sbsigntools/SOURCES/f12484869c9590682ac3253d583bf59b890bb826.patch

From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
From: dann frazier <dann.frazier@canonical.com>
Date: Wed, 12 Aug 2020 15:27:08 -0600
Subject: sbkeysync: Don't ignore errors from insert_new_keys()

If insert_new_keys() fails, say due to a full variable store, we currently
still exit(0). This can make it difficult to know something is wrong.
For example, Debian and Ubuntu implement a secureboot-db systemd service
to update the DB and DBX, which calls:

 ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose

But although this seemed to succeed on my system, looking at the logs shows
a different story:

Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin

Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 src/sbkeysync.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index e51f177..7748990 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -889,10 +889,12 @@ int main(int argc, char **argv)
 {
 	bool use_default_keystore_dirs;
 	struct sync_context *ctx;
+	int rc;
 
 	use_default_keystore_dirs = true;
 	ctx = talloc_zero(NULL, struct sync_context);
 	list_head_init(&ctx->new_keys);
+	rc = EXIT_SUCCESS;
 
 	for (;;) {
 		int idx, c;
@@ -985,10 +987,10 @@ int main(int argc, char **argv)
 	if (ctx->verbose)
 		print_new_keys(ctx);
 
-	if (!ctx->dry_run)
-		insert_new_keys(ctx);
+	if (!ctx->dry_run && insert_new_keys(ctx))
+		rc = EXIT_FAILURE;
 
 	talloc_free(ctx);
 
-	return EXIT_SUCCESS;
+	return rc;
 }
-- 
cgit 1.2.3-1.el7
import Fedora sbsigntools-0.9.4-11.fc38 2023-09-13 11:53:32 +00:00			`From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001`
			`From: dann frazier <dann.frazier@canonical.com>`
			`Date: Wed, 12 Aug 2020 15:27:08 -0600`
			`Subject: sbkeysync: Don't ignore errors from insert_new_keys()`

			`If insert_new_keys() fails, say due to a full variable store, we currently`
			`still exit(0). This can make it difficult to know something is wrong.`
			`For example, Debian and Ubuntu implement a secureboot-db systemd service`
			`to update the DB and DBX, which calls:`

			`ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose`

			`But although this seemed to succeed on my system, looking at the logs shows`
			`a different story:`

			`Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx`
			`Error writing key update: Invalid argument`
			`Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin`

			`Signed-off-by: dann frazier <dann.frazier@canonical.com>`
			`Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>`
			`---`
			`src/sbkeysync.c \| 8 +++++---`
			`1 file changed, 5 insertions(+), 3 deletions(-)`

			`diff --git a/src/sbkeysync.c b/src/sbkeysync.c`
			`index e51f177..7748990 100644`
			`--- a/src/sbkeysync.c`
			`+++ b/src/sbkeysync.c`
			`@@ -889,10 +889,12 @@ int main(int argc, char **argv)`
			`{`
			`bool use_default_keystore_dirs;`
			`struct sync_context *ctx;`
			`+ int rc;`

			`use_default_keystore_dirs = true;`
			`ctx = talloc_zero(NULL, struct sync_context);`
			`list_head_init(&ctx->new_keys);`
			`+ rc = EXIT_SUCCESS;`

			`for (;;) {`
			`int idx, c;`
			`@@ -985,10 +987,10 @@ int main(int argc, char **argv)`
			`if (ctx->verbose)`
			`print_new_keys(ctx);`

			`- if (!ctx->dry_run)`
			`- insert_new_keys(ctx);`
			`+ if (!ctx->dry_run && insert_new_keys(ctx))`
			`+ rc = EXIT_FAILURE;`

			`talloc_free(ctx);`

			`- return EXIT_SUCCESS;`
			`+ return rc;`
			`}`
			`--`
			`cgit 1.2.3-1.el7`