Compare commits

..

No commits in common. "a8" and "c8s" have entirely different histories.
a8 ... c8s

38 changed files with 189 additions and 16 deletions

2
.gitignore vendored
View File

@ -1,2 +1,4 @@
SOURCES/certs.tar.xz
SOURCES/pesign-0.112.tar.bz2
/certs.tar.xz
/pesign-0.112.tar.bz2

View File

@ -1,2 +0,0 @@
53d9b43ef6eadb4512ce9738b5a6efbb40477983 SOURCES/certs.tar.xz
7cba5cfddabc425d0a927edfdd6865cc92f00c7b SOURCES/pesign-0.112.tar.bz2

View File

@ -0,0 +1,151 @@
From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 8 Nov 2021 17:58:09 -0500
Subject: [PATCH] Replace /var/run with /run
This change is in violation of the FHS and is forced by systemd being
obnoxious and logging warnings about it as if it's some kind of problem.
This commit is a subset of the work in
02d473fbfd782863a0dcef7e44822d1e7e56a4b3,
f97d3b04a2eafb42272ede24e1353dd0a7f4347c,
5f9058677e7241cc88b4e8620654bbaa08a4bce4, and
cffa10d9b5eec9a9def3533b181a32b64fc29913 (all by pjones) because they
don't backport well.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/Makefile | 2 +-
src/daemon.h | 4 ++--
src/macros.pesign | 12 ++++++------
src/pesign-authorize | 2 +-
src/pesign.service.in | 2 +-
src/pesign.sysvinit.in | 10 +++++-----
src/tmpfiles.conf | 2 +-
7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index 7d68fa1..a11e2b4 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
diff --git a/src/daemon.h b/src/daemon.h
index d97eab9..db42c16 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -49,7 +49,7 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
#endif /* DAEMON_H */
diff --git a/src/macros.pesign b/src/macros.pesign
index dfdac02..f135c29 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -48,17 +48,17 @@
"$(uname -m)" == "x86_64" ] && \\\
grep -q ID=fedora /etc/os-release && \\\
[[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
- ! [ -S /var/run/pesign/socket ]; then \
+ ! [ -S /run/pesign/socket ]; then \
echo "No socket even though this is %{_buildhost}" \
- ls -ld /var/run/pesign || : \
- getfacl /var/run/pesign || : \
- ls -l /var/run/pesign/socket || : \
- getfacl /var/run/pesign/socket || : \
+ ls -ld /run/pesign || : \
+ getfacl /run/pesign || : \
+ ls -l /run/pesign/socket || : \
+ getfacl /run/pesign/socket || : \
echo =========== env ============== \
set \
echo =========== env ============== \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
diff --git a/src/pesign-authorize b/src/pesign-authorize
index a496f60..83a30cd 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
diff --git a/src/pesign.service.in b/src/pesign.service.in
index c75a000..4ac2199 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index b0e0f84..bf8edec 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
- mkdir /var/run/pesign 2>/dev/null &&
- chown pesign:pesign /var/run/pesign &&
- chmod 0770 /var/run/pesign
+ mkdir /run/pesign 2>/dev/null &&
+ chown pesign:pesign /run/pesign &&
+ chmod 0770 /run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
@@ -32,7 +32,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
index c1cf355..3375ad5 100644
--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
--
2.33.0

View File

@ -1,4 +1,4 @@
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
@ -23,15 +23,16 @@ This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit b535d1ac5cbcdf18a97d97a92581e38080d9e521)
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index ede76ef..2cd953e 100644
index 9390578..089e6a7 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -208,7 +208,7 @@ static int
@@ -206,7 +206,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
@ -41,5 +42,5 @@ index ede76ef..2cd953e 100644
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
--
2.21.0
2.33.0

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.hardware-pesign.tier0.functional}

View File

@ -1,10 +1,9 @@
%global dist %{?dist}.alma
%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 0.112
Release: 25%{?dist}
Release: 26%{?dist}
License: GPLv2
URL: https://github.com/vathpela/pesign
@ -60,7 +59,8 @@ Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
Patch0030: 0030-fix-the-build-with-nss-3.44.patch
Patch0030: 0030-Replace-var-run-with-run.patch
Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
%description
This package contains the pesign utility for signing UEFI binaries as
@ -115,7 +115,7 @@ install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
%pre
getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || \
useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
-c "Group for the pesign signing daemon" pesign
exit 0
@ -154,9 +154,9 @@ exit 0
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%{_mandir}/man*/*
%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
%dir %attr(0770, pesign, pesign) /%{_rundir}/%{name}
%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service
@ -165,9 +165,9 @@ exit 0
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Sat Dec 21 2019 Eugene Zamriy <ezamriy@cloudlinux.com> - 0.112-25.cloudlinux
- Apply 0030-fix-the-build-with-nss-3.44.patch
Resolves: https://github.com/rhboot/pesign/issues/48
* Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
- Perform the /var/run to /run "migration" stupidity
- Resolves: rhbz#1801976
* Mon Oct 01 2018 Peter Jones <pjones@redhat.com> - 0.112-25
- Preserve .py timestamp during install so .pyc/.pyo files have the same

13
rpminspect.yaml Normal file
View File

@ -0,0 +1,13 @@
---
inspections:
# Not a Java package
javabytecode: off
# These just flag when things change "too much"
changedfiles: off
filesize: off
patches: off
upstream: off
# https://bugzilla.redhat.com/show_bug.cgi?id=2010936
annocheck: off

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (certs.tar.xz) = 5df34f507a365ef87320776c99cbfad76365693901c71eaf64fec008afb9acfd7b615da5906b92a070c864e74f44934395c3f474ce5b33844cfa3df49a8ad188
SHA512 (pesign-0.112.tar.bz2) = 96bff27ce5059f1ea299c21ac88998a0c17851b8b06ba2f3e286de5cd4d73651b670ac00ca035481faf9c963338527c89120c63ec891a95ce9ecb9130fbc5e5c