Remove errant result files and raise an error from %pesign
This commit is contained in:
parent
2915fd2186
commit
7d6ce00fe5
61
0001-Make-the-RHEL-pesign-macro-a-little-better.patch
Normal file
61
0001-Make-the-RHEL-pesign-macro-a-little-better.patch
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
From 2933901ce69d3830e0dad983d20d5d17e8087c75 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 23 Jul 2013 16:58:32 -0400
|
||||||
|
Subject: [PATCH 1/8] Make the RHEL %%pesign macro a little better.
|
||||||
|
|
||||||
|
Use mktemp to avoid clobering anybody's local files, and document the
|
||||||
|
arguments better.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/macros.pesign | 28 +++++++++++++++++++---------
|
||||||
|
1 file changed, 19 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index 26f1dd7..8b123fa 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -12,21 +12,31 @@
|
||||||
|
%_pesign /usr/bin/pesign
|
||||||
|
%_pesign_client /usr/bin/pesign-client
|
||||||
|
|
||||||
|
-%pesign(i:o:C:e:c:s) \
|
||||||
|
+# -i <input filename>
|
||||||
|
+# -o <output filename>
|
||||||
|
+# -C <output cert filename>
|
||||||
|
+# -e <output sattr filename>
|
||||||
|
+# -c <input certificate filename> # rhel only
|
||||||
|
+# -n <input certificate name> # rhel only
|
||||||
|
+# -a <input ca cert filename> # rhel only
|
||||||
|
+# -s # perform signing
|
||||||
|
+%pesign(i:o:C:e:c:n:a:s) \
|
||||||
|
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
|
||||||
|
if [ -e /var/run/pesign/socket ]; then \
|
||||||
|
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||||
|
-c "/CN=Fedora Secure Boot Signer" \\\
|
||||||
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
elif [ -e /etc/rhel-release ]; then \
|
||||||
|
- mkdir nss \
|
||||||
|
- certutil -d nss -N \
|
||||||
|
- certutil -A -n "ca" -t "CT,C," -i %{-c*}.crt -a -d nss \
|
||||||
|
- certutil -A -n %{-c*} -t ",c," -i %{-c*}.crt -a -d nss \
|
||||||
|
- %{_pesign} %{-i} -E sattrs.der --certdir nss \
|
||||||
|
- rpm-sign --key "%{-c*}" --rsasign sattrs.der \
|
||||||
|
- %{_pesign} -R sattrs.der.sig -I sattrs.der %{-i} \\\
|
||||||
|
- --certdir nss %{-c} %{-o} \
|
||||||
|
+ nss=$(mktemp -p $PWD -d) \
|
||||||
|
+ certutil -d ${nss} -N \
|
||||||
|
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||||
|
+ certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
|
||||||
|
+ sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||||
|
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
|
||||||
|
+ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
|
||||||
|
+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||||
|
+ --certdir ${nss} -c signer %{-o} \
|
||||||
|
+ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||||
|
else \
|
||||||
|
%{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
||||||
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
@ -1,8 +1,8 @@
|
|||||||
From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
|
From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
|
||||||
From: Peter Jones <pjones@redhat.com>
|
From: Peter Jones <pjones@redhat.com>
|
||||||
Date: Mon, 5 Aug 2013 09:09:46 -0400
|
Date: Mon, 5 Aug 2013 09:09:46 -0400
|
||||||
Subject: [PATCH] Apparently we want documentation in a non-versioned directory
|
Subject: [PATCH 2/8] Apparently we want documentation in a non-versioned
|
||||||
these days.
|
directory these days.
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
---
|
---
|
@ -0,0 +1,41 @@
|
|||||||
|
From c2d54b835ca3db92c9110a2596429710453c2a95 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 6 Aug 2013 12:32:43 -0400
|
||||||
|
Subject: [PATCH 3/8] Make the RHEL bits for macros.pesign a bit cleaner.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/macros.pesign | 10 +++++-----
|
||||||
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index 8b123fa..244f576 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -22,11 +22,7 @@
|
||||||
|
# -s # perform signing
|
||||||
|
%pesign(i:o:C:e:c:n:a:s) \
|
||||||
|
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
|
||||||
|
- if [ -e /var/run/pesign/socket ]; then \
|
||||||
|
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||||
|
- -c "/CN=Fedora Secure Boot Signer" \\\
|
||||||
|
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
- elif [ -e /etc/rhel-release ]; then \
|
||||||
|
+ if [ -e /etc/rhel-release ]; then \
|
||||||
|
nss=$(mktemp -p $PWD -d) \
|
||||||
|
certutil -d ${nss} -N \
|
||||||
|
certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||||
|
@@ -37,6 +33,10 @@
|
||||||
|
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||||
|
--certdir ${nss} -c signer %{-o} \
|
||||||
|
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||||
|
+ elif [ -S /var/run/pesign/socket ]; then \
|
||||||
|
+ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||||
|
+ -c "/CN=Fedora Secure Boot Signer" \\\
|
||||||
|
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
else \
|
||||||
|
%{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
||||||
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
@ -0,0 +1,55 @@
|
|||||||
|
From 7c25ea77c81e63c88cf1fbeb2fc9baba94bce8b7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
Date: Mon, 4 Mar 2013 16:25:08 +0800
|
||||||
|
Subject: [PATCH 4/8] Include the issuer's certificate only when available
|
||||||
|
|
||||||
|
When pesign generates a signature, it also includes the issuer's certificate.
|
||||||
|
In SUSE build server, we only import the signer's certificate and pesign
|
||||||
|
complaint the issuer's certificate was not found. Per Authenticode PE, the
|
||||||
|
root certificate is typically not included in the certificate list, so I
|
||||||
|
modified pesign a bit to include the issuer's certificate only when available.
|
||||||
|
Please check the attached patch.
|
||||||
|
|
||||||
|
Besides the issuer's certificate, I also found find_named_certificate() didn't
|
||||||
|
handle the certificate list properly and it may cause segfault if "node->cert"
|
||||||
|
is not valid. The patch also fixes this issue.
|
||||||
|
---
|
||||||
|
src/cms_common.c | 2 +-
|
||||||
|
src/signed_data.c | 8 ++------
|
||||||
|
2 files changed, 3 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||||
|
index 6b44024..fc9796e 100644
|
||||||
|
--- a/src/cms_common.c
|
||||||
|
+++ b/src/cms_common.c
|
||||||
|
@@ -592,7 +592,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
|
||||||
|
* in the database, we'll get back what is essentially a template
|
||||||
|
* that's in NSS's cache waiting to be filled out. We can't use that,
|
||||||
|
* it'll just cause CERT_DupCertificate() to segfault. */
|
||||||
|
- if (!node || !node->cert || !node->cert->derCert.data
|
||||||
|
+ if (CERT_LIST_END(node) || !node->cert || !node->cert->derCert.data
|
||||||
|
|| !node->cert->derCert.len
|
||||||
|
|| !node->cert->derIssuer.data
|
||||||
|
|| !node->cert->derIssuer.len) {
|
||||||
|
diff --git a/src/signed_data.c b/src/signed_data.c
|
||||||
|
index 5425271..2f4b498 100644
|
||||||
|
--- a/src/signed_data.c
|
||||||
|
+++ b/src/signed_data.c
|
||||||
|
@@ -96,12 +96,8 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
|
||||||
|
CERTCertificate *signer = NULL;
|
||||||
|
int rc = find_named_certificate(cms, cms->cert->issuerName,
|
||||||
|
&signer);
|
||||||
|
- if (rc < 0) {
|
||||||
|
- PORT_ArenaRelease(cms->arena, mark);
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (signer && signer->derCert.len && signer->derCert.data) {
|
||||||
|
+ if (rc == 0 && signer &&
|
||||||
|
+ signer->derCert.len && signer->derCert.data) {
|
||||||
|
if (signer->derCert.len != cms->cert->derCert.len ||
|
||||||
|
memcmp(signer->derCert.data,
|
||||||
|
cms->cert->derCert.data,
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
26
0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
Normal file
26
0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
From 39466ae9ed3ce5f78fc20c6e74eb0fb3aa93349e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 6 Aug 2013 16:49:06 -0400
|
||||||
|
Subject: [PATCH 5/8] Try harder to figure out if this is RHEL.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/macros.pesign | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index 244f576..f94553d 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -22,7 +22,7 @@
|
||||||
|
# -s # perform signing
|
||||||
|
%pesign(i:o:C:e:c:n:a:s) \
|
||||||
|
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
|
||||||
|
- if [ -e /etc/rhel-release ]; then \
|
||||||
|
+ if [ "0%{?rhel}" -ge "7" ]; then \
|
||||||
|
nss=$(mktemp -p $PWD -d) \
|
||||||
|
certutil -d ${nss} -N \
|
||||||
|
certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
28
0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
Normal file
28
0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
From f8b19278775fe8a5c599b94fcae90b99a781a42b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Wed, 7 Aug 2013 09:06:33 -0400
|
||||||
|
Subject: [PATCH 6/8] Don't use ASCII mode for RHEL certificate imports.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/macros.pesign | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index f94553d..84e87a3 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -25,8 +25,8 @@
|
||||||
|
if [ "0%{?rhel}" -ge "7" ]; then \
|
||||||
|
nss=$(mktemp -p $PWD -d) \
|
||||||
|
certutil -d ${nss} -N \
|
||||||
|
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||||
|
- certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
|
||||||
|
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
||||||
|
+ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
||||||
|
sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||||
|
%{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
|
||||||
|
rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
@ -0,0 +1,30 @@
|
|||||||
|
From c7318444b811125f26828fd39e8a46de81cd5f86 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Wed, 7 Aug 2013 09:13:11 -0400
|
||||||
|
Subject: [PATCH 7/8] Apparently if something goes wrong on the HSM, we wind up
|
||||||
|
with 0-size.
|
||||||
|
|
||||||
|
Handle zero-sized output by erroring in the rpm macro. Eventually we
|
||||||
|
should make sure pesign is throwing an error there too.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/macros.pesign | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index 84e87a3..6b22826 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -47,5 +47,8 @@
|
||||||
|
elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
|
||||||
|
touch %{-e*} \
|
||||||
|
fi \
|
||||||
|
+ fi \
|
||||||
|
+ if [ ! -s %{-o} ]; then \
|
||||||
|
+ exit 1 \
|
||||||
|
fi ;
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
@ -0,0 +1,26 @@
|
|||||||
|
From 5b8950a8cddad1076fb631c4ef6999bfb4f977f8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Wed, 7 Aug 2013 09:37:33 -0400
|
||||||
|
Subject: [PATCH 8/8] Use --force when we've got a sattrs blob from mktemp()
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/macros.pesign | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index 6b22826..a0339fe 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -28,7 +28,7 @@
|
||||||
|
certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
||||||
|
certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
||||||
|
sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||||
|
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
|
||||||
|
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
|
||||||
|
rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
|
||||||
|
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||||
|
--certdir ${nss} -c signer %{-o} \
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
21
pesign.spec
21
pesign.spec
@ -1,7 +1,7 @@
|
|||||||
Summary: Signing utility for UEFI binaries
|
Summary: Signing utility for UEFI binaries
|
||||||
Name: pesign
|
Name: pesign
|
||||||
Version: 0.106
|
Version: 0.106
|
||||||
Release: 2%{?dist}
|
Release: 4%{?dist}
|
||||||
Group: Development/System
|
Group: Development/System
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
URL: https://github.com/vathpela/pesign
|
URL: https://github.com/vathpela/pesign
|
||||||
@ -12,13 +12,24 @@ BuildRequires: nss-devel >= 3.13.6-1
|
|||||||
Requires: nspr nss nss-util popt rpm coolkey opensc
|
Requires: nspr nss nss-util popt rpm coolkey opensc
|
||||||
Requires(pre): shadow-utils
|
Requires(pre): shadow-utils
|
||||||
ExclusiveArch: i686 x86_64 ia64
|
ExclusiveArch: i686 x86_64 ia64
|
||||||
|
%if 0%{?rhel} >= 7
|
||||||
|
BuildRequires: rh-signing-tools >= 1.20-2
|
||||||
|
%endif
|
||||||
|
|
||||||
# there is no tarball at github, of course. To get this version do:
|
# there is no tarball at github, of course. To get this version do:
|
||||||
# git clone https://github.com/vathpela/pesign.git
|
# git clone https://github.com/vathpela/pesign.git
|
||||||
# git checkout %%{version}
|
# git checkout %%{version}
|
||||||
Source0: pesign-%{version}.tar.bz2
|
Source0: pesign-%{version}.tar.bz2
|
||||||
Source1: rh-test-certs.tar.bz2
|
Source1: rh-test-certs.tar.bz2
|
||||||
Patch0: 0001-Apparently-we-want-documentation-in-a-non-versioned-.patch
|
Patch0001: 0001-Make-the-RHEL-pesign-macro-a-little-better.patch
|
||||||
|
Patch0002: 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
|
||||||
|
Patch0003: 0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
|
||||||
|
Patch0004: 0004-Include-the-issuer-s-certificate-only-when-available.patch
|
||||||
|
Patch0005: 0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
|
||||||
|
Patch0006: 0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
|
||||||
|
Patch0007: 0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
|
||||||
|
Patch0008: 0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
|
||||||
|
Patch0009: 0009-Remove-errant-results-from-signing.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This package contains the pesign utility for signing UEFI binaries as
|
This package contains the pesign utility for signing UEFI binaries as
|
||||||
@ -97,6 +108,12 @@ exit 0
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Aug 10 2013 Peter Jones <pjones@redhat.com> - 0.106-4
|
||||||
|
- Remove errant result files and raise an error from %%pesign
|
||||||
|
|
||||||
|
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.106-3
|
||||||
|
- Add code for signing in RHEL 7
|
||||||
|
|
||||||
* Mon Aug 05 2013 Peter Jones <pjones@redhat.com> - 0.106-2
|
* Mon Aug 05 2013 Peter Jones <pjones@redhat.com> - 0.106-2
|
||||||
- Fix for new %%doc rules.
|
- Fix for new %%doc rules.
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user