import pesign-115-4.el9

This commit is contained in:
CentOS Sources 2022-09-27 09:47:57 -04:00 committed by Stepan Oksanichenko
parent 971fe1203a
commit b651903e90
22 changed files with 162 additions and 1302 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/certs.tar.xz
SOURCES/pesign-113.tar.bz2
SOURCES/pesign-115.tar.bz2


@ -1,2 +1,2 @@
b6777cc78ca2d2f250f3142e97e17dd855bc9b88 SOURCES/certs.tar.xz
1fabe291298395b6dd3129e250d8b67345745834 SOURCES/pesign-113.tar.bz2
849099b74a8c54f3fe5090605d2a71c0511acd1a SOURCES/pesign-115.tar.bz2


@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 8 Mar 2022 12:59:34 -0500
Subject: [PATCH] daemon: remove always-true comparison
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/daemon.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 0a66deb..ff88210 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -221,8 +221,7 @@ malformed:
if (!ctx->cms->tokenname)
goto oom;
- if (!tp->value)
- pin = strndup((char *)tp->value, tp->size);
+ pin = strndup((char *)tp->value, tp->size);
if (!pin)
goto oom;
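Review bot: The now-unconditional `strndup((char *)tp->value, tp->size)` is bounded only by the client-supplied `tp->size`, and whether that size was already checked against the number of bytes actually received is outside this hunk (the enclosing function starts before the `malformed:` label the hunk header shows), so that check should be confirmed before the comparison is dropped. Since `pin` holds a token PIN copied from the socket message, the copy should be wiped before release rather than plainly freed — e.g. `explicit_bzero(pin, strlen(pin)); free(pin);` at the function's cleanup, which is also not shown here. The removed `if (!tp->value)` suggests the value was once thought nullable; if `value` is a trailing array member (as the subject's "always-true" implies) a one-line comment `/* value is an inline array member, never NULL */` above the strndup would keep the check from being reintroduced.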


@ -1,45 +0,0 @@
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
NSS 3.44 adds some certificate types, which changes a type and makes
some encoding stuff weird. As a result, we get:
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
In file included from /usr/local/include/nss/nss/cert.h:22,
from efikeygen.c:39:
efikeygen.c: In function 'add_cert_type':
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
^
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
unsigned char type = NS_CERT_TYPE_APP;
^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index ede76ef0b48..2cd953e9781 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -208,7 +208,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
- unsigned char type = NS_CERT_TYPE_APP;
+ int type = NS_CERT_TYPE_APP;
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
--
2.23.0


@ -0,0 +1,33 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 9 Feb 2022 14:42:24 -0500
Subject: [PATCH] Disable pragmas for warnings that are too old
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/daemon.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index ff88210..d66dd50 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -917,10 +917,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
free(pollfds);
}
-/* GCC -fanalyzer has trouble with realloc
- * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
static int
handle_events(context *ctx)
{
@@ -999,7 +995,6 @@ shutdown:
}
return 0;
}
-#pragma GCC diagnostic pop
static int
get_uid_and_gid(context *ctx, char **homedir)
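Review bot: Dropping the pragma pair also drops the only pointer to the analyzer finding about realloc in `handle_events` (bz 2047926), so a maintainer re-enabling -fanalyzer will hit the same report with no context; keep the explanation as a plain comment above `handle_events`, e.g. `/* -fanalyzer reports use-of-uninitialized-value around the realloc in this function; see https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */`. The patch description should also say why the pragmas go — presumably the target GCC does not recognise `-Wanalyzer-use-of-uninitialized-value` and rejects the pragma under -Werror — because "too old" alone does not name the compiler involved. The body of `handle_events` lies between the two hunks and is not visible here.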


@ -1,49 +0,0 @@
From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Feb 2020 16:28:56 -0500
Subject: [PATCH] pesigcheck: Fix a wrong assignment
gcc says:
pesigcheck.c: In function 'check_signature':
pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
321 | reason->type = siBuffer;
| ^
pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
333 | reason->type = siBuffer;
| ^
cc1: all warnings being treated as errors
And indeed, that line of code makes no sense at all - it was supposed to
be reason->sig.type.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesigcheck.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 524cce307bf..8fa0f1ad03d 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
+ reason->sig.type = siBuffer;
nreason += 1;
is_invalid = true;
}
@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
+ reason->sig.type = siBuffer;
nreason += 1;
has_valid_cert = true;
}
--
2.24.1


@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 25 Mar 2022 15:01:54 -0400
Subject: [PATCH] Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index 130c1ee..4b0e77c 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -79,7 +79,7 @@ ccldflags = $(cflags) $(CCLDFLAGS) $(LDFLAGS) \
$(call pkg-config-ccldflags)
efi_cflags = $(cflags)
ASFLAGS ?= $(ARCH3264)
-CPPFLAGS ?= -D_FORTIFY_SOURCE=2
+CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS
RANLIBFLAGS ?= $(if $(filter $(CC),gcc),-D)
ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
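Review bot: `-D_GLIBCXX_ASSERTIONS` only enables bounds checks inside libstdc++ headers, and every source this page shows is C (src/daemon.c, src/client.c, src/pesigcheck.c), so adding it to CPPFLAGS is likely a no-op for the hardening it suggests; if the intent is to satisfy a distro flag check rather than to change runtime behaviour, the patch description should say so. Note also that the variable is set with `?=`, so a package build that passes its own CPPFLAGS replaces this whole default — including `-D_FORTIFY_SOURCE=2` — and the hardening must then come from the distro flags; a short comment above the line, e.g. `# defaults only: a CPPFLAGS passed by the packager replaces this entire line`, would make that visible to the next reader.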


@ -1,317 +0,0 @@
From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 11 Jun 2020 16:23:14 -0400
Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and
vise versa
This makes the version of the sign API that takes a file type optional,
and makes the client attempt to negotiate which version it's getting.
It also leaves the server able to still handle the version from before
the file type was added.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 74 +++++++++++++++++++++++++++++++++++++---------------
src/daemon.c | 63 +++++++++++++++++++++++++++++---------------
src/daemon.h | 2 ++
3 files changed, 97 insertions(+), 42 deletions(-)
diff --git a/src/client.c b/src/client.c
index aa373abd981..57bcc09cbe8 100644
--- a/src/client.c
+++ b/src/client.c
@@ -11,6 +11,7 @@
#include <fcntl.h>
#include <popt.h>
#include <pwd.h>
+#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/socket.h>
@@ -84,8 +85,8 @@ connect_to_server(void)
static int32_t
check_response(int sd, char **srvmsg);
-static void
-check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
+static int
+check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit)
{
struct msghdr msg;
struct iovec iov[1];
@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
ssize_t n;
n = sendmsg(sd, &msg, 0);
if (n < 0) {
- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n");
+ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n");
exit(1);
}
@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
char *srvmsg = NULL;
int32_t rc = check_response(sd, &srvmsg);
- if (rc < 0)
+
+ if (do_exit && rc < 0)
errx(1, "command \"%s\" not known by server", name);
- if (rc != version)
+
+ if (do_exit && rc != version)
errx(1, "command \"%s\": client version %d, server version %d",
name, version, rc);
+
+ if (rc < 0)
+ return rc;
+ return rc == version;
}
static void
@@ -134,7 +141,7 @@ send_kill_daemon(int sd)
struct iovec iov;
pesignd_msghdr pm;
- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0);
+ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_KILL_DAEMON;
@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin)
uint32_t size1 = pesignd_string_size(pin);
- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0);
+ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_UNLOCK_TOKEN;
@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname)
uint32_t size0 = pesignd_string_size(tokenname);
- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0);
+ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_IS_TOKEN_UNLOCKED;
@@ -452,6 +459,9 @@ static void
sign(int sd, char *infile, char *outfile, char *tokenname, char *certname,
int attached, uint32_t format)
{
+ int rc;
+ bool add_file_type;
+
int infd = open(infile, O_RDONLY);
if (infd < 0) {
fprintf(stderr, "pesign-client: could not open input file "
@@ -481,12 +491,28 @@ oom:
exit(1);
}
- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED,
- attached ? "sign-attached" : "sign-detached", 0);
+ rc = check_cmd_version(sd,
+ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
+ : CMD_SIGN_DETACHED_WITH_FILE_TYPE,
+ attached ? "sign-attached" : "sign-detached",
+ 0, format == FORMAT_KERNEL_MODULE);
+ if (rc >= 0) {
+ add_file_type = true;
+ } else {
+ add_file_type = false;
+ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED
+ : CMD_SIGN_DETACHED,
+ attached ? "sign-attached" : "sign-detached",
+ 0, true);
+ }
+ printf("add_file_type:%d\n", add_file_type);
pm->version = PESIGND_VERSION;
- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED;
- pm->size = size0 + size1 + sizeof(format);
+ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
+ : CMD_SIGN_ATTACHED)
+ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE
+ : CMD_SIGN_DETACHED);
+ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0);
iov[0].iov_base = pm;
iov[0].iov_len = sizeof (*pm);
@@ -503,25 +529,31 @@ oom:
}
char *buffer;
- buffer = malloc(size0 + size1);
+ buffer = malloc(pm->size);
if (!buffer)
goto oom;
- iov[0].iov_base = &format;
- iov[0].iov_len = sizeof(format);
+ int pos = 0;
+
+ if (add_file_type) {
+ iov[pos].iov_base = &format;
+ iov[pos].iov_len = sizeof(format);
+ pos++;
+ }
pesignd_string *tn = (pesignd_string *)buffer;
pesignd_string_set(tn, tokenname);
- iov[1].iov_base = tn;
- iov[1].iov_len = size0;
+ iov[pos].iov_base = tn;
+ iov[pos].iov_len = size0;
+ pos++;
pesignd_string *cn = pesignd_string_next(tn);
pesignd_string_set(cn, certname);
- iov[2].iov_base = cn;
- iov[2].iov_len = size1;
+ iov[pos].iov_base = cn;
+ iov[pos].iov_len = size1;
msg.msg_iov = iov;
- msg.msg_iovlen = 3;
+ msg.msg_iovlen = add_file_type ? 3 : 2;
n = sendmsg(sd, &msg, 0);
if (n < 0) {
@@ -535,7 +567,7 @@ oom:
send_fd(sd, outfd);
char *srvmsg = NULL;
- int rc = check_response(sd, &srvmsg);
+ rc = check_response(sd, &srvmsg);
if (rc < 0) {
fprintf(stderr, "pesign-client: signing failed: \"%s\"\n",
srvmsg);
diff --git a/src/daemon.c b/src/daemon.c
index 9374d59be30..494beb9af72 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -12,6 +12,7 @@
#include <poll.h>
#include <pwd.h>
#include <signal.h>
+#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -561,7 +562,7 @@ out:
static void
handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
- int attached)
+ int attached, bool with_file_type)
{
struct msghdr msg;
struct iovec iov;
@@ -585,8 +586,12 @@ oom:
n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
- file_format = *((uint32_t *) buffer);
- n -= sizeof(uint32_t);
+ if (with_file_type) {
+ file_format = *((uint32_t *) buffer);
+ n -= sizeof(uint32_t);
+ } else {
+ file_format = FORMAT_PE_BINARY;
+ }
pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t));
if (n < (long long)sizeof(tn->size)) {
@@ -666,34 +671,44 @@ finish:
teardown_digests(ctx->cms);
}
+static inline void
+handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size,
+ int attached, bool with_file_type)
+{
+ int rc = cms_context_alloc(&ctx->cms);
+ if (rc < 0)
+ return;
+
+ steal_from_cms(ctx->backup_cms, ctx->cms);
+
+ handle_signing(ctx, pollfd, size, attached, with_file_type);
+
+ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
+ cms_context_fini(ctx->cms);
+}
+
static void
handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
{
- int rc = cms_context_alloc(&ctx->cms);
- if (rc < 0)
- return;
+ handle_sign_helper(ctx, pollfd, size, 1, false);
+}
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 1);
-
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
- cms_context_fini(ctx->cms);
+static void
+handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
+{
+ handle_sign_helper(ctx, pollfd, size, 1, true);
}
static void
handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
{
- int rc = cms_context_alloc(&ctx->cms);
- if (rc < 0)
- return;
+ handle_sign_helper(ctx, pollfd, size, 0, false);
+}
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 0);
-
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
- cms_context_fini(ctx->cms);
+static void
+handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
+{
+ handle_sign_helper(ctx, pollfd, size, 0, true);
}
static void
@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = {
{ CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 },
{ CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 },
{ CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 },
+ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
+ handle_sign_attached_with_file_type,
+ "sign-attached-with-file-type", 0 },
+ { CMD_SIGN_DETACHED_WITH_FILE_TYPE,
+ handle_sign_detached_with_file_type,
+ "sign-detached-with-file-type", 0 },
{ CMD_RESPONSE, NULL, "response", 0 },
{ CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked,
"is-token-unlocked", 0 },
diff --git a/src/daemon.h b/src/daemon.h
index dd430512f1a..834d62c72d0 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -33,6 +33,8 @@ typedef enum {
CMD_RESPONSE,
CMD_IS_TOKEN_UNLOCKED,
CMD_GET_CMD_VERSION,
+ CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
+ CMD_SIGN_DETACHED_WITH_FILE_TYPE,
CMD_LIST_END
} pesignd_cmd;
--
2.26.2


@ -1,46 +0,0 @@
From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 12 Jun 2020 11:49:44 -0400
Subject: [PATCH] Rename /var/run/ to /run/
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 12 ++++++------
src/tmpfiles.conf | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 56f75cafbc4..5a6da1c6809 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -45,14 +45,14 @@
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ "$(id -un)" == "kojibuilder" -a \\\
grep -q ID=fedora /etc/os-release -a \\\
- ! -S /var/run/pesign/socket ]; then \
+ ! -S /run/pesign/socket ]; then \
echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /var/run/pesign 1>&2 \
- ls -l /var/run/pesign/socket 1>&2 \
- getfacl /var/run/pesign 1>&2 \
- getfacl /var/run/pesign/socket 1>&2 \
+ ls -ld /run/pesign 1>&2 \
+ ls -l /run/pesign/socket 1>&2 \
+ getfacl /run/pesign 1>&2 \
+ getfacl /run/pesign/socket 1>&2 \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
index c1cf35597d8..3375ad52a44 100644
--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
--
2.26.2


@ -1,18 +1,21 @@
From efb69f149f256631a952e0a0db5b45ed5d391509 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 10 Aug 2021 12:39:08 -0400
Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit a1bc65c8b0fc20dbe9c9714ee3a31937184ba7f6)
(cherry picked from commit 83190f50505a0744dfb70d3b549914ae713e6713)
---
src/macros.pesign | 1 +
1 file changed, 1 insertion(+)
src/macros.pesign | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 34af57c5b3b..2ca1afb916e 100644
index 34af57c..b7d6af1 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -35,6 +35,7 @@
@@ -34,7 +34,8 @@
%{?__pesign_cert:--cert %{__pesign_cert}} \\\
%{?_buildhost:--hostname "%{_buildhost}"} \\\
%{?vendor:--vendor "%{vendor}"} \\\
- %{?_rhel:--rhelver "%{_rhel}"} \\\
@ -21,6 +24,3 @@ index 34af57c5b3b..2ca1afb916e 100644
%{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
%{?-a:--rhelcafile "%{-a*}"} \\\
%{?-c:--rhelcertfile "%{-c*}"} \\\
--
2.31.1


@ -1,30 +0,0 @@
From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jcline@redhat.com>
Date: Tue, 18 Feb 2020 16:37:53 -0500
Subject: [PATCH] Apparently opensc got updated and the token name changed
All the kernel builds started failing yesterday because the signing
token could not be found. Update the token name in the macro shipped by
pesign.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 7c5cba170e9..56f75cafbc4 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -9,7 +9,7 @@
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
-%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
--
2.26.2


@ -1,19 +1,22 @@
From 3956d8a819541578b31c919270e915fbcc791e89 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 1 Oct 2021 17:58:20 -0400
Subject: [PATCH] Detect the presence of rpm-sign when checking for
"rhel"-ness.
Date: Mon, 4 Apr 2022 14:45:29 -0400
Subject: [PATCH] Detect the presence of rpm-sign when checking for "rhel"-ness
Signed-off-by: Peter Jones <pjones@redhat.com>
[rharwood: manually reapply to main]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 17e5878cb087e0a766722d3c487f87c41b318f9a)
(cherry picked from commit a1cfd0b6ddb423571d430f3df46af7761c0797e3)
---
src/pesign-rpmbuild-helper.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index 27b8261bc17..d6ca29683b1 100644
index 0a845d2..239605a 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -187,7 +187,7 @@ main() {
@@ -192,7 +192,7 @@ main() {
fi
fi
@ -22,6 +25,3 @@ index 27b8261bc17..d6ca29683b1 100644
nssdir="$(mktemp -p "${PWD}" -d)"
echo > "${nssdir}/pwfile"
certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
--
2.31.1


@ -1,86 +0,0 @@
From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 16:13:09 -0400
Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/src/client.c b/src/client.c
index 2119ef33bf8..a38383415d5 100644
--- a/src/client.c
+++ b/src/client.c
@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
}
static int
-connect_to_server(void)
+connect_to_server_helper(const char * const sockpath)
{
- int rc = access(SOCKPATH, R_OK);
+ int rc = access(sockpath, R_OK);
if (rc != 0) {
- fprintf(stderr, "pesign-client: could not connect to server: "
- "%m\n");
- exit(1);
+ warn("could not access socket \"%s\"", sockpath);
+ return rc;
}
struct sockaddr_un addr_un = {
.sun_family = AF_UNIX,
- .sun_path = SOCKPATH,
};
+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
int sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd < 0) {
- fprintf(stderr, "pesign-client: could not open socket: %m\n");
- exit(1);
+ warn("could not open socket \"%s\"", sockpath);
+ return sd;
}
socklen_t len = strlen(addr_un.sun_path) +
@@ -74,14 +74,32 @@ connect_to_server(void)
rc = connect(sd, (struct sockaddr *)&addr_un, len);
if (rc < 0) {
- fprintf(stderr, "pesign-client: could not connect to daemon: "
- "%m\n");
- exit(1);
+ warn("could not connect to daemon");
+ return sd;
}
return sd;
}
+static int
+connect_to_server(void)
+{
+ int rc, i;
+ const char * const sockets[] = {
+ "/run/pesign/socket",
+ "/var/run/pesign/socket",
+ NULL
+ };
+
+ for (i = 0; sockets[i] != NULL; i++) {
+ rc = connect_to_server_helper(sockets[i]);
+ if (rc >= 0)
+ return rc;
+ }
+
+ exit(1);
+}
+
static int32_t
check_response(int sd, char **srvmsg);
--
2.26.2


@ -1,25 +0,0 @@
From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 16:44:09 -0400
Subject: [PATCH 07/11] client: remove an extra debug print
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/client.c b/src/client.c
index 0082be1f597..c9966295e5f 100644
--- a/src/client.c
+++ b/src/client.c
@@ -536,7 +536,6 @@ oom:
0, true);
}
- printf("add_file_type:%d\n", add_file_type);
pm->version = PESIGND_VERSION;
pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
: CMD_SIGN_ATTACHED)
--
2.26.2


@ -1,379 +0,0 @@
From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 13:54:35 -0400
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 1 +
src/Makefile | 8 +-
src/macros.pesign | 74 ++++--------
src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
4 files changed, 252 insertions(+), 53 deletions(-)
create mode 100644 src/pesign-rpmbuild-helper.in
diff --git a/Make.defaults b/Make.defaults
index 0bacafe0d01..d4cd626c11e 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
INSTALL ?= install
CROSS_COMPILE ?=
+EFI_ARCHES ?= aa64 ia32 x64
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
diff --git a/src/Makefile b/src/Makefile
index 74327ba13f3..a7ca89159c6 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
SVCTARGETS=pesign.sysvinit pesign.service
TARGETS=$(BINTARGETS) $(SVCTARGETS)
@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
pesign : PKGS=efivar nss nspr popt
+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
+ sed \
+ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
+ $^ > $@
+
deps : PKGS=efivar nss nspr popt uuid
deps : $(ALL_SOURCES)
$(MAKE) -f $(TOPDIR)/Make.deps \
@@ -94,6 +99,7 @@ install :
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
diff --git a/src/macros.pesign b/src/macros.pesign
index 5a6da1c6809..2e984b4eeb3 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -6,7 +6,7 @@
# %pesign -s -i shim.orig -o shim.efi
# And magically get the right thing.
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
@@ -24,54 +24,24 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
- _pesign_nssdir=/etc/pki/pesign \
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
- _pesign_nssdir=/etc/pki/pesign-rh-test \
- fi \
- if [ -x %{_pesign} ] && \\\
- [ "%{_target_cpu}" == "x86_64" -o \\\
- "%{_target_cpu}" == "aarch64" ]; then \
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
- nss=$(mktemp -p $PWD -d) \
- echo > ${nss}/pwfile \
- certutil -N -d ${nss} -f ${nss}/pwfile \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
- sattrs=$(mktemp -p $PWD --suffix=.der) \
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
- --certdir ${nss} -c signer %{-o} \
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
- elif [ "$(id -un)" == "kojibuilder" -a \\\
- grep -q ID=fedora /etc/os-release -a \\\
- ! -S /run/pesign/socket ]; then \
- echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /run/pesign 1>&2 \
- ls -l /run/pesign/socket 1>&2 \
- getfacl /run/pesign 1>&2 \
- getfacl /run/pesign/socket 1>&2 \
- exit 1 \
- elif [ -S /run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_client_token} \\\
- -c %{__pesign_client_cert} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
- --certdir ${_pesign_nssdir} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- fi \
- else \
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
- mv %{-i*} %{-o*} \
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
- touch %{-e*} \
- fi \
- fi \
- if [ ! -s %{-o} ]; then \
- if [ -e "%{-o*}" ]; then \
- rm -f %{-o*} \
- fi \
- exit 1 \
- fi ;
-
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
+ "%{_target_cpu}" \\\
+ "%{_pesign}" \\\
+ "%{_pesign_client}" \\\
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
+ %{?__pesign_token:%{__pesign_token}} \\\
+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\
+ %{?_buildhost:--hostname "%{_buildhost}"} \\\
+ %{?vendor:--vendor "%{vendor}"} \\\
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
+ %{?-a:--rhelcafile "%{-a*}"} \\\
+ %{?-c:--rhelcertfile "%{-c*}"} \\\
+ %{?-C:--certout "%{-C*}"} \\\
+ %{?-e:--sattrout "%{-e*}"} \\\
+ %{?-i:--in "%{-i*}"} \\\
+ %{?-o:--out "%{-o*}"} \\\
+ %{?-s:--sign} \\\
+ ; \
+%{nil}
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
new file mode 100644
index 00000000000..c5287c27e0c
--- /dev/null
+++ b/src/pesign-rpmbuild-helper.in
@@ -0,0 +1,222 @@
+#!/bin/bash
+# shellcheck shell=bash
+
+set -eu
+set -x
+
+usage() {
+ local status="${1}" && shift
+ local out
+ if [[ "${status}" -eq 0 ]] ; then
+ out=/dev/stdout
+ else
+ out=/dev/stderr
+ fi
+
+ if [[ $# -gt 0 ]] ; then
+ echo "${0}: error: $*" >>"${out}"
+ fi
+ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
+ exit "${status}"
+}
+
+is_efi_arch() {
+ local arch="${1}"
+ local arches=(@@EFI_ARCHES@@)
+ local x
+ for x in "${arches[@]}" ; do
+ if [[ "${arch}" = "${x}" ]] ; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+error_on_empty() {
+ local f="${1}"
+ if [[ ! -s "${f}" ]] ; then
+ if [[ -e "${f}" ]] ; then
+ rm -f "${f}"
+ fi
+ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
+ exit 1
+ fi
+}
+
+main() {
+ if [[ $# -lt 3 ]] ; then
+ usage 1 not enough arguments
+ fi
+ local target_cpu="${1}" && shift
+ local bin="${1}" && shift
+ local client="${1}" && shift
+
+ local rhelcafile="" || :
+ local rhelcertfile="" || :
+
+ local certout=() || :
+ local sattrout=() || :
+ local input=() || :
+ local output=() || :
+ local client_token=() || :
+ local client_cert=() || :
+ local token=() || :
+ local cert=() || :
+ local rhelcert=() || :
+ local rhelver=0 || :
+ local sign="" || :
+ local arch="" || :
+ local vendor="" || :
+ local HOSTNAME="" || :
+
+ while [[ $# -ge 2 ]] ; do
+ case " ${1} " in
+ " --rhelcafile ")
+ rhelcafile="${2}"
+ ;;
+ " --rhelcertfile ")
+ rhelcertfile="${2}"
+ ;;
+ " --hostname ")
+ HOSTNAME="${2}"
+ ;;
+ " --certout ")
+ certout[0]=-C
+ certout[1]="${2}"
+ ;;
+ " --sattrout ")
+ sattrout[0]=-e
+ sattrout[1]="${2}"
+ ;;
+ " --client-token ")
+ client_token[0]=-t
+ client_token[1]="${2}"
+ ;;
+ " --client-cert ")
+ client_cert[0]=-c
+ client_cert[1]="${2}"
+ ;;
+ " --token ")
+ token[0]=-t
+ token[1]="${2}"
+ ;;
+ " --cert ")
+ cert[0]=-c
+ cert[1]="${2}"
+ ;;
+ " --rhelcert ")
+ rhelcert[0]=-c
+ rhelcert[1]="${2}"
+ ;;
+ " --in ")
+ input[0]=-i
+ input[1]="${2}"
+ ;;
+ " --out ")
+ output[0]=-o
+ output[1]="${2}"
+ ;;
+ " --rhelver ")
+ rhelver="${2}"
+ ;;
+ " --vendor ")
+ vendor="${2}"
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+ shift
+ done
+ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
+ sign=-s
+ shift
+ fi
+
+ if [[ -z "${target_cpu}" ]] ; then
+ target_cpu="$(uname -m)"
+ fi
+
+ target_cpu="${target_cpu/i?86/ia32}"
+ target_cpu="${target_cpu/x86_64/x64}"
+ target_cpu="${target_cpu/aarch64/aa64}"
+ target_cpu="${target_cpu/arm*/arm/}"
+
+ local nssdir=/etc/pki/pesign
+ if [[ "${#cert[@]}" -eq 2 ]] &&
+ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
+ nssdir=/etc/pki/pesign-rh-test
+ fi
+
+ # is_efi_arch is ultimately returning "is pesign configured to sign these
+ # using the rpm macro", so if it isn't, we're just copying the input to
+ # the output
+ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
+ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
+ cp -v "${input[1]}" "${output[1]}"
+ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
+ touch "${sattrout[1]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ error_on_empty "${output[1]}"
+ return 0
+ fi
+
+ USERNAME="${USERNAME:-$(id -un)}"
+
+ local socket="" || :
+ if grep -q ID=fedora /etc/os-release \
+ && [[ "${rhelver}" -lt 7 ]] \
+ && [[ "${USERNAME}" = "mockbuild" ]] \
+ && [[ "${vendor}" = "Fedora Project" ]] \
+ && [[ "${HOSTNAME}" =~ bkernel.* ]]
+ then
+ if [[ -S /run/pesign/socket ]] ; then
+ socket=/run/pesign/socket
+ elif [[ -S /var/run/pesign/socket ]]; then
+ socket=/var/run/pesign/socket
+ else
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ fi
+ fi
+
+ if [[ "${rhelver}" -ge 7 ]] ; then
+ nssdir="$(mktemp -p "${PWD}" -d)"
+ echo > "${nssdir}/pwfile"
+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
+ sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+ "${input[@]}" --force
+ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+ --certdir "${nssdir}" -c signer \
+ "${input[@]}" "${output[@]}"
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+ elif [[ -n "${socket}" ]] ; then
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
+ "${sattrout[@]}" "${certout[@]}" \
+ ${sign} "${input[@]}" "${output[@]}"
+ else
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
+ "${certout[@]}" "${input[@]}" "${output[@]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [[ "${#output[@]}" -eq 2 ]] ; then
+ error_on_empty "${output[1]}"
+ fi
+}
+
+main "${@}"
+
+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
--
2.26.2


@ -1,60 +0,0 @@
From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 15:07:32 -0400
Subject: [PATCH 09/11] pesign-authorize: shellcheck
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index a496f601ab4..55cd5c4e55b 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -12,21 +12,21 @@ set -u
# License: GPLv2
declare -a fileusers=()
declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
+while read -r user ; do
dirusers[${#dirusers[@]}]=-m
dirusers[${#dirusers[@]}]="u:$user:rwx"
fileusers[${#fileusers[@]}]=-m
fileusers[${#fileusers[@]}]="u:$user:rw"
-done
+done </etc/pesign/users
declare -a filegroups=()
declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
+while read -r group ; do
dirgroups[${#dirgroups[@]}]=-m
dirgroups[${#dirgroups[@]}]="g:$group:rwx"
filegroups[${#filegroups[@]}]=-m
filegroups[${#filegroups[@]}]="g:$group:rw"
-done
+done </etc/pesign/groups
update_subdir() {
subdir=$1 && shift
@@ -35,12 +35,12 @@ update_subdir() {
setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
for x in "${subdir}"* ; do
if [ -d "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ setfacl -bk "${x}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
update_subdir "${x}/"
elif [ -e "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ setfacl -bk "${x}"
+ setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
else
:;
fi
--
2.26.2


@ -1,26 +0,0 @@
From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 15:08:15 -0400
Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index 55cd5c4e55b..c5448329c2c 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /var/run/pesign/ /etc/pki/pesign/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
--
2.26.2


@ -1,41 +0,0 @@
From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 16:42:39 -0400
Subject: [PATCH 11/11] kernel building hack
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index c5287c27e0c..27b8261bc17 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -202,6 +202,23 @@ main() {
"${input[@]}" "${output[@]}"
rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
elif [[ -n "${socket}" ]] ; then
+ ### welcome haaaaack city
+ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
+ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
+ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
+ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
+ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
+ client_cert[1]=kernel-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
+ client_cert[1]=grub2-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
+ client_cert[1]=fwupd-signer
+ fi
+ fi
+ fi
"${client}" "${client_token[@]}" "${client_cert[@]}" \
"${sattrout[@]}" "${certout[@]}" \
${sign} "${input[@]}" "${output[@]}"
--
2.26.2


@ -1,105 +0,0 @@
From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 16 Jul 2020 16:28:26 -0400
Subject: [PATCH] Use /run not /var/run
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.h | 4 ++--
src/Makefile | 2 +-
src/pesign-authorize | 2 +-
src/pesign.service.in | 2 +-
src/pesign.sysvinit.in | 10 +++++-----
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/daemon.h b/src/daemon.h
index 0368dc9256c..5fcd97ea717 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -51,8 +51,8 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
static inline uint32_t UNUSED
pesignd_string_size(char *buffer)
diff --git a/src/Makefile b/src/Makefile
index a7ca89159c6..f7fb5fc9ee5 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index c5448329c2c..2381302440c 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign/ ; do
+for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
diff --git a/src/pesign.service.in b/src/pesign.service.in
index c75a000892a..4ac2199bce2 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index b0e0f84ff0b..bf8edec8ff3 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
- mkdir /var/run/pesign 2>/dev/null &&
- chown pesign:pesign /var/run/pesign &&
- chmod 0770 /var/run/pesign
+ mkdir /run/pesign 2>/dev/null &&
+ chown pesign:pesign /run/pesign &&
+ chmod 0770 /run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
@@ -32,7 +32,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
--
2.26.2


@ -1,35 +0,0 @@
From 59428daf4863f192419eee4afec15cd099e99c9b Mon Sep 17 00:00:00 2001
From: Jeff Law <law@redhat.com>
Date: Mon, 16 Nov 2020 12:07:59 -0700
Subject: [PATCH] Turn off -Wfree-nonheap-object
authvar.c has a call to free (tokenname) where tokenname is set to a string constant
and never changed. That triggers GCC to issue a diagnostic that the value should not
be passed to free.
This is a false positive from GCC as the call is guarded by a suitable condition that
always happens to be false. But pesign is being built without optimization and thus
the condition and free call are not optimized away.
This patch just disables the warning. A better solution would be to fix the sources
or build with the optimizer enabled.
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index d4cd626..705cc3a 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto
cflags = $(CFLAGS) $(ARCH3264) \
-Wall -Wextra -Wsign-compare -Wno-unused-result \
-Wno-unused-function -Wno-missing-field-initializers \
- -Werror -Wno-error=cpp \
+ -Werror -Wno-error=cpp -Wno-free-nonheap-object \
-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
$(if $(filter $(CC),clang),$(clang_cflags), ) \
--
2.28.0

5
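--- /dev/null
+++ b/SOURCES/pesign.patches
@@ -0,0 +1,5 @@
+Patch0001: 0001-daemon-remove-always-true-comparison.patch
+Patch0002: 0002-Disable-pragmas-for-warnings-that-are-too-old.patch
+Patch0003: 0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
+Patch0004: 0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
+Patch0005: 0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch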


@ -2,28 +2,29 @@
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 113
Release: 21%{?dist}
License: GPLv2
URL: https://github.com/vathpela/pesign
Version: 115
Release: 4%{?dist}
License: GPL-2.0-only
URL: https://github.com/rhboot/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: make
BuildRequires: efivar-devel >= 38-1
BuildRequires: gcc
BuildRequires: git
BuildRequires: libuuid-devel
BuildRequires: make
#BuildRequires: mandoc
BuildRequires: nspr
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: nss-tools
BuildRequires: nss-util
BuildRequires: popt-devel
BuildRequires: nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 31-1
BuildRequires: libuuid-devel
BuildRequires: python3
BuildRequires: python3-rpm-macros
BuildRequires: tar
BuildRequires: xz
BuildRequires: python3-rpm-macros
BuildRequires: python3
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
BuildRequires: systemd-rpm-macros
%endif
@ -42,22 +43,9 @@ BuildRequires: rh-signing-tools >= 1.20-2
Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Source2: pesign.py
Source3: pesign.patches
Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch
Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
Patch0004: 0004-Rename-var-run-to-run.patch
Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
Patch0007: 0007-client-remove-an-extra-debug-print.patch
Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
Patch0009: 0009-pesign-authorize-shellcheck.patch
Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
Patch0011: 0011-kernel-building-hack.patch
Patch0012: 0012-Use-run-not-var-run.patch
Patch0013: 0013-Turn-off-free-nonheap-object.patch
Patch0014: 0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
Patch0015: 0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
%include %{SOURCE3}
%description
This package contains the pesign utility for signing UEFI binaries as
@ -76,6 +64,11 @@ git config --unset user.email
git config --unset user.name
%build
# Workaround for mandoc not being packaged
for f in authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1; do
cp src/"$f".mdoc src/"$f"
done
make PREFIX=%{_prefix} LIBDIR=%{_libdir}
%install
@ -143,7 +136,6 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%doc README TODO
%{_bindir}/authvar
%{_bindir}/efikeygen
%{_bindir}/efisiglist
%{_bindir}/pesigcheck
%{_bindir}/pesign
%{_bindir}/pesign-client
@ -170,20 +162,47 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Tue Dec 14 2021 Robbie Harwood <rharwood@redhat.com> - 113-21
- Sync with beta changes
- Resolves: rhbz#2030501
* Mon Apr 04 2022 Robbie Harwood <rharwood@redhat.com>
- Detect presence of rpm-sign when checking for rhel-ness
- Resolves: #2044886
* Tue Aug 10 2021 Peter Jones <pjones@redhat.com> - 113-18
- Detect the CentOS version number correctly in rpm pesign macro
Related: rhbz#1991688
* Fri Apr 01 2022 Robbie Harwood <rharwood@redhat.com> - 115-3
- Correct handling of rhel and centos macros
- Resolves: #2044886
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 113-17
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Mar 25 2022 Robbie Harwood <rharwood@redhat.com> - 115-2
- Add -D_GLIBCXX_ASSERTIONS
- Resolves: #2044886
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 113-16
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 115-1
- New upstream version (115)
- Resolves: #2044886
* Mon Feb 14 2022 Robbie Harwood <rharwood@redhat.com> - 114-4
- Fix explicit NULL deref when daemonizing
- Resolves: #2049320
* Wed Feb 09 2022 Robbie Harwood <rharwood@redhat.com> - 114-3
- Rebuild; no code changes
- Resolves: #2049320
* Wed Feb 09 2022 Robbie Harwood <rharwood@redhat.com> - 114-2
- Fix build on aarch64
- Resolves: #2049320
* Tue Feb 08 2022 Robbie Harwood <rharwood@redhat.com> - 114-1
- New upstream version (114)
- Resolves: #2049320
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 113-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 113-16
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
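Review bot: The changelog entry for this build, `* Mon Apr 04 2022 Robbie Harwood <rharwood@redhat.com>`, has no version-release suffix, while every other entry in the hunk ends in one (`- 115-3`, `- 115-2`, …) and the header now declares `Release: 4%{?dist}`. rpmlint reports a top entry without an EVR, and tooling that reads the release from the newest changelog line will pick up the wrong value. It should read `* Mon Apr 04 2022 Robbie Harwood <rharwood@redhat.com> - 115-4`. The `%changelog` section likely continues past the end of this hunk.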