100 lines
3.5 KiB
Diff
100 lines
3.5 KiB
Diff
|
commit 9839db5514a29cf4f58b3de8cc6155088be6d061
|
||
|
gpg: Signature made Sat 12 Aug 2023 02:49:26 PM EDT
|
||
|
gpg: using RSA key 5D38116FA4D3A7CC77E378D37E83610126DCC2E8
|
||
|
gpg: Good signature from "Frank Ch. Eigler <fche@elastic.org>" [full]
|
||
|
Author: Frank Ch. Eigler <fche@redhat.com>
|
||
|
Date: Sat Aug 12 14:28:44 2023 -0400
|
||
|
|
||
|
PR30749: correct stap --sign-module timing
|
||
|
|
||
|
Previous code signed the temp directory copy, after it had already
|
||
|
been copied into the cache -- so the signature never made it to a
|
||
|
permanent artifact.
|
||
|
|
||
|
If the module was being fetched from the cache from a previous build
|
||
|
run, a sign (re)attempt will still be done. This may not be
|
||
|
necessary, but shouldn't be harmful.
|
||
|
|
||
|
Reported-By: Renaud Métrich <rmetrich@redhat.com>
|
||
|
|
||
|
diff --git a/main.cxx b/main.cxx
|
||
|
index 06adb66ad..9f695cbd8 100644
|
||
|
--- a/main.cxx
|
||
|
+++ b/main.cxx
|
||
|
@@ -1190,8 +1190,10 @@ passes_0_4 (systemtap_session &s)
|
||
|
s.mok_fingerprints.clear();
|
||
|
s.mok_fingerprints.push_back(mok_fingerprint);
|
||
|
}
|
||
|
- rc =
|
||
|
- sign_module (s.tmpdir, s.module_filename(), s.mok_fingerprints, mok_path, s.kernel_build_tree);
|
||
|
+ if (s.verbose)
|
||
|
+ clog << _F("Signing %s with mok key %s", s.module_filename().c_str(), mok_path.c_str())
|
||
|
+ << endl;
|
||
|
+ rc = sign_module (s.tmpdir, s.module_filename(), s.mok_fingerprints, mok_path, s.kernel_build_tree);
|
||
|
}
|
||
|
#endif
|
||
|
|
||
|
@@ -1310,8 +1312,30 @@ passes_0_4 (systemtap_session &s)
|
||
|
if (! s.use_script_cache && s.last_pass <= 4)
|
||
|
s.save_module = true;
|
||
|
|
||
|
+#if HAVE_NSS
|
||
|
+ // PR30749
|
||
|
+ if (!rc && s.module_sign_given)
|
||
|
+ {
|
||
|
+ // when run on client as --sign-module, mok fingerprints are result of mokutil -l
|
||
|
+ // when run from server as --sign-module=PATH, mok fingerprint is given by PATH
|
||
|
+ string mok_path;
|
||
|
+ if (!s.module_sign_mok_path.empty())
|
||
|
+ {
|
||
|
+ string mok_fingerprint;
|
||
|
+ split_path (s.module_sign_mok_path, mok_path, mok_fingerprint);
|
||
|
+ s.mok_fingerprints.clear();
|
||
|
+ s.mok_fingerprints.push_back(mok_fingerprint);
|
||
|
+ }
|
||
|
+
|
||
|
+ if (s.verbose)
|
||
|
+ clog << _F("Signing %s with mok key %s", s.module_filename().c_str(), mok_path.c_str())
|
||
|
+ << endl;
|
||
|
+ rc = sign_module (s.tmpdir, s.module_filename(), s.mok_fingerprints, mok_path, s.kernel_build_tree);
|
||
|
+ }
|
||
|
+#endif
|
||
|
+
|
||
|
// Copy module to the current directory.
|
||
|
- if (s.save_module && !pending_interrupts)
|
||
|
+ if (!rc && s.save_module && !pending_interrupts)
|
||
|
{
|
||
|
string module_src_path = s.tmpdir + "/" + s.module_filename();
|
||
|
string module_dest_path = s.module_filename();
|
||
|
@@ -1327,29 +1351,11 @@ passes_0_4 (systemtap_session &s)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
-#if HAVE_NSS
|
||
|
- if (s.module_sign_given)
|
||
|
- {
|
||
|
- // when run on client as --sign-module, mok fingerprints are result of mokutil -l
|
||
|
- // when run from server as --sign-module=PATH, mok fingerprint is given by PATH
|
||
|
- string mok_path;
|
||
|
- if (!s.module_sign_mok_path.empty())
|
||
|
- {
|
||
|
- string mok_fingerprint;
|
||
|
- split_path (s.module_sign_mok_path, mok_path, mok_fingerprint);
|
||
|
- s.mok_fingerprints.clear();
|
||
|
- s.mok_fingerprints.push_back(mok_fingerprint);
|
||
|
- }
|
||
|
-
|
||
|
- rc = sign_module (s.tmpdir, s.module_filename(), s.mok_fingerprints, mok_path, s.kernel_build_tree);
|
||
|
- }
|
||
|
-#endif
|
||
|
-
|
||
|
PROBE1(stap, pass4__end, &s);
|
||
|
|
||
|
return rc;
|
||
|
}
|
||
|
-
|
||
|
+
|
||
|
int
|
||
|
pass_5 (systemtap_session &s, vector<remote*> targets)
|
||
|
{
|