New upstream version (114)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
parent
98a054d3eb
commit
c7c4e0f825
@ -1,45 +0,0 @@
|
|||||||
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 14 May 2019 11:28:38 -0400
|
|
||||||
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
|
|
||||||
|
|
||||||
NSS 3.44 adds some certificate types, which changes a type and makes
|
|
||||||
some encoding stuff weird. As a result, we get:
|
|
||||||
|
|
||||||
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
|
|
||||||
In file included from /usr/local/include/nss/nss/cert.h:22,
|
|
||||||
from efikeygen.c:39:
|
|
||||||
efikeygen.c: In function 'add_cert_type':
|
|
||||||
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
|
|
||||||
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
|
|
||||||
^
|
|
||||||
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
|
|
||||||
unsigned char type = NS_CERT_TYPE_APP;
|
|
||||||
^~~~~~~~~~~~~~~~
|
|
||||||
cc1: all warnings being treated as errors
|
|
||||||
|
|
||||||
This is fixed by just making it an int.
|
|
||||||
|
|
||||||
Fixes github issue #48.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/efikeygen.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/efikeygen.c b/src/efikeygen.c
|
|
||||||
index ede76ef0b48..2cd953e9781 100644
|
|
||||||
--- a/src/efikeygen.c
|
|
||||||
+++ b/src/efikeygen.c
|
|
||||||
@@ -208,7 +208,7 @@ static int
|
|
||||||
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
|
|
||||||
{
|
|
||||||
SECItem bitStringValue;
|
|
||||||
- unsigned char type = NS_CERT_TYPE_APP;
|
|
||||||
+ int type = NS_CERT_TYPE_APP;
|
|
||||||
|
|
||||||
if (is_ca)
|
|
||||||
type |= NS_CERT_TYPE_SSL_CA |
|
|
||||||
--
|
|
||||||
2.23.0
|
|
||||||
|
|
@ -1,49 +0,0 @@
|
|||||||
From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 18 Feb 2020 16:28:56 -0500
|
|
||||||
Subject: [PATCH] pesigcheck: Fix a wrong assignment
|
|
||||||
|
|
||||||
gcc says:
|
|
||||||
|
|
||||||
pesigcheck.c: In function 'check_signature':
|
|
||||||
pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
|
|
||||||
321 | reason->type = siBuffer;
|
|
||||||
| ^
|
|
||||||
pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
|
|
||||||
333 | reason->type = siBuffer;
|
|
||||||
| ^
|
|
||||||
cc1: all warnings being treated as errors
|
|
||||||
|
|
||||||
And indeed, that line of code makes no sense at all - it was supposed to
|
|
||||||
be reason->sig.type.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/pesigcheck.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
|
|
||||||
index 524cce307bf..8fa0f1ad03d 100644
|
|
||||||
--- a/src/pesigcheck.c
|
|
||||||
+++ b/src/pesigcheck.c
|
|
||||||
@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
|
|
||||||
reason->type = SIGNATURE;
|
|
||||||
reason->sig.data = data;
|
|
||||||
reason->sig.len = datalen;
|
|
||||||
- reason->type = siBuffer;
|
|
||||||
+ reason->sig.type = siBuffer;
|
|
||||||
nreason += 1;
|
|
||||||
is_invalid = true;
|
|
||||||
}
|
|
||||||
@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
|
|
||||||
reason->type = SIGNATURE;
|
|
||||||
reason->sig.data = data;
|
|
||||||
reason->sig.len = datalen;
|
|
||||||
- reason->type = siBuffer;
|
|
||||||
+ reason->sig.type = siBuffer;
|
|
||||||
nreason += 1;
|
|
||||||
has_valid_cert = true;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
@ -1,317 +0,0 @@
|
|||||||
From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Thu, 11 Jun 2020 16:23:14 -0400
|
|
||||||
Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and
|
|
||||||
vise versa
|
|
||||||
|
|
||||||
This makes the version of the sign API that takes a file type optional,
|
|
||||||
and makes the client attempt to negotiate which version it's getting.
|
|
||||||
It also leaves the server able to still handle the version from before
|
|
||||||
the file type was added.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/client.c | 74 +++++++++++++++++++++++++++++++++++++---------------
|
|
||||||
src/daemon.c | 63 +++++++++++++++++++++++++++++---------------
|
|
||||||
src/daemon.h | 2 ++
|
|
||||||
3 files changed, 97 insertions(+), 42 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/client.c b/src/client.c
|
|
||||||
index aa373abd981..57bcc09cbe8 100644
|
|
||||||
--- a/src/client.c
|
|
||||||
+++ b/src/client.c
|
|
||||||
@@ -11,6 +11,7 @@
|
|
||||||
#include <fcntl.h>
|
|
||||||
#include <popt.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
+#include <stdbool.h>
|
|
||||||
#include <stddef.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <sys/socket.h>
|
|
||||||
@@ -84,8 +85,8 @@ connect_to_server(void)
|
|
||||||
static int32_t
|
|
||||||
check_response(int sd, char **srvmsg);
|
|
||||||
|
|
||||||
-static void
|
|
||||||
-check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
|
|
||||||
+static int
|
|
||||||
+check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit)
|
|
||||||
{
|
|
||||||
struct msghdr msg;
|
|
||||||
struct iovec iov[1];
|
|
||||||
@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
|
|
||||||
ssize_t n;
|
|
||||||
n = sendmsg(sd, &msg, 0);
|
|
||||||
if (n < 0) {
|
|
||||||
- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n");
|
|
||||||
+ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n");
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
|
|
||||||
|
|
||||||
char *srvmsg = NULL;
|
|
||||||
int32_t rc = check_response(sd, &srvmsg);
|
|
||||||
- if (rc < 0)
|
|
||||||
+
|
|
||||||
+ if (do_exit && rc < 0)
|
|
||||||
errx(1, "command \"%s\" not known by server", name);
|
|
||||||
- if (rc != version)
|
|
||||||
+
|
|
||||||
+ if (do_exit && rc != version)
|
|
||||||
errx(1, "command \"%s\": client version %d, server version %d",
|
|
||||||
name, version, rc);
|
|
||||||
+
|
|
||||||
+ if (rc < 0)
|
|
||||||
+ return rc;
|
|
||||||
+ return rc == version;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -134,7 +141,7 @@ send_kill_daemon(int sd)
|
|
||||||
struct iovec iov;
|
|
||||||
pesignd_msghdr pm;
|
|
||||||
|
|
||||||
- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0);
|
|
||||||
+ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true);
|
|
||||||
|
|
||||||
pm.version = PESIGND_VERSION;
|
|
||||||
pm.command = CMD_KILL_DAEMON;
|
|
||||||
@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin)
|
|
||||||
|
|
||||||
uint32_t size1 = pesignd_string_size(pin);
|
|
||||||
|
|
||||||
- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0);
|
|
||||||
+ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true);
|
|
||||||
|
|
||||||
pm.version = PESIGND_VERSION;
|
|
||||||
pm.command = CMD_UNLOCK_TOKEN;
|
|
||||||
@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname)
|
|
||||||
|
|
||||||
uint32_t size0 = pesignd_string_size(tokenname);
|
|
||||||
|
|
||||||
- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0);
|
|
||||||
+ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true);
|
|
||||||
|
|
||||||
pm.version = PESIGND_VERSION;
|
|
||||||
pm.command = CMD_IS_TOKEN_UNLOCKED;
|
|
||||||
@@ -452,6 +459,9 @@ static void
|
|
||||||
sign(int sd, char *infile, char *outfile, char *tokenname, char *certname,
|
|
||||||
int attached, uint32_t format)
|
|
||||||
{
|
|
||||||
+ int rc;
|
|
||||||
+ bool add_file_type;
|
|
||||||
+
|
|
||||||
int infd = open(infile, O_RDONLY);
|
|
||||||
if (infd < 0) {
|
|
||||||
fprintf(stderr, "pesign-client: could not open input file "
|
|
||||||
@@ -481,12 +491,28 @@ oom:
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED,
|
|
||||||
- attached ? "sign-attached" : "sign-detached", 0);
|
|
||||||
+ rc = check_cmd_version(sd,
|
|
||||||
+ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
|
|
||||||
+ : CMD_SIGN_DETACHED_WITH_FILE_TYPE,
|
|
||||||
+ attached ? "sign-attached" : "sign-detached",
|
|
||||||
+ 0, format == FORMAT_KERNEL_MODULE);
|
|
||||||
+ if (rc >= 0) {
|
|
||||||
+ add_file_type = true;
|
|
||||||
+ } else {
|
|
||||||
+ add_file_type = false;
|
|
||||||
+ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED
|
|
||||||
+ : CMD_SIGN_DETACHED,
|
|
||||||
+ attached ? "sign-attached" : "sign-detached",
|
|
||||||
+ 0, true);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
+ printf("add_file_type:%d\n", add_file_type);
|
|
||||||
pm->version = PESIGND_VERSION;
|
|
||||||
- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED;
|
|
||||||
- pm->size = size0 + size1 + sizeof(format);
|
|
||||||
+ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
|
|
||||||
+ : CMD_SIGN_ATTACHED)
|
|
||||||
+ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE
|
|
||||||
+ : CMD_SIGN_DETACHED);
|
|
||||||
+ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0);
|
|
||||||
iov[0].iov_base = pm;
|
|
||||||
iov[0].iov_len = sizeof (*pm);
|
|
||||||
|
|
||||||
@@ -503,25 +529,31 @@ oom:
|
|
||||||
}
|
|
||||||
|
|
||||||
char *buffer;
|
|
||||||
- buffer = malloc(size0 + size1);
|
|
||||||
+ buffer = malloc(pm->size);
|
|
||||||
if (!buffer)
|
|
||||||
goto oom;
|
|
||||||
|
|
||||||
- iov[0].iov_base = &format;
|
|
||||||
- iov[0].iov_len = sizeof(format);
|
|
||||||
+ int pos = 0;
|
|
||||||
+
|
|
||||||
+ if (add_file_type) {
|
|
||||||
+ iov[pos].iov_base = &format;
|
|
||||||
+ iov[pos].iov_len = sizeof(format);
|
|
||||||
+ pos++;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
pesignd_string *tn = (pesignd_string *)buffer;
|
|
||||||
pesignd_string_set(tn, tokenname);
|
|
||||||
- iov[1].iov_base = tn;
|
|
||||||
- iov[1].iov_len = size0;
|
|
||||||
+ iov[pos].iov_base = tn;
|
|
||||||
+ iov[pos].iov_len = size0;
|
|
||||||
+ pos++;
|
|
||||||
|
|
||||||
pesignd_string *cn = pesignd_string_next(tn);
|
|
||||||
pesignd_string_set(cn, certname);
|
|
||||||
- iov[2].iov_base = cn;
|
|
||||||
- iov[2].iov_len = size1;
|
|
||||||
+ iov[pos].iov_base = cn;
|
|
||||||
+ iov[pos].iov_len = size1;
|
|
||||||
|
|
||||||
msg.msg_iov = iov;
|
|
||||||
- msg.msg_iovlen = 3;
|
|
||||||
+ msg.msg_iovlen = add_file_type ? 3 : 2;
|
|
||||||
|
|
||||||
n = sendmsg(sd, &msg, 0);
|
|
||||||
if (n < 0) {
|
|
||||||
@@ -535,7 +567,7 @@ oom:
|
|
||||||
send_fd(sd, outfd);
|
|
||||||
|
|
||||||
char *srvmsg = NULL;
|
|
||||||
- int rc = check_response(sd, &srvmsg);
|
|
||||||
+ rc = check_response(sd, &srvmsg);
|
|
||||||
if (rc < 0) {
|
|
||||||
fprintf(stderr, "pesign-client: signing failed: \"%s\"\n",
|
|
||||||
srvmsg);
|
|
||||||
diff --git a/src/daemon.c b/src/daemon.c
|
|
||||||
index 9374d59be30..494beb9af72 100644
|
|
||||||
--- a/src/daemon.c
|
|
||||||
+++ b/src/daemon.c
|
|
||||||
@@ -12,6 +12,7 @@
|
|
||||||
#include <poll.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
#include <signal.h>
|
|
||||||
+#include <stdbool.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <string.h>
|
|
||||||
@@ -561,7 +562,7 @@ out:
|
|
||||||
|
|
||||||
static void
|
|
||||||
handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
|
|
||||||
- int attached)
|
|
||||||
+ int attached, bool with_file_type)
|
|
||||||
{
|
|
||||||
struct msghdr msg;
|
|
||||||
struct iovec iov;
|
|
||||||
@@ -585,8 +586,12 @@ oom:
|
|
||||||
|
|
||||||
n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
|
|
||||||
|
|
||||||
- file_format = *((uint32_t *) buffer);
|
|
||||||
- n -= sizeof(uint32_t);
|
|
||||||
+ if (with_file_type) {
|
|
||||||
+ file_format = *((uint32_t *) buffer);
|
|
||||||
+ n -= sizeof(uint32_t);
|
|
||||||
+ } else {
|
|
||||||
+ file_format = FORMAT_PE_BINARY;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t));
|
|
||||||
if (n < (long long)sizeof(tn->size)) {
|
|
||||||
@@ -666,34 +671,44 @@ finish:
|
|
||||||
teardown_digests(ctx->cms);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static inline void
|
|
||||||
+handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size,
|
|
||||||
+ int attached, bool with_file_type)
|
|
||||||
+{
|
|
||||||
+ int rc = cms_context_alloc(&ctx->cms);
|
|
||||||
+ if (rc < 0)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ steal_from_cms(ctx->backup_cms, ctx->cms);
|
|
||||||
+
|
|
||||||
+ handle_signing(ctx, pollfd, size, attached, with_file_type);
|
|
||||||
+
|
|
||||||
+ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
|
|
||||||
+ cms_context_fini(ctx->cms);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void
|
|
||||||
handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
|
|
||||||
{
|
|
||||||
- int rc = cms_context_alloc(&ctx->cms);
|
|
||||||
- if (rc < 0)
|
|
||||||
- return;
|
|
||||||
+ handle_sign_helper(ctx, pollfd, size, 1, false);
|
|
||||||
+}
|
|
||||||
|
|
||||||
- steal_from_cms(ctx->backup_cms, ctx->cms);
|
|
||||||
-
|
|
||||||
- handle_signing(ctx, pollfd, size, 1);
|
|
||||||
-
|
|
||||||
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
|
|
||||||
- cms_context_fini(ctx->cms);
|
|
||||||
+static void
|
|
||||||
+handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
|
|
||||||
+{
|
|
||||||
+ handle_sign_helper(ctx, pollfd, size, 1, true);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
|
|
||||||
{
|
|
||||||
- int rc = cms_context_alloc(&ctx->cms);
|
|
||||||
- if (rc < 0)
|
|
||||||
- return;
|
|
||||||
+ handle_sign_helper(ctx, pollfd, size, 0, false);
|
|
||||||
+}
|
|
||||||
|
|
||||||
- steal_from_cms(ctx->backup_cms, ctx->cms);
|
|
||||||
-
|
|
||||||
- handle_signing(ctx, pollfd, size, 0);
|
|
||||||
-
|
|
||||||
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
|
|
||||||
- cms_context_fini(ctx->cms);
|
|
||||||
+static void
|
|
||||||
+handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
|
|
||||||
+{
|
|
||||||
+ handle_sign_helper(ctx, pollfd, size, 0, true);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = {
|
|
||||||
{ CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 },
|
|
||||||
{ CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 },
|
|
||||||
{ CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 },
|
|
||||||
+ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
|
|
||||||
+ handle_sign_attached_with_file_type,
|
|
||||||
+ "sign-attached-with-file-type", 0 },
|
|
||||||
+ { CMD_SIGN_DETACHED_WITH_FILE_TYPE,
|
|
||||||
+ handle_sign_detached_with_file_type,
|
|
||||||
+ "sign-detached-with-file-type", 0 },
|
|
||||||
{ CMD_RESPONSE, NULL, "response", 0 },
|
|
||||||
{ CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked,
|
|
||||||
"is-token-unlocked", 0 },
|
|
||||||
diff --git a/src/daemon.h b/src/daemon.h
|
|
||||||
index dd430512f1a..834d62c72d0 100644
|
|
||||||
--- a/src/daemon.h
|
|
||||||
+++ b/src/daemon.h
|
|
||||||
@@ -33,6 +33,8 @@ typedef enum {
|
|
||||||
CMD_RESPONSE,
|
|
||||||
CMD_IS_TOKEN_UNLOCKED,
|
|
||||||
CMD_GET_CMD_VERSION,
|
|
||||||
+ CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
|
|
||||||
+ CMD_SIGN_DETACHED_WITH_FILE_TYPE,
|
|
||||||
CMD_LIST_END
|
|
||||||
} pesignd_cmd;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,46 +0,0 @@
|
|||||||
From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Fri, 12 Jun 2020 11:49:44 -0400
|
|
||||||
Subject: [PATCH] Rename /var/run/ to /run/
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/macros.pesign | 12 ++++++------
|
|
||||||
src/tmpfiles.conf | 2 +-
|
|
||||||
2 files changed, 7 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
|
||||||
index 56f75cafbc4..5a6da1c6809 100644
|
|
||||||
--- a/src/macros.pesign
|
|
||||||
+++ b/src/macros.pesign
|
|
||||||
@@ -45,14 +45,14 @@
|
|
||||||
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
|
||||||
elif [ "$(id -un)" == "kojibuilder" -a \\\
|
|
||||||
grep -q ID=fedora /etc/os-release -a \\\
|
|
||||||
- ! -S /var/run/pesign/socket ]; then \
|
|
||||||
+ ! -S /run/pesign/socket ]; then \
|
|
||||||
echo "No socket even though this is kojibuilder" 1>&2 \
|
|
||||||
- ls -ld /var/run/pesign 1>&2 \
|
|
||||||
- ls -l /var/run/pesign/socket 1>&2 \
|
|
||||||
- getfacl /var/run/pesign 1>&2 \
|
|
||||||
- getfacl /var/run/pesign/socket 1>&2 \
|
|
||||||
+ ls -ld /run/pesign 1>&2 \
|
|
||||||
+ ls -l /run/pesign/socket 1>&2 \
|
|
||||||
+ getfacl /run/pesign 1>&2 \
|
|
||||||
+ getfacl /run/pesign/socket 1>&2 \
|
|
||||||
exit 1 \
|
|
||||||
- elif [ -S /var/run/pesign/socket ]; then \
|
|
||||||
+ elif [ -S /run/pesign/socket ]; then \
|
|
||||||
%{_pesign_client} -t %{__pesign_client_token} \\\
|
|
||||||
-c %{__pesign_client_cert} \\\
|
|
||||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
|
||||||
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
|
|
||||||
index c1cf35597d8..3375ad52a44 100644
|
|
||||||
--- a/src/tmpfiles.conf
|
|
||||||
+++ b/src/tmpfiles.conf
|
|
||||||
@@ -1 +1 @@
|
|
||||||
-D /var/run/pesign 0770 pesign pesign -
|
|
||||||
+D /run/pesign 0770 pesign pesign -
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,30 +0,0 @@
|
|||||||
From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jeremy Cline <jcline@redhat.com>
|
|
||||||
Date: Tue, 18 Feb 2020 16:37:53 -0500
|
|
||||||
Subject: [PATCH] Apparently opensc got updated and the token name changed
|
|
||||||
|
|
||||||
All the kernel builds started failing yesterday because the signing
|
|
||||||
token could not be found. Update the token name in the macro shipped by
|
|
||||||
pesign.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/macros.pesign | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
|
||||||
index 7c5cba170e9..56f75cafbc4 100644
|
|
||||||
--- a/src/macros.pesign
|
|
||||||
+++ b/src/macros.pesign
|
|
||||||
@@ -9,7 +9,7 @@
|
|
||||||
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
|
||||||
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
|
||||||
|
|
||||||
-%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
|
|
||||||
+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
|
|
||||||
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
|
||||||
|
|
||||||
%_pesign /usr/bin/pesign
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,86 +0,0 @@
|
|||||||
From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Mon, 6 Jul 2020 16:13:09 -0400
|
|
||||||
Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/client.c | 40 +++++++++++++++++++++++++++++-----------
|
|
||||||
1 file changed, 29 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/client.c b/src/client.c
|
|
||||||
index 2119ef33bf8..a38383415d5 100644
|
|
||||||
--- a/src/client.c
|
|
||||||
+++ b/src/client.c
|
|
||||||
@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
|
||||||
-connect_to_server(void)
|
|
||||||
+connect_to_server_helper(const char * const sockpath)
|
|
||||||
{
|
|
||||||
- int rc = access(SOCKPATH, R_OK);
|
|
||||||
+ int rc = access(sockpath, R_OK);
|
|
||||||
if (rc != 0) {
|
|
||||||
- fprintf(stderr, "pesign-client: could not connect to server: "
|
|
||||||
- "%m\n");
|
|
||||||
- exit(1);
|
|
||||||
+ warn("could not access socket \"%s\"", sockpath);
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
struct sockaddr_un addr_un = {
|
|
||||||
.sun_family = AF_UNIX,
|
|
||||||
- .sun_path = SOCKPATH,
|
|
||||||
};
|
|
||||||
+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
|
|
||||||
+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
|
|
||||||
|
|
||||||
int sd = socket(AF_UNIX, SOCK_STREAM, 0);
|
|
||||||
if (sd < 0) {
|
|
||||||
- fprintf(stderr, "pesign-client: could not open socket: %m\n");
|
|
||||||
- exit(1);
|
|
||||||
+ warn("could not open socket \"%s\"", sockpath);
|
|
||||||
+ return sd;
|
|
||||||
}
|
|
||||||
|
|
||||||
socklen_t len = strlen(addr_un.sun_path) +
|
|
||||||
@@ -74,14 +74,32 @@ connect_to_server(void)
|
|
||||||
|
|
||||||
rc = connect(sd, (struct sockaddr *)&addr_un, len);
|
|
||||||
if (rc < 0) {
|
|
||||||
- fprintf(stderr, "pesign-client: could not connect to daemon: "
|
|
||||||
- "%m\n");
|
|
||||||
- exit(1);
|
|
||||||
+ warn("could not connect to daemon");
|
|
||||||
+ return sd;
|
|
||||||
}
|
|
||||||
|
|
||||||
return sd;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+connect_to_server(void)
|
|
||||||
+{
|
|
||||||
+ int rc, i;
|
|
||||||
+ const char * const sockets[] = {
|
|
||||||
+ "/run/pesign/socket",
|
|
||||||
+ "/var/run/pesign/socket",
|
|
||||||
+ NULL
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ for (i = 0; sockets[i] != NULL; i++) {
|
|
||||||
+ rc = connect_to_server_helper(sockets[i]);
|
|
||||||
+ if (rc >= 0)
|
|
||||||
+ return rc;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ exit(1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int32_t
|
|
||||||
check_response(int sd, char **srvmsg);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,25 +0,0 @@
|
|||||||
From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 14 Jul 2020 16:44:09 -0400
|
|
||||||
Subject: [PATCH 07/11] client: remove an extra debug print
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/client.c | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/client.c b/src/client.c
|
|
||||||
index 0082be1f597..c9966295e5f 100644
|
|
||||||
--- a/src/client.c
|
|
||||||
+++ b/src/client.c
|
|
||||||
@@ -536,7 +536,6 @@ oom:
|
|
||||||
0, true);
|
|
||||||
}
|
|
||||||
|
|
||||||
- printf("add_file_type:%d\n", add_file_type);
|
|
||||||
pm->version = PESIGND_VERSION;
|
|
||||||
pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
|
|
||||||
: CMD_SIGN_ATTACHED)
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,379 +0,0 @@
|
|||||||
From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Mon, 6 Jul 2020 13:54:35 -0400
|
|
||||||
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
Make.defaults | 1 +
|
|
||||||
src/Makefile | 8 +-
|
|
||||||
src/macros.pesign | 74 ++++--------
|
|
||||||
src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
|
|
||||||
4 files changed, 252 insertions(+), 53 deletions(-)
|
|
||||||
create mode 100644 src/pesign-rpmbuild-helper.in
|
|
||||||
|
|
||||||
diff --git a/Make.defaults b/Make.defaults
|
|
||||||
index 0bacafe0d01..d4cd626c11e 100644
|
|
||||||
--- a/Make.defaults
|
|
||||||
+++ b/Make.defaults
|
|
||||||
@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
|
|
||||||
|
|
||||||
INSTALL ?= install
|
|
||||||
CROSS_COMPILE ?=
|
|
||||||
+EFI_ARCHES ?= aa64 ia32 x64
|
|
||||||
|
|
||||||
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
|
|
||||||
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
|
|
||||||
diff --git a/src/Makefile b/src/Makefile
|
|
||||||
index 74327ba13f3..a7ca89159c6 100644
|
|
||||||
--- a/src/Makefile
|
|
||||||
+++ b/src/Makefile
|
|
||||||
@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
|
|
||||||
include $(TOPDIR)/Make.rules
|
|
||||||
include $(TOPDIR)/Make.defaults
|
|
||||||
|
|
||||||
-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
|
|
||||||
+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
|
|
||||||
SVCTARGETS=pesign.sysvinit pesign.service
|
|
||||||
TARGETS=$(BINTARGETS) $(SVCTARGETS)
|
|
||||||
|
|
||||||
@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
|
|
||||||
pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
|
|
||||||
pesign : PKGS=efivar nss nspr popt
|
|
||||||
|
|
||||||
+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
|
|
||||||
+ sed \
|
|
||||||
+ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
|
|
||||||
+ $^ > $@
|
|
||||||
+
|
|
||||||
deps : PKGS=efivar nss nspr popt uuid
|
|
||||||
deps : $(ALL_SOURCES)
|
|
||||||
$(MAKE) -f $(TOPDIR)/Make.deps \
|
|
||||||
@@ -94,6 +99,7 @@ install :
|
|
||||||
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
|
||||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
|
||||||
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
|
||||||
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
|
|
||||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
|
||||||
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
|
|
||||||
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
|
|
||||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
|
||||||
index 5a6da1c6809..2e984b4eeb3 100644
|
|
||||||
--- a/src/macros.pesign
|
|
||||||
+++ b/src/macros.pesign
|
|
||||||
@@ -6,7 +6,7 @@
|
|
||||||
# %pesign -s -i shim.orig -o shim.efi
|
|
||||||
# And magically get the right thing.
|
|
||||||
|
|
||||||
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
|
||||||
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
|
|
||||||
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
|
||||||
|
|
||||||
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
|
|
||||||
@@ -24,54 +24,24 @@
|
|
||||||
# -a <input ca cert filename> # rhel only
|
|
||||||
# -s # perform signing
|
|
||||||
%pesign(i:o:C:e:c:n:a:s) \
|
|
||||||
- _pesign_nssdir=/etc/pki/pesign \
|
|
||||||
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
|
|
||||||
- _pesign_nssdir=/etc/pki/pesign-rh-test \
|
|
||||||
- fi \
|
|
||||||
- if [ -x %{_pesign} ] && \\\
|
|
||||||
- [ "%{_target_cpu}" == "x86_64" -o \\\
|
|
||||||
- "%{_target_cpu}" == "aarch64" ]; then \
|
|
||||||
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
|
|
||||||
- nss=$(mktemp -p $PWD -d) \
|
|
||||||
- echo > ${nss}/pwfile \
|
|
||||||
- certutil -N -d ${nss} -f ${nss}/pwfile \
|
|
||||||
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
|
||||||
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
|
||||||
- sattrs=$(mktemp -p $PWD --suffix=.der) \
|
|
||||||
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
|
|
||||||
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
|
|
||||||
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
|
||||||
- --certdir ${nss} -c signer %{-o} \
|
|
||||||
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
|
||||||
- elif [ "$(id -un)" == "kojibuilder" -a \\\
|
|
||||||
- grep -q ID=fedora /etc/os-release -a \\\
|
|
||||||
- ! -S /run/pesign/socket ]; then \
|
|
||||||
- echo "No socket even though this is kojibuilder" 1>&2 \
|
|
||||||
- ls -ld /run/pesign 1>&2 \
|
|
||||||
- ls -l /run/pesign/socket 1>&2 \
|
|
||||||
- getfacl /run/pesign 1>&2 \
|
|
||||||
- getfacl /run/pesign/socket 1>&2 \
|
|
||||||
- exit 1 \
|
|
||||||
- elif [ -S /run/pesign/socket ]; then \
|
|
||||||
- %{_pesign_client} -t %{__pesign_client_token} \\\
|
|
||||||
- -c %{__pesign_client_cert} \\\
|
|
||||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
|
||||||
- else \
|
|
||||||
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
|
||||||
- --certdir ${_pesign_nssdir} \\\
|
|
||||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
|
||||||
- fi \
|
|
||||||
- else \
|
|
||||||
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
|
|
||||||
- mv %{-i*} %{-o*} \
|
|
||||||
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
|
|
||||||
- touch %{-e*} \
|
|
||||||
- fi \
|
|
||||||
- fi \
|
|
||||||
- if [ ! -s %{-o} ]; then \
|
|
||||||
- if [ -e "%{-o*}" ]; then \
|
|
||||||
- rm -f %{-o*} \
|
|
||||||
- fi \
|
|
||||||
- exit 1 \
|
|
||||||
- fi ;
|
|
||||||
-
|
|
||||||
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
|
|
||||||
+ "%{_target_cpu}" \\\
|
|
||||||
+ "%{_pesign}" \\\
|
|
||||||
+ "%{_pesign_client}" \\\
|
|
||||||
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
|
|
||||||
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
|
|
||||||
+ %{?__pesign_token:%{__pesign_token}} \\\
|
|
||||||
+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\
|
|
||||||
+ %{?_buildhost:--hostname "%{_buildhost}"} \\\
|
|
||||||
+ %{?vendor:--vendor "%{vendor}"} \\\
|
|
||||||
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
|
|
||||||
+ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
|
|
||||||
+ %{?-a:--rhelcafile "%{-a*}"} \\\
|
|
||||||
+ %{?-c:--rhelcertfile "%{-c*}"} \\\
|
|
||||||
+ %{?-C:--certout "%{-C*}"} \\\
|
|
||||||
+ %{?-e:--sattrout "%{-e*}"} \\\
|
|
||||||
+ %{?-i:--in "%{-i*}"} \\\
|
|
||||||
+ %{?-o:--out "%{-o*}"} \\\
|
|
||||||
+ %{?-s:--sign} \\\
|
|
||||||
+ ; \
|
|
||||||
+%{nil}
|
|
||||||
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000000..c5287c27e0c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/src/pesign-rpmbuild-helper.in
|
|
||||||
@@ -0,0 +1,222 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+# shellcheck shell=bash
|
|
||||||
+
|
|
||||||
+set -eu
|
|
||||||
+set -x
|
|
||||||
+
|
|
||||||
+usage() {
|
|
||||||
+ local status="${1}" && shift
|
|
||||||
+ local out
|
|
||||||
+ if [[ "${status}" -eq 0 ]] ; then
|
|
||||||
+ out=/dev/stdout
|
|
||||||
+ else
|
|
||||||
+ out=/dev/stderr
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [[ $# -gt 0 ]] ; then
|
|
||||||
+ echo "${0}: error: $*" >>"${out}"
|
|
||||||
+ fi
|
|
||||||
+ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
|
|
||||||
+ exit "${status}"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+is_efi_arch() {
|
|
||||||
+ local arch="${1}"
|
|
||||||
+ local arches=(@@EFI_ARCHES@@)
|
|
||||||
+ local x
|
|
||||||
+ for x in "${arches[@]}" ; do
|
|
||||||
+ if [[ "${arch}" = "${x}" ]] ; then
|
|
||||||
+ return 0
|
|
||||||
+ fi
|
|
||||||
+ done
|
|
||||||
+ return 1
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+error_on_empty() {
|
|
||||||
+ local f="${1}"
|
|
||||||
+ if [[ ! -s "${f}" ]] ; then
|
|
||||||
+ if [[ -e "${f}" ]] ; then
|
|
||||||
+ rm -f "${f}"
|
|
||||||
+ fi
|
|
||||||
+ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
|
|
||||||
+ exit 1
|
|
||||||
+ fi
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+main() {
|
|
||||||
+ if [[ $# -lt 3 ]] ; then
|
|
||||||
+ usage 1 not enough arguments
|
|
||||||
+ fi
|
|
||||||
+ local target_cpu="${1}" && shift
|
|
||||||
+ local bin="${1}" && shift
|
|
||||||
+ local client="${1}" && shift
|
|
||||||
+
|
|
||||||
+ local rhelcafile="" || :
|
|
||||||
+ local rhelcertfile="" || :
|
|
||||||
+
|
|
||||||
+ local certout=() || :
|
|
||||||
+ local sattrout=() || :
|
|
||||||
+ local input=() || :
|
|
||||||
+ local output=() || :
|
|
||||||
+ local client_token=() || :
|
|
||||||
+ local client_cert=() || :
|
|
||||||
+ local token=() || :
|
|
||||||
+ local cert=() || :
|
|
||||||
+ local rhelcert=() || :
|
|
||||||
+ local rhelver=0 || :
|
|
||||||
+ local sign="" || :
|
|
||||||
+ local arch="" || :
|
|
||||||
+ local vendor="" || :
|
|
||||||
+ local HOSTNAME="" || :
|
|
||||||
+
|
|
||||||
+ while [[ $# -ge 2 ]] ; do
|
|
||||||
+ case " ${1} " in
|
|
||||||
+ " --rhelcafile ")
|
|
||||||
+ rhelcafile="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --rhelcertfile ")
|
|
||||||
+ rhelcertfile="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --hostname ")
|
|
||||||
+ HOSTNAME="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --certout ")
|
|
||||||
+ certout[0]=-C
|
|
||||||
+ certout[1]="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --sattrout ")
|
|
||||||
+ sattrout[0]=-e
|
|
||||||
+ sattrout[1]="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --client-token ")
|
|
||||||
+ client_token[0]=-t
|
|
||||||
+ client_token[1]="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --client-cert ")
|
|
||||||
+ client_cert[0]=-c
|
|
||||||
+ client_cert[1]="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --token ")
|
|
||||||
+ token[0]=-t
|
|
||||||
+ token[1]="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --cert ")
|
|
||||||
+ cert[0]=-c
|
|
||||||
+ cert[1]="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --rhelcert ")
|
|
||||||
+ rhelcert[0]=-c
|
|
||||||
+ rhelcert[1]="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --in ")
|
|
||||||
+ input[0]=-i
|
|
||||||
+ input[1]="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --out ")
|
|
||||||
+ output[0]=-o
|
|
||||||
+ output[1]="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --rhelver ")
|
|
||||||
+ rhelver="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ " --vendor ")
|
|
||||||
+ vendor="${2}"
|
|
||||||
+ ;;
|
|
||||||
+ *)
|
|
||||||
+ break
|
|
||||||
+ ;;
|
|
||||||
+ esac
|
|
||||||
+ shift
|
|
||||||
+ shift
|
|
||||||
+ done
|
|
||||||
+ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
|
|
||||||
+ sign=-s
|
|
||||||
+ shift
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [[ -z "${target_cpu}" ]] ; then
|
|
||||||
+ target_cpu="$(uname -m)"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ target_cpu="${target_cpu/i?86/ia32}"
|
|
||||||
+ target_cpu="${target_cpu/x86_64/x64}"
|
|
||||||
+ target_cpu="${target_cpu/aarch64/aa64}"
|
|
||||||
+ target_cpu="${target_cpu/arm*/arm/}"
|
|
||||||
+
|
|
||||||
+ local nssdir=/etc/pki/pesign
|
|
||||||
+ if [[ "${#cert[@]}" -eq 2 ]] &&
|
|
||||||
+ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
|
|
||||||
+ nssdir=/etc/pki/pesign-rh-test
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ # is_efi_arch is ultimately returning "is pesign configured to sign these
|
|
||||||
+ # using the rpm macro", so if it isn't, we're just copying the input to
|
|
||||||
+ # the output
|
|
||||||
+ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
|
|
||||||
+ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
|
|
||||||
+ cp -v "${input[1]}" "${output[1]}"
|
|
||||||
+ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
|
|
||||||
+ touch "${sattrout[1]}"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ # if there's a 0-sized output file, delete it and error out
|
|
||||||
+ error_on_empty "${output[1]}"
|
|
||||||
+ return 0
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ USERNAME="${USERNAME:-$(id -un)}"
|
|
||||||
+
|
|
||||||
+ local socket="" || :
|
|
||||||
+ if grep -q ID=fedora /etc/os-release \
|
|
||||||
+ && [[ "${rhelver}" -lt 7 ]] \
|
|
||||||
+ && [[ "${USERNAME}" = "mockbuild" ]] \
|
|
||||||
+ && [[ "${vendor}" = "Fedora Project" ]] \
|
|
||||||
+ && [[ "${HOSTNAME}" =~ bkernel.* ]]
|
|
||||||
+ then
|
|
||||||
+ if [[ -S /run/pesign/socket ]] ; then
|
|
||||||
+ socket=/run/pesign/socket
|
|
||||||
+ elif [[ -S /var/run/pesign/socket ]]; then
|
|
||||||
+ socket=/var/run/pesign/socket
|
|
||||||
+ else
|
|
||||||
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
|
|
||||||
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
|
|
||||||
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
|
|
||||||
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
|
|
||||||
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
|
|
||||||
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [[ "${rhelver}" -ge 7 ]] ; then
|
|
||||||
+ nssdir="$(mktemp -p "${PWD}" -d)"
|
|
||||||
+ echo > "${nssdir}/pwfile"
|
|
||||||
+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
|
|
||||||
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
|
|
||||||
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
|
|
||||||
+ sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
|
|
||||||
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
|
|
||||||
+ "${input[@]}" --force
|
|
||||||
+ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
|
|
||||||
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
|
|
||||||
+ --certdir "${nssdir}" -c signer \
|
|
||||||
+ "${input[@]}" "${output[@]}"
|
|
||||||
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
|
|
||||||
+ elif [[ -n "${socket}" ]] ; then
|
|
||||||
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
|
|
||||||
+ "${sattrout[@]}" "${certout[@]}" \
|
|
||||||
+ ${sign} "${input[@]}" "${output[@]}"
|
|
||||||
+ else
|
|
||||||
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
|
|
||||||
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
|
|
||||||
+ "${certout[@]}" "${input[@]}" "${output[@]}"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ # if there's a 0-sized output file, delete it and error out
|
|
||||||
+ if [[ "${#output[@]}" -eq 2 ]] ; then
|
|
||||||
+ error_on_empty "${output[1]}"
|
|
||||||
+ fi
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+main "${@}"
|
|
||||||
+
|
|
||||||
+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,60 +0,0 @@
|
|||||||
From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 14 Jul 2020 15:07:32 -0400
|
|
||||||
Subject: [PATCH 09/11] pesign-authorize: shellcheck
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/pesign-authorize | 16 ++++++++--------
|
|
||||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
|
||||||
index a496f601ab4..55cd5c4e55b 100755
|
|
||||||
--- a/src/pesign-authorize
|
|
||||||
+++ b/src/pesign-authorize
|
|
||||||
@@ -12,21 +12,21 @@ set -u
|
|
||||||
# License: GPLv2
|
|
||||||
declare -a fileusers=()
|
|
||||||
declare -a dirusers=()
|
|
||||||
-for user in $(cat /etc/pesign/users); do
|
|
||||||
+while read -r user ; do
|
|
||||||
dirusers[${#dirusers[@]}]=-m
|
|
||||||
dirusers[${#dirusers[@]}]="u:$user:rwx"
|
|
||||||
fileusers[${#fileusers[@]}]=-m
|
|
||||||
fileusers[${#fileusers[@]}]="u:$user:rw"
|
|
||||||
-done
|
|
||||||
+done </etc/pesign/users
|
|
||||||
|
|
||||||
declare -a filegroups=()
|
|
||||||
declare -a dirgroups=()
|
|
||||||
-for group in $(cat /etc/pesign/groups); do
|
|
||||||
+while read -r group ; do
|
|
||||||
dirgroups[${#dirgroups[@]}]=-m
|
|
||||||
dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
|
||||||
filegroups[${#filegroups[@]}]=-m
|
|
||||||
filegroups[${#filegroups[@]}]="g:$group:rw"
|
|
||||||
-done
|
|
||||||
+done </etc/pesign/groups
|
|
||||||
|
|
||||||
update_subdir() {
|
|
||||||
subdir=$1 && shift
|
|
||||||
@@ -35,12 +35,12 @@ update_subdir() {
|
|
||||||
setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
|
||||||
for x in "${subdir}"* ; do
|
|
||||||
if [ -d "${x}" ]; then
|
|
||||||
- setfacl -bk ${x}
|
|
||||||
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
|
||||||
+ setfacl -bk "${x}"
|
|
||||||
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
|
|
||||||
update_subdir "${x}/"
|
|
||||||
elif [ -e "${x}" ]; then
|
|
||||||
- setfacl -bk ${x}
|
|
||||||
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
|
||||||
+ setfacl -bk "${x}"
|
|
||||||
+ setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
|
|
||||||
else
|
|
||||||
:;
|
|
||||||
fi
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 14 Jul 2020 15:08:15 -0400
|
|
||||||
Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/pesign-authorize | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
|
||||||
index 55cd5c4e55b..c5448329c2c 100755
|
|
||||||
--- a/src/pesign-authorize
|
|
||||||
+++ b/src/pesign-authorize
|
|
||||||
@@ -47,7 +47,7 @@ update_subdir() {
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
|
|
||||||
+for x in /var/run/pesign/ /etc/pki/pesign/ ; do
|
|
||||||
if [ -d "${x}" ]; then
|
|
||||||
update_subdir "${x}"
|
|
||||||
else
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Tue, 14 Jul 2020 16:42:39 -0400
|
|
||||||
Subject: [PATCH 11/11] kernel building hack
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++
|
|
||||||
1 file changed, 17 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
|
|
||||||
index c5287c27e0c..27b8261bc17 100644
|
|
||||||
--- a/src/pesign-rpmbuild-helper.in
|
|
||||||
+++ b/src/pesign-rpmbuild-helper.in
|
|
||||||
@@ -202,6 +202,23 @@ main() {
|
|
||||||
"${input[@]}" "${output[@]}"
|
|
||||||
rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
|
|
||||||
elif [[ -n "${socket}" ]] ; then
|
|
||||||
+ ### welcome haaaaack city
|
|
||||||
+ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
|
|
||||||
+ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
|
|
||||||
+ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
|
|
||||||
+ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
|
|
||||||
+ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
|
|
||||||
+ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
|
|
||||||
+ client_cert[1]=kernel-signer
|
|
||||||
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
|
|
||||||
+ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
|
|
||||||
+ client_cert[1]=grub2-signer
|
|
||||||
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
|
|
||||||
+ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
|
|
||||||
+ client_cert[1]=fwupd-signer
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
"${client}" "${client_token[@]}" "${client_cert[@]}" \
|
|
||||||
"${sattrout[@]}" "${certout[@]}" \
|
|
||||||
${sign} "${input[@]}" "${output[@]}"
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,105 +0,0 @@
|
|||||||
From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Thu, 16 Jul 2020 16:28:26 -0400
|
|
||||||
Subject: [PATCH] Use /run not /var/run
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
---
|
|
||||||
src/daemon.h | 4 ++--
|
|
||||||
src/Makefile | 2 +-
|
|
||||||
src/pesign-authorize | 2 +-
|
|
||||||
src/pesign.service.in | 2 +-
|
|
||||||
src/pesign.sysvinit.in | 10 +++++-----
|
|
||||||
5 files changed, 10 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/daemon.h b/src/daemon.h
|
|
||||||
index 0368dc9256c..5fcd97ea717 100644
|
|
||||||
--- a/src/daemon.h
|
|
||||||
+++ b/src/daemon.h
|
|
||||||
@@ -51,8 +51,8 @@ typedef enum {
|
|
||||||
} pesignd_cmd;
|
|
||||||
|
|
||||||
#define PESIGND_VERSION 0x2a9edaf0
|
|
||||||
-#define SOCKPATH "/var/run/pesign/socket"
|
|
||||||
-#define PIDFILE "/var/run/pesign.pid"
|
|
||||||
+#define SOCKPATH "/run/pesign/socket"
|
|
||||||
+#define PIDFILE "/run/pesign.pid"
|
|
||||||
|
|
||||||
static inline uint32_t UNUSED
|
|
||||||
pesignd_string_size(char *buffer)
|
|
||||||
diff --git a/src/Makefile b/src/Makefile
|
|
||||||
index a7ca89159c6..f7fb5fc9ee5 100644
|
|
||||||
--- a/src/Makefile
|
|
||||||
+++ b/src/Makefile
|
|
||||||
@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit
|
|
||||||
install :
|
|
||||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
|
||||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
|
||||||
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
|
|
||||||
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
|
|
||||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
|
|
||||||
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
|
|
||||||
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
|
|
||||||
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
|
||||||
index c5448329c2c..2381302440c 100755
|
|
||||||
--- a/src/pesign-authorize
|
|
||||||
+++ b/src/pesign-authorize
|
|
||||||
@@ -47,7 +47,7 @@ update_subdir() {
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
-for x in /var/run/pesign/ /etc/pki/pesign/ ; do
|
|
||||||
+for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do
|
|
||||||
if [ -d "${x}" ]; then
|
|
||||||
update_subdir "${x}"
|
|
||||||
else
|
|
||||||
diff --git a/src/pesign.service.in b/src/pesign.service.in
|
|
||||||
index c75a000892a..4ac2199bce2 100644
|
|
||||||
--- a/src/pesign.service.in
|
|
||||||
+++ b/src/pesign.service.in
|
|
||||||
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
|
|
||||||
[Service]
|
|
||||||
PrivateTmp=true
|
|
||||||
Type=forking
|
|
||||||
-PIDFile=/var/run/pesign.pid
|
|
||||||
+PIDFile=/run/pesign.pid
|
|
||||||
ExecStart=/usr/bin/pesign --daemonize
|
|
||||||
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
|
||||||
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
|
|
||||||
index b0e0f84ff0b..bf8edec8ff3 100644
|
|
||||||
--- a/src/pesign.sysvinit.in
|
|
||||||
+++ b/src/pesign.sysvinit.in
|
|
||||||
@@ -4,7 +4,7 @@
|
|
||||||
#
|
|
||||||
# chkconfig: - 50 50
|
|
||||||
# processname: /usr/bin/pesign
|
|
||||||
-# pidfile: /var/run/pesign.pid
|
|
||||||
+# pidfile: /run/pesign.pid
|
|
||||||
### BEGIN INIT INFO
|
|
||||||
# Provides: pesign
|
|
||||||
# Default-Start:
|
|
||||||
@@ -20,9 +20,9 @@ RETVAL=0
|
|
||||||
|
|
||||||
start(){
|
|
||||||
echo -n "Starting pesign: "
|
|
||||||
- mkdir /var/run/pesign 2>/dev/null &&
|
|
||||||
- chown pesign:pesign /var/run/pesign &&
|
|
||||||
- chmod 0770 /var/run/pesign
|
|
||||||
+ mkdir /run/pesign 2>/dev/null &&
|
|
||||||
+ chown pesign:pesign /run/pesign &&
|
|
||||||
+ chmod 0770 /run/pesign
|
|
||||||
daemon /usr/bin/pesign --daemonize
|
|
||||||
RETVAL=$?
|
|
||||||
echo
|
|
||||||
@@ -32,7 +32,7 @@ start(){
|
|
||||||
|
|
||||||
stop(){
|
|
||||||
echo -n "Stopping pesign: "
|
|
||||||
- killproc -p /var/run/pesign.pid pesignd
|
|
||||||
+ killproc -p /run/pesign.pid pesignd
|
|
||||||
RETVAL=$?
|
|
||||||
echo
|
|
||||||
rm -f /var/lock/subsys/pesign
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
From 59428daf4863f192419eee4afec15cd099e99c9b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jeff Law <law@redhat.com>
|
|
||||||
Date: Mon, 16 Nov 2020 12:07:59 -0700
|
|
||||||
Subject: [PATCH] Turn off -Wfree-nonheap-object
|
|
||||||
|
|
||||||
authvar.c has a call to free (tokenname) where tokenname is set to a string constant
|
|
||||||
and never changed. That triggers GCC to issue a diagnostic that the value should not
|
|
||||||
be passed to free.
|
|
||||||
|
|
||||||
This is a false positive from GCC as the call is guarded by a suitable condition that
|
|
||||||
always happens to be false. But pesign is being built without optimization and thus
|
|
||||||
the condition and free call are not optimized away.
|
|
||||||
|
|
||||||
This patch just disables the warning. A better solution would be to fix the sources
|
|
||||||
or build with the optimizer enabled.
|
|
||||||
---
|
|
||||||
Make.defaults | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/Make.defaults b/Make.defaults
|
|
||||||
index d4cd626..705cc3a 100644
|
|
||||||
--- a/Make.defaults
|
|
||||||
+++ b/Make.defaults
|
|
||||||
@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto
|
|
||||||
cflags = $(CFLAGS) $(ARCH3264) \
|
|
||||||
-Wall -Wextra -Wsign-compare -Wno-unused-result \
|
|
||||||
-Wno-unused-function -Wno-missing-field-initializers \
|
|
||||||
- -Werror -Wno-error=cpp \
|
|
||||||
+ -Werror -Wno-error=cpp -Wno-free-nonheap-object \
|
|
||||||
-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
|
|
||||||
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
|
|
||||||
$(if $(filter $(CC),clang),$(clang_cflags), ) \
|
|
||||||
--
|
|
||||||
2.28.0
|
|
||||||
|
|
41
pesign.spec
41
pesign.spec
@ -2,28 +2,29 @@
|
|||||||
|
|
||||||
Name: pesign
|
Name: pesign
|
||||||
Summary: Signing utility for UEFI binaries
|
Summary: Signing utility for UEFI binaries
|
||||||
Version: 113
|
Version: 114
|
||||||
Release: 18%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv2
|
License: GPL-2.0-only
|
||||||
URL: https://github.com/rhboot/pesign
|
URL: https://github.com/rhboot/pesign
|
||||||
|
|
||||||
Obsoletes: pesign-rh-test-certs <= 0.111-7
|
Obsoletes: pesign-rh-test-certs <= 0.111-7
|
||||||
BuildRequires: make
|
BuildRequires: efivar-devel >= 31-1
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: git
|
BuildRequires: git
|
||||||
|
BuildRequires: libuuid-devel
|
||||||
|
BuildRequires: make
|
||||||
|
BuildRequires: mandoc
|
||||||
BuildRequires: nspr
|
BuildRequires: nspr
|
||||||
|
BuildRequires: nspr-devel >= 4.9.2-1
|
||||||
BuildRequires: nss
|
BuildRequires: nss
|
||||||
|
BuildRequires: nss-devel >= 3.13.6-1
|
||||||
|
BuildRequires: nss-tools
|
||||||
BuildRequires: nss-util
|
BuildRequires: nss-util
|
||||||
BuildRequires: popt-devel
|
BuildRequires: popt-devel
|
||||||
BuildRequires: nss-tools
|
BuildRequires: python3
|
||||||
BuildRequires: nspr-devel >= 4.9.2-1
|
BuildRequires: python3-rpm-macros
|
||||||
BuildRequires: nss-devel >= 3.13.6-1
|
|
||||||
BuildRequires: efivar-devel >= 31-1
|
|
||||||
BuildRequires: libuuid-devel
|
|
||||||
BuildRequires: tar
|
BuildRequires: tar
|
||||||
BuildRequires: xz
|
BuildRequires: xz
|
||||||
BuildRequires: python3-rpm-macros
|
|
||||||
BuildRequires: python3
|
|
||||||
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||||
BuildRequires: systemd-rpm-macros
|
BuildRequires: systemd-rpm-macros
|
||||||
%endif
|
%endif
|
||||||
@ -43,20 +44,6 @@ Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{
|
|||||||
Source1: certs.tar.xz
|
Source1: certs.tar.xz
|
||||||
Source2: pesign.py
|
Source2: pesign.py
|
||||||
|
|
||||||
Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch
|
|
||||||
Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
|
|
||||||
Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
|
|
||||||
Patch0004: 0004-Rename-var-run-to-run.patch
|
|
||||||
Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
|
|
||||||
Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
|
|
||||||
Patch0007: 0007-client-remove-an-extra-debug-print.patch
|
|
||||||
Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
|
|
||||||
Patch0009: 0009-pesign-authorize-shellcheck.patch
|
|
||||||
Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
|
|
||||||
Patch0011: 0011-kernel-building-hack.patch
|
|
||||||
Patch0012: 0012-Use-run-not-var-run.patch
|
|
||||||
Patch0013: 0013-Turn-off-free-nonheap-object.patch
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This package contains the pesign utility for signing UEFI binaries as
|
This package contains the pesign utility for signing UEFI binaries as
|
||||||
well as other associated tools.
|
well as other associated tools.
|
||||||
@ -141,7 +128,6 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
|
|||||||
%doc README TODO
|
%doc README TODO
|
||||||
%{_bindir}/authvar
|
%{_bindir}/authvar
|
||||||
%{_bindir}/efikeygen
|
%{_bindir}/efikeygen
|
||||||
%{_bindir}/efisiglist
|
|
||||||
%{_bindir}/pesigcheck
|
%{_bindir}/pesigcheck
|
||||||
%{_bindir}/pesign
|
%{_bindir}/pesign
|
||||||
%{_bindir}/pesign-client
|
%{_bindir}/pesign-client
|
||||||
@ -168,6 +154,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
|
|||||||
%{python3_sitelib}/mockbuild/plugins/pesign.*
|
%{python3_sitelib}/mockbuild/plugins/pesign.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 01 2022 Robbie Harwood <rharwood@redhat.com> - 114-1
|
||||||
|
- New upstream version (114)
|
||||||
|
|
||||||
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 113-18
|
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 113-18
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||||
|
|
||||||
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
|
SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
|
||||||
SHA512 (pesign-113.tar.bz2) = 89c5e33bf6ac8f8dc4b65192e5fd4bf1fea285106d1de2a6ea02a8c5090f2ec5976b1d80c60e57f74fa56dc25b174a4dd5682292db44ab9aeab69ea992dfef36
|
SHA512 (pesign-114.tar.bz2) = 5465c002db6f59ab59799ec79504ed96662bc5da2310282d2e85fc1f03c938343d88927e764e595bf21c3501e599e529a4752281349097cdc74e616535179b3c
|
||||||
|
Loading…
Reference in New Issue
Block a user