michal-grzedzicki / rpms / rpm

Forked from rpms/rpm 4 months ago
Clone
Blob Blame History Raw
From 5e74846046e06f5a3401c4d2eb4ccfadacd4ab53 Mon Sep 17 00:00:00 2001
From: Jes Sorensen <jsorensen@fb.com>
Date: Fri, 3 Apr 2020 16:26:06 -0400
Subject: [PATCH 18/33] rpmsign: Handle --certpath for signing certificate

fsverirty needs a certificate for signing, in addition to the signing key.

Signed-off-by: Jes Sorensen <jsorensen@fb.com>
---
 rpmsign.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/rpmsign.c b/rpmsign.c
index 94cbf1d1a..074dd8b13 100644
--- a/rpmsign.c
+++ b/rpmsign.c
@@ -22,6 +22,9 @@ static int mode = MODE_NONE;
 static int fskpass = 0;
 static char * fileSigningKey = NULL;
 #endif
+#ifdef WITH_FSVERITY
+static char * fileSigningCert = NULL;
+#endif
 
 static struct rpmSignArgs sargs = {NULL, 0, 0};
 
@@ -44,6 +47,9 @@ static struct poptOption signOptsTable[] = {
     { "signverity", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),
 	&sargs.signflags, RPMSIGN_FLAG_FSVERITY,
 	N_("generate fsverity signatures for package(s) files"), NULL},
+    { "certpath", '\0', POPT_ARG_STRING, &fileSigningCert, 0,
+	N_("use file signing cert <cert>"),
+	N_("<cert>") },
 #endif
 #if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
     { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
@@ -123,6 +129,12 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
 	rpmPushMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
     }
 
+#ifdef WITH_FSVERITY
+    if (fileSigningCert) {
+	rpmPushMacro(NULL, "_file_signing_cert", NULL, fileSigningCert, RMIL_GLOBAL);
+    }
+#endif
+
     if (flags_sign_files(sargs->signflags)) {
 	char *fileSigningKeyPassword = NULL;
 	char *key = rpmExpand("%{?_file_signing_key}", NULL);
-- 
2.27.0