diff --git a/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
new file mode 100644
index 0000000..12f9113
--- /dev/null
+++ b/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
@@ -0,0 +1,263 @@
+From 873345b4970a28c7c590ca0c4e04bf88dd19e3b5 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Mon, 6 Jul 2020 13:54:35 -0400
+Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
+
+Signed-off-by: Peter Jones
+---
+ src/Makefile | 1 +
+ src/macros.pesign | 71 +++++-------------
+ src/pesign-rpmbuild-helper | 143 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 163 insertions(+), 52 deletions(-)
+ create mode 100644 src/pesign-rpmbuild-helper
+
+diff --git a/src/Makefile b/src/Makefile
+index 74327ba13f3..af8bef6d9ff 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -94,6 +94,7 @@ install :
+ $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
++ $(INSTALL) -m 750 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 5a6da1c6809..104586beca5 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -6,7 +6,7 @@
+ # %pesign -s -i shim.orig -o shim.efi
+ # And magically get the right thing.
+
+-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
++%__pesign_token %{nil}%{?pe_signing_token:"%{pe_signing_token}"}
+ %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+
+ %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
+@@ -24,54 +24,21 @@
+ # -a # rhel only
+ # -s # perform signing
+ %pesign(i:o:C:e:c:n:a:s) \
+- _pesign_nssdir=/etc/pki/pesign \
+- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
+- _pesign_nssdir=/etc/pki/pesign-rh-test \
+- fi \
+- if [ -x %{_pesign} ] && \\\
+- [ "%{_target_cpu}" == "x86_64" -o \\\
+- "%{_target_cpu}" == "aarch64" ]; then \
+- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
+- nss=$(mktemp -p $PWD -d) \
+- echo > ${nss}/pwfile \
+- certutil -N -d ${nss} -f ${nss}/pwfile \
+- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
+- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
+- sattrs=$(mktemp -p $PWD --suffix=.der) \
+- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
+- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
+- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
+- --certdir ${nss} -c signer %{-o} \
+- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+- elif [ "$(id -un)" == "kojibuilder" -a \\\
+- grep -q ID=fedora /etc/os-release -a \\\
+- ! -S /run/pesign/socket ]; then \
+- echo "No socket even though this is kojibuilder" 1>&2 \
+- ls -ld /run/pesign 1>&2 \
+- ls -l /run/pesign/socket 1>&2 \
+- getfacl /run/pesign 1>&2 \
+- getfacl /run/pesign/socket 1>&2 \
+- exit 1 \
+- elif [ -S /run/pesign/socket ]; then \
+- %{_pesign_client} -t %{__pesign_client_token} \\\
+- -c %{__pesign_client_cert} \\\
+- %{-i} %{-o} %{-e} %{-s} %{-C} \
+- else \
+- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+- --certdir ${_pesign_nssdir} \\\
+- %{-i} %{-o} %{-e} %{-s} %{-C} \
+- fi \
+- else \
+- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
+- mv %{-i*} %{-o*} \
+- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
+- touch %{-e*} \
+- fi \
+- fi \
+- if [ ! -s %{-o} ]; then \
+- if [ -e "%{-o*}" ]; then \
+- rm -f %{-o*} \
+- fi \
+- exit 1 \
+- fi ;
+-
++ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
++ "%{_target_cpu}" \\\
++ "%{_pesign}" \\\
++ "%{_pesign_client}" \\\
++ %{?__pesign_client_token?--client-token "%{__pesign_client_token}"} \\\
++ %{?__pesign_client_cert?--client-cert "%{__pesign_client_cert}"} \\\
++ %{?__pesign_token?--token "%{__pesign_token}"} \\\
++ %{?__pesign_cert?--cert "%{__pesign_cert}"} \\\
++ %{?_rhel:--rhelver "%{_rhel}"} \\\
++ %{?-a*:--cafile "%{-a*}"} \\\
++ %{?-c*:--certfile "%{-c*}"} \\\
++ %{?-n*:--certname "%{-n*}"} \\\
++ %{?-C*:--certout "%{-C*}"} \\\
++ %{?-e*:--sattrout "%{-e*}"} \\\
++ %{?-i*:--in "%{i*}"} \\\
++ %{?-o*:--out "%{o*}"} \\\
++ %{?-s:--sign} \\\
++%{nil}
+diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
+new file mode 100644
+index 00000000000..69b430940ec
+--- /dev/null
++++ b/src/pesign-rpmbuild-helper
+@@ -0,0 +1,143 @@
++#!/bin/sh
++
++set -eu
++
++main() {
++ local target_cpu="${1}" && shift
++ local bin="${1}" && shift
++ local client="${1}" && shift
++
++ local cafile="" || :
++ local certfile="" || :
++ local certname="" || :
++
++ local certout=() || :
++ local sattrout=() || :
++ local input=() || :
++ local output=() || :
++ local client_token=() || :
++ local client_cert=() || :
++ local token=() || :
++ local cert=() || :
++ local rhelver=0 || :
++ local sign="" || :
++
++ while [[ $# -ge 2 ]] ; do
++ case " ${1} " in
++ " --cafile ")
++ cafile="${2}"
++ ;;
++ " --certfile ")
++ certfile="${2}"
++ ;;
++ " --certname ")
++ certname="${2}"
++ ;;
++ " --certout ")
++ certout=(-C "${2}")
++ ;;
++ " --sattrout ")
++ sattrout=(-e "${2}")
++ ;;
++ " --client-token ")
++ client_token=(-t "${2}")
++ ;;
++ " --client-cert ")
++ client_cert=(-c "${2}")
++ ;;
++ " --token ")
++ token=(-t "${2}")
++ ;;
++ " --cert ")
++ cert=(-c "${2}")
++ ;;
++ " --in ")
++ input=(-i "${2}")
++ ;;
++ " --out ")
++ output=(-o "${2}")
++ ;;
++ " --rhelver ")
++ rhelver="${2}"
++ ;;
++ *)
++ break
++ ;;
++ esac
++ shift
++ shift
++ done
++ if [ $# -ge 1 -a "${1}" = --sign ] ; then
++ sign=-s
++ shift
++ fi
++
++ local nssdir=/etc/pki/pesign
++ if [ "${cert}" == "Red Hat Test Certificate" ] ; then
++ nssdir=/etc/pki/pesign-rh-test
++ fi
++
++ if [ -x "${bin}" ] &&
++ [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then
++ if [ -n "${input[*]}" -a -n "${output[*]}" ] ; then
++ mv -v "${input[1]}" "${output[1]}"
++ elif [ -n "${input[*]}" -a -n "${sattrout[*]}" ] ; then
++ touch "${sattrout[1]}"
++ fi
++
++ # if there's a 0-sized output file, delete it and error out
++ if [ ! -s "${output[1]}" ] ; then
++ if [ -e "${output[1]}" ] ; then
++ rm -f "${output[1]}"
++ fi
++ exit 1
++ fi
++ return 0
++ fi
++
++ if grep -q ID=fedora /etc/os-release &&
++ [ "${rhelver}" -lt 7 ] &&
++ [ "$(id -un)" = "kojibuilder" -o
++ "$(id -un)" = "mockbuilder" ] &&
++ ! [ -S /run/pesign/socket ]; then
++ echo "Warning: no socket even though this is $(id -un)" 1>&2
++ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
++ ls -ld /run/pesign 1>&2
++ ls -l /run/pesign/socket 1>&2
++ getfacl /run/pesign /run/pesign/socket 1>&2
++ fi
++
++ if [ "${rhelver}" -ge 7 ] ; then
++ nssdir=$(mktemp -p $PWD -d)
++ echo > ${nssdir}/pwfile
++ certutil -N -d ${nssdir} -f ${nssdir}/pwfile
++ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${cafile}" -d ${nssdir}
++ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
++ sattrs="$(mktemp -p $PWD --suffix=.der)"
++ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
++ ${input[@]} --force
++ rpm-sign --key "${certname}" --rsadgstsign "${sattrs}"
++ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
++ --certdir "${nssdir}" -c signer \
++ ${input[@]} ${output[@]}
++ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
++ elif [ -S /run/pesign/socket ] ; then
++ "${client}" ${client_token[@]} ${client_cert[@]} \
++ ${sattrout[@]} ${certout[@]} \
++ ${sign} ${input[@]} ${output[@]}
++ else
++ "${bin}" --certdir "${nssdir}" ${token[@]} ${cert[@]} \
++ ${sign} ${sattrout[@]} ${certout[@]} \
++ ${input[@]} ${output[@]}
++ fi
++
++ # if there's a 0-sized output file, delete it and error out
++ if [ ! -s "${output[1]}" ] ; then
++ if [ -e "${output[1]}" ] ; then
++ rm -f "${output[1]}"
++ fi
++ exit 1
++ fi
++}
++
++main "${@}"
+--
+2.26.2
+
diff --git a/pesign.spec b/pesign.spec
index 70704d7..ec9cba2 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -3,7 +3,7 @@ Name: pesign Summary: Signing utility for UEFI binaries Version: 113 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2 URL: https://github.com/vathpela/pesign
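Review bot: In pesign-rpmbuild-helper the test `if [ "${cert}" == "Red Hat Test Certificate" ] ; then` compares only the first element of the `cert` array, which is always `-c` once `--cert` has been parsed, so `nssdir` can never switch to `/etc/pki/pesign-rh-test`; it should read `if [ "${cert[1]-}" = "Red Hat Test Certificate" ] ; then` (the `-` default also keeps `set -u` from aborting when no `--cert` was passed). The same script is declared `#!/bin/sh` yet relies on `local`, arrays and `[[ ]]`, so the shebang should be `#!/bin/bash` unless `/bin/sh` is guaranteed to be bash on every build host. The arch fallback `if [ -x "${bin}" ] && [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then` inverts the removed macro's logic: a missing pesign binary now falls through to the signing branches and fails on `"${bin}"` instead of taking the mv/touch fallback, so the guard should be `if [ ! -x "${bin}" ] || [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then`. In the macros.pesign hunk, `%{?-i*:--in "%{i*}"}` and `%{?-o*:--out "%{o*}"}` use `%{i*}`/`%{o*}` where every sibling option uses the `%{-x*}` form, so they should be `"%{-i*}"` and `"%{-o*}"`. The new `%{?_rhel:--rhelver "%{_rhel}"}` also replaces the old `%{?rhel}` check, which I suspect leaves `rhelver` at 0 on RHEL and skips the rpm-sign path; worth confirming `_rhel` is actually defined where this macro runs.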
@@ -46,6 +46,7 @@ Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch Patch0004: 0004-Rename-var-run-to-run.patch Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch +Patch0006: 0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch %description This package contains the pesign utility for signing UEFI binaries as @@ -151,6 +152,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null %{python3_sitelib}/mockbuild/plugins/pesign.* %changelog +* Mon Jul 06 2020 Peter Jones - 113-4 +- Attempt to fix kernel signing failures caused by -3... + * Fri Jun 12 2020 Peter Jones - 113-3 - Fix the signer name for fedora and some other minor nits Related: rhbz#1708773