if (!check_pointer_and_size(cms, pe, hash_base, hash_size)) + cmsgotoerr(error, cms, "PE header is invalid"); + dprintf("beginning of hash"); +- dprintf("digesting %lx + %lx", hash_base - map, hash_size); ++ dprintf("digesting %tx + %zx", hash_base - map, hash_size); + generate_digest_step(cms, hash_base, hash_size); + + /* 5. Skip over the image checksum +@@ -209,7 +209,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded) + cmsgotoerr(error, cms, "PE data directory is invalid"); + + generate_digest_step(cms, hash_base, hash_size); +- dprintf("digesting %lx + %lx", hash_base - map, hash_size); ++ dprintf("digesting %tx + %zx", hash_base - map, hash_size); + + /* 8. Skip over the crt dir + * 9. Hash everything up to the end of the image header. */ +@@ -222,7 +222,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded) + cmsgotoerr(error, cms, "PE relocations table is invalid"); + + generate_digest_step(cms, hash_base, hash_size); +- dprintf("digesting %lx + %lx", hash_base - map, hash_size); ++ dprintf("digesting %tx + %zx", hash_base - map, hash_size); + + /* 10. Set SUM_OF_BYTES_HASHED to the size of the header. */ + hashed_bytes = pe32opthdr ? pe32opthdr->header_size +@@ -265,7 +265,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded) + } + + generate_digest_step(cms, hash_base, hash_size); +- dprintf("digesting %lx + %lx", hash_base - map, hash_size); ++ dprintf("digesting %tx + %zx", hash_base - map, hash_size); + + hashed_bytes += hash_size; + } +@@ -285,10 +285,12 @@ generate_digest(cms_context *cms, Pe *pe, int padded) + memset(tmp_array, '\0', tmp_size); + memcpy(tmp_array, hash_base, hash_size); + generate_digest_step(cms, tmp_array, tmp_size); +- dprintf("digesting %lx + %lx", (unsigned long)tmp_array, tmp_size); ++ dprintf("digesting %tx + %zx", (ptrdiff_t)tmp_array, ++ tmp_size); + } else { + generate_digest_step(cms, hash_base, hash_size); +- dprintf("digesting %lx + %lx", hash_base - map, hash_size); ++ dprintf("digesting %tx + %zx", hash_base - map, ++ hash_size); + } + } + dprintf("end of hash"); +diff --git a/src/password.c b/src/password.c +index 644f362..05add9a 100644 +--- a/src/password.c ++++ b/src/password.c +@@ -213,7 +213,7 @@ parse_pwfile_line(char *start, struct token_pass *tp) + dprintf("non-whitespace span is %zd", span); + + if (line[span] == '\0') { +- dprintf("returning %ld", (line + span) - start); ++ dprintf("returning %td", (line + span) - start); + return (line + span) - start; + } + line[span] = '\0'; +@@ -241,7 +241,7 @@ parse_pwfile_line(char *start, struct token_pass *tp) + dprintf("Setting token pass %p to { %p, %p }", tp, tp->token, tp->pass); + dprintf("token:\"%s\"", tp->token); + dprintf("pass:\"%s\"", tp->pass); +- dprintf("returning %ld", (line + span) - start); ++ dprintf("returning %td", (line + span) - start); + return (line + span) - start; + } + +@@ -330,7 +330,8 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg) + if (c != '\0') + span++; + start += span; +- dprintf("start is file[%ld] == '\\x%02hhx'", start - file, start[0]); ++ dprintf("start is file[%td] == '\\x%02hhx'", start - file, ++ start[0]); + } + + qsort(phrases, nphrases, sizeof(struct token_pass), token_pass_cmp); +-- +2.34.1 + diff --git a/0002-pesigcheck-Fix-a-wrong-assignment.patch b/0002-pesigcheck-Fix-a-wrong-assignment.patch deleted file mode 100644 index 7df5f0b..0000000 --- a/0002-pesigcheck-Fix-a-wrong-assignment.patch +++ /dev/null @@ -1,49 +0,0 @@ -From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 18 Feb 2020 16:28:56 -0500 -Subject: [PATCH] pesigcheck: Fix a wrong assignment - -gcc says: - - pesigcheck.c: In function 'check_signature': - pesigcheck.c:321:17: error: implicit conversion from 'enum ' to 'enum ' [-Werror=enum-conversion] - 321 | reason->type = siBuffer; - | ^ - pesigcheck.c:333:17: error: implicit conversion from 'enum ' to 'enum ' [-Werror=enum-conversion] - 333 | reason->type = siBuffer; - | ^ - cc1: all warnings being treated as errors - -And indeed, that line of code makes no sense at all - it was supposed to -be reason->sig.type. - -Signed-off-by: Peter Jones ---- - src/pesigcheck.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/pesigcheck.c b/src/pesigcheck.c -index 524cce307bf..8fa0f1ad03d 100644 ---- a/src/pesigcheck.c -+++ b/src/pesigcheck.c -@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons, - reason->type = SIGNATURE; - reason->sig.data = data; - reason->sig.len = datalen; -- reason->type = siBuffer; -+ reason->sig.type = siBuffer; - nreason += 1; - is_invalid = true; - } -@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons, - reason->type = SIGNATURE; - reason->sig.data = data; - reason->sig.len = datalen; -- reason->type = siBuffer; -+ reason->sig.type = siBuffer; - nreason += 1; - has_valid_cert = true; - } --- -2.24.1 - diff --git a/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch b/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch deleted file mode 100644 index e639675..0000000 --- a/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch +++ /dev/null @@ -1,317 +0,0 @@ -From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 11 Jun 2020 16:23:14 -0400 -Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and - vise versa - -This makes the version of the sign API that takes a file type optional, -and makes the client attempt to negotiate which version it's getting. -It also leaves the server able to still handle the version from before -the file type was added. - -Signed-off-by: Peter Jones ---- - src/client.c | 74 +++++++++++++++++++++++++++++++++++++--------------- - src/daemon.c | 63 +++++++++++++++++++++++++++++--------------- - src/daemon.h | 2 ++ - 3 files changed, 97 insertions(+), 42 deletions(-) - -diff --git a/src/client.c b/src/client.c -index aa373abd981..57bcc09cbe8 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -11,6 +11,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -84,8 +85,8 @@ connect_to_server(void) - static int32_t - check_response(int sd, char **srvmsg); - --static void --check_cmd_version(int sd, uint32_t command, char *name, int32_t version) -+static int -+check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit) - { - struct msghdr msg; - struct iovec iov[1]; -@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) - ssize_t n; - n = sendmsg(sd, &msg, 0); - if (n < 0) { -- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n"); -+ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n"); - exit(1); - } - -@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) - - char *srvmsg = NULL; - int32_t rc = check_response(sd, &srvmsg); -- if (rc < 0) -+ -+ if (do_exit && rc < 0) - errx(1, "command \"%s\" not known by server", name); -- if (rc != version) -+ -+ if (do_exit && rc != version) - errx(1, "command \"%s\": client version %d, server version %d", - name, version, rc); -+ -+ if (rc < 0) -+ return rc; -+ return rc == version; - } - - static void -@@ -134,7 +141,7 @@ send_kill_daemon(int sd) - struct iovec iov; - pesignd_msghdr pm; - -- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0); -+ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true); - - pm.version = PESIGND_VERSION; - pm.command = CMD_KILL_DAEMON; -@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin) - - uint32_t size1 = pesignd_string_size(pin); - -- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0); -+ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true); - - pm.version = PESIGND_VERSION; - pm.command = CMD_UNLOCK_TOKEN; -@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname) - - uint32_t size0 = pesignd_string_size(tokenname); - -- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0); -+ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true); - - pm.version = PESIGND_VERSION; - pm.command = CMD_IS_TOKEN_UNLOCKED; -@@ -452,6 +459,9 @@ static void - sign(int sd, char *infile, char *outfile, char *tokenname, char *certname, - int attached, uint32_t format) - { -+ int rc; -+ bool add_file_type; -+ - int infd = open(infile, O_RDONLY); - if (infd < 0) { - fprintf(stderr, "pesign-client: could not open input file " -@@ -481,12 +491,28 @@ oom: - exit(1); - } - -- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED, -- attached ? "sign-attached" : "sign-detached", 0); -+ rc = check_cmd_version(sd, -+ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE -+ : CMD_SIGN_DETACHED_WITH_FILE_TYPE, -+ attached ? "sign-attached" : "sign-detached", -+ 0, format == FORMAT_KERNEL_MODULE); -+ if (rc >= 0) { -+ add_file_type = true; -+ } else { -+ add_file_type = false; -+ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED -+ : CMD_SIGN_DETACHED, -+ attached ? "sign-attached" : "sign-detached", -+ 0, true); -+ } - -+ printf("add_file_type:%d\n", add_file_type); - pm->version = PESIGND_VERSION; -- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED; -- pm->size = size0 + size1 + sizeof(format); -+ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE -+ : CMD_SIGN_ATTACHED) -+ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE -+ : CMD_SIGN_DETACHED); -+ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0); - iov[0].iov_base = pm; - iov[0].iov_len = sizeof (*pm); - -@@ -503,25 +529,31 @@ oom: - } - - char *buffer; -- buffer = malloc(size0 + size1); -+ buffer = malloc(pm->size); - if (!buffer) - goto oom; - -- iov[0].iov_base = &format; -- iov[0].iov_len = sizeof(format); -+ int pos = 0; -+ -+ if (add_file_type) { -+ iov[pos].iov_base = &format; -+ iov[pos].iov_len = sizeof(format); -+ pos++; -+ } - - pesignd_string *tn = (pesignd_string *)buffer; - pesignd_string_set(tn, tokenname); -- iov[1].iov_base = tn; -- iov[1].iov_len = size0; -+ iov[pos].iov_base = tn; -+ iov[pos].iov_len = size0; -+ pos++; - - pesignd_string *cn = pesignd_string_next(tn); - pesignd_string_set(cn, certname); -- iov[2].iov_base = cn; -- iov[2].iov_len = size1; -+ iov[pos].iov_base = cn; -+ iov[pos].iov_len = size1; - - msg.msg_iov = iov; -- msg.msg_iovlen = 3; -+ msg.msg_iovlen = add_file_type ? 3 : 2; - - n = sendmsg(sd, &msg, 0); - if (n < 0) { -@@ -535,7 +567,7 @@ oom: - send_fd(sd, outfd); - - char *srvmsg = NULL; -- int rc = check_response(sd, &srvmsg); -+ rc = check_response(sd, &srvmsg); - if (rc < 0) { - fprintf(stderr, "pesign-client: signing failed: \"%s\"\n", - srvmsg); -diff --git a/src/daemon.c b/src/daemon.c -index 9374d59be30..494beb9af72 100644 ---- a/src/daemon.c -+++ b/src/daemon.c -@@ -12,6 +12,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -561,7 +562,7 @@ out: - - static void - handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size, -- int attached) -+ int attached, bool with_file_type) - { - struct msghdr msg; - struct iovec iov; -@@ -585,8 +586,12 @@ oom: - - n = recvmsg(pollfd->fd, &msg, MSG_WAITALL); - -- file_format = *((uint32_t *) buffer); -- n -= sizeof(uint32_t); -+ if (with_file_type) { -+ file_format = *((uint32_t *) buffer); -+ n -= sizeof(uint32_t); -+ } else { -+ file_format = FORMAT_PE_BINARY; -+ } - - pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t)); - if (n < (long long)sizeof(tn->size)) { -@@ -666,34 +671,44 @@ finish: - teardown_digests(ctx->cms); - } - -+static inline void -+handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size, -+ int attached, bool with_file_type) -+{ -+ int rc = cms_context_alloc(&ctx->cms); -+ if (rc < 0) -+ return; -+ -+ steal_from_cms(ctx->backup_cms, ctx->cms); -+ -+ handle_signing(ctx, pollfd, size, attached, with_file_type); -+ -+ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms); -+ cms_context_fini(ctx->cms); -+} -+ - static void - handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size) - { -- int rc = cms_context_alloc(&ctx->cms); -- if (rc < 0) -- return; -+ handle_sign_helper(ctx, pollfd, size, 1, false); -+} - -- steal_from_cms(ctx->backup_cms, ctx->cms); -- -- handle_signing(ctx, pollfd, size, 1); -- -- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms); -- cms_context_fini(ctx->cms); -+static void -+handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size) -+{ -+ handle_sign_helper(ctx, pollfd, size, 1, true); - } - - static void - handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size) - { -- int rc = cms_context_alloc(&ctx->cms); -- if (rc < 0) -- return; -+ handle_sign_helper(ctx, pollfd, size, 0, false); -+} - -- steal_from_cms(ctx->backup_cms, ctx->cms); -- -- handle_signing(ctx, pollfd, size, 0); -- -- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms); -- cms_context_fini(ctx->cms); -+static void -+handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size) -+{ -+ handle_sign_helper(ctx, pollfd, size, 0, true); - } - - static void -@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = { - { CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 }, - { CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 }, - { CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 }, -+ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE, -+ handle_sign_attached_with_file_type, -+ "sign-attached-with-file-type", 0 }, -+ { CMD_SIGN_DETACHED_WITH_FILE_TYPE, -+ handle_sign_detached_with_file_type, -+ "sign-detached-with-file-type", 0 }, - { CMD_RESPONSE, NULL, "response", 0 }, - { CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked, - "is-token-unlocked", 0 }, -diff --git a/src/daemon.h b/src/daemon.h -index dd430512f1a..834d62c72d0 100644 ---- a/src/daemon.h -+++ b/src/daemon.h -@@ -33,6 +33,8 @@ typedef enum { - CMD_RESPONSE, - CMD_IS_TOKEN_UNLOCKED, - CMD_GET_CMD_VERSION, -+ CMD_SIGN_ATTACHED_WITH_FILE_TYPE, -+ CMD_SIGN_DETACHED_WITH_FILE_TYPE, - CMD_LIST_END - } pesignd_cmd; - --- -2.26.2 - diff --git a/0003-macros-drop-_pesign_args.patch b/0003-macros-drop-_pesign_args.patch new file mode 100644 index 0000000..0511bfa --- /dev/null +++ b/0003-macros-drop-_pesign_args.patch @@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 2 Feb 2022 16:07:46 -0500 +Subject: [PATCH 3/3] macros: drop %{_pesign_args} + +Effectively reverts 30b488682a92c524bb9c0d450c34e9abc0b56de9 + +Also, make our argument parser fail on extra arguments to make it easier +to debug when this kind of thing happens again. + +Signed-off-by: Robbie Harwood +--- + src/macros.pesign | 1 - + src/pesign-rpmbuild-helper.in | 5 +++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 519a8a3..34af57c 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -27,7 +27,6 @@ + %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\ + "%{_target_cpu}" \\\ + "%{_pesign}" \\\ +- "%{_pesign_args}" \\\ + "%{_pesign_client}" \\\ + %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\ + %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\ +diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in +index 27b8261..0a845d2 100644 +--- a/src/pesign-rpmbuild-helper.in ++++ b/src/pesign-rpmbuild-helper.in +@@ -133,6 +133,11 @@ main() { + sign=-s + shift + fi ++ if [[ $# -ge 1 ]] ; then ++ echo "$# extra unparsed arguments!">>/dev/stderr ++ echo "Cowardly refusing to run">>/dev/stderr ++ exit 1 ++ fi + + if [[ -z "${target_cpu}" ]] ; then + target_cpu="$(uname -m)" +-- +2.34.1 + diff --git a/0004-Disable-pragmas-for-warnings-that-are-too-old.patch b/0004-Disable-pragmas-for-warnings-that-are-too-old.patch new file mode 100644 index 0000000..412f98b --- /dev/null +++ b/0004-Disable-pragmas-for-warnings-that-are-too-old.patch @@ -0,0 +1,36 @@ +From 2effad829bd719d2316d7eea45ea6e4f9c291c67 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 9 Feb 2022 14:42:24 -0500 +Subject: [PATCH] Disable pragmas for warnings that are too old + +Signed-off-by: Robbie Harwood +--- + src/daemon.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/src/daemon.c b/src/daemon.c +index c19eb80..01c612f 100644 +--- a/src/daemon.c ++++ b/src/daemon.c +@@ -916,10 +916,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds) + free(pollfds); + } + +-/* GCC -fanalyzer has trouble with realloc +- * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */ +-#pragma GCC diagnostic push +-#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value" + static int + handle_events(context *ctx) + { +@@ -998,7 +994,6 @@ shutdown: + } + return 0; + } +-#pragma GCC diagnostic pop + + static int + get_uid_and_gid(context *ctx, char **homedir) +-- +2.34.1 + diff --git a/0004-Rename-var-run-to-run.patch b/0004-Rename-var-run-to-run.patch deleted file mode 100644 index 593761b..0000000 --- a/0004-Rename-var-run-to-run.patch +++ /dev/null @@ -1,46 +0,0 @@ -From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 12 Jun 2020 11:49:44 -0400 -Subject: [PATCH] Rename /var/run/ to /run/ - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 12 ++++++------ - src/tmpfiles.conf | 2 +- - 2 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 56f75cafbc4..5a6da1c6809 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -45,14 +45,14 @@ - rm -rf ${sattrs} ${sattrs}.sig ${nss} \ - elif [ "$(id -un)" == "kojibuilder" -a \\\ - grep -q ID=fedora /etc/os-release -a \\\ -- ! -S /var/run/pesign/socket ]; then \ -+ ! -S /run/pesign/socket ]; then \ - echo "No socket even though this is kojibuilder" 1>&2 \ -- ls -ld /var/run/pesign 1>&2 \ -- ls -l /var/run/pesign/socket 1>&2 \ -- getfacl /var/run/pesign 1>&2 \ -- getfacl /var/run/pesign/socket 1>&2 \ -+ ls -ld /run/pesign 1>&2 \ -+ ls -l /run/pesign/socket 1>&2 \ -+ getfacl /run/pesign 1>&2 \ -+ getfacl /run/pesign/socket 1>&2 \ - exit 1 \ -- elif [ -S /var/run/pesign/socket ]; then \ -+ elif [ -S /run/pesign/socket ]; then \ - %{_pesign_client} -t %{__pesign_client_token} \\\ - -c %{__pesign_client_cert} \\\ - %{-i} %{-o} %{-e} %{-s} %{-C} \ -diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf -index c1cf35597d8..3375ad52a44 100644 ---- a/src/tmpfiles.conf -+++ b/src/tmpfiles.conf -@@ -1 +1 @@ --D /var/run/pesign 0770 pesign pesign - -+D /run/pesign 0770 pesign pesign - --- -2.26.2 - diff --git a/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch b/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch deleted file mode 100644 index 2b47880..0000000 --- a/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001 -From: Jeremy Cline -Date: Tue, 18 Feb 2020 16:37:53 -0500 -Subject: [PATCH] Apparently opensc got updated and the token name changed - -All the kernel builds started failing yesterday because the signing -token could not be found. Update the token name in the macro shipped by -pesign. - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 7c5cba170e9..56f75cafbc4 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -9,7 +9,7 @@ - %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} - %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} - --%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"} -+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} - %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"} - - %_pesign /usr/bin/pesign --- -2.26.2 - diff --git a/0006-client-try-run-and-var-run-for-the-socket-path.patch b/0006-client-try-run-and-var-run-for-the-socket-path.patch deleted file mode 100644 index 337faab..0000000 --- a/0006-client-try-run-and-var-run-for-the-socket-path.patch +++ /dev/null @@ -1,86 +0,0 @@ -From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 6 Jul 2020 16:13:09 -0400 -Subject: [PATCH 6/7] client: try /run and /var/run for the socket path. - -Signed-off-by: Peter Jones ---- - src/client.c | 40 +++++++++++++++++++++++++++++----------- - 1 file changed, 29 insertions(+), 11 deletions(-) - -diff --git a/src/client.c b/src/client.c -index 2119ef33bf8..a38383415d5 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag) - } - - static int --connect_to_server(void) -+connect_to_server_helper(const char * const sockpath) - { -- int rc = access(SOCKPATH, R_OK); -+ int rc = access(sockpath, R_OK); - if (rc != 0) { -- fprintf(stderr, "pesign-client: could not connect to server: " -- "%m\n"); -- exit(1); -+ warn("could not access socket \"%s\"", sockpath); -+ return rc; - } - - struct sockaddr_un addr_un = { - .sun_family = AF_UNIX, -- .sun_path = SOCKPATH, - }; -+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path)); -+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0'; - - int sd = socket(AF_UNIX, SOCK_STREAM, 0); - if (sd < 0) { -- fprintf(stderr, "pesign-client: could not open socket: %m\n"); -- exit(1); -+ warn("could not open socket \"%s\"", sockpath); -+ return sd; - } - - socklen_t len = strlen(addr_un.sun_path) + -@@ -74,14 +74,32 @@ connect_to_server(void) - - rc = connect(sd, (struct sockaddr *)&addr_un, len); - if (rc < 0) { -- fprintf(stderr, "pesign-client: could not connect to daemon: " -- "%m\n"); -- exit(1); -+ warn("could not connect to daemon"); -+ return sd; - } - - return sd; - } - -+static int -+connect_to_server(void) -+{ -+ int rc, i; -+ const char * const sockets[] = { -+ "/run/pesign/socket", -+ "/var/run/pesign/socket", -+ NULL -+ }; -+ -+ for (i = 0; sockets[i] != NULL; i++) { -+ rc = connect_to_server_helper(sockets[i]); -+ if (rc >= 0) -+ return rc; -+ } -+ -+ exit(1); -+} -+ - static int32_t - check_response(int sd, char **srvmsg); - --- -2.26.2 - diff --git a/0007-client-remove-an-extra-debug-print.patch b/0007-client-remove-an-extra-debug-print.patch deleted file mode 100644 index b094ea5..0000000 --- a/0007-client-remove-an-extra-debug-print.patch +++ /dev/null @@ -1,25 +0,0 @@ -From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 Jul 2020 16:44:09 -0400 -Subject: [PATCH 07/11] client: remove an extra debug print - -Signed-off-by: Peter Jones ---- - src/client.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/client.c b/src/client.c -index 0082be1f597..c9966295e5f 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -536,7 +536,6 @@ oom: - 0, true); - } - -- printf("add_file_type:%d\n", add_file_type); - pm->version = PESIGND_VERSION; - pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE - : CMD_SIGN_ATTACHED) --- -2.26.2 - diff --git a/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch deleted file mode 100644 index 3a62cf6..0000000 --- a/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch +++ /dev/null @@ -1,379 +0,0 @@ -From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 6 Jul 2020 13:54:35 -0400 -Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper - -Signed-off-by: Peter Jones ---- - Make.defaults | 1 + - src/Makefile | 8 +- - src/macros.pesign | 74 ++++-------- - src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++ - 4 files changed, 252 insertions(+), 53 deletions(-) - create mode 100644 src/pesign-rpmbuild-helper.in - -diff --git a/Make.defaults b/Make.defaults -index 0bacafe0d01..d4cd626c11e 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR) - - INSTALL ?= install - CROSS_COMPILE ?= -+EFI_ARCHES ?= aa64 ia32 x64 - - PKG_CONFIG = $(CROSS_COMPILE)pkg-config - CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC)) -diff --git a/src/Makefile b/src/Makefile -index 74327ba13f3..a7ca89159c6 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version - include $(TOPDIR)/Make.rules - include $(TOPDIR)/Make.defaults - --BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign -+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper - SVCTARGETS=pesign.sysvinit pesign.service - TARGETS=$(BINTARGETS) $(SVCTARGETS) - -@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC - pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a - pesign : PKGS=efivar nss nspr popt - -+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in -+ sed \ -+ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \ -+ $^ > $@ -+ - deps : PKGS=efivar nss nspr popt uuid - deps : $(ALL_SOURCES) - $(MAKE) -f $(TOPDIR)/Make.deps \ -@@ -94,6 +99,7 @@ install : - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ -+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign - $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users - $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups -diff --git a/src/macros.pesign b/src/macros.pesign -index 5a6da1c6809..2e984b4eeb3 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -6,7 +6,7 @@ - # %pesign -s -i shim.orig -o shim.efi - # And magically get the right thing. - --%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} -+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"} - %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} - - %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} -@@ -24,54 +24,24 @@ - # -a # rhel only - # -s # perform signing - %pesign(i:o:C:e:c:n:a:s) \ -- _pesign_nssdir=/etc/pki/pesign \ -- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \ -- _pesign_nssdir=/etc/pki/pesign-rh-test \ -- fi \ -- if [ -x %{_pesign} ] && \\\ -- [ "%{_target_cpu}" == "x86_64" -o \\\ -- "%{_target_cpu}" == "aarch64" ]; then \ -- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ -- nss=$(mktemp -p $PWD -d) \ -- echo > ${nss}/pwfile \ -- certutil -N -d ${nss} -f ${nss}/pwfile \ -- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \ -- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \ -- sattrs=$(mktemp -p $PWD --suffix=.der) \ -- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \ -- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \ -- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ -- --certdir ${nss} -c signer %{-o} \ -- rm -rf ${sattrs} ${sattrs}.sig ${nss} \ -- elif [ "$(id -un)" == "kojibuilder" -a \\\ -- grep -q ID=fedora /etc/os-release -a \\\ -- ! -S /run/pesign/socket ]; then \ -- echo "No socket even though this is kojibuilder" 1>&2 \ -- ls -ld /run/pesign 1>&2 \ -- ls -l /run/pesign/socket 1>&2 \ -- getfacl /run/pesign 1>&2 \ -- getfacl /run/pesign/socket 1>&2 \ -- exit 1 \ -- elif [ -S /run/pesign/socket ]; then \ -- %{_pesign_client} -t %{__pesign_client_token} \\\ -- -c %{__pesign_client_cert} \\\ -- %{-i} %{-o} %{-e} %{-s} %{-C} \ -- else \ -- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ -- --certdir ${_pesign_nssdir} \\\ -- %{-i} %{-o} %{-e} %{-s} %{-C} \ -- fi \ -- else \ -- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \ -- mv %{-i*} %{-o*} \ -- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \ -- touch %{-e*} \ -- fi \ -- fi \ -- if [ ! -s %{-o} ]; then \ -- if [ -e "%{-o*}" ]; then \ -- rm -f %{-o*} \ -- fi \ -- exit 1 \ -- fi ; -- -+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\ -+ "%{_target_cpu}" \\\ -+ "%{_pesign}" \\\ -+ "%{_pesign_client}" \\\ -+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\ -+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\ -+ %{?__pesign_token:%{__pesign_token}} \\\ -+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\ -+ %{?_buildhost:--hostname "%{_buildhost}"} \\\ -+ %{?vendor:--vendor "%{vendor}"} \\\ -+ %{?_rhel:--rhelver "%{_rhel}"} \\\ -+ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\ -+ %{?-a:--rhelcafile "%{-a*}"} \\\ -+ %{?-c:--rhelcertfile "%{-c*}"} \\\ -+ %{?-C:--certout "%{-C*}"} \\\ -+ %{?-e:--sattrout "%{-e*}"} \\\ -+ %{?-i:--in "%{-i*}"} \\\ -+ %{?-o:--out "%{-o*}"} \\\ -+ %{?-s:--sign} \\\ -+ ; \ -+%{nil} -diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in -new file mode 100644 -index 00000000000..c5287c27e0c ---- /dev/null -+++ b/src/pesign-rpmbuild-helper.in -@@ -0,0 +1,222 @@ -+#!/bin/bash -+# shellcheck shell=bash -+ -+set -eu -+set -x -+ -+usage() { -+ local status="${1}" && shift -+ local out -+ if [[ "${status}" -eq 0 ]] ; then -+ out=/dev/stdout -+ else -+ out=/dev/stderr -+ fi -+ -+ if [[ $# -gt 0 ]] ; then -+ echo "${0}: error: $*" >>"${out}" -+ fi -+ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}" -+ exit "${status}" -+} -+ -+is_efi_arch() { -+ local arch="${1}" -+ local arches=(@@EFI_ARCHES@@) -+ local x -+ for x in "${arches[@]}" ; do -+ if [[ "${arch}" = "${x}" ]] ; then -+ return 0 -+ fi -+ done -+ return 1 -+} -+ -+error_on_empty() { -+ local f="${1}" -+ if [[ ! -s "${f}" ]] ; then -+ if [[ -e "${f}" ]] ; then -+ rm -f "${f}" -+ fi -+ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr -+ exit 1 -+ fi -+} -+ -+main() { -+ if [[ $# -lt 3 ]] ; then -+ usage 1 not enough arguments -+ fi -+ local target_cpu="${1}" && shift -+ local bin="${1}" && shift -+ local client="${1}" && shift -+ -+ local rhelcafile="" || : -+ local rhelcertfile="" || : -+ -+ local certout=() || : -+ local sattrout=() || : -+ local input=() || : -+ local output=() || : -+ local client_token=() || : -+ local client_cert=() || : -+ local token=() || : -+ local cert=() || : -+ local rhelcert=() || : -+ local rhelver=0 || : -+ local sign="" || : -+ local arch="" || : -+ local vendor="" || : -+ local HOSTNAME="" || : -+ -+ while [[ $# -ge 2 ]] ; do -+ case " ${1} " in -+ " --rhelcafile ") -+ rhelcafile="${2}" -+ ;; -+ " --rhelcertfile ") -+ rhelcertfile="${2}" -+ ;; -+ " --hostname ") -+ HOSTNAME="${2}" -+ ;; -+ " --certout ") -+ certout[0]=-C -+ certout[1]="${2}" -+ ;; -+ " --sattrout ") -+ sattrout[0]=-e -+ sattrout[1]="${2}" -+ ;; -+ " --client-token ") -+ client_token[0]=-t -+ client_token[1]="${2}" -+ ;; -+ " --client-cert ") -+ client_cert[0]=-c -+ client_cert[1]="${2}" -+ ;; -+ " --token ") -+ token[0]=-t -+ token[1]="${2}" -+ ;; -+ " --cert ") -+ cert[0]=-c -+ cert[1]="${2}" -+ ;; -+ " --rhelcert ") -+ rhelcert[0]=-c -+ rhelcert[1]="${2}" -+ ;; -+ " --in ") -+ input[0]=-i -+ input[1]="${2}" -+ ;; -+ " --out ") -+ output[0]=-o -+ output[1]="${2}" -+ ;; -+ " --rhelver ") -+ rhelver="${2}" -+ ;; -+ " --vendor ") -+ vendor="${2}" -+ ;; -+ *) -+ break -+ ;; -+ esac -+ shift -+ shift -+ done -+ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then -+ sign=-s -+ shift -+ fi -+ -+ if [[ -z "${target_cpu}" ]] ; then -+ target_cpu="$(uname -m)" -+ fi -+ -+ target_cpu="${target_cpu/i?86/ia32}" -+ target_cpu="${target_cpu/x86_64/x64}" -+ target_cpu="${target_cpu/aarch64/aa64}" -+ target_cpu="${target_cpu/arm*/arm/}" -+ -+ local nssdir=/etc/pki/pesign -+ if [[ "${#cert[@]}" -eq 2 ]] && -+ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then -+ nssdir=/etc/pki/pesign-rh-test -+ fi -+ -+ # is_efi_arch is ultimately returning "is pesign configured to sign these -+ # using the rpm macro", so if it isn't, we're just copying the input to -+ # the output -+ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then -+ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then -+ cp -v "${input[1]}" "${output[1]}" -+ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then -+ touch "${sattrout[1]}" -+ fi -+ -+ # if there's a 0-sized output file, delete it and error out -+ error_on_empty "${output[1]}" -+ return 0 -+ fi -+ -+ USERNAME="${USERNAME:-$(id -un)}" -+ -+ local socket="" || : -+ if grep -q ID=fedora /etc/os-release \ -+ && [[ "${rhelver}" -lt 7 ]] \ -+ && [[ "${USERNAME}" = "mockbuild" ]] \ -+ && [[ "${vendor}" = "Fedora Project" ]] \ -+ && [[ "${HOSTNAME}" =~ bkernel.* ]] -+ then -+ if [[ -S /run/pesign/socket ]] ; then -+ socket=/run/pesign/socket -+ elif [[ -S /var/run/pesign/socket ]]; then -+ socket=/var/run/pesign/socket -+ else -+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2 -+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2 -+ ls -ld /run/pesign /var/run/pesign 1>&2 ||: -+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||: -+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||: -+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||: -+ fi -+ fi -+ -+ if [[ "${rhelver}" -ge 7 ]] ; then -+ nssdir="$(mktemp -p "${PWD}" -d)" -+ echo > "${nssdir}/pwfile" -+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile" -+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}" -+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}" -+ sattrs="$(mktemp -p "${PWD}" --suffix=.der)" -+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \ -+ "${input[@]}" --force -+ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}" -+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \ -+ --certdir "${nssdir}" -c signer \ -+ "${input[@]}" "${output[@]}" -+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" -+ elif [[ -n "${socket}" ]] ; then -+ "${client}" "${client_token[@]}" "${client_cert[@]}" \ -+ "${sattrout[@]}" "${certout[@]}" \ -+ ${sign} "${input[@]}" "${output[@]}" -+ else -+ "${bin}" --certdir "${nssdir}" "${token[@]}" \ -+ "${cert[@]}" ${sign} "${sattrout[@]}" \ -+ "${certout[@]}" "${input[@]}" "${output[@]}" -+ fi -+ -+ # if there's a 0-sized output file, delete it and error out -+ if [[ "${#output[@]}" -eq 2 ]] ; then -+ error_on_empty "${output[1]}" -+ fi -+} -+ -+main "${@}" -+ -+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4 --- -2.26.2 - diff --git a/0009-pesign-authorize-shellcheck.patch b/0009-pesign-authorize-shellcheck.patch deleted file mode 100644 index 3597f5f..0000000 --- a/0009-pesign-authorize-shellcheck.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 Jul 2020 15:07:32 -0400 -Subject: [PATCH 09/11] pesign-authorize: shellcheck - -Signed-off-by: Peter Jones ---- - src/pesign-authorize | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/src/pesign-authorize b/src/pesign-authorize -index a496f601ab4..55cd5c4e55b 100755 ---- a/src/pesign-authorize -+++ b/src/pesign-authorize -@@ -12,21 +12,21 @@ set -u - # License: GPLv2 - declare -a fileusers=() - declare -a dirusers=() --for user in $(cat /etc/pesign/users); do -+while read -r user ; do - dirusers[${#dirusers[@]}]=-m - dirusers[${#dirusers[@]}]="u:$user:rwx" - fileusers[${#fileusers[@]}]=-m - fileusers[${#fileusers[@]}]="u:$user:rw" --done -+done -Date: Tue, 14 Jul 2020 15:08:15 -0400 -Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/ - -Signed-off-by: Peter Jones ---- - src/pesign-authorize | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pesign-authorize b/src/pesign-authorize -index 55cd5c4e55b..c5448329c2c 100755 ---- a/src/pesign-authorize -+++ b/src/pesign-authorize -@@ -47,7 +47,7 @@ update_subdir() { - done - } - --for x in /var/run/pesign/ /etc/pki/pesign*/ ; do -+for x in /var/run/pesign/ /etc/pki/pesign/ ; do - if [ -d "${x}" ]; then - update_subdir "${x}" - else --- -2.26.2 - diff --git a/0011-kernel-building-hack.patch b/0011-kernel-building-hack.patch deleted file mode 100644 index 69ffc56..0000000 --- a/0011-kernel-building-hack.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 Jul 2020 16:42:39 -0400 -Subject: [PATCH 11/11] kernel building hack - -Signed-off-by: Peter Jones ---- - src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in -index c5287c27e0c..27b8261bc17 100644 ---- a/src/pesign-rpmbuild-helper.in -+++ b/src/pesign-rpmbuild-helper.in -@@ -202,6 +202,23 @@ main() { - "${input[@]}" "${output[@]}" - rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" - elif [[ -n "${socket}" ]] ; then -+ ### welcome haaaaack city -+ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then -+ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \ -+ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then -+ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \ -+ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \ -+ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then -+ client_cert[1]=kernel-signer -+ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \ -+ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then -+ client_cert[1]=grub2-signer -+ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \ -+ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then -+ client_cert[1]=fwupd-signer -+ fi -+ fi -+ fi - "${client}" "${client_token[@]}" "${client_cert[@]}" \ - "${sattrout[@]}" "${certout[@]}" \ - ${sign} "${input[@]}" "${output[@]}" --- -2.26.2 - diff --git a/0012-Use-run-not-var-run.patch b/0012-Use-run-not-var-run.patch deleted file mode 100644 index 1b4e0c6..0000000 --- a/0012-Use-run-not-var-run.patch +++ /dev/null @@ -1,105 +0,0 @@ -From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 16 Jul 2020 16:28:26 -0400 -Subject: [PATCH] Use /run not /var/run - -Signed-off-by: Peter Jones ---- - src/daemon.h | 4 ++-- - src/Makefile | 2 +- - src/pesign-authorize | 2 +- - src/pesign.service.in | 2 +- - src/pesign.sysvinit.in | 10 +++++----- - 5 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/src/daemon.h b/src/daemon.h -index 0368dc9256c..5fcd97ea717 100644 ---- a/src/daemon.h -+++ b/src/daemon.h -@@ -51,8 +51,8 @@ typedef enum { - } pesignd_cmd; - - #define PESIGND_VERSION 0x2a9edaf0 --#define SOCKPATH "/var/run/pesign/socket" --#define PIDFILE "/var/run/pesign.pid" -+#define SOCKPATH "/run/pesign/socket" -+#define PIDFILE "/run/pesign.pid" - - static inline uint32_t UNUSED - pesignd_string_size(char *buffer) -diff --git a/src/Makefile b/src/Makefile -index a7ca89159c6..f7fb5fc9ee5 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit - install : - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ -- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ -+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) -diff --git a/src/pesign-authorize b/src/pesign-authorize -index c5448329c2c..2381302440c 100755 ---- a/src/pesign-authorize -+++ b/src/pesign-authorize -@@ -47,7 +47,7 @@ update_subdir() { - done - } - --for x in /var/run/pesign/ /etc/pki/pesign/ ; do -+for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do - if [ -d "${x}" ]; then - update_subdir "${x}" - else -diff --git a/src/pesign.service.in b/src/pesign.service.in -index c75a000892a..4ac2199bce2 100644 ---- a/src/pesign.service.in -+++ b/src/pesign.service.in -@@ -4,6 +4,6 @@ Description=Pesign signing daemon - [Service] - PrivateTmp=true - Type=forking --PIDFile=/var/run/pesign.pid -+PIDFile=/run/pesign.pid - ExecStart=/usr/bin/pesign --daemonize - ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize -diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in -index b0e0f84ff0b..bf8edec8ff3 100644 ---- a/src/pesign.sysvinit.in -+++ b/src/pesign.sysvinit.in -@@ -4,7 +4,7 @@ - # - # chkconfig: - 50 50 - # processname: /usr/bin/pesign --# pidfile: /var/run/pesign.pid -+# pidfile: /run/pesign.pid - ### BEGIN INIT INFO - # Provides: pesign - # Default-Start: -@@ -20,9 +20,9 @@ RETVAL=0 - - start(){ - echo -n "Starting pesign: " -- mkdir /var/run/pesign 2>/dev/null && -- chown pesign:pesign /var/run/pesign && -- chmod 0770 /var/run/pesign -+ mkdir /run/pesign 2>/dev/null && -+ chown pesign:pesign /run/pesign && -+ chmod 0770 /run/pesign - daemon /usr/bin/pesign --daemonize - RETVAL=$? - echo -@@ -32,7 +32,7 @@ start(){ - - stop(){ - echo -n "Stopping pesign: " -- killproc -p /var/run/pesign.pid pesignd -+ killproc -p /run/pesign.pid pesignd - RETVAL=$? - echo - rm -f /var/lock/subsys/pesign --- -2.26.2 - diff --git a/0013-Turn-off-free-nonheap-object.patch b/0013-Turn-off-free-nonheap-object.patch deleted file mode 100644 index 3e62bd8..0000000 --- a/0013-Turn-off-free-nonheap-object.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 59428daf4863f192419eee4afec15cd099e99c9b Mon Sep 17 00:00:00 2001 -From: Jeff Law -Date: Mon, 16 Nov 2020 12:07:59 -0700 -Subject: [PATCH] Turn off -Wfree-nonheap-object - -authvar.c has a call to free (tokenname) where tokenname is set to a string constant -and never changed. That triggers GCC to issue a diagnostic that the value should not -be passed to free. - -This is a false positive from GCC as the call is guarded by a suitable condition that -always happens to be false. But pesign is being built without optimization and thus -the condition and free call are not optimized away. - -This patch just disables the warning. A better solution would be to fix the sources -or build with the optimizer enabled. ---- - Make.defaults | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Make.defaults b/Make.defaults -index d4cd626..705cc3a 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto - cflags = $(CFLAGS) $(ARCH3264) \ - -Wall -Wextra -Wsign-compare -Wno-unused-result \ - -Wno-unused-function -Wno-missing-field-initializers \ -- -Werror -Wno-error=cpp \ -+ -Werror -Wno-error=cpp -Wno-free-nonheap-object \ - -std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \ - -D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \ - $(if $(filter $(CC),clang),$(clang_cflags), ) \ --- -2.28.0 - diff --git a/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch b/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch deleted file mode 100644 index f483ec6..0000000 --- a/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch +++ /dev/null @@ -1,26 +0,0 @@ -From efb69f149f256631a952e0a0db5b45ed5d391509 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 10 Aug 2021 12:39:08 -0400 -Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 34af57c5b3b..2ca1afb916e 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -35,6 +35,7 @@ - %{?_buildhost:--hostname "%{_buildhost}"} \\\ - %{?vendor:--vendor "%{vendor}"} \\\ -- %{?_rhel:--rhelver "%{_rhel}"} \\\ -+ %{?rhel:--rhelver "%{rhel}"} \\\ -+ %{?centos:--rhelver "%{centos}"} \\\ - %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\ - %{?-a:--rhelcafile "%{-a*}"} \\\ - %{?-c:--rhelcertfile "%{-c*}"} \\\ --- -2.31.1 - diff --git a/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch b/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch deleted file mode 100644 index 7a4fba6..0000000 --- a/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3956d8a819541578b31c919270e915fbcc791e89 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 1 Oct 2021 17:58:20 -0400 -Subject: [PATCH] Detect the presence of rpm-sign when checking for - "rhel"-ness. - -Signed-off-by: Peter Jones ---- - src/pesign-rpmbuild-helper.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in -index 27b8261bc17..d6ca29683b1 100644 ---- a/src/pesign-rpmbuild-helper.in -+++ b/src/pesign-rpmbuild-helper.in -@@ -187,7 +187,7 @@ main() { - fi - fi - -- if [[ "${rhelver}" -ge 7 ]] ; then -+ if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then - nssdir="$(mktemp -p "${PWD}" -d)" - echo > "${nssdir}/pwfile" - certutil -N -d "${nssdir}" -f "${nssdir}/pwfile" --- -2.31.1 - diff --git a/pesign.spec b/pesign.spec index 5905a96..64cf1d4 100644 --- a/pesign.spec +++ b/pesign.spec @@ -2,28 +2,29 @@ Name: pesign Summary: Signing utility for UEFI binaries -Version: 113 -Release: 21%{?dist} -License: GPLv2 -URL: https://github.com/vathpela/pesign +Version: 114 +Release: 1%{?dist} +License: GPL-2.0-only +URL: https://github.com/rhboot/pesign Obsoletes: pesign-rh-test-certs <= 0.111-7 -BuildRequires: make +BuildRequires: efivar-devel >= 38-1 BuildRequires: gcc BuildRequires: git +BuildRequires: libuuid-devel +BuildRequires: make +#BuildRequires: mandoc BuildRequires: nspr +BuildRequires: nspr-devel >= 4.9.2-1 BuildRequires: nss +BuildRequires: nss-devel >= 3.13.6-1 +BuildRequires: nss-tools BuildRequires: nss-util BuildRequires: popt-devel -BuildRequires: nss-tools -BuildRequires: nspr-devel >= 4.9.2-1 -BuildRequires: nss-devel >= 3.13.6-1 -BuildRequires: efivar-devel >= 31-1 -BuildRequires: libuuid-devel +BuildRequires: python3 +BuildRequires: python3-rpm-macros BuildRequires: tar BuildRequires: xz -BuildRequires: python3-rpm-macros -BuildRequires: python3 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 BuildRequires: systemd-rpm-macros %endif @@ -43,21 +44,10 @@ Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{ Source1: certs.tar.xz Source2: pesign.py -Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch -Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch -Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch -Patch0004: 0004-Rename-var-run-to-run.patch -Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch -Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch -Patch0007: 0007-client-remove-an-extra-debug-print.patch -Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch -Patch0009: 0009-pesign-authorize-shellcheck.patch -Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch -Patch0011: 0011-kernel-building-hack.patch -Patch0012: 0012-Use-run-not-var-run.patch -Patch0013: 0013-Turn-off-free-nonheap-object.patch -Patch0014: 0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch -Patch0015: 0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch +Patch0001: 0001-Revert-Move-license-to-GPLv3.patch +Patch0002: 0002-Fix-format-strings-for-32-bit-arches.patch +Patch0003: 0003-macros-drop-_pesign_args.patch +Patch0004: 0004-Disable-pragmas-for-warnings-that-are-too-old.patch %description This package contains the pesign utility for signing UEFI binaries as @@ -76,6 +66,11 @@ git config --unset user.email git config --unset user.name %build +# Workaround for mandoc not being packaged +for f in authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1; do + cp src/"$f".mdoc src/"$f" +done + make PREFIX=%{_prefix} LIBDIR=%{_libdir} %install @@ -143,7 +138,6 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null %doc README TODO %{_bindir}/authvar %{_bindir}/efikeygen -%{_bindir}/efisiglist %{_bindir}/pesigcheck %{_bindir}/pesign %{_bindir}/pesign-client @@ -170,20 +164,19 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null %{python3_sitelib}/mockbuild/plugins/pesign.* %changelog -* Tue Dec 14 2021 Robbie Harwood - 113-21 -- Sync with beta changes -- Resolves: rhbz#2030501 +* Tue Feb 08 2022 Robbie Harwood - 114-1 +- New upstream version (114) +- Resolves: #2049320 -* Tue Aug 10 2021 Peter Jones - 113-18 -- Detect the CentOS version number correctly in rpm pesign macro - Related: rhbz#1991688 +* Fri Jan 21 2022 Fedora Release Engineering - 113-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild -* Mon Aug 09 2021 Mohan Boddu - 113-17 -- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Related: rhbz#1991688 +* Fri Jul 23 2021 Fedora Release Engineering - 113-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild -* Fri Apr 16 2021 Mohan Boddu - 113-16 -- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 113-16 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. * Wed Jan 27 2021 Fedora Release Engineering - 113-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild diff --git a/sources b/sources index d0199f7..3522848 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f -SHA512 (pesign-113.tar.bz2) = 89c5e33bf6ac8f8dc4b65192e5fd4bf1fea285106d1de2a6ea02a8c5090f2ec5976b1d80c60e57f74fa56dc25b174a4dd5682292db44ab9aeab69ea992dfef36 +SHA512 (pesign-114.tar.bz2) = 5465c002db6f59ab59799ec79504ed96662bc5da2310282d2e85fc1f03c938343d88927e764e595bf21c3501e599e529a4752281349097cdc74e616535179b3c