rpms/pesign
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream version (114)

Browse Source 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
Robbie Harwood 2022-02-01 19:52:01 +00:00
parent 98a054d3eb
commit c7c4e0f825
15 changed files with 16 additions and 1271 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
0001-efikeygen-Fix-the-build-with-nss-3.44.patch
View File

@ -1,45 +0,0 @@
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
NSS 3.44 adds some certificate types, which changes a type and makes
some encoding stuff weird. As a result, we get:
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
In file included from /usr/local/include/nss/nss/cert.h:22,
from efikeygen.c:39:
efikeygen.c: In function 'add_cert_type':
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
^
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
unsigned char type = NS_CERT_TYPE_APP;
^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index ede76ef0b48..2cd953e9781 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -208,7 +208,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
- unsigned char type = NS_CERT_TYPE_APP;
+ int type = NS_CERT_TYPE_APP;
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
--
2.23.0

49
0002-pesigcheck-Fix-a-wrong-assignment.patch
View File

@ -1,49 +0,0 @@
From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Feb 2020 16:28:56 -0500
Subject: [PATCH] pesigcheck: Fix a wrong assignment
gcc says:
pesigcheck.c: In function 'check_signature':
pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
321 | reason->type = siBuffer;
| ^
pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
333 | reason->type = siBuffer;
| ^
cc1: all warnings being treated as errors
And indeed, that line of code makes no sense at all - it was supposed to
be reason->sig.type.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesigcheck.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 524cce307bf..8fa0f1ad03d 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
+ reason->sig.type = siBuffer;
nreason += 1;
is_invalid = true;
}
@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
+ reason->sig.type = siBuffer;
nreason += 1;
has_valid_cert = true;
}
--
2.24.1

317
0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
View File

@ -1,317 +0,0 @@
From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 11 Jun 2020 16:23:14 -0400
Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and
vise versa
This makes the version of the sign API that takes a file type optional,
and makes the client attempt to negotiate which version it's getting.
It also leaves the server able to still handle the version from before
the file type was added.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 74 +++++++++++++++++++++++++++++++++++++---------------
src/daemon.c | 63 +++++++++++++++++++++++++++++---------------
src/daemon.h | 2 ++
3 files changed, 97 insertions(+), 42 deletions(-)
diff --git a/src/client.c b/src/client.c
index aa373abd981..57bcc09cbe8 100644
--- a/src/client.c
+++ b/src/client.c
@@ -11,6 +11,7 @@
#include <fcntl.h>
#include <popt.h>
#include <pwd.h>
+#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/socket.h>
@@ -84,8 +85,8 @@ connect_to_server(void)
static int32_t
check_response(int sd, char **srvmsg);
-static void
-check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
+static int
+check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit)
{
struct msghdr msg;
struct iovec iov[1];
@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
ssize_t n;
n = sendmsg(sd, &msg, 0);
if (n < 0) {
- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n");
+ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n");
exit(1);
}
@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
char *srvmsg = NULL;
int32_t rc = check_response(sd, &srvmsg);
- if (rc < 0)
+
+ if (do_exit && rc < 0)
errx(1, "command \"%s\" not known by server", name);
- if (rc != version)
+
+ if (do_exit && rc != version)
errx(1, "command \"%s\": client version %d, server version %d",
name, version, rc);
+
+ if (rc < 0)
+ return rc;
+ return rc == version;
}
static void
@@ -134,7 +141,7 @@ send_kill_daemon(int sd)
struct iovec iov;
pesignd_msghdr pm;
- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0);
+ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_KILL_DAEMON;
@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin)
uint32_t size1 = pesignd_string_size(pin);
- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0);
+ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_UNLOCK_TOKEN;
@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname)
uint32_t size0 = pesignd_string_size(tokenname);
- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0);
+ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_IS_TOKEN_UNLOCKED;
@@ -452,6 +459,9 @@ static void
sign(int sd, char *infile, char *outfile, char *tokenname, char *certname,
int attached, uint32_t format)
{
+ int rc;
+ bool add_file_type;
+
int infd = open(infile, O_RDONLY);
if (infd < 0) {
fprintf(stderr, "pesign-client: could not open input file "
@@ -481,12 +491,28 @@ oom:
exit(1);
}
- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED,
- attached ? "sign-attached" : "sign-detached", 0);
+ rc = check_cmd_version(sd,
+ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
+ : CMD_SIGN_DETACHED_WITH_FILE_TYPE,
+ attached ? "sign-attached" : "sign-detached",
+ 0, format == FORMAT_KERNEL_MODULE);
+ if (rc >= 0) {
+ add_file_type = true;
+ } else {
+ add_file_type = false;
+ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED
+ : CMD_SIGN_DETACHED,
+ attached ? "sign-attached" : "sign-detached",
+ 0, true);
+ }
+ printf("add_file_type:%d\n", add_file_type);
pm->version = PESIGND_VERSION;
- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED;
- pm->size = size0 + size1 + sizeof(format);
+ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
+ : CMD_SIGN_ATTACHED)
+ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE
+ : CMD_SIGN_DETACHED);
+ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0);
iov[0].iov_base = pm;
iov[0].iov_len = sizeof (*pm);
@@ -503,25 +529,31 @@ oom:
}
char *buffer;
- buffer = malloc(size0 + size1);
+ buffer = malloc(pm->size);
if (!buffer)
goto oom;
- iov[0].iov_base = &format;
- iov[0].iov_len = sizeof(format);
+ int pos = 0;
+
+ if (add_file_type) {
+ iov[pos].iov_base = &format;
+ iov[pos].iov_len = sizeof(format);
+ pos++;
+ }
pesignd_string *tn = (pesignd_string *)buffer;
pesignd_string_set(tn, tokenname);
- iov[1].iov_base = tn;
- iov[1].iov_len = size0;
+ iov[pos].iov_base = tn;
+ iov[pos].iov_len = size0;
+ pos++;
pesignd_string *cn = pesignd_string_next(tn);
pesignd_string_set(cn, certname);
- iov[2].iov_base = cn;
- iov[2].iov_len = size1;
+ iov[pos].iov_base = cn;
+ iov[pos].iov_len = size1;
msg.msg_iov = iov;
- msg.msg_iovlen = 3;
+ msg.msg_iovlen = add_file_type ? 3 : 2;
n = sendmsg(sd, &msg, 0);
if (n < 0) {
@@ -535,7 +567,7 @@ oom:
send_fd(sd, outfd);
char *srvmsg = NULL;
- int rc = check_response(sd, &srvmsg);
+ rc = check_response(sd, &srvmsg);
if (rc < 0) {
fprintf(stderr, "pesign-client: signing failed: \"%s\"\n",
srvmsg);
diff --git a/src/daemon.c b/src/daemon.c
index 9374d59be30..494beb9af72 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -12,6 +12,7 @@
#include <poll.h>
#include <pwd.h>
#include <signal.h>
+#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -561,7 +562,7 @@ out:
static void
handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
- int attached)
+ int attached, bool with_file_type)
{
struct msghdr msg;
struct iovec iov;
@@ -585,8 +586,12 @@ oom:
n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
- file_format = *((uint32_t *) buffer);
- n -= sizeof(uint32_t);
+ if (with_file_type) {
+ file_format = *((uint32_t *) buffer);
+ n -= sizeof(uint32_t);
+ } else {
+ file_format = FORMAT_PE_BINARY;
+ }
pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t));
if (n < (long long)sizeof(tn->size)) {
@@ -666,34 +671,44 @@ finish:
teardown_digests(ctx->cms);
}
+static inline void
+handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size,
+ int attached, bool with_file_type)
+{
+ int rc = cms_context_alloc(&ctx->cms);
+ if (rc < 0)
+ return;
+
+ steal_from_cms(ctx->backup_cms, ctx->cms);
+
+ handle_signing(ctx, pollfd, size, attached, with_file_type);
+
+ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
+ cms_context_fini(ctx->cms);
+}
+
static void
handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
{
- int rc = cms_context_alloc(&ctx->cms);
- if (rc < 0)
- return;
+ handle_sign_helper(ctx, pollfd, size, 1, false);
+}
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 1);
-
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
- cms_context_fini(ctx->cms);
+static void
+handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
+{
+ handle_sign_helper(ctx, pollfd, size, 1, true);
}
static void
handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
{
- int rc = cms_context_alloc(&ctx->cms);
- if (rc < 0)
- return;
+ handle_sign_helper(ctx, pollfd, size, 0, false);
+}
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 0);
-
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
- cms_context_fini(ctx->cms);
+static void
+handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
+{
+ handle_sign_helper(ctx, pollfd, size, 0, true);
}
static void
@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = {
{ CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 },
{ CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 },
{ CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 },
+ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
+ handle_sign_attached_with_file_type,
+ "sign-attached-with-file-type", 0 },
+ { CMD_SIGN_DETACHED_WITH_FILE_TYPE,
+ handle_sign_detached_with_file_type,
+ "sign-detached-with-file-type", 0 },
{ CMD_RESPONSE, NULL, "response", 0 },
{ CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked,
"is-token-unlocked", 0 },
diff --git a/src/daemon.h b/src/daemon.h
index dd430512f1a..834d62c72d0 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -33,6 +33,8 @@ typedef enum {
CMD_RESPONSE,
CMD_IS_TOKEN_UNLOCKED,
CMD_GET_CMD_VERSION,
+ CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
+ CMD_SIGN_DETACHED_WITH_FILE_TYPE,
CMD_LIST_END
} pesignd_cmd;
--
2.26.2

46
0004-Rename-var-run-to-run.patch
View File

@ -1,46 +0,0 @@
From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 12 Jun 2020 11:49:44 -0400
Subject: [PATCH] Rename /var/run/ to /run/
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 12 ++++++------
src/tmpfiles.conf | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 56f75cafbc4..5a6da1c6809 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -45,14 +45,14 @@
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ "$(id -un)" == "kojibuilder" -a \\\
grep -q ID=fedora /etc/os-release -a \\\
- ! -S /var/run/pesign/socket ]; then \
+ ! -S /run/pesign/socket ]; then \
echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /var/run/pesign 1>&2 \
- ls -l /var/run/pesign/socket 1>&2 \
- getfacl /var/run/pesign 1>&2 \
- getfacl /var/run/pesign/socket 1>&2 \
+ ls -ld /run/pesign 1>&2 \
+ ls -l /run/pesign/socket 1>&2 \
+ getfacl /run/pesign 1>&2 \
+ getfacl /run/pesign/socket 1>&2 \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
index c1cf35597d8..3375ad52a44 100644
--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
--
2.26.2

30
0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
View File

@ -1,30 +0,0 @@
From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jcline@redhat.com>
Date: Tue, 18 Feb 2020 16:37:53 -0500
Subject: [PATCH] Apparently opensc got updated and the token name changed
All the kernel builds started failing yesterday because the signing
token could not be found. Update the token name in the macro shipped by
pesign.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 7c5cba170e9..56f75cafbc4 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -9,7 +9,7 @@
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
-%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
--
2.26.2

86
0006-client-try-run-and-var-run-for-the-socket-path.patch
View File

@ -1,86 +0,0 @@
From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 16:13:09 -0400
Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/src/client.c b/src/client.c
index 2119ef33bf8..a38383415d5 100644
--- a/src/client.c
+++ b/src/client.c
@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
}
static int
-connect_to_server(void)
+connect_to_server_helper(const char * const sockpath)
{
- int rc = access(SOCKPATH, R_OK);
+ int rc = access(sockpath, R_OK);
if (rc != 0) {
- fprintf(stderr, "pesign-client: could not connect to server: "
- "%m\n");
- exit(1);
+ warn("could not access socket \"%s\"", sockpath);
+ return rc;
}
struct sockaddr_un addr_un = {
.sun_family = AF_UNIX,
- .sun_path = SOCKPATH,
};
+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
int sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd < 0) {
- fprintf(stderr, "pesign-client: could not open socket: %m\n");
- exit(1);
+ warn("could not open socket \"%s\"", sockpath);
+ return sd;
}
socklen_t len = strlen(addr_un.sun_path) +
@@ -74,14 +74,32 @@ connect_to_server(void)
rc = connect(sd, (struct sockaddr *)&addr_un, len);
if (rc < 0) {
- fprintf(stderr, "pesign-client: could not connect to daemon: "
- "%m\n");
- exit(1);
+ warn("could not connect to daemon");
+ return sd;
}
return sd;
}
+static int
+connect_to_server(void)
+{
+ int rc, i;
+ const char * const sockets[] = {
+ "/run/pesign/socket",
+ "/var/run/pesign/socket",
+ NULL
+ };
+
+ for (i = 0; sockets[i] != NULL; i++) {
+ rc = connect_to_server_helper(sockets[i]);
+ if (rc >= 0)
+ return rc;
+ }
+
+ exit(1);
+}
+
static int32_t
check_response(int sd, char **srvmsg);
--
2.26.2

25
0007-client-remove-an-extra-debug-print.patch
View File

@ -1,25 +0,0 @@
From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 16:44:09 -0400
Subject: [PATCH 07/11] client: remove an extra debug print
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/client.c b/src/client.c
index 0082be1f597..c9966295e5f 100644
--- a/src/client.c
+++ b/src/client.c
@@ -536,7 +536,6 @@ oom:
0, true);
}
- printf("add_file_type:%d\n", add_file_type);
pm->version = PESIGND_VERSION;
pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
: CMD_SIGN_ATTACHED)
--
2.26.2

379
0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
View File

@ -1,379 +0,0 @@
From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 13:54:35 -0400
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 1 +
src/Makefile | 8 +-
src/macros.pesign | 74 ++++--------
src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
4 files changed, 252 insertions(+), 53 deletions(-)
create mode 100644 src/pesign-rpmbuild-helper.in
diff --git a/Make.defaults b/Make.defaults
index 0bacafe0d01..d4cd626c11e 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
INSTALL ?= install
CROSS_COMPILE ?=
+EFI_ARCHES ?= aa64 ia32 x64
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
diff --git a/src/Makefile b/src/Makefile
index 74327ba13f3..a7ca89159c6 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
SVCTARGETS=pesign.sysvinit pesign.service
TARGETS=$(BINTARGETS) $(SVCTARGETS)
@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
pesign : PKGS=efivar nss nspr popt
+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
+ sed \
+ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
+ $^ > $@
+
deps : PKGS=efivar nss nspr popt uuid
deps : $(ALL_SOURCES)
$(MAKE) -f $(TOPDIR)/Make.deps \
@@ -94,6 +99,7 @@ install :
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
diff --git a/src/macros.pesign b/src/macros.pesign
index 5a6da1c6809..2e984b4eeb3 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -6,7 +6,7 @@
# %pesign -s -i shim.orig -o shim.efi
# And magically get the right thing.
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
@@ -24,54 +24,24 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
- _pesign_nssdir=/etc/pki/pesign \
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
- _pesign_nssdir=/etc/pki/pesign-rh-test \
- fi \
- if [ -x %{_pesign} ] && \\\
- [ "%{_target_cpu}" == "x86_64" -o \\\
- "%{_target_cpu}" == "aarch64" ]; then \
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
- nss=$(mktemp -p $PWD -d) \
- echo > ${nss}/pwfile \
- certutil -N -d ${nss} -f ${nss}/pwfile \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
- sattrs=$(mktemp -p $PWD --suffix=.der) \
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
- --certdir ${nss} -c signer %{-o} \
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
- elif [ "$(id -un)" == "kojibuilder" -a \\\
- grep -q ID=fedora /etc/os-release -a \\\
- ! -S /run/pesign/socket ]; then \
- echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /run/pesign 1>&2 \
- ls -l /run/pesign/socket 1>&2 \
- getfacl /run/pesign 1>&2 \
- getfacl /run/pesign/socket 1>&2 \
- exit 1 \
- elif [ -S /run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_client_token} \\\
- -c %{__pesign_client_cert} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
- --certdir ${_pesign_nssdir} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- fi \
- else \
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
- mv %{-i*} %{-o*} \
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
- touch %{-e*} \
- fi \
- fi \
- if [ ! -s %{-o} ]; then \
- if [ -e "%{-o*}" ]; then \
- rm -f %{-o*} \
- fi \
- exit 1 \
- fi ;
-
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
+ "%{_target_cpu}" \\\
+ "%{_pesign}" \\\
+ "%{_pesign_client}" \\\
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
+ %{?__pesign_token:%{__pesign_token}} \\\
+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\
+ %{?_buildhost:--hostname "%{_buildhost}"} \\\
+ %{?vendor:--vendor "%{vendor}"} \\\
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
+ %{?-a:--rhelcafile "%{-a*}"} \\\
+ %{?-c:--rhelcertfile "%{-c*}"} \\\
+ %{?-C:--certout "%{-C*}"} \\\
+ %{?-e:--sattrout "%{-e*}"} \\\
+ %{?-i:--in "%{-i*}"} \\\
+ %{?-o:--out "%{-o*}"} \\\
+ %{?-s:--sign} \\\
+ ; \
+%{nil}
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
new file mode 100644
index 00000000000..c5287c27e0c
--- /dev/null
+++ b/src/pesign-rpmbuild-helper.in
@@ -0,0 +1,222 @@
+#!/bin/bash
+# shellcheck shell=bash
+
+set -eu
+set -x
+
+usage() {
+ local status="${1}" && shift
+ local out
+ if [[ "${status}" -eq 0 ]] ; then
+ out=/dev/stdout
+ else
+ out=/dev/stderr
+ fi
+
+ if [[ $# -gt 0 ]] ; then
+ echo "${0}: error: $*" >>"${out}"
+ fi
+ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
+ exit "${status}"
+}
+
+is_efi_arch() {
+ local arch="${1}"
+ local arches=(@@EFI_ARCHES@@)
+ local x
+ for x in "${arches[@]}" ; do
+ if [[ "${arch}" = "${x}" ]] ; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+error_on_empty() {
+ local f="${1}"
+ if [[ ! -s "${f}" ]] ; then
+ if [[ -e "${f}" ]] ; then
+ rm -f "${f}"
+ fi
+ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
+ exit 1
+ fi
+}
+
+main() {
+ if [[ $# -lt 3 ]] ; then
+ usage 1 not enough arguments
+ fi
+ local target_cpu="${1}" && shift
+ local bin="${1}" && shift
+ local client="${1}" && shift
+
+ local rhelcafile="" || :
+ local rhelcertfile="" || :
+
+ local certout=() || :
+ local sattrout=() || :
+ local input=() || :
+ local output=() || :
+ local client_token=() || :
+ local client_cert=() || :
+ local token=() || :
+ local cert=() || :
+ local rhelcert=() || :
+ local rhelver=0 || :
+ local sign="" || :
+ local arch="" || :
+ local vendor="" || :
+ local HOSTNAME="" || :
+
+ while [[ $# -ge 2 ]] ; do
+ case " ${1} " in
+ " --rhelcafile ")
+ rhelcafile="${2}"
+ ;;
+ " --rhelcertfile ")
+ rhelcertfile="${2}"
+ ;;
+ " --hostname ")
+ HOSTNAME="${2}"
+ ;;
+ " --certout ")
+ certout[0]=-C
+ certout[1]="${2}"
+ ;;
+ " --sattrout ")
+ sattrout[0]=-e
+ sattrout[1]="${2}"
+ ;;
+ " --client-token ")
+ client_token[0]=-t
+ client_token[1]="${2}"
+ ;;
+ " --client-cert ")
+ client_cert[0]=-c
+ client_cert[1]="${2}"
+ ;;
+ " --token ")
+ token[0]=-t
+ token[1]="${2}"
+ ;;
+ " --cert ")
+ cert[0]=-c
+ cert[1]="${2}"
+ ;;
+ " --rhelcert ")
+ rhelcert[0]=-c
+ rhelcert[1]="${2}"
+ ;;
+ " --in ")
+ input[0]=-i
+ input[1]="${2}"
+ ;;
+ " --out ")
+ output[0]=-o
+ output[1]="${2}"
+ ;;
+ " --rhelver ")
+ rhelver="${2}"
+ ;;
+ " --vendor ")
+ vendor="${2}"
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+ shift
+ done
+ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
+ sign=-s
+ shift
+ fi
+
+ if [[ -z "${target_cpu}" ]] ; then
+ target_cpu="$(uname -m)"
+ fi
+
+ target_cpu="${target_cpu/i?86/ia32}"
+ target_cpu="${target_cpu/x86_64/x64}"
+ target_cpu="${target_cpu/aarch64/aa64}"
+ target_cpu="${target_cpu/arm*/arm/}"
+
+ local nssdir=/etc/pki/pesign
+ if [[ "${#cert[@]}" -eq 2 ]] &&
+ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
+ nssdir=/etc/pki/pesign-rh-test
+ fi
+
+ # is_efi_arch is ultimately returning "is pesign configured to sign these
+ # using the rpm macro", so if it isn't, we're just copying the input to
+ # the output
+ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
+ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
+ cp -v "${input[1]}" "${output[1]}"
+ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
+ touch "${sattrout[1]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ error_on_empty "${output[1]}"
+ return 0
+ fi
+
+ USERNAME="${USERNAME:-$(id -un)}"
+
+ local socket="" || :
+ if grep -q ID=fedora /etc/os-release \
+ && [[ "${rhelver}" -lt 7 ]] \
+ && [[ "${USERNAME}" = "mockbuild" ]] \
+ && [[ "${vendor}" = "Fedora Project" ]] \
+ && [[ "${HOSTNAME}" =~ bkernel.* ]]
+ then
+ if [[ -S /run/pesign/socket ]] ; then
+ socket=/run/pesign/socket
+ elif [[ -S /var/run/pesign/socket ]]; then
+ socket=/var/run/pesign/socket
+ else
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ fi
+ fi
+
+ if [[ "${rhelver}" -ge 7 ]] ; then
+ nssdir="$(mktemp -p "${PWD}" -d)"
+ echo > "${nssdir}/pwfile"
+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
+ sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+ "${input[@]}" --force
+ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+ --certdir "${nssdir}" -c signer \
+ "${input[@]}" "${output[@]}"
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+ elif [[ -n "${socket}" ]] ; then
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
+ "${sattrout[@]}" "${certout[@]}" \
+ ${sign} "${input[@]}" "${output[@]}"
+ else
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
+ "${certout[@]}" "${input[@]}" "${output[@]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [[ "${#output[@]}" -eq 2 ]] ; then
+ error_on_empty "${output[1]}"
+ fi
+}
+
+main "${@}"
+
+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
--
2.26.2

60
0009-pesign-authorize-shellcheck.patch
View File

@ -1,60 +0,0 @@
From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 15:07:32 -0400
Subject: [PATCH 09/11] pesign-authorize: shellcheck
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index a496f601ab4..55cd5c4e55b 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -12,21 +12,21 @@ set -u
# License: GPLv2
declare -a fileusers=()
declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
+while read -r user ; do
dirusers[${#dirusers[@]}]=-m
dirusers[${#dirusers[@]}]="u:$user:rwx"
fileusers[${#fileusers[@]}]=-m
fileusers[${#fileusers[@]}]="u:$user:rw"
-done
+done </etc/pesign/users
declare -a filegroups=()
declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
+while read -r group ; do
dirgroups[${#dirgroups[@]}]=-m
dirgroups[${#dirgroups[@]}]="g:$group:rwx"
filegroups[${#filegroups[@]}]=-m
filegroups[${#filegroups[@]}]="g:$group:rw"
-done
+done </etc/pesign/groups
update_subdir() {
subdir=$1 && shift
@@ -35,12 +35,12 @@ update_subdir() {
setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
for x in "${subdir}"* ; do
if [ -d "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ setfacl -bk "${x}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
update_subdir "${x}/"
elif [ -e "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ setfacl -bk "${x}"
+ setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
else
:;
fi
--
2.26.2

26
0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
View File

@ -1,26 +0,0 @@
From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 15:08:15 -0400
Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index 55cd5c4e55b..c5448329c2c 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /var/run/pesign/ /etc/pki/pesign/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
--
2.26.2

41
0011-kernel-building-hack.patch
View File

@ -1,41 +0,0 @@
From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 16:42:39 -0400
Subject: [PATCH 11/11] kernel building hack
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index c5287c27e0c..27b8261bc17 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -202,6 +202,23 @@ main() {
"${input[@]}" "${output[@]}"
rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
elif [[ -n "${socket}" ]] ; then
+ ### welcome haaaaack city
+ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
+ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
+ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
+ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
+ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
+ client_cert[1]=kernel-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
+ client_cert[1]=grub2-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
+ client_cert[1]=fwupd-signer
+ fi
+ fi
+ fi
"${client}" "${client_token[@]}" "${client_cert[@]}" \
"${sattrout[@]}" "${certout[@]}" \
${sign} "${input[@]}" "${output[@]}"
--
2.26.2

105
0012-Use-run-not-var-run.patch
View File

@ -1,105 +0,0 @@
From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 16 Jul 2020 16:28:26 -0400
Subject: [PATCH] Use /run not /var/run
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.h | 4 ++--
src/Makefile | 2 +-
src/pesign-authorize | 2 +-
src/pesign.service.in | 2 +-
src/pesign.sysvinit.in | 10 +++++-----
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/daemon.h b/src/daemon.h
index 0368dc9256c..5fcd97ea717 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -51,8 +51,8 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
static inline uint32_t UNUSED
pesignd_string_size(char *buffer)
diff --git a/src/Makefile b/src/Makefile
index a7ca89159c6..f7fb5fc9ee5 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index c5448329c2c..2381302440c 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign/ ; do
+for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
diff --git a/src/pesign.service.in b/src/pesign.service.in
index c75a000892a..4ac2199bce2 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index b0e0f84ff0b..bf8edec8ff3 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
- mkdir /var/run/pesign 2>/dev/null &&
- chown pesign:pesign /var/run/pesign &&
- chmod 0770 /var/run/pesign
+ mkdir /run/pesign 2>/dev/null &&
+ chown pesign:pesign /run/pesign &&
+ chmod 0770 /run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
@@ -32,7 +32,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
--
2.26.2

35
0013-Turn-off-free-nonheap-object.patch
View File

@ -1,35 +0,0 @@
From 59428daf4863f192419eee4afec15cd099e99c9b Mon Sep 17 00:00:00 2001
From: Jeff Law <law@redhat.com>
Date: Mon, 16 Nov 2020 12:07:59 -0700
Subject: [PATCH] Turn off -Wfree-nonheap-object
authvar.c has a call to free (tokenname) where tokenname is set to a string constant
and never changed. That triggers GCC to issue a diagnostic that the value should not
be passed to free.
This is a false positive from GCC as the call is guarded by a suitable condition that
always happens to be false. But pesign is being built without optimization and thus
the condition and free call are not optimized away.
This patch just disables the warning. A better solution would be to fix the sources
or build with the optimizer enabled.
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index d4cd626..705cc3a 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto
cflags = $(CFLAGS) $(ARCH3264) \
-Wall -Wextra -Wsign-compare -Wno-unused-result \
-Wno-unused-function -Wno-missing-field-initializers \
- -Werror -Wno-error=cpp \
+ -Werror -Wno-error=cpp -Wno-free-nonheap-object \
-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
$(if $(filter $(CC),clang),$(clang_cflags), ) \
--
2.28.0

41
pesign.spec
View File

@ -2,28 +2,29 @@
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 113
Release: 18%{?dist}
License: GPLv2
Version: 114
Release: 1%{?dist}
License: GPL-2.0-only
URL: https://github.com/rhboot/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: make
BuildRequires: efivar-devel >= 31-1
BuildRequires: gcc
BuildRequires: git
BuildRequires: libuuid-devel
BuildRequires: make
BuildRequires: mandoc
BuildRequires: nspr
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: nss-tools
BuildRequires: nss-util
BuildRequires: popt-devel
BuildRequires: nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 31-1
BuildRequires: libuuid-devel
BuildRequires: python3
BuildRequires: python3-rpm-macros
BuildRequires: tar
BuildRequires: xz
BuildRequires: python3-rpm-macros
BuildRequires: python3
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
BuildRequires: systemd-rpm-macros
%endif
@ -43,20 +44,6 @@ Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{
Source1: certs.tar.xz
Source2: pesign.py
Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch
Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
Patch0004: 0004-Rename-var-run-to-run.patch
Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
Patch0007: 0007-client-remove-an-extra-debug-print.patch
Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
Patch0009: 0009-pesign-authorize-shellcheck.patch
Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
Patch0011: 0011-kernel-building-hack.patch
Patch0012: 0012-Use-run-not-var-run.patch
Patch0013: 0013-Turn-off-free-nonheap-object.patch
%description
This package contains the pesign utility for signing UEFI binaries as
well as other associated tools.
@ -141,7 +128,6 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%doc README TODO
%{_bindir}/authvar
%{_bindir}/efikeygen
%{_bindir}/efisiglist
%{_bindir}/pesigcheck
%{_bindir}/pesign
%{_bindir}/pesign-client
@ -168,6 +154,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Tue Feb 01 2022 Robbie Harwood <rharwood@redhat.com> - 114-1
- New upstream version (114)
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 113-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

2
sources
View File

@ -1,2 +1,2 @@
SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
SHA512 (pesign-113.tar.bz2) = 89c5e33bf6ac8f8dc4b65192e5fd4bf1fea285106d1de2a6ea02a8c5090f2ec5976b1d80c60e57f74fa56dc25b174a4dd5682292db44ab9aeab69ea992dfef36
SHA512 (pesign-114.tar.bz2) = 5465c002db6f59ab59799ec79504ed96662bc5da2310282d2e85fc1f03c938343d88927e764e595bf21c3501e599e529a4752281349097cdc74e616535179b3c