1702b23026
Signed-off-by: Peter Jones <pjones@redhat.com>
288 lines
9.0 KiB
Diff
288 lines
9.0 KiB
Diff
From 22658f290fcf66213ca6237e37ae97bba39a8a0b Mon Sep 17 00:00:00 2001
|
|
From: Peter Jones <pjones@redhat.com>
|
|
Date: Mon, 6 Jul 2020 13:54:35 -0400
|
|
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
---
|
|
src/Makefile | 1 +
|
|
src/macros.pesign | 73 +++++------------
|
|
src/pesign-rpmbuild-helper | 163 +++++++++++++++++++++++++++++++++++++
|
|
3 files changed, 184 insertions(+), 53 deletions(-)
|
|
create mode 100644 src/pesign-rpmbuild-helper
|
|
|
|
diff --git a/src/Makefile b/src/Makefile
|
|
index 74327ba13f3..c9e9cc6cd1b 100644
|
|
--- a/src/Makefile
|
|
+++ b/src/Makefile
|
|
@@ -94,6 +94,7 @@ install :
|
|
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
|
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
|
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
|
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
|
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
|
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
|
|
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
|
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
|
index 5a6da1c6809..e3a0de9c2f4 100644
|
|
--- a/src/macros.pesign
|
|
+++ b/src/macros.pesign
|
|
@@ -6,10 +6,10 @@
|
|
# %pesign -s -i shim.orig -o shim.efi
|
|
# And magically get the right thing.
|
|
|
|
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
|
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
|
|
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
|
|
|
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
|
|
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
|
|
|
%_pesign /usr/bin/pesign
|
|
@@ -24,54 +24,21 @@
|
|
# -a <input ca cert filename> # rhel only
|
|
# -s # perform signing
|
|
%pesign(i:o:C:e:c:n:a:s) \
|
|
- _pesign_nssdir=/etc/pki/pesign \
|
|
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
|
|
- _pesign_nssdir=/etc/pki/pesign-rh-test \
|
|
- fi \
|
|
- if [ -x %{_pesign} ] && \\\
|
|
- [ "%{_target_cpu}" == "x86_64" -o \\\
|
|
- "%{_target_cpu}" == "aarch64" ]; then \
|
|
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
|
|
- nss=$(mktemp -p $PWD -d) \
|
|
- echo > ${nss}/pwfile \
|
|
- certutil -N -d ${nss} -f ${nss}/pwfile \
|
|
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
|
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
|
- sattrs=$(mktemp -p $PWD --suffix=.der) \
|
|
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
|
|
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
|
|
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
|
- --certdir ${nss} -c signer %{-o} \
|
|
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
|
- elif [ "$(id -un)" == "kojibuilder" -a \\\
|
|
- grep -q ID=fedora /etc/os-release -a \\\
|
|
- ! -S /run/pesign/socket ]; then \
|
|
- echo "No socket even though this is kojibuilder" 1>&2 \
|
|
- ls -ld /run/pesign 1>&2 \
|
|
- ls -l /run/pesign/socket 1>&2 \
|
|
- getfacl /run/pesign 1>&2 \
|
|
- getfacl /run/pesign/socket 1>&2 \
|
|
- exit 1 \
|
|
- elif [ -S /run/pesign/socket ]; then \
|
|
- %{_pesign_client} -t %{__pesign_client_token} \\\
|
|
- -c %{__pesign_client_cert} \\\
|
|
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
|
- else \
|
|
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
|
- --certdir ${_pesign_nssdir} \\\
|
|
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
|
- fi \
|
|
- else \
|
|
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
|
|
- mv %{-i*} %{-o*} \
|
|
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
|
|
- touch %{-e*} \
|
|
- fi \
|
|
- fi \
|
|
- if [ ! -s %{-o} ]; then \
|
|
- if [ -e "%{-o*}" ]; then \
|
|
- rm -f %{-o*} \
|
|
- fi \
|
|
- exit 1 \
|
|
- fi ;
|
|
-
|
|
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
|
|
+ "%{_target_cpu}" \\\
|
|
+ "%{_pesign}" \\\
|
|
+ "%{_pesign_client}" \\\
|
|
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
|
|
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
|
|
+ %{?__pesign_token:%{__pesign_token}} \\\
|
|
+ %{?-n:--cert "\"%{-n*}\""}%{?!-n:--cert "\"%{__pesign_cert}\""} \\\
|
|
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
|
|
+ %{?-a:--cafile "%{-a*}"} \\\
|
|
+ %{?-c:--certfile "%{-c*}"} \\\
|
|
+ %{?-C:--certout "%{-C*}"} \\\
|
|
+ %{?-e:--sattrout "%{-e*}"} \\\
|
|
+ %{?-i:--in "%{-i*}"} \\\
|
|
+ %{?-o:--out "%{-o*}"} \\\
|
|
+ %{?-s:--sign} \\\
|
|
+ ; \
|
|
+%{nil}
|
|
diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
|
|
new file mode 100644
|
|
index 00000000000..f3d66320bcc
|
|
--- /dev/null
|
|
+++ b/src/pesign-rpmbuild-helper
|
|
@@ -0,0 +1,164 @@
|
|
+#!/bin/sh
|
|
+
|
|
+set -eu
|
|
+set -x
|
|
+
|
|
+main() {
|
|
+ local target_cpu="${1}" && shift
|
|
+ local bin="${1}" && shift
|
|
+ local client="${1}" && shift
|
|
+
|
|
+ local cafile="" || :
|
|
+ local certfile="" || :
|
|
+
|
|
+ local certout=() || :
|
|
+ local sattrout=() || :
|
|
+ local input=() || :
|
|
+ local output=() || :
|
|
+ local client_token=() || :
|
|
+ local client_cert=() || :
|
|
+ local token=() || :
|
|
+ local cert=() || :
|
|
+ local rhelver=0 || :
|
|
+ local sign="" || :
|
|
+
|
|
+ local username="$(id -un)"
|
|
+
|
|
+ while [[ $# -ge 2 ]] ; do
|
|
+ case " ${1} " in
|
|
+ " --cafile ")
|
|
+ cafile="${2}"
|
|
+ ;;
|
|
+ " --certfile ")
|
|
+ certfile="${2}"
|
|
+ ;;
|
|
+ " --certout ")
|
|
+ certout[0]=-C
|
|
+ certout[1]="${2}"
|
|
+ ;;
|
|
+ " --sattrout ")
|
|
+ sattrout[0]=-e
|
|
+ sattrout[1]="${2}"
|
|
+ ;;
|
|
+ " --client-token ")
|
|
+ client_token[0]=-t
|
|
+ client_token[1]="${2}"
|
|
+ ;;
|
|
+ " --client-cert ")
|
|
+ client_cert[0]=-c
|
|
+ client_cert[1]="${2}"
|
|
+ ;;
|
|
+ " --token ")
|
|
+ token[0]=-t
|
|
+ token="${2}"
|
|
+ ;;
|
|
+ " --cert ")
|
|
+ cert[0]=-c
|
|
+ cert[1]="${2}"
|
|
+ ;;
|
|
+ " --certname ")
|
|
+ cert[0]=-c
|
|
+ cert[1]="${2}"
|
|
+ ;;
|
|
+ " --in ")
|
|
+ input[0]=-i
|
|
+ input[1]="${2}"
|
|
+ ;;
|
|
+ " --out ")
|
|
+ output[0]=-o
|
|
+ output[1]="${2}"
|
|
+ ;;
|
|
+ " --rhelver ")
|
|
+ rhelver="${2}"
|
|
+ ;;
|
|
+ *)
|
|
+ break
|
|
+ ;;
|
|
+ esac
|
|
+ shift
|
|
+ shift
|
|
+ done
|
|
+ if [ $# -ge 1 -a "${1}" = --sign ] ; then
|
|
+ sign=-s
|
|
+ shift
|
|
+ fi
|
|
+
|
|
+ local nssdir=/etc/pki/pesign
|
|
+ if [ "${#cert[@]}" -eq 2 ] &&
|
|
+ [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then
|
|
+ nssdir=/etc/pki/pesign-rh-test
|
|
+ fi
|
|
+
|
|
+ if [ -x "${bin}" ] &&
|
|
+ [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then
|
|
+ if [ -n "${input[*]}" -a -n "${output[*]}" ] ; then
|
|
+ mv -v "${input[1]}" "${output[1]}"
|
|
+ elif [ -n "${input[*]}" -a -n "${sattrout[*]}" ] ; then
|
|
+ touch "${sattrout[1]}"
|
|
+ fi
|
|
+
|
|
+ # if there's a 0-sized output file, delete it and error out
|
|
+ if [ ! -s "${output[1]}" ] ; then
|
|
+ if [ -e "${output[1]}" ] ; then
|
|
+ rm -f "${output[1]}"
|
|
+ fi
|
|
+ exit 1
|
|
+ fi
|
|
+ return 0
|
|
+ fi
|
|
+
|
|
+ local socket="" || :
|
|
+ if grep -q ID=fedora /etc/os-release && [ "${rhelver}" -lt 7 ] &&
|
|
+ [ "${username}" = "kojibuilder" -o "${username}" = "mockbuild" ] ; then
|
|
+ if [ -S /run/pesign/socket ] ; then
|
|
+ socket=/run/pesign/socket
|
|
+ elif [ -S /var/run/pesign/socket ]; then
|
|
+ socket=/var/run/pesign/socket
|
|
+ else
|
|
+ echo "Warning: no pesign socket even though user is ${username}" 1>&2
|
|
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
|
|
+ ls -ld /run/pesign 1>&2 ||:
|
|
+ ls -l /run/pesign/socket 1>&2 ||:
|
|
+ getfacl /run/pesign 1>&2 || :
|
|
+ getfacl /run/pesign/socket 1>&2 ||:
|
|
+ ls -ld /var/run/pesign 1>&2 ||:
|
|
+ ls -l /var/run/pesign/socket 1>&2 ||:
|
|
+ getfacl /var/run/pesign 1>&2 || :
|
|
+ getfacl /var/run/pesign/socket 1>&2 || :
|
|
+ fi
|
|
+ fi
|
|
+
|
|
+ if [ "${rhelver}" -ge 7 ] ; then
|
|
+ nssdir=$(mktemp -p $PWD -d)
|
|
+ echo > ${nssdir}/pwfile
|
|
+ certutil -N -d ${nssdir} -f ${nssdir}/pwfile
|
|
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${cafile}" -d ${nssdir}
|
|
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
|
|
+ sattrs="$(mktemp -p $PWD --suffix=.der)"
|
|
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
|
|
+ "${input[@]}" --force
|
|
+ rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}"
|
|
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
|
|
+ --certdir "${nssdir}" -c signer \
|
|
+ "${input[@]}" "${output[@]}"
|
|
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
|
|
+ elif [ -n "${socket}" ] ; then
|
|
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
|
|
+ "${sattrout[@]}" "${certout[@]}" \
|
|
+ ${sign} "${input[@]}" "${output[@]}"
|
|
+ else
|
|
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
|
|
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
|
|
+ "${certout[@]}" "${input[@]}" "${output[@]}"
|
|
+ fi
|
|
+
|
|
+ # if there's a 0-sized output file, delete it and error out
|
|
+ if [ "${#output[@]}" -eq 2 ] && ! [ -s "${output[1]}" ] ; then
|
|
+ if [ -e "${output[1]}" ] ; then
|
|
+ rm -f "${output[1]}"
|
|
+ fi
|
|
+ exit 1
|
|
+ fi
|
|
+}
|
|
+
|
|
+main "${@}"
|
|
--
|
|
2.26.2
|
|
|