From cf2e7981efc41a9973c12fc8eba7a9bbc110715f Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 15 Aug 2017 11:14:22 -0400 Subject: [PATCH] Update to match f26's build so new kernel builds will work. Signed-off-by: Peter Jones --- ...e_integer-it-doesn-t-build-on-i686-a.patch | 2 +- 0002-Fix-command-line-parsing.patch | 2 +- ...gcc-don-t-error-on-stuff-in-includes.patch | 2 +- 0004-Fix-certficate-argument-name.patch | 2 +- ...ion-of-ascii-armor-option-in-manpage.patch | 2 +- ...ke-ascii-work-since-we-documented-it.patch | 2 +- ...ient-to-also-accept-token-cert-macro.patch | 2 +- ...fy-with-the-cert-as-an-object-signer.patch | 2 +- ...sigcheck-make-certfile-actually-work.patch | 2 +- ...-make-sure-err-is-always-initialized.patch | 2 +- ...make-pesign-h-tell-you-the-file-name.patch | 2 +- 0012-Add-coverity-build-scripts.patch | 2 +- 0013-Document-implicit-fallthrough.patch | 2 +- ...cl-each-directory-of-our-key-storage.patch | 2 +- ..._MODULE_SIGNING_ONLY-and-fix-our-arr.patch | 2 +- 0016-efikeygen-add-modsign.patch | 2 +- ...y-even-harder-to-pick-a-reasonable-v.patch | 2 +- 0018-show-which-db-we-re-checking.patch | 2 +- 0019-more-about-the-time.patch | 2 +- 0020-try-to-say-why-something-fails.patch | 2 +- ...ix-race-condition-in-SEC_GetPassword.patch | 2 +- ...eate-the-socket-directory-at-runtime.patch | 2 +- ...-Better-authorization-scripts.-Again.patch | 2 +- ...also-try-to-give-better-errors-on-EP.patch | 2 +- 0025-certdb-fix-PRTime-printfs-for-i686.patch | 2 +- ...-Clean-up-gcc-command-lines-a-little.patch | 2 +- ...sign-users-groups-static-in-the-repo.patch | 2 +- ...ent-signer-use-the-fedora-values-unl.patch | 2 +- ...gn-error-in-kojibuilder-if-we-don-t-.patch | 39 ++++++++ pesign.py | 91 +++++++++++++++++++ pesign.spec | 17 +++- 31 files changed, 172 insertions(+), 31 deletions(-) create mode 100644 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch create mode 100644 pesign.py 
diff --git a/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch b/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch index a8128a3..0c82dcf 100644 --- a/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch +++ b/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch @@ -1,7 +1,7 @@ From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 21 Apr 2016 10:47:34 -0400 -Subject: [PATCH 01/28] cms: kill generate_integer(), it doesn't build on i686 +Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686 and it's unused. Signed-off-by: Peter Jones diff --git a/0002-Fix-command-line-parsing.patch b/0002-Fix-command-line-parsing.patch index dd45127..9c03eeb 100644 --- a/0002-Fix-command-line-parsing.patch +++ b/0002-Fix-command-line-parsing.patch @@ -1,7 +1,7 @@ From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Thu, 9 Jun 2016 14:30:37 +0200 -Subject: [PATCH 02/28] Fix command line parsing +Subject: [PATCH 02/29] Fix command line parsing The gettext translation domain should be passed as .arg, not .descrip, otherwise popt won't process any of the command line options (it stops diff --git a/0003-gcc-don-t-error-on-stuff-in-includes.patch b/0003-gcc-don-t-error-on-stuff-in-includes.patch index a7a0bb2..cf4e61d 100644 --- a/0003-gcc-don-t-error-on-stuff-in-includes.patch +++ b/0003-gcc-don-t-error-on-stuff-in-includes.patch @@ -1,7 +1,7 @@ From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 10 Aug 2016 17:12:39 -0400 -Subject: [PATCH 03/28] gcc: don't error on stuff in includes. +Subject: [PATCH 03/29] gcc: don't error on stuff in includes. Signed-off-by: Peter Jones --- diff --git a/0004-Fix-certficate-argument-name.patch b/0004-Fix-certficate-argument-name.patch index 2a64c6c..08509ff 100644 --- a/0004-Fix-certficate-argument-name.patch 
+++ b/0004-Fix-certficate-argument-name.patch @@ -1,7 +1,7 @@ From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 18 Apr 2017 19:00:34 -0400 -Subject: [PATCH 04/28] Fix "certficate" argument name. +Subject: [PATCH 04/29] Fix "certficate" argument name. This fixes our typoed argument name by making the incorrectly spelled version be a popt alias, and fixing the real implementation to be diff --git a/0005-Fix-description-of-ascii-armor-option-in-manpage.patch b/0005-Fix-description-of-ascii-armor-option-in-manpage.patch index 40a58d4..6a5b02d 100644 --- a/0005-Fix-description-of-ascii-armor-option-in-manpage.patch +++ b/0005-Fix-description-of-ascii-armor-option-in-manpage.patch @@ -1,7 +1,7 @@ From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Mon, 27 Jun 2016 15:38:38 +0200 -Subject: [PATCH 05/28] Fix description of --ascii-armor option in manpage +Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage The --ascii option does not exist. --- diff --git a/0006-Make-ascii-work-since-we-documented-it.patch b/0006-Make-ascii-work-since-we-documented-it.patch index e34776f..d0165f9 100644 --- a/0006-Make-ascii-work-since-we-documented-it.patch +++ b/0006-Make-ascii-work-since-we-documented-it.patch @@ -1,7 +1,7 @@ From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 18 Apr 2017 19:05:40 -0400 -Subject: [PATCH 06/28] Make --ascii work, since we documented it. +Subject: [PATCH 06/29] Make --ascii work, since we documented it. Signed-off-by: Peter Jones --- diff --git a/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch b/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch index 20b0a37..faa78ec 100644 --- a/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch +++ b/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch @@ -1,7 +1,7 @@ 
From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001 From: Pat Riehecky Date: Mon, 7 Nov 2016 11:37:08 -0600 -Subject: [PATCH 07/28] Switch pesign client to also accept token/cert macros +Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros rather than use hard coded values --- diff --git a/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch b/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch index 4571474..2226498 100644 --- a/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch +++ b/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch @@ -1,7 +1,7 @@ From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001 From: David Michael Date: Thu, 16 Feb 2017 15:08:30 -0800 -Subject: [PATCH 08/28] pesigcheck: Verify with the cert as an object signer +Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer --- src/certdb.c | 2 +- diff --git a/0009-pesigcheck-make-certfile-actually-work.patch b/0009-pesigcheck-make-certfile-actually-work.patch index 038e0c6..8b77417 100644 --- a/0009-pesigcheck-make-certfile-actually-work.patch +++ b/0009-pesigcheck-make-certfile-actually-work.patch @@ -1,7 +1,7 @@ From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 24 Apr 2017 15:18:10 -0400 -Subject: [PATCH 09/28] pesigcheck: make --certfile actually work +Subject: [PATCH 09/29] pesigcheck: make --certfile actually work Signed-off-by: Peter Jones --- diff --git a/0010-signerInfos-make-sure-err-is-always-initialized.patch b/0010-signerInfos-make-sure-err-is-always-initialized.patch index 9a249e8..08d1da7 100644 --- a/0010-signerInfos-make-sure-err-is-always-initialized.patch +++ b/0010-signerInfos-make-sure-err-is-always-initialized.patch @@ -1,7 +1,7 @@ From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001 
From: Peter Jones Date: Tue, 25 Apr 2017 16:15:07 -0400 -Subject: [PATCH 10/28] signerInfos: make sure err is always initialized +Subject: [PATCH 10/29] signerInfos: make sure err is always initialized Signed-off-by: Peter Jones --- diff --git a/0011-pesign-make-pesign-h-tell-you-the-file-name.patch b/0011-pesign-make-pesign-h-tell-you-the-file-name.patch index bb2c2a1..3e15617 100644 --- a/0011-pesign-make-pesign-h-tell-you-the-file-name.patch +++ b/0011-pesign-make-pesign-h-tell-you-the-file-name.patch @@ -1,7 +1,7 @@ From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 16:23:36 -0400 -Subject: [PATCH 11/28] pesign: make "pesign -h" tell you the file name. +Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name. Signed-off-by: Peter Jones --- diff --git a/0012-Add-coverity-build-scripts.patch b/0012-Add-coverity-build-scripts.patch index a211c01..f3f0a89 100644 --- a/0012-Add-coverity-build-scripts.patch +++ b/0012-Add-coverity-build-scripts.patch @@ -1,7 +1,7 @@ From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 10 May 2017 10:49:57 -0400 -Subject: [PATCH 12/28] Add coverity build scripts +Subject: [PATCH 12/29] Add coverity build scripts Signed-off-by: Peter Jones --- diff --git a/0013-Document-implicit-fallthrough.patch b/0013-Document-implicit-fallthrough.patch index d8d3e47..3731a3f 100644 --- a/0013-Document-implicit-fallthrough.patch +++ b/0013-Document-implicit-fallthrough.patch @@ -1,7 +1,7 @@ From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sat, 8 Jul 2017 16:31:18 -0400 -Subject: [PATCH 13/28] Document implicit fallthrough. +Subject: [PATCH 13/29] Document implicit fallthrough. Signed-off-by: Peter Jones --- diff --git a/0014-Actually-setfacl-each-directory-of-our-key-storage.patch b/0014-Actually-setfacl-each-directory-of-our-key-storage.patch index de170d8..4b62cb3 100644 
--- a/0014-Actually-setfacl-each-directory-of-our-key-storage.patch +++ b/0014-Actually-setfacl-each-directory-of-our-key-storage.patch @@ -1,7 +1,7 @@ From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 16 May 2016 15:25:53 -0400 -Subject: [PATCH 14/28] Actually setfacl /each/ directory of our key storage. +Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage. Signed-off-by: Peter Jones --- diff --git a/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch b/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch index f4c79a4..d5428b5 100644 --- a/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch +++ b/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch @@ -1,7 +1,7 @@ From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 22 Aug 2016 13:31:38 -0400 -Subject: [PATCH 15/28] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array +Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array indices. That was all kinds of wrong. diff --git a/0016-efikeygen-add-modsign.patch b/0016-efikeygen-add-modsign.patch index 42568ac..8324334 100644 --- a/0016-efikeygen-add-modsign.patch +++ b/0016-efikeygen-add-modsign.patch @@ -1,7 +1,7 @@ From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 22 Aug 2016 13:43:56 -0400 -Subject: [PATCH 16/28] efikeygen: add --modsign +Subject: [PATCH 16/29] efikeygen: add --modsign --- src/cms_common.c | 29 ++++++++++++++++++++++++++++ diff --git a/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch b/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch index f7f46b8..acebc3a 100644 --- a/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch +++ b/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch @@ -1,7 +1,7 @@ 
From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 16:25:02 -0400 -Subject: [PATCH 17/28] check_cert_db(): try even harder to pick a reasonable +Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable validation time. Signed-off-by: Peter Jones diff --git a/0018-show-which-db-we-re-checking.patch b/0018-show-which-db-we-re-checking.patch index 3e0ccff..2b92f83 100644 --- a/0018-show-which-db-we-re-checking.patch +++ b/0018-show-which-db-we-re-checking.patch @@ -1,7 +1,7 @@ From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 16:58:50 -0400 -Subject: [PATCH 18/28] show which db we're checking +Subject: [PATCH 18/29] show which db we're checking --- src/certdb.c | 35 ++++++++++++++++++++++++++++++++++- diff --git a/0019-more-about-the-time.patch b/0019-more-about-the-time.patch index 7e8b5f6..2570bf8 100644 --- a/0019-more-about-the-time.patch +++ b/0019-more-about-the-time.patch @@ -1,7 +1,7 @@ From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 17:00:46 -0400 -Subject: [PATCH 19/28] more about the time +Subject: [PATCH 19/29] more about the time --- src/certdb.c | 59 +++++++++++++++++++++++++++++++++-------------------------- diff --git a/0020-try-to-say-why-something-fails.patch b/0020-try-to-say-why-something-fails.patch index 2e21cb4..96bdd60 100644 --- a/0020-try-to-say-why-something-fails.patch +++ b/0020-try-to-say-why-something-fails.patch @@ -1,7 +1,7 @@ From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 17:01:13 -0400 -Subject: [PATCH 20/28] try to say why something fails +Subject: [PATCH 20/29] try to say why something fails Signed-off-by: Peter Jones --- diff --git a/0021-Fix-race-condition-in-SEC_GetPassword.patch b/0021-Fix-race-condition-in-SEC_GetPassword.patch index 7cb4aa6..3088923 100644 
--- a/0021-Fix-race-condition-in-SEC_GetPassword.patch +++ b/0021-Fix-race-condition-in-SEC_GetPassword.patch @@ -1,7 +1,7 @@ From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sat, 6 May 2017 22:45:34 +0200 -Subject: [PATCH 21/28] Fix race condition in SEC_GetPassword +Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword A side effect of echoOff is to discard unread input, so if we print the prompt before echoOff, the user (or process) at the other end might diff --git a/0022-sysvinit-Create-the-socket-directory-at-runtime.patch b/0022-sysvinit-Create-the-socket-directory-at-runtime.patch index acdaf75..06980ee 100644 --- a/0022-sysvinit-Create-the-socket-directory-at-runtime.patch +++ b/0022-sysvinit-Create-the-socket-directory-at-runtime.patch @@ -1,7 +1,7 @@ From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 13 Jun 2017 13:20:16 -0700 -Subject: [PATCH 22/28] sysvinit: Create the socket directory at runtime +Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime This better supports non-systemd configurations with tmpfs on /run. --- diff --git a/0023-Better-authorization-scripts.-Again.patch b/0023-Better-authorization-scripts.-Again.patch index 8629db4..c778c94 100644 --- a/0023-Better-authorization-scripts.-Again.patch +++ b/0023-Better-authorization-scripts.-Again.patch @@ -1,7 +1,7 @@ From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 8 Aug 2017 15:44:44 -0400 -Subject: [PATCH 23/28] Better authorization scripts. Again. +Subject: [PATCH 23/29] Better authorization scripts. Again. Signed-off-by: Peter Jones --- diff --git a/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch b/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch index c6f8da3..8f4a380 100644 --- a/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch 
+++ b/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch @@ -1,7 +1,7 @@ From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 8 Aug 2017 17:28:19 -0400 -Subject: [PATCH 24/28] Make the daemon also try to give better errors on +Subject: [PATCH 24/29] Make the daemon also try to give better errors on -EPERM etc. Basically 6796e5f but also for the daemon. This also tries to fix them diff --git a/0025-certdb-fix-PRTime-printfs-for-i686.patch b/0025-certdb-fix-PRTime-printfs-for-i686.patch index 64f4975..0fc2ad8 100644 --- a/0025-certdb-fix-PRTime-printfs-for-i686.patch +++ b/0025-certdb-fix-PRTime-printfs-for-i686.patch @@ -1,7 +1,7 @@ From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 9 Aug 2017 17:40:33 -0400 -Subject: [PATCH 25/28] certdb: fix PRTime printfs for i686 +Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686 Signed-off-by: Peter Jones --- diff --git a/0026-Clean-up-gcc-command-lines-a-little.patch b/0026-Clean-up-gcc-command-lines-a-little.patch index 11a76a7..928d62d 100644 --- a/0026-Clean-up-gcc-command-lines-a-little.patch +++ b/0026-Clean-up-gcc-command-lines-a-little.patch @@ -1,7 +1,7 @@ From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 10 Aug 2017 10:02:38 -0400 -Subject: [PATCH 26/28] Clean up gcc command lines a little +Subject: [PATCH 26/29] Clean up gcc command lines a little Signed-off-by: Peter Jones --- diff --git a/0027-Make-pesign-users-groups-static-in-the-repo.patch b/0027-Make-pesign-users-groups-static-in-the-repo.patch index e3a7291..4131de3 100644 --- a/0027-Make-pesign-users-groups-static-in-the-repo.patch +++ b/0027-Make-pesign-users-groups-static-in-the-repo.patch @@ -1,7 +1,7 @@ From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001 
From: Peter Jones Date: Thu, 10 Aug 2017 10:03:37 -0400 -Subject: [PATCH 27/28] Make pesign-{users,groups} static in the repo. +Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo. Signed-off-by: Peter Jones --- diff --git a/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch b/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch index d7c56a8..ad9da8d 100644 --- a/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch +++ b/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch @@ -1,7 +1,7 @@ From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 9 Aug 2017 17:31:31 -0400 -Subject: [PATCH 28/28] rpm: Make the client signer use the fedora values +Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values unless overridden Signed-off-by: Peter Jones diff --git a/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch b/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch new file mode 100644 index 0000000..d16d409 --- /dev/null +++ b/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch 
@@ -0,0 +1,39 @@ +From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 14 Aug 2017 11:37:43 -0400 +Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't + have perms on the socket + +--- + src/macros.pesign | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 22a3ee6..1665b4c 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -43,6 +43,21 @@ + %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ + --certdir ${nss} -c signer %{-o} \ + rm -rf ${sattrs} ${sattrs}.sig ${nss} \ ++ elif [ "%{vendor}" == "Fedora Project" -a \\\ ++ "$(id -un)" == "mockbuild" -a \\\ ++ "$(uname -m)" == "x86_64" ] && \\\ ++ grep -q ID=fedora /etc/os-release && \\\ ++ [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\ ++ ! [ -S /var/run/pesign/socket ]; then \ ++ echo "No socket even though this is "%{_buildhost}" \ ++ ls -ld /var/run/pesign || : \ ++ getfacl /var/run/pesign || : \ ++ ls -l /var/run/pesign/socket || : \ ++ getfacl /var/run/pesign/socket || : \ ++ echo =========== env ============== \ ++ set \ ++ echo =========== env ============== \ ++ exit 1 \ + elif [ -S /var/run/pesign/socket ]; then \ + %{_pesign_client} -t %{__pesign_client_token} \\\ + -c %{__pesign_client_cert} \\\ +-- +2.13.4 + diff --git a/pesign.py b/pesign.py new file mode 100644 index 0000000..4ee59f8 --- /dev/null +++ b/pesign.py 
@@ -0,0 +1,91 @@ +#!/usr/bin/python3 +# +# Copyright 2017 Peter Jones +# +# Distributed under terms of the GPLv3 license. + +""" +mock plugin to make sure pesign and mockbuild users have the right uid and +gid. +""" + +from mockbuild.trace_decorator import getLog, traceLog +import mockbuild.util + +requires_api_version = "1.1" + +@traceLog() +def init(plugins, conf, buildroot): + """ hello """ + Pesign(plugins, conf, buildroot) + +def getuid(name): + """ get a uid for a user name """ + output = mockbuild.util.do(["getent", "passwd", "%s" % (name,)], + returnOutput=1, printOutput=True) + output = output.split(':') + return output[2], output[3] + +def getgid(name): + """ get a gid for a group name """ + output = mockbuild.util.do(["getent", "group", "%s" % (name,)], + returnOutput=1, printOutput=True) + return output.split(':')[2] + +def newgroup(name, gid, rootdir): + """ create a group with a gid """ + getLog().info("creating group %s with gid %s" % (name, gid)) + mockbuild.util.do(["groupadd", + "-g", "%s" % (gid,), + "-R", "%s" % (rootdir,), + "%s" % (name,), + ]) + +def newuser(name, uid, gid, rootdir): + """ create a user with a uid """ + getLog().info("creating user %s with uid %s" % (name, uid)) + mockbuild.util.do(["useradd", + "-u", "%s" % (uid,), + "-g", "%s" % (gid,), + "-R", "%s" % (rootdir,), + "%s" % (name,)]) + +class Pesign(object): + """ Creates some stuff in our mock root """ + # pylint: disable=too-few-public-methods + @traceLog() + def __init__(self, plugins, conf, buildroot): + """ Effectively we're doing: + getent group pesign >/dev/null || groupadd -r pesign + getent passwd pesign >/dev/null || \ + useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \ + -c "Group for the pesign signing daemon" pesign + """ + + self.buildroot = buildroot + self.pesign_opts = conf + self.config = buildroot.config + self.state = buildroot.state + self.users = {} + self.groups = {} + plugins.add_hook("postinit", self._pesignPostInitHook) + + @traceLog() + def 
_pesignPostInitHook(self): + """ find our uid and gid lists """ + for user in self.pesign_opts['users']: + uid, gid = getuid(user) + self.users[user] = [user, uid, gid] + for group in self.pesign_opts['groups']: + gid = getgid(group) + self.groups[group] = [group, gid] + + # create our users + rootdir = self.buildroot.make_chroot_path() + for name, gid in self.groups.values(): + newgroup(name, gid, rootdir) + for name, uid, gid in self.users.values(): + newuser(name, uid, gid, rootdir) + +# -*- coding: utf-8 -*- +# vim:fenc=utf-8:tw=75 diff --git a/pesign.spec b/pesign.spec index e5c716a..39dd9dd 100644 --- a/pesign.spec +++ b/pesign.spec @@ -3,7 +3,7 @@ Summary: Signing utility for UEFI binaries Name: pesign Version: 0.112 -Release: 10%{?dist} +Release: 19%{?dist} Group: Development/System License: GPLv2 URL: https://github.com/vathpela/pesign @@ -15,6 +15,7 @@ BuildRequires: nss-devel >= 3.13.6-1 BuildRequires: efivar-devel >= 31-1 BuildRequires: libuuid-devel BuildRequires: tar xz +BuildRequires: python3-rpm-macros python3 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 BuildRequires: systemd %endif @@ -27,6 +28,7 @@ BuildRequires: rh-signing-tools >= 1.20-2 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 Source1: certs.tar.xz +Source2: pesign.py Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch Patch0002: 0002-Fix-command-line-parsing.patch @@ -56,6 +58,7 @@ Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch +Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch %description This package contains the pesign utility for signing UEFI binaries as 
@@ -105,6 +108,9 @@ rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING # and find-debuginfo.sh has some pretty awful deficencies too... cp -av libdpe/*.[ch] src/ +install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/ +install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/ + %pre getent group pesign >/dev/null || groupadd -r pesign getent passwd pesign >/dev/null || \ @@ -116,8 +122,8 @@ exit 0 %post %systemd_post pesign.service -%posttrans -%{_libexecdir}/pesign/pesign-authorize +#%%posttrans +#%%{_libexecdir}/pesign/pesign-authorize %preun %systemd_preun pesign.service @@ -155,8 +161,13 @@ exit 0 %{_tmpfilesdir}/pesign.conf %{_unitdir}/pesign.service %endif +%{python3_sitelib}/mockbuild/plugins/*/pesign.* +%{python3_sitelib}/mockbuild/plugins/pesign.* %changelog +* Tue Aug 15 2017 Peter Jones - 0.112-19 +- Update to match f26's build so new kernel builds will work. + * Thu Aug 10 2017 Peter Jones - 0.112-10 - Try to fix the db problem nirik is seeing trying to upgrade the builders.
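Review bot: in the new 0029 patch (the `src/macros.pesign` hunk), the diagnostic line `echo "No socket even though this is "%{_buildhost}" \` has three double quotes, so after macro expansion the shell sees an unterminated string and the whole "no socket" branch either dies with a syntax error or swallows the following lines into the echo; write it as `echo "No socket even though this is %{_buildhost}" \`. Two smaller points on the same hunk: bare `set` dumps every shell and environment variable of the build into the koji log, which is a published artifact, so anything the builder passed through the environment lands there, and printing only the variables the socket check depends on would be safer; and `[ ... == ... ]` plus `[[ ... =~ ... ]]` are bash-only, which is fine while `%{_buildshell}` is bash but worth a comment in the macro.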
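Review bot: in the `pesign.py` hunk, the `Pesign.__init__` docstring says the plugin is the equivalent of `useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin pesign`, but `newuser` only passes `-u`, `-g` and `-R`, so the account created inside the chroot is a regular user with a default home directory and login shell rather than a system account; pass `-r`, `-d` and `-s` through (or change the docstring to describe what is actually done). Related: neither `newgroup` nor `newuser` checks whether the name already exists in the chroot, whereas the shell version guards with `getent ... ||`, so `groupadd`/`useradd` will fail on a chroot that already carries the account, and `self.pesign_opts['users']` / `['groups']` raise `KeyError` when the plugin config omits one of the keys (`.get('users', [])` would be safer). Minor: `init`'s docstring is the placeholder "hello", `getuid` actually returns a (uid, gid) pair, and the `# -*- coding: utf-8 -*-` marker at the end of the file has no effect there, since Python only honours it on the first two lines.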
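Review bot: in the `pesign.spec` hunk at `@@ -3,7 +3,7 @@`, `Release` jumps from `10%{?dist}` to `19%{?dist}`, but the `%changelog` hunk only adds the 0.112-19 entry directly above the 0.112-10 one, so releases 11 through 18 (presumably the f26 builds the subject refers to) are undocumented in this branch; either carry those changelog entries over or say in the new entry that they are being collapsed.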
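Review bot: in the `pesign.spec` hunk at `@@ -105,6 +108,9 @@`, `install -m 0755 %{SOURCE2}` gives a Python module that mock imports, never executes, an executable bit; `0644` is the usual mode for a file in `%{python3_sitelib}`. The same hunk installs a mock plugin into the main pesign package, but nothing in the spec gains a `Requires: mock` (only the `BuildRequires` for python3 are added), so on a machine without mock the package now ships files under a directory it neither owns nor depends on; a `pesign-mock` subpackage, or at least the dependency, would keep that honest.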
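Review bot: in the `pesign.spec` hunk at `@@ -116,8 +122,8 @@`, commenting out `%posttrans` means `%{_libexecdir}/pesign/pesign-authorize` no longer runs when the package is installed or upgraded, so the ACLs that script applies to the key storage and socket directory are only set by whatever replaces it; the 0.112-19 changelog entry does not say why this is being disabled or what now does that job, and that rationale belongs in the changelog or a spec comment. The `#%%posttrans` / `#%%{_libexecdir}` escaping is correct, since a bare `%` in a spec comment still expands; if the scriptlet is not coming back, deleting the two lines outright is cleaner than keeping them commented.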
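Review bot: in the `pesign.spec` hunk at `@@ -155,8 +161,13 @@`, the `%files` entry `%{python3_sitelib}/mockbuild/plugins/*/pesign.*` relies on byte-compilation dropping a `__pycache__/pesign.cpython-*.pyc` next to the module; naming `__pycache__` explicitly instead of `*` documents that and avoids picking up anything else under `plugins/` that happens to start with `pesign.`.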