From 8f36a7851d1f1311e8f94642fbb9b778034e5852 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Thu, 11 Jun 2020 12:03:24 +0200 Subject: [PATCH] Update to 113 release Resolves: rhbz#1708773 Signed-off-by: Javier Martinez Canillas --- ...e_integer-it-doesn-t-build-on-i686-a.patch | 72 --- ...fikeygen-Fix-the-build-with-nss-3.44.patch | 0 0002-Fix-command-line-parsing.patch | 73 --- ...02-pesigcheck-Fix-a-wrong-assignment.patch | 0 ...gcc-don-t-error-on-stuff-in-includes.patch | 26 -- 0004-Fix-certficate-argument-name.patch | 39 -- ...ion-of-ascii-armor-option-in-manpage.patch | 26 -- ...ke-ascii-work-since-we-documented-it.patch | 22 - ...ient-to-also-accept-token-cert-macro.patch | 32 -- ...fy-with-the-cert-as-an-object-signer.patch | 25 -- ...sigcheck-make-certfile-actually-work.patch | 47 -- ...-make-sure-err-is-always-initialized.patch | 27 -- ...make-pesign-h-tell-you-the-file-name.patch | 26 -- 0012-Add-coverity-build-scripts.patch | 104 ----- 0013-Document-implicit-fallthrough.patch | 25 -- ...cl-each-directory-of-our-key-storage.patch | 50 --- ..._MODULE_SIGNING_ONLY-and-fix-our-arr.patch | 59 --- 0016-efikeygen-add-modsign.patch | 197 -------- ...y-even-harder-to-pick-a-reasonable-v.patch | 121 ----- 0018-show-which-db-we-re-checking.patch | 137 ------ 0019-more-about-the-time.patch | 97 ---- 0020-try-to-say-why-something-fails.patch | 419 ------------------ ...ix-race-condition-in-SEC_GetPassword.patch | 34 -- ...eate-the-socket-directory-at-runtime.patch | 27 -- ...-Better-authorization-scripts.-Again.patch | 217 --------- ...also-try-to-give-better-errors-on-EP.patch | 95 ---- 0025-certdb-fix-PRTime-printfs-for-i686.patch | 31 -- ...-Clean-up-gcc-command-lines-a-little.patch | 41 -- ...sign-users-groups-static-in-the-repo.patch | 54 --- ...ent-signer-use-the-fedora-values-unl.patch | 43 -- ...gn-error-in-kojibuilder-if-we-don-t-.patch | 39 -- ...e-nss-database-everywhere-by-default.patch | 104 ----- pesign.spec | 50 +-- sources | 2 +- 34 files changed, 12 insertions(+), 2349 deletions(-) delete mode 100644 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch rename 0030-efikeygen-Fix-the-build-with-nss-3.44.patch => 0001-efikeygen-Fix-the-build-with-nss-3.44.patch (100%) delete mode 100644 0002-Fix-command-line-parsing.patch rename 0031-pesigcheck-Fix-a-wrong-assignment.patch => 0002-pesigcheck-Fix-a-wrong-assignment.patch (100%) delete mode 100644 0003-gcc-don-t-error-on-stuff-in-includes.patch delete mode 100644 0004-Fix-certficate-argument-name.patch delete mode 100644 0005-Fix-description-of-ascii-armor-option-in-manpage.patch delete mode 100644 0006-Make-ascii-work-since-we-documented-it.patch delete mode 100644 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch delete mode 100644 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch delete mode 100644 0009-pesigcheck-make-certfile-actually-work.patch delete mode 100644 0010-signerInfos-make-sure-err-is-always-initialized.patch delete mode 100644 0011-pesign-make-pesign-h-tell-you-the-file-name.patch delete mode 100644 0012-Add-coverity-build-scripts.patch delete mode 100644 0013-Document-implicit-fallthrough.patch delete mode 100644 0014-Actually-setfacl-each-directory-of-our-key-storage.patch delete mode 100644 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch delete mode 100644 0016-efikeygen-add-modsign.patch delete mode 100644 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch delete mode 100644 0018-show-which-db-we-re-checking.patch delete mode 100644 0019-more-about-the-time.patch delete mode 100644 0020-try-to-say-why-something-fails.patch delete mode 100644 0021-Fix-race-condition-in-SEC_GetPassword.patch delete mode 100644 0022-sysvinit-Create-the-socket-directory-at-runtime.patch delete mode 100644 0023-Better-authorization-scripts.-Again.patch delete mode 100644 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch delete mode 100644 0025-certdb-fix-PRTime-printfs-for-i686.patch delete mode 100644 0026-Clean-up-gcc-command-lines-a-little.patch delete mode 100644 0027-Make-pesign-users-groups-static-in-the-repo.patch delete mode 100644 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch delete mode 100644 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch delete mode 100644 0032-Use-sql-type-nss-database-everywhere-by-default.patch diff --git a/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch b/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch deleted file mode 100644 index 0c82dcf..0000000 --- a/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 21 Apr 2016 10:47:34 -0400 -Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686 - and it's unused. - -Signed-off-by: Peter Jones ---- - src/cms_common.c | 34 ---------------------------------- - src/cms_common.h | 1 - - 2 files changed, 35 deletions(-) - -diff --git a/src/cms_common.c b/src/cms_common.c -index b19bc62..6a4e6a7 100644 ---- a/src/cms_common.c -+++ b/src/cms_common.c -@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str) - return 0; - } - --static SEC_ASN1Template IntegerTemplate[] = { -- {.kind = SEC_ASN1_INTEGER, -- .offset = 0, -- .sub = NULL, -- .size = sizeof(long), -- }, -- { 0 }, --}; -- --int --generate_integer(cms_context *cms, SECItem *der, unsigned long integer) --{ -- void *ret; -- -- uint32_t u32; -- -- SECItem input = { -- .data = (void *)&integer, -- .len = sizeof(integer), -- .type = siUnsignedInteger, -- }; -- -- if (integer < 0x100000000) { -- u32 = integer & 0xffffffffUL; -- input.data = (void *)&u32; -- input.len = sizeof(u32); -- } -- -- ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate); -- if (ret == NULL) -- cmsreterr(-1, cms, "could not encode data"); -- return 0; --} -- - int - generate_time(cms_context *cms, SECItem *encoded, time_t when) - { -diff --git a/src/cms_common.h b/src/cms_common.h -index 7d77faf..c7d7268 100644 ---- a/src/cms_common.h -+++ b/src/cms_common.h -@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded, - SECOidTag tag); - extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded); - extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when); --extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer); - extern int generate_string(cms_context *cms, SECItem *der, char *str); - extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items); - extern int wrap_in_seq(cms_context *cms, SECItem *der, --- -2.13.4 - diff --git a/0030-efikeygen-Fix-the-build-with-nss-3.44.patch b/0001-efikeygen-Fix-the-build-with-nss-3.44.patch similarity index 100% rename from 0030-efikeygen-Fix-the-build-with-nss-3.44.patch rename to 0001-efikeygen-Fix-the-build-with-nss-3.44.patch diff --git a/0002-Fix-command-line-parsing.patch b/0002-Fix-command-line-parsing.patch deleted file mode 100644 index 9c03eeb..0000000 --- a/0002-Fix-command-line-parsing.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001 -From: Julien Cristau -Date: Thu, 9 Jun 2016 14:30:37 +0200 -Subject: [PATCH 02/29] Fix command line parsing - -The gettext translation domain should be passed as .arg, not .descrip, -otherwise popt won't process any of the command line options (it stops -looping over the struct poptOption array when an entry has unset -longName, shortName and arg). - -Signed-off-by: Julien Cristau ---- - src/client.c | 2 +- - src/efikeygen.c | 2 +- - src/efisiglist.c | 2 +- - src/pesigcheck.c | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/client.c b/src/client.c -index 028419f..575c873 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -555,7 +555,7 @@ main(int argc, char *argv[]) - - struct poptOption options[] = { - {.argInfo = POPT_ARG_INTL_DOMAIN, -- .descrip = "pesign" }, -+ .arg = "pesign" }, - {.longName = "token", - .shortName = 't', - .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT, -diff --git a/src/efikeygen.c b/src/efikeygen.c -index 6278849..8a515a5 100644 ---- a/src/efikeygen.c -+++ b/src/efikeygen.c -@@ -486,7 +486,7 @@ int main(int argc, char *argv[]) - poptContext optCon; - struct poptOption options[] = { - {.argInfo = POPT_ARG_INTL_DOMAIN, -- .descrip = "pesign" }, -+ .arg = "pesign" }, - /* global nss-ish things */ - {.longName = "dbdir", - .shortName = 'd', -diff --git a/src/efisiglist.c b/src/efisiglist.c -index cd3f1ae..40d6a93 100644 ---- a/src/efisiglist.c -+++ b/src/efisiglist.c -@@ -126,7 +126,7 @@ main(int argc, char *argv[]) - - struct poptOption options[] = { - {.argInfo = POPT_ARG_INTL_DOMAIN, -- .descrip = "pesign" }, -+ .arg = "pesign" }, - {.longName = "infile", - .shortName = 'i', - .argInfo = POPT_ARG_STRING, -diff --git a/src/pesigcheck.c b/src/pesigcheck.c -index 1328fe9..0d49c1a 100644 ---- a/src/pesigcheck.c -+++ b/src/pesigcheck.c -@@ -214,7 +214,7 @@ main(int argc, char *argv[]) - poptContext optCon; - struct poptOption options[] = { - {.argInfo = POPT_ARG_INTL_DOMAIN, -- .descrip = "pesign" }, -+ .arg = "pesign" }, - {.longName = "dbfile", - .shortName = 'D', - .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST, --- -2.13.4 - diff --git a/0031-pesigcheck-Fix-a-wrong-assignment.patch b/0002-pesigcheck-Fix-a-wrong-assignment.patch similarity index 100% rename from 0031-pesigcheck-Fix-a-wrong-assignment.patch rename to 0002-pesigcheck-Fix-a-wrong-assignment.patch diff --git a/0003-gcc-don-t-error-on-stuff-in-includes.patch b/0003-gcc-don-t-error-on-stuff-in-includes.patch deleted file mode 100644 index cf4e61d..0000000 --- a/0003-gcc-don-t-error-on-stuff-in-includes.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 10 Aug 2016 17:12:39 -0400 -Subject: [PATCH 03/29] gcc: don't error on stuff in includes. - -Signed-off-by: Peter Jones ---- - Make.defaults | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Make.defaults b/Make.defaults -index c97b452..3511080 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config - CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC)) - CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD)) - CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \ -- -Wall -Werror -Wextra -+ -Wall -Werror -Wextra -Wno-error=cpp - AS := $(CROSS_COMPILE)as - AR := $(CROSS_COMPILE)gcc-ar - RANLIB := $(CROSS_COMPILE)gcc-ranlib --- -2.13.4 - diff --git a/0004-Fix-certficate-argument-name.patch b/0004-Fix-certficate-argument-name.patch deleted file mode 100644 index 08509ff..0000000 --- a/0004-Fix-certficate-argument-name.patch +++ /dev/null @@ -1,39 +0,0 @@ -From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 18 Apr 2017 19:00:34 -0400 -Subject: [PATCH 04/29] Fix "certficate" argument name. - -This fixes our typoed argument name by making the incorrectly spelled -version be a popt alias, and fixing the real implementation to be -spelled right in pesign.c . - -Signed-off-by: Peter Jones ---- - src/pesign.c | 2 +- - src/pesign.popt | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/pesign.c b/src/pesign.c -index af374b6..279a17a 100644 ---- a/src/pesign.c -+++ b/src/pesign.c -@@ -438,7 +438,7 @@ main(int argc, char *argv[]) - .arg = &ctxp->outfile, - .descrip = "specify output file", - .argDescrip = "" }, -- {.longName = "certficate", -+ {.longName = "certificate", - .shortName = 'c', - .argInfo = POPT_ARG_STRING, - .arg = &certname, -diff --git a/src/pesign.popt b/src/pesign.popt -index 7b3385d..5a97748 100644 ---- a/src/pesign.popt -+++ b/src/pesign.popt -@@ -1,2 +1,3 @@ - pesign alias --cert --certificate -+pesign alias --certficate --certificate - pesign alias --daemon --daemonize --- -2.13.4 - diff --git a/0005-Fix-description-of-ascii-armor-option-in-manpage.patch b/0005-Fix-description-of-ascii-armor-option-in-manpage.patch deleted file mode 100644 index 6a5b02d..0000000 --- a/0005-Fix-description-of-ascii-armor-option-in-manpage.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001 -From: Julien Cristau -Date: Mon, 27 Jun 2016 15:38:38 +0200 -Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage - -The --ascii option does not exist. ---- - src/pesign.1 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pesign.1 b/src/pesign.1 -index 47d1aec..29ae060 100644 ---- a/src/pesign.1 -+++ b/src/pesign.1 -@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR - Export the certificate specified by \-\-certificate to \fIoutcert\fR - - .TP --\fB-\-ascii\fR -+\fB-\-ascii\-armor\fR - Use ascii armoring on exported certificates. - - .TP --- -2.13.4 - diff --git a/0006-Make-ascii-work-since-we-documented-it.patch b/0006-Make-ascii-work-since-we-documented-it.patch deleted file mode 100644 index d0165f9..0000000 --- a/0006-Make-ascii-work-since-we-documented-it.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 18 Apr 2017 19:05:40 -0400 -Subject: [PATCH 06/29] Make --ascii work, since we documented it. - -Signed-off-by: Peter Jones ---- - src/pesign.popt | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/pesign.popt b/src/pesign.popt -index 5a97748..5ae0c5c 100644 ---- a/src/pesign.popt -+++ b/src/pesign.popt -@@ -1,3 +1,4 @@ - pesign alias --cert --certificate - pesign alias --certficate --certificate - pesign alias --daemon --daemonize -+pesign alias --ascii --ascii-armor --- -2.13.4 - diff --git a/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch b/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch deleted file mode 100644 index faa78ec..0000000 --- a/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch +++ /dev/null @@ -1,32 +0,0 @@ -From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001 -From: Pat Riehecky -Date: Mon, 7 Nov 2016 11:37:08 -0600 -Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros - rather than use hard coded values - ---- - src/macros.pesign | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 18e5b5e..69280e9 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -41,11 +41,11 @@ - --certdir ${nss} -c signer %{-o} \ - rm -rf ${sattrs} ${sattrs}.sig ${nss} \ - elif [ -S /var/run/pesign/socket ]; then \ -- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\ -- -c "/CN=Fedora Secure Boot Signer" \\\ -+ %{_pesign_client} -t %{__pesign_token} \\\ -+ -c %{__pesign_cert} \\\ - %{-i} %{-o} %{-e} %{-s} %{-C} \ - else \ -- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ -+ %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\ - --certdir ${_pesign_nssdir} \\\ - %{-i} %{-o} %{-e} %{-s} %{-C} \ - fi \ --- -2.13.4 - diff --git a/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch b/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch deleted file mode 100644 index 2226498..0000000 --- a/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001 -From: David Michael -Date: Thu, 16 Feb 2017 15:08:30 -0800 -Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer - ---- - src/certdb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/certdb.c b/src/certdb.c -index 2a08042..b7c99bb 100644 ---- a/src/certdb.c -+++ b/src/certdb.c -@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, - } - /* Verify the signature */ - result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo, -- certUsageSSLServer, -+ certUsageObjectSigner, - digest, HASH_AlgSHA256, - PR_FALSE, atTime); - if (!result) { --- -2.13.4 - diff --git a/0009-pesigcheck-make-certfile-actually-work.patch b/0009-pesigcheck-make-certfile-actually-work.patch deleted file mode 100644 index 8b77417..0000000 --- a/0009-pesigcheck-make-certfile-actually-work.patch +++ /dev/null @@ -1,47 +0,0 @@ -From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 24 Apr 2017 15:18:10 -0400 -Subject: [PATCH 09/29] pesigcheck: make --certfile actually work - -Signed-off-by: Peter Jones ---- - src/pesigcheck.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/pesigcheck.c b/src/pesigcheck.c -index 0d49c1a..d7be542 100644 ---- a/src/pesigcheck.c -+++ b/src/pesigcheck.c -@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx) - cert_iter iter; - - generate_digest(ctx->cms_ctx, ctx->inpe, 1); -- -+ - if (check_db_hash(DBX, ctx) == FOUND) - return -1; - -@@ -225,6 +225,11 @@ main(int argc, char *argv[]) - .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST, - .arg = (void *)callback, - .descrip = (void *)ctxp }, -+ {.longName = "certfile", -+ .shortName = 'c', -+ .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST, -+ .arg = (void *)callback, -+ .descrip = (void *)ctxp }, - {.longName = "in", - .shortName = 'i', - .argInfo = POPT_ARG_STRING, -@@ -258,7 +263,7 @@ main(int argc, char *argv[]) - .shortName = 'c', - .argInfo = POPT_ARG_STRING, - .arg = &certfile, -- .descrip = "the certificate (in DER form) for verification ", -+ .descrip = "import certfile (in DER encoding) for allowed certificate", - .argDescrip = "" }, - POPT_AUTOALIAS - POPT_AUTOHELP --- -2.13.4 - diff --git a/0010-signerInfos-make-sure-err-is-always-initialized.patch b/0010-signerInfos-make-sure-err-is-always-initialized.patch deleted file mode 100644 index 08d1da7..0000000 --- a/0010-signerInfos-make-sure-err-is-always-initialized.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 25 Apr 2017 16:15:07 -0400 -Subject: [PATCH 10/29] signerInfos: make sure err is always initialized - -Signed-off-by: Peter Jones ---- - src/signed_data.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/signed_data.c b/src/signed_data.c -index 721db90..9e0af23 100644 ---- a/src/signed_data.c -+++ b/src/signed_data.c -@@ -132,7 +132,8 @@ int - generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type) - { - SpcSignerInfo **signerInfo_list; -- int err, rc; -+ int err = 0; -+ int rc; - - if (!signerInfo_list_p) - return -1; --- -2.13.4 - diff --git a/0011-pesign-make-pesign-h-tell-you-the-file-name.patch b/0011-pesign-make-pesign-h-tell-you-the-file-name.patch deleted file mode 100644 index 3e15617..0000000 --- a/0011-pesign-make-pesign-h-tell-you-the-file-name.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 25 Apr 2017 16:23:36 -0400 -Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name. - -Signed-off-by: Peter Jones ---- - src/pesign.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pesign.c b/src/pesign.c -index 279a17a..5879cfc 100644 ---- a/src/pesign.c -+++ b/src/pesign.c -@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx) - if (!ctx) - return; - -- printf("hash: "); -+ printf("%s ", pctx->infile); - int j = ctx->selected_digest; - for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++) - printf("%02x", --- -2.13.4 - diff --git a/0012-Add-coverity-build-scripts.patch b/0012-Add-coverity-build-scripts.patch deleted file mode 100644 index f3f0a89..0000000 --- a/0012-Add-coverity-build-scripts.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 10 May 2017 10:49:57 -0400 -Subject: [PATCH 12/29] Add coverity build scripts - -Signed-off-by: Peter Jones ---- - .gitignore | 1 + - Make.coverity | 37 +++++++++++++++++++++++++++++++++++++ - Make.defaults | 2 ++ - Make.rules | 4 ++++ - Makefile | 1 + - 5 files changed, 45 insertions(+) - create mode 100644 Make.coverity - -diff --git a/.gitignore b/.gitignore -index 1635ba2..847e172 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -12,3 +12,4 @@ - *.tar.* - *.rpm - core.* -+cov-int -diff --git a/Make.coverity b/Make.coverity -new file mode 100644 -index 0000000..b80b091 ---- /dev/null -+++ b/Make.coverity -@@ -0,0 +1,37 @@ -+include $(TOPDIR)/Make.version -+include $(TOPDIR)/Make.rules -+include $(TOPDIR)/Make.defaults -+ -+COV_EMAIL=$(call get-config,coverity.email) -+COV_TOKEN=$(call get-config,coverity.token) -+COV_URL=$(call get-config,coverity.url) -+COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2 -+ -+cov-int : clean -+ cov-build --dir cov-int make all -+ -+cov-clean : -+ @rm -vf $(NAME)-coverity-*.tar.* -+ @if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi -+ -+cov-file : | $(COV_FILE) -+ -+$(COV_FILE) : cov-int -+ tar caf $@ cov-int -+ -+cov-upload : -+ @if [[ -n "$(COV_URL)" ]] && \ -+ [[ -n "$(COV_TOKEN)" ]] && \ -+ [[ -n "$(COV_EMAIL)" ]] ; \ -+ then \ -+ echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \ -+ curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \ -+ else \ -+ echo Coverity output is in $(COV_FILE) ; \ -+ fi -+ -+coverity : cov-file cov-upload -+ -+clean : | cov-clean -+ -+.PHONY : coverity cov-upload cov-clean cov-file -diff --git a/Make.defaults b/Make.defaults -index 3511080..39b78f0 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -1,3 +1,5 @@ -+NAME = pesign -+COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master) - prefix ?= /usr/ - prefix := $(abspath $(prefix))/ - libdir ?= $(prefix)lib64/ -diff --git a/Make.rules b/Make.rules -index af5ecfe..5e3c83d 100644 ---- a/Make.rules -+++ b/Make.rules -@@ -79,3 +79,7 @@ endef - - $(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% : - $(MAKE) -C $(TOPDIR)/libdpe $(notdir $@) -+ -+define get-config = -+$(shell git config --local --get "$(NAME).$(1)") -+endef -diff --git a/Makefile b/Makefile -index db8eb7e..ca1a359 100644 ---- a/Makefile -+++ b/Makefile -@@ -4,6 +4,7 @@ TOPDIR = $(realpath .) - include $(TOPDIR)/Make.version - include $(TOPDIR)/Make.rules - include $(TOPDIR)/Make.defaults -+include $(TOPDIR)/Make.coverity - - SUBDIRS := include libdpe src - --- -2.13.4 - diff --git a/0013-Document-implicit-fallthrough.patch b/0013-Document-implicit-fallthrough.patch deleted file mode 100644 index 3731a3f..0000000 --- a/0013-Document-implicit-fallthrough.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Sat, 8 Jul 2017 16:31:18 -0400 -Subject: [PATCH 13/29] Document implicit fallthrough. - -Signed-off-by: Peter Jones ---- - src/authvar.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/authvar.c b/src/authvar.c -index ad659ca..03e0c47 100644 ---- a/src/authvar.c -+++ b/src/authvar.c -@@ -511,6 +511,7 @@ main(int argc, char *argv[]) - case IMPORT|SET: - case IMPORT|SIGN|SET: - fprintf(stderr, "authvar: not implemented\n"); -+ /* fallthrough. */ - case IMPORT|SIGN|EXPORT: - default: - fprintf(stderr, "authvar: invalid flags: "); --- -2.13.4 - diff --git a/0014-Actually-setfacl-each-directory-of-our-key-storage.patch b/0014-Actually-setfacl-each-directory-of-our-key-storage.patch deleted file mode 100644 index 4b62cb3..0000000 --- a/0014-Actually-setfacl-each-directory-of-our-key-storage.patch +++ /dev/null @@ -1,50 +0,0 @@ -From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 16 May 2016 15:25:53 -0400 -Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage. - -Signed-off-by: Peter Jones ---- - src/pesign-authorize-groups | 6 +++--- - src/pesign-authorize-users | 6 +++--- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups -index a4f895e..cf51fb6 100644 ---- a/src/pesign-authorize-groups -+++ b/src/pesign-authorize-groups -@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then - setfacl -m g:${group}:rw /var/run/pesign/socket - fi - fi -- for x in /etc/pki/pesign* ; do -+ for x in /etc/pki/pesign*/ ; do - if [ -d ${x} ]; then -- setfacl -m g:${group}:rx /etc/pki/pesign -- for y in ${x}/{cert8,key3,secmod}.db ; do -+ setfacl -m g:${group}:rx ${x} -+ for y in ${x}{cert8,key3,secmod}.db ; do - setfacl -m g:${group}:rw ${y} - done - fi -diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users -index 8b9a885..940138e 100644 ---- a/src/pesign-authorize-users -+++ b/src/pesign-authorize-users -@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then - setfacl -m g:${username}:rw /var/run/pesign/socket - fi - fi -- for x in /etc/pki/pesign* ; do -+ for x in /etc/pki/pesign*/ ; do - if [ -d ${x} ]; then -- setfacl -m g:${username}:rx /etc/pki/pesign -- for y in ${x}/{cert8,key3,secmod}.db ; do -+ setfacl -m g:${username}:rx ${x} -+ for y in ${x}{cert8,key3,secmod}.db ; do - setfacl -m g:${username}:rw ${y} - done - fi --- -2.13.4 - diff --git a/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch b/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch deleted file mode 100644 index d5428b5..0000000 --- a/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch +++ /dev/null @@ -1,59 +0,0 @@ -From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 22 Aug 2016 13:31:38 -0400 -Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array - indices. - -That was all kinds of wrong. - -Signed-off-by: Peter Jones ---- - src/oid.c | 10 +++++++--- - src/oid.h | 1 + - 2 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/oid.c b/src/oid.c -index 9d8154f..7037e1e 100644 ---- a/src/oid.c -+++ b/src/oid.c -@@ -33,6 +33,7 @@ static uint8_t oiddata[] = { - 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f, - 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15, - 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, -+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02, - }; - - #define OID(num, desc_s, oidtype, length, value) \ -@@ -53,11 +54,14 @@ static struct { - OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10, - &oiddata[10]), - OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10, -- &oiddata[30]), -+ &oiddata[20]), - OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID, -- 10, &oiddata[40]), -+ 10, &oiddata[30]), - OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version", -- siAsciiString, 9, &oiddata[50]), -+ siAsciiString, 9, &oiddata[40]), -+ OID(SHIM_EKU_MODULE_SIGNING_ONLY, -+ "Certificate is used for kernel modules only", siDEROID, 10, -+ &oiddata[49]), - { .oid = END_OID_LIST } - }; - -diff --git a/src/oid.h b/src/oid.h -index 599f49d..0e00781 100644 ---- a/src/oid.h -+++ b/src/oid.h -@@ -25,6 +25,7 @@ typedef enum { - SPC_PE_IMAGE_DATA_OBJID, /* 1.3.6.1.4.1.311.2.1.15 */ - SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, /* 1.3.6.1.4.1.311.2.1.21 */ - szOID_CERTSRV_CA_VERSION, /* 1.3.6.1.4.1.311.21.1 */ -+ SHIM_EKU_MODULE_SIGNING_ONLY, /* 1.3.6.1.4.1.2312.16.1.2 */ - END_OID_LIST - } ms_oid_t; - --- -2.13.4 - diff --git a/0016-efikeygen-add-modsign.patch b/0016-efikeygen-add-modsign.patch deleted file mode 100644 index 8324334..0000000 --- a/0016-efikeygen-add-modsign.patch +++ /dev/null @@ -1,197 +0,0 @@ -From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 22 Aug 2016 13:43:56 -0400 -Subject: [PATCH 16/29] efikeygen: add --modsign - ---- - src/cms_common.c | 29 ++++++++++++++++++++++++++++ - src/cms_common.h | 1 + - src/efikeygen.c | 59 ++++++++++++++++++++++++++++++++++++++++++++------------ - 3 files changed, 77 insertions(+), 12 deletions(-) - -diff --git a/src/cms_common.c b/src/cms_common.c -index 6a4e6a7..2df2cfe 100644 ---- a/src/cms_common.c -+++ b/src/cms_common.c -@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded, - return 0; - } - -+static SEC_ASN1Template EKUOidSequence[] = { -+ { -+ .kind = SEC_ASN1_OBJECT_ID, -+ .offset = 0, -+ .sub = &SEC_AnyTemplate, -+ .size = sizeof (SECItem), -+ }, -+ { 0 } -+}; -+ -+int -+make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag) -+{ -+ void *rv; -+ SECOidData *oid_data; -+ -+ oid_data = SECOID_FindOIDByTag(oid_tag); -+ if (!oid_data) -+ cmsreterr(-1, cms, "could not encode eku oid data"); -+ -+ rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid, -+ EKUOidSequence); -+ if (rv == NULL) -+ cmsreterr(-1, cms, "could not encode eku oid data"); -+ -+ encoded->type = siBuffer; -+ return 0; -+} -+ - int - generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original) - { -diff --git a/src/cms_common.h b/src/cms_common.h -index c7d7268..7a31273 100644 ---- a/src/cms_common.h -+++ b/src/cms_common.h -@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der, - SECItem *items, int num_items); - extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded, - SECItem *original); -+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag); - extern int generate_validity(cms_context *cms, SECItem *der, time_t start, - time_t end); - extern int generate_common_name(cms_context *cms, SECItem *der, char *cn); -diff --git a/src/efikeygen.c b/src/efikeygen.c -index 8a515a5..9390578 100644 ---- a/src/efikeygen.c -+++ b/src/efikeygen.c -@@ -49,6 +49,7 @@ - #include - - #include "cms_common.h" -+#include "oid.h" - #include "util.h" - - typedef struct { -@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle) - } - - static int --add_extended_key_usage(cms_context *cms, void *extHandle) -+add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle) - { -- SECItem value = { -- .data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01" -- "\x05\x05\x07\x03\x03", -- .len = 12, -- .type = siBuffer -- }; -+ SECItem values[2]; -+ SECItem wrapped = { 0 }; -+ SECStatus status; -+ SECOidTag tag; -+ int rc; -+ -+ if (modsign_only < 1 || modsign_only > 2) -+ cmsreterr(-1, cms, "could not encode extended key usage"); - -+ rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN); -+ if (rc < 0) -+ cmsreterr(-1, cms, "could not encode extended key usage"); -+ -+ tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY); -+ printf("tag: %d\n", tag); -+ rc = make_eku_oid(cms, &values[1], tag); -+ if (rc < 0) -+ cmsreterr(-1, cms, "could not encode extended key usage"); -+ -+ rc = wrap_in_seq(cms, &wrapped, values, modsign_only); -+ if (rc < 0) -+ cmsreterr(-1, cms, "could not encode extended key usage"); - -- SECStatus status; - - status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, -- &value, PR_FALSE, PR_TRUE); -+ &wrapped, PR_FALSE, PR_TRUE); - if (status != SECSuccess) - cmsreterr(-1, cms, "could not encode extended key usage"); - -@@ -294,7 +309,7 @@ static int - add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq, - int is_ca, int is_self_signed, SECKEYPublicKey *pubkey, - SECKEYPublicKey *spubkey, -- char *url) -+ char *url, int modsign_only) - { - void *mark = PORT_ArenaMark(cms->arena); - -@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq, - if (rc < 0) - cmsreterr(-1, cms, "could not generate certificate extensions"); - -- rc = add_extended_key_usage(cms, extHandle); -+ rc = add_extended_key_usage(cms, modsign_only, extHandle); - if (rc < 0) - cmsreterr(-1, cms, "could not generate certificate extensions"); - -@@ -469,6 +484,7 @@ int main(int argc, char *argv[]) - { - int is_ca = 0; - int is_self_signed = -1; -+ int modsign_only = 0; - char *tokenname = "NSS Certificate DB"; - char *signer = NULL; - char *nickname = NULL; -@@ -522,6 +538,18 @@ int main(int argc, char *argv[]) - .descrip = "Generate a self-signed certificate" }, - - /* stuff about the generated key */ -+ {.longName = "kernel", -+ .shortName = 'k', -+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR, -+ .arg = &modsign_only, -+ .val = 1, -+ .descrip = "Generate a kernel-signing certificate" }, -+ {.longName = "module", -+ .shortName = 'm', -+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR, -+ .arg = &modsign_only, -+ .val = 2, -+ .descrip = "Generate a module-signing certificate" }, - {.longName = "nickname", - .shortName = 'n', - .argInfo = POPT_ARG_STRING, -@@ -628,6 +656,9 @@ int main(int argc, char *argv[]) - liberr(1, "could not allocate cms context"); - } - -+ if (modsign_only < 1 || modsign_only > 2) -+ errx(1, "either --kernel or --module must be used"); -+ - SECStatus status = NSS_InitReadWrite(dbdir); - if (status != SECSuccess) - nsserr(1, "could not initialize NSS"); -@@ -639,6 +670,10 @@ int main(int argc, char *argv[]) - SECKEYPublicKey *pubkey = NULL; - SECKEYPrivateKey *privkey = NULL; - -+ status = register_oids(cms); -+ if (status != SECSuccess) -+ nsserr(1, "Could not register OIDs"); -+ - PK11SlotInfo *slot = NULL; - if (pubfile) { - rc = get_pubkey_from_file(pubfile, &pubkey); -@@ -713,7 +748,7 @@ int main(int argc, char *argv[]) - crq = CERT_CreateCertificateRequest(name, spki, &attributes); - - rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey, -- spubkey, url); -+ spubkey, url, modsign_only); - if (rc < 0) - exit(1); - --- -2.13.4 - diff --git a/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch b/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch deleted file mode 100644 index acebc3a..0000000 --- a/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 25 Apr 2017 16:25:02 -0400 -Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable - validation time. - -Signed-off-by: Peter Jones ---- - src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 66 insertions(+), 9 deletions(-) - -diff --git a/src/certdb.c b/src/certdb.c -index b7c99bb..1a4baf1 100644 ---- a/src/certdb.c -+++ b/src/certdb.c -@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx) - return check_db(which, ctx, check_hash, NULL, 0); - } - --static PRTime --determine_reasonable_time(CERTCertificate *cert) -+static void -+find_cert_times(SEC_PKCS7ContentInfo *cinfo, -+ PRTime *notBefore, PRTime *notAfter) - { -- PRTime notBefore, notAfter; -- CERT_GetCertTimes(cert, ¬Before, ¬After); -- return notBefore; -+ CERTCertDBHandle *defaultdb, *certdb; -+ SEC_PKCS7SignedData *sdp; -+ CERTCertificate **certs = NULL; -+ SECItem **rawcerts; -+ int i, certcount; -+ SECStatus rv; -+ -+ if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) { -+err: -+ *notBefore = 0; -+ *notAfter = 0x7fffffffffffffff; -+ return; -+ } -+ -+ sdp = cinfo->content.signedData; -+ rawcerts = sdp->rawCerts; -+ -+ defaultdb = CERT_GetDefaultCertDB(); -+ -+ certdb = defaultdb; -+ if (certdb == NULL) -+ goto err; -+ -+ certcount = 0; -+ if (rawcerts != NULL) { -+ for (; rawcerts[certcount] != NULL; certcount++) -+ ; -+ } -+ rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount, -+ rawcerts, &certs, PR_FALSE, PR_FALSE, NULL); -+ if (rv != SECSuccess) -+ goto err; -+ -+ for (i = 0; i < certcount; i++) { -+ PRTime nb = 0, na = 0x7fffffffffff; -+ CERT_GetCertTimes(certs[i], &nb, &na); -+ if (*notBefore < nb) -+ *notBefore = nb; -+ if (*notAfter > na) -+ *notAfter = na; -+ } -+ -+ CERT_DestroyCertArray(certs, certcount); - } - - static db_status -@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, - PRBool result; - SECStatus rv; - db_status status = NOT_FOUND; -+ PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff; -+ PRTime notBefore = 0, notAfter = 0x7fffffffffffffff; - - efi_guid_t efi_x509 = efi_guid_x509_cert; - -@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, - } - cert->timeOK = PR_TRUE; - -+ find_cert_times(cinfo, ¬Before, ¬After); -+ if (earlyNow < notBefore) -+ earlyNow = notBefore; -+ if (lateNow > notAfter) -+ lateNow = notAfter; -+ - SECItem *eTime; - PRTime atTime; - // atTime = determine_reasonable_time(cert); - eTime = SEC_PKCS7GetSigningTime(cinfo); - if (eTime != NULL) { -- if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess) -- atTime = determine_reasonable_time(cert); -- } else { -- atTime = determine_reasonable_time(cert); -+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) { -+ if (earlyNow < atTime) -+ earlyNow = atTime; -+ if (lateNow > atTime) -+ lateNow = atTime; -+ } - } -+ -+ if (lateNow < earlyNow) -+ printf("Impossible time constraints: %ld <= %ld\n", -+ earlyNow / 1000000, lateNow / 1000000); -+ atTime = earlyNow / 2 + lateNow / 2; -+ - /* Verify the signature */ - result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo, - certUsageObjectSigner, --- -2.13.4 - diff --git a/0018-show-which-db-we-re-checking.patch b/0018-show-which-db-we-re-checking.patch deleted file mode 100644 index 2b92f83..0000000 --- a/0018-show-which-db-we-re-checking.patch +++ /dev/null @@ -1,137 +0,0 @@ -From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 25 Apr 2017 16:58:50 -0400 -Subject: [PATCH 18/29] show which db we're checking - ---- - src/certdb.c | 35 ++++++++++++++++++++++++++++++++++- - src/pesigcheck_context.c | 2 ++ - src/pesigcheck_context.h | 1 + - 3 files changed, 37 insertions(+), 1 deletion(-) - -diff --git a/src/certdb.c b/src/certdb.c -index 1a4baf1..673e074 100644 ---- a/src/certdb.c -+++ b/src/certdb.c -@@ -18,6 +18,7 @@ - */ - - #include -+#include - #include - #include - #include -@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile, - return -1; - - db->type = type; -- - db->fd = open(dbfile, O_RDONLY); - if (db->fd < 0) { - save_errno(free(db)); - return -1; - } - -+ char *path = strdup(dbfile); -+ if (!path) { -+ save_errno(close(db->fd); -+ free(db)); -+ return -1; -+ } -+ -+ db->path = basename(path); -+ db->path = strdup(db->path); -+ free(path); -+ if (!db->path) { -+ save_errno(close(db->fd); -+ free(db)); -+ return -1; -+ } -+ - struct stat sb; - int rc = fstat(db->fd, &sb); - if (rc < 0) { - save_errno(close(db->fd); -+ free(db->path); - free(db)); - return -1; - } -@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile, - rc = read_file(db->fd, (char **)&db->map, &sz); - if (rc < 0) { - save_errno(close(db->fd); -+ free(db->path); - free(db)); - return -1; - } -@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename) - #define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f" - #define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23" - #define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f" -+#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23" - - void - init_cert_db(pesigcheck_context *ctx, int use_system_dbs) -@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs) - "database \"%s\": %m\n", DBX_PATH); - exit(1); - } -+ -+ rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR); -+ if (rc < 0 && errno != ENOENT) { -+ fprintf(stderr, "pesigcheck: Could not add key database " -+ "\"%s\": %m\n", MOKX_PATH); -+ exit(1); -+ } -+ -+ if (ctx->dbx == NULL) { -+ fprintf(stderr, "pesigcheck: warning: " -+ "No key recovation database available\n"); -+ } - } - - typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig, -@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check, - sig.type = siBuffer; - - while (dbl) { -+ printf("Searching %s %s\n", which == DB ? "db" : "dbx", -+ dbl->path); - EFI_SIGNATURE_LIST *certlist; - EFI_SIGNATURE_DATA *cert; - size_t dbsize = dbl->datalen; -diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c -index b934cbe..5a355b1 100644 ---- a/src/pesigcheck_context.c -+++ b/src/pesigcheck_context.c -@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx) - munmap(db->map, db->size); - close(db->fd); - ctx->db = db->next; -+ free(db->path); - free(db); - } - while (ctx->dbx) { -@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx) - if (db->type == DB_CERT) - free(db->data); - munmap(db->map, db->size); -+ free(db->path); - close(db->fd); - ctx->dbx = db->next; - free(db); -diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h -index 1b916e3..7b5cc89 100644 ---- a/src/pesigcheck_context.h -+++ b/src/pesigcheck_context.h -@@ -34,6 +34,7 @@ typedef enum { - - struct dblist { - db_f_type type; -+ char *path; - int fd; - struct dblist *next; - size_t size; --- -2.13.4 - diff --git a/0019-more-about-the-time.patch b/0019-more-about-the-time.patch deleted file mode 100644 index 2570bf8..0000000 --- a/0019-more-about-the-time.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 25 Apr 2017 17:00:46 -0400 -Subject: [PATCH 19/29] more about the time - ---- - src/certdb.c | 59 +++++++++++++++++++++++++++++++++-------------------------- - 1 file changed, 33 insertions(+), 26 deletions(-) - -diff --git a/src/certdb.c b/src/certdb.c -index 673e074..1078a8a 100644 ---- a/src/certdb.c -+++ b/src/certdb.c -@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, - PRBool result; - SECStatus rv; - db_status status = NOT_FOUND; -+ PRTime atTime = PR_Now(); -+ SECItem *eTime; - PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff; -- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff; -+ PRTime notBefore, notAfter; - - efi_guid_t efi_x509 = efi_guid_x509_cert; - -@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, - if (!cinfo) - goto out; - -+ notBefore = earlyNow; -+ notAfter = lateNow; -+ find_cert_times(cinfo, ¬Before, ¬After); -+ if (earlyNow < notBefore) -+ earlyNow = notBefore; -+ if (lateNow > notAfter) -+ lateNow = notAfter; -+ -+ // atTime = determine_reasonable_time(cert); -+ eTime = SEC_PKCS7GetSigningTime(cinfo); -+ if (eTime != NULL) { -+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) { -+ if (earlyNow < atTime) -+ earlyNow = atTime; -+ if (lateNow > atTime) -+ lateNow = atTime; -+ } -+ } -+ -+ if (lateNow < earlyNow) -+ printf("Signature has impossible time constraint: %ld <= %ld\n", -+ earlyNow / 1000000, lateNow / 1000000); -+ atTime = earlyNow / 2 + lateNow / 2; -+ -+ -+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL, -+ NULL, NULL); -+ if (!cinfo) -+ goto out; -+ - /* Generate the digest of contentInfo */ - /* XXX support only sha256 for now */ - digest = SECITEM_AllocItem(NULL, NULL, 32); -@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, - PORT_ErrorToString(PORT_GetError())); - goto out; - } -- cert->timeOK = PR_TRUE; -- -- find_cert_times(cinfo, ¬Before, ¬After); -- if (earlyNow < notBefore) -- earlyNow = notBefore; -- if (lateNow > notAfter) -- lateNow = notAfter; -- -- SECItem *eTime; -- PRTime atTime; -- // atTime = determine_reasonable_time(cert); -- eTime = SEC_PKCS7GetSigningTime(cinfo); -- if (eTime != NULL) { -- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) { -- if (earlyNow < atTime) -- earlyNow = atTime; -- if (lateNow > atTime) -- lateNow = atTime; -- } -- } -- -- if (lateNow < earlyNow) -- printf("Impossible time constraints: %ld <= %ld\n", -- earlyNow / 1000000, lateNow / 1000000); -- atTime = earlyNow / 2 + lateNow / 2; - - /* Verify the signature */ - result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo, --- -2.13.4 - diff --git a/0020-try-to-say-why-something-fails.patch b/0020-try-to-say-why-something-fails.patch deleted file mode 100644 index 96bdd60..0000000 --- a/0020-try-to-say-why-something-fails.patch +++ /dev/null @@ -1,419 +0,0 @@ -From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 25 Apr 2017 17:01:13 -0400 -Subject: [PATCH 20/29] try to say why something fails - -Signed-off-by: Peter Jones ---- - src/certdb.c | 15 ++- - src/certdb.h | 2 +- - src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++----- - src/pesigcheck_context.h | 1 + - 4 files changed, 233 insertions(+), 29 deletions(-) - -diff --git a/src/certdb.c b/src/certdb.c -index 1078a8a..fae80af 100644 ---- a/src/certdb.c -+++ b/src/certdb.c -@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig, - - static db_status - check_db(db_specifier which, pesigcheck_context *ctx, checkfn check, -- void *data, ssize_t datalen) -+ void *data, ssize_t datalen, SECItem *match) - { - SECItem pkcs7sig, sig; - dblist *dbl = which == DB ? ctx->db : ctx->dbx; -@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check, - found = check(ctx, &sig, - &certlist->SignatureType, - &pkcs7sig); -- if (found == FOUND) -+ if (found == FOUND) { -+ if (match) -+ memcpy(match, &sig, -+ sizeof(sig)); - return FOUND; -+ } - cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert + - certlist->SignatureSize); - } -@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, - db_status - check_db_hash(db_specifier which, pesigcheck_context *ctx) - { -- return check_db(which, ctx, check_hash, NULL, 0); -+ return check_db(which, ctx, check_hash, NULL, 0, NULL); - } - - static void -@@ -459,7 +463,8 @@ out: - } - - db_status --check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen) -+check_db_cert(db_specifier which, pesigcheck_context *ctx, -+ void *data, ssize_t datalen, SECItem *match) - { -- return check_db(which, ctx, check_cert, data, datalen); -+ return check_db(which, ctx, check_cert, data, datalen, match); - } -diff --git a/src/certdb.h b/src/certdb.h -index ccf3c87..8402299 100644 ---- a/src/certdb.h -+++ b/src/certdb.h -@@ -43,7 +43,7 @@ typedef struct { - - extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx); - extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx, -- void *data, ssize_t datalen); -+ void *data, ssize_t datalen, SECItem *match); - - extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs); - extern int add_cert_db(pesigcheck_context *ctx, const char *filename); -diff --git a/src/pesigcheck.c b/src/pesigcheck.c -index d7be542..c8e1086 100644 ---- a/src/pesigcheck.c -+++ b/src/pesigcheck.c -@@ -17,7 +17,9 @@ - * Author(s): Peter Jones - */ - -+#include - #include -+#include - #include - #include - #include -@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx) - } - - static int --cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen) -+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen, -+ SECItem *digest_out) - { - SECItem sig, *pe_digest, *content; - uint8_t *digest; -@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen) - pe_digest = ctx->cms_ctx->digests[0].pe_digest; - content = cinfo->content.signedData->contentInfo.content.data; - digest = content->data + content->len - pe_digest->len; -+ if (digest_out) { -+ digest_out->data = malloc(pe_digest->len); -+ digest_out->len = pe_digest->len; -+ digest_out->type = pe_digest->type; -+ memcpy(digest_out->data, digest, pe_digest->len); -+ } - if (memcmp(pe_digest->data, digest, pe_digest->len) != 0) - goto out; - -@@ -120,22 +129,149 @@ out: - return ret; - } - -+struct reason { -+ enum { -+ WHITELISTED = 0, -+ INVALID = 1, -+ BLACKLISTED = 2, -+ NO_WHITELIST = 3, -+ } reason; -+ enum { -+ NONE = 0, -+ DIGEST = 1, -+ SIGNATURE = 2, -+ } type; -+ union { -+ struct { -+ SECItem digest; -+ }; -+ struct { -+ SECItem sig; -+ SECItem db_cert; -+ }; -+ }; -+}; -+ -+static void -+print_digest(SECItem *digest) -+{ -+ char buf[digest->len * 2 + 2]; -+ -+ for (unsigned int i = 0; i < digest->len; i++) -+ snprintf(buf + i * 2, digest->len * 2, "%02x", -+ digest->data[i]); -+ buf[digest->len * 2] = '\0'; -+ printf("%s\n", buf); -+} -+ -+static void -+print_certificate(SECItem *cert) -+{ -+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__); -+ printf("cert: %p\n", cert); -+} -+ -+static void -+print_signatures(SECItem *database_cert, SECItem *signature) -+{ -+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__); -+ print_certificate(database_cert); -+ print_certificate(signature); -+} -+ -+static void -+print_reason(struct reason *reason) -+{ -+ switch (reason->reason) { -+ case WHITELISTED: -+ printf("Whitelist entry: "); -+ if (reason->type == DIGEST) -+ print_digest(&reason->digest); -+ else if (reason->type == SIGNATURE) -+ print_signatures(&reason->sig, &reason->db_cert); -+ else -+ errx(1, "Unknown data type %d\n", reason->type); -+ break; -+ case INVALID: -+ if (reason->type == DIGEST) { -+ printf("Invalid digest: "); -+ print_digest(&reason->digest); -+ } else if (reason->type == SIGNATURE) { -+ printf("Invalid signature: "); -+ print_signatures(&reason->sig, &reason->db_cert); -+ } else { -+ errx(1, "Unknown data type %d\n", reason->type); -+ } -+ break; -+ case BLACKLISTED: -+ if (reason->type == DIGEST) { -+ printf("Invalid digest: "); -+ print_digest(&reason->digest); -+ } else if (reason->type == SIGNATURE) { -+ printf("Invalid signature: "); -+ print_signatures(&reason->sig, &reason->db_cert); -+ } else { -+ errx(1, "Unknown data type %d\n", reason->type); -+ } -+ break; -+ case NO_WHITELIST: -+ if (reason->type == NONE) -+ printf("No matching whitelist entry.\n"); -+ else -+ errx(1, "Invalid data type %d\n", reason->type); -+ break; -+ default: -+ errx(1, "Unknown reason type %d\n", reason->reason); -+ break; -+ } -+} -+ -+static void -+get_digest(pesigcheck_context *ctx, SECItem *digest) -+{ -+ struct cms_context *cms = ctx->cms_ctx; -+ struct digest *cms_digest = &cms->digests[cms->selected_digest]; -+ -+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest)); -+} -+ - static int --check_signature(pesigcheck_context *ctx) -+check_signature(pesigcheck_context *ctx, int *nreasons, -+ struct reason **reasons) - { -- int has_valid_cert = 0; -- int has_invalid_cert = 0; -+ bool has_valid_cert = false; -+ bool is_invalid = false; -+ struct reason *reasonps = NULL, *reason; -+ int num_reasons = 16; -+ int nreason = 0; - int rc = 0; -+ int ret = -1; - - cert_iter iter; - -+ reasonps = calloc(sizeof(struct reason), 512); -+ if (!reasonps) -+ err(1, "check_signature"); -+ - generate_digest(ctx->cms_ctx, ctx->inpe, 1); - -- if (check_db_hash(DBX, ctx) == FOUND) -- return -1; -+ if (check_db_hash(DBX, ctx) == FOUND) { -+ reason = &reasonps[nreason]; -+ reason->reason = BLACKLISTED; -+ reason->type = DIGEST; -+ get_digest(ctx, &reason->digest); -+ reason += 1; -+ is_invalid = true; -+ } - -- if (check_db_hash(DB, ctx) == FOUND) -- has_valid_cert = 1; -+ if (check_db_hash(DB, ctx) == FOUND) { -+ reason = &reasonps[nreason]; -+ reason->reason = WHITELISTED; -+ reason->type = DIGEST; -+ get_digest(ctx, &reason->digest); -+ nreason += 1; -+ has_valid_cert = true; -+ } - - rc = cert_iter_init(&iter, ctx->inpe); - if (rc < 0) -@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx) - ssize_t datalen; - - while (1) { -+ /* -+ * Make sure we always have enough for this iteration of the -+ * loop, plus one "NO_WHITELIST" entry at the end. -+ */ -+ if (nreason >= num_reasons - 4) { -+ struct reason *new_reasons; -+ -+ num_reasons += 16; -+ -+ new_reasons = calloc(sizeof(struct reason), num_reasons); -+ if (!new_reasons) -+ err(1, "check_signature"); -+ reasonps = new_reasons; -+ } -+ - rc = next_cert(&iter, &data, &datalen); - if (rc <= 0) - break; - -- if (cert_matches_digest(ctx, data, datalen) < 0) { -- has_invalid_cert = 1; -- break; -+ reason = &reasonps[nreason]; -+ if (cert_matches_digest(ctx, data, datalen, -+ &reason->digest) < 0) { -+ reason->reason = INVALID; -+ reason->type = DIGEST; -+ nreason += 1; -+ is_invalid = true; - } - -- if (check_db_cert(DBX, ctx, data, datalen) == FOUND) { -- has_invalid_cert = 1; -- break; -+ reason = &reasonps[nreason]; -+ if (check_db_cert(DBX, ctx, data, datalen, -+ &reason->db_cert) == FOUND) { -+ reason->reason = INVALID; -+ reason->type = SIGNATURE; -+ reason->sig.data = data; -+ reason->sig.len = datalen; -+ reason->type = siBuffer; -+ nreason += 1; -+ is_invalid = true; - } - -- if (check_db_cert(DB, ctx, data, datalen) == FOUND) -- has_valid_cert = 1; -+ reason = &reasonps[nreason]; -+ if (check_db_cert(DB, ctx, data, datalen, -+ &reason->db_cert) == FOUND) { -+ reason->reason = WHITELISTED; -+ reason->type = SIGNATURE; -+ reason->sig.data = data; -+ reason->sig.len = datalen; -+ reason->type = siBuffer; -+ nreason += 1; -+ has_valid_cert = true; -+ } - } - - err: -- if (has_invalid_cert) -- return -1; -+ if (has_valid_cert != true) { -+ if (is_invalid != true) { -+ reason = &reasonps[nreason]; -+ reason->reason = NO_WHITELIST; -+ reason->type = NONE; -+ nreason += 1; -+ } -+ is_invalid = true; -+ } - -- if (has_valid_cert) -- return 0; -+ if (is_invalid == false) -+ ret = 0; - -- return -1; -+ if (nreasons && reasons) { -+ *nreasons = nreason; -+ *reasons = reasonps; -+ } else { -+ free(reasonps); -+ } -+ -+ return ret; - } - - void -@@ -204,6 +389,9 @@ main(int argc, char *argv[]) - - pesigcheck_context ctx, *ctxp = &ctx; - -+ struct reason *reasons = NULL; -+ int nreasons = 0; -+ - char *dbfile = NULL; - char *dbxfile = NULL; - char *certfile = NULL; -@@ -242,6 +430,12 @@ main(int argc, char *argv[]) - .arg = &ctx.quiet, - .val = 1, - .descrip = "return only; no text output." }, -+ {.longName = "verbose", -+ .shortName = 'v', -+ .argInfo = POPT_BIT_SET, -+ .arg = &ctx.verbose, -+ .val = 1, -+ .descrip = "print reasons for success and failure." }, - {.longName = "no-system-db", - .shortName = 'n', - .argInfo = POPT_ARG_INT, -@@ -308,12 +502,16 @@ main(int argc, char *argv[]) - exit(1); - } - -- rc = check_signature(ctxp); -+ rc = check_signature(ctxp, &nreasons, &reasons); - -- close_input(ctxp); -+ if (!ctx.quiet && ctx.verbose) { -+ for (int i = 0; i < nreasons; i++) -+ print_reason(&reasons[i]); -+ } - if (!ctx.quiet) - printf("pesigcheck: \"%s\" is %s.\n", ctx.infile, - rc >= 0 ? "valid" : "invalid"); -+ close_input(ctxp); - pesigcheck_context_fini(&ctx); - - NSS_Shutdown(); -diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h -index 7b5cc89..aec415e 100644 ---- a/src/pesigcheck_context.h -+++ b/src/pesigcheck_context.h -@@ -61,6 +61,7 @@ typedef struct pesigcheck_context { - Pe *inpe; - - int quiet; -+ int verbose; - - hashlist *hashes; - --- -2.13.4 - diff --git a/0021-Fix-race-condition-in-SEC_GetPassword.patch b/0021-Fix-race-condition-in-SEC_GetPassword.patch deleted file mode 100644 index 3088923..0000000 --- a/0021-Fix-race-condition-in-SEC_GetPassword.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001 -From: Julien Cristau -Date: Sat, 6 May 2017 22:45:34 +0200 -Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword - -A side effect of echoOff is to discard unread input, so if we print the -prompt before echoOff, the user (or process) at the other end might -react to it by writing the password in between those steps, which is -then discarded. This bit me when trying to drive pesign with an expect -script. - -Signed-off-by: Julien Cristau ---- - src/password.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/password.c b/src/password.c -index cd1c07e..d4eae0d 100644 ---- a/src/password.c -+++ b/src/password.c -@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt, - for (;;) { - /* Prompt for password */ - if (isTTY) { -+ echoOff(infd); - fprintf(output, "%s", prompt); - fflush (output); -- echoOff(infd); - } - - fgets ( phrase, sizeof(phrase), input); --- -2.13.4 - diff --git a/0022-sysvinit-Create-the-socket-directory-at-runtime.patch b/0022-sysvinit-Create-the-socket-directory-at-runtime.patch deleted file mode 100644 index 06980ee..0000000 --- a/0022-sysvinit-Create-the-socket-directory-at-runtime.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001 -From: David Michael -Date: Tue, 13 Jun 2017 13:20:16 -0700 -Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime - -This better supports non-systemd configurations with tmpfs on /run. ---- - src/pesign.sysvinit.in | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in -index d8fffca..dc508d8 100644 ---- a/src/pesign.sysvinit.in -+++ b/src/pesign.sysvinit.in -@@ -20,6 +20,9 @@ RETVAL=0 - - start(){ - echo -n "Starting pesign: " -+ mkdir /var/run/pesign 2>/dev/null && -+ chown pesign:pesign /var/run/pesign && -+ chmod 0770 /var/run/pesign - daemon /usr/bin/pesign --daemonize - RETVAL=$? - echo --- -2.13.4 - diff --git a/0023-Better-authorization-scripts.-Again.patch b/0023-Better-authorization-scripts.-Again.patch deleted file mode 100644 index c778c94..0000000 --- a/0023-Better-authorization-scripts.-Again.patch +++ /dev/null @@ -1,217 +0,0 @@ -From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 8 Aug 2017 15:44:44 -0400 -Subject: [PATCH 23/29] Better authorization scripts. Again. - -Signed-off-by: Peter Jones ---- - src/Makefile | 12 ++++++---- - src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++ - src/pesign-authorize-groups | 30 ------------------------ - src/pesign-authorize-users | 30 ------------------------ - src/pesign.service.in | 3 +-- - src/pesign.sysvinit.in | 3 +-- - 6 files changed, 65 insertions(+), 69 deletions(-) - create mode 100755 src/pesign-authorize - delete mode 100644 src/pesign-authorize-groups - delete mode 100644 src/pesign-authorize-users - -diff --git a/src/Makefile b/src/Makefile -index 654b792..84ad130 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults - - BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign - SVCTARGETS=pesign.sysvinit pesign.service --TARGETS=$(BINTARGETS) $(SVCTARGETS) -+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups - - all : deps $(TARGETS) - -@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ - $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign - -+pesign-users pesign-groups : -+ echo pesign > $@ -+ - install : - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ -@@ -88,10 +91,9 @@ install : - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ -- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/ -- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/ -+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign -- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users -- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups -+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users -+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups - - .PHONY: all deps clean install -diff --git a/src/pesign-authorize b/src/pesign-authorize -new file mode 100755 -index 0000000..a496f60 ---- /dev/null -+++ b/src/pesign-authorize -@@ -0,0 +1,56 @@ -+#!/bin/bash -+set -e -+set -u -+ -+# -+# With /run/pesign/socket on tmpfs, a simple way of restoring the -+# acls for specific users is useful -+# -+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 -+# -+ -+# License: GPLv2 -+declare -a fileusers=() -+declare -a dirusers=() -+for user in $(cat /etc/pesign/users); do -+ dirusers[${#dirusers[@]}]=-m -+ dirusers[${#dirusers[@]}]="u:$user:rwx" -+ fileusers[${#fileusers[@]}]=-m -+ fileusers[${#fileusers[@]}]="u:$user:rw" -+done -+ -+declare -a filegroups=() -+declare -a dirgroups=() -+for group in $(cat /etc/pesign/groups); do -+ dirgroups[${#dirgroups[@]}]=-m -+ dirgroups[${#dirgroups[@]}]="g:$group:rwx" -+ filegroups[${#filegroups[@]}]=-m -+ filegroups[${#filegroups[@]}]="g:$group:rw" -+done -+ -+update_subdir() { -+ subdir=$1 && shift -+ -+ setfacl -bk "${subdir}" -+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}" -+ for x in "${subdir}"* ; do -+ if [ -d "${x}" ]; then -+ setfacl -bk ${x} -+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x} -+ update_subdir "${x}/" -+ elif [ -e "${x}" ]; then -+ setfacl -bk ${x} -+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x} -+ else -+ :; -+ fi -+ done -+} -+ -+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do -+ if [ -d "${x}" ]; then -+ update_subdir "${x}" -+ else -+ :; -+ fi -+done -diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups -deleted file mode 100644 -index cf51fb6..0000000 ---- a/src/pesign-authorize-groups -+++ /dev/null -@@ -1,30 +0,0 @@ --#!/bin/bash --set -e -- --# --# With /run/pesign/socket on tmpfs, a simple way of restoring the --# acls for specific groups is useful --# --# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 --# -- --# License: GPLv2 -- --if [ -r /etc/pesign/groups ]; then -- for group in $(cat /etc/pesign/groups); do -- if [ -d /var/run/pesign ]; then -- setfacl -m g:${group}:rx /var/run/pesign -- if [ -e /var/run/pesign/socket ]; then -- setfacl -m g:${group}:rw /var/run/pesign/socket -- fi -- fi -- for x in /etc/pki/pesign*/ ; do -- if [ -d ${x} ]; then -- setfacl -m g:${group}:rx ${x} -- for y in ${x}{cert8,key3,secmod}.db ; do -- setfacl -m g:${group}:rw ${y} -- done -- fi -- done -- done --fi -diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users -deleted file mode 100644 -index 940138e..0000000 ---- a/src/pesign-authorize-users -+++ /dev/null -@@ -1,30 +0,0 @@ --#!/bin/bash --set -e -- --# --# With /run/pesign/socket on tmpfs, a simple way of restoring the --# acls for specific users is useful --# --# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 --# -- --# License: GPLv2 -- --if [ -r /etc/pesign/users ]; then -- for username in $(cat /etc/pesign/users); do -- if [ -d /var/run/pesign ]; then -- setfacl -m g:${username}:rx /var/run/pesign -- if [ -e /var/run/pesign/socket ]; then -- setfacl -m g:${username}:rw /var/run/pesign/socket -- fi -- fi -- for x in /etc/pki/pesign*/ ; do -- if [ -d ${x} ]; then -- setfacl -m g:${username}:rx ${x} -- for y in ${x}{cert8,key3,secmod}.db ; do -- setfacl -m g:${username}:rw ${y} -- done -- fi -- done -- done --fi -diff --git a/src/pesign.service.in b/src/pesign.service.in -index aaa408e..c75a000 100644 ---- a/src/pesign.service.in -+++ b/src/pesign.service.in -@@ -6,5 +6,4 @@ PrivateTmp=true - Type=forking - PIDFile=/var/run/pesign.pid - ExecStart=/usr/bin/pesign --daemonize --ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users --ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups -+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize -diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in -index dc508d8..b0e0f84 100644 ---- a/src/pesign.sysvinit.in -+++ b/src/pesign.sysvinit.in -@@ -27,8 +27,7 @@ start(){ - RETVAL=$? - echo - touch /var/lock/subsys/pesign -- @@LIBEXECDIR@@/pesign/pesign-authorize-users -- @@LIBEXECDIR@@/pesign/pesign-authorize-groups -+ @@LIBEXECDIR@@/pesign/pesign-authorize - } - - stop(){ --- -2.13.4 - diff --git a/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch b/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch deleted file mode 100644 index 8f4a380..0000000 --- a/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch +++ /dev/null @@ -1,95 +0,0 @@ -From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 8 Aug 2017 17:28:19 -0400 -Subject: [PATCH 24/29] Make the daemon also try to give better errors on - -EPERM etc. - -Basically 6796e5f but also for the daemon. This also tries to fix them -up to save errno better, for more accurate reporting. - -Signed-off-by: Peter Jones ---- - src/daemon.c | 27 +++++++++++++++++++++++++-- - src/pesign.c | 8 ++++++-- - 2 files changed, 31 insertions(+), 4 deletions(-) - -diff --git a/src/daemon.c b/src/daemon.c -index 7f694b2..942d576 100644 ---- a/src/daemon.c -+++ b/src/daemon.c -@@ -19,6 +19,7 @@ - - #include - #include -+#include - #include - #include - #include -@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork) - "pesignd starting (pid %d)", ctx.pid); - - SECStatus status = NSS_Init(certdir); -+ int error = errno; - if (status != SECSuccess) { -+ char *globpattern = NULL; -+ rc = asprintf(&globpattern, "%s/cert*.db", -+ certdir); -+ if (rc > 0) { -+ glob_t globbuf; -+ memset(&globbuf, 0, sizeof(globbuf)); -+ rc = glob(globpattern, GLOB_ERR, NULL, -+ &globbuf); -+ if (rc != 0) { -+ errno = error; -+ ctx.backup_cms->log(ctx.backup_cms, -+ ctx.priority|LOG_NOTICE, -+ "Could not open NSS database (\"%s\"): %m", -+ PORT_ErrorToString(PORT_GetError())); -+ exit(1); -+ } -+ } -+ } -+ if (status != SECSuccess) { -+ errno = error; - ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE, -- "Could not initialize nss: %s\n", -- PORT_ErrorToString(PORT_GetError())); -+ "Could not initialize nss.\n" -+ "NSS says \"%s\" errno says \"%m\"\n", -+ PORT_ErrorToString(PORT_GetError())); - exit(1); - } - -diff --git a/src/pesign.c b/src/pesign.c -index 5879cfc..6ceda34 100644 ---- a/src/pesign.c -+++ b/src/pesign.c -@@ -660,10 +660,12 @@ main(int argc, char *argv[]) - - if (!daemon) { - SECStatus status; -+ int error; - if (need_db) { - status = NSS_Init(certdir); - if (status != SECSuccess) { - char *globpattern = NULL; -+ error = errno; - rc = asprintf(&globpattern, "%s/cert*.db", - certdir); - if (rc > 0) { -@@ -680,8 +682,10 @@ main(int argc, char *argv[]) - } else - status = NSS_NoDB_Init(NULL); - if (status != SECSuccess) { -- errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n", -- PORT_ErrorToString(PORT_GetError())); -+ errno = error; -+ errx(1, "Could not initialize nss.\n" -+ "NSS says \"%s\" errno says \"%m\"\n", -+ PORT_ErrorToString(PORT_GetError())); - } - - status = register_oids(ctxp->cms_ctx); --- -2.13.4 - diff --git a/0025-certdb-fix-PRTime-printfs-for-i686.patch b/0025-certdb-fix-PRTime-printfs-for-i686.patch deleted file mode 100644 index 0fc2ad8..0000000 --- a/0025-certdb-fix-PRTime-printfs-for-i686.patch +++ /dev/null @@ -1,31 +0,0 @@ -From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 9 Aug 2017 17:40:33 -0400 -Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686 - -Signed-off-by: Peter Jones ---- - src/certdb.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/certdb.c b/src/certdb.c -index fae80af..29c9502 100644 ---- a/src/certdb.c -+++ b/src/certdb.c -@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, - } - - if (lateNow < earlyNow) -- printf("Signature has impossible time constraint: %ld <= %ld\n", -- earlyNow / 1000000, lateNow / 1000000); -+ printf("Signature has impossible time constraint: %lld <= %lld\n", -+ earlyNow / 1000000LL, lateNow / 1000000LL); - atTime = earlyNow / 2 + lateNow / 2; - -- - cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL, - NULL, NULL); - if (!cinfo) --- -2.13.4 - diff --git a/0026-Clean-up-gcc-command-lines-a-little.patch b/0026-Clean-up-gcc-command-lines-a-little.patch deleted file mode 100644 index 928d62d..0000000 --- a/0026-Clean-up-gcc-command-lines-a-little.patch +++ /dev/null @@ -1,41 +0,0 @@ -From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 10 Aug 2017 10:02:38 -0400 -Subject: [PATCH 26/29] Clean up gcc command lines a little - -Signed-off-by: Peter Jones ---- - Make.defaults | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/Make.defaults b/Make.defaults -index 39b78f0..b6c0381 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -20,8 +20,7 @@ CROSS_COMPILE ?= $(bindir) - PKG_CONFIG = $(CROSS_COMPILE)pkg-config - CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC)) - CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD)) --CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \ -- -Wall -Werror -Wextra -Wno-error=cpp -+CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp - AS := $(CROSS_COMPILE)as - AR := $(CROSS_COMPILE)gcc-ar - RANLIB := $(CROSS_COMPILE)gcc-ranlib -@@ -36,10 +35,10 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,) - - SOFLAGS = -shared - clang_cflags = --gcc_cflags = -Wmaybe-uninitialized -+gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches - cflags = $(CFLAGS) $(ARCH3264) \ -- -Wall -Werror -Wno-cpp -Wsign-compare -Wno-unused-result \ -- -Wno-unused-function\ -+ -Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \ -+ -Wno-unused-function -Wsign-compare \ - -std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \ - -fno-merge-constants -fkeep-inline-functions \ - -D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \ --- -2.13.4 - diff --git a/0027-Make-pesign-users-groups-static-in-the-repo.patch b/0027-Make-pesign-users-groups-static-in-the-repo.patch deleted file mode 100644 index 4131de3..0000000 --- a/0027-Make-pesign-users-groups-static-in-the-repo.patch +++ /dev/null @@ -1,54 +0,0 @@ -From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 10 Aug 2017 10:03:37 -0400 -Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo. - -Signed-off-by: Peter Jones ---- - src/Makefile | 5 +---- - src/pesign-groups | 1 + - src/pesign-users | 1 + - 3 files changed, 3 insertions(+), 4 deletions(-) - create mode 100644 src/pesign-groups - create mode 100644 src/pesign-users - -diff --git a/src/Makefile b/src/Makefile -index 84ad130..7d68fa1 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults - - BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign - SVCTARGETS=pesign.sysvinit pesign.service --TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups -+TARGETS=$(BINTARGETS) $(SVCTARGETS) - - all : deps $(TARGETS) - -@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ - $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign - --pesign-users pesign-groups : -- echo pesign > $@ -- - install : - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ -diff --git a/src/pesign-groups b/src/pesign-groups -new file mode 100644 -index 0000000..7f57cc5 ---- /dev/null -+++ b/src/pesign-groups -@@ -0,0 +1 @@ -+pesign -diff --git a/src/pesign-users b/src/pesign-users -new file mode 100644 -index 0000000..7f57cc5 ---- /dev/null -+++ b/src/pesign-users -@@ -0,0 +1 @@ -+pesign --- -2.13.4 - diff --git a/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch b/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch deleted file mode 100644 index 793fe6c..0000000 --- a/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 9 Aug 2017 17:31:31 -0400 -Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values - unless overridden - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 69280e9..22a3ee6 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -9,6 +9,9 @@ - %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} - %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} - -+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} -+%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"} -+ - %_pesign /usr/bin/pesign - %_pesign_client /usr/bin/pesign-client - -@@ -41,11 +44,11 @@ - --certdir ${nss} -c signer %{-o} \ - rm -rf ${sattrs} ${sattrs}.sig ${nss} \ - elif [ -S /var/run/pesign/socket ]; then \ -- %{_pesign_client} -t %{__pesign_token} \\\ -- -c %{__pesign_cert} \\\ -+ %{_pesign_client} -t %{__pesign_client_token} \\\ -+ -c %{__pesign_client_cert} \\\ - %{-i} %{-o} %{-e} %{-s} %{-C} \ - else \ -- %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\ -+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ - --certdir ${_pesign_nssdir} \\\ - %{-i} %{-o} %{-e} %{-s} %{-C} \ - fi \ --- -2.13.4 - diff --git a/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch b/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch deleted file mode 100644 index 753afe8..0000000 --- a/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 14 Aug 2017 11:37:43 -0400 -Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't - have perms on the socket - ---- - src/macros.pesign | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 22a3ee6..1665b4c 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -43,6 +43,21 @@ - %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ - --certdir ${nss} -c signer %{-o} \ - rm -rf ${sattrs} ${sattrs}.sig ${nss} \ -+ elif [ "%{vendor}" == "Fedora Project" -a \\\ -+ "$(id -un)" == "mockbuild" -a \\\ -+ "$(uname -m)" == "x86_64" ] && \\\ -+ grep -q ID=fedora /etc/os-release && \\\ -+ [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\ -+ ! [ -S /var/run/pesign/socket ]; then \ -+ echo "No socket even though this is %{_buildhost}" \ -+ ls -ld /var/run/pesign || : \ -+ getfacl /var/run/pesign || : \ -+ ls -l /var/run/pesign/socket || : \ -+ getfacl /var/run/pesign/socket || : \ -+ echo =========== env ============== \ -+ set \ -+ echo =========== env ============== \ -+ exit 1 \ - elif [ -S /var/run/pesign/socket ]; then \ - %{_pesign_client} -t %{__pesign_client_token} \\\ - -c %{__pesign_client_cert} \\\ --- -2.13.4 - diff --git a/0032-Use-sql-type-nss-database-everywhere-by-default.patch b/0032-Use-sql-type-nss-database-everywhere-by-default.patch deleted file mode 100644 index cab7653..0000000 --- a/0032-Use-sql-type-nss-database-everywhere-by-default.patch +++ /dev/null @@ -1,104 +0,0 @@ -From c2f2c8845b3ed34da0a76806ec81bc5ad60179ef Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 12 Mar 2018 10:51:24 -0400 -Subject: [PATCH] Use sql-type nss database everywhere by default. - -Signed-off-by: Peter Jones ---- - src/authvar.c | 2 ++ - src/client.c | 3 +++ - src/efikeygen.c | 2 ++ - src/efisiglist.c | 2 ++ - src/pesigcheck.c | 2 ++ - src/pesign.c | 2 ++ - 6 files changed, 13 insertions(+) - -diff --git a/src/authvar.c b/src/authvar.c -index 03e0c47f61c..47a73d12eaa 100644 ---- a/src/authvar.c -+++ b/src/authvar.c -@@ -272,6 +272,8 @@ main(int argc, char *argv[]) - - int action = 0; - -+ setenv("NSS_DEFAULT_DB_TYPE", "sql", 0); -+ - rc = authvar_context_init(ctxp); - if (rc < 0) { - fprintf(stderr, "Could not initialize context: %m\n"); -diff --git a/src/client.c b/src/client.c -index 575c873fb70..64e7bbb7689 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -628,6 +629,8 @@ main(int argc, char *argv[]) - POPT_TABLEEND - }; - -+ setenv("NSS_DEFAULT_DB_TYPE", "sql", 0); -+ - optCon = poptGetContext("pesign", argc, (const char **)argv, options,0); - - rc = poptReadDefaultConfig(optCon, 0); -diff --git a/src/efikeygen.c b/src/efikeygen.c -index 93905782c0c..ad34970a62d 100644 ---- a/src/efikeygen.c -+++ b/src/efikeygen.c -@@ -595,6 +595,8 @@ int main(int argc, char *argv[]) - POPT_TABLEEND - }; - -+ setenv("NSS_DEFAULT_DB_TYPE", "sql", 0); -+ - optCon = poptGetContext("pesign", argc, (const char **)argv, options,0); - - int rc = poptReadDefaultConfig(optCon, 0); -diff --git a/src/efisiglist.c b/src/efisiglist.c -index a7ed528ca13..b88c4a06ded 100644 ---- a/src/efisiglist.c -+++ b/src/efisiglist.c -@@ -177,6 +177,8 @@ main(int argc, char *argv[]) - POPT_TABLEEND - }; - -+ setenv("NSS_DEFAULT_DB_TYPE", "sql", 0); -+ - optCon = poptGetContext("pesign", argc, (const char **)argv, options,0); - - rc = poptReadDefaultConfig(optCon, 0); -diff --git a/src/pesigcheck.c b/src/pesigcheck.c -index c8e10860855..535999ca7fa 100644 ---- a/src/pesigcheck.c -+++ b/src/pesigcheck.c -@@ -464,6 +464,8 @@ main(int argc, char *argv[]) - POPT_TABLEEND - }; - -+ setenv("NSS_DEFAULT_DB_TYPE", "sql", 0); -+ - rc = pesigcheck_context_init(ctxp); - if (rc < 0) { - fprintf(stderr, "pesigcheck: Could not initialize context: %m\n"); -diff --git a/src/pesign.c b/src/pesign.c -index 6ceda34f797..bc12e4d920a 100644 ---- a/src/pesign.c -+++ b/src/pesign.c -@@ -416,6 +416,8 @@ main(int argc, char *argv[]) - char *certdir = "/etc/pki/pesign"; - char *signum = NULL; - -+ setenv("NSS_DEFAULT_DB_TYPE", "sql", 0); -+ - rc = pesign_context_new(&ctxp); - if (rc < 0) { - fprintf(stderr, "Could not initialize context: %m\n"); --- -2.26.2 - diff --git a/pesign.spec b/pesign.spec index c5f1044..9d4932b 100644 --- a/pesign.spec +++ b/pesign.spec @@ -2,8 +2,8 @@ Name: pesign Summary: Signing utility for UEFI binaries -Version: 0.112 -Release: 31%{?dist} +Version: 113 +Release: 1%{?dist} License: GPLv2 URL: https://github.com/vathpela/pesign @@ -37,42 +37,12 @@ ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm} BuildRequires: rh-signing-tools >= 1.20-2 %endif -Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 +Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 Source1: certs.tar.xz Source2: pesign.py -Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch -Patch0002: 0002-Fix-command-line-parsing.patch -Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch -Patch0004: 0004-Fix-certficate-argument-name.patch -Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch -Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch -Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch -Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch -Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch -Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch -Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch -Patch0012: 0012-Add-coverity-build-scripts.patch -Patch0013: 0013-Document-implicit-fallthrough.patch -Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch -Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch -Patch0016: 0016-efikeygen-add-modsign.patch -Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch -Patch0018: 0018-show-which-db-we-re-checking.patch -Patch0019: 0019-more-about-the-time.patch -Patch0020: 0020-try-to-say-why-something-fails.patch -Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch -Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch -Patch0023: 0023-Better-authorization-scripts.-Again.patch -Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch -Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch -Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch -Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch -Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch -Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch -Patch0030: 0030-efikeygen-Fix-the-build-with-nss-3.44.patch -Patch0031: 0031-pesigcheck-Fix-a-wrong-assignment.patch -Patch0032: 0032-Use-sql-type-nss-database-everywhere-by-default.patch +Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch +Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch %description This package contains the pesign utility for signing UEFI binaries as @@ -138,9 +108,6 @@ exit 0 %post %systemd_post pesign.service -#%%posttrans -#%%{_libexecdir}/pesign/pesign-authorize - %preun %systemd_preun pesign.service @@ -148,7 +115,8 @@ exit 0 %systemd_postun_with_restart pesign.service %posttrans -certutil -d /etc/pki/pesign/ -X -L > /dev/null +certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null +%{_libexecdir}/pesign/pesign-authorize %endif %files @@ -183,6 +151,10 @@ certutil -d /etc/pki/pesign/ -X -L > /dev/null %{python3_sitelib}/mockbuild/plugins/pesign.* %changelog +* Thu Jun 11 2020 Javier Martinez Canillas - 113-1 +- Update to 113 release + Resolves: rhbz#1708773 + * Mon Jun 08 2020 Javier Martinez Canillas - 0.112-31 - Switch default NSS database to SQLite format (pjones) Resolves: rhbz#1827902 diff --git a/sources b/sources index a337e1e..d0199f7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f -SHA512 (pesign-0.112.tar.bz2) = 96bff27ce5059f1ea299c21ac88998a0c17851b8b06ba2f3e286de5cd4d73651b670ac00ca035481faf9c963338527c89120c63ec891a95ce9ecb9130fbc5e5c +SHA512 (pesign-113.tar.bz2) = 89c5e33bf6ac8f8dc4b65192e5fd4bf1fea285106d1de2a6ea02a8c5090f2ec5976b1d80c60e57f74fa56dc25b174a4dd5682292db44ab9aeab69ea992dfef36