Add support for non-koji signing in macros

Resolves: #1880858
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Robbie Harwood 2022-03-24 21:24:15 +00:00
parent bdccb8412c
commit b201f43f63
3 changed files with 65 additions and 2 deletions


@ -0,0 +1,55 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Julian Sikorski <belegdol+github@gmail.com>
Date: Wed, 23 Mar 2022 20:54:03 +0100
Subject: [PATCH] Fix building signed kernels on setups other than koji
Thanks to Will Springer for the idea. Details at
https://bugzilla.redhat.com/show_bug.cgi?id=1880858
Signed-off-by: Julian Sikorski <belegdol+github@gmail.com>
Suggested-by: Will Springer <skirmisher@protonmail.com>
(cherry picked from commit 9969b1757a1941c9f57081b308026d687f6c0943)
---
src/pesign-rpmbuild-helper.in | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index 0a845d2..c9d5570 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -172,24 +172,22 @@ main() {
USERNAME="${USERNAME:-$(id -un)}"
local socket="" || :
- if grep -q ID=fedora /etc/os-release \
+ if [[ -S /run/pesign/socket ]] ; then
+ socket=/run/pesign/socket
+ elif [[ -S /var/run/pesign/socket ]]; then
+ socket=/var/run/pesign/socket
+ elif grep -q ID=fedora /etc/os-release \
&& [[ "${rhelver}" -lt 7 ]] \
&& [[ "${USERNAME}" = "mockbuild" ]] \
&& [[ "${vendor}" = "Fedora Project" ]] \
&& [[ "${HOSTNAME}" =~ bkernel.* ]]
then
- if [[ -S /run/pesign/socket ]] ; then
- socket=/run/pesign/socket
- elif [[ -S /var/run/pesign/socket ]]; then
- socket=/var/run/pesign/socket
- else
- echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
- echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
- ls -ld /run/pesign /var/run/pesign 1>&2 ||:
- ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
- getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
- getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
- fi
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
fi
if [[ "${rhelver}" -ge 7 ]] ; then
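Review bot: the new first branch, `if [[ -S /run/pesign/socket ]]`, selects the socket on any host where that path exists, so the Fedora/mockbuild/bkernel conditions no longer gate use of the daemon and the only remaining control is the socket's own permissions and ACLs. `-S` checks only that the path is a socket, not that `${USERNAME}` can connect to it; consider also testing access (for example `[[ -w /run/pesign/socket ]]`) so that a present but inaccessible socket is not picked. Separately, the diagnostics in the `elif` branch now run only when the koji conditions match and neither socket exists, so a non-koji host without a socket gets no message at all; a short comment stating that this is intended would help.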

pesign.patches Normal file

@ -0,0 +1,2 @@
Patch0001: 0001-daemon-remove-always-true-comparison.patch
Patch0002: 0002-Fix-building-signed-kernels-on-setups-other-than-koj.patch


@ -6,7 +6,7 @@
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 115
Release: 1%{?dist}
Release: 2%{?dist}
License: GPL-2.0-only
URL: https://github.com/rhboot/pesign
@ -46,8 +46,10 @@ BuildRequires: rh-signing-tools >= 1.20-2
Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Source2: pesign.py
Source3: pesign.patches
Patch0001: 0001-daemon-remove-always-true-comparison.patch
# generate with tool
%include %{SOURCE3}
%description
This package contains the pesign utility for signing UEFI binaries as
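Review bot: the comment `# generate with tool` above `%include %{SOURCE3}` does not say which tool produces pesign.patches or how to rerun it; name the tool and the command so the next patch can be added reproducibly. This rendering has lost the +/- markers, so please confirm that the explicit `Patch0001:` line is dropped from the spec now that pesign.patches declares the same Patch0001, since keeping both would declare the tag twice.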
@ -159,6 +161,10 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Thu Mar 24 2022 Robbie Harwood <rharwood@redhat.com> - 115-2
- Add support for non-koji signing in macros
- Resolves: #1880858
* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 115-1
- New upstream version (115)