Remove errant result files and raise an error from %pesign
Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones
parent
b142cf3763
commit
e3986cb40f
@ -1,61 +0,0 @@
|
||||
From 2933901ce69d3830e0dad983d20d5d17e8087c75 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 23 Jul 2013 16:58:32 -0400
|
||||
Subject: [PATCH 1/9] Make the RHEL %%pesign macro a little better.
|
||||
|
||||
Use mktemp to avoid clobering anybody's local files, and document the
|
||||
arguments better.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 28 +++++++++++++++++++---------
|
||||
1 file changed, 19 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 26f1dd7..8b123fa 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -12,21 +12,31 @@
|
||||
%_pesign /usr/bin/pesign
|
||||
%_pesign_client /usr/bin/pesign-client
|
||||
|
||||
-%pesign(i:o:C:e:c:s) \
|
||||
+# -i <input filename>
|
||||
+# -o <output filename>
|
||||
+# -C <output cert filename>
|
||||
+# -e <output sattr filename>
|
||||
+# -c <input certificate filename> # rhel only
|
||||
+# -n <input certificate name> # rhel only
|
||||
+# -a <input ca cert filename> # rhel only
|
||||
+# -s # perform signing
|
||||
+%pesign(i:o:C:e:c:n:a:s) \
|
||||
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
|
||||
if [ -e /var/run/pesign/socket ]; then \
|
||||
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||
-c "/CN=Fedora Secure Boot Signer" \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
elif [ -e /etc/rhel-release ]; then \
|
||||
- mkdir nss \
|
||||
- certutil -d nss -N \
|
||||
- certutil -A -n "ca" -t "CT,C," -i %{-c*}.crt -a -d nss \
|
||||
- certutil -A -n %{-c*} -t ",c," -i %{-c*}.crt -a -d nss \
|
||||
- %{_pesign} %{-i} -E sattrs.der --certdir nss \
|
||||
- rpm-sign --key "%{-c*}" --rsasign sattrs.der \
|
||||
- %{_pesign} -R sattrs.der.sig -I sattrs.der %{-i} \\\
|
||||
- --certdir nss %{-c} %{-o} \
|
||||
+ nss=$(mktemp -p $PWD -d) \
|
||||
+ certutil -d ${nss} -N \
|
||||
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||
+ certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
|
||||
+ sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
|
||||
+ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
|
||||
+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||
+ --certdir ${nss} -c signer %{-o} \
|
||||
+ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||
else \
|
||||
%{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,29 +0,0 @@
|
||||
From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 5 Aug 2013 09:09:46 -0400
|
||||
Subject: [PATCH 2/9] Apparently we want documentation in a non-versioned
|
||||
directory these days.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
Makefile | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index c2395f2..02e01d5 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -16,8 +16,8 @@ clean :
|
||||
|
||||
install :
|
||||
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
|
||||
- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
|
||||
- $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
|
||||
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
|
||||
+ $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
|
||||
|
||||
install_systemd:
|
||||
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,41 +0,0 @@
|
||||
From c2d54b835ca3db92c9110a2596429710453c2a95 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 6 Aug 2013 12:32:43 -0400
|
||||
Subject: [PATCH 3/9] Make the RHEL bits for macros.pesign a bit cleaner.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 8b123fa..244f576 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -22,11 +22,7 @@
|
||||
# -s # perform signing
|
||||
%pesign(i:o:C:e:c:n:a:s) \
|
||||
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
|
||||
- if [ -e /var/run/pesign/socket ]; then \
|
||||
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||
- -c "/CN=Fedora Secure Boot Signer" \\\
|
||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
- elif [ -e /etc/rhel-release ]; then \
|
||||
+ if [ -e /etc/rhel-release ]; then \
|
||||
nss=$(mktemp -p $PWD -d) \
|
||||
certutil -d ${nss} -N \
|
||||
certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||
@@ -37,6 +33,10 @@
|
||||
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||
--certdir ${nss} -c signer %{-o} \
|
||||
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||
+ elif [ -S /var/run/pesign/socket ]; then \
|
||||
+ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||
+ -c "/CN=Fedora Secure Boot Signer" \\\
|
||||
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
else \
|
||||
%{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,55 +0,0 @@
|
||||
From 7c25ea77c81e63c88cf1fbeb2fc9baba94bce8b7 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Mon, 4 Mar 2013 16:25:08 +0800
|
||||
Subject: [PATCH 4/9] Include the issuer's certificate only when available
|
||||
|
||||
When pesign generates a signature, it also includes the issuer's certificate.
|
||||
In SUSE build server, we only import the signer's certificate and pesign
|
||||
complaint the issuer's certificate was not found. Per Authenticode PE, the
|
||||
root certificate is typically not included in the certificate list, so I
|
||||
modified pesign a bit to include the issuer's certificate only when available.
|
||||
Please check the attached patch.
|
||||
|
||||
Besides the issuer's certificate, I also found find_named_certificate() didn't
|
||||
handle the certificate list properly and it may cause segfault if "node->cert"
|
||||
is not valid. The patch also fixes this issue.
|
||||
---
|
||||
src/cms_common.c | 2 +-
|
||||
src/signed_data.c | 8 ++------
|
||||
2 files changed, 3 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index 6b44024..fc9796e 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -592,7 +592,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
|
||||
* in the database, we'll get back what is essentially a template
|
||||
* that's in NSS's cache waiting to be filled out. We can't use that,
|
||||
* it'll just cause CERT_DupCertificate() to segfault. */
|
||||
- if (!node || !node->cert || !node->cert->derCert.data
|
||||
+ if (CERT_LIST_END(node) || !node->cert || !node->cert->derCert.data
|
||||
|| !node->cert->derCert.len
|
||||
|| !node->cert->derIssuer.data
|
||||
|| !node->cert->derIssuer.len) {
|
||||
diff --git a/src/signed_data.c b/src/signed_data.c
|
||||
index 5425271..2f4b498 100644
|
||||
--- a/src/signed_data.c
|
||||
+++ b/src/signed_data.c
|
||||
@@ -96,12 +96,8 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
|
||||
CERTCertificate *signer = NULL;
|
||||
int rc = find_named_certificate(cms, cms->cert->issuerName,
|
||||
&signer);
|
||||
- if (rc < 0) {
|
||||
- PORT_ArenaRelease(cms->arena, mark);
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
- if (signer && signer->derCert.len && signer->derCert.data) {
|
||||
+ if (rc == 0 && signer &&
|
||||
+ signer->derCert.len && signer->derCert.data) {
|
||||
if (signer->derCert.len != cms->cert->derCert.len ||
|
||||
memcmp(signer->derCert.data,
|
||||
cms->cert->derCert.data,
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
From 39466ae9ed3ce5f78fc20c6e74eb0fb3aa93349e Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 6 Aug 2013 16:49:06 -0400
|
||||
Subject: [PATCH 5/9] Try harder to figure out if this is RHEL.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 244f576..f94553d 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -22,7 +22,7 @@
|
||||
# -s # perform signing
|
||||
%pesign(i:o:C:e:c:n:a:s) \
|
||||
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
|
||||
- if [ -e /etc/rhel-release ]; then \
|
||||
+ if [ "0%{?rhel}" -ge "7" ]; then \
|
||||
nss=$(mktemp -p $PWD -d) \
|
||||
certutil -d ${nss} -N \
|
||||
certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,28 +0,0 @@
|
||||
From f8b19278775fe8a5c599b94fcae90b99a781a42b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 7 Aug 2013 09:06:33 -0400
|
||||
Subject: [PATCH 6/9] Don't use ASCII mode for RHEL certificate imports.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index f94553d..84e87a3 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -25,8 +25,8 @@
|
||||
if [ "0%{?rhel}" -ge "7" ]; then \
|
||||
nss=$(mktemp -p $PWD -d) \
|
||||
certutil -d ${nss} -N \
|
||||
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||
- certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
|
||||
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
||||
+ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
||||
sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||
%{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
|
||||
rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,30 +0,0 @@
|
||||
From c7318444b811125f26828fd39e8a46de81cd5f86 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 7 Aug 2013 09:13:11 -0400
|
||||
Subject: [PATCH 7/9] Apparently if something goes wrong on the HSM, we wind up
|
||||
with 0-size.
|
||||
|
||||
Handle zero-sized output by erroring in the rpm macro. Eventually we
|
||||
should make sure pesign is throwing an error there too.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 84e87a3..6b22826 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -47,5 +47,8 @@
|
||||
elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
|
||||
touch %{-e*} \
|
||||
fi \
|
||||
+ fi \
|
||||
+ if [ ! -s %{-o} ]; then \
|
||||
+ exit 1 \
|
||||
fi ;
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
From 5b8950a8cddad1076fb631c4ef6999bfb4f977f8 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 7 Aug 2013 09:37:33 -0400
|
||||
Subject: [PATCH 8/9] Use --force when we've got a sattrs blob from mktemp()
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 6b22826..a0339fe 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -28,7 +28,7 @@
|
||||
certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
||||
certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
||||
sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
|
||||
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
|
||||
rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
|
||||
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||
--certdir ${nss} -c signer %{-o} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
From a8f70c0745fcc5b0e522bd3a6ed5871b0eea9397 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sat, 10 Aug 2013 10:28:49 -0400
|
||||
Subject: [PATCH 9/9] Remove errant results from signing.
|
||||
|
||||
---
|
||||
src/macros.pesign | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index a0339fe..8bf47c1 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -49,6 +49,9 @@
|
||||
fi \
|
||||
fi \
|
||||
if [ ! -s %{-o} ]; then \
|
||||
+ if [ -e "%{-o*}" ]; then \
|
||||
+ rm -f %{-o*} \
|
||||
+ fi \
|
||||
exit 1 \
|
||||
fi ;
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
13
pesign.spec
13
pesign.spec
@ -1,7 +1,7 @@
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Name: pesign
|
||||
Version: 0.106
|
||||
Release: 4%{?dist}
|
||||
Version: 0.107
|
||||
Release: 1%{?dist}
|
||||
Group: Development/System
|
||||
License: GPLv2
|
||||
URL: https://github.com/vathpela/pesign
|
||||
@ -21,15 +21,6 @@ BuildRequires: rh-signing-tools >= 1.20-2
|
||||
# git checkout %%{version}
|
||||
Source0: pesign-%{version}.tar.bz2
|
||||
Source1: rh-test-certs.tar.bz2
|
||||
Patch0001: 0001-Make-the-RHEL-pesign-macro-a-little-better.patch
|
||||
Patch0002: 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
|
||||
Patch0003: 0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
|
||||
Patch0004: 0004-Include-the-issuer-s-certificate-only-when-available.patch
|
||||
Patch0005: 0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
|
||||
Patch0006: 0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
|
||||
Patch0007: 0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
|
||||
Patch0008: 0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
|
||||
Patch0009: 0009-Remove-errant-results-from-signing.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
|
||||
Loading…
Reference in New Issue
Block a user