From 853167a32574ce175c7de2ee730afc1a835191f4 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 6 Jul 2020 13:54:35 -0400 Subject: [PATCH 6/7] Move most of macros.pesign to pesign-rpmbuild-helper Signed-off-by: Peter Jones --- src/Makefile | 1 + src/macros.pesign | 72 +++++------------- src/pesign-rpmbuild-helper | 152 +++++++++++++++++++++++++++++++++++++ 3 files changed, 173 insertions(+), 52 deletions(-) create mode 100755 src/pesign-rpmbuild-helper diff --git a/src/Makefile b/src/Makefile index 74327ba13f3..c9e9cc6cd1b 100644 --- a/src/Makefile +++ b/src/Makefile @@ -94,6 +94,7 @@ install : $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ + $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups diff --git a/src/macros.pesign b/src/macros.pesign index 5a6da1c6809..4caf0ba9c8d 100644 --- a/src/macros.pesign +++ b/src/macros.pesign @@ -6,7 +6,7 @@ # %pesign -s -i shim.orig -o shim.efi # And magically get the right thing. -%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} +%__pesign_token %{nil}%{?pe_signing_token:"%{pe_signing_token}"} %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} 
@@ -24,54 +24,22 @@
 # -a # rhel only
 # -s # perform signing
 %pesign(i:o:C:e:c:n:a:s) \
- _pesign_nssdir=/etc/pki/pesign \
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
- _pesign_nssdir=/etc/pki/pesign-rh-test \
- fi \
- if [ -x %{_pesign} ] && \\\
- [ "%{_target_cpu}" == "x86_64" -o \\\
- "%{_target_cpu}" == "aarch64" ]; then \
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
- nss=$(mktemp -p $PWD -d) \
- echo > ${nss}/pwfile \
- certutil -N -d ${nss} -f ${nss}/pwfile \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
- sattrs=$(mktemp -p $PWD --suffix=.der) \
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
- --certdir ${nss} -c signer %{-o} \
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
- elif [ "$(id -un)" == "kojibuilder" -a \\\
- grep -q ID=fedora /etc/os-release -a \\\
- ! -S /run/pesign/socket ]; then \
- echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /run/pesign 1>&2 \
- ls -l /run/pesign/socket 1>&2 \
- getfacl /run/pesign 1>&2 \
- getfacl /run/pesign/socket 1>&2 \
- exit 1 \
- elif [ -S /run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_client_token} \\\
- -c %{__pesign_client_cert} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
- --certdir ${_pesign_nssdir} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- fi \
- else \
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
- mv %{-i*} %{-o*} \
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
- touch %{-e*} \
- fi \
- fi \
- if [ ! -s %{-o} ]; then \
- if [ -e "%{-o*}" ]; then \
- rm -f %{-o*} \
- fi \
- exit 1 \
- fi ;
-
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
+ "%{_target_cpu}" \\\
+ "%{_pesign}" \\\
+ "%{_pesign_client}" \\\
+ %{?__pesign_client_token?--client-token "%{__pesign_client_token}"} \\\
+ %{?__pesign_client_cert?--client-cert "%{__pesign_client_cert}"} \\\
+ %{?__pesign_token?--token "%{__pesign_token}"} \\\
+ %{?__pesign_cert?--cert "%{__pesign_cert}"} \\\
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?-a*:--cafile "%{-a*}"} \\\
+ %{?-c*:--certfile "%{-c*}"} \\\
+ %{?-n*:--certname "%{-n*}"} \\\
+ %{?-C*:--certout "%{-C*}"} \\\
+ %{?-e*:--sattrout "%{-e*}"} \\\
+ %{?-i*:--in "%{i*}"} \\\
+ %{?-o*:--out "%{o*}"} \\\
+ %{?-s:--sign} \\\
+ ; \
+%{nil}
diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
new file mode 100755
index 00000000000..24514aa0b5d
--- /dev/null
+++ b/src/pesign-rpmbuild-helper
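Review bot: The new `--in` and `--out` lines expand `%{i*}` and `%{o*}` instead of the option arguments `%{-i*}` and `%{-o*}`, so the helper never receives the real input and output paths; they should read `%{?-i*:--in "%{-i*}"}` and `%{?-o*:--out "%{-o*}"}`. The four `%{?__pesign_…?--flag "…"}` lines use `?` as the separator where the neighbouring `%{?-a*:--cafile "%{-a*}"}` lines use rpm's `:` conditional form, which looks like the same slip and would need to become e.g. `%{?__pesign_token:--token "%{__pesign_token}"}`. The removed code keyed the rpm-sign path on `0%{?rhel}` and on `-f /usr/bin/rpm-sign`, whereas the new line passes `%{?_rhel:--rhelver "%{_rhel}"}`; unless `_rhel` is defined alongside `rhel`, the helper's rhelver stays 0 and the rpm-sign branch becomes unreachable, and the rpm-sign executable check has no replacement in the helper. The `%pesign` macro body continues past this hunk only through the `%{nil}` terminator, so the whole definition is visible here.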
@@ -0,0 +1,152 @@
+#!/bin/sh
+
+set -eu
+
+main() {
+ local target_cpu="${1}" && shift
+ local bin="${1}" && shift
+ local client="${1}" && shift
+
+ local cafile="" || :
+ local certfile="" || :
+ local certname="" || :
+
+ local certout=() || :
+ local sattrout=() || :
+ local input=() || :
+ local output=() || :
+ local client_token=() || :
+ local client_cert=() || :
+ local token=() || :
+ local cert=() || :
+ local rhelver=0 || :
+ local sign="" || :
+
+ local username="$(id -un)"
+
+ while [[ $# -ge 2 ]] ; do
+ case " ${1} " in
+ " --cafile ")
+ cafile="${2}"
+ ;;
+ " --certfile ")
+ certfile="${2}"
+ ;;
+ " --certname ")
+ certname="${2}"
+ ;;
+ " --certout ")
+ certout=(-C "${2}")
+ ;;
+ " --sattrout ")
+ sattrout=(-e "${2}")
+ ;;
+ " --client-token ")
+ client_token=(-t "${2}")
+ ;;
+ " --client-cert ")
+ client_cert=(-c "${2}")
+ ;;
+ " --token ")
+ token=(-t "${2}")
+ ;;
+ " --cert ")
+ cert=(-c "${2}")
+ ;;
+ " --in ")
+ input=(-i "${2}")
+ ;;
+ " --out ")
+ output=(-o "${2}")
+ ;;
+ " --rhelver ")
+ rhelver="${2}"
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+ shift
+ done
+ if [ $# -ge 1 -a "${1}" = --sign ] ; then
+ sign=-s
+ shift
+ fi
+
+ local nssdir=/etc/pki/pesign
+ if [ "${cert}" == "Red Hat Test Certificate" ] ; then
+ nssdir=/etc/pki/pesign-rh-test
+ fi
+
+ if [ -x "${bin}" ] &&
+ [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then
+ if [ -n "${input[*]}" -a -n "${output[*]}" ] ; then
+ mv -v "${input[1]}" "${output[1]}"
+ elif [ -n "${input[*]}" -a -n "${sattrout[*]}" ] ; then
+ touch "${sattrout[1]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [ ! -s "${output[1]}" ] ; then
+ if [ -e "${output[1]}" ] ; then
+ rm -f "${output[1]}"
+ fi
+ exit 1
+ fi
+ return 0
+ fi
+
+ local socket="" || :
+ if grep -q ID=fedora /etc/os-release && [ "${rhelver}" -lt 7 ] &&
+ [ "${username}" = "kojibuilder" -o "${username}" = "mockbuilder" ] ; then
+ if [ -S /run/pesign/socket ] ; then
+ socket=/run/pesign/socket
+ elif [ -S /var/run/pesign/socket ]; then
+ socket=/var/run/pesign/socket
+ else
+ echo "Warning: no pesign socket even though user is ${username}" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign 1>&2
+ ls -l /run/pesign/socket 1>&2
+ getfacl /run/pesign /run/pesign/socket 1>&2
+ ls -ld /var/run/pesign 1>&2
+ ls -l /var/run/pesign/socket 1>&2
+ getfacl /var/run/pesign /var/run/pesign/socket 1>&2
+ fi
+ fi
+
+ if [ "${rhelver}" -ge 7 ] ; then
+ nssdir=$(mktemp -p $PWD -d)
+ echo > ${nssdir}/pwfile
+ certutil -N -d ${nssdir} -f ${nssdir}/pwfile
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${cafile}" -d ${nssdir}
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
+ sattrs="$(mktemp -p $PWD --suffix=.der)"
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+ ${input[@]} --force
+ rpm-sign --key "${certname}" --rsadgstsign "${sattrs}"
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+ --certdir "${nssdir}" -c signer \
+ ${input[@]} ${output[@]}
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+ elif [ -n "${socket}" ] ; then
+ "${client}" ${client_token[@]} ${client_cert[@]} \
+ ${sattrout[@]} ${certout[@]} \
+ ${sign} ${input[@]} ${output[@]}
+ else
+ "${bin}" --certdir "${nssdir}" ${token[@]} ${cert[@]} \
+ ${sign} ${sattrout[@]} ${certout[@]} \
+ ${input[@]} ${output[@]}
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [ ! -s "${output[1]}" ] ; then
+ if [ -e "${output[1]}" ] ; then
+ rm -f "${output[1]}"
+ fi
+ exit 1
+ fi
+}
+
+main "${@}"
-- 
2.26.2
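Review bot: The pass-through guard in main() is inverted relative to the macro it replaces: `if [ -x "${bin}" ] && [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ]` takes the mv/touch path only when pesign *is* executable, so a missing or non-executable pesign now falls into the signing branches and fails instead of copying the input through as before; `if ! [ -x "${bin}" ] || { [ "${target_cpu}" != "x86_64" ] && [ "${target_cpu}" != "aarch64" ]; } ; then` restores the old behaviour. The nssdir selection `[ "${cert}" == "Red Hat Test Certificate" ]` compares `${cert[0]}`, which is `-c` once `--cert` has been parsed (and an unbound-variable error under `set -u` when it has not), so `/etc/pki/pesign-rh-test` is never chosen; it should read `"${cert[1]:-}"`. The file is `#!/bin/sh` yet uses arrays, `[[ ]]` and `==`, which dash rejects at parse time, so the shebang should be `#!/bin/bash` (or the bashisms dropped), and the unquoted `${input[@]}`/`${output[@]}` expansions and bare `$PWD` in the mktemp calls word-split on paths containing spaces. In the no-socket warning branch `ls -l /run/pesign/socket` fails by construction and `set -e` then aborts the script, so if the intent really is warn-and-continue those diagnostics need `|| :`, and on a failed rpm-sign the `${nssdir}` with its empty pwfile and `${sattrs}` are left behind because cleanup is not in a trap. Separately, the certutil trust flags changed from `CT,C,`/`,c,` to `CTu,CTu,CTu` for both the CA and the signer, which marks both as trusted issuers for all three usage categories; if that widening is intentional it deserves a comment, otherwise the old flags should be kept.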