Remove errant result files and raise an error from %pesign

2013-08-10 10:30:26 -04:00 · 2013-08-10 10:30:26 -04:00 · 7d6ce00fe5
commit 7d6ce00fe5
parent 2915fd2186
9 changed files with 288 additions and 4 deletions
--- a/0001-Make-the-RHEL-pesign-macro-a-little-better.patch
+++ b/0001-Make-the-RHEL-pesign-macro-a-little-better.patch
@ -0,0 +1,61 @@
 From 2933901ce69d3830e0dad983d20d5d17e8087c75 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 23 Jul 2013 16:58:32 -0400
 Subject: [PATCH 1/8] Make the RHEL %%pesign macro a little better.
 Use mktemp to avoid clobering anybody's local files, and document the
 arguments better.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 26f1dd7..8b123fa 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -12,21 +12,31 @@
 %_pesign /usr/bin/pesign
 %_pesign_client /usr/bin/pesign-client
 -%pesign(i:o:C:e:c:s)							\
 +# -i <input filename>
 +# -o <output filename>
 +# -C <output cert filename>
 +# -e <output sattr filename>
 +# -c <input certificate filename>	# rhel only
 +# -n <input certificate name>		# rhel only
 +# -a <input ca cert filename>		# rhel only
 +# -s 					# perform signing
 +%pesign(i:o:C:e:c:n:a:s)						\
   if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then		\
     if [ -e /var/run/pesign/socket ]; then				\
       %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
                         -c "/CN=Fedora Secure Boot Signer"		\\\
                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
     elif [ -e /etc/rhel-release ]; then					\
 -      mkdir nss								\
 -      certutil -d nss -N						\
 -      certutil -A -n "ca" -t "CT,C," -i %{-c*}.crt -a -d nss		\
 -      certutil -A -n %{-c*} -t ",c," -i %{-c*}.crt -a -d nss		\
 -      %{_pesign} %{-i} -E sattrs.der --certdir nss			\
 -      rpm-sign --key "%{-c*}" --rsasign sattrs.der			\
 -      %{_pesign} -R sattrs.der.sig -I sattrs.der %{-i}			\\\
 -                 --certdir nss %{-c} %{-o}				\
 +      nss=$(mktemp -p $PWD -d)						\
 +      certutil -d ${nss} -N						\
 +      certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss}		\
 +      certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss}		\
 +      sattrs=$(mktemp -p $PWD --suffix=.der)				\
 +      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss}			\
 +      rpm-sign --key "%{-n*}" --rsasign ${sattrs}			\
 +      %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
 +                 --certdir ${nss} -c signer %{-o}			\
 +      rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
     else								\
       %{_pesign} %{__pesign_token} %{__pesign_cert}			\\\
                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
 -- 
 1.8.3.1
--- a/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
+++ b/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
@ -1,8 +1,8 @@
 From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 5 Aug 2013 09:09:46 -0400
-Subject: [PATCH] Apparently we want documentation in a non-versioned directory
+Subject: [PATCH 2/8] Apparently we want documentation in a non-versioned
- these days.
+ directory these days.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
+++ b/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
@ -0,0 +1,41 @@
 From c2d54b835ca3db92c9110a2596429710453c2a95 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 6 Aug 2013 12:32:43 -0400
 Subject: [PATCH 3/8] Make the RHEL bits for macros.pesign a bit cleaner.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 8b123fa..244f576 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -22,11 +22,7 @@
 # -s 					# perform signing
 %pesign(i:o:C:e:c:n:a:s)						\
   if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then		\
 -    if [ -e /var/run/pesign/socket ]; then				\
 -      %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
 -                        -c "/CN=Fedora Secure Boot Signer"		\\\
 -                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
 -    elif [ -e /etc/rhel-release ]; then					\
 +    if [ -e /etc/rhel-release ]; then					\
       nss=$(mktemp -p $PWD -d)						\
       certutil -d ${nss} -N						\
       certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss}		\
@@ -37,6 +33,10 @@
       %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
                  --certdir ${nss} -c signer %{-o}			\
       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
 +    elif [ -S /var/run/pesign/socket ]; then				\
 +      %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
 +                        -c "/CN=Fedora Secure Boot Signer"		\\\
 +                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
     else								\
       %{_pesign} %{__pesign_token} %{__pesign_cert}			\\\
                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
 -- 
 1.8.3.1
--- a/0004-Include-the-issuer-s-certificate-only-when-available.patch
+++ b/0004-Include-the-issuer-s-certificate-only-when-available.patch
@ -0,0 +1,55 @@
 From 7c25ea77c81e63c88cf1fbeb2fc9baba94bce8b7 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 4 Mar 2013 16:25:08 +0800
 Subject: [PATCH 4/8] Include the issuer's certificate only when available
 When pesign generates a signature, it also includes the issuer's certificate.
 In SUSE build server, we only import the signer's certificate and pesign
 complaint the issuer's certificate was not found. Per Authenticode PE, the
 root certificate is typically not included in the certificate list, so I
 modified pesign a bit to include the issuer's certificate only when available.
 Please check the attached patch.
 Besides the issuer's certificate, I also found find_named_certificate() didn't
 handle the certificate list properly and it may cause segfault if "node->cert"
 is not valid. The patch also fixes this issue.
 ---
 src/cms_common.c  | 2 +-
 src/signed_data.c | 8 ++------
 2 files changed, 3 insertions(+), 7 deletions(-)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 6b44024..fc9796e 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -592,7 +592,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
 	 * in the database, we'll get back what is essentially a template
 	 * that's in NSS's cache waiting to be filled out.  We can't use that,
 	 * it'll just cause CERT_DupCertificate() to segfault. */
 -	if (!node || !node->cert || !node->cert->derCert.data
 +	if (CERT_LIST_END(node) || !node->cert || !node->cert->derCert.data
 				 || !node->cert->derCert.len
 				 || !node->cert->derIssuer.data
 				 || !node->cert->derIssuer.len) {
 diff --git a/src/signed_data.c b/src/signed_data.c
 index 5425271..2f4b498 100644
 --- a/src/signed_data.c
 +++ b/src/signed_data.c
@@ -96,12 +96,8 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
 		CERTCertificate *signer = NULL;
 		int rc = find_named_certificate(cms, cms->cert->issuerName,
 						&signer);
 -		if (rc < 0) {
 -			PORT_ArenaRelease(cms->arena, mark);
 -			return -1;
 -		}
 -
 -		if (signer && signer->derCert.len && signer->derCert.data) {
 +		if (rc == 0 && signer &&
 +				signer->derCert.len && signer->derCert.data) {
 			if (signer->derCert.len != cms->cert->derCert.len ||
 					memcmp(signer->derCert.data,
 						cms->cert->derCert.data,
 -- 
 1.8.3.1
--- a/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
+++ b/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
@ -0,0 +1,26 @@
 From 39466ae9ed3ce5f78fc20c6e74eb0fb3aa93349e Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 6 Aug 2013 16:49:06 -0400
 Subject: [PATCH 5/8] Try harder to figure out if this is RHEL.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 244f576..f94553d 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -22,7 +22,7 @@
 # -s 					# perform signing
 %pesign(i:o:C:e:c:n:a:s)						\
   if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then		\
 -    if [ -e /etc/rhel-release ]; then					\
 +    if [ "0%{?rhel}" -ge "7" ]; then					\
       nss=$(mktemp -p $PWD -d)						\
       certutil -d ${nss} -N						\
       certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss}		\
 -- 
 1.8.3.1
--- a/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
+++ b/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
@ -0,0 +1,28 @@
 From f8b19278775fe8a5c599b94fcae90b99a781a42b Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 7 Aug 2013 09:06:33 -0400
 Subject: [PATCH 6/8] Don't use ASCII mode for RHEL certificate imports.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index f94553d..84e87a3 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -25,8 +25,8 @@
     if [ "0%{?rhel}" -ge "7" ]; then					\
       nss=$(mktemp -p $PWD -d)						\
       certutil -d ${nss} -N						\
 -      certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss}		\
 -      certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss}		\
 +      certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
 +      certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
       sattrs=$(mktemp -p $PWD --suffix=.der)				\
       %{_pesign} %{-i} -E ${sattrs} --certdir ${nss}			\
       rpm-sign --key "%{-n*}" --rsasign ${sattrs}			\
 -- 
 1.8.3.1
--- a/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
+++ b/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
@ -0,0 +1,30 @@
 From c7318444b811125f26828fd39e8a46de81cd5f86 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 7 Aug 2013 09:13:11 -0400
 Subject: [PATCH 7/8] Apparently if something goes wrong on the HSM, we wind up
 with 0-size.
 Handle zero-sized output by erroring in the rpm macro.  Eventually we
 should make sure pesign is throwing an error there too.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 84e87a3..6b22826 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -47,5 +47,8 @@
     elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then				\
       touch %{-e*}							\
     fi									\
 +  fi									\
 +  if [ ! -s %{-o} ]; then						\
 +    exit 1								\
   fi ;
 -- 
 1.8.3.1
--- a/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
+++ b/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
@ -0,0 +1,26 @@
 From 5b8950a8cddad1076fb631c4ef6999bfb4f977f8 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 7 Aug 2013 09:37:33 -0400
 Subject: [PATCH 8/8] Use --force when we've got a sattrs blob from mktemp()
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 6b22826..a0339fe 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -28,7 +28,7 @@
       certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
       certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
       sattrs=$(mktemp -p $PWD --suffix=.der)				\
 -      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss}			\
 +      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force		\
       rpm-sign --key "%{-n*}" --rsasign ${sattrs}			\
       %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
                  --certdir ${nss} -c signer %{-o}			\
 -- 
 1.8.3.1
--- a/pesign.spec
+++ b/pesign.spec
@ -1,7 +1,7 @@
 Summary: Signing utility for UEFI binaries
 Name: pesign
 Version: 0.106
-Release: 2%{?dist}
+Release: 4%{?dist}
 Group: Development/System
 License: GPLv2
 URL: https://github.com/vathpela/pesign
@ -12,13 +12,24 @@ BuildRequires: nss-devel >= 3.13.6-1
 Requires: nspr nss nss-util popt rpm coolkey opensc
 Requires(pre): shadow-utils
 ExclusiveArch: i686 x86_64 ia64
 %if 0%{?rhel} >= 7
 BuildRequires: rh-signing-tools >= 1.20-2
 %endif
 # there is no tarball at github, of course.  To get this version do:
 # git clone https://github.com/vathpela/pesign.git
 # git checkout %%{version}
 Source0: pesign-%{version}.tar.bz2
 Source1: rh-test-certs.tar.bz2
-Patch0: 0001-Apparently-we-want-documentation-in-a-non-versioned-.patch
+Patch0001: 0001-Make-the-RHEL-pesign-macro-a-little-better.patch
 Patch0002: 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
 Patch0003: 0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
 Patch0004: 0004-Include-the-issuer-s-certificate-only-when-available.patch
 Patch0005: 0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
 Patch0006: 0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
 Patch0007: 0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
 Patch0008: 0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
 Patch0009: 0009-Remove-errant-results-from-signing.patch
 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -97,6 +108,12 @@ exit 0
 %endif
 %changelog
 * Sat Aug 10 2013 Peter Jones <pjones@redhat.com> - 0.106-4
 - Remove errant result files and raise an error from %%pesign 
 * Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.106-3
 - Add code for signing in RHEL 7
 * Mon Aug 05 2013 Peter Jones <pjones@redhat.com> - 0.106-2
 - Fix for new %%doc rules.