import Fedora sbsigntools-0.9.4-11.fc38

2023-09-13 11:53:32 +00:00 · 2023-09-13 11:53:32 +00:00 · 2f0c33f570
commit 2f0c33f570
8 changed files with 364 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/sbsigntools-0.9.4.tar.xz
--- a/.sbsigntools.metadata
+++ b/.sbsigntools.metadata
@ -0,0 +1 @@
+9d252e4f6dbace51bef1e781f3d3ea09f2b313e4 SOURCES/sbsigntools-0.9.4.tar.xz
--- a/SOURCES/f12484869c9590682ac3253d583bf59b890bb826.patch
+++ b/SOURCES/f12484869c9590682ac3253d583bf59b890bb826.patch
@ -0,0 +1,59 @@
+From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
+From: dann frazier <dann.frazier@canonical.com>
+Date: Wed, 12 Aug 2020 15:27:08 -0600
+Subject: sbkeysync: Don't ignore errors from insert_new_keys()
+
+If insert_new_keys() fails, say due to a full variable store, we currently
+still exit(0). This can make it difficult to know something is wrong.
+For example, Debian and Ubuntu implement a secureboot-db systemd service
+to update the DB and DBX, which calls:
+
+ ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
+
+But although this seemed to succeed on my system, looking at the logs shows
+a different story:
+
+Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
+Error writing key update: Invalid argument
+Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
+
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+---
+ src/sbkeysync.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/sbkeysync.c b/src/sbkeysync.c
+index e51f177..7748990 100644
+--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
+@@ -889,10 +889,12 @@ int main(int argc, char **argv)
+ {
+ 	bool use_default_keystore_dirs;
+ 	struct sync_context *ctx;
+	int rc;
+ 
+ 	use_default_keystore_dirs = true;
+ 	ctx = talloc_zero(NULL, struct sync_context);
+ 	list_head_init(&ctx->new_keys);
+	rc = EXIT_SUCCESS;
+ 
+ 	for (;;) {
+ 		int idx, c;
+@@ -985,10 +987,10 @@ int main(int argc, char **argv)
+ 	if (ctx->verbose)
+ 		print_new_keys(ctx);
+ 
+-	if (!ctx->dry_run)
+-		insert_new_keys(ctx);
+	if (!ctx->dry_run && insert_new_keys(ctx))
+		rc = EXIT_FAILURE;
+ 
+ 	talloc_free(ctx);
+ 
+-	return EXIT_SUCCESS;
+	return rc;
+ }
+-- 
+cgit 1.2.3-1.el7
+
--- a/SOURCES/sbsigntools-gnuefi.patch
+++ b/SOURCES/sbsigntools-gnuefi.patch
@ -0,0 +1,69 @@
+diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac
+--- sbsigntools-0.9.3/configure.ac.gnu-efi	2020-02-03 09:38:56.000000000 +0100
+++ sbsigntools-0.9.3/configure.ac	2020-02-04 09:48:53.011259075 +0100
+@@ -64,19 +64,30 @@ PKG_CHECK_MODULES(uuid, uuid,
+     AC_MSG_ERROR([libuuid (from the uuid package) is required]))
+ 
+ dnl gnu-efi headers require extra include dirs
+-EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
+-AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ])
+EFI_ARCH=$(uname -m | sed -e 's/i.86/ia32/;s/arm.*/arm/' -e 's/x86_64/x64/' -e 's/aarch64/aa64/')
+AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aa64" ])
+ 
+ ##
+ # no consistent view of where gnu-efi should dump the efi stuff, so find it
+ ##
+-for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
+-    if test -e $path/crt0-efi-$EFI_ARCH.o; then
+AC_MSG_CHECKING([gnu-efi crt path])
+for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi /usr/lib/gnuefi/$EFI_ARCH ; do
+    if test -e $path/crt0.o; then
+        CRTPATH=$path
+       CRT=crt0.o
+       LDS=efi.lds
+       EFI_PATH=$path
+    elif test -e $path/crt0-efi-$EFI_ARCH.o; then
+       CRTPATH=$path
+       CRT=crt0-efi-${EFI_ARCH}.o
+       LDS=elf_${EFI_ARCH}_efi.lds
+       EFI_PATH=$libdir
+     fi
+ done
+ if test -z "$CRTPATH"; then
+    AC_MSG_ERROR([cannot find the gnu-efi crt path])
+else
+   AC_MSG_RESULT($CRTPATH)
+ fi
+ 
+ EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
+@@ -88,6 +99,9 @@ CPPFLAGS="$CPPFLAGS_save"
+ AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS)
+ AC_SUBST(EFI_ARCH, $EFI_ARCH)
+ AC_SUBST(CRTPATH, $CRTPATH)
+AC_SUBST(CRT, $CRT)
+AC_SUBST(LDS, $LDS)
+AC_SUBST(EFI_PATH, $EFI_PATH)
+ 
+ AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile]
+ 		[docs/Makefile tests/Makefile])
+diff -up sbsigntools-0.9.3/tests/Makefile.am.gnu-efi sbsigntools-0.9.3/tests/Makefile.am
+--- sbsigntools-0.9.3/tests/Makefile.am.gnu-efi	2020-02-03 09:38:56.000000000 +0100
+++ sbsigntools-0.9.3/tests/Makefile.am	2020-02-04 09:47:44.786665340 +0100
+@@ -14,7 +14,7 @@ if TEST_BINARY_FORMAT
+ EFILDFLAGS = --defsym=EFI_SUBSYSTEM=0x0a
+ FORMAT = -O binary
+ else
+-FORMAT = --target=efi-app-$(EFI_ARCH)
+FORMAT = --target=efi-app-$(EFI_ARCH:x64=x86_64)
+ endif
+ check_DATA = $(test_key) $(test_cert)
+ check_SCRIPTS = test-wrapper.sh
+@@ -27,7 +27,7 @@ check_SCRIPTS = test-wrapper.sh
+ 		$(FORMAT) $^ $@
+ 
+ .$(OBJEXT).elf:
+-	$(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/crt0-efi-$(EFI_ARCH).o -T elf_$(EFI_ARCH)_efi.lds $< -o $@ -lefi -lgnuefi
+	$(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/$(CRT) -T $(LDS) $< -o $@ $(EFI_PATH)/libefi.a $(EFI_PATH)/libgnuefi.a
+ 
+ AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
+ 
--- a/SOURCES/sbsigntools-mktarball.sh
+++ b/SOURCES/sbsigntools-mktarball.sh
@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+tmp=$(mktemp -d)
+
+#trap cleanup EXIT
+#cleanup() {
+#    set +e
+#    [ -z "$tmp" -o ! -d "$tmp" ] || rm -rf "$tmp"
+#}
+
+unset CDPATH
+pwd=$(pwd)
+version=0.9.4
+commit=d52f7bbb73401aab8a1d59e8d0d686ad9641035e
+
+pushd "$tmp"
+git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
+cd sbsigntools
+git checkout ${commit}
+ccan_modules="talloc read_write_all build_assert array_size endian"
+git submodule init
+git submodule update
+lib/ccan.git/tools/create-ccan-tree --build-type=automake lib/ccan $ccan_modules
+rm -r lib/ccan.git
+(
+	echo "Authors of sbsigntool:"
+	echo
+	git log --format='%an' | sort -u | sed 's,^,\t,'
+) > AUTHORS
+git log --date=short --format='%ad %t %an <%ae>%n%n  * %s%n' > ChangeLog
+cd ..
+mv sbsigntools sbsigntools-${version}
+tar cJf "$pwd"/sbsigntools-${version}.tar.xz --exclude=.git sbsigntools-${version}
+popd
--- a/SOURCES/sbsigntools-no-git.patch
+++ b/SOURCES/sbsigntools-no-git.patch
@ -0,0 +1,35 @@
+diff -up sbsigntools-0.8/autogen.sh.nogit sbsigntools-0.8/autogen.sh
+--- sbsigntools-0.8/autogen.sh.nogit	2017-09-04 18:22:49.244640635 +0200
+++ sbsigntools-0.8/autogen.sh	2017-09-04 18:31:49.136838666 +0200
+@@ -1,31 +1,5 @@
+ #!/bin/bash
+ 
+-ccan_modules="talloc read_write_all build_assert array_size endian"
+-
+-# Add ccan upstream sources
+-if [ ! -e lib/ccan.git/Makefile ]
+-then
+-	git submodule init
+-	git submodule update
+-fi
+-
+-# create ccan build tree
+-if [ ! -e lib/ccan ]
+-then
+-	lib/ccan.git/tools/create-ccan-tree \
+-		--build-type=automake lib/ccan $ccan_modules
+-fi
+-
+-# Create generatable docs from git
+-(
+-	echo "Authors of sbsigntool:"
+-	echo
+-	git log --format='%an' | sort -u | sed 's,^,\t,'
+-) > AUTHORS
+-
+-# Generate simple ChangeLog
+-git log --date=short --format='%ad %t %an <%ae>%n%n  * %s%n' > ChangeLog
+-
+ # automagic
+ aclocal
+ autoheader
--- a/SOURCES/sbsigntools-openssl3.patch
+++ b/SOURCES/sbsigntools-openssl3.patch
@ -0,0 +1,12 @@
+diff -up sbsigntools-0.9.4/src/idc.c.openssl3 sbsigntools-0.9.4/src/idc.c
+--- sbsigntools-0.9.4/src/idc.c.openssl3	2020-07-04 01:14:29.000000000 +0200
+++ sbsigntools-0.9.4/src/idc.c	2021-11-19 16:20:10.082475750 +0100
+@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO
+ 
+ 	idc->data->type = OBJ_nid2obj(peid_nid);
+ 	idc->data->value = ASN1_TYPE_new();
+-	type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
+	type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
+ 
+         idc->digest->alg->parameter = ASN1_TYPE_new();
+         idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
--- a/SPECS/sbsigntools.spec
+++ b/SPECS/sbsigntools.spec
@ -0,0 +1,151 @@
+%bcond_without check
+%define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations -Wno-maybe-uninitialized
+
+Name:          sbsigntools
+Version:       0.9.4
+Release:       11%{?dist}
+Summary:       Signing utility for UEFI secure boot
+License:       GPLv3+
+URL:           https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools
+# upstream tarballs don't include bundled ccan
+# run sbsigntools-mktarball.sh
+Source0:       %{name}-%{version}.tar.xz
+Source1:       %{name}-mktarball.sh
+# don't fetch ccan or run git from autogen.sh, already done by mktarball.sh
+Patch0:        %{name}-no-git.patch
+# add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a
+Patch1:        %{name}-gnuefi.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1955828
+Patch2:        https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/patch/?id=f12484869c9590682ac3253d583bf59b890bb826#/f12484869c9590682ac3253d583bf59b890bb826.patch
+# https://groups.io/g/sbsigntools/message/54
+Patch3:        %{name}-openssl3.patch
+# same as gnu-efi
+ExclusiveArch: x86_64 aarch64 %{arm} %{ix86}
+BuildRequires: make
+BuildRequires: automake
+BuildRequires: binutils-devel
+BuildRequires: gcc
+BuildRequires: gnu-efi-devel >= 1:3.0.8-3
+BuildRequires: help2man
+BuildRequires: libuuid-devel
+%if %{with check}
+BuildRequires: openssl
+%endif
+BuildRequires: openssl-devel
+Provides: bundled(ccan-array_size)
+Provides: bundled(ccan-build_assert)
+Provides: bundled(ccan-check_type)
+Provides: bundled(ccan-compiler)
+Provides: bundled(ccan-container_of)
+Provides: bundled(ccan-endian)
+Provides: bundled(ccan-failtest)
+Provides: bundled(ccan-hash)
+Provides: bundled(ccan-htable)
+Provides: bundled(ccan-list)
+Provides: bundled(ccan-read_write_all)
+Provides: bundled(ccan-str)
+Provides: bundled(ccan-talloc)
+Provides: bundled(ccan-tcon)
+Provides: bundled(ccan-time)
+Provides: bundled(ccan-tlist)
+Provides: bundled(ccan-typesafe_cb)
+
+%description
+Tools to add signatures to EFI binaries and Drivers.
+
+%prep
+%autosetup -p1
+
+%build
+./autogen.sh
+%configure
+%make_build
+
+%install
+%make_install
+
+%if %{with check}
+%check
+make check
+%endif
+
+%files
+%license COPYING LICENSE.GPLv3 lib/ccan/licenses/*
+%doc AUTHORS ChangeLog
+%{_bindir}/sbattach
+%{_bindir}/sbkeysync
+%{_bindir}/sbsiglist
+%{_bindir}/sbsign
+%{_bindir}/sbvarsign
+%{_bindir}/sbverify
+%{_mandir}/man1/sbattach.1.*
+%{_mandir}/man1/sbkeysync.1.*
+%{_mandir}/man1/sbsiglist.1.*
+%{_mandir}/man1/sbsign.1.*
+%{_mandir}/man1/sbvarsign.1.*
+%{_mandir}/man1/sbverify.1.*
+
+%changelog
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Jan 17 2023 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-10
+- fix build with GCC 13
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Nov 19 2021 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-7
+- fix build with OpenSSL 3.0.0 (fixes rhbz#2021909)
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-6
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon May 17 2021 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-4
+- don't ignore errors from sbkeysync (fixes rhbz#1955828)
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 03 2020 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-1
+- update to 0.9.4 (#1846578)
+
+* Mon Feb 03 2020 Dominik Mierzejewski <dominik@greysector.net> - 0.9.3-1
+- update to 0.9.3
+- update bundled CCAN components list
+- support building with gnu-efi 3.0.11
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Feb 28 2019 Dominik Mierzejewski <dominik@greysector.net> - 0.9.2-1
+- update to 0.9.2
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jul 25 2018 Dominik Mierzejewski <dominik@greysector.net> - 0.9.1-3
+- fix paths to gnu-efi (work around #1608293)
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 22 2018 Dominik Mierzejewski <dominik@greysector.net> - 0.9.1-1
+- update to 0.9.1
+- add Fedora gnu-efi libs location to search path
+- link tests statically against gnu-efi libs, there are no shared versions
+
+* Mon Sep  4 2017 Dominik Mierzejewski <dominik@greysector.net> - 0.8-1
+- initial build
				`@ -0,0 +1 @@`
				`9d252e4f6dbace51bef1e781f3d3ea09f2b313e4 SOURCES/sbsigntools-0.9.4.tar.xz`