New upstream version (114)
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
parent
98a054d3eb
commit
c7c4e0f825
@ -1,45 +0,0 @@
|
||||
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 May 2019 11:28:38 -0400
|
||||
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
|
||||
|
||||
NSS 3.44 adds some certificate types, which changes a type and makes
|
||||
some encoding stuff weird. As a result, we get:
|
||||
|
||||
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
|
||||
In file included from /usr/local/include/nss/nss/cert.h:22,
|
||||
from efikeygen.c:39:
|
||||
efikeygen.c: In function 'add_cert_type':
|
||||
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
|
||||
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
|
||||
^
|
||||
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
|
||||
unsigned char type = NS_CERT_TYPE_APP;
|
||||
^~~~~~~~~~~~~~~~
|
||||
cc1: all warnings being treated as errors
|
||||
|
||||
This is fixed by just making it an int.
|
||||
|
||||
Fixes github issue #48.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/efikeygen.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/efikeygen.c b/src/efikeygen.c
|
||||
index ede76ef0b48..2cd953e9781 100644
|
||||
--- a/src/efikeygen.c
|
||||
+++ b/src/efikeygen.c
|
||||
@@ -208,7 +208,7 @@ static int
|
||||
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
|
||||
{
|
||||
SECItem bitStringValue;
|
||||
- unsigned char type = NS_CERT_TYPE_APP;
|
||||
+ int type = NS_CERT_TYPE_APP;
|
||||
|
||||
if (is_ca)
|
||||
type |= NS_CERT_TYPE_SSL_CA |
|
||||
--
|
||||
2.23.0
|
||||
|
@ -1,49 +0,0 @@
|
||||
From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 18 Feb 2020 16:28:56 -0500
|
||||
Subject: [PATCH] pesigcheck: Fix a wrong assignment
|
||||
|
||||
gcc says:
|
||||
|
||||
pesigcheck.c: In function 'check_signature':
|
||||
pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
|
||||
321 | reason->type = siBuffer;
|
||||
| ^
|
||||
pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
|
||||
333 | reason->type = siBuffer;
|
||||
| ^
|
||||
cc1: all warnings being treated as errors
|
||||
|
||||
And indeed, that line of code makes no sense at all - it was supposed to
|
||||
be reason->sig.type.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesigcheck.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
|
||||
index 524cce307bf..8fa0f1ad03d 100644
|
||||
--- a/src/pesigcheck.c
|
||||
+++ b/src/pesigcheck.c
|
||||
@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
|
||||
reason->type = SIGNATURE;
|
||||
reason->sig.data = data;
|
||||
reason->sig.len = datalen;
|
||||
- reason->type = siBuffer;
|
||||
+ reason->sig.type = siBuffer;
|
||||
nreason += 1;
|
||||
is_invalid = true;
|
||||
}
|
||||
@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
|
||||
reason->type = SIGNATURE;
|
||||
reason->sig.data = data;
|
||||
reason->sig.len = datalen;
|
||||
- reason->type = siBuffer;
|
||||
+ reason->sig.type = siBuffer;
|
||||
nreason += 1;
|
||||
has_valid_cert = true;
|
||||
}
|
||||
--
|
||||
2.24.1
|
||||
|
@ -1,317 +0,0 @@
|
||||
From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 11 Jun 2020 16:23:14 -0400
|
||||
Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and
|
||||
vise versa
|
||||
|
||||
This makes the version of the sign API that takes a file type optional,
|
||||
and makes the client attempt to negotiate which version it's getting.
|
||||
It also leaves the server able to still handle the version from before
|
||||
the file type was added.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/client.c | 74 +++++++++++++++++++++++++++++++++++++---------------
|
||||
src/daemon.c | 63 +++++++++++++++++++++++++++++---------------
|
||||
src/daemon.h | 2 ++
|
||||
3 files changed, 97 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/src/client.c b/src/client.c
|
||||
index aa373abd981..57bcc09cbe8 100644
|
||||
--- a/src/client.c
|
||||
+++ b/src/client.c
|
||||
@@ -11,6 +11,7 @@
|
||||
#include <fcntl.h>
|
||||
#include <popt.h>
|
||||
#include <pwd.h>
|
||||
+#include <stdbool.h>
|
||||
#include <stddef.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/socket.h>
|
||||
@@ -84,8 +85,8 @@ connect_to_server(void)
|
||||
static int32_t
|
||||
check_response(int sd, char **srvmsg);
|
||||
|
||||
-static void
|
||||
-check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
|
||||
+static int
|
||||
+check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit)
|
||||
{
|
||||
struct msghdr msg;
|
||||
struct iovec iov[1];
|
||||
@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
|
||||
ssize_t n;
|
||||
n = sendmsg(sd, &msg, 0);
|
||||
if (n < 0) {
|
||||
- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n");
|
||||
+ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
|
||||
|
||||
char *srvmsg = NULL;
|
||||
int32_t rc = check_response(sd, &srvmsg);
|
||||
- if (rc < 0)
|
||||
+
|
||||
+ if (do_exit && rc < 0)
|
||||
errx(1, "command \"%s\" not known by server", name);
|
||||
- if (rc != version)
|
||||
+
|
||||
+ if (do_exit && rc != version)
|
||||
errx(1, "command \"%s\": client version %d, server version %d",
|
||||
name, version, rc);
|
||||
+
|
||||
+ if (rc < 0)
|
||||
+ return rc;
|
||||
+ return rc == version;
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -134,7 +141,7 @@ send_kill_daemon(int sd)
|
||||
struct iovec iov;
|
||||
pesignd_msghdr pm;
|
||||
|
||||
- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0);
|
||||
+ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true);
|
||||
|
||||
pm.version = PESIGND_VERSION;
|
||||
pm.command = CMD_KILL_DAEMON;
|
||||
@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin)
|
||||
|
||||
uint32_t size1 = pesignd_string_size(pin);
|
||||
|
||||
- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0);
|
||||
+ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true);
|
||||
|
||||
pm.version = PESIGND_VERSION;
|
||||
pm.command = CMD_UNLOCK_TOKEN;
|
||||
@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname)
|
||||
|
||||
uint32_t size0 = pesignd_string_size(tokenname);
|
||||
|
||||
- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0);
|
||||
+ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true);
|
||||
|
||||
pm.version = PESIGND_VERSION;
|
||||
pm.command = CMD_IS_TOKEN_UNLOCKED;
|
||||
@@ -452,6 +459,9 @@ static void
|
||||
sign(int sd, char *infile, char *outfile, char *tokenname, char *certname,
|
||||
int attached, uint32_t format)
|
||||
{
|
||||
+ int rc;
|
||||
+ bool add_file_type;
|
||||
+
|
||||
int infd = open(infile, O_RDONLY);
|
||||
if (infd < 0) {
|
||||
fprintf(stderr, "pesign-client: could not open input file "
|
||||
@@ -481,12 +491,28 @@ oom:
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED,
|
||||
- attached ? "sign-attached" : "sign-detached", 0);
|
||||
+ rc = check_cmd_version(sd,
|
||||
+ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
|
||||
+ : CMD_SIGN_DETACHED_WITH_FILE_TYPE,
|
||||
+ attached ? "sign-attached" : "sign-detached",
|
||||
+ 0, format == FORMAT_KERNEL_MODULE);
|
||||
+ if (rc >= 0) {
|
||||
+ add_file_type = true;
|
||||
+ } else {
|
||||
+ add_file_type = false;
|
||||
+ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED
|
||||
+ : CMD_SIGN_DETACHED,
|
||||
+ attached ? "sign-attached" : "sign-detached",
|
||||
+ 0, true);
|
||||
+ }
|
||||
|
||||
+ printf("add_file_type:%d\n", add_file_type);
|
||||
pm->version = PESIGND_VERSION;
|
||||
- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED;
|
||||
- pm->size = size0 + size1 + sizeof(format);
|
||||
+ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
|
||||
+ : CMD_SIGN_ATTACHED)
|
||||
+ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE
|
||||
+ : CMD_SIGN_DETACHED);
|
||||
+ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0);
|
||||
iov[0].iov_base = pm;
|
||||
iov[0].iov_len = sizeof (*pm);
|
||||
|
||||
@@ -503,25 +529,31 @@ oom:
|
||||
}
|
||||
|
||||
char *buffer;
|
||||
- buffer = malloc(size0 + size1);
|
||||
+ buffer = malloc(pm->size);
|
||||
if (!buffer)
|
||||
goto oom;
|
||||
|
||||
- iov[0].iov_base = &format;
|
||||
- iov[0].iov_len = sizeof(format);
|
||||
+ int pos = 0;
|
||||
+
|
||||
+ if (add_file_type) {
|
||||
+ iov[pos].iov_base = &format;
|
||||
+ iov[pos].iov_len = sizeof(format);
|
||||
+ pos++;
|
||||
+ }
|
||||
|
||||
pesignd_string *tn = (pesignd_string *)buffer;
|
||||
pesignd_string_set(tn, tokenname);
|
||||
- iov[1].iov_base = tn;
|
||||
- iov[1].iov_len = size0;
|
||||
+ iov[pos].iov_base = tn;
|
||||
+ iov[pos].iov_len = size0;
|
||||
+ pos++;
|
||||
|
||||
pesignd_string *cn = pesignd_string_next(tn);
|
||||
pesignd_string_set(cn, certname);
|
||||
- iov[2].iov_base = cn;
|
||||
- iov[2].iov_len = size1;
|
||||
+ iov[pos].iov_base = cn;
|
||||
+ iov[pos].iov_len = size1;
|
||||
|
||||
msg.msg_iov = iov;
|
||||
- msg.msg_iovlen = 3;
|
||||
+ msg.msg_iovlen = add_file_type ? 3 : 2;
|
||||
|
||||
n = sendmsg(sd, &msg, 0);
|
||||
if (n < 0) {
|
||||
@@ -535,7 +567,7 @@ oom:
|
||||
send_fd(sd, outfd);
|
||||
|
||||
char *srvmsg = NULL;
|
||||
- int rc = check_response(sd, &srvmsg);
|
||||
+ rc = check_response(sd, &srvmsg);
|
||||
if (rc < 0) {
|
||||
fprintf(stderr, "pesign-client: signing failed: \"%s\"\n",
|
||||
srvmsg);
|
||||
diff --git a/src/daemon.c b/src/daemon.c
|
||||
index 9374d59be30..494beb9af72 100644
|
||||
--- a/src/daemon.c
|
||||
+++ b/src/daemon.c
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <poll.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
+#include <stdbool.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
@@ -561,7 +562,7 @@ out:
|
||||
|
||||
static void
|
||||
handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
|
||||
- int attached)
|
||||
+ int attached, bool with_file_type)
|
||||
{
|
||||
struct msghdr msg;
|
||||
struct iovec iov;
|
||||
@@ -585,8 +586,12 @@ oom:
|
||||
|
||||
n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
|
||||
|
||||
- file_format = *((uint32_t *) buffer);
|
||||
- n -= sizeof(uint32_t);
|
||||
+ if (with_file_type) {
|
||||
+ file_format = *((uint32_t *) buffer);
|
||||
+ n -= sizeof(uint32_t);
|
||||
+ } else {
|
||||
+ file_format = FORMAT_PE_BINARY;
|
||||
+ }
|
||||
|
||||
pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t));
|
||||
if (n < (long long)sizeof(tn->size)) {
|
||||
@@ -666,34 +671,44 @@ finish:
|
||||
teardown_digests(ctx->cms);
|
||||
}
|
||||
|
||||
+static inline void
|
||||
+handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size,
|
||||
+ int attached, bool with_file_type)
|
||||
+{
|
||||
+ int rc = cms_context_alloc(&ctx->cms);
|
||||
+ if (rc < 0)
|
||||
+ return;
|
||||
+
|
||||
+ steal_from_cms(ctx->backup_cms, ctx->cms);
|
||||
+
|
||||
+ handle_signing(ctx, pollfd, size, attached, with_file_type);
|
||||
+
|
||||
+ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
|
||||
+ cms_context_fini(ctx->cms);
|
||||
+}
|
||||
+
|
||||
static void
|
||||
handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
|
||||
{
|
||||
- int rc = cms_context_alloc(&ctx->cms);
|
||||
- if (rc < 0)
|
||||
- return;
|
||||
+ handle_sign_helper(ctx, pollfd, size, 1, false);
|
||||
+}
|
||||
|
||||
- steal_from_cms(ctx->backup_cms, ctx->cms);
|
||||
-
|
||||
- handle_signing(ctx, pollfd, size, 1);
|
||||
-
|
||||
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
|
||||
- cms_context_fini(ctx->cms);
|
||||
+static void
|
||||
+handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
|
||||
+{
|
||||
+ handle_sign_helper(ctx, pollfd, size, 1, true);
|
||||
}
|
||||
|
||||
static void
|
||||
handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
|
||||
{
|
||||
- int rc = cms_context_alloc(&ctx->cms);
|
||||
- if (rc < 0)
|
||||
- return;
|
||||
+ handle_sign_helper(ctx, pollfd, size, 0, false);
|
||||
+}
|
||||
|
||||
- steal_from_cms(ctx->backup_cms, ctx->cms);
|
||||
-
|
||||
- handle_signing(ctx, pollfd, size, 0);
|
||||
-
|
||||
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
|
||||
- cms_context_fini(ctx->cms);
|
||||
+static void
|
||||
+handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
|
||||
+{
|
||||
+ handle_sign_helper(ctx, pollfd, size, 0, true);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = {
|
||||
{ CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 },
|
||||
{ CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 },
|
||||
{ CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 },
|
||||
+ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
|
||||
+ handle_sign_attached_with_file_type,
|
||||
+ "sign-attached-with-file-type", 0 },
|
||||
+ { CMD_SIGN_DETACHED_WITH_FILE_TYPE,
|
||||
+ handle_sign_detached_with_file_type,
|
||||
+ "sign-detached-with-file-type", 0 },
|
||||
{ CMD_RESPONSE, NULL, "response", 0 },
|
||||
{ CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked,
|
||||
"is-token-unlocked", 0 },
|
||||
diff --git a/src/daemon.h b/src/daemon.h
|
||||
index dd430512f1a..834d62c72d0 100644
|
||||
--- a/src/daemon.h
|
||||
+++ b/src/daemon.h
|
||||
@@ -33,6 +33,8 @@ typedef enum {
|
||||
CMD_RESPONSE,
|
||||
CMD_IS_TOKEN_UNLOCKED,
|
||||
CMD_GET_CMD_VERSION,
|
||||
+ CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
|
||||
+ CMD_SIGN_DETACHED_WITH_FILE_TYPE,
|
||||
CMD_LIST_END
|
||||
} pesignd_cmd;
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,46 +0,0 @@
|
||||
From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 12 Jun 2020 11:49:44 -0400
|
||||
Subject: [PATCH] Rename /var/run/ to /run/
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 12 ++++++------
|
||||
src/tmpfiles.conf | 2 +-
|
||||
2 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 56f75cafbc4..5a6da1c6809 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -45,14 +45,14 @@
|
||||
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||
elif [ "$(id -un)" == "kojibuilder" -a \\\
|
||||
grep -q ID=fedora /etc/os-release -a \\\
|
||||
- ! -S /var/run/pesign/socket ]; then \
|
||||
+ ! -S /run/pesign/socket ]; then \
|
||||
echo "No socket even though this is kojibuilder" 1>&2 \
|
||||
- ls -ld /var/run/pesign 1>&2 \
|
||||
- ls -l /var/run/pesign/socket 1>&2 \
|
||||
- getfacl /var/run/pesign 1>&2 \
|
||||
- getfacl /var/run/pesign/socket 1>&2 \
|
||||
+ ls -ld /run/pesign 1>&2 \
|
||||
+ ls -l /run/pesign/socket 1>&2 \
|
||||
+ getfacl /run/pesign 1>&2 \
|
||||
+ getfacl /run/pesign/socket 1>&2 \
|
||||
exit 1 \
|
||||
- elif [ -S /var/run/pesign/socket ]; then \
|
||||
+ elif [ -S /run/pesign/socket ]; then \
|
||||
%{_pesign_client} -t %{__pesign_client_token} \\\
|
||||
-c %{__pesign_client_cert} \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
|
||||
index c1cf35597d8..3375ad52a44 100644
|
||||
--- a/src/tmpfiles.conf
|
||||
+++ b/src/tmpfiles.conf
|
||||
@@ -1 +1 @@
|
||||
-D /var/run/pesign 0770 pesign pesign -
|
||||
+D /run/pesign 0770 pesign pesign -
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Cline <jcline@redhat.com>
|
||||
Date: Tue, 18 Feb 2020 16:37:53 -0500
|
||||
Subject: [PATCH] Apparently opensc got updated and the token name changed
|
||||
|
||||
All the kernel builds started failing yesterday because the signing
|
||||
token could not be found. Update the token name in the macro shipped by
|
||||
pesign.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 7c5cba170e9..56f75cafbc4 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -9,7 +9,7 @@
|
||||
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
||||
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||
|
||||
-%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
|
||||
+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
|
||||
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||
|
||||
%_pesign /usr/bin/pesign
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,86 +0,0 @@
|
||||
From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 6 Jul 2020 16:13:09 -0400
|
||||
Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/client.c | 40 +++++++++++++++++++++++++++++-----------
|
||||
1 file changed, 29 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/client.c b/src/client.c
|
||||
index 2119ef33bf8..a38383415d5 100644
|
||||
--- a/src/client.c
|
||||
+++ b/src/client.c
|
||||
@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
|
||||
}
|
||||
|
||||
static int
|
||||
-connect_to_server(void)
|
||||
+connect_to_server_helper(const char * const sockpath)
|
||||
{
|
||||
- int rc = access(SOCKPATH, R_OK);
|
||||
+ int rc = access(sockpath, R_OK);
|
||||
if (rc != 0) {
|
||||
- fprintf(stderr, "pesign-client: could not connect to server: "
|
||||
- "%m\n");
|
||||
- exit(1);
|
||||
+ warn("could not access socket \"%s\"", sockpath);
|
||||
+ return rc;
|
||||
}
|
||||
|
||||
struct sockaddr_un addr_un = {
|
||||
.sun_family = AF_UNIX,
|
||||
- .sun_path = SOCKPATH,
|
||||
};
|
||||
+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
|
||||
+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
|
||||
|
||||
int sd = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
if (sd < 0) {
|
||||
- fprintf(stderr, "pesign-client: could not open socket: %m\n");
|
||||
- exit(1);
|
||||
+ warn("could not open socket \"%s\"", sockpath);
|
||||
+ return sd;
|
||||
}
|
||||
|
||||
socklen_t len = strlen(addr_un.sun_path) +
|
||||
@@ -74,14 +74,32 @@ connect_to_server(void)
|
||||
|
||||
rc = connect(sd, (struct sockaddr *)&addr_un, len);
|
||||
if (rc < 0) {
|
||||
- fprintf(stderr, "pesign-client: could not connect to daemon: "
|
||||
- "%m\n");
|
||||
- exit(1);
|
||||
+ warn("could not connect to daemon");
|
||||
+ return sd;
|
||||
}
|
||||
|
||||
return sd;
|
||||
}
|
||||
|
||||
+static int
|
||||
+connect_to_server(void)
|
||||
+{
|
||||
+ int rc, i;
|
||||
+ const char * const sockets[] = {
|
||||
+ "/run/pesign/socket",
|
||||
+ "/var/run/pesign/socket",
|
||||
+ NULL
|
||||
+ };
|
||||
+
|
||||
+ for (i = 0; sockets[i] != NULL; i++) {
|
||||
+ rc = connect_to_server_helper(sockets[i]);
|
||||
+ if (rc >= 0)
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ exit(1);
|
||||
+}
|
||||
+
|
||||
static int32_t
|
||||
check_response(int sd, char **srvmsg);
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,25 +0,0 @@
|
||||
From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 Jul 2020 16:44:09 -0400
|
||||
Subject: [PATCH 07/11] client: remove an extra debug print
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/client.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/src/client.c b/src/client.c
|
||||
index 0082be1f597..c9966295e5f 100644
|
||||
--- a/src/client.c
|
||||
+++ b/src/client.c
|
||||
@@ -536,7 +536,6 @@ oom:
|
||||
0, true);
|
||||
}
|
||||
|
||||
- printf("add_file_type:%d\n", add_file_type);
|
||||
pm->version = PESIGND_VERSION;
|
||||
pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
|
||||
: CMD_SIGN_ATTACHED)
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,379 +0,0 @@
|
||||
From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 6 Jul 2020 13:54:35 -0400
|
||||
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
Make.defaults | 1 +
|
||||
src/Makefile | 8 +-
|
||||
src/macros.pesign | 74 ++++--------
|
||||
src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 252 insertions(+), 53 deletions(-)
|
||||
create mode 100644 src/pesign-rpmbuild-helper.in
|
||||
|
||||
diff --git a/Make.defaults b/Make.defaults
|
||||
index 0bacafe0d01..d4cd626c11e 100644
|
||||
--- a/Make.defaults
|
||||
+++ b/Make.defaults
|
||||
@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
|
||||
|
||||
INSTALL ?= install
|
||||
CROSS_COMPILE ?=
|
||||
+EFI_ARCHES ?= aa64 ia32 x64
|
||||
|
||||
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
|
||||
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
|
||||
diff --git a/src/Makefile b/src/Makefile
|
||||
index 74327ba13f3..a7ca89159c6 100644
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
|
||||
include $(TOPDIR)/Make.rules
|
||||
include $(TOPDIR)/Make.defaults
|
||||
|
||||
-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
|
||||
+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
|
||||
SVCTARGETS=pesign.sysvinit pesign.service
|
||||
TARGETS=$(BINTARGETS) $(SVCTARGETS)
|
||||
|
||||
@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
|
||||
pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
|
||||
pesign : PKGS=efivar nss nspr popt
|
||||
|
||||
+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
|
||||
+ sed \
|
||||
+ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
|
||||
+ $^ > $@
|
||||
+
|
||||
deps : PKGS=efivar nss nspr popt uuid
|
||||
deps : $(ALL_SOURCES)
|
||||
$(MAKE) -f $(TOPDIR)/Make.deps \
|
||||
@@ -94,6 +99,7 @@ install :
|
||||
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
||||
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
|
||||
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 5a6da1c6809..2e984b4eeb3 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -6,7 +6,7 @@
|
||||
# %pesign -s -i shim.orig -o shim.efi
|
||||
# And magically get the right thing.
|
||||
|
||||
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
||||
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
|
||||
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||
|
||||
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
|
||||
@@ -24,54 +24,24 @@
|
||||
# -a <input ca cert filename> # rhel only
|
||||
# -s # perform signing
|
||||
%pesign(i:o:C:e:c:n:a:s) \
|
||||
- _pesign_nssdir=/etc/pki/pesign \
|
||||
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
|
||||
- _pesign_nssdir=/etc/pki/pesign-rh-test \
|
||||
- fi \
|
||||
- if [ -x %{_pesign} ] && \\\
|
||||
- [ "%{_target_cpu}" == "x86_64" -o \\\
|
||||
- "%{_target_cpu}" == "aarch64" ]; then \
|
||||
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
|
||||
- nss=$(mktemp -p $PWD -d) \
|
||||
- echo > ${nss}/pwfile \
|
||||
- certutil -N -d ${nss} -f ${nss}/pwfile \
|
||||
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
||||
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
||||
- sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
|
||||
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
|
||||
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||
- --certdir ${nss} -c signer %{-o} \
|
||||
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||
- elif [ "$(id -un)" == "kojibuilder" -a \\\
|
||||
- grep -q ID=fedora /etc/os-release -a \\\
|
||||
- ! -S /run/pesign/socket ]; then \
|
||||
- echo "No socket even though this is kojibuilder" 1>&2 \
|
||||
- ls -ld /run/pesign 1>&2 \
|
||||
- ls -l /run/pesign/socket 1>&2 \
|
||||
- getfacl /run/pesign 1>&2 \
|
||||
- getfacl /run/pesign/socket 1>&2 \
|
||||
- exit 1 \
|
||||
- elif [ -S /run/pesign/socket ]; then \
|
||||
- %{_pesign_client} -t %{__pesign_client_token} \\\
|
||||
- -c %{__pesign_client_cert} \\\
|
||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
- else \
|
||||
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
||||
- --certdir ${_pesign_nssdir} \\\
|
||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
- fi \
|
||||
- else \
|
||||
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
|
||||
- mv %{-i*} %{-o*} \
|
||||
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
|
||||
- touch %{-e*} \
|
||||
- fi \
|
||||
- fi \
|
||||
- if [ ! -s %{-o} ]; then \
|
||||
- if [ -e "%{-o*}" ]; then \
|
||||
- rm -f %{-o*} \
|
||||
- fi \
|
||||
- exit 1 \
|
||||
- fi ;
|
||||
-
|
||||
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
|
||||
+ "%{_target_cpu}" \\\
|
||||
+ "%{_pesign}" \\\
|
||||
+ "%{_pesign_client}" \\\
|
||||
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
|
||||
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
|
||||
+ %{?__pesign_token:%{__pesign_token}} \\\
|
||||
+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\
|
||||
+ %{?_buildhost:--hostname "%{_buildhost}"} \\\
|
||||
+ %{?vendor:--vendor "%{vendor}"} \\\
|
||||
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
|
||||
+ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
|
||||
+ %{?-a:--rhelcafile "%{-a*}"} \\\
|
||||
+ %{?-c:--rhelcertfile "%{-c*}"} \\\
|
||||
+ %{?-C:--certout "%{-C*}"} \\\
|
||||
+ %{?-e:--sattrout "%{-e*}"} \\\
|
||||
+ %{?-i:--in "%{-i*}"} \\\
|
||||
+ %{?-o:--out "%{-o*}"} \\\
|
||||
+ %{?-s:--sign} \\\
|
||||
+ ; \
|
||||
+%{nil}
|
||||
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
|
||||
new file mode 100644
|
||||
index 00000000000..c5287c27e0c
|
||||
--- /dev/null
|
||||
+++ b/src/pesign-rpmbuild-helper.in
|
||||
@@ -0,0 +1,222 @@
|
||||
+#!/bin/bash
|
||||
+# shellcheck shell=bash
|
||||
+
|
||||
+set -eu
|
||||
+set -x
|
||||
+
|
||||
+usage() {
|
||||
+ local status="${1}" && shift
|
||||
+ local out
|
||||
+ if [[ "${status}" -eq 0 ]] ; then
|
||||
+ out=/dev/stdout
|
||||
+ else
|
||||
+ out=/dev/stderr
|
||||
+ fi
|
||||
+
|
||||
+ if [[ $# -gt 0 ]] ; then
|
||||
+ echo "${0}: error: $*" >>"${out}"
|
||||
+ fi
|
||||
+ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
|
||||
+ exit "${status}"
|
||||
+}
|
||||
+
|
||||
+is_efi_arch() {
|
||||
+ local arch="${1}"
|
||||
+ local arches=(@@EFI_ARCHES@@)
|
||||
+ local x
|
||||
+ for x in "${arches[@]}" ; do
|
||||
+ if [[ "${arch}" = "${x}" ]] ; then
|
||||
+ return 0
|
||||
+ fi
|
||||
+ done
|
||||
+ return 1
|
||||
+}
|
||||
+
|
||||
+error_on_empty() {
|
||||
+ local f="${1}"
|
||||
+ if [[ ! -s "${f}" ]] ; then
|
||||
+ if [[ -e "${f}" ]] ; then
|
||||
+ rm -f "${f}"
|
||||
+ fi
|
||||
+ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
|
||||
+ exit 1
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+main() {
|
||||
+ if [[ $# -lt 3 ]] ; then
|
||||
+ usage 1 not enough arguments
|
||||
+ fi
|
||||
+ local target_cpu="${1}" && shift
|
||||
+ local bin="${1}" && shift
|
||||
+ local client="${1}" && shift
|
||||
+
|
||||
+ local rhelcafile="" || :
|
||||
+ local rhelcertfile="" || :
|
||||
+
|
||||
+ local certout=() || :
|
||||
+ local sattrout=() || :
|
||||
+ local input=() || :
|
||||
+ local output=() || :
|
||||
+ local client_token=() || :
|
||||
+ local client_cert=() || :
|
||||
+ local token=() || :
|
||||
+ local cert=() || :
|
||||
+ local rhelcert=() || :
|
||||
+ local rhelver=0 || :
|
||||
+ local sign="" || :
|
||||
+ local arch="" || :
|
||||
+ local vendor="" || :
|
||||
+ local HOSTNAME="" || :
|
||||
+
|
||||
+ while [[ $# -ge 2 ]] ; do
|
||||
+ case " ${1} " in
|
||||
+ " --rhelcafile ")
|
||||
+ rhelcafile="${2}"
|
||||
+ ;;
|
||||
+ " --rhelcertfile ")
|
||||
+ rhelcertfile="${2}"
|
||||
+ ;;
|
||||
+ " --hostname ")
|
||||
+ HOSTNAME="${2}"
|
||||
+ ;;
|
||||
+ " --certout ")
|
||||
+ certout[0]=-C
|
||||
+ certout[1]="${2}"
|
||||
+ ;;
|
||||
+ " --sattrout ")
|
||||
+ sattrout[0]=-e
|
||||
+ sattrout[1]="${2}"
|
||||
+ ;;
|
||||
+ " --client-token ")
|
||||
+ client_token[0]=-t
|
||||
+ client_token[1]="${2}"
|
||||
+ ;;
|
||||
+ " --client-cert ")
|
||||
+ client_cert[0]=-c
|
||||
+ client_cert[1]="${2}"
|
||||
+ ;;
|
||||
+ " --token ")
|
||||
+ token[0]=-t
|
||||
+ token[1]="${2}"
|
||||
+ ;;
|
||||
+ " --cert ")
|
||||
+ cert[0]=-c
|
||||
+ cert[1]="${2}"
|
||||
+ ;;
|
||||
+ " --rhelcert ")
|
||||
+ rhelcert[0]=-c
|
||||
+ rhelcert[1]="${2}"
|
||||
+ ;;
|
||||
+ " --in ")
|
||||
+ input[0]=-i
|
||||
+ input[1]="${2}"
|
||||
+ ;;
|
||||
+ " --out ")
|
||||
+ output[0]=-o
|
||||
+ output[1]="${2}"
|
||||
+ ;;
|
||||
+ " --rhelver ")
|
||||
+ rhelver="${2}"
|
||||
+ ;;
|
||||
+ " --vendor ")
|
||||
+ vendor="${2}"
|
||||
+ ;;
|
||||
+ *)
|
||||
+ break
|
||||
+ ;;
|
||||
+ esac
|
||||
+ shift
|
||||
+ shift
|
||||
+ done
|
||||
+ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
|
||||
+ sign=-s
|
||||
+ shift
|
||||
+ fi
|
||||
+
|
||||
+ if [[ -z "${target_cpu}" ]] ; then
|
||||
+ target_cpu="$(uname -m)"
|
||||
+ fi
|
||||
+
|
||||
+ target_cpu="${target_cpu/i?86/ia32}"
|
||||
+ target_cpu="${target_cpu/x86_64/x64}"
|
||||
+ target_cpu="${target_cpu/aarch64/aa64}"
|
||||
+ target_cpu="${target_cpu/arm*/arm/}"
|
||||
+
|
||||
+ local nssdir=/etc/pki/pesign
|
||||
+ if [[ "${#cert[@]}" -eq 2 ]] &&
|
||||
+ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
|
||||
+ nssdir=/etc/pki/pesign-rh-test
|
||||
+ fi
|
||||
+
|
||||
+ # is_efi_arch is ultimately returning "is pesign configured to sign these
|
||||
+ # using the rpm macro", so if it isn't, we're just copying the input to
|
||||
+ # the output
|
||||
+ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
|
||||
+ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
|
||||
+ cp -v "${input[1]}" "${output[1]}"
|
||||
+ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
|
||||
+ touch "${sattrout[1]}"
|
||||
+ fi
|
||||
+
|
||||
+ # if there's a 0-sized output file, delete it and error out
|
||||
+ error_on_empty "${output[1]}"
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
+ USERNAME="${USERNAME:-$(id -un)}"
|
||||
+
|
||||
+ local socket="" || :
|
||||
+ if grep -q ID=fedora /etc/os-release \
|
||||
+ && [[ "${rhelver}" -lt 7 ]] \
|
||||
+ && [[ "${USERNAME}" = "mockbuild" ]] \
|
||||
+ && [[ "${vendor}" = "Fedora Project" ]] \
|
||||
+ && [[ "${HOSTNAME}" =~ bkernel.* ]]
|
||||
+ then
|
||||
+ if [[ -S /run/pesign/socket ]] ; then
|
||||
+ socket=/run/pesign/socket
|
||||
+ elif [[ -S /var/run/pesign/socket ]]; then
|
||||
+ socket=/var/run/pesign/socket
|
||||
+ else
|
||||
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
|
||||
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
|
||||
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
|
||||
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
|
||||
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
|
||||
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ if [[ "${rhelver}" -ge 7 ]] ; then
|
||||
+ nssdir="$(mktemp -p "${PWD}" -d)"
|
||||
+ echo > "${nssdir}/pwfile"
|
||||
+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
|
||||
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
|
||||
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
|
||||
+ sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
|
||||
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
|
||||
+ "${input[@]}" --force
|
||||
+ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
|
||||
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
|
||||
+ --certdir "${nssdir}" -c signer \
|
||||
+ "${input[@]}" "${output[@]}"
|
||||
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
|
||||
+ elif [[ -n "${socket}" ]] ; then
|
||||
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
|
||||
+ "${sattrout[@]}" "${certout[@]}" \
|
||||
+ ${sign} "${input[@]}" "${output[@]}"
|
||||
+ else
|
||||
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
|
||||
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
|
||||
+ "${certout[@]}" "${input[@]}" "${output[@]}"
|
||||
+ fi
|
||||
+
|
||||
+ # if there's a 0-sized output file, delete it and error out
|
||||
+ if [[ "${#output[@]}" -eq 2 ]] ; then
|
||||
+ error_on_empty "${output[1]}"
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+main "${@}"
|
||||
+
|
||||
+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,60 +0,0 @@
|
||||
From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 Jul 2020 15:07:32 -0400
|
||||
Subject: [PATCH 09/11] pesign-authorize: shellcheck
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize | 16 ++++++++--------
|
||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
||||
index a496f601ab4..55cd5c4e55b 100755
|
||||
--- a/src/pesign-authorize
|
||||
+++ b/src/pesign-authorize
|
||||
@@ -12,21 +12,21 @@ set -u
|
||||
# License: GPLv2
|
||||
declare -a fileusers=()
|
||||
declare -a dirusers=()
|
||||
-for user in $(cat /etc/pesign/users); do
|
||||
+while read -r user ; do
|
||||
dirusers[${#dirusers[@]}]=-m
|
||||
dirusers[${#dirusers[@]}]="u:$user:rwx"
|
||||
fileusers[${#fileusers[@]}]=-m
|
||||
fileusers[${#fileusers[@]}]="u:$user:rw"
|
||||
-done
|
||||
+done </etc/pesign/users
|
||||
|
||||
declare -a filegroups=()
|
||||
declare -a dirgroups=()
|
||||
-for group in $(cat /etc/pesign/groups); do
|
||||
+while read -r group ; do
|
||||
dirgroups[${#dirgroups[@]}]=-m
|
||||
dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
||||
filegroups[${#filegroups[@]}]=-m
|
||||
filegroups[${#filegroups[@]}]="g:$group:rw"
|
||||
-done
|
||||
+done </etc/pesign/groups
|
||||
|
||||
update_subdir() {
|
||||
subdir=$1 && shift
|
||||
@@ -35,12 +35,12 @@ update_subdir() {
|
||||
setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
||||
for x in "${subdir}"* ; do
|
||||
if [ -d "${x}" ]; then
|
||||
- setfacl -bk ${x}
|
||||
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
||||
+ setfacl -bk "${x}"
|
||||
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
|
||||
update_subdir "${x}/"
|
||||
elif [ -e "${x}" ]; then
|
||||
- setfacl -bk ${x}
|
||||
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
||||
+ setfacl -bk "${x}"
|
||||
+ setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
|
||||
else
|
||||
:;
|
||||
fi
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 Jul 2020 15:08:15 -0400
|
||||
Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
||||
index 55cd5c4e55b..c5448329c2c 100755
|
||||
--- a/src/pesign-authorize
|
||||
+++ b/src/pesign-authorize
|
||||
@@ -47,7 +47,7 @@ update_subdir() {
|
||||
done
|
||||
}
|
||||
|
||||
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
|
||||
+for x in /var/run/pesign/ /etc/pki/pesign/ ; do
|
||||
if [ -d "${x}" ]; then
|
||||
update_subdir "${x}"
|
||||
else
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 Jul 2020 16:42:39 -0400
|
||||
Subject: [PATCH 11/11] kernel building hack
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
|
||||
index c5287c27e0c..27b8261bc17 100644
|
||||
--- a/src/pesign-rpmbuild-helper.in
|
||||
+++ b/src/pesign-rpmbuild-helper.in
|
||||
@@ -202,6 +202,23 @@ main() {
|
||||
"${input[@]}" "${output[@]}"
|
||||
rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
|
||||
elif [[ -n "${socket}" ]] ; then
|
||||
+ ### welcome haaaaack city
|
||||
+ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
|
||||
+ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
|
||||
+ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
|
||||
+ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
|
||||
+ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
|
||||
+ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
|
||||
+ client_cert[1]=kernel-signer
|
||||
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
|
||||
+ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
|
||||
+ client_cert[1]=grub2-signer
|
||||
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
|
||||
+ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
|
||||
+ client_cert[1]=fwupd-signer
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi
|
||||
"${client}" "${client_token[@]}" "${client_cert[@]}" \
|
||||
"${sattrout[@]}" "${certout[@]}" \
|
||||
${sign} "${input[@]}" "${output[@]}"
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,105 +0,0 @@
|
||||
From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 16 Jul 2020 16:28:26 -0400
|
||||
Subject: [PATCH] Use /run not /var/run
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/daemon.h | 4 ++--
|
||||
src/Makefile | 2 +-
|
||||
src/pesign-authorize | 2 +-
|
||||
src/pesign.service.in | 2 +-
|
||||
src/pesign.sysvinit.in | 10 +++++-----
|
||||
5 files changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/daemon.h b/src/daemon.h
|
||||
index 0368dc9256c..5fcd97ea717 100644
|
||||
--- a/src/daemon.h
|
||||
+++ b/src/daemon.h
|
||||
@@ -51,8 +51,8 @@ typedef enum {
|
||||
} pesignd_cmd;
|
||||
|
||||
#define PESIGND_VERSION 0x2a9edaf0
|
||||
-#define SOCKPATH "/var/run/pesign/socket"
|
||||
-#define PIDFILE "/var/run/pesign.pid"
|
||||
+#define SOCKPATH "/run/pesign/socket"
|
||||
+#define PIDFILE "/run/pesign.pid"
|
||||
|
||||
static inline uint32_t UNUSED
|
||||
pesignd_string_size(char *buffer)
|
||||
diff --git a/src/Makefile b/src/Makefile
|
||||
index a7ca89159c6..f7fb5fc9ee5 100644
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit
|
||||
install :
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
||||
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
|
||||
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
|
||||
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
|
||||
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
|
||||
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
||||
index c5448329c2c..2381302440c 100755
|
||||
--- a/src/pesign-authorize
|
||||
+++ b/src/pesign-authorize
|
||||
@@ -47,7 +47,7 @@ update_subdir() {
|
||||
done
|
||||
}
|
||||
|
||||
-for x in /var/run/pesign/ /etc/pki/pesign/ ; do
|
||||
+for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do
|
||||
if [ -d "${x}" ]; then
|
||||
update_subdir "${x}"
|
||||
else
|
||||
diff --git a/src/pesign.service.in b/src/pesign.service.in
|
||||
index c75a000892a..4ac2199bce2 100644
|
||||
--- a/src/pesign.service.in
|
||||
+++ b/src/pesign.service.in
|
||||
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
|
||||
[Service]
|
||||
PrivateTmp=true
|
||||
Type=forking
|
||||
-PIDFile=/var/run/pesign.pid
|
||||
+PIDFile=/run/pesign.pid
|
||||
ExecStart=/usr/bin/pesign --daemonize
|
||||
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
||||
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
|
||||
index b0e0f84ff0b..bf8edec8ff3 100644
|
||||
--- a/src/pesign.sysvinit.in
|
||||
+++ b/src/pesign.sysvinit.in
|
||||
@@ -4,7 +4,7 @@
|
||||
#
|
||||
# chkconfig: - 50 50
|
||||
# processname: /usr/bin/pesign
|
||||
-# pidfile: /var/run/pesign.pid
|
||||
+# pidfile: /run/pesign.pid
|
||||
### BEGIN INIT INFO
|
||||
# Provides: pesign
|
||||
# Default-Start:
|
||||
@@ -20,9 +20,9 @@ RETVAL=0
|
||||
|
||||
start(){
|
||||
echo -n "Starting pesign: "
|
||||
- mkdir /var/run/pesign 2>/dev/null &&
|
||||
- chown pesign:pesign /var/run/pesign &&
|
||||
- chmod 0770 /var/run/pesign
|
||||
+ mkdir /run/pesign 2>/dev/null &&
|
||||
+ chown pesign:pesign /run/pesign &&
|
||||
+ chmod 0770 /run/pesign
|
||||
daemon /usr/bin/pesign --daemonize
|
||||
RETVAL=$?
|
||||
echo
|
||||
@@ -32,7 +32,7 @@ start(){
|
||||
|
||||
stop(){
|
||||
echo -n "Stopping pesign: "
|
||||
- killproc -p /var/run/pesign.pid pesignd
|
||||
+ killproc -p /run/pesign.pid pesignd
|
||||
RETVAL=$?
|
||||
echo
|
||||
rm -f /var/lock/subsys/pesign
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,35 +0,0 @@
|
||||
From 59428daf4863f192419eee4afec15cd099e99c9b Mon Sep 17 00:00:00 2001
|
||||
From: Jeff Law <law@redhat.com>
|
||||
Date: Mon, 16 Nov 2020 12:07:59 -0700
|
||||
Subject: [PATCH] Turn off -Wfree-nonheap-object
|
||||
|
||||
authvar.c has a call to free (tokenname) where tokenname is set to a string constant
|
||||
and never changed. That triggers GCC to issue a diagnostic that the value should not
|
||||
be passed to free.
|
||||
|
||||
This is a false positive from GCC as the call is guarded by a suitable condition that
|
||||
always happens to be false. But pesign is being built without optimization and thus
|
||||
the condition and free call are not optimized away.
|
||||
|
||||
This patch just disables the warning. A better solution would be to fix the sources
|
||||
or build with the optimizer enabled.
|
||||
---
|
||||
Make.defaults | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Make.defaults b/Make.defaults
|
||||
index d4cd626..705cc3a 100644
|
||||
--- a/Make.defaults
|
||||
+++ b/Make.defaults
|
||||
@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto
|
||||
cflags = $(CFLAGS) $(ARCH3264) \
|
||||
-Wall -Wextra -Wsign-compare -Wno-unused-result \
|
||||
-Wno-unused-function -Wno-missing-field-initializers \
|
||||
- -Werror -Wno-error=cpp \
|
||||
+ -Werror -Wno-error=cpp -Wno-free-nonheap-object \
|
||||
-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
|
||||
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
|
||||
$(if $(filter $(CC),clang),$(clang_cflags), ) \
|
||||
--
|
||||
2.28.0
|
||||
|
41
pesign.spec
41
pesign.spec
@ -2,28 +2,29 @@
|
||||
|
||||
Name: pesign
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Version: 113
|
||||
Release: 18%{?dist}
|
||||
License: GPLv2
|
||||
Version: 114
|
||||
Release: 1%{?dist}
|
||||
License: GPL-2.0-only
|
||||
URL: https://github.com/rhboot/pesign
|
||||
|
||||
Obsoletes: pesign-rh-test-certs <= 0.111-7
|
||||
BuildRequires: make
|
||||
BuildRequires: efivar-devel >= 31-1
|
||||
BuildRequires: gcc
|
||||
BuildRequires: git
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: make
|
||||
BuildRequires: mandoc
|
||||
BuildRequires: nspr
|
||||
BuildRequires: nspr-devel >= 4.9.2-1
|
||||
BuildRequires: nss
|
||||
BuildRequires: nss-devel >= 3.13.6-1
|
||||
BuildRequires: nss-tools
|
||||
BuildRequires: nss-util
|
||||
BuildRequires: popt-devel
|
||||
BuildRequires: nss-tools
|
||||
BuildRequires: nspr-devel >= 4.9.2-1
|
||||
BuildRequires: nss-devel >= 3.13.6-1
|
||||
BuildRequires: efivar-devel >= 31-1
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: python3
|
||||
BuildRequires: python3-rpm-macros
|
||||
BuildRequires: tar
|
||||
BuildRequires: xz
|
||||
BuildRequires: python3-rpm-macros
|
||||
BuildRequires: python3
|
||||
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||
BuildRequires: systemd-rpm-macros
|
||||
%endif
|
||||
@ -43,20 +44,6 @@ Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{
|
||||
Source1: certs.tar.xz
|
||||
Source2: pesign.py
|
||||
|
||||
Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch
|
||||
Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
|
||||
Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
|
||||
Patch0004: 0004-Rename-var-run-to-run.patch
|
||||
Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
|
||||
Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
|
||||
Patch0007: 0007-client-remove-an-extra-debug-print.patch
|
||||
Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
|
||||
Patch0009: 0009-pesign-authorize-shellcheck.patch
|
||||
Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
|
||||
Patch0011: 0011-kernel-building-hack.patch
|
||||
Patch0012: 0012-Use-run-not-var-run.patch
|
||||
Patch0013: 0013-Turn-off-free-nonheap-object.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
well as other associated tools.
|
||||
@ -141,7 +128,6 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
|
||||
%doc README TODO
|
||||
%{_bindir}/authvar
|
||||
%{_bindir}/efikeygen
|
||||
%{_bindir}/efisiglist
|
||||
%{_bindir}/pesigcheck
|
||||
%{_bindir}/pesign
|
||||
%{_bindir}/pesign-client
|
||||
@ -168,6 +154,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
|
||||
%{python3_sitelib}/mockbuild/plugins/pesign.*
|
||||
|
||||
%changelog
|
||||
* Tue Feb 01 2022 Robbie Harwood <rharwood@redhat.com> - 114-1
|
||||
- New upstream version (114)
|
||||
|
||||
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 113-18
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
|
||||
SHA512 (pesign-113.tar.bz2) = 89c5e33bf6ac8f8dc4b65192e5fd4bf1fea285106d1de2a6ea02a8c5090f2ec5976b1d80c60e57f74fa56dc25b174a4dd5682292db44ab9aeab69ea992dfef36
|
||||
SHA512 (pesign-114.tar.bz2) = 5465c002db6f59ab59799ec79504ed96662bc5da2310282d2e85fc1f03c938343d88927e764e595bf21c3501e599e529a4752281349097cdc74e616535179b3c
|
||||
|
Loading…
Reference in New Issue
Block a user