rpms/sbsigntools
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c10
Branches Tags
rpms:c8
rpms:c10
rpms:c9
rpms:imports/c10/sbsigntools-0.9.5-10.el10
rpms:imports/c8/sbsigntools-0.9.4-11.fc38
...
pull from: rpms:c8
Branches Tags
rpms:c10
rpms:c8
rpms:c9
rpms:imports/c10/sbsigntools-0.9.5-10.el10
rpms:imports/c8/sbsigntools-0.9.4-11.fc38

No commits in common. "c10" and "c8" have entirely different histories.
c10 ... c8

11 changed files with 101 additions and 357 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
sbsigntools-0.9.5.tar.xz
SOURCES/sbsigntools-0.9.4.tar.xz

1
.sbsigntools.metadata Normal file
View File

@ -0,0 +1 @@
9d252e4f6dbace51bef1e781f3d3ea09f2b313e4 SOURCES/sbsigntools-0.9.4.tar.xz

59
SOURCES/f12484869c9590682ac3253d583bf59b890bb826.patch Normal file
View File

@ -0,0 +1,59 @@
From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
From: dann frazier <dann.frazier@canonical.com>
Date: Wed, 12 Aug 2020 15:27:08 -0600
Subject: sbkeysync: Don't ignore errors from insert_new_keys()
If insert_new_keys() fails, say due to a full variable store, we currently
still exit(0). This can make it difficult to know something is wrong.
For example, Debian and Ubuntu implement a secureboot-db systemd service
to update the DB and DBX, which calls:
ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
But although this seemed to succeed on my system, looking at the logs shows
a different story:
Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
src/sbkeysync.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index e51f177..7748990 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -889,10 +889,12 @@ int main(int argc, char **argv)
{
bool use_default_keystore_dirs;
struct sync_context *ctx;
+ int rc;
use_default_keystore_dirs = true;
ctx = talloc_zero(NULL, struct sync_context);
list_head_init(&ctx->new_keys);
+ rc = EXIT_SUCCESS;
for (;;) {
int idx, c;
@@ -985,10 +987,10 @@ int main(int argc, char **argv)
if (ctx->verbose)
print_new_keys(ctx);
- if (!ctx->dry_run)
- insert_new_keys(ctx);
+ if (!ctx->dry_run && insert_new_keys(ctx))
+ rc = EXIT_FAILURE;
talloc_free(ctx);
- return EXIT_SUCCESS;
+ return rc;
}
--
cgit 1.2.3-1.el7

28
sbsigntools-gnuefi.patch → SOURCES/sbsigntools-gnuefi.patch
View File

@ -1,11 +1,14 @@
--- a/configure.ac
+++ b/configure.ac
@@ -68,18 +68,29 @@ PKG_CHECK_MODULES(uuid, uuid,
diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac
--- sbsigntools-0.9.3/configure.ac.gnu-efi 2020-02-03 09:38:56.000000000 +0100
+++ sbsigntools-0.9.3/configure.ac 2020-02-04 09:48:53.011259075 +0100
@@ -64,19 +64,30 @@ PKG_CHECK_MODULES(uuid, uuid,
AC_MSG_ERROR([libuuid (from the uuid package) is required]))
dnl gnu-efi headers require extra include dirs
EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
-AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" -o "$EFI_ARCH" = riscv64 ])
+AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = riscv64 ])
-EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
-AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ])
+EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
+AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ])
##
# no consistent view of where gnu-efi should dump the efi stuff, so find it
@ -23,7 +26,7 @@
+ CRTPATH=$path
+ CRT=crt0-efi-${EFI_ARCH}.o
+ LDS=elf_${EFI_ARCH}_efi.lds
+ EFI_PATH=$path
+ EFI_PATH=$libdir
fi
done
if test -z "$CRTPATH"; then
@ -33,7 +36,7 @@
fi
EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
@@ -91,6 +102,9 @@ CPPFLAGS="$CPPFLAGS_save"
@@ -88,6 +99,9 @@ CPPFLAGS="$CPPFLAGS_save"
AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS)
AC_SUBST(EFI_ARCH, $EFI_ARCH)
AC_SUBST(CRTPATH, $CRTPATH)
@ -43,9 +46,10 @@
AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile]
[docs/Makefile tests/Makefile])
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -18,7 +18,7 @@ if TEST_BINARY_FORMAT
diff -up sbsigntools-0.9.3/tests/Makefile.am.gnu-efi sbsigntools-0.9.3/tests/Makefile.am
--- sbsigntools-0.9.3/tests/Makefile.am.gnu-efi 2020-02-03 09:38:56.000000000 +0100
+++ sbsigntools-0.9.3/tests/Makefile.am 2020-02-04 09:47:44.786665340 +0100
@@ -14,7 +14,7 @@ if TEST_BINARY_FORMAT
EFILDFLAGS = --defsym=EFI_SUBSYSTEM=0x0a
FORMAT = -O binary
else
@ -54,7 +58,7 @@
endif
check_DATA = $(test_key) $(test_cert)
check_SCRIPTS = test-wrapper.sh
@@ -31,7 +31,7 @@ check_SCRIPTS = test-wrapper.sh
@@ -27,7 +27,7 @@ check_SCRIPTS = test-wrapper.sh
$(FORMAT) $^ $@
.$(OBJEXT).elf:

4
sbsigntools-mktarball.sh → SOURCES/sbsigntools-mktarball.sh
View File

@ -12,8 +12,8 @@ tmp=$(mktemp -d)
unset CDPATH
pwd=$(pwd)
version=0.9.5
commit=9cfca9fe7aa7a8e29b92fe33ce8433e212c9a8ba
version=0.9.4
commit=d52f7bbb73401aab8a1d59e8d0d686ad9641035e
pushd "$tmp"
git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git

0
sbsigntools-no-git.patch → SOURCES/sbsigntools-no-git.patch
View File

12
SOURCES/sbsigntools-openssl3.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up sbsigntools-0.9.4/src/idc.c.openssl3 sbsigntools-0.9.4/src/idc.c
--- sbsigntools-0.9.4/src/idc.c.openssl3 2020-07-04 01:14:29.000000000 +0200
+++ sbsigntools-0.9.4/src/idc.c 2021-11-19 16:20:10.082475750 +0100
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO
idc->data->type = OBJ_nid2obj(peid_nid);
idc->data->value = ASN1_TYPE_new();
- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
idc->digest->alg->parameter = ASN1_TYPE_new();
idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);

87
sbsigntools.spec → SPECS/sbsigntools.spec
View File

@ -2,32 +2,10 @@
%define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations -Wno-maybe-uninitialized
Name: sbsigntools
Version: 0.9.5
Release: 10%{?dist}
Version: 0.9.4
Release: 11%{?dist}
Summary: Signing utility for UEFI secure boot
# Most source code is GPL-3.0-or-later, except:
# LicenseRef-Fedora-Public-Domain:
# lib/ccan/ccan/array_size
# lib/ccan/ccan/build_assert
# lib/ccan/ccan/check_type
# lib/ccan/ccan/compiler
# lib/ccan/ccan/container_of
# lib/ccan/ccan/hash
# lib/ccan/ccan/str
# lib/ccan/ccan/tcon
# LGPL-2.1-or-later:
# lib/ccan/ccan/endian
# lib/ccan/ccan/htable
# lib/ccan/ccan/list
# lib/ccan/ccan/read_write_all
# lib/ccan/ccan/talloc
# lib/ccan/ccan/typesafe_cb
# LGPL-3.0-only:
# lib/ccan/ccan/failtest
# lib/ccan/ccan/tlist
# MIT:
# lib/ccan/ccan/time
License: GPL-3.0-or-later AND LicenseRef-Fedora-Public-Domain AND LGPL-2.1-or-later AND LGPL-3.0-only AND MIT
License: GPLv3+
URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools
# upstream tarballs don't include bundled ccan
# run sbsigntools-mktarball.sh
@ -37,27 +15,23 @@ Source1: %{name}-mktarball.sh
Patch0: %{name}-no-git.patch
# add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a
Patch1: %{name}-gnuefi.patch
# fix wchar_t (a.k.a. CHAR16) abuse
Patch2: %{name}-no-wchar_t.patch
# revert addition of openssl engine support
Patch3: %{name}-no-openssl-engines.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1955828
Patch2: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/patch/?id=f12484869c9590682ac3253d583bf59b890bb826#/f12484869c9590682ac3253d583bf59b890bb826.patch
# https://groups.io/g/sbsigntools/message/54
Patch3: %{name}-openssl3.patch
# same as gnu-efi
ExclusiveArch: %{efi}
ExclusiveArch: x86_64 aarch64 %{arm} %{ix86}
BuildRequires: make
BuildRequires: automake
BuildRequires: binutils-devel
BuildRequires: gcc
BuildRequires: gnu-efi-devel >= 1:3.0.18-1
BuildRequires: gnu-efi-devel >= 1:3.0.8-3
BuildRequires: help2man
BuildRequires: libuuid-devel
%if %{with check}
BuildRequires: openssl
%endif
BuildRequires: openssl-devel
%if 0%{?fedora} >= 41
# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
BuildRequires: openssl-devel-engine
%endif
Provides: bundled(ccan-array_size)
Provides: bundled(ccan-build_assert)
Provides: bundled(ccan-check_type)
@ -80,14 +54,7 @@ Provides: bundled(ccan-typesafe_cb)
Tools to add signatures to EFI binaries and Drivers.
%prep
%setup -q
%patch -p 1 -P 0
%patch -p 1 -P 1
%patch -p 1 -P 2
%if %{defined el10}
# EL10 disables openssl engines
%patch -p 1 -P 3
%endif
%autosetup -p1
%build
./autogen.sh
@ -119,40 +86,6 @@ make check
%{_mandir}/man1/sbverify.1.*
%changelog
* Thu Apr 10 2025 Carl George <carlwgeorge@fedoraproject.org> - 0.9.5-10
- Remove openssl engine support on EL10
* Wed Apr 09 2025 Carl George <carlwgeorge@fedoraproject.org> - 0.9.5-9
- Add missing SPDX identifiers to license field
* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Mon Nov 18 2024 Dominik Mierzejewski <dominik@greysector.net> - 0.9.5-7
- fix wchar_t usage in sbvarsign (fixes rhbz#2310759)
* Wed Aug 21 2024 Michel Lind <salimma@fedoraproject.org> - 0.9.5-6
- Fix building with gnu-efi 3.0.18
- Fix building on Fedora 41+ due to OpenSSL engine deprecation
- Fix building on aarch64, need to use non-TEST_BINARY_FORMAT codepath like x86_64
- FIxes: RHBZ#2301267
* Thu Jul 25 2024 Miroslav Suchý <msuchy@redhat.com> - 0.9.5-5
- convert license to SPDX
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri May 05 2023 Dominik Mierzejewski <dominik@greysector.net> - 0.9.5-1
- update to 0.9.5 (#2179697)
- drop obsolete patches
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

230
sbsigntools-no-openssl-engines.patch
View File

@ -1,230 +0,0 @@
From 4b6f88a0ad6f1069f3597087058dce028bf67433 Mon Sep 17 00:00:00 2001
From: Carl George <carlwgeorge@gmail.com>
Date: Wed, 9 Apr 2025 22:51:12 -0500
Subject: [PATCH] Revert "sbsign, sbvarsign: support engine based private keys"
This reverts commit efc424c8eea2c398e4371320b4d7266898675ac8.
---
src/fileio.c | 50 -------------------------------------------------
src/fileio.h | 1 -
src/sbsign.c | 16 +++-------------
src/sbvarsign.c | 15 +++------------
4 files changed, 6 insertions(+), 76 deletions(-)
diff --git a/src/fileio.c b/src/fileio.c
index 032eb1e..faab3b7 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -39,7 +39,6 @@
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/err.h>
-#include <openssl/engine.h>
#include <ccan/talloc/talloc.h>
#include <ccan/read_write_all/read_write_all.h>
@@ -48,55 +47,6 @@
#define FLAG_NOERROR (1<<0)
-static int ui_read(UI *ui, UI_STRING *uis)
-{
- char password[128];
-
- if (UI_get_string_type(uis) != UIT_PROMPT)
- return 0;
-
- EVP_read_pw_string(password, sizeof(password), "Enter engine key pass phrase:", 0);
- UI_set_result(ui, uis, password);
- return 1;
-}
-
-EVP_PKEY *fileio_read_engine_key(const char *engine, const char *filename)
-{
- UI_METHOD *ui;
- ENGINE *e;
- EVP_PKEY *pkey = NULL;
-
- ENGINE_load_builtin_engines();
- e = ENGINE_by_id(engine);
-
- if (!e) {
- fprintf(stderr, "Failed to load engine: %s\n", engine);
- ERR_print_errors_fp(stderr);
- return NULL;
- }
-
- ui = UI_create_method("sbsigntools");
- if (!ui) {
- fprintf(stderr, "Failed to create UI method\n");
- ERR_print_errors_fp(stderr);
- goto out_free;
- }
- UI_method_set_reader(ui, ui_read);
-
- if (!ENGINE_init(e)) {
- fprintf(stderr, "Failed to initialize engine %s\n", engine);
- ERR_print_errors_fp(stderr);
- goto out_free;
- }
-
- pkey = ENGINE_load_private_key(e, filename, ui, NULL);
- ENGINE_finish(e);
-
- out_free:
- ENGINE_free(e);
- return pkey;
-}
-
EVP_PKEY *fileio_read_pkey(const char *filename)
{
EVP_PKEY *key = NULL;
diff --git a/src/fileio.h b/src/fileio.h
index b3ed22c..52c3c12 100644
--- a/src/fileio.h
+++ b/src/fileio.h
@@ -38,7 +38,6 @@
#include <openssl/x509.h>
EVP_PKEY *fileio_read_pkey(const char *filename);
-EVP_PKEY *fileio_read_engine_key(const char *engine, const char *filename);
X509 *fileio_read_cert(const char *filename);
int fileio_read_file(void *ctx, const char *filename,
diff --git a/src/sbsign.c b/src/sbsign.c
index 898fe66..3bb42c2 100644
--- a/src/sbsign.c
+++ b/src/sbsign.c
@@ -76,7 +76,6 @@ static struct option options[] = {
{ "verbose", no_argument, NULL, 'v' },
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'V' },
- { "engine", required_argument, NULL, 'e'},
{ "addcert", required_argument, NULL, 'a'},
{ NULL, 0, NULL, 0 },
};
@@ -87,7 +86,6 @@ static void usage(void)
"<efi-boot-image>\n"
"Sign an EFI boot image for use with secure boot.\n\n"
"Options:\n"
- "\t--engine <eng> use the specified engine to load the key\n"
"\t--key <keyfile> signing key (PEM-encoded RSA "
"private key)\n"
"\t--cert <certfile> certificate (x509 certificate)\n"
@@ -152,22 +150,20 @@ static int add_intermediate_certs(PKCS7 *p7, const char *filename)
int main(int argc, char **argv)
{
- const char *keyfilename, *certfilename, *addcertfilename, *engine;
+ const char *keyfilename, *certfilename, *addcertfilename;
struct sign_context *ctx;
uint8_t *buf, *tmp;
int rc, c, sigsize;
- EVP_PKEY *pkey;
ctx = talloc_zero(NULL, struct sign_context);
keyfilename = NULL;
certfilename = NULL;
addcertfilename = NULL;
- engine = NULL;
for (;;) {
int idx;
- c = getopt_long(argc, argv, "o:c:k:dvVhe:a:", options, &idx);
+ c = getopt_long(argc, argv, "o:c:k:dvVha:", options, &idx);
if (c == -1)
break;
@@ -193,9 +189,6 @@ int main(int argc, char **argv)
case 'h':
usage();
return EXIT_SUCCESS;
- case 'e':
- engine = optarg;
- break;
case 'a':
addcertfilename = optarg;
break;
@@ -244,10 +237,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
- if (engine)
- pkey = fileio_read_engine_key(engine, keyfilename);
- else
- pkey = fileio_read_pkey(keyfilename);
+ EVP_PKEY *pkey = fileio_read_pkey(keyfilename);
if (!pkey)
return EXIT_FAILURE;
diff --git a/src/sbvarsign.c b/src/sbvarsign.c
index 58031ec..db43054 100644
--- a/src/sbvarsign.c
+++ b/src/sbvarsign.c
@@ -397,7 +397,6 @@ static struct option options[] = {
{ "verbose", no_argument, NULL, 'v' },
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'V' },
- { "engine", required_argument, NULL, 'e'},
{ NULL, 0, NULL, 0 },
};
@@ -409,7 +408,6 @@ void usage(void)
"<var-name> <var-data-file>\n"
"Sign a blob of data for use in SetVariable().\n\n"
"Options:\n"
- "\t--engine <eng> use the specified engine to load the key\n"
"\t--key <keyfile> signing key (PEM-encoded RSA "
"private key)\n"
"\t--cert <certfile> certificate (x509 certificate)\n"
@@ -438,7 +436,7 @@ static void version(void)
int main(int argc, char **argv)
{
- const char *guid_str, *attr_str, *varname, *engine;
+ const char *guid_str, *attr_str, *varname;
const char *keyfilename, *certfilename;
struct varsign_context *ctx;
bool include_attrs;
@@ -448,14 +446,13 @@ int main(int argc, char **argv)
keyfilename = NULL;
certfilename = NULL;
- engine = NULL;
guid_str = NULL;
attr_str= NULL;
include_attrs = false;
for (;;) {
int idx;
- c = getopt_long(argc, argv, "o:g:a:k:c:ivVhe:", options, &idx);
+ c = getopt_long(argc, argv, "o:g:a:k:c:ivVh", options, &idx);
if (c == -1)
break;
@@ -487,9 +484,6 @@ int main(int argc, char **argv)
case 'h':
usage();
return EXIT_SUCCESS;
- case 'e':
- engine = optarg;
- break;
}
}
@@ -551,10 +545,7 @@ int main(int argc, char **argv)
if (fileio_read_file(ctx, ctx->infilename, &ctx->data, &ctx->data_len))
return EXIT_FAILURE;
- if (engine)
- ctx->key = fileio_read_engine_key(engine, keyfilename);
- else
- ctx->key = fileio_read_pkey(keyfilename);
+ ctx->key = fileio_read_pkey(keyfilename);
if (!ctx->key)
return EXIT_FAILURE;
--
2.49.0

34
sbsigntools-no-wchar_t.patch
View File

@ -1,34 +0,0 @@
diff -up sbsigntools-0.9.5/src/sbvarsign.c.orig sbsigntools-0.9.5/src/sbvarsign.c
--- sbsigntools-0.9.5/src/sbvarsign.c.orig 2023-05-05 12:56:50.000000000 +0200
+++ sbsigntools-0.9.5/src/sbvarsign.c 2024-11-18 23:53:08.764976485 +0100
@@ -67,7 +67,7 @@ struct varsign_context {
uint8_t *data;
size_t data_len;
- CHAR16 *var_name;
+ uint16_t *var_name;
int var_name_bytes;
EFI_GUID var_guid;
uint32_t var_attrs;
@@ -163,18 +163,18 @@ static uint32_t parse_attrs(const char *
static int set_varname(struct varsign_context *ctx, const char *str)
{
- CHAR16 *wstr;
+ uint16_t *wstr;
int i, len;
len = strlen(str);
- wstr = talloc_array(ctx, CHAR16, len);
+ wstr = talloc_array(ctx, uint16_t, len);
for (i = 0; i < len; i++)
wstr[i] = str[i];
ctx->var_name = wstr;
- ctx->var_name_bytes = len * sizeof(CHAR16);
+ ctx->var_name_bytes = len * sizeof(uint16_t);
return 0;
}

1
sources
View File

@ -1 +0,0 @@
SHA512 (sbsigntools-0.9.5.tar.xz) = dbe52b709724eaaa0d5859ca0088190ee417e721a626681ea84cae3f04a7484e5caf64eb469094d3e373724c1f530cc75fa8ac63eaa91f803db2fda2f46c594f