Attempt to fix kernel signing failures caused by -3...

Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones 2020-07-06 14:00:27 -04:00
parent 9b526cffa9
commit 4f2a0b0969
2 changed files with 268 additions and 1 deletions

View File

@ -0,0 +1,263 @@
From 873345b4970a28c7c590ca0c4e04bf88dd19e3b5 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 13:54:35 -0400
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 1 +
src/macros.pesign | 71 +++++-------------
src/pesign-rpmbuild-helper | 143 +++++++++++++++++++++++++++++++++++++
3 files changed, 163 insertions(+), 52 deletions(-)
create mode 100644 src/pesign-rpmbuild-helper
diff --git a/src/Makefile b/src/Makefile
index 74327ba13f3..af8bef6d9ff 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -94,6 +94,7 @@ install :
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
diff --git a/src/macros.pesign b/src/macros.pesign
index 5a6da1c6809..104586beca5 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -6,7 +6,7 @@
# %pesign -s -i shim.orig -o shim.efi
# And magically get the right thing.
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+%__pesign_token %{nil}%{?pe_signing_token:"%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
@@ -24,54 +24,21 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
- _pesign_nssdir=/etc/pki/pesign \
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
- _pesign_nssdir=/etc/pki/pesign-rh-test \
- fi \
- if [ -x %{_pesign} ] && \\\
- [ "%{_target_cpu}" == "x86_64" -o \\\
- "%{_target_cpu}" == "aarch64" ]; then \
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
- nss=$(mktemp -p $PWD -d) \
- echo > ${nss}/pwfile \
- certutil -N -d ${nss} -f ${nss}/pwfile \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
- sattrs=$(mktemp -p $PWD --suffix=.der) \
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
- --certdir ${nss} -c signer %{-o} \
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
- elif [ "$(id -un)" == "kojibuilder" -a \\\
- grep -q ID=fedora /etc/os-release -a \\\
- ! -S /run/pesign/socket ]; then \
- echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /run/pesign 1>&2 \
- ls -l /run/pesign/socket 1>&2 \
- getfacl /run/pesign 1>&2 \
- getfacl /run/pesign/socket 1>&2 \
- exit 1 \
- elif [ -S /run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_client_token} \\\
- -c %{__pesign_client_cert} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
- --certdir ${_pesign_nssdir} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- fi \
- else \
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
- mv %{-i*} %{-o*} \
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
- touch %{-e*} \
- fi \
- fi \
- if [ ! -s %{-o} ]; then \
- if [ -e "%{-o*}" ]; then \
- rm -f %{-o*} \
- fi \
- exit 1 \
- fi ;
-
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
+ "%{_target_cpu}" \\\
+ "%{_pesign}" \\\
+ "%{_pesign_client}" \\\
+ %{?__pesign_client_token?--client-token "%{__pesign_client_token}"} \\\
+ %{?__pesign_client_cert?--client-cert "%{__pesign_client_cert}"} \\\
+ %{?__pesign_token?--token "%{__pesign_token}"} \\\
+ %{?__pesign_cert?--cert "%{__pesign_cert}"} \\\
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?-a*:--cafile "%{-a*}"} \\\
+ %{?-c*:--certfile "%{-c*}"} \\\
+ %{?-n*:--certname "%{-n*}"} \\\
+ %{?-C*:--certout "%{-C*}"} \\\
+ %{?-e*:--sattrout "%{-e*}"} \\\
+ %{?-i*:--in "%{i*}"} \\\
+ %{?-o*:--out "%{o*}"} \\\
+ %{?-s:--sign} \\\
+%{nil}
diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
new file mode 100644
index 00000000000..69b430940ec
--- /dev/null
+++ b/src/pesign-rpmbuild-helper
@@ -0,0 +1,143 @@
+#!/bin/sh
+
+set -eu
+
+main() {
+ local target_cpu="${1}" && shift
+ local bin="${1}" && shift
+ local client="${1}" && shift
+
+ local cafile="" || :
+ local certfile="" || :
+ local certname="" || :
+
+ local certout=() || :
+ local sattrout=() || :
+ local input=() || :
+ local output=() || :
+ local client_token=() || :
+ local client_cert=() || :
+ local token=() || :
+ local cert=() || :
+ local rhelver=0 || :
+ local sign="" || :
+
+ while [[ $# -ge 2 ]] ; do
+ case " ${1} " in
+ " --cafile ")
+ cafile="${2}"
+ ;;
+ " --certfile ")
+ certfile="${2}"
+ ;;
+ " --certname ")
+ certname="${2}"
+ ;;
+ " --certout ")
+ certout=(-C "${2}")
+ ;;
+ " --sattrout ")
+ sattrout=(-e "${2}")
+ ;;
+ " --client-token ")
+ client_token=(-t "${2}")
+ ;;
+ " --client-cert ")
+ client_cert=(-c "${2}")
+ ;;
+ " --token ")
+ token=(-t "${2}")
+ ;;
+ " --cert ")
+ cert=(-c "${2}")
+ ;;
+ " --in ")
+ input=(-i "${2}")
+ ;;
+ " --out ")
+ output=(-o "${2}")
+ ;;
+ " --rhelver ")
+ rhelver="${2}"
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+ shift
+ done
+ if [ $# -ge 1 -a "${1}" = --sign ] ; then
+ sign=-s
+ shift
+ fi
+
+ local nssdir=/etc/pki/pesign
+ if [ "${cert}" == "Red Hat Test Certificate" ] ; then
+ nssdir=/etc/pki/pesign-rh-test
+ fi
+
+ if [ -x "${bin}" ] &&
+ [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then
+ if [ -n "${input[*]}" -a -n "${output[*]}" ] ; then
+ mv -v "${input[1]}" "${output[1]}"
+ elif [ -n "${input[*]}" -a -n "${sattrout[*]}" ] ; then
+ touch "${sattrout[1]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [ ! -s "${output[1]}" ] ; then
+ if [ -e "${output[1]}" ] ; then
+ rm -f "${output[1]}"
+ fi
+ exit 1
+ fi
+ return 0
+ fi
+
+ if grep -q ID=fedora /etc/os-release &&
+ [ "${rhelver}" -lt 7 ] &&
+ [ "$(id -un)" = "kojibuilder" -o
+ "$(id -un)" = "mockbuilder" ] &&
+ ! [ -S /run/pesign/socket ]; then
+ echo "Warning: no socket even though this is $(id -un)" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign 1>&2
+ ls -l /run/pesign/socket 1>&2
+ getfacl /run/pesign /run/pesign/socket 1>&2
+ fi
+
+ if [ "${rhelver}" -ge 7 ] ; then
+ nssdir=$(mktemp -p $PWD -d)
+ echo > ${nssdir}/pwfile
+ certutil -N -d ${nssdir} -f ${nssdir}/pwfile
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${cafile}" -d ${nssdir}
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
+ sattrs="$(mktemp -p $PWD --suffix=.der)"
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+ ${input[@]} --force
+ rpm-sign --key "${certname}" --rsadgstsign "${sattrs}"
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+ --certdir "${nssdir}" -c signer \
+ ${input[@]} ${output[@]}
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+ elif [ -S /run/pesign/socket ] ; then
+ "${client}" ${client_token[@]} ${client_cert[@]} \
+ ${sattrout[@]} ${certout[@]} \
+ ${sign} ${input[@]} ${output[@]}
+ else
+ "${bin}" --certdir "${nssdir}" ${token[@]} ${cert[@]} \
+ ${sign} ${sattrout[@]} ${certout[@]} \
+ ${input[@]} ${output[@]}
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [ ! -s "${output[1]}" ] ; then
+ if [ -e "${output[1]}" ] ; then
+ rm -f "${output[1]}"
+ fi
+ exit 1
+ fi
+}
+
+main "${@}"
--
2.26.2

View File

@ -3,7 +3,7 @@
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 113
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2
URL: https://github.com/vathpela/pesign
@ -46,6 +46,7 @@ Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
Patch0004: 0004-Rename-var-run-to-run.patch
Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
Patch0006: 0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
%description
This package contains the pesign utility for signing UEFI binaries as
@ -151,6 +152,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Mon Jul 06 2020 Peter Jones <pjones@redhat.com> - 113-4
- Attempt to fix kernel signing failures caused by -3...
* Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
- Fix the signer name for fedora and some other minor nits
Related: rhbz#1708773