Fix the signer name for fedora and some other minor nits

Related: rhbz#1708773 Related: rhbz#1678146 Signed-off-by: Peter Jones <pjones@redhat.com>
2020-06-12 11:52:32 -04:00 · 2020-06-12 11:52:32 -04:00 · 9b526cffa9
commit 9b526cffa9
parent edca44f2a2
3 changed files with 85 additions and 5 deletions
--- a/0004-Rename-var-run-to-run.patch
+++ b/0004-Rename-var-run-to-run.patch
@ -0,0 +1,46 @@
+From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 12 Jun 2020 11:49:44 -0400
+Subject: [PATCH] Rename /var/run/ to /run/
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 12 ++++++------
+ src/tmpfiles.conf |  2 +-
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 56f75cafbc4..5a6da1c6809 100644
+--- a/src/macros.pesign
+++ b/src/macros.pesign
+@@ -45,14 +45,14 @@
+       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
+     elif [ "$(id -un)" == "kojibuilder" -a				\\\
+            grep -q ID=fedora /etc/os-release -a				\\\
+-           ! -S /var/run/pesign/socket ]; then				\
+           ! -S /run/pesign/socket ]; then				\
+       echo "No socket even though this is kojibuilder" 1>&2		\
+-      ls -ld /var/run/pesign 1>&2					\
+-      ls -l /var/run/pesign/socket 1>&2					\
+-      getfacl /var/run/pesign 1>&2					\
+-      getfacl /var/run/pesign/socket 1>&2				\
+      ls -ld /run/pesign 1>&2					\
+      ls -l /run/pesign/socket 1>&2					\
+      getfacl /run/pesign 1>&2					\
+      getfacl /run/pesign/socket 1>&2				\
+       exit 1								\
+-    elif [ -S /var/run/pesign/socket ]; then				\
+    elif [ -S /run/pesign/socket ]; then				\
+       %{_pesign_client} -t %{__pesign_client_token}			\\\
+                         -c %{__pesign_client_cert}			\\\
+                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
+diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
+index c1cf35597d8..3375ad52a44 100644
+--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
+@@ -1 +1 @@
+-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
+-- 
+2.26.2
+
--- a/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
+++ b/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
@ -0,0 +1,30 @@
+From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Tue, 18 Feb 2020 16:37:53 -0500
+Subject: [PATCH] Apparently opensc got updated and the token name changed
+
+All the kernel builds started failing yesterday because the signing
+token could not be found. Update the token name in the macro shipped by
+pesign.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 7c5cba170e9..56f75cafbc4 100644
+--- a/src/macros.pesign
+++ b/src/macros.pesign
+@@ -9,7 +9,7 @@
+ %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+ %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+-%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
+ %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+ %_pesign /usr/bin/pesign
+-- 
+2.26.2
+
--- a/pesign.spec
+++ b/pesign.spec
@ -3,7 +3,7 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
 Version: 113
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 URL:     https://github.com/vathpela/pesign

@ -44,6 +44,8 @@ Source2: pesign.py
 Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch
 Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
 Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
+Patch0004: 0004-Rename-var-run-to-run.patch
+Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch

 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -61,9 +63,6 @@ git am %{patches} </dev/null
 git config --unset user.email
 git config --unset user.name

-# https://bugzilla.redhat.com/show_bug.cgi?id=1678146
-sed -i 's|/var/run/pesign|/run/pesign|' src/tmpfiles.conf
-
 %build
 make PREFIX=%{_prefix} LIBDIR=%{_libdir}

@ -101,7 +100,7 @@ install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 %pre
 getent group pesign >/dev/null || groupadd -r pesign
 getent passwd pesign >/dev/null || \
-	useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
+	useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
 		-c "Group for the pesign signing daemon" pesign
 exit 0

@ -152,6 +151,11 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
 %{python3_sitelib}/mockbuild/plugins/pesign.*

 %changelog
+* Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
+- Fix the signer name for fedora and some other minor nits
+  Related: rhbz#1708773
+  Related: rhbz#1678146
+
 * Thu Jun 11 2020 Peter Jones <pjones@redhat.com> - 113-2
 - Fix a signing protocol bug we introduced in 113 that makes the fedora
  kernel builders fail.