commit 2f0c33f5708b67c30f44db7a989ad94c5530a16c
Author: Andrew Lukoshko
Date: Wed Sep 13 11:53:32 2023 +0000
import Fedora sbsigntools-0.9.4-11.fc38
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8fd90d8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/sbsigntools-0.9.4.tar.xz
diff --git a/.sbsigntools.metadata b/.sbsigntools.metadata
new file mode 100644
index 0000000..cea8e90
--- /dev/null
+++ b/.sbsigntools.metadata
@@ -0,0 +1 @@
+9d252e4f6dbace51bef1e781f3d3ea09f2b313e4 SOURCES/sbsigntools-0.9.4.tar.xz
diff --git a/SOURCES/f12484869c9590682ac3253d583bf59b890bb826.patch b/SOURCES/f12484869c9590682ac3253d583bf59b890bb826.patch
new file mode 100644
index 0000000..11bed89
--- /dev/null
+++ b/SOURCES/f12484869c9590682ac3253d583bf59b890bb826.patch
@@ -0,0 +1,59 @@
+From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
+From: dann frazier
+Date: Wed, 12 Aug 2020 15:27:08 -0600
+Subject: sbkeysync: Don't ignore errors from insert_new_keys()
+
+If insert_new_keys() fails, say due to a full variable store, we currently
+still exit(0). This can make it difficult to know something is wrong.
+For example, Debian and Ubuntu implement a secureboot-db systemd service
+to update the DB and DBX, which calls:
+
+ ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
+
+But although this seemed to succeed on my system, looking at the logs shows
+a different story:
+
+Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
+Error writing key update: Invalid argument
+Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
+
+Signed-off-by: dann frazier
+Signed-off-by: James Bottomley
+---
+ src/sbkeysync.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/sbkeysync.c b/src/sbkeysync.c
+index e51f177..7748990 100644
+--- a/src/sbkeysync.c
++++ b/src/sbkeysync.c
+@@ -889,10 +889,12 @@ int main(int argc, char **argv)
+ {
+ bool use_default_keystore_dirs;
+ struct sync_context *ctx;
++ int rc;
+
+ use_default_keystore_dirs = true;
+ ctx = talloc_zero(NULL, struct sync_context);
+ list_head_init(&ctx->new_keys);
++ rc = EXIT_SUCCESS;
+
+ for (;;) {
+ int idx, c;
+@@ -985,10 +987,10 @@ int main(int argc, char **argv)
+ if (ctx->verbose)
+ print_new_keys(ctx);
+
+- if (!ctx->dry_run)
+- insert_new_keys(ctx);
++ if (!ctx->dry_run && insert_new_keys(ctx))
++ rc = EXIT_FAILURE;
+
+ talloc_free(ctx);
+
+- return EXIT_SUCCESS;
++ return rc;
+ }
+--
+cgit 1.2.3-1.el7
+
diff --git a/SOURCES/sbsigntools-gnuefi.patch b/SOURCES/sbsigntools-gnuefi.patch
new file mode 100644
index 0000000..2e28883
--- /dev/null
+++ b/SOURCES/sbsigntools-gnuefi.patch
@@ -0,0 +1,69 @@
+diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac
+--- sbsigntools-0.9.3/configure.ac.gnu-efi 2020-02-03 09:38:56.000000000 +0100
++++ sbsigntools-0.9.3/configure.ac 2020-02-04 09:48:53.011259075 +0100
+@@ -64,19 +64,30 @@ PKG_CHECK_MODULES(uuid, uuid,
+ AC_MSG_ERROR([libuuid (from the uuid package) is required]))
+
+ dnl gnu-efi headers require extra include dirs
+-EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
+-AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ])
++EFI_ARCH=$(uname -m | sed -e 's/i.86/ia32/;s/arm.*/arm/' -e 's/x86_64/x64/' -e 's/aarch64/aa64/')
++AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aa64" ])
+
+ ##
+ # no consistent view of where gnu-efi should dump the efi stuff, so find it
+ ##
+-for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
+- if test -e $path/crt0-efi-$EFI_ARCH.o; then
++AC_MSG_CHECKING([gnu-efi crt path])
++for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi /usr/lib/gnuefi/$EFI_ARCH ; do
++ if test -e $path/crt0.o; then
+ CRTPATH=$path
++ CRT=crt0.o
++ LDS=efi.lds
++ EFI_PATH=$path
++ elif test -e $path/crt0-efi-$EFI_ARCH.o; then
++ CRTPATH=$path
++ CRT=crt0-efi-${EFI_ARCH}.o
++ LDS=elf_${EFI_ARCH}_efi.lds
++ EFI_PATH=$libdir
+ fi
+ done
+ if test -z "$CRTPATH"; then
+ AC_MSG_ERROR([cannot find the gnu-efi crt path])
++else
++ AC_MSG_RESULT($CRTPATH)
+ fi
+
+ EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
+@@ -88,6 +99,9 @@ CPPFLAGS="$CPPFLAGS_save"
+ AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS)
+ AC_SUBST(EFI_ARCH, $EFI_ARCH)
+ AC_SUBST(CRTPATH, $CRTPATH)
++AC_SUBST(CRT, $CRT)
++AC_SUBST(LDS, $LDS)
++AC_SUBST(EFI_PATH, $EFI_PATH)
+
+ AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile]
+ [docs/Makefile tests/Makefile])
+diff -up sbsigntools-0.9.3/tests/Makefile.am.gnu-efi sbsigntools-0.9.3/tests/Makefile.am
+--- sbsigntools-0.9.3/tests/Makefile.am.gnu-efi 2020-02-03 09:38:56.000000000 +0100
++++ sbsigntools-0.9.3/tests/Makefile.am 2020-02-04 09:47:44.786665340 +0100
+@@ -14,7 +14,7 @@ if TEST_BINARY_FORMAT
+ EFILDFLAGS = --defsym=EFI_SUBSYSTEM=0x0a
+ FORMAT = -O binary
+ else
+-FORMAT = --target=efi-app-$(EFI_ARCH)
++FORMAT = --target=efi-app-$(EFI_ARCH:x64=x86_64)
+ endif
+ check_DATA = $(test_key) $(test_cert)
+ check_SCRIPTS = test-wrapper.sh
+@@ -27,7 +27,7 @@ check_SCRIPTS = test-wrapper.sh
+ $(FORMAT) $^ $@
+
+ .$(OBJEXT).elf:
+- $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/crt0-efi-$(EFI_ARCH).o -T elf_$(EFI_ARCH)_efi.lds $< -o $@ -lefi -lgnuefi
++ $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/$(CRT) -T $(LDS) $< -o $@ $(EFI_PATH)/libefi.a $(EFI_PATH)/libgnuefi.a
+
+ AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
+
diff --git a/SOURCES/sbsigntools-mktarball.sh b/SOURCES/sbsigntools-mktarball.sh
new file mode 100755
index 0000000..07f8a30
--- /dev/null
+++ b/SOURCES/sbsigntools-mktarball.sh
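Review bot: The crt search loop added to configure.ac never breaks after a hit, so with the new `if`/`elif` form the last directory in the list that contains either `crt0.o` or `crt0-efi-$EFI_ARCH.o` wins, and a `crt0-efi-*.o` found in a later path silently replaces an earlier `crt0.o` match together with its different `LDS` and `EFI_PATH` values. If the first match is what is intended, add `break` after each assignment group; otherwise a comment such as `# last matching path wins; /usr/lib/gnuefi/$EFI_ARCH is searched last on purpose` would make the precedence explicit. The `EFI_PATH=$path` versus `EFI_PATH=$libdir` asymmetry between the two branches also deserves a one-line comment, because the tests/Makefile.am hunk links `$(EFI_PATH)/libefi.a` by absolute path and a wrong value only surfaces at test link time. The surrounding configure.ac outside these hunks is not shown, so I cannot tell whether `libdir` is already set at this point.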
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+tmp=$(mktemp -d)
+
+#trap cleanup EXIT
+#cleanup() {
+# set +e
+# [ -z "$tmp" -o ! -d "$tmp" ] || rm -rf "$tmp"
+#}
+
+unset CDPATH
+pwd=$(pwd)
+version=0.9.4
+commit=d52f7bbb73401aab8a1d59e8d0d686ad9641035e
+
+pushd "$tmp"
+git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
+cd sbsigntools
+git checkout ${commit}
+ccan_modules="talloc read_write_all build_assert array_size endian"
+git submodule init
+git submodule update
+lib/ccan.git/tools/create-ccan-tree --build-type=automake lib/ccan $ccan_modules
+rm -r lib/ccan.git
+(
+ echo "Authors of sbsigntool:"
+ echo
+ git log --format='%an' | sort -u | sed 's,^,\t,'
+) > AUTHORS
+git log --date=short --format='%ad %t %an <%ae>%n%n * %s%n' > ChangeLog
+cd ..
+mv sbsigntools sbsigntools-${version}
+tar cJf "$pwd"/sbsigntools-${version}.tar.xz --exclude=.git sbsigntools-${version}
+popd
diff --git a/SOURCES/sbsigntools-no-git.patch b/SOURCES/sbsigntools-no-git.patch
new file mode 100644
index 0000000..ec83377
--- /dev/null
+++ b/SOURCES/sbsigntools-no-git.patch
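Review bot: The clone in `git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git` uses the unauthenticated git:// transport, so nothing on the wire is verified; the later `git checkout ${commit}` pins a commit hash, which limits what a substituted repository could inject, but the source of the release tarball should still be fetched over TLS with `git clone https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git`. The ccan submodule pulled by `git submodule update` comes from whatever URL upstream's .gitmodules names, which is not visible here, so the same transport question applies to it and is worth a comment in the script. Separately, the `trap cleanup EXIT` block is commented out, so the mktemp directory holding the full checkout is left behind on every run and on any `set -e` abort; re-enabling those lines restores the cleanup.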
@@ -0,0 +1,35 @@
+diff -up sbsigntools-0.8/autogen.sh.nogit sbsigntools-0.8/autogen.sh
+--- sbsigntools-0.8/autogen.sh.nogit 2017-09-04 18:22:49.244640635 +0200
++++ sbsigntools-0.8/autogen.sh 2017-09-04 18:31:49.136838666 +0200
+@@ -1,31 +1,5 @@
+ #!/bin/bash
+
+-ccan_modules="talloc read_write_all build_assert array_size endian"
+-
+-# Add ccan upstream sources
+-if [ ! -e lib/ccan.git/Makefile ]
+-then
+- git submodule init
+- git submodule update
+-fi
+-
+-# create ccan build tree
+-if [ ! -e lib/ccan ]
+-then
+- lib/ccan.git/tools/create-ccan-tree \
+- --build-type=automake lib/ccan $ccan_modules
+-fi
+-
+-# Create generatable docs from git
+-(
+- echo "Authors of sbsigntool:"
+- echo
+- git log --format='%an' | sort -u | sed 's,^,\t,'
+-) > AUTHORS
+-
+-# Generate simple ChangeLog
+-git log --date=short --format='%ad %t %an <%ae>%n%n * %s%n' > ChangeLog
+-
+ # automagic
+ aclocal
+ autoheader
diff --git a/SOURCES/sbsigntools-openssl3.patch b/SOURCES/sbsigntools-openssl3.patch
new file mode 100644
index 0000000..3e14327
--- /dev/null
+++ b/SOURCES/sbsigntools-openssl3.patch
@@ -0,0 +1,12 @@
+diff -up sbsigntools-0.9.4/src/idc.c.openssl3 sbsigntools-0.9.4/src/idc.c
+--- sbsigntools-0.9.4/src/idc.c.openssl3 2020-07-04 01:14:29.000000000 +0200
++++ sbsigntools-0.9.4/src/idc.c 2021-11-19 16:20:10.082475750 +0100
+@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO
+
+ idc->data->type = OBJ_nid2obj(peid_nid);
+ idc->data->value = ASN1_TYPE_new();
+- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
++ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
+
+ idc->digest->alg->parameter = ASN1_TYPE_new();
+ idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
diff --git a/SPECS/sbsigntools.spec b/SPECS/sbsigntools.spec
new file mode 100644
index 0000000..af4ed2e
--- /dev/null
+++ b/SPECS/sbsigntools.spec
@@ -0,0 +1,151 @@
+%bcond_without check
+%define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations -Wno-maybe-uninitialized
+
+Name: sbsigntools
+Version: 0.9.4
+Release: 11%{?dist}
+Summary: Signing utility for UEFI secure boot
+License: GPLv3+
+URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools
+# upstream tarballs don't include bundled ccan
+# run sbsigntools-mktarball.sh
+Source0: %{name}-%{version}.tar.xz
+Source1: %{name}-mktarball.sh
+# don't fetch ccan or run git from autogen.sh, already done by mktarball.sh
+Patch0: %{name}-no-git.patch
+# add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a
+Patch1: %{name}-gnuefi.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1955828
+Patch2: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/patch/?id=f12484869c9590682ac3253d583bf59b890bb826#/f12484869c9590682ac3253d583bf59b890bb826.patch
+# https://groups.io/g/sbsigntools/message/54
+Patch3: %{name}-openssl3.patch
+# same as gnu-efi
+ExclusiveArch: x86_64 aarch64 %{arm} %{ix86}
+BuildRequires: make
+BuildRequires: automake
+BuildRequires: binutils-devel
+BuildRequires: gcc
+BuildRequires: gnu-efi-devel >= 1:3.0.8-3
+BuildRequires: help2man
+BuildRequires: libuuid-devel
+%if %{with check}
+BuildRequires: openssl
+%endif
+BuildRequires: openssl-devel
+Provides: bundled(ccan-array_size)
+Provides: bundled(ccan-build_assert)
+Provides: bundled(ccan-check_type)
+Provides: bundled(ccan-compiler)
+Provides: bundled(ccan-container_of)
+Provides: bundled(ccan-endian)
+Provides: bundled(ccan-failtest)
+Provides: bundled(ccan-hash)
+Provides: bundled(ccan-htable)
+Provides: bundled(ccan-list)
+Provides: bundled(ccan-read_write_all)
+Provides: bundled(ccan-str)
+Provides: bundled(ccan-talloc)
+Provides: bundled(ccan-tcon)
+Provides: bundled(ccan-time)
+Provides: bundled(ccan-tlist)
+Provides: bundled(ccan-typesafe_cb)
+
+%description
+Tools to add signatures to EFI binaries and Drivers.
+
+%prep
+%autosetup -p1
+
+%build
+./autogen.sh
+%configure
+%make_build
+
+%install
+%make_install
+
+%if %{with check}
+%check
+make check
+%endif
+
+%files
+%license COPYING LICENSE.GPLv3 lib/ccan/licenses/*
+%doc AUTHORS ChangeLog
+%{_bindir}/sbattach
+%{_bindir}/sbkeysync
+%{_bindir}/sbsiglist
+%{_bindir}/sbsign
+%{_bindir}/sbvarsign
+%{_bindir}/sbverify
+%{_mandir}/man1/sbattach.1.*
+%{_mandir}/man1/sbkeysync.1.*
+%{_mandir}/man1/sbsiglist.1.*
+%{_mandir}/man1/sbsign.1.*
+%{_mandir}/man1/sbvarsign.1.*
+%{_mandir}/man1/sbverify.1.*
+
+%changelog
+* Sat Jan 21 2023 Fedora Release Engineering - 0.9.4-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Jan 17 2023 Dominik Mierzejewski - 0.9.4-10
+- fix build with GCC 13
+
+* Sat Jul 23 2022 Fedora Release Engineering - 0.9.4-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering - 0.9.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Nov 19 2021 Dominik Mierzejewski - 0.9.4-7
+- fix build with OpenSSL 3.0.0 (fixes rhbz#2021909)
+
+* Tue Sep 14 2021 Sahana Prasad - 0.9.4-6
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering - 0.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon May 17 2021 Dominik Mierzejewski - 0.9.4-4
+- don't ignore errors from sbkeysync (fixes rhbz#1955828)
+
+* Wed Jan 27 2021 Fedora Release Engineering - 0.9.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 0.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 03 2020 Dominik Mierzejewski - 0.9.4-1
+- update to 0.9.4 (#1846578)
+
+* Mon Feb 03 2020 Dominik Mierzejewski - 0.9.3-1
+- update to 0.9.3
+- update bundled CCAN components list
+- support building with gnu-efi 3.0.11
+
+* Thu Jan 30 2020 Fedora Release Engineering - 0.9.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering - 0.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Feb 28 2019 Dominik Mierzejewski - 0.9.2-1
+- update to 0.9.2
+
+* Sat Feb 02 2019 Fedora Release Engineering - 0.9.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jul 25 2018 Dominik Mierzejewski - 0.9.1-3
+- fix paths to gnu-efi (work around #1608293)
+
+* Sat Jul 14 2018 Fedora Release Engineering - 0.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 22 2018 Dominik Mierzejewski - 0.9.1-1
+- update to 0.9.1
+- add Fedora gnu-efi libs location to search path
+- link tests statically against gnu-efi libs, there are no shared versions
+
+* Mon Sep 4 2017 Dominik Mierzejewski - 0.8-1
+- initial build
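Review bot: The `%define _warning_options ...` line at the top of the spec replaces the distribution's warning set for the whole build and adds `-Wno-maybe-uninitialized`, which silences the diagnostic that points at reads of uninitialized memory; for a tool that produces Secure Boot signatures it would be better to carry a patch for the GCC 13 findings that the 0.9.4-10 changelog entry refers to, or to scope the suppression to the affected files, rather than hide the whole class of warning globally, and the line should at least carry a comment naming the warnings it works around. Separately, Source0 is a tarball generated locally by Source1 rather than an upstream release artifact, and its provenance is recorded only as a SHA-1 in .sbsigntools.metadata; a comment next to Source0 naming the pinned upstream commit, e.g. `# generated by %{name}-mktarball.sh from upstream commit d52f7bbb73401aab8a1d59e8d0d686ad9641035e`, lets a reviewer regenerate and compare it. The bundled ccan modules are declared via Provides: bundled(...), which is the right thing to do, but nothing ties that list to the `ccan_modules` variable in the script, so a comment pointing at the script as the source of truth would help keep them in sync.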