import pesign-0.112-26.el8

2022-03-29 13:48:28 -04:00 · 2022-03-29 13:48:28 -04:00 · 6af0ea3e44
commit 6af0ea3e44
parent 9b2d6ac218
3 changed files with 208 additions and 5 deletions
--- a/SOURCES/0030-Replace-var-run-with-run.patch
+++ b/SOURCES/0030-Replace-var-run-with-run.patch
@ -0,0 +1,151 @@
+From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 8 Nov 2021 17:58:09 -0500
+Subject: [PATCH] Replace /var/run with /run
+
+This change is in violation of the FHS and is forced by systemd being
+obnoxious and logging warnings about it as if it's some kind of problem.
+
+This commit is a subset of the work in
+02d473fbfd782863a0dcef7e44822d1e7e56a4b3,
+f97d3b04a2eafb42272ede24e1353dd0a7f4347c,
+5f9058677e7241cc88b4e8620654bbaa08a4bce4, and
+cffa10d9b5eec9a9def3533b181a32b64fc29913 (all by pjones) because they
+don't backport well.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/Makefile           |  2 +-
+ src/daemon.h           |  4 ++--
+ src/macros.pesign      | 12 ++++++------
+ src/pesign-authorize   |  2 +-
+ src/pesign.service.in  |  2 +-
+ src/pesign.sysvinit.in | 10 +++++-----
+ src/tmpfiles.conf      |  2 +-
+ 7 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index 7d68fa1..a11e2b4 100644
+--- a/src/Makefile
+++ b/src/Makefile
+@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
+ install :
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
+-	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+	$(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
+diff --git a/src/daemon.h b/src/daemon.h
+index d97eab9..db42c16 100644
+--- a/src/daemon.h
+++ b/src/daemon.h
+@@ -49,7 +49,7 @@ typedef enum {
+ } pesignd_cmd;
+ 
+ #define PESIGND_VERSION 0x2a9edaf0
+-#define SOCKPATH	"/var/run/pesign/socket"
+-#define PIDFILE		"/var/run/pesign.pid"
+#define SOCKPATH	"/run/pesign/socket"
+#define PIDFILE		"/run/pesign.pid"
+ 
+ #endif /* DAEMON_H */
+diff --git a/src/macros.pesign b/src/macros.pesign
+index dfdac02..f135c29 100644
+--- a/src/macros.pesign
+++ b/src/macros.pesign
+@@ -48,17 +48,17 @@
+            "$(uname -m)" == "x86_64" ] &&				\\\
+          grep -q ID=fedora /etc/os-release && 				\\\
+          [[ "%{_buildhost}" =~ ^bkernel.* ]] &&			\\\
+-         ! [ -S /var/run/pesign/socket ]; then				\
+         ! [ -S /run/pesign/socket ]; then				\
+       echo "No socket even though this is %{_buildhost}"		\
+-      ls -ld /var/run/pesign || :					\
+-      getfacl /var/run/pesign || :					\
+-      ls -l /var/run/pesign/socket || :				\
+-      getfacl /var/run/pesign/socket || :				\
+      ls -ld /run/pesign || :					\
+      getfacl /run/pesign || :					\
+      ls -l /run/pesign/socket || :				\
+      getfacl /run/pesign/socket || :				\
+       echo =========== env ==============				\
+       set								\
+       echo =========== env ==============				\
+       exit 1								\
+-    elif [ -S /var/run/pesign/socket ]; then				\
+    elif [ -S /run/pesign/socket ]; then				\
+       %{_pesign_client} -t %{__pesign_client_token}			\\\
+                         -c %{__pesign_client_cert}			\\\
+                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
+diff --git a/src/pesign-authorize b/src/pesign-authorize
+index a496f60..83a30cd 100755
+--- a/src/pesign-authorize
+++ b/src/pesign-authorize
+@@ -47,7 +47,7 @@ update_subdir() {
+ 	done
+ }
+ 
+-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
+ 	if [ -d "${x}" ]; then
+ 		update_subdir "${x}"
+ 	else
+diff --git a/src/pesign.service.in b/src/pesign.service.in
+index c75a000..4ac2199 100644
+--- a/src/pesign.service.in
+++ b/src/pesign.service.in
+@@ -4,6 +4,6 @@ Description=Pesign signing daemon
+ [Service]
+ PrivateTmp=true
+ Type=forking
+-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
+ ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
+diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
+index b0e0f84..bf8edec 100644
+--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
+@@ -4,7 +4,7 @@
+ #
+ # chkconfig: - 50 50
+ # processname: /usr/bin/pesign
+-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
+ ### BEGIN INIT INFO 
+ # Provides: pesign
+ # Default-Start:
+@@ -20,9 +20,9 @@ RETVAL=0
+ 
+ start(){
+     echo -n "Starting pesign: "
+-    mkdir /var/run/pesign 2>/dev/null &&
+-        chown pesign:pesign /var/run/pesign &&
+-        chmod 0770 /var/run/pesign
+    mkdir /run/pesign 2>/dev/null &&
+        chown pesign:pesign /run/pesign &&
+        chmod 0770 /run/pesign
+     daemon /usr/bin/pesign --daemonize
+     RETVAL=$?
+     echo
+@@ -32,7 +32,7 @@ start(){
+ 
+ stop(){
+     echo -n "Stopping pesign: "
+-    killproc -p /var/run/pesign.pid pesignd
+    killproc -p /run/pesign.pid pesignd
+     RETVAL=$?
+     echo
+     rm -f /var/lock/subsys/pesign
+diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
+index c1cf355..3375ad5 100644
+--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
+@@ -1 +1 @@
+-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
+-- 
+2.33.0
+
--- a/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch
+++ b/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch
@ -0,0 +1,46 @@
+From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 May 2019 11:28:38 -0400
+Subject: [PATCH] efikeygen: Fix the build with nss 3.44
+
+NSS 3.44 adds some certificate types, which changes a type and makes
+some encoding stuff weird.  As a result, we get:
+
+gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe  -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing  -g -O0 -g -O0  -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/  -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr  -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
+In file included from /usr/local/include/nss/nss/cert.h:22,
+                 from efikeygen.c:39:
+efikeygen.c: In function 'add_cert_type':
+/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
+     (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
+     ^
+efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
+  unsigned char type = NS_CERT_TYPE_APP;
+                       ^~~~~~~~~~~~~~~~
+cc1: all warnings being treated as errors
+
+This is fixed by just making it an int.
+
+Fixes github issue #48.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit b535d1ac5cbcdf18a97d97a92581e38080d9e521)
+---
+ src/efikeygen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index 9390578..089e6a7 100644
+--- a/src/efikeygen.c
+++ b/src/efikeygen.c
+@@ -206,7 +206,7 @@ static int
+ add_cert_type(cms_context *cms, void *extHandle, int is_ca)
+ {
+ 	SECItem bitStringValue;
+-	unsigned char type = NS_CERT_TYPE_APP;
+	int type = NS_CERT_TYPE_APP;
+ 
+ 	if (is_ca)
+ 		type |= NS_CERT_TYPE_SSL_CA |
+-- 
+2.33.0
+
--- a/SPECS/pesign.spec
+++ b/SPECS/pesign.spec
@ -3,7 +3,7 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
 Version: 0.112
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: GPLv2
 URL:     https://github.com/vathpela/pesign

@ -59,6 +59,8 @@ Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
 Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
 Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
 Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
+Patch0030: 0030-Replace-var-run-with-run.patch
+Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch

 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -113,7 +115,7 @@ install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 %pre
 getent group pesign >/dev/null || groupadd -r pesign
 getent passwd pesign >/dev/null || \
-	useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
+	useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
 		-c "Group for the pesign signing daemon" pesign
 exit 0

@ -152,9 +154,9 @@ exit 0
 %{_sysconfdir}/popt.d/pesign.popt
 %{macrosdir}/macros.pesign
 %{_mandir}/man*/*
-%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
-%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
-%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
+%dir %attr(0770, pesign, pesign) /%{_rundir}/%{name}
+%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
+%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
 %{_tmpfilesdir}/pesign.conf
 %{_unitdir}/pesign.service
@ -163,6 +165,10 @@ exit 0
 %{python3_sitelib}/mockbuild/plugins/pesign.*

 %changelog
+* Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
+- Perform the /var/run to /run "migration" stupidity
+- Resolves: rhbz#1801976
+
 * Mon Oct 01 2018 Peter Jones <pjones@redhat.com> - 0.112-25
 - Preserve .py timestamp during install so .pyc/.pyo files have the same
  timestamp on all arches, preventing rpmdiff from complaining.