setfacl u:kojibuilder:rw /var/run/pesign/socket

- Fix command line checking in client - Add client stdin pin reading.
2012-10-19 10:24:10 -04:00 · 2012-10-19 10:24:10 -04:00 · b58922c480
commit b58922c480
parent 9e2491cafb
42 changed files with 374 additions and 37 deletions
--- a/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
+++ b/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
@ -1,7 +1,7 @@
 From 406a08cc45a2d0761294002d946ee3381a4706ee Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 09:53:07 -0400
-Subject: [PATCH 01/36] Use PK11_TraverseCertsForNicknameInSlot after all.
+Subject: [PATCH 01/41] Use PK11_TraverseCertsForNicknameInSlot after all.
 As of 76bc13c it doesn't appear to be leaky any more, and it does a
 better job of disinguishing between certificates with the same nickname
--- a/0002-Remove-an-unused-field.patch
+++ b/0002-Remove-an-unused-field.patch
@ -1,7 +1,7 @@
 From e4aa0a2755d7b00e31760a7f90561b0566445fa4 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 09:54:10 -0400
-Subject: [PATCH 02/36] Remove an unused field.
+Subject: [PATCH 02/41] Remove an unused field.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
+++ b/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
@ -1,7 +1,7 @@
 From df5afd0e6d92f31a804f5f1631b6fae3b8ef4d8b Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 09:54:37 -0400
-Subject: [PATCH 03/36] Free the certificate list we make once we're done
+Subject: [PATCH 03/41] Free the certificate list we make once we're done
 using it.
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
+++ b/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
@ -1,7 +1,7 @@
 From c13cc0b03dcae9a743cc49aaa62c3923a3e7d8f9 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 09:55:02 -0400
-Subject: [PATCH 04/36] Make sure we actually look up the certificate when not
+Subject: [PATCH 04/41] Make sure we actually look up the certificate when not
 in daemon mode.
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0005-Fix-check-for-allocations-on-tokenname-certname.patch
+++ b/0005-Fix-check-for-allocations-on-tokenname-certname.patch
@ -1,7 +1,7 @@
 From 844138e07535a8aa2be80496378c9929acaa1687 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 10:35:41 -0400
-Subject: [PATCH 05/36] Fix check for allocations on tokenname,certname.
+Subject: [PATCH 05/41] Fix check for allocations on tokenname,certname.
 If we didn't have anything to start with, we won't have anything when
 we're done...
--- a/0006-Update-valgrind.supp-for-newer-codepaths.patch
+++ b/0006-Update-valgrind.supp-for-newer-codepaths.patch
@ -1,7 +1,7 @@
 From 682233d107460b49071017b4d88c0430373dbd35 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 10:55:25 -0400
-Subject: [PATCH 06/36] Update valgrind.supp for newer codepaths.
+Subject: [PATCH 06/41] Update valgrind.supp for newer codepaths.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0007-Free-the-pid-string-once-we-re-done-writing-it.patch
+++ b/0007-Free-the-pid-string-once-we-re-done-writing-it.patch
@ -1,7 +1,7 @@
 From 81bf0e36a82a3d746a01aee50d8ee460dc794b19 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 10:57:20 -0400
-Subject: [PATCH 07/36] Free the pid string once we're done writing it.
+Subject: [PATCH 07/41] Free the pid string once we're done writing it.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch
+++ b/0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch
@ -1,7 +1,7 @@
 From 50c50c8fbebab3d8b5efff35dc1a7ca4b44d6b19 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 11:08:30 -0400
-Subject: [PATCH 08/36] [valgrind] Don't complain about unlocking a key and
+Subject: [PATCH 08/41] [valgrind] Don't complain about unlocking a key and
 keeping the handle.
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0009-Only-try-to-register-OIDs-once.patch
+++ b/0009-Only-try-to-register-OIDs-once.patch
@ -1,7 +1,7 @@
 From b71f1d2e8f7ad6853e5e68134a66baf9dea2471b Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 11:26:04 -0400
-Subject: [PATCH 09/36] Only try to register OIDs once.
+Subject: [PATCH 09/41] Only try to register OIDs once.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0010-Check-for-NSS_Shutdown-failure.patch
+++ b/0010-Check-for-NSS_Shutdown-failure.patch
@ -1,7 +1,7 @@
 From f966137c17f74fc3e343dfb6e04300a9d179de03 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 12:05:29 -0400
-Subject: [PATCH 10/36] Check for NSS_Shutdown() failure.
+Subject: [PATCH 10/41] Check for NSS_Shutdown() failure.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch
+++ b/0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch
@ -1,7 +1,7 @@
 From 0dddfd5e738232403220b0d18888f94fa0032a59 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 12:17:39 -0400
-Subject: [PATCH 11/36] Don't destroy stdin/stdout/stderr if we don't fork.
+Subject: [PATCH 11/41] Don't destroy stdin/stdout/stderr if we don't fork.
 I like being able to read my error messages.
--- a/0012-valgrind-Add-SECMOD_LoadModule-codepath.patch
+++ b/0012-valgrind-Add-SECMOD_LoadModule-codepath.patch
@ -1,7 +1,7 @@
 From 19c8e797d092e17f2882d249d5446728a76db050 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 14:29:30 -0400
-Subject: [PATCH 12/36] [valgrind] Add SECMOD_LoadModule codepath.
+Subject: [PATCH 12/41] [valgrind] Add SECMOD_LoadModule codepath.
 This is called once when we initialize the database.
--- a/0013-Don-t-set-up-digests-in-cms_context_init.patch
+++ b/0013-Don-t-set-up-digests-in-cms_context_init.patch
@ -1,7 +1,7 @@
 From 186b6d5d39a1feeaa5f9493d28dc4f53015d551d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 14:33:35 -0400
-Subject: [PATCH 13/36] Don't set up digests in cms_context_init.
+Subject: [PATCH 13/41] Don't set up digests in cms_context_init.
 Move digest setup out of cms_context_init, so we can avoid leaking the
 reference to the digests by not having them in ctx->backup_cms in the
--- a/0014-Do-register_oids-where-we-re-doing-NSS_Init.patch
+++ b/0014-Do-register_oids-where-we-re-doing-NSS_Init.patch
@ -1,7 +1,7 @@
 From e1f8d4e38f4ad08fb407691a3f59edc19a1f15e2 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 14:41:18 -0400
-Subject: [PATCH 14/36] Do register_oids() where we're doing NSS_Init()
+Subject: [PATCH 14/41] Do register_oids() where we're doing NSS_Init()
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch
+++ b/0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch
@ -1,7 +1,7 @@
 From 092e3f81233655849156b0948a53f3b5f51b8c97 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 14:43:58 -0400
-Subject: [PATCH 15/36] Make daemon shutdown actually close the NSS databases
+Subject: [PATCH 15/41] Make daemon shutdown actually close the NSS databases
 and whatnot.
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch
+++ b/0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch
@ -1,7 +1,7 @@
 From b6ff405da1bf4627a40fc104457a539788c9f470 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 15:18:08 -0400
-Subject: [PATCH 16/36] Reformat a bunch of error messages to be vaguely
+Subject: [PATCH 16/41] Reformat a bunch of error messages to be vaguely
 consistent.
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0017-Use-PORT_ArenaStrdup-where-appropriate.patch
+++ b/0017-Use-PORT_ArenaStrdup-where-appropriate.patch
@ -1,7 +1,7 @@
 From 8ffe6943f04d42314f81eb8b5e3350d4ccc41895 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 15:26:23 -0400
-Subject: [PATCH 17/36] Use PORT_ArenaStrdup() where appropriate.
+Subject: [PATCH 17/41] Use PORT_ArenaStrdup() where appropriate.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0018-Minor-whitespace-fixes.patch
+++ b/0018-Minor-whitespace-fixes.patch
@ -1,7 +1,7 @@
 From c196b462ad5267e8ed20c0b855b9921268b22a7b Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 15:26:47 -0400
-Subject: [PATCH 18/36] Minor whitespace fixes.
+Subject: [PATCH 18/41] Minor whitespace fixes.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch
+++ b/0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch
@ -1,7 +1,7 @@
 From 7a8c50f620c7484af9d750f484df8a6837e6b2a5 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 15:27:03 -0400
-Subject: [PATCH 19/36] [daemon] Make sure inpe is initialized before all
+Subject: [PATCH 19/41] [daemon] Make sure inpe is initialized before all
 error handling.
 find_certificate() and set_up_inpe() errors wind up being at the same
--- a/0020-Allocate-pesign_context-rather-than-having-it-on-the.patch
+++ b/0020-Allocate-pesign_context-rather-than-having-it-on-the.patch
@ -1,7 +1,7 @@
 From 66d3353e6d24c9e69ce71735c5aa4741717a6d68 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 15:31:15 -0400
-Subject: [PATCH 20/36] Allocate pesign_context rather than having it on the
+Subject: [PATCH 20/41] Allocate pesign_context rather than having it on the
 stack.
 This way it won't try to re-initialize cms_context when it's cleaned up.
--- a/0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch
+++ b/0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch
@ -1,7 +1,7 @@
 From 444a514e1a7c9a27953f914cf416d559ef5be083 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 15:32:57 -0400
-Subject: [PATCH 21/36] [pesign] initialize nss only if we're not a daemon.
+Subject: [PATCH 21/41] [pesign] initialize nss only if we're not a daemon.
 If it's a deamon, NSS_Init, register_oids, and setup_digests will be
 done in the daemon code, not in the normal tool code.
--- a/0022-Handle-errors-on-pesign_context_init.patch
+++ b/0022-Handle-errors-on-pesign_context_init.patch
@ -1,7 +1,7 @@
 From a1ce809e199c7fbbd6f5c0e75f27a4234fcbd2bc Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 15:34:00 -0400
-Subject: [PATCH 22/36] Handle errors on pesign_context_init()
+Subject: [PATCH 22/41] Handle errors on pesign_context_init()
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch
+++ b/0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch
@ -1,7 +1,7 @@
 From 4ed91a1bb65769401c0fd6c1c5b2a3c64c0c1266 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 16:35:43 -0400
-Subject: [PATCH 23/36] Add sanity checking to make sure we don't emit
+Subject: [PATCH 23/41] Add sanity checking to make sure we don't emit
 uninitialized hashes.
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch
+++ b/0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch
@ -1,7 +1,7 @@
 From d8ead122f34375a496d280bcc803f730542ca78d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 17:47:49 -0400
-Subject: [PATCH 24/36] Make sure we free the token/cert we get from the
+Subject: [PATCH 24/41] Make sure we free the token/cert we get from the
 command line.
 This probably needs some further examination, but valgrind likes what's
--- a/0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch
+++ b/0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch
@ -1,7 +1,7 @@
 From 2030d382b49a1b957de829a67f74d9cc127c55ee Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 17:48:44 -0400
-Subject: [PATCH 25/36] [pesign] Only shut down nss in pesign.c if we're not
+Subject: [PATCH 25/41] [pesign] Only shut down nss in pesign.c if we're not
 the daemon.
 The daemon does its own init and shutdown.
--- a/0026-Rework-setup_digests-and-teardown_digests.patch
+++ b/0026-Rework-setup_digests-and-teardown_digests.patch
@ -1,7 +1,7 @@
 From 4efe979d6b781e064fe1afa946753ead9e3bbb9d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 17:49:17 -0400
-Subject: [PATCH 26/36] Rework setup_digests() and teardown_digests()
+Subject: [PATCH 26/41] Rework setup_digests() and teardown_digests()
 This fixes the problem I was seeing with empty content_info digests, and
 makes the code a /little/ bit cleaner in some ways.
--- a/0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch
+++ b/0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch
@ -1,7 +1,7 @@
 From 15cd554d35c5ea8d31671b346dffd84e27e7c6ec Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 17:52:57 -0400
-Subject: [PATCH 27/36] We shouldn't need
+Subject: [PATCH 27/41] We shouldn't need
 Environment=NSS_STRICT_NOFORK=DISABLED any more.
 Since NSS_Init is called from the daemon now, we should get past its
--- a/0028-Fix-errors-found-by-coverity.patch
+++ b/0028-Fix-errors-found-by-coverity.patch
@ -1,7 +1,7 @@
 From 1b94dd90f5a1c65df16ffe3b0619ce5dc0ca1f06 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 17 Oct 2012 19:59:49 -0400
-Subject: [PATCH 28/36] Fix errors found by coverity.
+Subject: [PATCH 28/41] Fix errors found by coverity.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0029-Don-t-keep-the-DEPS-list-twice.patch
+++ b/0029-Don-t-keep-the-DEPS-list-twice.patch
@ -1,7 +1,7 @@
 From 95c0fe1d512fcdf3b397359fb0f54dc44e5947c2 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 18 Oct 2012 09:12:25 -0400
-Subject: [PATCH 29/36] Don't keep the DEPS list twice.
+Subject: [PATCH 29/41] Don't keep the DEPS list twice.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0030-Don-t-build-util-right-now.patch
+++ b/0030-Don-t-build-util-right-now.patch
@ -1,7 +1,7 @@
 From 44aad110fd3f0a12e1817d95047f882c4d8b0fce Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 18 Oct 2012 11:36:10 -0400
-Subject: [PATCH 30/36] Don't build util/ right now.
+Subject: [PATCH 30/41] Don't build util/ right now.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0031-Make-install_systemd-and-install_sysvinit-separate-t.patch
+++ b/0031-Make-install_systemd-and-install_sysvinit-separate-t.patch
@ -1,7 +1,7 @@
 From 4c13f6d393db0aa5ff5b327cb5e842ee21522236 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 18 Oct 2012 13:09:58 -0400
-Subject: [PATCH 31/36] Make "install_systemd" and "install_sysvinit" separate
+Subject: [PATCH 31/41] Make "install_systemd" and "install_sysvinit" separate
 targets
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0032-Get-rid-of-an-unnecessary-allocation.patch
+++ b/0032-Get-rid-of-an-unnecessary-allocation.patch
@ -1,7 +1,7 @@
 From df1b69e304f2a7eb82e2f94e50f07099afbf4578 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 18 Oct 2012 13:10:28 -0400
-Subject: [PATCH 32/36] Get rid of an unnecessary allocation.
+Subject: [PATCH 32/41] Get rid of an unnecessary allocation.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0033-Allow-use-of-e-from-rpm-macro.patch
+++ b/0033-Allow-use-of-e-from-rpm-macro.patch
@ -1,7 +1,7 @@
 From 24a63eab7ddbe2be3ab6b25b04602d8e3fe5d775 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 18 Oct 2012 14:28:36 -0400
-Subject: [PATCH 33/36] Allow use of -e from rpm macro.
+Subject: [PATCH 33/41] Allow use of -e from rpm macro.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch
+++ b/0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch
@ -1,7 +1,7 @@
 From e5c632516a2a31f3e184d0ca9d8ac5ceba1f9015 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 18 Oct 2012 14:55:07 -0400
-Subject: [PATCH 34/36] Make client use -e like pesign does, rather than
+Subject: [PATCH 34/41] Make client use -e like pesign does, rather than
 --detached.
 This way we can use the same macros for them.
--- a/0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch
+++ b/0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch
@ -1,7 +1,7 @@
 From f1a2f097cfb290951702251703abcd34ca0bf9e6 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 18 Oct 2012 15:13:11 -0400
-Subject: [PATCH 35/36] Fix shutdown by systemd to remove socket and pidfile.
+Subject: [PATCH 35/41] Fix shutdown by systemd to remove socket and pidfile.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch
+++ b/0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch
@ -1,7 +1,7 @@
 From 22308fbfb540b5215efb9ce96a4dfdce08ef9165 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 18 Oct 2012 15:16:05 -0400
-Subject: [PATCH 36/36] Make the macros use the default (fedora) signer if
+Subject: [PATCH 36/41] Make the macros use the default (fedora) signer if
 there's a daemon running.
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0037-Fix-command-line-checking-for-s.patch
+++ b/0037-Fix-command-line-checking-for-s.patch
@ -0,0 +1,28 @@
 From abe7981ba049b23ae9c42da92559576c6e0cc53b Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 19 Oct 2012 10:07:40 -0400
 Subject: [PATCH 37/41] Fix command line checking for -s.
 Accidentally applied when not using -s.  Woops.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/client.c b/src/client.c
 index 5e5399d..777197a 100644
 --- a/src/client.c
 +++ b/src/client.c
@@ -496,7 +496,7 @@ main(int argc, char *argv[])
 		exit(1);
 	}
 -	if (!outfile && !exportfile) {
 +	if (action & SIGN_BINARY && (!outfile && !exportfile)) {
 		fprintf(stderr, "pesign-client: neither --outfile nor --export "
 			"specified\n");
 		exit(1);
 -- 
 1.7.12.1
--- a/0038-Add-support-to-read-the-pin-from-stdin-in-client.patch
+++ b/0038-Add-support-to-read-the-pin-from-stdin-in-client.patch
@ -0,0 +1,178 @@
 From 8067d9bace148a254528fdf752f083d2a0debada Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 19 Oct 2012 10:08:26 -0400
 Subject: [PATCH 38/41] Add support to read the pin from stdin in client.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/client.c      | 10 +++++++---
 src/password.c    | 41 +++++++++++++++++++++++++++++++++++++++++
 src/password.h    |  1 +
 src/signer_info.c | 45 +--------------------------------------------
 4 files changed, 50 insertions(+), 47 deletions(-)
 diff --git a/src/client.c b/src/client.c
 index 777197a..1ec582b 100644
 --- a/src/client.c
 +++ b/src/client.c
@@ -212,10 +212,14 @@ get_token_pin(int pinfd, char *pinfile, char *envname)
 		fclose(pinf);
 		return pin;
 -	} else
 -		return strdup(getenv(envname));
 +	} else {
 +		pin = getenv(envname);
 +		if (pin)
 +			return strdup(pin);
 +	}
 -	return NULL;
 +	pin = readpw(NULL, PR_FALSE, NULL);
 +	return pin;
 }
 static void
 diff --git a/src/password.c b/src/password.c
 index 100c584..c663955 100644
 --- a/src/password.c
 +++ b/src/password.c
@@ -17,6 +17,7 @@
  * Author(s): Peter Jones <pjones@redhat.com>
  */
 +#include <limits.h>
 #include <stdlib.h>
 #include <termios.h>
 #include <unistd.h>
@@ -289,4 +290,44 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
     return NULL;
 }
 +#if 0
 +#warning investigate killing readpw
 +#endif
 +char *
 +readpw(PK11SlotInfo *slot, PRBool retry, void *arg)
 +{
 +	struct termios sio, tio;
 +	char line[LINE_MAX], *p;
 +	if (tcgetattr(fileno(stdin), &sio) < 0) {
 +		fprintf(stderr, "Could not read password from standard input.\n");
 +		return NULL;
 +	}
 +	tio = sio;
 +	tio.c_lflag &= ~ECHO;
 +	if (tcsetattr(fileno(stdin), 0, &tio) < 0) {
 +		fprintf(stderr, "Could not read password from standard input.\n");
 +		return NULL;
 +	}
 +
 +	fprintf(stdout, "Enter passphrase for private key: ");
 +	if (fgets(line, sizeof(line), stdin) == NULL) {
 +		fprintf(stdout, "\n");
 +		tcsetattr(fileno(stdin), 0, &sio);
 +		return NULL;
 +	}
 +	fprintf(stdout, "\n");
 +	tcsetattr(fileno(stdin), 0, &sio);
 +
 +	p = line + strcspn(line, "\r\n");
 +	if (p != NULL)
 +		*p = '\0';
 +
 +	char *ret = strdup(line);
 +	memset(line, '\0', sizeof (line));
 +	if (!ret) {
 +		fprintf(stderr, "Could not read passphrase.\n");
 +		return NULL;
 +	}
 +	return ret;
 +}
 diff --git a/src/password.h b/src/password.h
 index 853bd5a..bcbac44 100644
 --- a/src/password.h
 +++ b/src/password.h
@@ -22,5 +22,6 @@
 extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
 extern char *get_password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg);
 extern char *get_password_fail(PK11SlotInfo *slot, PRBool retry, void *arg);
 +extern char *readpw(PK11SlotInfo *slot, PRBool retry, void *arg);
 #endif /* PASSWORD_H */
 diff --git a/src/signer_info.c b/src/signer_info.c
 index 932b896..f755bf6 100644
 --- a/src/signer_info.c
 +++ b/src/signer_info.c
@@ -19,10 +19,8 @@
 #include "pesign.h"
 -#include <limits.h>
 #include <string.h>
 #include <syslog.h>
 -#include <termios.h>
 #include <time.h>
 #include <unistd.h>
@@ -159,47 +157,6 @@ err:
 	return -1;
 }
 -#if 0
 -#warning investigate killing getpw
 -#endif
 -static char *getpw(PK11SlotInfo *slot, PRBool retry, void *arg)
 -{
 -	struct termios sio, tio;
 -	char line[LINE_MAX], *p;
 -
 -	if (tcgetattr(fileno(stdin), &sio) < 0) {
 -		fprintf(stderr, "Could not read password from standard input.\n");
 -		return NULL;
 -	}
 -	tio = sio;
 -	tio.c_lflag &= ~ECHO;
 -	if (tcsetattr(fileno(stdin), 0, &tio) < 0) {
 -		fprintf(stderr, "Could not read password from standard input.\n");
 -		return NULL;
 -	}
 -
 -	fprintf(stdout, "Enter passphrase for private key: ");
 -	if (fgets(line, sizeof(line), stdin) == NULL) {
 -		fprintf(stdout, "\n");
 -		tcsetattr(fileno(stdin), 0, &sio);
 -		return NULL;
 -	}
 -	fprintf(stdout, "\n");
 -	tcsetattr(fileno(stdin), 0, &sio);
 -
 -	p = line + strcspn(line, "\r\n");
 -	if (p != NULL)
 -		*p = '\0';
 -
 -	char *ret = strdup(line);
 -	memset(line, '\0', sizeof (line));
 -	if (!ret) {
 -		fprintf(stderr, "Could not read passphrase.\n");
 -		return NULL;
 -	}
 -	return ret;
 -}
 -
 static int
 sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
 {
@@ -216,7 +173,7 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
 	if (!oid)
 		goto err;
 -	PK11_SetPasswordFunc(cms->func ? cms->func : getpw);
 +	PK11_SetPasswordFunc(cms->func ? cms->func : readpw);
 	SECKEYPrivateKey *privkey = PK11_FindKeyByAnyCert(cms->cert,
 				cms->pwdata ? cms->pwdata : NULL);
 	if (!privkey) {
 -- 
 1.7.12.1
--- a/0039-Fix-token-auth-authentication-failure-error-reportin.patch
+++ b/0039-Fix-token-auth-authentication-failure-error-reportin.patch
@ -0,0 +1,60 @@
 From 3ceb3eb5b1c36ead2a862bcec5e527f74dc91381 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 19 Oct 2012 10:08:49 -0400
 Subject: [PATCH 39/41] Fix token auth authentication failure error reporting.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/cms_common.c | 4 +++-
 src/daemon.c     | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 898ddfb..2f3683e 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -316,6 +316,7 @@ unlock_nss_token(cms_context *cms)
 	secuPWData pwdata_val = { 0, 0 };
 	void *pwdata = cms->pwdata ? cms->pwdata : &pwdata_val;
 	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
 +	int rc = -1;
 	PK11SlotList *slots = NULL;
 	slots = PK11_GetAllTokens(CKM_RSA_PKCS, PR_FALSE, PR_TRUE, pwdata);
@@ -323,7 +324,7 @@ unlock_nss_token(cms_context *cms)
 		cms->log(cms, LOG_ERR, "Could not find certificate \"%s\"",
 			cms->tokenname);
 err:
 -		return -1;
 +		return rc;
 	}
 	PK11SlotListElement *psle = NULL;
@@ -351,6 +352,7 @@ err_slots:
 			cms->log(cms, LOG_ERR, "Authentication failed for "
 				"token \"%s\"", cms->tokenname);
 			PK11_DestroySlotListElement(slots, &psle);
 +			rc = -2;
 			goto err_slots;
 		}
 	}
 diff --git a/src/daemon.c b/src/daemon.c
 index 974a559..bf7485f 100644
 --- a/src/daemon.c
 +++ b/src/daemon.c
@@ -204,10 +204,10 @@ malformed:
 	cms_set_pw_callback(ctx->cms, get_password_fail);
 	cms_set_pw_data(ctx->cms, NULL);
 -	if (rc < 0)
 +	if (rc == -1)
 		ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
 			"could not find token \"%s\"", tn->value);
 -	else
 +	else if (rc == 0)
 		ctx->cms->log(ctx->cms, ctx->priority|LOG_NOTICE,
 			"authentication succeeded for token \"%s\"",
 			tn->value);
 -- 
 1.7.12.1
--- a/0040-Use-setfacl-in-sysvinit-script-to-allow-kojibuilder-.patch
+++ b/0040-Use-setfacl-in-sysvinit-script-to-allow-kojibuilder-.patch
@ -0,0 +1,28 @@
 From 9c2daa8d3761b49961498cb9a9bbc8a37e05b0da Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 19 Oct 2012 10:19:39 -0400
 Subject: [PATCH 40/41] Use setfacl in sysvinit script to allow kojibuilder
 access.
 ---
 src/pesign.sysvinit | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit
 index f955e01..ea37c58 100644
 --- a/src/pesign.sysvinit
 +++ b/src/pesign.sysvinit
@@ -24,6 +24,10 @@ start(){
     RETVAL=$?
     echo
     touch /var/lock/subsys/pesign
 +    setfacl -m u:kojibuilder:x /var/run/pesign
 +    setfacl -m u:kojibuilder:rw /var/run/pesign/socket
 +    setfacl -m g:kojibuilder:x /var/run/pesign
 +    setfacl -m g:kojibuilder:rw /var/run/pesign/socket
 }
 stop(){
 -- 
 1.7.12.1
--- a/0041-Don-t-return-quite-so-immediately-if-we-re-the-paren.patch
+++ b/0041-Don-t-return-quite-so-immediately-if-we-re-the-paren.patch
@ -0,0 +1,33 @@
 From 2bd84dcfbdf084bcfb3e6d7c26756ca3783cdae4 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 19 Oct 2012 10:20:40 -0400
 Subject: [PATCH 41/41] Don't return quite so immediately if we're the parent
 pid when daemonizing.
 Long term we probably want to look for the socket and/or sigchld instead
 of this.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/daemon.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/src/daemon.c b/src/daemon.c
 index bf7485f..6951f0a 100644
 --- a/src/daemon.c
 +++ b/src/daemon.c
@@ -885,8 +885,10 @@ daemonize(cms_context *cms_ctx, int do_fork)
 	if (do_fork) {
 		pid_t pid;
 -		if ((pid = fork()))
 +		if ((pid = fork())) {
 +			sleep(2);
 			return 0;
 +		}
 	}
 	ctx.pid = getpid();
 	write_pid_file(ctx.pid);
 -- 
 1.7.12.1
--- a/pesign.spec
+++ b/pesign.spec
@ -1,7 +1,7 @@
 Summary: Signing utility for UEFI binaries
 Name: pesign
 Version: 0.99
-Release: 6%{?dist}
+Release: 7%{?dist}
 Group: Development/System
 License: GPLv2
 URL: https://github.com/vathpela/pesign
@ -53,6 +53,11 @@ Patch33: 0033-Allow-use-of-e-from-rpm-macro.patch
 Patch34: 0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch
 Patch35: 0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch
 Patch36: 0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch
 Patch37: 0037-Fix-command-line-checking-for-s.patch
 Patch38: 0038-Add-support-to-read-the-pin-from-stdin-in-client.patch
 Patch39: 0039-Fix-token-auth-authentication-failure-error-reportin.patch
 Patch40: 0040-Use-setfacl-in-sysvinit-script-to-allow-kojibuilder-.patch
 Patch41: 0041-Don-t-return-quite-so-immediately-if-we-re-the-paren.patch
 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -117,6 +122,11 @@ exit 0
 %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
 %changelog
 * Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-7
 - setfacl u:kojibuilder:rw /var/run/pesign/socket
 - Fix command line checking in client
 - Add client stdin pin reading.
 * Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-6
 - Automatically select daemon as signer when using rpm macros.