Attempt to fix kernel signing failures caused by -3...

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-06 14:00:27 -04:00 · 2020-07-06 14:00:27 -04:00 · 4f2a0b0969
commit 4f2a0b0969
parent 9b526cffa9
2 changed files with 268 additions and 1 deletions
--- a/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+++ b/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
@ -0,0 +1,263 @@
+From 873345b4970a28c7c590ca0c4e04bf88dd19e3b5 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 6 Jul 2020 13:54:35 -0400
+Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/Makefile               |   1 +
+ src/macros.pesign          |  71 +++++-------------
+ src/pesign-rpmbuild-helper | 143 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 163 insertions(+), 52 deletions(-)
+ create mode 100644 src/pesign-rpmbuild-helper
+
+diff --git a/src/Makefile b/src/Makefile
+index 74327ba13f3..af8bef6d9ff 100644
+--- a/src/Makefile
+++ b/src/Makefile
+@@ -94,6 +94,7 @@ install :
+ 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
+ 	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+	$(INSTALL) -m 750 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
+ 	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ 	$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 5a6da1c6809..104586beca5 100644
+--- a/src/macros.pesign
+++ b/src/macros.pesign
+@@ -6,7 +6,7 @@
+ # %pesign -s -i shim.orig -o shim.efi
+ # And magically get the right thing.
+ 
+-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+%__pesign_token %{nil}%{?pe_signing_token:"%{pe_signing_token}"}
+ %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+ %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
+@@ -24,54 +24,21 @@
+ # -a <input ca cert filename>		# rhel only
+ # -s 					# perform signing
+ %pesign(i:o:C:e:c:n:a:s)						\
+-  _pesign_nssdir=/etc/pki/pesign					\
+-  if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then		\
+-    _pesign_nssdir=/etc/pki/pesign-rh-test				\
+-  fi									\
+-  if [ -x %{_pesign} ] &&  						\\\
+-       [ "%{_target_cpu}" == "x86_64" -o 				\\\
+-         "%{_target_cpu}" == "aarch64" ]; then				\
+-    if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then		\
+-      nss=$(mktemp -p $PWD -d)						\
+-      echo > ${nss}/pwfile						\
+-      certutil -N -d ${nss} -f ${nss}/pwfile				\
+-      certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
+-      certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
+-      sattrs=$(mktemp -p $PWD --suffix=.der)				\
+-      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force		\
+-      rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs}			\
+-      %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
+-                 --certdir ${nss} -c signer %{-o}			\
+-      rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
+-    elif [ "$(id -un)" == "kojibuilder" -a				\\\
+-           grep -q ID=fedora /etc/os-release -a				\\\
+-           ! -S /run/pesign/socket ]; then				\
+-      echo "No socket even though this is kojibuilder" 1>&2		\
+-      ls -ld /run/pesign 1>&2					\
+-      ls -l /run/pesign/socket 1>&2					\
+-      getfacl /run/pesign 1>&2					\
+-      getfacl /run/pesign/socket 1>&2				\
+-      exit 1								\
+-    elif [ -S /run/pesign/socket ]; then				\
+-      %{_pesign_client} -t %{__pesign_client_token}			\\\
+-                        -c %{__pesign_client_cert}			\\\
+-                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
+-    else								\
+-      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
+-                 --certdir ${_pesign_nssdir}				\\\
+-                 %{-i} %{-o} %{-e} %{-s} %{-C}				\
+-    fi									\
+-  else									\
+-    if [ -n "%{-i*}" -a -n "%{-o*}" ]; then				\
+-      mv %{-i*} %{-o*}							\
+-    elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then				\
+-      touch %{-e*}							\
+-    fi									\
+-  fi									\
+-  if [ ! -s %{-o} ]; then						\
+-    if [ -e "%{-o*}" ]; then						\
+-      rm -f %{-o*}							\
+-    fi									\
+-    exit 1								\
+-  fi ;
+-
+  %{_libexecdir}/pesign/pesign-rpmbuild-helper				\\\
+    "%{_target_cpu}"							\\\
+    "%{_pesign}"							\\\
+    "%{_pesign_client}"							\\\
+    %{?__pesign_client_token?--client-token "%{__pesign_client_token}"}	\\\
+    %{?__pesign_client_cert?--client-cert "%{__pesign_client_cert}"}	\\\
+    %{?__pesign_token?--token "%{__pesign_token}"}			\\\
+    %{?__pesign_cert?--cert "%{__pesign_cert}"}				\\\
+    %{?_rhel:--rhelver "%{_rhel}"}					\\\
+    %{?-a*:--cafile "%{-a*}"}						\\\
+    %{?-c*:--certfile "%{-c*}"}						\\\
+    %{?-n*:--certname "%{-n*}"}						\\\
+    %{?-C*:--certout "%{-C*}"}						\\\
+    %{?-e*:--sattrout "%{-e*}"}						\\\
+    %{?-i*:--in "%{i*}"}						\\\
+    %{?-o*:--out "%{o*}"}						\\\
+    %{?-s:--sign}							\\\
+%{nil}
+diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
+new file mode 100644
+index 00000000000..69b430940ec
+--- /dev/null
+++ b/src/pesign-rpmbuild-helper
+@@ -0,0 +1,143 @@
+#!/bin/sh
+
+set -eu
+
+main() {
+	local target_cpu="${1}" && shift
+	local bin="${1}" && shift
+	local client="${1}" && shift
+
+	local cafile="" || :
+	local certfile="" || :
+	local certname="" || :
+
+	local certout=() || :
+	local sattrout=() || :
+	local input=() || :
+	local output=() || :
+	local client_token=() || :
+	local client_cert=() || :
+	local token=() || :
+	local cert=() || :
+	local rhelver=0 || :
+	local sign="" || :
+
+	while [[ $# -ge 2 ]] ; do
+		case " ${1} " in
+		" --cafile ")
+			cafile="${2}"
+			;;
+		" --certfile ")
+			certfile="${2}"
+			;;
+		" --certname ")
+			certname="${2}"
+			;;
+		" --certout ")
+			certout=(-C "${2}")
+			;;
+		" --sattrout ")
+			sattrout=(-e "${2}")
+			;;
+		" --client-token ")
+			client_token=(-t "${2}")
+			;;
+		" --client-cert ")
+			client_cert=(-c "${2}")
+			;;
+		" --token ")
+			token=(-t "${2}")
+			;;
+		" --cert ")
+			cert=(-c "${2}")
+			;;
+		" --in ")
+			input=(-i "${2}")
+			;;
+		" --out ")
+			output=(-o "${2}")
+			;;
+		" --rhelver ")
+			rhelver="${2}"
+			;;
+		*)
+			break
+			;;
+		esac
+		shift
+		shift
+	done
+	if [ $# -ge 1 -a "${1}" = --sign ] ; then
+		sign=-s
+		shift
+	fi
+
+	local nssdir=/etc/pki/pesign
+	if [ "${cert}" == "Red Hat Test Certificate" ] ; then
+		nssdir=/etc/pki/pesign-rh-test
+	fi
+
+	if [ -x "${bin}" ] &&
+	   [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then
+		if [ -n "${input[*]}" -a -n "${output[*]}" ] ; then
+			mv -v "${input[1]}" "${output[1]}"
+		elif [ -n "${input[*]}" -a -n "${sattrout[*]}" ] ; then
+			touch "${sattrout[1]}"
+		fi
+
+		# if there's a 0-sized output file, delete it and error out
+		if [ ! -s "${output[1]}" ] ; then
+			if [ -e "${output[1]}" ] ; then
+				rm -f "${output[1]}"
+			fi
+			exit 1
+		fi
+		return 0
+	fi
+
+	if grep -q ID=fedora /etc/os-release &&
+	   [ "${rhelver}" -lt 7 ] &&
+	   [ "$(id -un)" = "kojibuilder" -o
+	     "$(id -un)" = "mockbuilder" ] &&
+	   ! [ -S /run/pesign/socket ]; then
+		echo "Warning: no socket even though this is $(id -un)" 1>&2
+		echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+		ls -ld /run/pesign 1>&2
+		ls -l /run/pesign/socket 1>&2
+		getfacl /run/pesign /run/pesign/socket 1>&2
+	fi
+
+	if [ "${rhelver}" -ge 7 ] ; then
+		nssdir=$(mktemp -p $PWD -d)
+		echo > ${nssdir}/pwfile
+		certutil -N -d ${nssdir} -f ${nssdir}/pwfile
+		certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${cafile}" -d ${nssdir}
+		certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
+		sattrs="$(mktemp -p $PWD --suffix=.der)"
+		"${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+			${input[@]} --force
+		rpm-sign --key "${certname}" --rsadgstsign "${sattrs}"
+		"${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+			--certdir "${nssdir}" -c signer \
+			${input[@]} ${output[@]}
+		rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+	elif [ -S /run/pesign/socket ] ; then
+		"${client}" ${client_token[@]} ${client_cert[@]}	\
+			${sattrout[@]} ${certout[@]}			\
+			${sign} ${input[@]} ${output[@]}
+	else
+		"${bin}" --certdir "${nssdir}" ${token[@]} ${cert[@]}	\
+			${sign} ${sattrout[@]} ${certout[@]}		\
+			${input[@]} ${output[@]}
+	fi
+
+	# if there's a 0-sized output file, delete it and error out
+	if [ ! -s "${output[1]}" ] ; then
+		if [ -e "${output[1]}" ] ; then
+			rm -f "${output[1]}"
+		fi
+		exit 1
+	fi
+}
+
+main "${@}"
+-- 
+2.26.2
+
--- a/pesign.spec
+++ b/pesign.spec
@ -3,7 +3,7 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
 Version: 113
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 URL:     https://github.com/vathpela/pesign

@ -46,6 +46,7 @@ Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
 Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
 Patch0004: 0004-Rename-var-run-to-run.patch
 Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
+Patch0006: 0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch

 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -151,6 +152,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
 %{python3_sitelib}/mockbuild/plugins/pesign.*

 %changelog
+* Mon Jul 06 2020 Peter Jones <pjones@redhat.com> - 113-4
+- Attempt to fix kernel signing failures caused by -3...
+
 * Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
 - Fix the signer name for fedora and some other minor nits
  Related: rhbz#1708773