rpms/pesign
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import pesign-0.112-26.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-11-11 08:21:52 +00:00 committed by Stepan Oksanichenko
parent b41975225a
commit 9364cc5c20
3 changed files with 208 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
SOURCES/0030-Replace-var-run-with-run.patch Normal file
View File

@ -0,0 +1,151 @@
From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 8 Nov 2021 17:58:09 -0500
Subject: [PATCH] Replace /var/run with /run
This change is in violation of the FHS and is forced by systemd being
obnoxious and logging warnings about it as if it's some kind of problem.
This commit is a subset of the work in
02d473fbfd782863a0dcef7e44822d1e7e56a4b3,
f97d3b04a2eafb42272ede24e1353dd0a7f4347c,
5f9058677e7241cc88b4e8620654bbaa08a4bce4, and
cffa10d9b5eec9a9def3533b181a32b64fc29913 (all by pjones) because they
don't backport well.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/Makefile | 2 +-
src/daemon.h | 4 ++--
src/macros.pesign | 12 ++++++------
src/pesign-authorize | 2 +-
src/pesign.service.in | 2 +-
src/pesign.sysvinit.in | 10 +++++-----
src/tmpfiles.conf | 2 +-
7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index 7d68fa1..a11e2b4 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
diff --git a/src/daemon.h b/src/daemon.h
index d97eab9..db42c16 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -49,7 +49,7 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
#endif /* DAEMON_H */
diff --git a/src/macros.pesign b/src/macros.pesign
index dfdac02..f135c29 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -48,17 +48,17 @@
"$(uname -m)" == "x86_64" ] && \\\
grep -q ID=fedora /etc/os-release && \\\
[[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
- ! [ -S /var/run/pesign/socket ]; then \
+ ! [ -S /run/pesign/socket ]; then \
echo "No socket even though this is %{_buildhost}" \
- ls -ld /var/run/pesign || : \
- getfacl /var/run/pesign || : \
- ls -l /var/run/pesign/socket || : \
- getfacl /var/run/pesign/socket || : \
+ ls -ld /run/pesign || : \
+ getfacl /run/pesign || : \
+ ls -l /run/pesign/socket || : \
+ getfacl /run/pesign/socket || : \
echo =========== env ============== \
set \
echo =========== env ============== \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
diff --git a/src/pesign-authorize b/src/pesign-authorize
index a496f60..83a30cd 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
diff --git a/src/pesign.service.in b/src/pesign.service.in
index c75a000..4ac2199 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index b0e0f84..bf8edec 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
- mkdir /var/run/pesign 2>/dev/null &&
- chown pesign:pesign /var/run/pesign &&
- chmod 0770 /var/run/pesign
+ mkdir /run/pesign 2>/dev/null &&
+ chown pesign:pesign /run/pesign &&
+ chmod 0770 /run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
@@ -32,7 +32,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
index c1cf355..3375ad5 100644
--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
--
2.33.0

46
SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch Normal file
View File

@ -0,0 +1,46 @@
From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
NSS 3.44 adds some certificate types, which changes a type and makes
some encoding stuff weird. As a result, we get:
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
In file included from /usr/local/include/nss/nss/cert.h:22,
from efikeygen.c:39:
efikeygen.c: In function 'add_cert_type':
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
^
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
unsigned char type = NS_CERT_TYPE_APP;
^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit b535d1ac5cbcdf18a97d97a92581e38080d9e521)
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 9390578..089e6a7 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -206,7 +206,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
- unsigned char type = NS_CERT_TYPE_APP;
+ int type = NS_CERT_TYPE_APP;
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
--
2.33.0

16
SPECS/pesign.spec
View File

@ -3,7 +3,7 @@
Name: pesign Name: pesign
Summary: Signing utility for UEFI binaries Summary: Signing utility for UEFI binaries
Version: 0.112 Version: 0.112
Release: 25%{?dist} Release: 26%{?dist}
License: GPLv2 License: GPLv2
URL: https://github.com/vathpela/pesign URL: https://github.com/vathpela/pesign
@ -59,6 +59,8 @@ Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
Patch0030: 0030-Replace-var-run-with-run.patch
Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
%description %description
This package contains the pesign utility for signing UEFI binaries as This package contains the pesign utility for signing UEFI binaries as
@ -113,7 +115,7 @@ install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
%pre %pre
getent group pesign >/dev/null || groupadd -r pesign getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || \ getent passwd pesign >/dev/null || \
useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \ useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
-c "Group for the pesign signing daemon" pesign -c "Group for the pesign signing daemon" pesign
exit 0 exit 0
@ -152,9 +154,9 @@ exit 0
%{_sysconfdir}/popt.d/pesign.popt %{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign %{macrosdir}/macros.pesign
%{_mandir}/man*/* %{_mandir}/man*/*
%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name} %dir %attr(0770, pesign, pesign) /%{_rundir}/%{name}
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket %ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid %ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%{_tmpfilesdir}/pesign.conf %{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service %{_unitdir}/pesign.service
@ -163,6 +165,10 @@ exit 0
%{python3_sitelib}/mockbuild/plugins/pesign.* %{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog %changelog
* Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
- Perform the /var/run to /run "migration" stupidity
- Resolves: rhbz#1801976
* Mon Oct 01 2018 Peter Jones <pjones@redhat.com> - 0.112-25 * Mon Oct 01 2018 Peter Jones <pjones@redhat.com> - 0.112-25
- Preserve .py timestamp during install so .pyc/.pyo files have the same - Preserve .py timestamp during install so .pyc/.pyo files have the same
timestamp on all arches, preventing rpmdiff from complaining. timestamp on all arches, preventing rpmdiff from complaining.