import Fedora sbsigntools-0.9.4-11.fc38
This commit is contained in:
commit
2f0c33f570
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
SOURCES/sbsigntools-0.9.4.tar.xz
|
1
.sbsigntools.metadata
Normal file
1
.sbsigntools.metadata
Normal file
@ -0,0 +1 @@
|
||||
9d252e4f6dbace51bef1e781f3d3ea09f2b313e4 SOURCES/sbsigntools-0.9.4.tar.xz
|
59
SOURCES/f12484869c9590682ac3253d583bf59b890bb826.patch
Normal file
59
SOURCES/f12484869c9590682ac3253d583bf59b890bb826.patch
Normal file
@ -0,0 +1,59 @@
|
||||
From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
|
||||
From: dann frazier <dann.frazier@canonical.com>
|
||||
Date: Wed, 12 Aug 2020 15:27:08 -0600
|
||||
Subject: sbkeysync: Don't ignore errors from insert_new_keys()
|
||||
|
||||
If insert_new_keys() fails, say due to a full variable store, we currently
|
||||
still exit(0). This can make it difficult to know something is wrong.
|
||||
For example, Debian and Ubuntu implement a secureboot-db systemd service
|
||||
to update the DB and DBX, which calls:
|
||||
|
||||
ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
|
||||
|
||||
But although this seemed to succeed on my system, looking at the logs shows
|
||||
a different story:
|
||||
|
||||
Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
|
||||
Error writing key update: Invalid argument
|
||||
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
|
||||
|
||||
Signed-off-by: dann frazier <dann.frazier@canonical.com>
|
||||
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
||||
---
|
||||
src/sbkeysync.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
|
||||
index e51f177..7748990 100644
|
||||
--- a/src/sbkeysync.c
|
||||
+++ b/src/sbkeysync.c
|
||||
@@ -889,10 +889,12 @@ int main(int argc, char **argv)
|
||||
{
|
||||
bool use_default_keystore_dirs;
|
||||
struct sync_context *ctx;
|
||||
+ int rc;
|
||||
|
||||
use_default_keystore_dirs = true;
|
||||
ctx = talloc_zero(NULL, struct sync_context);
|
||||
list_head_init(&ctx->new_keys);
|
||||
+ rc = EXIT_SUCCESS;
|
||||
|
||||
for (;;) {
|
||||
int idx, c;
|
||||
@@ -985,10 +987,10 @@ int main(int argc, char **argv)
|
||||
if (ctx->verbose)
|
||||
print_new_keys(ctx);
|
||||
|
||||
- if (!ctx->dry_run)
|
||||
- insert_new_keys(ctx);
|
||||
+ if (!ctx->dry_run && insert_new_keys(ctx))
|
||||
+ rc = EXIT_FAILURE;
|
||||
|
||||
talloc_free(ctx);
|
||||
|
||||
- return EXIT_SUCCESS;
|
||||
+ return rc;
|
||||
}
|
||||
--
|
||||
cgit 1.2.3-1.el7
|
||||
|
69
SOURCES/sbsigntools-gnuefi.patch
Normal file
69
SOURCES/sbsigntools-gnuefi.patch
Normal file
@ -0,0 +1,69 @@
|
||||
diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac
|
||||
--- sbsigntools-0.9.3/configure.ac.gnu-efi 2020-02-03 09:38:56.000000000 +0100
|
||||
+++ sbsigntools-0.9.3/configure.ac 2020-02-04 09:48:53.011259075 +0100
|
||||
@@ -64,19 +64,30 @@ PKG_CHECK_MODULES(uuid, uuid,
|
||||
AC_MSG_ERROR([libuuid (from the uuid package) is required]))
|
||||
|
||||
dnl gnu-efi headers require extra include dirs
|
||||
-EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
|
||||
-AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ])
|
||||
+EFI_ARCH=$(uname -m | sed -e 's/i.86/ia32/;s/arm.*/arm/' -e 's/x86_64/x64/' -e 's/aarch64/aa64/')
|
||||
+AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aa64" ])
|
||||
|
||||
##
|
||||
# no consistent view of where gnu-efi should dump the efi stuff, so find it
|
||||
##
|
||||
-for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
|
||||
- if test -e $path/crt0-efi-$EFI_ARCH.o; then
|
||||
+AC_MSG_CHECKING([gnu-efi crt path])
|
||||
+for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi /usr/lib/gnuefi/$EFI_ARCH ; do
|
||||
+ if test -e $path/crt0.o; then
|
||||
CRTPATH=$path
|
||||
+ CRT=crt0.o
|
||||
+ LDS=efi.lds
|
||||
+ EFI_PATH=$path
|
||||
+ elif test -e $path/crt0-efi-$EFI_ARCH.o; then
|
||||
+ CRTPATH=$path
|
||||
+ CRT=crt0-efi-${EFI_ARCH}.o
|
||||
+ LDS=elf_${EFI_ARCH}_efi.lds
|
||||
+ EFI_PATH=$libdir
|
||||
fi
|
||||
done
|
||||
if test -z "$CRTPATH"; then
|
||||
AC_MSG_ERROR([cannot find the gnu-efi crt path])
|
||||
+else
|
||||
+ AC_MSG_RESULT($CRTPATH)
|
||||
fi
|
||||
|
||||
EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
|
||||
@@ -88,6 +99,9 @@ CPPFLAGS="$CPPFLAGS_save"
|
||||
AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS)
|
||||
AC_SUBST(EFI_ARCH, $EFI_ARCH)
|
||||
AC_SUBST(CRTPATH, $CRTPATH)
|
||||
+AC_SUBST(CRT, $CRT)
|
||||
+AC_SUBST(LDS, $LDS)
|
||||
+AC_SUBST(EFI_PATH, $EFI_PATH)
|
||||
|
||||
AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile]
|
||||
[docs/Makefile tests/Makefile])
|
||||
diff -up sbsigntools-0.9.3/tests/Makefile.am.gnu-efi sbsigntools-0.9.3/tests/Makefile.am
|
||||
--- sbsigntools-0.9.3/tests/Makefile.am.gnu-efi 2020-02-03 09:38:56.000000000 +0100
|
||||
+++ sbsigntools-0.9.3/tests/Makefile.am 2020-02-04 09:47:44.786665340 +0100
|
||||
@@ -14,7 +14,7 @@ if TEST_BINARY_FORMAT
|
||||
EFILDFLAGS = --defsym=EFI_SUBSYSTEM=0x0a
|
||||
FORMAT = -O binary
|
||||
else
|
||||
-FORMAT = --target=efi-app-$(EFI_ARCH)
|
||||
+FORMAT = --target=efi-app-$(EFI_ARCH:x64=x86_64)
|
||||
endif
|
||||
check_DATA = $(test_key) $(test_cert)
|
||||
check_SCRIPTS = test-wrapper.sh
|
||||
@@ -27,7 +27,7 @@ check_SCRIPTS = test-wrapper.sh
|
||||
$(FORMAT) $^ $@
|
||||
|
||||
.$(OBJEXT).elf:
|
||||
- $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/crt0-efi-$(EFI_ARCH).o -T elf_$(EFI_ARCH)_efi.lds $< -o $@ -lefi -lgnuefi
|
||||
+ $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/$(CRT) -T $(LDS) $< -o $@ $(EFI_PATH)/libefi.a $(EFI_PATH)/libgnuefi.a
|
||||
|
||||
AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
|
||||
|
36
SOURCES/sbsigntools-mktarball.sh
Executable file
36
SOURCES/sbsigntools-mktarball.sh
Executable file
@ -0,0 +1,36 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
tmp=$(mktemp -d)
|
||||
|
||||
#trap cleanup EXIT
|
||||
#cleanup() {
|
||||
# set +e
|
||||
# [ -z "$tmp" -o ! -d "$tmp" ] || rm -rf "$tmp"
|
||||
#}
|
||||
|
||||
unset CDPATH
|
||||
pwd=$(pwd)
|
||||
version=0.9.4
|
||||
commit=d52f7bbb73401aab8a1d59e8d0d686ad9641035e
|
||||
|
||||
pushd "$tmp"
|
||||
git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
|
||||
cd sbsigntools
|
||||
git checkout ${commit}
|
||||
ccan_modules="talloc read_write_all build_assert array_size endian"
|
||||
git submodule init
|
||||
git submodule update
|
||||
lib/ccan.git/tools/create-ccan-tree --build-type=automake lib/ccan $ccan_modules
|
||||
rm -r lib/ccan.git
|
||||
(
|
||||
echo "Authors of sbsigntool:"
|
||||
echo
|
||||
git log --format='%an' | sort -u | sed 's,^,\t,'
|
||||
) > AUTHORS
|
||||
git log --date=short --format='%ad %t %an <%ae>%n%n * %s%n' > ChangeLog
|
||||
cd ..
|
||||
mv sbsigntools sbsigntools-${version}
|
||||
tar cJf "$pwd"/sbsigntools-${version}.tar.xz --exclude=.git sbsigntools-${version}
|
||||
popd
|
35
SOURCES/sbsigntools-no-git.patch
Normal file
35
SOURCES/sbsigntools-no-git.patch
Normal file
@ -0,0 +1,35 @@
|
||||
diff -up sbsigntools-0.8/autogen.sh.nogit sbsigntools-0.8/autogen.sh
|
||||
--- sbsigntools-0.8/autogen.sh.nogit 2017-09-04 18:22:49.244640635 +0200
|
||||
+++ sbsigntools-0.8/autogen.sh 2017-09-04 18:31:49.136838666 +0200
|
||||
@@ -1,31 +1,5 @@
|
||||
#!/bin/bash
|
||||
|
||||
-ccan_modules="talloc read_write_all build_assert array_size endian"
|
||||
-
|
||||
-# Add ccan upstream sources
|
||||
-if [ ! -e lib/ccan.git/Makefile ]
|
||||
-then
|
||||
- git submodule init
|
||||
- git submodule update
|
||||
-fi
|
||||
-
|
||||
-# create ccan build tree
|
||||
-if [ ! -e lib/ccan ]
|
||||
-then
|
||||
- lib/ccan.git/tools/create-ccan-tree \
|
||||
- --build-type=automake lib/ccan $ccan_modules
|
||||
-fi
|
||||
-
|
||||
-# Create generatable docs from git
|
||||
-(
|
||||
- echo "Authors of sbsigntool:"
|
||||
- echo
|
||||
- git log --format='%an' | sort -u | sed 's,^,\t,'
|
||||
-) > AUTHORS
|
||||
-
|
||||
-# Generate simple ChangeLog
|
||||
-git log --date=short --format='%ad %t %an <%ae>%n%n * %s%n' > ChangeLog
|
||||
-
|
||||
# automagic
|
||||
aclocal
|
||||
autoheader
|
12
SOURCES/sbsigntools-openssl3.patch
Normal file
12
SOURCES/sbsigntools-openssl3.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up sbsigntools-0.9.4/src/idc.c.openssl3 sbsigntools-0.9.4/src/idc.c
|
||||
--- sbsigntools-0.9.4/src/idc.c.openssl3 2020-07-04 01:14:29.000000000 +0200
|
||||
+++ sbsigntools-0.9.4/src/idc.c 2021-11-19 16:20:10.082475750 +0100
|
||||
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO
|
||||
|
||||
idc->data->type = OBJ_nid2obj(peid_nid);
|
||||
idc->data->value = ASN1_TYPE_new();
|
||||
- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
|
||||
+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
|
||||
|
||||
idc->digest->alg->parameter = ASN1_TYPE_new();
|
||||
idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
|
151
SPECS/sbsigntools.spec
Normal file
151
SPECS/sbsigntools.spec
Normal file
@ -0,0 +1,151 @@
|
||||
%bcond_without check
|
||||
%define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations -Wno-maybe-uninitialized
|
||||
|
||||
Name: sbsigntools
|
||||
Version: 0.9.4
|
||||
Release: 11%{?dist}
|
||||
Summary: Signing utility for UEFI secure boot
|
||||
License: GPLv3+
|
||||
URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools
|
||||
# upstream tarballs don't include bundled ccan
|
||||
# run sbsigntools-mktarball.sh
|
||||
Source0: %{name}-%{version}.tar.xz
|
||||
Source1: %{name}-mktarball.sh
|
||||
# don't fetch ccan or run git from autogen.sh, already done by mktarball.sh
|
||||
Patch0: %{name}-no-git.patch
|
||||
# add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a
|
||||
Patch1: %{name}-gnuefi.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1955828
|
||||
Patch2: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/patch/?id=f12484869c9590682ac3253d583bf59b890bb826#/f12484869c9590682ac3253d583bf59b890bb826.patch
|
||||
# https://groups.io/g/sbsigntools/message/54
|
||||
Patch3: %{name}-openssl3.patch
|
||||
# same as gnu-efi
|
||||
ExclusiveArch: x86_64 aarch64 %{arm} %{ix86}
|
||||
BuildRequires: make
|
||||
BuildRequires: automake
|
||||
BuildRequires: binutils-devel
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gnu-efi-devel >= 1:3.0.8-3
|
||||
BuildRequires: help2man
|
||||
BuildRequires: libuuid-devel
|
||||
%if %{with check}
|
||||
BuildRequires: openssl
|
||||
%endif
|
||||
BuildRequires: openssl-devel
|
||||
Provides: bundled(ccan-array_size)
|
||||
Provides: bundled(ccan-build_assert)
|
||||
Provides: bundled(ccan-check_type)
|
||||
Provides: bundled(ccan-compiler)
|
||||
Provides: bundled(ccan-container_of)
|
||||
Provides: bundled(ccan-endian)
|
||||
Provides: bundled(ccan-failtest)
|
||||
Provides: bundled(ccan-hash)
|
||||
Provides: bundled(ccan-htable)
|
||||
Provides: bundled(ccan-list)
|
||||
Provides: bundled(ccan-read_write_all)
|
||||
Provides: bundled(ccan-str)
|
||||
Provides: bundled(ccan-talloc)
|
||||
Provides: bundled(ccan-tcon)
|
||||
Provides: bundled(ccan-time)
|
||||
Provides: bundled(ccan-tlist)
|
||||
Provides: bundled(ccan-typesafe_cb)
|
||||
|
||||
%description
|
||||
Tools to add signatures to EFI binaries and Drivers.
|
||||
|
||||
%prep
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
./autogen.sh
|
||||
%configure
|
||||
%make_build
|
||||
|
||||
%install
|
||||
%make_install
|
||||
|
||||
%if %{with check}
|
||||
%check
|
||||
make check
|
||||
%endif
|
||||
|
||||
%files
|
||||
%license COPYING LICENSE.GPLv3 lib/ccan/licenses/*
|
||||
%doc AUTHORS ChangeLog
|
||||
%{_bindir}/sbattach
|
||||
%{_bindir}/sbkeysync
|
||||
%{_bindir}/sbsiglist
|
||||
%{_bindir}/sbsign
|
||||
%{_bindir}/sbvarsign
|
||||
%{_bindir}/sbverify
|
||||
%{_mandir}/man1/sbattach.1.*
|
||||
%{_mandir}/man1/sbkeysync.1.*
|
||||
%{_mandir}/man1/sbsiglist.1.*
|
||||
%{_mandir}/man1/sbsign.1.*
|
||||
%{_mandir}/man1/sbvarsign.1.*
|
||||
%{_mandir}/man1/sbverify.1.*
|
||||
|
||||
%changelog
|
||||
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-11
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Tue Jan 17 2023 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-10
|
||||
- fix build with GCC 13
|
||||
|
||||
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Fri Nov 19 2021 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-7
|
||||
- fix build with OpenSSL 3.0.0 (fixes rhbz#2021909)
|
||||
|
||||
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-6
|
||||
- Rebuilt with OpenSSL 3.0.0
|
||||
|
||||
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Mon May 17 2021 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-4
|
||||
- don't ignore errors from sbkeysync (fixes rhbz#1955828)
|
||||
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Fri Jul 03 2020 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-1
|
||||
- update to 0.9.4 (#1846578)
|
||||
|
||||
* Mon Feb 03 2020 Dominik Mierzejewski <dominik@greysector.net> - 0.9.3-1
|
||||
- update to 0.9.3
|
||||
- update bundled CCAN components list
|
||||
- support building with gnu-efi 3.0.11
|
||||
|
||||
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Thu Feb 28 2019 Dominik Mierzejewski <dominik@greysector.net> - 0.9.2-1
|
||||
- update to 0.9.2
|
||||
|
||||
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Wed Jul 25 2018 Dominik Mierzejewski <dominik@greysector.net> - 0.9.1-3
|
||||
- fix paths to gnu-efi (work around #1608293)
|
||||
|
||||
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Thu Feb 22 2018 Dominik Mierzejewski <dominik@greysector.net> - 0.9.1-1
|
||||
- update to 0.9.1
|
||||
- add Fedora gnu-efi libs location to search path
|
||||
- link tests statically against gnu-efi libs, there are no shared versions
|
||||
|
||||
* Mon Sep 4 2017 Dominik Mierzejewski <dominik@greysector.net> - 0.8-1
|
||||
- initial build
|
Loading…
Reference in New Issue
Block a user