From 6c0d5908cba6a870256638eb9ea48b91155fd6a8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 10 May 2022 03:03:16 -0400 Subject: [PATCH] import pesign-0.112-26.el8 --- SOURCES/0030-Replace-var-run-with-run.patch | 151 ++++++++++++++++++ ...fikeygen-Fix-the-build-with-nss-3.44.patch | 46 ++++++ SPECS/pesign.spec | 16 +- 3 files changed, 208 insertions(+), 5 deletions(-) create mode 100644 SOURCES/0030-Replace-var-run-with-run.patch create mode 100644 SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch diff --git a/SOURCES/0030-Replace-var-run-with-run.patch b/SOURCES/0030-Replace-var-run-with-run.patch new file mode 100644 index 0000000..8ade2cd --- /dev/null +++ b/SOURCES/0030-Replace-var-run-with-run.patch @@ -0,0 +1,151 @@ +From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 8 Nov 2021 17:58:09 -0500 +Subject: [PATCH] Replace /var/run with /run + +This change is in violation of the FHS and is forced by systemd being +obnoxious and logging warnings about it as if it's some kind of problem. + +This commit is a subset of the work in +02d473fbfd782863a0dcef7e44822d1e7e56a4b3, +f97d3b04a2eafb42272ede24e1353dd0a7f4347c, +5f9058677e7241cc88b4e8620654bbaa08a4bce4, and +cffa10d9b5eec9a9def3533b181a32b64fc29913 (all by pjones) because they +don't backport well. + +Signed-off-by: Robbie Harwood +--- + src/Makefile | 2 +- + src/daemon.h | 4 ++-- + src/macros.pesign | 12 ++++++------ + src/pesign-authorize | 2 +- + src/pesign.service.in | 2 +- + src/pesign.sysvinit.in | 10 +++++----- + src/tmpfiles.conf | 2 +- + 7 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/src/Makefile b/src/Makefile +index 7d68fa1..a11e2b4 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit + install : + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ +- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ ++ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) +diff --git a/src/daemon.h b/src/daemon.h +index d97eab9..db42c16 100644 +--- a/src/daemon.h ++++ b/src/daemon.h +@@ -49,7 +49,7 @@ typedef enum { + } pesignd_cmd; + + #define PESIGND_VERSION 0x2a9edaf0 +-#define SOCKPATH "/var/run/pesign/socket" +-#define PIDFILE "/var/run/pesign.pid" ++#define SOCKPATH "/run/pesign/socket" ++#define PIDFILE "/run/pesign.pid" + + #endif /* DAEMON_H */ +diff --git a/src/macros.pesign b/src/macros.pesign +index dfdac02..f135c29 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -48,17 +48,17 @@ + "$(uname -m)" == "x86_64" ] && \\\ + grep -q ID=fedora /etc/os-release && \\\ + [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\ +- ! [ -S /var/run/pesign/socket ]; then \ ++ ! [ -S /run/pesign/socket ]; then \ + echo "No socket even though this is %{_buildhost}" \ +- ls -ld /var/run/pesign || : \ +- getfacl /var/run/pesign || : \ +- ls -l /var/run/pesign/socket || : \ +- getfacl /var/run/pesign/socket || : \ ++ ls -ld /run/pesign || : \ ++ getfacl /run/pesign || : \ ++ ls -l /run/pesign/socket || : \ ++ getfacl /run/pesign/socket || : \ + echo =========== env ============== \ + set \ + echo =========== env ============== \ + exit 1 \ +- elif [ -S /var/run/pesign/socket ]; then \ ++ elif [ -S /run/pesign/socket ]; then \ + %{_pesign_client} -t %{__pesign_client_token} \\\ + -c %{__pesign_client_cert} \\\ + %{-i} %{-o} %{-e} %{-s} %{-C} \ +diff --git a/src/pesign-authorize b/src/pesign-authorize +index a496f60..83a30cd 100755 +--- a/src/pesign-authorize ++++ b/src/pesign-authorize +@@ -47,7 +47,7 @@ update_subdir() { + done + } + +-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do ++for x in /run/pesign/ /etc/pki/pesign*/ ; do + if [ -d "${x}" ]; then + update_subdir "${x}" + else +diff --git a/src/pesign.service.in b/src/pesign.service.in +index c75a000..4ac2199 100644 +--- a/src/pesign.service.in ++++ b/src/pesign.service.in +@@ -4,6 +4,6 @@ Description=Pesign signing daemon + [Service] + PrivateTmp=true + Type=forking +-PIDFile=/var/run/pesign.pid ++PIDFile=/run/pesign.pid + ExecStart=/usr/bin/pesign --daemonize + ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize +diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in +index b0e0f84..bf8edec 100644 +--- a/src/pesign.sysvinit.in ++++ b/src/pesign.sysvinit.in +@@ -4,7 +4,7 @@ + # + # chkconfig: - 50 50 + # processname: /usr/bin/pesign +-# pidfile: /var/run/pesign.pid ++# pidfile: /run/pesign.pid + ### BEGIN INIT INFO + # Provides: pesign + # Default-Start: +@@ -20,9 +20,9 @@ RETVAL=0 + + start(){ + echo -n "Starting pesign: " +- mkdir /var/run/pesign 2>/dev/null && +- chown pesign:pesign /var/run/pesign && +- chmod 0770 /var/run/pesign ++ mkdir /run/pesign 2>/dev/null && ++ chown pesign:pesign /run/pesign && ++ chmod 0770 /run/pesign + daemon /usr/bin/pesign --daemonize + RETVAL=$? + echo +@@ -32,7 +32,7 @@ start(){ + + stop(){ + echo -n "Stopping pesign: " +- killproc -p /var/run/pesign.pid pesignd ++ killproc -p /run/pesign.pid pesignd + RETVAL=$? + echo + rm -f /var/lock/subsys/pesign +diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf +index c1cf355..3375ad5 100644 +--- a/src/tmpfiles.conf ++++ b/src/tmpfiles.conf +@@ -1 +1 @@ +-D /var/run/pesign 0770 pesign pesign - ++D /run/pesign 0770 pesign pesign - +-- +2.33.0 + diff --git a/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch b/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch new file mode 100644 index 0000000..7f84af1 --- /dev/null +++ b/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch @@ -0,0 +1,46 @@ +From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 May 2019 11:28:38 -0400 +Subject: [PATCH] efikeygen: Fix the build with nss 3.44 + +NSS 3.44 adds some certificate types, which changes a type and makes +some encoding stuff weird. As a result, we get: + +gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o +In file included from /usr/local/include/nss/nss/cert.h:22, + from efikeygen.c:39: +efikeygen.c: In function 'add_cert_type': +/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow] + (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ + ^ +efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP' + unsigned char type = NS_CERT_TYPE_APP; + ^~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors + +This is fixed by just making it an int. + +Fixes github issue #48. + +Signed-off-by: Peter Jones +(cherry picked from commit b535d1ac5cbcdf18a97d97a92581e38080d9e521) +--- + src/efikeygen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/efikeygen.c b/src/efikeygen.c +index 9390578..089e6a7 100644 +--- a/src/efikeygen.c ++++ b/src/efikeygen.c +@@ -206,7 +206,7 @@ static int + add_cert_type(cms_context *cms, void *extHandle, int is_ca) + { + SECItem bitStringValue; +- unsigned char type = NS_CERT_TYPE_APP; ++ int type = NS_CERT_TYPE_APP; + + if (is_ca) + type |= NS_CERT_TYPE_SSL_CA | +-- +2.33.0 + diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec index 99ae141..eb1de3c 100644 --- a/SPECS/pesign.spec +++ b/SPECS/pesign.spec @@ -3,7 +3,7 @@ Name: pesign Summary: Signing utility for UEFI binaries Version: 0.112 -Release: 25%{?dist} +Release: 26%{?dist} License: GPLv2 URL: https://github.com/vathpela/pesign @@ -59,6 +59,8 @@ Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch +Patch0030: 0030-Replace-var-run-with-run.patch +Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch %description This package contains the pesign utility for signing UEFI binaries as @@ -113,7 +115,7 @@ install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/ %pre getent group pesign >/dev/null || groupadd -r pesign getent passwd pesign >/dev/null || \ - useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \ + useradd -r -g pesign -d /run/pesign -s /sbin/nologin \ -c "Group for the pesign signing daemon" pesign exit 0 @@ -152,9 +154,9 @@ exit 0 %{_sysconfdir}/popt.d/pesign.popt %{macrosdir}/macros.pesign %{_mandir}/man*/* -%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name} -%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket -%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid +%dir %attr(0770, pesign, pesign) /%{_rundir}/%{name} +%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket +%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %{_tmpfilesdir}/pesign.conf %{_unitdir}/pesign.service @@ -163,6 +165,10 @@ exit 0 %{python3_sitelib}/mockbuild/plugins/pesign.* %changelog +* Mon Nov 08 2021 Robbie Harwood - 0.112-26 +- Perform the /var/run to /run "migration" stupidity +- Resolves: rhbz#1801976 + * Mon Oct 01 2018 Peter Jones - 0.112-25 - Preserve .py timestamp during install so .pyc/.pyo files have the same timestamp on all arches, preventing rpmdiff from complaining.