Remove errant result files and raise an error from %pesign

Signed-off-by: Peter Jones <pjones@redhat.com>
Peter Jones 2013-08-10 10:56:23 -04:00
parent b142cf3763
commit e3986cb40f
11 changed files with 3 additions and 334 deletions


@ -1,61 +0,0 @@
From 2933901ce69d3830e0dad983d20d5d17e8087c75 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 23 Jul 2013 16:58:32 -0400
Subject: [PATCH 1/9] Make the RHEL %%pesign macro a little better.
Use mktemp to avoid clobering anybody's local files, and document the
arguments better.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 26f1dd7..8b123fa 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -12,21 +12,31 @@
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
-%pesign(i:o:C:e:c:s) \
+# -i <input filename>
+# -o <output filename>
+# -C <output cert filename>
+# -e <output sattr filename>
+# -c <input certificate filename> # rhel only
+# -n <input certificate name> # rhel only
+# -a <input ca cert filename> # rhel only
+# -s # perform signing
+%pesign(i:o:C:e:c:n:a:s) \
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
if [ -e /var/run/pesign/socket ]; then \
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
-c "/CN=Fedora Secure Boot Signer" \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
elif [ -e /etc/rhel-release ]; then \
- mkdir nss \
- certutil -d nss -N \
- certutil -A -n "ca" -t "CT,C," -i %{-c*}.crt -a -d nss \
- certutil -A -n %{-c*} -t ",c," -i %{-c*}.crt -a -d nss \
- %{_pesign} %{-i} -E sattrs.der --certdir nss \
- rpm-sign --key "%{-c*}" --rsasign sattrs.der \
- %{_pesign} -R sattrs.der.sig -I sattrs.der %{-i} \\\
- --certdir nss %{-c} %{-o} \
+ nss=$(mktemp -p $PWD -d) \
+ certutil -d ${nss} -N \
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
+ certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
+ sattrs=$(mktemp -p $PWD --suffix=.der) \
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
+ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
+ --certdir ${nss} -c signer %{-o} \
+ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
else \
%{_pesign} %{__pesign_token} %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
--
1.8.3.1


@ -1,29 +0,0 @@
From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 5 Aug 2013 09:09:46 -0400
Subject: [PATCH 2/9] Apparently we want documentation in a non-versioned
directory these days.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index c2395f2..02e01d5 100644
--- a/Makefile
+++ b/Makefile
@@ -16,8 +16,8 @@ clean :
install :
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
- $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
+ $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
install_systemd:
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
--
1.8.3.1


@ -1,41 +0,0 @@
From c2d54b835ca3db92c9110a2596429710453c2a95 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 6 Aug 2013 12:32:43 -0400
Subject: [PATCH 3/9] Make the RHEL bits for macros.pesign a bit cleaner.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 8b123fa..244f576 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -22,11 +22,7 @@
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
- if [ -e /var/run/pesign/socket ]; then \
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
- -c "/CN=Fedora Secure Boot Signer" \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- elif [ -e /etc/rhel-release ]; then \
+ if [ -e /etc/rhel-release ]; then \
nss=$(mktemp -p $PWD -d) \
certutil -d ${nss} -N \
certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
@@ -37,6 +33,10 @@
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+ elif [ -S /var/run/pesign/socket ]; then \
+ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
+ -c "/CN=Fedora Secure Boot Signer" \\\
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
else \
%{_pesign} %{__pesign_token} %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
--
1.8.3.1


@ -1,55 +0,0 @@
From 7c25ea77c81e63c88cf1fbeb2fc9baba94bce8b7 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 4 Mar 2013 16:25:08 +0800
Subject: [PATCH 4/9] Include the issuer's certificate only when available
When pesign generates a signature, it also includes the issuer's certificate.
In SUSE build server, we only import the signer's certificate and pesign
complaint the issuer's certificate was not found. Per Authenticode PE, the
root certificate is typically not included in the certificate list, so I
modified pesign a bit to include the issuer's certificate only when available.
Please check the attached patch.
Besides the issuer's certificate, I also found find_named_certificate() didn't
handle the certificate list properly and it may cause segfault if "node->cert"
is not valid. The patch also fixes this issue.
---
src/cms_common.c | 2 +-
src/signed_data.c | 8 ++------
2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 6b44024..fc9796e 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -592,7 +592,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
* in the database, we'll get back what is essentially a template
* that's in NSS's cache waiting to be filled out. We can't use that,
* it'll just cause CERT_DupCertificate() to segfault. */
- if (!node || !node->cert || !node->cert->derCert.data
+ if (CERT_LIST_END(node) || !node->cert || !node->cert->derCert.data
|| !node->cert->derCert.len
|| !node->cert->derIssuer.data
|| !node->cert->derIssuer.len) {
diff --git a/src/signed_data.c b/src/signed_data.c
index 5425271..2f4b498 100644
--- a/src/signed_data.c
+++ b/src/signed_data.c
@@ -96,12 +96,8 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
CERTCertificate *signer = NULL;
int rc = find_named_certificate(cms, cms->cert->issuerName,
&signer);
- if (rc < 0) {
- PORT_ArenaRelease(cms->arena, mark);
- return -1;
- }
-
- if (signer && signer->derCert.len && signer->derCert.data) {
+ if (rc == 0 && signer &&
+ signer->derCert.len && signer->derCert.data) {
if (signer->derCert.len != cms->cert->derCert.len ||
memcmp(signer->derCert.data,
cms->cert->derCert.data,
--
1.8.3.1


@ -1,26 +0,0 @@
From 39466ae9ed3ce5f78fc20c6e74eb0fb3aa93349e Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 6 Aug 2013 16:49:06 -0400
Subject: [PATCH 5/9] Try harder to figure out if this is RHEL.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 244f576..f94553d 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -22,7 +22,7 @@
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
- if [ -e /etc/rhel-release ]; then \
+ if [ "0%{?rhel}" -ge "7" ]; then \
nss=$(mktemp -p $PWD -d) \
certutil -d ${nss} -N \
certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
--
1.8.3.1


@ -1,28 +0,0 @@
From f8b19278775fe8a5c599b94fcae90b99a781a42b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 7 Aug 2013 09:06:33 -0400
Subject: [PATCH 6/9] Don't use ASCII mode for RHEL certificate imports.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index f94553d..84e87a3 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -25,8 +25,8 @@
if [ "0%{?rhel}" -ge "7" ]; then \
nss=$(mktemp -p $PWD -d) \
certutil -d ${nss} -N \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
- certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
+ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
sattrs=$(mktemp -p $PWD --suffix=.der) \
%{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
--
1.8.3.1


@ -1,30 +0,0 @@
From c7318444b811125f26828fd39e8a46de81cd5f86 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 7 Aug 2013 09:13:11 -0400
Subject: [PATCH 7/9] Apparently if something goes wrong on the HSM, we wind up
with 0-size.
Handle zero-sized output by erroring in the rpm macro. Eventually we
should make sure pesign is throwing an error there too.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/macros.pesign b/src/macros.pesign
index 84e87a3..6b22826 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -47,5 +47,8 @@
elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
touch %{-e*} \
fi \
+ fi \
+ if [ ! -s %{-o} ]; then \
+ exit 1 \
fi ;
--
1.8.3.1


@ -1,26 +0,0 @@
From 5b8950a8cddad1076fb631c4ef6999bfb4f977f8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 7 Aug 2013 09:37:33 -0400
Subject: [PATCH 8/9] Use --force when we've got a sattrs blob from mktemp()
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 6b22826..a0339fe 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -28,7 +28,7 @@
certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
sattrs=$(mktemp -p $PWD --suffix=.der) \
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
--certdir ${nss} -c signer %{-o} \
--
1.8.3.1


@ -1,26 +0,0 @@
From a8f70c0745fcc5b0e522bd3a6ed5871b0eea9397 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sat, 10 Aug 2013 10:28:49 -0400
Subject: [PATCH 9/9] Remove errant results from signing.
---
src/macros.pesign | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/macros.pesign b/src/macros.pesign
index a0339fe..8bf47c1 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -49,6 +49,9 @@
fi \
fi \
if [ ! -s %{-o} ]; then \
+ if [ -e "%{-o*}" ]; then \
+ rm -f %{-o*} \
+ fi \
exit 1 \
fi ;
--
1.8.3.1


@ -1,7 +1,7 @@
Summary: Signing utility for UEFI binaries
Name: pesign
Version: 0.106
Release: 4%{?dist}
Version: 0.107
Release: 1%{?dist}
Group: Development/System
License: GPLv2
URL: https://github.com/vathpela/pesign
@ -21,15 +21,6 @@ BuildRequires: rh-signing-tools >= 1.20-2
# git checkout %%{version}
Source0: pesign-%{version}.tar.bz2
Source1: rh-test-certs.tar.bz2
Patch0001: 0001-Make-the-RHEL-pesign-macro-a-little-better.patch
Patch0002: 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
Patch0003: 0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
Patch0004: 0004-Include-the-issuer-s-certificate-only-when-available.patch
Patch0005: 0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
Patch0006: 0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
Patch0007: 0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
Patch0008: 0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
Patch0009: 0009-Remove-errant-results-from-signing.patch
%description
This package contains the pesign utility for signing UEFI binaries as


@ -1,2 +1,2 @@
328db7cb27847cb610b7cf8f9c470455 rh-test-certs.tar.bz2
dbe4d91dc9677275fe32c9238c1ea881 pesign-0.106.tar.bz2
0f0cd4bdf207a33841cab2b22dcbb5e2 pesign-0.107.tar.bz2