rpms/pesign
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:imports/c9-beta/pesign-113-21.el9
Branches Tags
rpms:c8s
rpms:a10s
rpms:c10s
rpms:c8
rpms:c9
rpms:c9s
rpms:c9-beta
rpms:a8-beta
rpms:c8-beta
rpms:a8
rpms:changed/a10s/pesign-116-6.el10.alma.1
rpms:imports/c10s/pesign-116-6.el10
rpms:changed/a10s/pesign-116-5.el10.alma.1
rpms:imports/c10s/pesign-116-5.el10
rpms:imports/c8/pesign-0.112-27.el8
rpms:imports/c8/pesign-0.112-27.el8_7
rpms:imports/c9/pesign-115-6.el9
rpms:imports/c9/pesign-115-6.el9_1
rpms:imports/c9/pesign-115-4.el9
rpms:imports/c9-beta/pesign-115-4.el9
rpms:imports/c9/pesign-113-21.el9
rpms:imports/c8/pesign-0.112-26.el8
rpms:changed/a8-beta/pesign-0.112-26.el8.alma
rpms:imports/c8-beta/pesign-0.112-26.el8
rpms:imports/c9-beta/pesign-113-21.el9
rpms:imports/c9-beta/pesign-113-20.el9_b
rpms:imports/c9-beta/pesign-113-17.el9
rpms:imports/c8s/pesign-0.112-26.el8
rpms:imports/c8-beta/pesign-0.112-25.el8
rpms:changed/a8/pesign-0.112-25.el8.alma
rpms:imports/c8/pesign-0.112-25.el8
rpms:imports/c8s/pesign-0.112-25.el8
...
compare: rpms:c8s
Branches Tags
rpms:a10s
rpms:c10s
rpms:c8
rpms:c8s
rpms:c9
rpms:c9s
rpms:c9-beta
rpms:a8-beta
rpms:c8-beta
rpms:a8
rpms:changed/a10s/pesign-116-6.el10.alma.1
rpms:imports/c10s/pesign-116-6.el10
rpms:changed/a10s/pesign-116-5.el10.alma.1
rpms:imports/c10s/pesign-116-5.el10
rpms:imports/c8/pesign-0.112-27.el8
rpms:imports/c8/pesign-0.112-27.el8_7
rpms:imports/c9/pesign-115-6.el9
rpms:imports/c9/pesign-115-6.el9_1
rpms:imports/c9/pesign-115-4.el9
rpms:imports/c9-beta/pesign-115-4.el9
rpms:imports/c9/pesign-113-21.el9
rpms:imports/c8/pesign-0.112-26.el8
rpms:changed/a8-beta/pesign-0.112-26.el8.alma
rpms:imports/c8-beta/pesign-0.112-26.el8
rpms:imports/c9-beta/pesign-113-21.el9
rpms:imports/c9-beta/pesign-113-20.el9_b
rpms:imports/c9-beta/pesign-113-17.el9
rpms:imports/c8s/pesign-0.112-26.el8
rpms:imports/c8-beta/pesign-0.112-25.el8
rpms:changed/a8/pesign-0.112-25.el8.alma
rpms:imports/c8/pesign-0.112-25.el8
rpms:imports/c8s/pesign-0.112-25.el8

No commits in common. "imports/c9-beta/pesign-113-21.el9" and "c8s" have entirely different histories.
imports/c9 ... c8s

52 changed files with 2441 additions and 1403 deletions
Show Stats Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,2 +1,4 @@
SOURCES/certs.tar.xz
SOURCES/pesign-113.tar.bz2
SOURCES/pesign-0.112.tar.bz2
/certs.tar.xz
/pesign-0.112.tar.bz2

2
.pesign.metadata
View File

@ -1,2 +0,0 @@
b6777cc78ca2d2f250f3142e97e17dd855bc9b88 SOURCES/certs.tar.xz
1fabe291298395b6dd3129e250d8b67345745834 SOURCES/pesign-113.tar.bz2

72
0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch Normal file
View File

@ -0,0 +1,72 @@
From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 21 Apr 2016 10:47:34 -0400
Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
and it's unused.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 34 ----------------------------------
src/cms_common.h | 1 -
2 files changed, 35 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index b19bc62..6a4e6a7 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
return 0;
}
-static SEC_ASN1Template IntegerTemplate[] = {
- {.kind = SEC_ASN1_INTEGER,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(long),
- },
- { 0 },
-};
-
-int
-generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
-{
- void *ret;
-
- uint32_t u32;
-
- SECItem input = {
- .data = (void *)&integer,
- .len = sizeof(integer),
- .type = siUnsignedInteger,
- };
-
- if (integer < 0x100000000) {
- u32 = integer & 0xffffffffUL;
- input.data = (void *)&u32;
- input.len = sizeof(u32);
- }
-
- ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
- if (ret == NULL)
- cmsreterr(-1, cms, "could not encode data");
- return 0;
-}
-
int
generate_time(cms_context *cms, SECItem *encoded, time_t when)
{
diff --git a/src/cms_common.h b/src/cms_common.h
index 7d77faf..c7d7268 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
SECOidTag tag);
extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
-extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
extern int generate_string(cms_context *cms, SECItem *der, char *str);
extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
extern int wrap_in_seq(cms_context *cms, SECItem *der,
--
2.13.4

73
0002-Fix-command-line-parsing.patch Normal file
View File

@ -0,0 +1,73 @@
From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Thu, 9 Jun 2016 14:30:37 +0200
Subject: [PATCH 02/29] Fix command line parsing
The gettext translation domain should be passed as .arg, not .descrip,
otherwise popt won't process any of the command line options (it stops
looping over the struct poptOption array when an entry has unset
longName, shortName and arg).
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/client.c | 2 +-
src/efikeygen.c | 2 +-
src/efisiglist.c | 2 +-
src/pesigcheck.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/client.c b/src/client.c
index 028419f..575c873 100644
--- a/src/client.c
+++ b/src/client.c
@@ -555,7 +555,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "token",
.shortName = 't',
.argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 6278849..8a515a5 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
/* global nss-ish things */
{.longName = "dbdir",
.shortName = 'd',
diff --git a/src/efisiglist.c b/src/efisiglist.c
index cd3f1ae..40d6a93 100644
--- a/src/efisiglist.c
+++ b/src/efisiglist.c
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "infile",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 1328fe9..0d49c1a 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -214,7 +214,7 @@ main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "dbfile",
.shortName = 'D',
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
--
2.13.4

26
0003-gcc-don-t-error-on-stuff-in-includes.patch Normal file
View File

@ -0,0 +1,26 @@
From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 Aug 2016 17:12:39 -0400
Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index c97b452..3511080 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra
+ -Wall -Werror -Wextra -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
--
2.13.4

39
0004-Fix-certficate-argument-name.patch Normal file
View File

@ -0,0 +1,39 @@
From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:00:34 -0400
Subject: [PATCH 04/29] Fix "certficate" argument name.
This fixes our typoed argument name by making the incorrectly spelled
version be a popt alias, and fixing the real implementation to be
spelled right in pesign.c .
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
src/pesign.popt | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index af374b6..279a17a 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -438,7 +438,7 @@ main(int argc, char *argv[])
.arg = &ctxp->outfile,
.descrip = "specify output file",
.argDescrip = "<outfile>" },
- {.longName = "certficate",
+ {.longName = "certificate",
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certname,
diff --git a/src/pesign.popt b/src/pesign.popt
index 7b3385d..5a97748 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,2 +1,3 @@
pesign alias --cert --certificate
+pesign alias --certficate --certificate
pesign alias --daemon --daemonize
--
2.13.4

26
0005-Fix-description-of-ascii-armor-option-in-manpage.patch Normal file
View File

@ -0,0 +1,26 @@
From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Mon, 27 Jun 2016 15:38:38 +0200
Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
The --ascii option does not exist.
---
src/pesign.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.1 b/src/pesign.1
index 47d1aec..29ae060 100644
--- a/src/pesign.1
+++ b/src/pesign.1
@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR
Export the certificate specified by \-\-certificate to \fIoutcert\fR
.TP
-\fB-\-ascii\fR
+\fB-\-ascii\-armor\fR
Use ascii armoring on exported certificates.
.TP
--
2.13.4

22
0006-Make-ascii-work-since-we-documented-it.patch Normal file
View File

@ -0,0 +1,22 @@
From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Apr 2017 19:05:40 -0400
Subject: [PATCH 06/29] Make --ascii work, since we documented it.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.popt | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/pesign.popt b/src/pesign.popt
index 5a97748..5ae0c5c 100644
--- a/src/pesign.popt
+++ b/src/pesign.popt
@@ -1,3 +1,4 @@
pesign alias --cert --certificate
pesign alias --certficate --certificate
pesign alias --daemon --daemonize
+pesign alias --ascii --ascii-armor
--
2.13.4

32
0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch Normal file
View File

@ -0,0 +1,32 @@
From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
From: Pat Riehecky <riehecky@fnal.gov>
Date: Mon, 7 Nov 2016 11:37:08 -0600
Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
rather than use hard coded values
---
src/macros.pesign | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 18e5b5e..69280e9 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -41,11 +41,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
- -c "/CN=Fedora Secure Boot Signer" \\\
+ %{_pesign_client} -t %{__pesign_token} \\\
+ -c %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
--
2.13.4

25
0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch Normal file
View File

@ -0,0 +1,25 @@
From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Thu, 16 Feb 2017 15:08:30 -0800
Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
---
src/certdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 2a08042..b7c99bb 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
- certUsageSSLServer,
+ certUsageObjectSigner,
digest, HASH_AlgSHA256,
PR_FALSE, atTime);
if (!result) {
--
2.13.4

47
0009-pesigcheck-make-certfile-actually-work.patch Normal file
View File

@ -0,0 +1,47 @@
From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 24 Apr 2017 15:18:10 -0400
Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesigcheck.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 0d49c1a..d7be542 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx)
cert_iter iter;
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
-
+
if (check_db_hash(DBX, ctx) == FOUND)
return -1;
@@ -225,6 +225,11 @@ main(int argc, char *argv[])
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
.arg = (void *)callback,
.descrip = (void *)ctxp },
+ {.longName = "certfile",
+ .shortName = 'c',
+ .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
+ .arg = (void *)callback,
+ .descrip = (void *)ctxp },
{.longName = "in",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
@@ -258,7 +263,7 @@ main(int argc, char *argv[])
.shortName = 'c',
.argInfo = POPT_ARG_STRING,
.arg = &certfile,
- .descrip = "the certificate (in DER form) for verification ",
+ .descrip = "import certfile (in DER encoding) for allowed certificate",
.argDescrip = "<certfile>" },
POPT_AUTOALIAS
POPT_AUTOHELP
--
2.13.4

27
0010-signerInfos-make-sure-err-is-always-initialized.patch Normal file
View File

@ -0,0 +1,27 @@
From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:15:07 -0400
Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/signed_data.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/signed_data.c b/src/signed_data.c
index 721db90..9e0af23 100644
--- a/src/signed_data.c
+++ b/src/signed_data.c
@@ -132,7 +132,8 @@ int
generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type)
{
SpcSignerInfo **signerInfo_list;
- int err, rc;
+ int err = 0;
+ int rc;
if (!signerInfo_list_p)
return -1;
--
2.13.4

26
0011-pesign-make-pesign-h-tell-you-the-file-name.patch Normal file
View File

@ -0,0 +1,26 @@
From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:23:36 -0400
Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign.c b/src/pesign.c
index 279a17a..5879cfc 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx)
if (!ctx)
return;
- printf("hash: ");
+ printf("%s ", pctx->infile);
int j = ctx->selected_digest;
for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
printf("%02x",
--
2.13.4

104
0012-Add-coverity-build-scripts.patch Normal file
View File

@ -0,0 +1,104 @@
From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 10 May 2017 10:49:57 -0400
Subject: [PATCH 12/29] Add coverity build scripts
Signed-off-by: Peter Jones <pjones@redhat.com>
---
.gitignore | 1 +
Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
Make.defaults | 2 ++
Make.rules | 4 ++++
Makefile | 1 +
5 files changed, 45 insertions(+)
create mode 100644 Make.coverity
diff --git a/.gitignore b/.gitignore
index 1635ba2..847e172 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@
*.tar.*
*.rpm
core.*
+cov-int
diff --git a/Make.coverity b/Make.coverity
new file mode 100644
index 0000000..b80b091
--- /dev/null
+++ b/Make.coverity
@@ -0,0 +1,37 @@
+include $(TOPDIR)/Make.version
+include $(TOPDIR)/Make.rules
+include $(TOPDIR)/Make.defaults
+
+COV_EMAIL=$(call get-config,coverity.email)
+COV_TOKEN=$(call get-config,coverity.token)
+COV_URL=$(call get-config,coverity.url)
+COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2
+
+cov-int : clean
+ cov-build --dir cov-int make all
+
+cov-clean :
+ @rm -vf $(NAME)-coverity-*.tar.*
+ @if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi
+
+cov-file : | $(COV_FILE)
+
+$(COV_FILE) : cov-int
+ tar caf $@ cov-int
+
+cov-upload :
+ @if [[ -n "$(COV_URL)" ]] && \
+ [[ -n "$(COV_TOKEN)" ]] && \
+ [[ -n "$(COV_EMAIL)" ]] ; \
+ then \
+ echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
+ else \
+ echo Coverity output is in $(COV_FILE) ; \
+ fi
+
+coverity : cov-file cov-upload
+
+clean : | cov-clean
+
+.PHONY : coverity cov-upload cov-clean cov-file
diff --git a/Make.defaults b/Make.defaults
index 3511080..39b78f0 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -1,3 +1,5 @@
+NAME = pesign
+COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master)
prefix ?= /usr/
prefix := $(abspath $(prefix))/
libdir ?= $(prefix)lib64/
diff --git a/Make.rules b/Make.rules
index af5ecfe..5e3c83d 100644
--- a/Make.rules
+++ b/Make.rules
@@ -79,3 +79,7 @@ endef
$(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% :
$(MAKE) -C $(TOPDIR)/libdpe $(notdir $@)
+
+define get-config =
+$(shell git config --local --get "$(NAME).$(1)")
+endef
diff --git a/Makefile b/Makefile
index db8eb7e..ca1a359 100644
--- a/Makefile
+++ b/Makefile
@@ -4,6 +4,7 @@ TOPDIR = $(realpath .)
include $(TOPDIR)/Make.version
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
+include $(TOPDIR)/Make.coverity
SUBDIRS := include libdpe src
--
2.13.4

25
0013-Document-implicit-fallthrough.patch Normal file
View File

@ -0,0 +1,25 @@
From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sat, 8 Jul 2017 16:31:18 -0400
Subject: [PATCH 13/29] Document implicit fallthrough.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/authvar.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/authvar.c b/src/authvar.c
index ad659ca..03e0c47 100644
--- a/src/authvar.c
+++ b/src/authvar.c
@@ -511,6 +511,7 @@ main(int argc, char *argv[])
case IMPORT|SET:
case IMPORT|SIGN|SET:
fprintf(stderr, "authvar: not implemented\n");
+ /* fallthrough. */
case IMPORT|SIGN|EXPORT:
default:
fprintf(stderr, "authvar: invalid flags: ");
--
2.13.4

50
0014-Actually-setfacl-each-directory-of-our-key-storage.patch Normal file
View File

@ -0,0 +1,50 @@
From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 16 May 2016 15:25:53 -0400
Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 6 +++---
src/pesign-authorize-users | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index a4f895e..cf51fb6 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${group}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${group}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${group}:rw ${y}
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 8b9a885..940138e 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
setfacl -m g:${username}:rw /var/run/pesign/socket
fi
fi
- for x in /etc/pki/pesign* ; do
+ for x in /etc/pki/pesign*/ ; do
if [ -d ${x} ]; then
- setfacl -m g:${username}:rx /etc/pki/pesign
- for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${username}:rx ${x}
+ for y in ${x}{cert8,key3,secmod}.db ; do
setfacl -m g:${username}:rw ${y}
done
fi
--
2.13.4

59
0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch Normal file
View File

@ -0,0 +1,59 @@
From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:31:38 -0400
Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
indices.
That was all kinds of wrong.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/oid.c | 10 +++++++---
src/oid.h | 1 +
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/oid.c b/src/oid.c
index 9d8154f..7037e1e 100644
--- a/src/oid.c
+++ b/src/oid.c
@@ -33,6 +33,7 @@ static uint8_t oiddata[] = {
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15,
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01,
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
};
#define OID(num, desc_s, oidtype, length, value) \
@@ -53,11 +54,14 @@ static struct {
OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10,
&oiddata[10]),
OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10,
- &oiddata[30]),
+ &oiddata[20]),
OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID,
- 10, &oiddata[40]),
+ 10, &oiddata[30]),
OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version",
- siAsciiString, 9, &oiddata[50]),
+ siAsciiString, 9, &oiddata[40]),
+ OID(SHIM_EKU_MODULE_SIGNING_ONLY,
+ "Certificate is used for kernel modules only", siDEROID, 10,
+ &oiddata[49]),
{ .oid = END_OID_LIST }
};
diff --git a/src/oid.h b/src/oid.h
index 599f49d..0e00781 100644
--- a/src/oid.h
+++ b/src/oid.h
@@ -25,6 +25,7 @@ typedef enum {
SPC_PE_IMAGE_DATA_OBJID, /* 1.3.6.1.4.1.311.2.1.15 */
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, /* 1.3.6.1.4.1.311.2.1.21 */
szOID_CERTSRV_CA_VERSION, /* 1.3.6.1.4.1.311.21.1 */
+ SHIM_EKU_MODULE_SIGNING_ONLY, /* 1.3.6.1.4.1.2312.16.1.2 */
END_OID_LIST
} ms_oid_t;
--
2.13.4

197
0016-efikeygen-add-modsign.patch Normal file
View File

@ -0,0 +1,197 @@
From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 22 Aug 2016 13:43:56 -0400
Subject: [PATCH 16/29] efikeygen: add --modsign
---
src/cms_common.c | 29 ++++++++++++++++++++++++++++
src/cms_common.h | 1 +
src/efikeygen.c | 59 ++++++++++++++++++++++++++++++++++++++++++++------------
3 files changed, 77 insertions(+), 12 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 6a4e6a7..2df2cfe 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
return 0;
}
+static SEC_ASN1Template EKUOidSequence[] = {
+ {
+ .kind = SEC_ASN1_OBJECT_ID,
+ .offset = 0,
+ .sub = &SEC_AnyTemplate,
+ .size = sizeof (SECItem),
+ },
+ { 0 }
+};
+
+int
+make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)
+{
+ void *rv;
+ SECOidData *oid_data;
+
+ oid_data = SECOID_FindOIDByTag(oid_tag);
+ if (!oid_data)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,
+ EKUOidSequence);
+ if (rv == NULL)
+ cmsreterr(-1, cms, "could not encode eku oid data");
+
+ encoded->type = siBuffer;
+ return 0;
+}
+
int
generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
{
diff --git a/src/cms_common.h b/src/cms_common.h
index c7d7268..7a31273 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
SECItem *items, int num_items);
extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
SECItem *original);
+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
time_t end);
extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 8a515a5..9390578 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -49,6 +49,7 @@
#include <libdpe/libdpe.h>
#include "cms_common.h"
+#include "oid.h"
#include "util.h"
typedef struct {
@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)
}
static int
-add_extended_key_usage(cms_context *cms, void *extHandle)
+add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
{
- SECItem value = {
- .data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"
- "\x05\x05\x07\x03\x03",
- .len = 12,
- .type = siBuffer
- };
+ SECItem values[2];
+ SECItem wrapped = { 0 };
+ SECStatus status;
+ SECOidTag tag;
+ int rc;
+
+ if (modsign_only < 1 || modsign_only > 2)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+ rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);
+ printf("tag: %d\n", tag);
+ rc = make_eku_oid(cms, &values[1], tag);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
+
+ rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
+ if (rc < 0)
+ cmsreterr(-1, cms, "could not encode extended key usage");
- SECStatus status;
status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
- &value, PR_FALSE, PR_TRUE);
+ &wrapped, PR_FALSE, PR_TRUE);
if (status != SECSuccess)
cmsreterr(-1, cms, "could not encode extended key usage");
@@ -294,7 +309,7 @@ static int
add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
SECKEYPublicKey *spubkey,
- char *url)
+ char *url, int modsign_only)
{
void *mark = PORT_ArenaMark(cms->arena);
@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
- rc = add_extended_key_usage(cms, extHandle);
+ rc = add_extended_key_usage(cms, modsign_only, extHandle);
if (rc < 0)
cmsreterr(-1, cms, "could not generate certificate extensions");
@@ -469,6 +484,7 @@ int main(int argc, char *argv[])
{
int is_ca = 0;
int is_self_signed = -1;
+ int modsign_only = 0;
char *tokenname = "NSS Certificate DB";
char *signer = NULL;
char *nickname = NULL;
@@ -522,6 +538,18 @@ int main(int argc, char *argv[])
.descrip = "Generate a self-signed certificate" },
/* stuff about the generated key */
+ {.longName = "kernel",
+ .shortName = 'k',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 1,
+ .descrip = "Generate a kernel-signing certificate" },
+ {.longName = "module",
+ .shortName = 'm',
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
+ .arg = &modsign_only,
+ .val = 2,
+ .descrip = "Generate a module-signing certificate" },
{.longName = "nickname",
.shortName = 'n',
.argInfo = POPT_ARG_STRING,
@@ -628,6 +656,9 @@ int main(int argc, char *argv[])
liberr(1, "could not allocate cms context");
}
+ if (modsign_only < 1 || modsign_only > 2)
+ errx(1, "either --kernel or --module must be used");
+
SECStatus status = NSS_InitReadWrite(dbdir);
if (status != SECSuccess)
nsserr(1, "could not initialize NSS");
@@ -639,6 +670,10 @@ int main(int argc, char *argv[])
SECKEYPublicKey *pubkey = NULL;
SECKEYPrivateKey *privkey = NULL;
+ status = register_oids(cms);
+ if (status != SECSuccess)
+ nsserr(1, "Could not register OIDs");
+
PK11SlotInfo *slot = NULL;
if (pubfile) {
rc = get_pubkey_from_file(pubfile, &pubkey);
@@ -713,7 +748,7 @@ int main(int argc, char *argv[])
crq = CERT_CreateCertificateRequest(name, spki, &attributes);
rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
- spubkey, url);
+ spubkey, url, modsign_only);
if (rc < 0)
exit(1);
--
2.13.4

121
0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch Normal file
View File

@ -0,0 +1,121 @@
From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:25:02 -0400
Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
validation time.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 66 insertions(+), 9 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index b7c99bb..1a4baf1 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
return check_db(which, ctx, check_hash, NULL, 0);
}
-static PRTime
-determine_reasonable_time(CERTCertificate *cert)
+static void
+find_cert_times(SEC_PKCS7ContentInfo *cinfo,
+ PRTime *notBefore, PRTime *notAfter)
{
- PRTime notBefore, notAfter;
- CERT_GetCertTimes(cert, &notBefore, &notAfter);
- return notBefore;
+ CERTCertDBHandle *defaultdb, *certdb;
+ SEC_PKCS7SignedData *sdp;
+ CERTCertificate **certs = NULL;
+ SECItem **rawcerts;
+ int i, certcount;
+ SECStatus rv;
+
+ if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
+err:
+ *notBefore = 0;
+ *notAfter = 0x7fffffffffffffff;
+ return;
+ }
+
+ sdp = cinfo->content.signedData;
+ rawcerts = sdp->rawCerts;
+
+ defaultdb = CERT_GetDefaultCertDB();
+
+ certdb = defaultdb;
+ if (certdb == NULL)
+ goto err;
+
+ certcount = 0;
+ if (rawcerts != NULL) {
+ for (; rawcerts[certcount] != NULL; certcount++)
+ ;
+ }
+ rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
+ rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
+ if (rv != SECSuccess)
+ goto err;
+
+ for (i = 0; i < certcount; i++) {
+ PRTime nb = 0, na = 0x7fffffffffff;
+ CERT_GetCertTimes(certs[i], &nb, &na);
+ if (*notBefore < nb)
+ *notBefore = nb;
+ if (*notAfter > na)
+ *notAfter = na;
+ }
+
+ CERT_DestroyCertArray(certs, certcount);
}
static db_status
@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
+ PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
cert->timeOK = PR_TRUE;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
SECItem *eTime;
PRTime atTime;
// atTime = determine_reasonable_time(cert);
eTime = SEC_PKCS7GetSigningTime(cinfo);
if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
- atTime = determine_reasonable_time(cert);
- } else {
- atTime = determine_reasonable_time(cert);
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
}
+
+ if (lateNow < earlyNow)
+ printf("Impossible time constraints: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
certUsageObjectSigner,
--
2.13.4

137
0018-show-which-db-we-re-checking.patch Normal file
View File

@ -0,0 +1,137 @@
From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 16:58:50 -0400
Subject: [PATCH 18/29] show which db we're checking
---
src/certdb.c | 35 ++++++++++++++++++++++++++++++++++-
src/pesigcheck_context.c | 2 ++
src/pesigcheck_context.h | 1 +
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1a4baf1..673e074 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -18,6 +18,7 @@
*/
#include <fcntl.h>
+#include <libgen.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
return -1;
db->type = type;
-
db->fd = open(dbfile, O_RDONLY);
if (db->fd < 0) {
save_errno(free(db));
return -1;
}
+ char *path = strdup(dbfile);
+ if (!path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
+ db->path = basename(path);
+ db->path = strdup(db->path);
+ free(path);
+ if (!db->path) {
+ save_errno(close(db->fd);
+ free(db));
+ return -1;
+ }
+
struct stat sb;
int rc = fstat(db->fd, &sb);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
rc = read_file(db->fd, (char **)&db->map, &sz);
if (rc < 0) {
save_errno(close(db->fd);
+ free(db->path);
free(db));
return -1;
}
@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename)
#define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
#define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
#define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
+#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"
void
init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
"database \"%s\": %m\n", DBX_PATH);
exit(1);
}
+
+ rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR);
+ if (rc < 0 && errno != ENOENT) {
+ fprintf(stderr, "pesigcheck: Could not add key database "
+ "\"%s\": %m\n", MOKX_PATH);
+ exit(1);
+ }
+
+ if (ctx->dbx == NULL) {
+ fprintf(stderr, "pesigcheck: warning: "
+ "No key recovation database available\n");
+ }
}
typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
sig.type = siBuffer;
while (dbl) {
+ printf("Searching %s %s\n", which == DB ? "db" : "dbx",
+ dbl->path);
EFI_SIGNATURE_LIST *certlist;
EFI_SIGNATURE_DATA *cert;
size_t dbsize = dbl->datalen;
diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c
index b934cbe..5a355b1 100644
--- a/src/pesigcheck_context.c
+++ b/src/pesigcheck_context.c
@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
munmap(db->map, db->size);
close(db->fd);
ctx->db = db->next;
+ free(db->path);
free(db);
}
while (ctx->dbx) {
@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
if (db->type == DB_CERT)
free(db->data);
munmap(db->map, db->size);
+ free(db->path);
close(db->fd);
ctx->dbx = db->next;
free(db);
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 1b916e3..7b5cc89 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -34,6 +34,7 @@ typedef enum {
struct dblist {
db_f_type type;
+ char *path;
int fd;
struct dblist *next;
size_t size;
--
2.13.4

97
0019-more-about-the-time.patch Normal file
View File

@ -0,0 +1,97 @@
From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:00:46 -0400
Subject: [PATCH 19/29] more about the time
---
src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 673e074..1078a8a 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PRBool result;
SECStatus rv;
db_status status = NOT_FOUND;
+ PRTime atTime = PR_Now();
+ SECItem *eTime;
PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
+ PRTime notBefore, notAfter;
efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
if (!cinfo)
goto out;
+ notBefore = earlyNow;
+ notAfter = lateNow;
+ find_cert_times(cinfo, &notBefore, &notAfter);
+ if (earlyNow < notBefore)
+ earlyNow = notBefore;
+ if (lateNow > notAfter)
+ lateNow = notAfter;
+
+ // atTime = determine_reasonable_time(cert);
+ eTime = SEC_PKCS7GetSigningTime(cinfo);
+ if (eTime != NULL) {
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
+ if (earlyNow < atTime)
+ earlyNow = atTime;
+ if (lateNow > atTime)
+ lateNow = atTime;
+ }
+ }
+
+ if (lateNow < earlyNow)
+ printf("Signature has impossible time constraint: %ld <= %ld\n",
+ earlyNow / 1000000, lateNow / 1000000);
+ atTime = earlyNow / 2 + lateNow / 2;
+
+
+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL);
+ if (!cinfo)
+ goto out;
+
/* Generate the digest of contentInfo */
/* XXX support only sha256 for now */
digest = SECITEM_AllocItem(NULL, NULL, 32);
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
PORT_ErrorToString(PORT_GetError()));
goto out;
}
- cert->timeOK = PR_TRUE;
-
- find_cert_times(cinfo, &notBefore, &notAfter);
- if (earlyNow < notBefore)
- earlyNow = notBefore;
- if (lateNow > notAfter)
- lateNow = notAfter;
-
- SECItem *eTime;
- PRTime atTime;
- // atTime = determine_reasonable_time(cert);
- eTime = SEC_PKCS7GetSigningTime(cinfo);
- if (eTime != NULL) {
- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
- if (earlyNow < atTime)
- earlyNow = atTime;
- if (lateNow > atTime)
- lateNow = atTime;
- }
- }
-
- if (lateNow < earlyNow)
- printf("Impossible time constraints: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
- atTime = earlyNow / 2 + lateNow / 2;
/* Verify the signature */
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
--
2.13.4

419
0020-try-to-say-why-something-fails.patch Normal file
View File

@ -0,0 +1,419 @@
From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 25 Apr 2017 17:01:13 -0400
Subject: [PATCH 20/29] try to say why something fails
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 15 ++-
src/certdb.h | 2 +-
src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++-----
src/pesigcheck_context.h | 1 +
4 files changed, 233 insertions(+), 29 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index 1078a8a..fae80af 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
static db_status
check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
- void *data, ssize_t datalen)
+ void *data, ssize_t datalen, SECItem *match)
{
SECItem pkcs7sig, sig;
dblist *dbl = which == DB ? ctx->db : ctx->dbx;
@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
found = check(ctx, &sig,
&certlist->SignatureType,
&pkcs7sig);
- if (found == FOUND)
+ if (found == FOUND) {
+ if (match)
+ memcpy(match, &sig,
+ sizeof(sig));
return FOUND;
+ }
cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
certlist->SignatureSize);
}
@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
db_status
check_db_hash(db_specifier which, pesigcheck_context *ctx)
{
- return check_db(which, ctx, check_hash, NULL, 0);
+ return check_db(which, ctx, check_hash, NULL, 0, NULL);
}
static void
@@ -459,7 +463,8 @@ out:
}
db_status
-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
+check_db_cert(db_specifier which, pesigcheck_context *ctx,
+ void *data, ssize_t datalen, SECItem *match)
{
- return check_db(which, ctx, check_cert, data, datalen);
+ return check_db(which, ctx, check_cert, data, datalen, match);
}
diff --git a/src/certdb.h b/src/certdb.h
index ccf3c87..8402299 100644
--- a/src/certdb.h
+++ b/src/certdb.h
@@ -43,7 +43,7 @@ typedef struct {
extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
- void *data, ssize_t datalen);
+ void *data, ssize_t datalen, SECItem *match);
extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index d7be542..c8e1086 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -17,7 +17,9 @@
* Author(s): Peter Jones <pjones@redhat.com>
*/
+#include <err.h>
#include <fcntl.h>
+#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
}
static int
-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
+ SECItem *digest_out)
{
SECItem sig, *pe_digest, *content;
uint8_t *digest;
@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
pe_digest = ctx->cms_ctx->digests[0].pe_digest;
content = cinfo->content.signedData->contentInfo.content.data;
digest = content->data + content->len - pe_digest->len;
+ if (digest_out) {
+ digest_out->data = malloc(pe_digest->len);
+ digest_out->len = pe_digest->len;
+ digest_out->type = pe_digest->type;
+ memcpy(digest_out->data, digest, pe_digest->len);
+ }
if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
goto out;
@@ -120,22 +129,149 @@ out:
return ret;
}
+struct reason {
+ enum {
+ WHITELISTED = 0,
+ INVALID = 1,
+ BLACKLISTED = 2,
+ NO_WHITELIST = 3,
+ } reason;
+ enum {
+ NONE = 0,
+ DIGEST = 1,
+ SIGNATURE = 2,
+ } type;
+ union {
+ struct {
+ SECItem digest;
+ };
+ struct {
+ SECItem sig;
+ SECItem db_cert;
+ };
+ };
+};
+
+static void
+print_digest(SECItem *digest)
+{
+ char buf[digest->len * 2 + 2];
+
+ for (unsigned int i = 0; i < digest->len; i++)
+ snprintf(buf + i * 2, digest->len * 2, "%02x",
+ digest->data[i]);
+ buf[digest->len * 2] = '\0';
+ printf("%s\n", buf);
+}
+
+static void
+print_certificate(SECItem *cert)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ printf("cert: %p\n", cert);
+}
+
+static void
+print_signatures(SECItem *database_cert, SECItem *signature)
+{
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
+ print_certificate(database_cert);
+ print_certificate(signature);
+}
+
+static void
+print_reason(struct reason *reason)
+{
+ switch (reason->reason) {
+ case WHITELISTED:
+ printf("Whitelist entry: ");
+ if (reason->type == DIGEST)
+ print_digest(&reason->digest);
+ else if (reason->type == SIGNATURE)
+ print_signatures(&reason->sig, &reason->db_cert);
+ else
+ errx(1, "Unknown data type %d\n", reason->type);
+ break;
+ case INVALID:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case BLACKLISTED:
+ if (reason->type == DIGEST) {
+ printf("Invalid digest: ");
+ print_digest(&reason->digest);
+ } else if (reason->type == SIGNATURE) {
+ printf("Invalid signature: ");
+ print_signatures(&reason->sig, &reason->db_cert);
+ } else {
+ errx(1, "Unknown data type %d\n", reason->type);
+ }
+ break;
+ case NO_WHITELIST:
+ if (reason->type == NONE)
+ printf("No matching whitelist entry.\n");
+ else
+ errx(1, "Invalid data type %d\n", reason->type);
+ break;
+ default:
+ errx(1, "Unknown reason type %d\n", reason->reason);
+ break;
+ }
+}
+
+static void
+get_digest(pesigcheck_context *ctx, SECItem *digest)
+{
+ struct cms_context *cms = ctx->cms_ctx;
+ struct digest *cms_digest = &cms->digests[cms->selected_digest];
+
+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
+}
+
static int
-check_signature(pesigcheck_context *ctx)
+check_signature(pesigcheck_context *ctx, int *nreasons,
+ struct reason **reasons)
{
- int has_valid_cert = 0;
- int has_invalid_cert = 0;
+ bool has_valid_cert = false;
+ bool is_invalid = false;
+ struct reason *reasonps = NULL, *reason;
+ int num_reasons = 16;
+ int nreason = 0;
int rc = 0;
+ int ret = -1;
cert_iter iter;
+ reasonps = calloc(sizeof(struct reason), 512);
+ if (!reasonps)
+ err(1, "check_signature");
+
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
- if (check_db_hash(DBX, ctx) == FOUND)
- return -1;
+ if (check_db_hash(DBX, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = BLACKLISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ reason += 1;
+ is_invalid = true;
+ }
- if (check_db_hash(DB, ctx) == FOUND)
- has_valid_cert = 1;
+ if (check_db_hash(DB, ctx) == FOUND) {
+ reason = &reasonps[nreason];
+ reason->reason = WHITELISTED;
+ reason->type = DIGEST;
+ get_digest(ctx, &reason->digest);
+ nreason += 1;
+ has_valid_cert = true;
+ }
rc = cert_iter_init(&iter, ctx->inpe);
if (rc < 0)
@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
ssize_t datalen;
while (1) {
+ /*
+ * Make sure we always have enough for this iteration of the
+ * loop, plus one "NO_WHITELIST" entry at the end.
+ */
+ if (nreason >= num_reasons - 4) {
+ struct reason *new_reasons;
+
+ num_reasons += 16;
+
+ new_reasons = calloc(sizeof(struct reason), num_reasons);
+ if (!new_reasons)
+ err(1, "check_signature");
+ reasonps = new_reasons;
+ }
+
rc = next_cert(&iter, &data, &datalen);
if (rc <= 0)
break;
- if (cert_matches_digest(ctx, data, datalen) < 0) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (cert_matches_digest(ctx, data, datalen,
+ &reason->digest) < 0) {
+ reason->reason = INVALID;
+ reason->type = DIGEST;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
- has_invalid_cert = 1;
- break;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DBX, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = INVALID;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ is_invalid = true;
}
- if (check_db_cert(DB, ctx, data, datalen) == FOUND)
- has_valid_cert = 1;
+ reason = &reasonps[nreason];
+ if (check_db_cert(DB, ctx, data, datalen,
+ &reason->db_cert) == FOUND) {
+ reason->reason = WHITELISTED;
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+ reason->type = siBuffer;
+ nreason += 1;
+ has_valid_cert = true;
+ }
}
err:
- if (has_invalid_cert)
- return -1;
+ if (has_valid_cert != true) {
+ if (is_invalid != true) {
+ reason = &reasonps[nreason];
+ reason->reason = NO_WHITELIST;
+ reason->type = NONE;
+ nreason += 1;
+ }
+ is_invalid = true;
+ }
- if (has_valid_cert)
- return 0;
+ if (is_invalid == false)
+ ret = 0;
- return -1;
+ if (nreasons && reasons) {
+ *nreasons = nreason;
+ *reasons = reasonps;
+ } else {
+ free(reasonps);
+ }
+
+ return ret;
}
void
@@ -204,6 +389,9 @@ main(int argc, char *argv[])
pesigcheck_context ctx, *ctxp = &ctx;
+ struct reason *reasons = NULL;
+ int nreasons = 0;
+
char *dbfile = NULL;
char *dbxfile = NULL;
char *certfile = NULL;
@@ -242,6 +430,12 @@ main(int argc, char *argv[])
.arg = &ctx.quiet,
.val = 1,
.descrip = "return only; no text output." },
+ {.longName = "verbose",
+ .shortName = 'v',
+ .argInfo = POPT_BIT_SET,
+ .arg = &ctx.verbose,
+ .val = 1,
+ .descrip = "print reasons for success and failure." },
{.longName = "no-system-db",
.shortName = 'n',
.argInfo = POPT_ARG_INT,
@@ -308,12 +502,16 @@ main(int argc, char *argv[])
exit(1);
}
- rc = check_signature(ctxp);
+ rc = check_signature(ctxp, &nreasons, &reasons);
- close_input(ctxp);
+ if (!ctx.quiet && ctx.verbose) {
+ for (int i = 0; i < nreasons; i++)
+ print_reason(&reasons[i]);
+ }
if (!ctx.quiet)
printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
rc >= 0 ? "valid" : "invalid");
+ close_input(ctxp);
pesigcheck_context_fini(&ctx);
NSS_Shutdown();
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
index 7b5cc89..aec415e 100644
--- a/src/pesigcheck_context.h
+++ b/src/pesigcheck_context.h
@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
Pe *inpe;
int quiet;
+ int verbose;
hashlist *hashes;
--
2.13.4

34
0021-Fix-race-condition-in-SEC_GetPassword.patch Normal file
View File

@ -0,0 +1,34 @@
From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sat, 6 May 2017 22:45:34 +0200
Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
A side effect of echoOff is to discard unread input, so if we print the
prompt before echoOff, the user (or process) at the other end might
react to it by writing the password in between those steps, which is
then discarded. This bit me when trying to drive pesign with an expect
script.
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/password.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/password.c b/src/password.c
index cd1c07e..d4eae0d 100644
--- a/src/password.c
+++ b/src/password.c
@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
for (;;) {
/* Prompt for password */
if (isTTY) {
+ echoOff(infd);
fprintf(output, "%s", prompt);
fflush (output);
- echoOff(infd);
}
fgets ( phrase, sizeof(phrase), input);
--
2.13.4

27
0022-sysvinit-Create-the-socket-directory-at-runtime.patch Normal file
View File

@ -0,0 +1,27 @@
From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Tue, 13 Jun 2017 13:20:16 -0700
Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
This better supports non-systemd configurations with tmpfs on /run.
---
src/pesign.sysvinit.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index d8fffca..dc508d8 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -20,6 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
+ mkdir /var/run/pesign 2>/dev/null &&
+ chown pesign:pesign /var/run/pesign &&
+ chmod 0770 /var/run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
--
2.13.4

217
0023-Better-authorization-scripts.-Again.patch Normal file
View File

@ -0,0 +1,217 @@
From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 15:44:44 -0400
Subject: [PATCH 23/29] Better authorization scripts. Again.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 12 ++++++----
src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++
src/pesign-authorize-groups | 30 ------------------------
src/pesign-authorize-users | 30 ------------------------
src/pesign.service.in | 3 +--
src/pesign.sysvinit.in | 3 +--
6 files changed, 65 insertions(+), 69 deletions(-)
create mode 100755 src/pesign-authorize
delete mode 100644 src/pesign-authorize-groups
delete mode 100644 src/pesign-authorize-users
diff --git a/src/Makefile b/src/Makefile
index 654b792..84ad130 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS)
+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
all : deps $(TARGETS)
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
+pesign-users pesign-groups :
+ echo pesign > $@
+
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
@@ -88,10 +91,9 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
.PHONY: all deps clean install
diff --git a/src/pesign-authorize b/src/pesign-authorize
new file mode 100755
index 0000000..a496f60
--- /dev/null
+++ b/src/pesign-authorize
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -e
+set -u
+
+#
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
+# acls for specific users is useful
+#
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+#
+
+# License: GPLv2
+declare -a fileusers=()
+declare -a dirusers=()
+for user in $(cat /etc/pesign/users); do
+ dirusers[${#dirusers[@]}]=-m
+ dirusers[${#dirusers[@]}]="u:$user:rwx"
+ fileusers[${#fileusers[@]}]=-m
+ fileusers[${#fileusers[@]}]="u:$user:rw"
+done
+
+declare -a filegroups=()
+declare -a dirgroups=()
+for group in $(cat /etc/pesign/groups); do
+ dirgroups[${#dirgroups[@]}]=-m
+ dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+ filegroups[${#filegroups[@]}]=-m
+ filegroups[${#filegroups[@]}]="g:$group:rw"
+done
+
+update_subdir() {
+ subdir=$1 && shift
+
+ setfacl -bk "${subdir}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+ for x in "${subdir}"* ; do
+ if [ -d "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ update_subdir "${x}/"
+ elif [ -e "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ else
+ :;
+ fi
+ done
+}
+
+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+ if [ -d "${x}" ]; then
+ update_subdir "${x}"
+ else
+ :;
+ fi
+done
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
deleted file mode 100644
index cf51fb6..0000000
--- a/src/pesign-authorize-groups
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific groups is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/groups ]; then
- for group in $(cat /etc/pesign/groups); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${group}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${group}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${group}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${group}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
deleted file mode 100644
index 940138e..0000000
--- a/src/pesign-authorize-users
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/users ]; then
- for username in $(cat /etc/pesign/users); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${username}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${username}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign.service.in b/src/pesign.service.in
index aaa408e..c75a000 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -6,5 +6,4 @@ PrivateTmp=true
Type=forking
PIDFile=/var/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index dc508d8..b0e0f84 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -27,8 +27,7 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ @@LIBEXECDIR@@/pesign/pesign-authorize
}
stop(){
--
2.13.4

95
0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch Normal file
View File

@ -0,0 +1,95 @@
From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 17:28:19 -0400
Subject: [PATCH 24/29] Make the daemon also try to give better errors on
-EPERM etc.
Basically 6796e5f but also for the daemon. This also tries to fix them
up to save errno better, for more accurate reporting.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 27 +++++++++++++++++++++++++--
src/pesign.c | 8 ++++++--
2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 7f694b2..942d576 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -19,6 +19,7 @@
#include <errno.h>
#include <fcntl.h>
+#include <glob.h>
#include <poll.h>
#include <pwd.h>
#include <signal.h>
@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
"pesignd starting (pid %d)", ctx.pid);
SECStatus status = NSS_Init(certdir);
+ int error = errno;
if (status != SECSuccess) {
+ char *globpattern = NULL;
+ rc = asprintf(&globpattern, "%s/cert*.db",
+ certdir);
+ if (rc > 0) {
+ glob_t globbuf;
+ memset(&globbuf, 0, sizeof(globbuf));
+ rc = glob(globpattern, GLOB_ERR, NULL,
+ &globbuf);
+ if (rc != 0) {
+ errno = error;
+ ctx.backup_cms->log(ctx.backup_cms,
+ ctx.priority|LOG_NOTICE,
+ "Could not open NSS database (\"%s\"): %m",
+ PORT_ErrorToString(PORT_GetError()));
+ exit(1);
+ }
+ }
+ }
+ if (status != SECSuccess) {
+ errno = error;
ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
- "Could not initialize nss: %s\n",
- PORT_ErrorToString(PORT_GetError()));
+ "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
exit(1);
}
diff --git a/src/pesign.c b/src/pesign.c
index 5879cfc..6ceda34 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -660,10 +660,12 @@ main(int argc, char *argv[])
if (!daemon) {
SECStatus status;
+ int error;
if (need_db) {
status = NSS_Init(certdir);
if (status != SECSuccess) {
char *globpattern = NULL;
+ error = errno;
rc = asprintf(&globpattern, "%s/cert*.db",
certdir);
if (rc > 0) {
@@ -680,8 +682,10 @@ main(int argc, char *argv[])
} else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
- errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
- PORT_ErrorToString(PORT_GetError()));
+ errno = error;
+ errx(1, "Could not initialize nss.\n"
+ "NSS says \"%s\" errno says \"%m\"\n",
+ PORT_ErrorToString(PORT_GetError()));
}
status = register_oids(ctxp->cms_ctx);
--
2.13.4

31
0025-certdb-fix-PRTime-printfs-for-i686.patch Normal file
View File

@ -0,0 +1,31 @@
From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:40:33 -0400
Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/certdb.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/certdb.c b/src/certdb.c
index fae80af..29c9502 100644
--- a/src/certdb.c
+++ b/src/certdb.c
@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
}
if (lateNow < earlyNow)
- printf("Signature has impossible time constraint: %ld <= %ld\n",
- earlyNow / 1000000, lateNow / 1000000);
+ printf("Signature has impossible time constraint: %lld <= %lld\n",
+ earlyNow / 1000000LL, lateNow / 1000000LL);
atTime = earlyNow / 2 + lateNow / 2;
-
cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if (!cinfo)
--
2.13.4

41
0026-Clean-up-gcc-command-lines-a-little.patch Normal file
View File

@ -0,0 +1,41 @@
From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:02:38 -0400
Subject: [PATCH 26/29] Clean up gcc command lines a little
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/Make.defaults b/Make.defaults
index 39b78f0..b6c0381 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -20,8 +20,7 @@ CROSS_COMPILE ?= $(bindir)
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
-CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
- -Wall -Werror -Wextra -Wno-error=cpp
+CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp
AS := $(CROSS_COMPILE)as
AR := $(CROSS_COMPILE)gcc-ar
RANLIB := $(CROSS_COMPILE)gcc-ranlib
@@ -36,10 +35,10 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
SOFLAGS = -shared
clang_cflags =
-gcc_cflags = -Wmaybe-uninitialized
+gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches
cflags = $(CFLAGS) $(ARCH3264) \
- -Wall -Werror -Wno-cpp -Wsign-compare -Wno-unused-result \
- -Wno-unused-function\
+ -Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \
+ -Wno-unused-function -Wsign-compare \
-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
-fno-merge-constants -fkeep-inline-functions \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
--
2.13.4

54
0027-Make-pesign-users-groups-static-in-the-repo.patch Normal file
View File

@ -0,0 +1,54 @@
From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 10 Aug 2017 10:03:37 -0400
Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 5 +----
src/pesign-groups | 1 +
src/pesign-users | 1 +
3 files changed, 3 insertions(+), 4 deletions(-)
create mode 100644 src/pesign-groups
create mode 100644 src/pesign-users
diff --git a/src/Makefile b/src/Makefile
index 84ad130..7d68fa1 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
+TARGETS=$(BINTARGETS) $(SVCTARGETS)
all : deps $(TARGETS)
@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
-pesign-users pesign-groups :
- echo pesign > $@
-
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
diff --git a/src/pesign-groups b/src/pesign-groups
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-groups
@@ -0,0 +1 @@
+pesign
diff --git a/src/pesign-users b/src/pesign-users
new file mode 100644
index 0000000..7f57cc5
--- /dev/null
+++ b/src/pesign-users
@@ -0,0 +1 @@
+pesign
--
2.13.4

43
0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch Normal file
View File

@ -0,0 +1,43 @@
From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 9 Aug 2017 17:31:31 -0400
Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values
unless overridden
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 69280e9..22a3ee6 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -9,6 +9,9 @@
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}}
+%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}}
+
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -41,11 +44,11 @@
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ -S /var/run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_token} \\\
- -c %{__pesign_cert} \\\
+ %{_pesign_client} -t %{__pesign_client_token} \\\
+ -c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
--
2.13.4

39
0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch Normal file
View File

@ -0,0 +1,39 @@
From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 14 Aug 2017 11:37:43 -0400
Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't
have perms on the socket
---
src/macros.pesign | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/macros.pesign b/src/macros.pesign
index 22a3ee6..1665b4c 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -43,6 +43,21 @@
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+ elif [ "%{vendor}" == "Fedora Project" -a \\\
+ "$(id -un)" == "mockbuild" -a \\\
+ "$(uname -m)" == "x86_64" ] && \\\
+ grep -q ID=fedora /etc/os-release && \\\
+ [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
+ ! [ -S /var/run/pesign/socket ]; then \
+ echo "No socket even though this is %{_buildhost}" \
+ ls -ld /var/run/pesign || : \
+ getfacl /var/run/pesign || : \
+ ls -l /var/run/pesign/socket || : \
+ getfacl /var/run/pesign/socket || : \
+ echo =========== env ============== \
+ set \
+ echo =========== env ============== \
+ exit 1 \
elif [ -S /var/run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
--
2.13.4

151
0030-Replace-var-run-with-run.patch Normal file
View File

@ -0,0 +1,151 @@
From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 8 Nov 2021 17:58:09 -0500
Subject: [PATCH] Replace /var/run with /run
This change is in violation of the FHS and is forced by systemd being
obnoxious and logging warnings about it as if it's some kind of problem.
This commit is a subset of the work in
02d473fbfd782863a0dcef7e44822d1e7e56a4b3,
f97d3b04a2eafb42272ede24e1353dd0a7f4347c,
5f9058677e7241cc88b4e8620654bbaa08a4bce4, and
cffa10d9b5eec9a9def3533b181a32b64fc29913 (all by pjones) because they
don't backport well.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/Makefile | 2 +-
src/daemon.h | 4 ++--
src/macros.pesign | 12 ++++++------
src/pesign-authorize | 2 +-
src/pesign.service.in | 2 +-
src/pesign.sysvinit.in | 10 +++++-----
src/tmpfiles.conf | 2 +-
7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index 7d68fa1..a11e2b4 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
diff --git a/src/daemon.h b/src/daemon.h
index d97eab9..db42c16 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -49,7 +49,7 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
#endif /* DAEMON_H */
diff --git a/src/macros.pesign b/src/macros.pesign
index dfdac02..f135c29 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -48,17 +48,17 @@
"$(uname -m)" == "x86_64" ] && \\\
grep -q ID=fedora /etc/os-release && \\\
[[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
- ! [ -S /var/run/pesign/socket ]; then \
+ ! [ -S /run/pesign/socket ]; then \
echo "No socket even though this is %{_buildhost}" \
- ls -ld /var/run/pesign || : \
- getfacl /var/run/pesign || : \
- ls -l /var/run/pesign/socket || : \
- getfacl /var/run/pesign/socket || : \
+ ls -ld /run/pesign || : \
+ getfacl /run/pesign || : \
+ ls -l /run/pesign/socket || : \
+ getfacl /run/pesign/socket || : \
echo =========== env ============== \
set \
echo =========== env ============== \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
diff --git a/src/pesign-authorize b/src/pesign-authorize
index a496f60..83a30cd 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
diff --git a/src/pesign.service.in b/src/pesign.service.in
index c75a000..4ac2199 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index b0e0f84..bf8edec 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
- mkdir /var/run/pesign 2>/dev/null &&
- chown pesign:pesign /var/run/pesign &&
- chmod 0770 /var/run/pesign
+ mkdir /run/pesign 2>/dev/null &&
+ chown pesign:pesign /run/pesign &&
+ chmod 0770 /run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
@@ -32,7 +32,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
index c1cf355..3375ad5 100644
--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
--
2.33.0

9
SOURCES/0001-efikeygen-Fix-the-build-with-nss-3.44.patch → 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
View File

@ -1,4 +1,4 @@
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
@ -23,15 +23,16 @@ This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit b535d1ac5cbcdf18a97d97a92581e38080d9e521)
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index ede76ef0b48..2cd953e9781 100644
index 9390578..089e6a7 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -208,7 +208,7 @@ static int
@@ -206,7 +206,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
@ -41,5 +42,5 @@ index ede76ef0b48..2cd953e9781 100644
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
--
2.23.0
2.33.0

49
SOURCES/0002-pesigcheck-Fix-a-wrong-assignment.patch
View File

@ -1,49 +0,0 @@
From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 18 Feb 2020 16:28:56 -0500
Subject: [PATCH] pesigcheck: Fix a wrong assignment
gcc says:
pesigcheck.c: In function 'check_signature':
pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
321 | reason->type = siBuffer;
| ^
pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
333 | reason->type = siBuffer;
| ^
cc1: all warnings being treated as errors
And indeed, that line of code makes no sense at all - it was supposed to
be reason->sig.type.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesigcheck.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 524cce307bf..8fa0f1ad03d 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
+ reason->sig.type = siBuffer;
nreason += 1;
is_invalid = true;
}
@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
+ reason->sig.type = siBuffer;
nreason += 1;
has_valid_cert = true;
}
--
2.24.1

317
SOURCES/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
View File

@ -1,317 +0,0 @@
From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 11 Jun 2020 16:23:14 -0400
Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and
vise versa
This makes the version of the sign API that takes a file type optional,
and makes the client attempt to negotiate which version it's getting.
It also leaves the server able to still handle the version from before
the file type was added.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 74 +++++++++++++++++++++++++++++++++++++---------------
src/daemon.c | 63 +++++++++++++++++++++++++++++---------------
src/daemon.h | 2 ++
3 files changed, 97 insertions(+), 42 deletions(-)
diff --git a/src/client.c b/src/client.c
index aa373abd981..57bcc09cbe8 100644
--- a/src/client.c
+++ b/src/client.c
@@ -11,6 +11,7 @@
#include <fcntl.h>
#include <popt.h>
#include <pwd.h>
+#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/socket.h>
@@ -84,8 +85,8 @@ connect_to_server(void)
static int32_t
check_response(int sd, char **srvmsg);
-static void
-check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
+static int
+check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit)
{
struct msghdr msg;
struct iovec iov[1];
@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
ssize_t n;
n = sendmsg(sd, &msg, 0);
if (n < 0) {
- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n");
+ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n");
exit(1);
}
@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
char *srvmsg = NULL;
int32_t rc = check_response(sd, &srvmsg);
- if (rc < 0)
+
+ if (do_exit && rc < 0)
errx(1, "command \"%s\" not known by server", name);
- if (rc != version)
+
+ if (do_exit && rc != version)
errx(1, "command \"%s\": client version %d, server version %d",
name, version, rc);
+
+ if (rc < 0)
+ return rc;
+ return rc == version;
}
static void
@@ -134,7 +141,7 @@ send_kill_daemon(int sd)
struct iovec iov;
pesignd_msghdr pm;
- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0);
+ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_KILL_DAEMON;
@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin)
uint32_t size1 = pesignd_string_size(pin);
- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0);
+ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_UNLOCK_TOKEN;
@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname)
uint32_t size0 = pesignd_string_size(tokenname);
- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0);
+ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true);
pm.version = PESIGND_VERSION;
pm.command = CMD_IS_TOKEN_UNLOCKED;
@@ -452,6 +459,9 @@ static void
sign(int sd, char *infile, char *outfile, char *tokenname, char *certname,
int attached, uint32_t format)
{
+ int rc;
+ bool add_file_type;
+
int infd = open(infile, O_RDONLY);
if (infd < 0) {
fprintf(stderr, "pesign-client: could not open input file "
@@ -481,12 +491,28 @@ oom:
exit(1);
}
- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED,
- attached ? "sign-attached" : "sign-detached", 0);
+ rc = check_cmd_version(sd,
+ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
+ : CMD_SIGN_DETACHED_WITH_FILE_TYPE,
+ attached ? "sign-attached" : "sign-detached",
+ 0, format == FORMAT_KERNEL_MODULE);
+ if (rc >= 0) {
+ add_file_type = true;
+ } else {
+ add_file_type = false;
+ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED
+ : CMD_SIGN_DETACHED,
+ attached ? "sign-attached" : "sign-detached",
+ 0, true);
+ }
+ printf("add_file_type:%d\n", add_file_type);
pm->version = PESIGND_VERSION;
- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED;
- pm->size = size0 + size1 + sizeof(format);
+ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
+ : CMD_SIGN_ATTACHED)
+ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE
+ : CMD_SIGN_DETACHED);
+ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0);
iov[0].iov_base = pm;
iov[0].iov_len = sizeof (*pm);
@@ -503,25 +529,31 @@ oom:
}
char *buffer;
- buffer = malloc(size0 + size1);
+ buffer = malloc(pm->size);
if (!buffer)
goto oom;
- iov[0].iov_base = &format;
- iov[0].iov_len = sizeof(format);
+ int pos = 0;
+
+ if (add_file_type) {
+ iov[pos].iov_base = &format;
+ iov[pos].iov_len = sizeof(format);
+ pos++;
+ }
pesignd_string *tn = (pesignd_string *)buffer;
pesignd_string_set(tn, tokenname);
- iov[1].iov_base = tn;
- iov[1].iov_len = size0;
+ iov[pos].iov_base = tn;
+ iov[pos].iov_len = size0;
+ pos++;
pesignd_string *cn = pesignd_string_next(tn);
pesignd_string_set(cn, certname);
- iov[2].iov_base = cn;
- iov[2].iov_len = size1;
+ iov[pos].iov_base = cn;
+ iov[pos].iov_len = size1;
msg.msg_iov = iov;
- msg.msg_iovlen = 3;
+ msg.msg_iovlen = add_file_type ? 3 : 2;
n = sendmsg(sd, &msg, 0);
if (n < 0) {
@@ -535,7 +567,7 @@ oom:
send_fd(sd, outfd);
char *srvmsg = NULL;
- int rc = check_response(sd, &srvmsg);
+ rc = check_response(sd, &srvmsg);
if (rc < 0) {
fprintf(stderr, "pesign-client: signing failed: \"%s\"\n",
srvmsg);
diff --git a/src/daemon.c b/src/daemon.c
index 9374d59be30..494beb9af72 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -12,6 +12,7 @@
#include <poll.h>
#include <pwd.h>
#include <signal.h>
+#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
@@ -561,7 +562,7 @@ out:
static void
handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
- int attached)
+ int attached, bool with_file_type)
{
struct msghdr msg;
struct iovec iov;
@@ -585,8 +586,12 @@ oom:
n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
- file_format = *((uint32_t *) buffer);
- n -= sizeof(uint32_t);
+ if (with_file_type) {
+ file_format = *((uint32_t *) buffer);
+ n -= sizeof(uint32_t);
+ } else {
+ file_format = FORMAT_PE_BINARY;
+ }
pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t));
if (n < (long long)sizeof(tn->size)) {
@@ -666,34 +671,44 @@ finish:
teardown_digests(ctx->cms);
}
+static inline void
+handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size,
+ int attached, bool with_file_type)
+{
+ int rc = cms_context_alloc(&ctx->cms);
+ if (rc < 0)
+ return;
+
+ steal_from_cms(ctx->backup_cms, ctx->cms);
+
+ handle_signing(ctx, pollfd, size, attached, with_file_type);
+
+ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
+ cms_context_fini(ctx->cms);
+}
+
static void
handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
{
- int rc = cms_context_alloc(&ctx->cms);
- if (rc < 0)
- return;
+ handle_sign_helper(ctx, pollfd, size, 1, false);
+}
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 1);
-
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
- cms_context_fini(ctx->cms);
+static void
+handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
+{
+ handle_sign_helper(ctx, pollfd, size, 1, true);
}
static void
handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
{
- int rc = cms_context_alloc(&ctx->cms);
- if (rc < 0)
- return;
+ handle_sign_helper(ctx, pollfd, size, 0, false);
+}
- steal_from_cms(ctx->backup_cms, ctx->cms);
-
- handle_signing(ctx, pollfd, size, 0);
-
- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
- cms_context_fini(ctx->cms);
+static void
+handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
+{
+ handle_sign_helper(ctx, pollfd, size, 0, true);
}
static void
@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = {
{ CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 },
{ CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 },
{ CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 },
+ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
+ handle_sign_attached_with_file_type,
+ "sign-attached-with-file-type", 0 },
+ { CMD_SIGN_DETACHED_WITH_FILE_TYPE,
+ handle_sign_detached_with_file_type,
+ "sign-detached-with-file-type", 0 },
{ CMD_RESPONSE, NULL, "response", 0 },
{ CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked,
"is-token-unlocked", 0 },
diff --git a/src/daemon.h b/src/daemon.h
index dd430512f1a..834d62c72d0 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -33,6 +33,8 @@ typedef enum {
CMD_RESPONSE,
CMD_IS_TOKEN_UNLOCKED,
CMD_GET_CMD_VERSION,
+ CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
+ CMD_SIGN_DETACHED_WITH_FILE_TYPE,
CMD_LIST_END
} pesignd_cmd;
--
2.26.2

46
SOURCES/0004-Rename-var-run-to-run.patch
View File

@ -1,46 +0,0 @@
From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 12 Jun 2020 11:49:44 -0400
Subject: [PATCH] Rename /var/run/ to /run/
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 12 ++++++------
src/tmpfiles.conf | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 56f75cafbc4..5a6da1c6809 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -45,14 +45,14 @@
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ "$(id -un)" == "kojibuilder" -a \\\
grep -q ID=fedora /etc/os-release -a \\\
- ! -S /var/run/pesign/socket ]; then \
+ ! -S /run/pesign/socket ]; then \
echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /var/run/pesign 1>&2 \
- ls -l /var/run/pesign/socket 1>&2 \
- getfacl /var/run/pesign 1>&2 \
- getfacl /var/run/pesign/socket 1>&2 \
+ ls -ld /run/pesign 1>&2 \
+ ls -l /run/pesign/socket 1>&2 \
+ getfacl /run/pesign 1>&2 \
+ getfacl /run/pesign/socket 1>&2 \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
index c1cf35597d8..3375ad52a44 100644
--- a/src/tmpfiles.conf
+++ b/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
--
2.26.2

30
SOURCES/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
View File

@ -1,30 +0,0 @@
From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001
From: Jeremy Cline <jcline@redhat.com>
Date: Tue, 18 Feb 2020 16:37:53 -0500
Subject: [PATCH] Apparently opensc got updated and the token name changed
All the kernel builds started failing yesterday because the signing
token could not be found. Update the token name in the macro shipped by
pesign.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/macros.pesign b/src/macros.pesign
index 7c5cba170e9..56f75cafbc4 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -9,7 +9,7 @@
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
-%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
--
2.26.2

86
SOURCES/0006-client-try-run-and-var-run-for-the-socket-path.patch
View File

@ -1,86 +0,0 @@
From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 16:13:09 -0400
Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/src/client.c b/src/client.c
index 2119ef33bf8..a38383415d5 100644
--- a/src/client.c
+++ b/src/client.c
@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
}
static int
-connect_to_server(void)
+connect_to_server_helper(const char * const sockpath)
{
- int rc = access(SOCKPATH, R_OK);
+ int rc = access(sockpath, R_OK);
if (rc != 0) {
- fprintf(stderr, "pesign-client: could not connect to server: "
- "%m\n");
- exit(1);
+ warn("could not access socket \"%s\"", sockpath);
+ return rc;
}
struct sockaddr_un addr_un = {
.sun_family = AF_UNIX,
- .sun_path = SOCKPATH,
};
+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
int sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd < 0) {
- fprintf(stderr, "pesign-client: could not open socket: %m\n");
- exit(1);
+ warn("could not open socket \"%s\"", sockpath);
+ return sd;
}
socklen_t len = strlen(addr_un.sun_path) +
@@ -74,14 +74,32 @@ connect_to_server(void)
rc = connect(sd, (struct sockaddr *)&addr_un, len);
if (rc < 0) {
- fprintf(stderr, "pesign-client: could not connect to daemon: "
- "%m\n");
- exit(1);
+ warn("could not connect to daemon");
+ return sd;
}
return sd;
}
+static int
+connect_to_server(void)
+{
+ int rc, i;
+ const char * const sockets[] = {
+ "/run/pesign/socket",
+ "/var/run/pesign/socket",
+ NULL
+ };
+
+ for (i = 0; sockets[i] != NULL; i++) {
+ rc = connect_to_server_helper(sockets[i]);
+ if (rc >= 0)
+ return rc;
+ }
+
+ exit(1);
+}
+
static int32_t
check_response(int sd, char **srvmsg);
--
2.26.2

25
SOURCES/0007-client-remove-an-extra-debug-print.patch
View File

@ -1,25 +0,0 @@
From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 16:44:09 -0400
Subject: [PATCH 07/11] client: remove an extra debug print
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/client.c b/src/client.c
index 0082be1f597..c9966295e5f 100644
--- a/src/client.c
+++ b/src/client.c
@@ -536,7 +536,6 @@ oom:
0, true);
}
- printf("add_file_type:%d\n", add_file_type);
pm->version = PESIGND_VERSION;
pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
: CMD_SIGN_ATTACHED)
--
2.26.2

379
SOURCES/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
View File

@ -1,379 +0,0 @@
From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 13:54:35 -0400
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Make.defaults | 1 +
src/Makefile | 8 +-
src/macros.pesign | 74 ++++--------
src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
4 files changed, 252 insertions(+), 53 deletions(-)
create mode 100644 src/pesign-rpmbuild-helper.in
diff --git a/Make.defaults b/Make.defaults
index 0bacafe0d01..d4cd626c11e 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
INSTALL ?= install
CROSS_COMPILE ?=
+EFI_ARCHES ?= aa64 ia32 x64
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
diff --git a/src/Makefile b/src/Makefile
index 74327ba13f3..a7ca89159c6 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
SVCTARGETS=pesign.sysvinit pesign.service
TARGETS=$(BINTARGETS) $(SVCTARGETS)
@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
pesign : PKGS=efivar nss nspr popt
+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
+ sed \
+ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
+ $^ > $@
+
deps : PKGS=efivar nss nspr popt uuid
deps : $(ALL_SOURCES)
$(MAKE) -f $(TOPDIR)/Make.deps \
@@ -94,6 +99,7 @@ install :
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
diff --git a/src/macros.pesign b/src/macros.pesign
index 5a6da1c6809..2e984b4eeb3 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -6,7 +6,7 @@
# %pesign -s -i shim.orig -o shim.efi
# And magically get the right thing.
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
@@ -24,54 +24,24 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
- _pesign_nssdir=/etc/pki/pesign \
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
- _pesign_nssdir=/etc/pki/pesign-rh-test \
- fi \
- if [ -x %{_pesign} ] && \\\
- [ "%{_target_cpu}" == "x86_64" -o \\\
- "%{_target_cpu}" == "aarch64" ]; then \
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
- nss=$(mktemp -p $PWD -d) \
- echo > ${nss}/pwfile \
- certutil -N -d ${nss} -f ${nss}/pwfile \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
- sattrs=$(mktemp -p $PWD --suffix=.der) \
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
- --certdir ${nss} -c signer %{-o} \
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
- elif [ "$(id -un)" == "kojibuilder" -a \\\
- grep -q ID=fedora /etc/os-release -a \\\
- ! -S /run/pesign/socket ]; then \
- echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /run/pesign 1>&2 \
- ls -l /run/pesign/socket 1>&2 \
- getfacl /run/pesign 1>&2 \
- getfacl /run/pesign/socket 1>&2 \
- exit 1 \
- elif [ -S /run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_client_token} \\\
- -c %{__pesign_client_cert} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
- --certdir ${_pesign_nssdir} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- fi \
- else \
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
- mv %{-i*} %{-o*} \
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
- touch %{-e*} \
- fi \
- fi \
- if [ ! -s %{-o} ]; then \
- if [ -e "%{-o*}" ]; then \
- rm -f %{-o*} \
- fi \
- exit 1 \
- fi ;
-
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
+ "%{_target_cpu}" \\\
+ "%{_pesign}" \\\
+ "%{_pesign_client}" \\\
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
+ %{?__pesign_token:%{__pesign_token}} \\\
+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\
+ %{?_buildhost:--hostname "%{_buildhost}"} \\\
+ %{?vendor:--vendor "%{vendor}"} \\\
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
+ %{?-a:--rhelcafile "%{-a*}"} \\\
+ %{?-c:--rhelcertfile "%{-c*}"} \\\
+ %{?-C:--certout "%{-C*}"} \\\
+ %{?-e:--sattrout "%{-e*}"} \\\
+ %{?-i:--in "%{-i*}"} \\\
+ %{?-o:--out "%{-o*}"} \\\
+ %{?-s:--sign} \\\
+ ; \
+%{nil}
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
new file mode 100644
index 00000000000..c5287c27e0c
--- /dev/null
+++ b/src/pesign-rpmbuild-helper.in
@@ -0,0 +1,222 @@
+#!/bin/bash
+# shellcheck shell=bash
+
+set -eu
+set -x
+
+usage() {
+ local status="${1}" && shift
+ local out
+ if [[ "${status}" -eq 0 ]] ; then
+ out=/dev/stdout
+ else
+ out=/dev/stderr
+ fi
+
+ if [[ $# -gt 0 ]] ; then
+ echo "${0}: error: $*" >>"${out}"
+ fi
+ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
+ exit "${status}"
+}
+
+is_efi_arch() {
+ local arch="${1}"
+ local arches=(@@EFI_ARCHES@@)
+ local x
+ for x in "${arches[@]}" ; do
+ if [[ "${arch}" = "${x}" ]] ; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+error_on_empty() {
+ local f="${1}"
+ if [[ ! -s "${f}" ]] ; then
+ if [[ -e "${f}" ]] ; then
+ rm -f "${f}"
+ fi
+ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
+ exit 1
+ fi
+}
+
+main() {
+ if [[ $# -lt 3 ]] ; then
+ usage 1 not enough arguments
+ fi
+ local target_cpu="${1}" && shift
+ local bin="${1}" && shift
+ local client="${1}" && shift
+
+ local rhelcafile="" || :
+ local rhelcertfile="" || :
+
+ local certout=() || :
+ local sattrout=() || :
+ local input=() || :
+ local output=() || :
+ local client_token=() || :
+ local client_cert=() || :
+ local token=() || :
+ local cert=() || :
+ local rhelcert=() || :
+ local rhelver=0 || :
+ local sign="" || :
+ local arch="" || :
+ local vendor="" || :
+ local HOSTNAME="" || :
+
+ while [[ $# -ge 2 ]] ; do
+ case " ${1} " in
+ " --rhelcafile ")
+ rhelcafile="${2}"
+ ;;
+ " --rhelcertfile ")
+ rhelcertfile="${2}"
+ ;;
+ " --hostname ")
+ HOSTNAME="${2}"
+ ;;
+ " --certout ")
+ certout[0]=-C
+ certout[1]="${2}"
+ ;;
+ " --sattrout ")
+ sattrout[0]=-e
+ sattrout[1]="${2}"
+ ;;
+ " --client-token ")
+ client_token[0]=-t
+ client_token[1]="${2}"
+ ;;
+ " --client-cert ")
+ client_cert[0]=-c
+ client_cert[1]="${2}"
+ ;;
+ " --token ")
+ token[0]=-t
+ token[1]="${2}"
+ ;;
+ " --cert ")
+ cert[0]=-c
+ cert[1]="${2}"
+ ;;
+ " --rhelcert ")
+ rhelcert[0]=-c
+ rhelcert[1]="${2}"
+ ;;
+ " --in ")
+ input[0]=-i
+ input[1]="${2}"
+ ;;
+ " --out ")
+ output[0]=-o
+ output[1]="${2}"
+ ;;
+ " --rhelver ")
+ rhelver="${2}"
+ ;;
+ " --vendor ")
+ vendor="${2}"
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+ shift
+ done
+ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
+ sign=-s
+ shift
+ fi
+
+ if [[ -z "${target_cpu}" ]] ; then
+ target_cpu="$(uname -m)"
+ fi
+
+ target_cpu="${target_cpu/i?86/ia32}"
+ target_cpu="${target_cpu/x86_64/x64}"
+ target_cpu="${target_cpu/aarch64/aa64}"
+ target_cpu="${target_cpu/arm*/arm/}"
+
+ local nssdir=/etc/pki/pesign
+ if [[ "${#cert[@]}" -eq 2 ]] &&
+ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
+ nssdir=/etc/pki/pesign-rh-test
+ fi
+
+ # is_efi_arch is ultimately returning "is pesign configured to sign these
+ # using the rpm macro", so if it isn't, we're just copying the input to
+ # the output
+ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
+ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
+ cp -v "${input[1]}" "${output[1]}"
+ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
+ touch "${sattrout[1]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ error_on_empty "${output[1]}"
+ return 0
+ fi
+
+ USERNAME="${USERNAME:-$(id -un)}"
+
+ local socket="" || :
+ if grep -q ID=fedora /etc/os-release \
+ && [[ "${rhelver}" -lt 7 ]] \
+ && [[ "${USERNAME}" = "mockbuild" ]] \
+ && [[ "${vendor}" = "Fedora Project" ]] \
+ && [[ "${HOSTNAME}" =~ bkernel.* ]]
+ then
+ if [[ -S /run/pesign/socket ]] ; then
+ socket=/run/pesign/socket
+ elif [[ -S /var/run/pesign/socket ]]; then
+ socket=/var/run/pesign/socket
+ else
+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign /var/run/pesign 1>&2 ||:
+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+ fi
+ fi
+
+ if [[ "${rhelver}" -ge 7 ]] ; then
+ nssdir="$(mktemp -p "${PWD}" -d)"
+ echo > "${nssdir}/pwfile"
+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
+ sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+ "${input[@]}" --force
+ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+ --certdir "${nssdir}" -c signer \
+ "${input[@]}" "${output[@]}"
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+ elif [[ -n "${socket}" ]] ; then
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
+ "${sattrout[@]}" "${certout[@]}" \
+ ${sign} "${input[@]}" "${output[@]}"
+ else
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
+ "${certout[@]}" "${input[@]}" "${output[@]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [[ "${#output[@]}" -eq 2 ]] ; then
+ error_on_empty "${output[1]}"
+ fi
+}
+
+main "${@}"
+
+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
--
2.26.2

60
SOURCES/0009-pesign-authorize-shellcheck.patch
View File

@ -1,60 +0,0 @@
From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 15:07:32 -0400
Subject: [PATCH 09/11] pesign-authorize: shellcheck
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index a496f601ab4..55cd5c4e55b 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -12,21 +12,21 @@ set -u
# License: GPLv2
declare -a fileusers=()
declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
+while read -r user ; do
dirusers[${#dirusers[@]}]=-m
dirusers[${#dirusers[@]}]="u:$user:rwx"
fileusers[${#fileusers[@]}]=-m
fileusers[${#fileusers[@]}]="u:$user:rw"
-done
+done </etc/pesign/users
declare -a filegroups=()
declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
+while read -r group ; do
dirgroups[${#dirgroups[@]}]=-m
dirgroups[${#dirgroups[@]}]="g:$group:rwx"
filegroups[${#filegroups[@]}]=-m
filegroups[${#filegroups[@]}]="g:$group:rw"
-done
+done </etc/pesign/groups
update_subdir() {
subdir=$1 && shift
@@ -35,12 +35,12 @@ update_subdir() {
setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
for x in "${subdir}"* ; do
if [ -d "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ setfacl -bk "${x}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
update_subdir "${x}/"
elif [ -e "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ setfacl -bk "${x}"
+ setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
else
:;
fi
--
2.26.2

26
SOURCES/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
View File

@ -1,26 +0,0 @@
From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 15:08:15 -0400
Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index 55cd5c4e55b..c5448329c2c 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /var/run/pesign/ /etc/pki/pesign/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
--
2.26.2

41
SOURCES/0011-kernel-building-hack.patch
View File

@ -1,41 +0,0 @@
From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 Jul 2020 16:42:39 -0400
Subject: [PATCH 11/11] kernel building hack
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index c5287c27e0c..27b8261bc17 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -202,6 +202,23 @@ main() {
"${input[@]}" "${output[@]}"
rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
elif [[ -n "${socket}" ]] ; then
+ ### welcome haaaaack city
+ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
+ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
+ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
+ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
+ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
+ client_cert[1]=kernel-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
+ client_cert[1]=grub2-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
+ client_cert[1]=fwupd-signer
+ fi
+ fi
+ fi
"${client}" "${client_token[@]}" "${client_cert[@]}" \
"${sattrout[@]}" "${certout[@]}" \
${sign} "${input[@]}" "${output[@]}"
--
2.26.2

105
SOURCES/0012-Use-run-not-var-run.patch
View File

@ -1,105 +0,0 @@
From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 16 Jul 2020 16:28:26 -0400
Subject: [PATCH] Use /run not /var/run
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.h | 4 ++--
src/Makefile | 2 +-
src/pesign-authorize | 2 +-
src/pesign.service.in | 2 +-
src/pesign.sysvinit.in | 10 +++++-----
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/daemon.h b/src/daemon.h
index 0368dc9256c..5fcd97ea717 100644
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -51,8 +51,8 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
static inline uint32_t UNUSED
pesignd_string_size(char *buffer)
diff --git a/src/Makefile b/src/Makefile
index a7ca89159c6..f7fb5fc9ee5 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
diff --git a/src/pesign-authorize b/src/pesign-authorize
index c5448329c2c..2381302440c 100755
--- a/src/pesign-authorize
+++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign/ ; do
+for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
diff --git a/src/pesign.service.in b/src/pesign.service.in
index c75a000892a..4ac2199bce2 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index b0e0f84ff0b..bf8edec8ff3 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
start(){
echo -n "Starting pesign: "
- mkdir /var/run/pesign 2>/dev/null &&
- chown pesign:pesign /var/run/pesign &&
- chmod 0770 /var/run/pesign
+ mkdir /run/pesign 2>/dev/null &&
+ chown pesign:pesign /run/pesign &&
+ chmod 0770 /run/pesign
daemon /usr/bin/pesign --daemonize
RETVAL=$?
echo
@@ -32,7 +32,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
--
2.26.2

35
SOURCES/0013-Turn-off-free-nonheap-object.patch
View File

@ -1,35 +0,0 @@
From 59428daf4863f192419eee4afec15cd099e99c9b Mon Sep 17 00:00:00 2001
From: Jeff Law <law@redhat.com>
Date: Mon, 16 Nov 2020 12:07:59 -0700
Subject: [PATCH] Turn off -Wfree-nonheap-object
authvar.c has a call to free (tokenname) where tokenname is set to a string constant
and never changed. That triggers GCC to issue a diagnostic that the value should not
be passed to free.
This is a false positive from GCC as the call is guarded by a suitable condition that
always happens to be false. But pesign is being built without optimization and thus
the condition and free call are not optimized away.
This patch just disables the warning. A better solution would be to fix the sources
or build with the optimizer enabled.
---
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Make.defaults b/Make.defaults
index d4cd626..705cc3a 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto
cflags = $(CFLAGS) $(ARCH3264) \
-Wall -Wextra -Wsign-compare -Wno-unused-result \
-Wno-unused-function -Wno-missing-field-initializers \
- -Werror -Wno-error=cpp \
+ -Werror -Wno-error=cpp -Wno-free-nonheap-object \
-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
$(if $(filter $(CC),clang),$(clang_cflags), ) \
--
2.28.0

26
SOURCES/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
View File

@ -1,26 +0,0 @@
From efb69f149f256631a952e0a0db5b45ed5d391509 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 10 Aug 2021 12:39:08 -0400
Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/macros.pesign | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/macros.pesign b/src/macros.pesign
index 34af57c5b3b..2ca1afb916e 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -35,6 +35,7 @@
%{?_buildhost:--hostname "%{_buildhost}"} \\\
%{?vendor:--vendor "%{vendor}"} \\\
- %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?rhel:--rhelver "%{rhel}"} \\\
+ %{?centos:--rhelver "%{centos}"} \\\
%{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
%{?-a:--rhelcafile "%{-a*}"} \\\
%{?-c:--rhelcertfile "%{-c*}"} \\\
--
2.31.1

27
SOURCES/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
View File

@ -1,27 +0,0 @@
From 3956d8a819541578b31c919270e915fbcc791e89 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 1 Oct 2021 17:58:20 -0400
Subject: [PATCH] Detect the presence of rpm-sign when checking for
"rhel"-ness.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-rpmbuild-helper.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
index 27b8261bc17..d6ca29683b1 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -187,7 +187,7 @@ main() {
fi
fi
- if [[ "${rhelver}" -ge 7 ]] ; then
+ if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then
nssdir="$(mktemp -p "${PWD}" -d)"
echo > "${nssdir}/pwfile"
certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
--
2.31.1

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.hardware-pesign.tier0.functional}

0
SOURCES/pesign.py → pesign.py
View File

200
SPECS/pesign.spec → pesign.spec
View File

@ -2,62 +2,65 @@
Name: pesign
Summary: Signing utility for UEFI binaries
Version: 113
Release: 21%{?dist}
Version: 0.112
Release: 26%{?dist}
License: GPLv2
URL: https://github.com/vathpela/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: make
BuildRequires: gcc
BuildRequires: git
BuildRequires: nspr
BuildRequires: nss
BuildRequires: nss-util
BuildRequires: popt-devel
BuildRequires: git nspr nss nss-util popt-devel
BuildRequires: nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 31-1
BuildRequires: libuuid-devel
BuildRequires: tar
BuildRequires: xz
BuildRequires: python3-rpm-macros
BuildRequires: python3
BuildRequires: tar xz
BuildRequires: python3-rpm-macros python3
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
BuildRequires: systemd-rpm-macros
BuildRequires: systemd
%endif
Requires: nspr
Requires: nss
Requires: nss-tools >= 3.53
Requires: nss-util
Requires: popt
Requires: rpm
Requires: nspr nss nss-util nss-tools popt rpm
Requires(pre): shadow-utils
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm}
%if 0%{?rhel} == 7
BuildRequires: rh-signing-tools >= 1.20-2
%endif
Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Source2: pesign.py
Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch
Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
Patch0004: 0004-Rename-var-run-to-run.patch
Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
Patch0007: 0007-client-remove-an-extra-debug-print.patch
Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
Patch0009: 0009-pesign-authorize-shellcheck.patch
Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
Patch0011: 0011-kernel-building-hack.patch
Patch0012: 0012-Use-run-not-var-run.patch
Patch0013: 0013-Turn-off-free-nonheap-object.patch
Patch0014: 0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
Patch0015: 0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
Patch0002: 0002-Fix-command-line-parsing.patch
Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
Patch0004: 0004-Fix-certficate-argument-name.patch
Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
Patch0012: 0012-Add-coverity-build-scripts.patch
Patch0013: 0013-Document-implicit-fallthrough.patch
Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
Patch0016: 0016-efikeygen-add-modsign.patch
Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
Patch0018: 0018-show-which-db-we-re-checking.patch
Patch0019: 0019-more-about-the-time.patch
Patch0020: 0020-try-to-say-why-something-fails.patch
Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
Patch0023: 0023-Better-authorization-scripts.-Again.patch
Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
Patch0030: 0030-Replace-var-run-with-run.patch
Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
%description
This package contains the pesign utility for signing UEFI binaries as
@ -107,7 +110,7 @@ rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
cp -av libdpe/*.[ch] src/
install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
%pre
getent group pesign >/dev/null || groupadd -r pesign
@ -120,21 +123,14 @@ exit 0
%post
%systemd_post pesign.service
#%%posttrans
#%%{_libexecdir}/pesign/pesign-authorize
%preun
%systemd_preun pesign.service
%postun
%systemd_postun_with_restart pesign.service
%posttrans
certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
# this is disabled currently because it breaks the fedora kernel build root
# generation - because we don't currently have a good way of populating
# /etc/pesign/{users,groups} before the buildroot is installed, or
# populating them and re-running pesign-authorize afterwards but before the
# package build of e.g. kernel
#%%{_libexecdir}/pesign/pesign-authorize
%endif
%files
@ -153,13 +149,12 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize
%{_libexecdir}/pesign/pesign-rpmbuild-helper
%config(noreplace)/%{_sysconfdir}/pesign/users
%config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign
%{_mandir}/man*/*
%dir %attr(0770, pesign, pesign) %{_rundir}/%{name}
%dir %attr(0770, pesign, pesign) /%{_rundir}/%{name}
%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
@ -170,104 +165,21 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
%{python3_sitelib}/mockbuild/plugins/pesign.*
%changelog
* Tue Dec 14 2021 Robbie Harwood <rharwood@redhat.com> - 113-21
- Sync with beta changes
- Resolves: rhbz#2030501
* Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
- Perform the /var/run to /run "migration" stupidity
- Resolves: rhbz#1801976
* Tue Aug 10 2021 Peter Jones <pjones@redhat.com> - 113-18
- Detect the CentOS version number correctly in rpm pesign macro
Related: rhbz#1991688
* Mon Oct 01 2018 Peter Jones <pjones@redhat.com> - 0.112-25
- Preserve .py timestamp during install so .pyc/.pyo files have the same
timestamp on all arches, preventing rpmdiff from complaining.
Related: rhbz#1625388
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 113-17
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Sep 28 2018 Peter Jones <pjones@redhat.com> - 0.112-24
- Require nss-tools at runtime so the rpm signing macros will have it
Resolves: rhbz#1625388
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 113-16
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Nov 16 2020 Jeff Law <law@redhat.com> - 113-14
- Turn off -Wfree-nonheap-object
* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-13
- Add the rundir related stuff that was staged on my f32 checkout.
* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-12
- Try to make kernel and fwupd both work at the same time.
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 113-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-10
- I really cannot figure out why bkernel01 thinks the certificate nickname
starts with /CN=, but it does, so I'm gonna stop fighting with the sand.
* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-9
- Even more kernel build debugging...
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-8
- More kernel build debugging...
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-6
- Disable the pesign-authorize call in posttrans, until we can figure out a
better way to deal with that in the fedora kernel builder chroot setup
* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-5
- Make pesign require nss-tools for the posttrans scriptlet
- Move most of macros.pesign to /usr/libexec/pesign/pesign-rpmbuild-helper
* Mon Jul 06 2020 Peter Jones <pjones@redhat.com> - 113-4
- Attempt to fix kernel signing failures caused by -3...
* Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
- Fix the signer name for fedora and some other minor nits
Related: rhbz#1708773
Related: rhbz#1678146
* Thu Jun 11 2020 Peter Jones <pjones@redhat.com> - 113-2
- Fix a signing protocol bug we introduced in 113 that makes the fedora
kernel builders fail.
Related: rhbz#1708773
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 113-1
- Update to 113 release
Resolves: rhbz#1708773
* Mon Jun 08 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.112-31
- Switch default NSS database to SQLite format (pjones)
Resolves: rhbz#1827902
* Mon Feb 24 2020 Peter Jones <pjones@redhat.com> - 0.112-30
- Make sure the patch for -29 is actually in the build in f32, and
synchronize with master.
* Tue Feb 18 2020 Peter Jones <pjones@redhat.com> - 0.112-29
- Rebuild to match OpenSC's token name mangling change.
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.112-27
- Rebuild to fix an NSS API issue.
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-26
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Mar 6 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.112-25
- Fix build (#1675653)
- Add missing closing quote in macro (#1651020)
- Update obsolete /var/run/ path (#1678146)
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-25
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-24
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.112-23
- Rebuild for platform-python
* Mon Jan 22 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.112-22
- Minor spec cleanups, fix arm conditional

13
rpminspect.yaml Normal file
View File

@ -0,0 +1,13 @@
---
inspections:
# Not a Java package
javabytecode: off
# These just flag when things change "too much"
changedfiles: off
filesize: off
patches: off
upstream: off
# https://bugzilla.redhat.com/show_bug.cgi?id=2010936
annocheck: off

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (certs.tar.xz) = 5df34f507a365ef87320776c99cbfad76365693901c71eaf64fec008afb9acfd7b615da5906b92a070c864e74f44934395c3f474ce5b33844cfa3df49a8ad188
SHA512 (pesign-0.112.tar.bz2) = 96bff27ce5059f1ea299c21ac88998a0c17851b8b06ba2f3e286de5cd4d73651b670ac00ca035481faf9c963338527c89120c63ec891a95ce9ecb9130fbc5e5c