Switch default NSS database to SQLite format

Resolves: rhbz#1827902 Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2020-06-08 15:54:08 +02:00 · 2020-06-08 15:54:08 +02:00 · 6076214ded
commit 6076214ded
parent 9664ede71c
3 changed files with 115 additions and 3 deletions
--- a/0032-Use-sql-type-nss-database-everywhere-by-default.patch
+++ b/0032-Use-sql-type-nss-database-everywhere-by-default.patch
@ -0,0 +1,104 @@
+From c2f2c8845b3ed34da0a76806ec81bc5ad60179ef Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 12 Mar 2018 10:51:24 -0400
+Subject: [PATCH] Use sql-type nss database everywhere by default.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/authvar.c    | 2 ++
+ src/client.c     | 3 +++
+ src/efikeygen.c  | 2 ++
+ src/efisiglist.c | 2 ++
+ src/pesigcheck.c | 2 ++
+ src/pesign.c     | 2 ++
+ 6 files changed, 13 insertions(+)
+
+diff --git a/src/authvar.c b/src/authvar.c
+index 03e0c47f61c..47a73d12eaa 100644
+--- a/src/authvar.c
+++ b/src/authvar.c
+@@ -272,6 +272,8 @@ main(int argc, char *argv[])
+ 
+ 	int action = 0;
+ 
+	setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
+
+ 	rc = authvar_context_init(ctxp);
+ 	if (rc < 0) {
+ 		fprintf(stderr, "Could not initialize context: %m\n");
+diff --git a/src/client.c b/src/client.c
+index 575c873fb70..64e7bbb7689 100644
+--- a/src/client.c
+++ b/src/client.c
+@@ -22,6 +22,7 @@
+ #include <popt.h>
+ #include <pwd.h>
+ #include <stddef.h>
+#include <stdlib.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
+@@ -628,6 +629,8 @@ main(int argc, char *argv[])
+ 		POPT_TABLEEND
+ 	};
+ 
+	setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
+
+ 	optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
+ 
+ 	rc = poptReadDefaultConfig(optCon, 0);
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index 93905782c0c..ad34970a62d 100644
+--- a/src/efikeygen.c
+++ b/src/efikeygen.c
+@@ -595,6 +595,8 @@ int main(int argc, char *argv[])
+ 		POPT_TABLEEND
+ 	};
+ 
+	setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
+
+ 	optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
+ 
+ 	int rc = poptReadDefaultConfig(optCon, 0);
+diff --git a/src/efisiglist.c b/src/efisiglist.c
+index a7ed528ca13..b88c4a06ded 100644
+--- a/src/efisiglist.c
+++ b/src/efisiglist.c
+@@ -177,6 +177,8 @@ main(int argc, char *argv[])
+ 		POPT_TABLEEND
+ 	};
+ 
+	setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
+
+ 	optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
+ 
+ 	rc = poptReadDefaultConfig(optCon, 0);
+diff --git a/src/pesigcheck.c b/src/pesigcheck.c
+index c8e10860855..535999ca7fa 100644
+--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
+@@ -464,6 +464,8 @@ main(int argc, char *argv[])
+ 		POPT_TABLEEND
+ 	};
+ 
+	setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
+
+ 	rc = pesigcheck_context_init(ctxp);
+ 	if (rc < 0) {
+ 		fprintf(stderr, "pesigcheck: Could not initialize context: %m\n");
+diff --git a/src/pesign.c b/src/pesign.c
+index 6ceda34f797..bc12e4d920a 100644
+--- a/src/pesign.c
+++ b/src/pesign.c
+@@ -416,6 +416,8 @@ main(int argc, char *argv[])
+ 	char *certdir = "/etc/pki/pesign";
+ 	char *signum = NULL;
+ 
+	setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
+
+ 	rc = pesign_context_new(&ctxp);
+ 	if (rc < 0) {
+ 		fprintf(stderr, "Could not initialize context: %m\n");
+-- 
+2.26.2
+
--- a/pesign.spec
+++ b/pesign.spec
@ -3,7 +3,7 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
 Version: 0.112
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: GPLv2
 URL:     https://github.com/vathpela/pesign

@ -72,6 +72,7 @@ Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
 Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
 Patch0030: 0030-efikeygen-Fix-the-build-with-nss-3.44.patch
 Patch0031: 0031-pesigcheck-Fix-a-wrong-assignment.patch
+Patch0032: 0032-Use-sql-type-nss-database-everywhere-by-default.patch

 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -145,6 +146,9 @@ exit 0

 %postun
 %systemd_postun_with_restart pesign.service
+
+%posttrans
+certutil -d /etc/pki/pesign/ -X -L > /dev/null
 %endif

 %files
@ -179,6 +183,10 @@ exit 0
 %{python3_sitelib}/mockbuild/plugins/pesign.*

 %changelog
+* Mon Jun 08 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.112-31
+- Switch default NSS database to SQLite format (pjones)
+  Resolves: rhbz#1827902
+
 * Mon Feb 24 2020 Peter Jones <pjones@redhat.com> - 0.112-30
 - Make sure the patch for -29 is actually in the build in f32, and
  synchronize with master.
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-e377e0bc924287ee09356a239c5f51a8  certs.tar.xz
-eae1d66e160be744ff310ad7592ae31e  pesign-0.112.tar.bz2
+SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
+SHA512 (pesign-0.112.tar.bz2) = 96bff27ce5059f1ea299c21ac88998a0c17851b8b06ba2f3e286de5cd4d73651b670ac00ca035481faf9c963338527c89120c63ec891a95ce9ecb9130fbc5e5c