RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/pesign#2ee3400b3c6ed63e365a4361219b79a833cd76ea
This commit is contained in:
Troy Dawson 2020-10-14 15:59:05 -07:00
parent 677030638c
commit a4b37eed9e
16 changed files with 1805 additions and 0 deletions

7
.gitignore vendored
View File

@ -0,0 +1,7 @@
/pesign-*.tar.bz2
clog
/rh-test-certs.tar.bz2
*.rpm
/certs.tar.xz
.build*.log
/pesign-*/

View File

@ -0,0 +1,45 @@
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
NSS 3.44 adds some certificate types, which changes a type and makes
some encoding stuff weird. As a result, we get:
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
In file included from /usr/local/include/nss/nss/cert.h:22,
from efikeygen.c:39:
efikeygen.c: In function 'add_cert_type':
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
^
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
unsigned char type = NS_CERT_TYPE_APP;
^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index ede76ef0b48..2cd953e9781 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -208,7 +208,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
- unsigned char type = NS_CERT_TYPE_APP;
+ int type = NS_CERT_TYPE_APP;
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
--
2.23.0

View File

@ -0,0 +1,49 @@
From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Feb 2020 16:28:56 -0500
Subject: [PATCH] pesigcheck: Fix a wrong assignment
gcc says:
pesigcheck.c: In function 'check_signature':
pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
321 | reason->type = siBuffer;
| ^
pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
333 | reason->type = siBuffer;
| ^
cc1: all warnings being treated as errors
And indeed, that line of code makes no sense at all - it was supposed to
be reason->sig.type.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesigcheck.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 524cce307bf..8fa0f1ad03d 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
+ reason->sig.type = siBuffer;
nreason += 1;
is_invalid = true;
}
@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
+ reason->sig.type = siBuffer;
nreason += 1;
has_valid_cert = true;
}
--
2.24.1

View File

@ -0,0 +1,317 @@
From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 11 Jun 2020 16:23:14 -0400
Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and
vise versa
This makes the version of the sign API that takes a file type optional,
and makes the client attempt to negotiate which version it's getting.
It also leaves the server able to still handle the version from before
the file type was added.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 74 +++++++++++++++++++++++++++++++++++++---------------
src/daemon.c | 63 +++++++++++++++++++++++++++++---------------
src/daemon.h | 2 ++
3 files changed, 97 insertions(+), 42 deletions(-)
diff --git a/src/client.c b/src/client.c
index aa373abd981..57bcc09cbe8 100644
--- a/src/client.c
+++ b/src/client.c
@@ -11,6 +11,7 @@
#include <fcntl.h>
#include <popt.h>
#include <pwd.h>
+#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/socket.h>
@@ -84,8 +85,8 @@ connect_to_server(void)
static int32_t
check_response(int sd, char **srvmsg);
-static void
-check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
+static int
+check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit)
{
struct msghdr msg;
struct iovec iov[1];
@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
ssize_t n;
n = sendmsg(sd, &msg, 0);
if (n < 0) {
- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n");
+ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n");
exit(1);
}
@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
char *srvmsg = NULL;
int32_t rc = check_response(sd, &srvmsg);
- if (rc < 0)
+
+ if (do_exit && rc < 0)
errx(1, "command \"%s\" not known by server", name);
- if (rc != version)
+
+ if (do_exit && rc != version)
errx(1, "command \"%s\": client version %d, server version %d",
name, version, rc);
+
+ if (rc < 0)
+ return rc;
+ return rc == version;
}
static void
@@ -134,7 +141,7 @@ send_kill_daemon(int sd)
struct iovec iov;
pesignd_msghdr pm;
- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0);
+ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_KILL_DAEMON;
@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin)
uint32_t size1 = pesignd_string_size(pin);
- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0);
+ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_UNLOCK_TOKEN;
@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname)
uint32_t size0 = pesignd_string_size(tokenname);
- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0);
+ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_IS_TOKEN_UNLOCKED;
@@ -452,6 +459,9 @@ static void
sign(int sd, char *infile, char *outfile, char *tokenname, char *certname,
int attached, uint32_t format)
{
+ int rc;
+ bool add_file_type;
+
int infd = open(infile, O_RDONLY);
if (infd < 0) {
fprintf(stderr, "pesign-client: could not open input file "
@@ -481,12 +491,28 @@ oom:
exit(1);
}
- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED,
- attached ? "sign-attached" : "sign-detached", 0);
+ rc = check_cmd_version(sd,
+ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
+ : CMD_SIGN_DETACHED_WITH_FILE_TYPE,
+ attached ? "sign-attached" : "sign-detached",
+ 0, format == FORMAT_KERNEL_MODULE);
+ if (rc >= 0) {
+ add_file_type = true;
+ } else {
+ add_file_type = false;
+ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED
+ : CMD_SIGN_DETACHED,
+ attached ? "sign-attached" : "sign-detached",
+ 0, true);
+ }
+ printf("add_file_type:%d\n", add_file_type);
pm->version = PESIGND_VERSION;
- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED;
- pm->size = size0 + size1 + sizeof(format);
+ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
+ : CMD_SIGN_ATTACHED)
+ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE
+ : CMD_SIGN_DETACHED);
+ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0);
iov[0].iov_base = pm;
iov[0].iov_len = sizeof (*pm);
@@ -503,25 +529,31 @@ oom:
}
char *buffer;
- buffer = malloc(size0 + size1);
+ buffer = malloc(pm->size);
if (!buffer)
goto oom;
- iov[0].iov_base = &format;
- iov[0].iov_len = sizeof(format);
+ int pos = 0;
+
+ if (add_file_type) {
+ iov[pos].iov_base = &format;
+ iov[pos].iov_len = sizeof(format);
+ pos++;
+ }
pesignd_string *tn = (pesignd_string *)buffer;
pesignd_string_set(tn, tokenname);
- iov[1].iov_base = tn;
- iov[1].iov_len = size0;
+ iov[pos].iov_base = tn;
+ iov[pos].iov_len = size0;
+ pos++;
pesignd_string *cn = pesignd_string_next(tn);
pesignd_string_set(cn, certname);
- iov[2].iov_base = cn;
- iov[2].iov_len = size1;
+ iov[pos].iov_base = cn;
+ iov[pos].iov_len = size1;
msg.msg_iov = iov;
- msg.msg_iovlen = 3;
+ msg.msg_iovlen = add_file_type ? 3 : 2;
n = sendmsg(sd, &msg, 0);
if (n < 0) {
@@ -535,7 +567,7 @@ oom:
send_fd(sd, outfd);
char *srvmsg = NULL;
- int rc = check_response(sd, &srvmsg);
+ rc = check_response(sd, &srvmsg);
if (rc < 0) {
fprintf(stderr, "pesign-client: signing failed: \"%s\"\n",
srvmsg);
diff --git a/src/daemon.c b/src/daemon.c
index 9374d59be30..494beb9af72 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -12,6 +12,7 @@
#include <poll.h>
#include <pwd.h>
#include <signal.h>
+#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -561,7 +562,7 @@ out:
static void
handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
- int attached)
+ int attached, bool with_file_type)
{
struct msghdr msg;
struct iovec iov;
@@ -585,8 +586,12 @@ oom:
n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
- file_format = *((uint32_t *) buffer);
- n -= sizeof(uint32_t);
+ if (with_file_type) {
+ file_format = *((uint32_t *) buffer);
+ n -= sizeof(uint32_t);
+ } else {
+ file_format = FORMAT_PE_BINARY;
+ }
pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t));
if (n < (long long)sizeof(tn->size)) {
@@ -666,34 +671,44 @@ finish:
teardown_digests(ctx->cms);
}
+static inline void
+handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size,
+ int attached, bool with_file_type)
+{
+ int rc = cms_context_alloc(&ctx->cms);
+ if (rc < 0)
+ return;
+
+ steal_from_cms(ctx->backup_cms, ctx->cms);
+
+ handle_signing(ctx, pollfd, size, attached, with_file_type);
+
+ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
+ cms_context_fini(ctx->cms);
+}
+
static void
handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
{
- int rc = cms_context_alloc(&ctx->cms);
- if (rc < 0)
- return;
+ handle_sign_helper(ctx, pollfd, size, 1, false);
+}
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 1);
-
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
- cms_context_fini(ctx->cms);
+static void
+handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
+{
+ handle_sign_helper(ctx, pollfd, size, 1, true);
}
static void
handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
{
- int rc = cms_context_alloc(&ctx->cms);
- if (rc < 0)
- return;
+ handle_sign_helper(ctx, pollfd, size, 0, false);
+}
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 0);
-
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
- cms_context_fini(ctx->cms);
+static void
+handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
+{
+ handle_sign_helper(ctx, pollfd, size, 0, true);
}
static void
@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = {
{ CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 },
{ CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 },
{ CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 },
+ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
+ handle_sign_attached_with_file_type,
+ "sign-attached-with-file-type", 0 },
+ { CMD_SIGN_DETACHED_WITH_FILE_TYPE,
+ handle_sign_detached_with_file_type,
+ "sign-detached-with-file-type", 0 },
{ CMD_RESPONSE, NULL, "response", 0 },
{ CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked,
"is-token-unlocked", 0 },
diff --git a/src/daemon.h b/src/daemon.h
index dd430512f1a..834d62c72d0 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -33,6 +33,8 @@ typedef enum {
CMD_RESPONSE,
CMD_IS_TOKEN_UNLOCKED,
CMD_GET_CMD_VERSION,
+ CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
+ CMD_SIGN_DETACHED_WITH_FILE_TYPE,
CMD_LIST_END
} pesignd_cmd;
--
2.26.2

View File

@ -0,0 +1,46 @@
From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 12 Jun 2020 11:49:44 -0400
Subject: [PATCH] Rename /var/run/ to /run/
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 12 ++++++------
src/tmpfiles.conf | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 56f75cafbc4..5a6da1c6809 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -45,14 +45,14 @@
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ "$(id -un)" == "kojibuilder" -a \\\
grep -q ID=fedora /etc/os-release -a \\\
- ! -S /var/run/pesign/socket ]; then \
+ ! -S /run/pesign/socket ]; then \
echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /var/run/pesign 1>&2 \
- ls -l /var/run/pesign/socket 1>&2 \
- getfacl /var/run/pesign 1>&2 \
- getfacl /var/run/pesign/socket 1>&2 \
+ ls -ld /run/pesign 1>&2 \
+ ls -l /run/pesign/socket 1>&2 \
+ getfacl /run/pesign 1>&2 \
+ getfacl /run/pesign/socket 1>&2 \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
index c1cf35597d8..3375ad52a44 100644
--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
--
2.26.2

View File

@ -0,0 +1,30 @@
From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jcline@redhat.com>
Date: Tue, 18 Feb 2020 16:37:53 -0500
Subject: [PATCH] Apparently opensc got updated and the token name changed
All the kernel builds started failing yesterday because the signing
token could not be found. Update the token name in the macro shipped by
pesign.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 7c5cba170e9..56f75cafbc4 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -9,7 +9,7 @@
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
-%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
--
2.26.2

View File

@ -0,0 +1,86 @@
From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 16:13:09 -0400
Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/src/client.c b/src/client.c
index 2119ef33bf8..a38383415d5 100644
--- a/src/client.c
+++ b/src/client.c
@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
}
static int
-connect_to_server(void)
+connect_to_server_helper(const char * const sockpath)
{
- int rc = access(SOCKPATH, R_OK);
+ int rc = access(sockpath, R_OK);
if (rc != 0) {
- fprintf(stderr, "pesign-client: could not connect to server: "
- "%m\n");
- exit(1);
+ warn("could not access socket \"%s\"", sockpath);
+ return rc;
}
struct sockaddr_un addr_un = {
.sun_family = AF_UNIX,
- .sun_path = SOCKPATH,
};
+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
int sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd < 0) {
- fprintf(stderr, "pesign-client: could not open socket: %m\n");
- exit(1);
+ warn("could not open socket \"%s\"", sockpath);
+ return sd;
}
socklen_t len = strlen(addr_un.sun_path) +
@@ -74,14 +74,32 @@ connect_to_server(void)
rc = connect(sd, (struct sockaddr *)&addr_un, len);
if (rc < 0) {
- fprintf(stderr, "pesign-client: could not connect to daemon: "
- "%m\n");
- exit(1);
+ warn("could not connect to daemon");
+ return sd;
}
return sd;
}
+static int
+connect_to_server(void)
+{
+ int rc, i;
+ const char * const sockets[] = {
+ "/run/pesign/socket",
+ "/var/run/pesign/socket",
+ NULL
+ };
+
+ for (i = 0; sockets[i] != NULL; i++) {
+ rc = connect_to_server_helper(sockets[i]);
+ if (rc >= 0)
+ return rc;
+ }
+
+ exit(1);
+}
+
static int32_t
check_response(int sd, char **srvmsg);
--
2.26.2

View File

@ -0,0 +1,25 @@
From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 16:44:09 -0400
Subject: [PATCH 07/11] client: remove an extra debug print
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/client.c b/src/client.c
index 0082be1f597..c9966295e5f 100644
--- a/src/client.c
+++ b/src/client.c
@@ -536,7 +536,6 @@ oom:
0, true);
}
- printf("add_file_type:%d\n", add_file_type);
pm->version = PESIGND_VERSION;
pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
: CMD_SIGN_ATTACHED)
--
2.26.2

View File

@ -0,0 +1,379 @@
From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 13:54:35 -0400
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 1 +
src/Makefile | 8 +-
src/macros.pesign | 74 ++++--------
src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
4 files changed, 252 insertions(+), 53 deletions(-)
create mode 100644 src/pesign-rpmbuild-helper.in
diff --git a/Make.defaults b/Make.defaults
index 0bacafe0d01..d4cd626c11e 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
INSTALL ?= install
CROSS_COMPILE ?=
+EFI_ARCHES ?= aa64 ia32 x64
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
diff --git a/src/Makefile b/src/Makefile
index 74327ba13f3..a7ca89159c6 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
SVCTARGETS=pesign.sysvinit pesign.service
TARGETS=$(BINTARGETS) $(SVCTARGETS)
@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
pesign : PKGS=efivar nss nspr popt
+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
+ sed \
+ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
+ $^ > $@
+
deps : PKGS=efivar nss nspr popt uuid
deps : $(ALL_SOURCES)
$(MAKE) -f $(TOPDIR)/Make.deps \
@@ -94,6 +99,7 @@ install :
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
diff --git a/src/macros.pesign b/src/macros.pesign
index 5a6da1c6809..2e984b4eeb3 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -6,7 +6,7 @@
# %pesign -s -i shim.orig -o shim.efi
# And magically get the right thing.
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
@@ -24,54 +24,24 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
- _pesign_nssdir=/etc/pki/pesign \
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
- _pesign_nssdir=/etc/pki/pesign-rh-test \
- fi \
- if [ -x %{_pesign} ] && \\\
- [ "%{_target_cpu}" == "x86_64" -o \\\
- "%{_target_cpu}" == "aarch64" ]; then \
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
- nss=$(mktemp -p $PWD -d) \
- echo > ${nss}/pwfile \
- certutil -N -d ${nss} -f ${nss}/pwfile \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
- sattrs=$(mktemp -p $PWD --suffix=.der) \
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
- --certdir ${nss} -c signer %{-o} \
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
- elif [ "$(id -un)" == "kojibuilder" -a \\\
- grep -q ID=fedora /etc/os-release -a \\\
- ! -S /run/pesign/socket ]; then \
- echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /run/pesign 1>&2 \
- ls -l /run/pesign/socket 1>&2 \
- getfacl /run/pesign 1>&2 \
- getfacl /run/pesign/socket 1>&2 \
- exit 1 \
- elif [ -S /run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_client_token} \\\
- -c %{__pesign_client_cert} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
- --certdir ${_pesign_nssdir} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- fi \
- else \
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
- mv %{-i*} %{-o*} \
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
- touch %{-e*} \
- fi \
- fi \
- if [ ! -s %{-o} ]; then \
- if [ -e "%{-o*}" ]; then \
- rm -f %{-o*} \
- fi \
- exit 1 \
- fi ;
-
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
+ "%{_target_cpu}" \\\
+ "%{_pesign}" \\\
+ "%{_pesign_client}" \\\
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
+ %{?__pesign_token:%{__pesign_token}} \\\
+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\
+ %{?_buildhost:--hostname "%{_buildhost}"} \\\
+ %{?vendor:--vendor "%{vendor}"} \\\
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
+ %{?-a:--rhelcafile "%{-a*}"} \\\
+ %{?-c:--rhelcertfile "%{-c*}"} \\\
+ %{?-C:--certout "%{-C*}"} \\\
+ %{?-e:--sattrout "%{-e*}"} \\\
+ %{?-i:--in "%{-i*}"} \\\
+ %{?-o:--out "%{-o*}"} \\\
+ %{?-s:--sign} \\\
+ ; \
+%{nil}
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
new file mode 100644
index 00000000000..c5287c27e0c
--- /dev/null
+++ b/src/pesign-rpmbuild-helper.in
@@ -0,0 +1,222 @@
+#!/bin/bash
+# shellcheck shell=bash
+
+set -eu
+set -x
+
+usage() {
+ local status="${1}" && shift
+ local out
+ if [[ "${status}" -eq 0 ]] ; then
+ out=/dev/stdout
+ else
+ out=/dev/stderr
+ fi
+
+ if [[ $# -gt 0 ]] ; then
+ echo "${0}: error: $*" >>"${out}"
+ fi
+ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
+ exit "${status}"
+}
+
+is_efi_arch() {
+ local arch="${1}"
+ local arches=(@@EFI_ARCHES@@)
+ local x
+ for x in "${arches[@]}" ; do
+ if [[ "${arch}" = "${x}" ]] ; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+error_on_empty() {
+ local f="${1}"
+ if [[ ! -s "${f}" ]] ; then
+ if [[ -e "${f}" ]] ; then
+ rm -f "${f}"
+ fi
+ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
+ exit 1
+ fi
+}
+
+main() {
+ if [[ $# -lt 3 ]] ; then
+ usage 1 not enough arguments
+ fi
+ local target_cpu="${1}" && shift
+ local bin="${1}" && shift
+ local client="${1}" && shift
+
+ local rhelcafile="" || :
+ local rhelcertfile="" || :
+
+ local certout=() || :
+ local sattrout=() || :
+ local input=() || :
+ local output=() || :
+ local client_token=() || :
+ local client_cert=() || :
+ local token=() || :
+ local cert=() || :
+ local rhelcert=() || :
+ local rhelver=0 || :
+ local sign="" || :
+ local arch="" || :
+ local vendor="" || :
+ local HOSTNAME="" || :
+
+ while [[ $# -ge 2 ]] ; do
+ case " ${1} " in
+ " --rhelcafile ")
+ rhelcafile="${2}"
+ ;;
+ " --rhelcertfile ")
+ rhelcertfile="${2}"
+ ;;
+ " --hostname ")
+ HOSTNAME="${2}"
+ ;;
+ " --certout ")
+ certout[0]=-C
+ certout[1]="${2}"
+ ;;
+ " --sattrout ")
+ sattrout[0]=-e
+ sattrout[1]="${2}"
+ ;;
+ " --client-token ")
+ client_token[0]=-t
+ client_token[1]="${2}"
+ ;;
+ " --client-cert ")
+ client_cert[0]=-c
+ client_cert[1]="${2}"
+ ;;
+ " --token ")
+ token[0]=-t
+ token[1]="${2}"
+ ;;
+ " --cert ")
+ cert[0]=-c
+ cert[1]="${2}"
+ ;;
+ " --rhelcert ")
+ rhelcert[0]=-c
+ rhelcert[1]="${2}"
+ ;;
+ " --in ")
+ input[0]=-i
+ input[1]="${2}"
+ ;;
+ " --out ")
+ output[0]=-o
+ output[1]="${2}"
+ ;;
+ " --rhelver ")
+ rhelver="${2}"
+ ;;
+ " --vendor ")
+ vendor="${2}"
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+ shift
+ done
+ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
+ sign=-s
+ shift
+ fi
+
+ if [[ -z "${target_cpu}" ]] ; then
+ target_cpu="$(uname -m)"
+ fi
+
+ target_cpu="${target_cpu/i?86/ia32}"
+ target_cpu="${target_cpu/x86_64/x64}"
+ target_cpu="${target_cpu/aarch64/aa64}"
+ target_cpu="${target_cpu/arm*/arm/}"
+
+ local nssdir=/etc/pki/pesign
+ if [[ "${#cert[@]}" -eq 2 ]] &&
+ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
+ nssdir=/etc/pki/pesign-rh-test
+ fi
+
+ # is_efi_arch is ultimately returning "is pesign configured to sign these
+ # using the rpm macro", so if it isn't, we're just copying the input to
+ # the output
+ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
+ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
+ cp -v "${input[1]}" "${output[1]}"
+ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
+ touch "${sattrout[1]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ error_on_empty "${output[1]}"
+ return 0
+ fi
+
+ USERNAME="${USERNAME:-$(id -un)}"
+
+ local socket="" || :
+ if grep -q ID=fedora /etc/os-release \
+ && [[ "${rhelver}" -lt 7 ]] \
+ && [[ "${USERNAME}" = "mockbuild" ]] \
+ && [[ "${vendor}" = "Fedora Project" ]] \
+ && [[ "${HOSTNAME}" =~ bkernel.* ]]
+ then
+ if [[ -S /run/pesign/socket ]] ; then
+ socket=/run/pesign/socket
+ elif [[ -S /var/run/pesign/socket ]]; then
+ socket=/var/run/pesign/socket
+ else
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ fi
+ fi
+
+ if [[ "${rhelver}" -ge 7 ]] ; then
+ nssdir="$(mktemp -p "${PWD}" -d)"
+ echo > "${nssdir}/pwfile"
+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
+ sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+ "${input[@]}" --force
+ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+ --certdir "${nssdir}" -c signer \
+ "${input[@]}" "${output[@]}"
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+ elif [[ -n "${socket}" ]] ; then
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
+ "${sattrout[@]}" "${certout[@]}" \
+ ${sign} "${input[@]}" "${output[@]}"
+ else
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
+ "${certout[@]}" "${input[@]}" "${output[@]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [[ "${#output[@]}" -eq 2 ]] ; then
+ error_on_empty "${output[1]}"
+ fi
+}
+
+main "${@}"
+
+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
--
2.26.2

View File

@ -0,0 +1,60 @@
From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 15:07:32 -0400
Subject: [PATCH 09/11] pesign-authorize: shellcheck
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index a496f601ab4..55cd5c4e55b 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -12,21 +12,21 @@ set -u
# License: GPLv2
declare -a fileusers=()
declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
+while read -r user ; do
dirusers[${#dirusers[@]}]=-m
dirusers[${#dirusers[@]}]="u:$user:rwx"
fileusers[${#fileusers[@]}]=-m
fileusers[${#fileusers[@]}]="u:$user:rw"
-done
+done </etc/pesign/users
declare -a filegroups=()
declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
+while read -r group ; do
dirgroups[${#dirgroups[@]}]=-m
dirgroups[${#dirgroups[@]}]="g:$group:rwx"
filegroups[${#filegroups[@]}]=-m
filegroups[${#filegroups[@]}]="g:$group:rw"
-done
+done </etc/pesign/groups
update_subdir() {
subdir=$1 && shift
@@ -35,12 +35,12 @@ update_subdir() {
setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
for x in "${subdir}"* ; do
if [ -d "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ setfacl -bk "${x}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
update_subdir "${x}/"
elif [ -e "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ setfacl -bk "${x}"
+ setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
else
:;
fi
--
2.26.2

View File

@ -0,0 +1,26 @@
From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 15:08:15 -0400
Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index 55cd5c4e55b..c5448329c2c 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /var/run/pesign/ /etc/pki/pesign/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
--
2.26.2

View File

@ -0,0 +1,41 @@
From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 16:42:39 -0400
Subject: [PATCH 11/11] kernel building hack
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index c5287c27e0c..27b8261bc17 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -202,6 +202,23 @@ main() {
"${input[@]}" "${output[@]}"
rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
elif [[ -n "${socket}" ]] ; then
+ ### welcome haaaaack city
+ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
+ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
+ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
+ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
+ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
+ client_cert[1]=kernel-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
+ client_cert[1]=grub2-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
+ client_cert[1]=fwupd-signer
+ fi
+ fi
+ fi
"${client}" "${client_token[@]}" "${client_cert[@]}" \
"${sattrout[@]}" "${certout[@]}" \
${sign} "${input[@]}" "${output[@]}"
--
2.26.2

View File

@ -0,0 +1,105 @@
From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 16 Jul 2020 16:28:26 -0400
Subject: [PATCH] Use /run not /var/run
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.h | 4 ++--
src/Makefile | 2 +-
src/pesign-authorize | 2 +-
src/pesign.service.in | 2 +-
src/pesign.sysvinit.in | 10 +++++-----
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/daemon.h b/src/daemon.h
index 0368dc9256c..5fcd97ea717 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -51,8 +51,8 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
static inline uint32_t UNUSED
pesignd_string_size(char *buffer)
diff --git a/src/Makefile b/src/Makefile
index a7ca89159c6..f7fb5fc9ee5 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index c5448329c2c..2381302440c 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign/ ; do
+for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
diff --git a/src/pesign.service.in b/src/pesign.service.in
index c75a000892a..4ac2199bce2 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index b0e0f84ff0b..bf8edec8ff3 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
- mkdir /var/run/pesign 2>/dev/null &&
- chown pesign:pesign /var/run/pesign &&
- chmod 0770 /var/run/pesign
+ mkdir /run/pesign 2>/dev/null &&
+ chown pesign:pesign /run/pesign &&
+ chmod 0770 /run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
@@ -32,7 +32,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
--
2.26.2

91
pesign.py Normal file
View File

@ -0,0 +1,91 @@
#!/usr/bin/python3
#
# Copyright 2017 Peter Jones <Peter Jones@random>
#
# Distributed under terms of the GPLv3 license.
"""
mock plugin to make sure pesign and mockbuild users have the right uid and
gid.
"""
from mockbuild.trace_decorator import getLog, traceLog
import mockbuild.util
requires_api_version = "1.1"
@traceLog()
def init(plugins, conf, buildroot):
""" hello """
Pesign(plugins, conf, buildroot)
def getuid(name):
""" get a uid for a user name """
output = mockbuild.util.do(["getent", "passwd", "%s" % (name,)],
returnOutput=1, printOutput=True)
output = output.split(':')
return output[2], output[3]
def getgid(name):
""" get a gid for a group name """
output = mockbuild.util.do(["getent", "group", "%s" % (name,)],
returnOutput=1, printOutput=True)
return output.split(':')[2]
def newgroup(name, gid, rootdir):
""" create a group with a gid """
getLog().info("creating group %s with gid %s" % (name, gid))
mockbuild.util.do(["groupadd",
"-g", "%s" % (gid,),
"-R", "%s" % (rootdir,),
"%s" % (name,),
])
def newuser(name, uid, gid, rootdir):
""" create a user with a uid """
getLog().info("creating user %s with uid %s" % (name, uid))
mockbuild.util.do(["useradd",
"-u", "%s" % (uid,),
"-g", "%s" % (gid,),
"-R", "%s" % (rootdir,),
"%s" % (name,)])
class Pesign(object):
""" Creates some stuff in our mock root """
# pylint: disable=too-few-public-methods
@traceLog()
def __init__(self, plugins, conf, buildroot):
""" Effectively we're doing:
getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || \
useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
-c "Group for the pesign signing daemon" pesign
"""
self.buildroot = buildroot
self.pesign_opts = conf
self.config = buildroot.config
self.state = buildroot.state
self.users = {}
self.groups = {}
plugins.add_hook("postinit", self._pesignPostInitHook)
@traceLog()
def _pesignPostInitHook(self):
""" find our uid and gid lists """
for user in self.pesign_opts['users']:
uid, gid = getuid(user)
self.users[user] = [user, uid, gid]
for group in self.pesign_opts['groups']:
gid = getgid(group)
self.groups[group] = [group, gid]
# create our users
rootdir = self.buildroot.make_chroot_path()
for name, gid in self.groups.values():
newgroup(name, gid, rootdir)
for name, uid, gid in self.users.values():
newuser(name, uid, gid, rootdir)
# -*- coding: utf-8 -*-
# vim:fenc=utf-8:tw=75

496
pesign.spec Normal file
View File

@ -0,0 +1,496 @@
%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 113
Release: 13%{?dist}
License: GPLv2
URL: https://github.com/vathpela/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: gcc
BuildRequires: git
BuildRequires: nspr
BuildRequires: nss
BuildRequires: nss-util
BuildRequires: popt-devel
BuildRequires: nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 31-1
BuildRequires: libuuid-devel
BuildRequires: tar
BuildRequires: xz
BuildRequires: python3-rpm-macros
BuildRequires: python3
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
BuildRequires: systemd-rpm-macros
%endif
Requires: nspr
Requires: nss
Requires: nss-tools >= 3.53
Requires: nss-util
Requires: popt
Requires: rpm
Requires(pre): shadow-utils
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm}
%if 0%{?rhel} == 7
BuildRequires: rh-signing-tools >= 1.20-2
%endif
Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Source2: pesign.py
Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch
Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
Patch0004: 0004-Rename-var-run-to-run.patch
Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
Patch0007: 0007-client-remove-an-extra-debug-print.patch
Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
Patch0009: 0009-pesign-authorize-shellcheck.patch
Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
Patch0011: 0011-kernel-building-hack.patch
Patch0012: 0012-Use-run-not-var-run.patch
%description
This package contains the pesign utility for signing UEFI binaries as
well as other associated tools.
%prep
%setup -q -T -b 0
%setup -q -T -D -c -n pesign-%{version}/ -a 1
git init
git config user.email "pesign-owner@fedoraproject.org"
git config user.name "Fedora Ninjas"
git add .
git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null
git config --unset user.email
git config --unset user.name
%build
make PREFIX=%{_prefix} LIBDIR=%{_libdir}
%install
mkdir -p %{buildroot}/%{_libdir}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
install
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
install_systemd
%endif
# there's some stuff that's not really meant to be shipped yet
rm -rf %{buildroot}/boot %{buildroot}/usr/include
rm -rf %{buildroot}%{_libdir}/libdpe*
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
mkdir -p %{buildroot}%{macrosdir}
mv %{buildroot}%{_sysconfdir}/rpm/macros.pesign \
%{buildroot}%{macrosdir}
rmdir %{buildroot}%{_sysconfdir}/rpm
fi
rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
# and find-debuginfo.sh has some pretty awful deficencies too...
cp -av libdpe/*.[ch] src/
install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
%pre
getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || \
useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
-c "Group for the pesign signing daemon" pesign
exit 0
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%post
%systemd_post pesign.service
%preun
%systemd_preun pesign.service
%postun
%systemd_postun_with_restart pesign.service
%posttrans
certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
# this is disabled currently because it breaks the fedora kernel build root
# generation - because we don't currently have a good way of populating
# /etc/pesign/{users,groups} before the buildroot is installed, or
# populating them and re-running pesign-authorize afterwards but before the
# package build of e.g. kernel
#%%{_libexecdir}/pesign/pesign-authorize
%endif
%files
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc README TODO
%{_bindir}/authvar
%{_bindir}/efikeygen
%{_bindir}/efisiglist
%{_bindir}/pesigcheck
%{_bindir}/pesign
%{_bindir}/pesign-client
%dir %{_libexecdir}/pesign/
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize
%{_libexecdir}/pesign/pesign-rpmbuild-helper
%config(noreplace)/%{_sysconfdir}/pesign/users
%config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%{_mandir}/man*/*
%dir %attr(0770, pesign, pesign) %{_rundir}/%{name}
%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service
%endif
%{python3_sitelib}/mockbuild/plugins/*/pesign.*
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-13
- Add the rundir related stuff that was staged on my f32 checkout.
* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-12
- Try to make kernel and fwupd both work at the same time.
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 113-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-10
- I really cannot figure out why bkernel01 thinks the certificate nickname
starts with /CN=, but it does, so I'm gonna stop fighting with the sand.
* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-9
- Even more kernel build debugging...
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-8
- More kernel build debugging...
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-6
- Disable the pesign-authorize call in posttrans, until we can figure out a
better way to deal with that in the fedora kernel builder chroot setup
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-5
- Make pesign require nss-tools for the posttrans scriptlet
- Move most of macros.pesign to /usr/libexec/pesign/pesign-rpmbuild-helper
* Mon Jul 06 2020 Peter Jones <pjones@redhat.com> - 113-4
- Attempt to fix kernel signing failures caused by -3...
* Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
- Fix the signer name for fedora and some other minor nits
Related: rhbz#1708773
Related: rhbz#1678146
* Thu Jun 11 2020 Peter Jones <pjones@redhat.com> - 113-2
- Fix a signing protocol bug we introduced in 113 that makes the fedora
kernel builders fail.
Related: rhbz#1708773
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 113-1
- Update to 113 release
Resolves: rhbz#1708773
* Mon Jun 08 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.112-31
- Switch default NSS database to SQLite format (pjones)
Resolves: rhbz#1827902
* Mon Feb 24 2020 Peter Jones <pjones@redhat.com> - 0.112-30
- Make sure the patch for -29 is actually in the build in f32, and
synchronize with master.
* Tue Feb 18 2020 Peter Jones <pjones@redhat.com> - 0.112-29
- Rebuild to match OpenSC's token name mangling change.
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.112-27
- Rebuild to fix an NSS API issue.
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-26
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Mar 6 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.112-25
- Fix build (#1675653)
- Add missing closing quote in macro (#1651020)
- Update obsolete /var/run/ path (#1678146)
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-25
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-24
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Jan 22 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.112-22
- Minor spec cleanups, fix arm conditional
* Fri Oct 06 2017 Troy Dawson <tdawson@redhat.com> - 0.112-21
- Cleanup spec file conditionals
* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-20
- Maybe fewer typoes would be better.
* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-19
- Update to match f26's build so new kernel builds will work.
* Thu Aug 10 2017 Peter Jones <pjones@redhat.com> - 0.112-10
- Try to fix the db problem nirik is seeing trying to upgrade the builders.
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 0.112-7
- Rebuild for efivar-31-1.fc26
Related: rhbz#1468841
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 06 2017 Peter Jones <pjones@redhat.com> - 0.112-5
- Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy
scripts.
Related: rhbz#1349073
* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.112-4
- Build as -4 to make bodhi happy.
* Fri Aug 12 2016 Adam Williamson <awilliam@redhat.com> - 0.112-3
- backport fix for command line parsing from upstream master
* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.112-2
- Build with newer efivar.
* Wed Apr 20 2016 Peter Jones <pjones@redhat.com> - 0.112-1
- Update to 0.112
- Also fix up some spec file woes:
- dumb things in %%setup
- find-debuginfo.sh not working right for some source files...
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.111-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Dec 10 2015 Peter Jones <pjones@redhat.com> - 0.111-7
- Obsolete pesign-rh-test-certs, it was in -1's update.
Resolves: rhbz#1283475
* Wed Dec 02 2015 Peter Jones <pjones@redhat.com> - 0.111-6
- *Don't* use --certdir if we're using the socket.
Related: rhbz#1283475
Related: rhbz#1284063
Related: rhbz#1284561
* Tue Dec 01 2015 Peter Jones <pjones@redhat.com> - 0.111-5
- Actually do a better job of choosing which cert to use when, so people will
stop seeing any of this problem. (Thanks for the thought, jforbes.)
Resolves: rhbz#1283475
Resolves: rhbz#1284063
Resolves: rhbz#1284561
* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
- setfacl even harder.
Related: rhbz#1283475
Related: rhbz#1284063
Related: rhbz#1284561
* Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3
- Better ACL setting code.
Related: rhbz#1283475
* Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
- Allow the mockbuild user to read the nss database if the account exists.
* Wed Oct 28 2015 Peter Jones <pjones@redhat.com> - 0.111-1
- Rebase to 0.111
- Split test certs out into a "Recommends" subpackage.
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.110-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Mar 4 2015 Ville Skyttä <ville.skytta@iki.fi> - 0.110-2
- Install macros in %%{_rpmconfigdir}/macros.d where available (#1074281)
* Fri Oct 24 2014 Peter Jones <pjones@redhat.com> - 0.110-1
- Update to pesign-0.110
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.108-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.108-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu May 29 2014 Peter Jones <pjones@redhat.com> - 0.108-2
- Fix a networking problem nirik observed when reinstalling builders.
* Sat Aug 10 2013 Peter Jones <pjones@redhat.com> - 0.108-1
- Remove errant result files and raise an error from %%pesign
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.106-3
- Add code for signing in RHEL 7
* Mon Aug 05 2013 Peter Jones <pjones@redhat.com> - 0.106-2
- Fix for new %%doc rules.
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.106-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue May 21 2013 Peter Jones <pjones@redhat.com> - 0.106-1
- Update to 0.106
- Hopefully fix the segfault dgilmore was seeing.
* Mon May 20 2013 Peter Jones <pjones@redhat.com> - 0.105-1
- Various bug fixes.
* Wed May 15 2013 Peter Jones <pjones@redhat.com> - 0.104-1
- Make sure alignment is correct on signature list entries
Resolves: rhbz#963361
- Make sure section alignment is correct if we have to extend the file
* Wed Feb 06 2013 Peter Jones <pjones@redhat.com> - 0.103-2
- Conditionalize systemd bits so they don't show up in RHEL 6 builds
* Tue Feb 05 2013 Peter Jones <pjones@redhat.com> - 0.103-1
- One more compiler problem. Let's expect a few more, shall we?
* Tue Feb 05 2013 Peter Jones <pjones@redhat.com> - 0.102-1
- Don't use --std=gnu11 because we have to work on RHEL 6 builders.
* Mon Feb 04 2013 Peter Jones <pjones@redhat.com> - 0.101-1
- Update to 0.101 to fix more "pesign -E" issues.
* Fri Nov 30 2012 Peter Jones <pjones@redhat.com> - 0.100-1
- Fix insertion of signatures from a file.
* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.99-9
- Add a patch needed for new shim builds
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-8
- Get the Fedora signing token name right.
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com>
- Add coolkey and opensc modules to pki database during %%install.
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-7
- setfacl u:kojibuilder:rw /var/run/pesign/socket
- Fix command line checking in client
- Add client stdin pin reading.
* Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-6
- Automatically select daemon as signer when using rpm macros.
* Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-5
- Make it work on the -el6 branch as well.
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-4
- Fix some more bugs found by valgrind and coverity.
- Don't build utils/ ; we're not using them and they're not ready anyway.
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-3
- Fix daemon startup bug from 0.99-2
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-2
- Fix various bugs from 0.99-1
- Don't make the database unreadable just yet.
* Mon Oct 15 2012 Peter Jones <pjones@redhat.com> - 0.99-1
- Update to 0.99
- Add documentation for client/server mode.
- Add --pinfd and --pinfile to server mode.
* Fri Oct 12 2012 Peter Jones <pjones@redhat.com> - 0.98-1
- Update to 0.98
- Add client/server mode.
* Mon Oct 01 2012 Peter Jones <pjones@redhat.com> - 0.10-5
- Fix missing section address fixup.
* Wed Aug 15 2012 Peter Jones <pjones@redhat.com> - 0.10-4
- Make macros.pesign even better (and make it work right for i686 packages)
* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.10-3
- Only sign things on x86_64; all else ignore gracefully.
* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.10-2
- Make macros.pesign more reliable
* Mon Aug 13 2012 Peter Jones <pjones@redhat.com> - 0.10-1
- Update to 0.10
- Include rpm macros to support easy custom signing of signed packages.
* Fri Aug 10 2012 Peter Jones <pjones@redhat.com> - 0.9-1
- Update to 0.9
- Bug fix from Gary Ching-Pang Lin
- Support NSS Token selection for use with smart cards.
* Wed Aug 08 2012 Peter Jones <pjones@redhat.com> - 0.8-1
- Update to 0.8
- Don't open the db read-write
- Fix permissions on keystore (everybody can sign with test keys)
* Wed Aug 08 2012 Peter Jones <pjones@redhat.com> - 0.7-2
- Include test keys.
* Mon Jul 30 2012 Peter Jones <pjones@redhat.com> - 0.7-1
- Update to 0.7
- Better fix for MS compatibility.
* Mon Jul 30 2012 Peter Jones <pjones@redhat.com> - 0.6-1
- Update to 0.6
- Bug-for-bug compatibility with signtool.exe .
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Wed Jul 11 2012 Peter Jones <pjones@redhat.com> - 0.5-1
- Rebase to 0.5
- Do more rigorous bounds checking when hashing a new binary.
* Tue Jul 10 2012 Peter Jones <pjones@redhat.com> - 0.3-2
- Rebase to 0.4
* Fri Jun 22 2012 Peter Jones <pjones@redhat.com> - 0.3-2
- Move man page to a more reasonable place.
* Fri Jun 22 2012 Peter Jones <pjones@redhat.com> - 0.3-1
- Update to upstream's 0.3 .
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-4
- Do not build with smp flags.
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-3
- Make it build on i686, though it's unclear it'll ever be necessary.
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-2
- Fix compile problem with f18's compiler.
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-1
- Fix some rpmlint complaints nirik pointed out
- Add popt-devel build dep
* Fri Jun 15 2012 Peter Jones <pjones@redhat.com> - 0.1-1
- First version of SRPM.

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
SHA512 (pesign-113.tar.bz2) = 89c5e33bf6ac8f8dc4b65192e5fd4bf1fea285106d1de2a6ea02a8c5090f2ec5976b1d80c60e57f74fa56dc25b174a4dd5682292db44ab9aeab69ea992dfef36