import Fedora sbsigntools-0.9.4-11.fc38

Andrew Lukoshko 2023-09-13 11:53:32 +00:00
commit 2f0c33f570
8 changed files with 364 additions and 0 deletions

1
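--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/sbsigntools-0.9.4.tar.xz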

1
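--- a/.sbsigntools.metadata
+++ b/.sbsigntools.metadata
@@ -0,0 +1 @@
+9d252e4f6dbace51bef1e781f3d3ea09f2b313e4 SOURCES/sbsigntools-0.9.4.tar.xz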


@ -0,0 +1,59 @@
From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
From: dann frazier <dann.frazier@canonical.com>
Date: Wed, 12 Aug 2020 15:27:08 -0600
Subject: sbkeysync: Don't ignore errors from insert_new_keys()
If insert_new_keys() fails, say due to a full variable store, we currently
still exit(0). This can make it difficult to know something is wrong.
For example, Debian and Ubuntu implement a secureboot-db systemd service
to update the DB and DBX, which calls:
ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
But although this seemed to succeed on my system, looking at the logs shows
a different story:
Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
src/sbkeysync.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index e51f177..7748990 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -889,10 +889,12 @@ int main(int argc, char **argv)
{
bool use_default_keystore_dirs;
struct sync_context *ctx;
+ int rc;
use_default_keystore_dirs = true;
ctx = talloc_zero(NULL, struct sync_context);
list_head_init(&ctx->new_keys);
+ rc = EXIT_SUCCESS;
for (;;) {
int idx, c;
@@ -985,10 +987,10 @@ int main(int argc, char **argv)
if (ctx->verbose)
print_new_keys(ctx);
- if (!ctx->dry_run)
- insert_new_keys(ctx);
+ if (!ctx->dry_run && insert_new_keys(ctx))
+ rc = EXIT_FAILURE;
talloc_free(ctx);
- return EXIT_SUCCESS;
+ return rc;
}
--
cgit 1.2.3-1.el7
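Review bot: `ctx = talloc_zero(NULL, struct sync_context);` is followed directly by `list_head_init(&ctx->new_keys);` with no NULL check, so an allocation failure dereferences NULL rather than ending in the non-zero exit status this patch introduces; `if (!ctx) return EXIT_FAILURE;` after the allocation would close that. `rc` could also be initialised where it is declared, `int rc = EXIT_SUCCESS;`, instead of being assigned a few lines later. main() begins before the first hunk and continues between the two, so whether the steps that run before `insert_new_keys()` also set `rc` cannot be seen here; since the service quoted in the description applies dbx updates, each of those failure paths should likewise end in a non-zero exit.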


@ -0,0 +1,69 @@
diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac
--- sbsigntools-0.9.3/configure.ac.gnu-efi 2020-02-03 09:38:56.000000000 +0100
+++ sbsigntools-0.9.3/configure.ac 2020-02-04 09:48:53.011259075 +0100
@@ -64,19 +64,30 @@ PKG_CHECK_MODULES(uuid, uuid,
AC_MSG_ERROR([libuuid (from the uuid package) is required]))
dnl gnu-efi headers require extra include dirs
-EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
-AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ])
+EFI_ARCH=$(uname -m | sed -e 's/i.86/ia32/;s/arm.*/arm/' -e 's/x86_64/x64/' -e 's/aarch64/aa64/')
+AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aa64" ])
##
# no consistent view of where gnu-efi should dump the efi stuff, so find it
##
-for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
- if test -e $path/crt0-efi-$EFI_ARCH.o; then
+AC_MSG_CHECKING([gnu-efi crt path])
+for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi /usr/lib/gnuefi/$EFI_ARCH ; do
+ if test -e $path/crt0.o; then
CRTPATH=$path
+ CRT=crt0.o
+ LDS=efi.lds
+ EFI_PATH=$path
+ elif test -e $path/crt0-efi-$EFI_ARCH.o; then
+ CRTPATH=$path
+ CRT=crt0-efi-${EFI_ARCH}.o
+ LDS=elf_${EFI_ARCH}_efi.lds
+ EFI_PATH=$libdir
fi
done
if test -z "$CRTPATH"; then
AC_MSG_ERROR([cannot find the gnu-efi crt path])
+else
+ AC_MSG_RESULT($CRTPATH)
fi
EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
@@ -88,6 +99,9 @@ CPPFLAGS="$CPPFLAGS_save"
AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS)
AC_SUBST(EFI_ARCH, $EFI_ARCH)
AC_SUBST(CRTPATH, $CRTPATH)
+AC_SUBST(CRT, $CRT)
+AC_SUBST(LDS, $LDS)
+AC_SUBST(EFI_PATH, $EFI_PATH)
AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile]
[docs/Makefile tests/Makefile])
diff -up sbsigntools-0.9.3/tests/Makefile.am.gnu-efi sbsigntools-0.9.3/tests/Makefile.am
--- sbsigntools-0.9.3/tests/Makefile.am.gnu-efi 2020-02-03 09:38:56.000000000 +0100
+++ sbsigntools-0.9.3/tests/Makefile.am 2020-02-04 09:47:44.786665340 +0100
@@ -14,7 +14,7 @@ if TEST_BINARY_FORMAT
EFILDFLAGS = --defsym=EFI_SUBSYSTEM=0x0a
FORMAT = -O binary
else
-FORMAT = --target=efi-app-$(EFI_ARCH)
+FORMAT = --target=efi-app-$(EFI_ARCH:x64=x86_64)
endif
check_DATA = $(test_key) $(test_cert)
check_SCRIPTS = test-wrapper.sh
@@ -27,7 +27,7 @@ check_SCRIPTS = test-wrapper.sh
$(FORMAT) $^ $@
.$(OBJEXT).elf:
- $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/crt0-efi-$(EFI_ARCH).o -T elf_$(EFI_ARCH)_efi.lds $< -o $@ -lefi -lgnuefi
+ $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/$(CRT) -T $(LDS) $< -o $@ $(EFI_PATH)/libefi.a $(EFI_PATH)/libgnuefi.a
AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
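Review bot: The search loop in configure.ac has no `break`, so the last directory that matches wins, and the new first test, `test -e $path/crt0.o`, is also applied to generic directories such as /lib and /usr/lib where a `crt0.o` need not belong to gnu-efi. Restricting the bare `crt0.o` test to the arch-specific directory and adding `break` after the assignments would make the result deterministic. The `elif` fallback now builds `crt0-efi-${EFI_ARCH}.o` and `elf_${EFI_ARCH}_efi.lds` from the renamed value (`x64`, `aa64`); if the older gnu-efi layout names those files with `x86_64`/`aarch64`, that branch can no longer match on those architectures, which is worth confirming or documenting in a comment.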


@ -0,0 +1,36 @@
#!/bin/bash
set -e
tmp=$(mktemp -d)
#trap cleanup EXIT
#cleanup() {
# set +e
# [ -z "$tmp" -o ! -d "$tmp" ] || rm -rf "$tmp"
#}
unset CDPATH
pwd=$(pwd)
version=0.9.4
commit=d52f7bbb73401aab8a1d59e8d0d686ad9641035e
pushd "$tmp"
git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
cd sbsigntools
git checkout ${commit}
ccan_modules="talloc read_write_all build_assert array_size endian"
git submodule init
git submodule update
lib/ccan.git/tools/create-ccan-tree --build-type=automake lib/ccan $ccan_modules
rm -r lib/ccan.git
(
echo "Authors of sbsigntool:"
echo
git log --format='%an' | sort -u | sed 's,^,\t,'
) > AUTHORS
git log --date=short --format='%ad %t %an <%ae>%n%n * %s%n' > ChangeLog
cd ..
mv sbsigntools sbsigntools-${version}
tar cJf "$pwd"/sbsigntools-${version}.tar.xz --exclude=.git sbsigntools-${version}
popd
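Review bot: `git clone git://git.kernel.org/...` uses the unauthenticated git:// transport for the source of a Secure Boot signing tool; the same repository is reachable over HTTPS (the spec's Patch2 URL already uses `https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git`), so the clone line should use that. The pinned `commit=` value limits what a tampered transport can substitute in the main tree, but `git submodule update` fetches ccan from whatever URL the checked-out tree names, which is not visible here. The cleanup trap is commented out, so the `mktemp -d` directory is left behind on every run, including failed ones under `set -e`; re-enable the trap or add a comment saying the leftover tree is intentional.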


@ -0,0 +1,35 @@
diff -up sbsigntools-0.8/autogen.sh.nogit sbsigntools-0.8/autogen.sh
--- sbsigntools-0.8/autogen.sh.nogit 2017-09-04 18:22:49.244640635 +0200
+++ sbsigntools-0.8/autogen.sh 2017-09-04 18:31:49.136838666 +0200
@@ -1,31 +1,5 @@
#!/bin/bash
-ccan_modules="talloc read_write_all build_assert array_size endian"
-
-# Add ccan upstream sources
-if [ ! -e lib/ccan.git/Makefile ]
-then
- git submodule init
- git submodule update
-fi
-
-# create ccan build tree
-if [ ! -e lib/ccan ]
-then
- lib/ccan.git/tools/create-ccan-tree \
- --build-type=automake lib/ccan $ccan_modules
-fi
-
-# Create generatable docs from git
-(
- echo "Authors of sbsigntool:"
- echo
- git log --format='%an' | sort -u | sed 's,^,\t,'
-) > AUTHORS
-
-# Generate simple ChangeLog
-git log --date=short --format='%ad %t %an <%ae>%n%n * %s%n' > ChangeLog
-
# automagic
aclocal
autoheader


@ -0,0 +1,12 @@
diff -up sbsigntools-0.9.4/src/idc.c.openssl3 sbsigntools-0.9.4/src/idc.c
--- sbsigntools-0.9.4/src/idc.c.openssl3 2020-07-04 01:14:29.000000000 +0200
+++ sbsigntools-0.9.4/src/idc.c 2021-11-19 16:20:10.082475750 +0100
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO
idc->data->type = OBJ_nid2obj(peid_nid);
idc->data->value = ASN1_TYPE_new();
- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
idc->digest->alg->parameter = ASN1_TYPE_new();
idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
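Review bot: Both `ASN1_TYPE_new()` results in this hunk (`idc->data->value` and `idc->digest->alg->parameter`) are stored without a NULL check, and `type_set_sequence(...)` is called as a bare statement, so an allocation or encoding failure while building the signed image digest structure is not reported from here. A guard such as `if (!idc->data->value) return -1;` before the call would cover the first allocation, and if `type_set_sequence` returns a status it should be tested as well. IDC_set starts before and continues after the hunk, so the error value should follow whatever convention the rest of the function uses.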

151
SPECS/sbsigntools.spec Normal file

@ -0,0 +1,151 @@
%bcond_without check
%define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations -Wno-maybe-uninitialized
Name: sbsigntools
Version: 0.9.4
Release: 11%{?dist}
Summary: Signing utility for UEFI secure boot
License: GPLv3+
URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools
# upstream tarballs don't include bundled ccan
# run sbsigntools-mktarball.sh
Source0: %{name}-%{version}.tar.xz
Source1: %{name}-mktarball.sh
# don't fetch ccan or run git from autogen.sh, already done by mktarball.sh
Patch0: %{name}-no-git.patch
# add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a
Patch1: %{name}-gnuefi.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1955828
Patch2: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/patch/?id=f12484869c9590682ac3253d583bf59b890bb826#/f12484869c9590682ac3253d583bf59b890bb826.patch
# https://groups.io/g/sbsigntools/message/54
Patch3: %{name}-openssl3.patch
# same as gnu-efi
ExclusiveArch: x86_64 aarch64 %{arm} %{ix86}
BuildRequires: make
BuildRequires: automake
BuildRequires: binutils-devel
BuildRequires: gcc
BuildRequires: gnu-efi-devel >= 1:3.0.8-3
BuildRequires: help2man
BuildRequires: libuuid-devel
%if %{with check}
BuildRequires: openssl
%endif
BuildRequires: openssl-devel
Provides: bundled(ccan-array_size)
Provides: bundled(ccan-build_assert)
Provides: bundled(ccan-check_type)
Provides: bundled(ccan-compiler)
Provides: bundled(ccan-container_of)
Provides: bundled(ccan-endian)
Provides: bundled(ccan-failtest)
Provides: bundled(ccan-hash)
Provides: bundled(ccan-htable)
Provides: bundled(ccan-list)
Provides: bundled(ccan-read_write_all)
Provides: bundled(ccan-str)
Provides: bundled(ccan-talloc)
Provides: bundled(ccan-tcon)
Provides: bundled(ccan-time)
Provides: bundled(ccan-tlist)
Provides: bundled(ccan-typesafe_cb)
%description
Tools to add signatures to EFI binaries and Drivers.
%prep
%autosetup -p1
%build
./autogen.sh
%configure
%make_build
%install
%make_install
%if %{with check}
%check
make check
%endif
%files
%license COPYING LICENSE.GPLv3 lib/ccan/licenses/*
%doc AUTHORS ChangeLog
%{_bindir}/sbattach
%{_bindir}/sbkeysync
%{_bindir}/sbsiglist
%{_bindir}/sbsign
%{_bindir}/sbvarsign
%{_bindir}/sbverify
%{_mandir}/man1/sbattach.1.*
%{_mandir}/man1/sbkeysync.1.*
%{_mandir}/man1/sbsiglist.1.*
%{_mandir}/man1/sbsign.1.*
%{_mandir}/man1/sbvarsign.1.*
%{_mandir}/man1/sbverify.1.*
%changelog
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Jan 17 2023 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-10
- fix build with GCC 13
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Nov 19 2021 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-7
- fix build with OpenSSL 3.0.0 (fixes rhbz#2021909)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-6
- Rebuilt with OpenSSL 3.0.0
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon May 17 2021 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-4
- don't ignore errors from sbkeysync (fixes rhbz#1955828)
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 03 2020 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-1
- update to 0.9.4 (#1846578)
* Mon Feb 03 2020 Dominik Mierzejewski <dominik@greysector.net> - 0.9.3-1
- update to 0.9.3
- update bundled CCAN components list
- support building with gnu-efi 3.0.11
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Feb 28 2019 Dominik Mierzejewski <dominik@greysector.net> - 0.9.2-1
- update to 0.9.2
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jul 25 2018 Dominik Mierzejewski <dominik@greysector.net> - 0.9.1-3
- fix paths to gnu-efi (work around #1608293)
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Feb 22 2018 Dominik Mierzejewski <dominik@greysector.net> - 0.9.1-1
- update to 0.9.1
- add Fedora gnu-efi libs location to search path
- link tests statically against gnu-efi libs, there are no shared versions
* Mon Sep 4 2017 Dominik Mierzejewski <dominik@greysector.net> - 0.8-1
- initial build
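Review bot: The `%define _warning_options` line adds `-Wno-deprecated-declarations -Wno-maybe-uninitialized` for the whole build with no comment explaining why, which hides uninitialised-variable and deprecated-API diagnostics across a tool that produces and verifies Secure Boot signatures. A comment above it naming the reason (presumably the GCC 13 and OpenSSL 3.0 build fixes listed in the changelog) and the condition for removing it would help, e.g. `# upstream does not build cleanly with GCC 13 / OpenSSL 3 warnings; drop once fixed upstream`. `%global` is the usual form for spec-wide macros in place of `%define`. In `%check`, `make check` could be `%make_build check` to match the `%build` step.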