diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer
new file mode 100644
index 0000000..4ff8b79
Binary files /dev/null and b/SOURCES/redhatsecureboot301.cer differ
diff --git a/SOURCES/redhatsecureboot503.cer b/SOURCES/redhatsecureboot503.cer
new file mode 100644
index 0000000..50e375c
Binary files /dev/null and b/SOURCES/redhatsecureboot503.cer differ
diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer
new file mode 100644
index 0000000..b235400
Binary files /dev/null and b/SOURCES/redhatsecurebootca3.cer differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ
diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer
deleted file mode 100644
index 4ff8b79..0000000
Binary files a/SOURCES/secureboot.cer and /dev/null differ
diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer
deleted file mode 100644
index b235400..0000000
Binary files a/SOURCES/securebootca.cer and /dev/null differ
diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec
index dffaedd..e7655ad 100644
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@@ -32,18 +32,24 @@ Summary: Firmware update daemon Name: fwupd Version: 1.4.2 -Release: 2%{?dist} +Release: 4%{?dist} License: LGPLv2+ URL: https://github.com/fwupd/fwupd Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz -Source1: securebootca.cer -Source2: secureboot.cer -Source3: http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz +Source1: http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz + +# these are numbered high just to keep them wildly away from colliding with +# the real package sources, in order to reduce churn. +Source300: redhatsecurebootca3.cer +Source301: redhatsecureboot301.cer +Source500: redhatsecurebootca5.cer +Source503: redhatsecureboot503.cer Patch1: 0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch Patch2: 0001-Do-not-use-the-LVFS.patch Patch3: 0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch +BuildRequires: efi-srpm-macros BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} BuildRequires: libxmlb-devel >= %{libxmlb_version} @@ -118,6 +124,7 @@ Obsoletes: fwupd-sign < 0.1.6 Obsoletes: libebitdo < 0.7.5-3 Obsoletes: libdfu < 1.0.0 Obsoletes: fwupd-labels < 1.1.0-1 +Obsoletes: fwupdate %description fwupd is a daemon to allow session software to update device firmware. @@ -142,7 +149,7 @@ Data files for installed tests. %patch2 -p1 -b .lvfs-disabled mkdir -p subprojects/libjcat -tar xfvs %{SOURCE3} -C subprojects/libjcat --strip-components=1 +tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1 # apply patch to subproject cd subprojects/libjcat @@ -168,7 +175,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 %meson \ -Dgtkdoc=true \ - -Defi_os_dir=redhat \ + -Defi_os_dir=%{efi_vendor} \ -Dplugin_tpm=false \ -Dlibjcat:gtkdoc=false \ -Dlibjcat:introspection=false \ 
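Review bot: The certificate entries `Source300` to `Source503` in the first hunk are binary blobs that cannot be read from the diff, and the spec records nothing about what they should contain. The blob ids in the file headers show `redhatsecureboot301.cer` (4ff8b79) and `redhatsecurebootca3.cer` (b235400) are the deleted `secureboot.cer` and `securebootca.cer` under new names. That leaves `redhatsecurebootca5.cer` and `redhatsecureboot503.cer` as the only new trust material. I would extend the comment above `Source300` with a line such as `# CA/leaf pairs passed to %%pesign; SHA-256 fingerprints: <FINGERPRINT_PLACEHOLDER>`, so a swapped certificate is noticeable in a later review.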
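Review bot: The added `Obsoletes: fwupdate` in the second hunk is unversioned, unlike its neighbours in the same list (`fwupd-labels < 1.1.0-1`, `libdfu < 1.0.0`). An unversioned obsolete also matches any later `fwupdate` build, so the package could never be reintroduced or installed next to fwupd. I would bound it as `Obsoletes: fwupdate < <LAST_SHIPPED_EVR_PLACEHOLDER>`, with the value set just above the last fwupdate build that shipped.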
@@ -234,7 +241,9 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 %global efiarch aa64 %endif %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi -%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n redhatsecureboot301 +%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301 +%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503 +rm -fv %{fwup_efi_fn}.tmp %endif mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg @@ -429,6 +438,14 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %endif %changelog +* Fri Jul 24 2020 Peter Jones - 1.4.2-4 +- Add signing with redhatsecureboot503 cert + Related: CVE-2020-10713 + +* Thu Jul 23 2020 Richard Hughes 1.4.2-3 +- Obsolete the now-dead fwupdate package to prevent file conflicts +- Resolves: #1859202 + * Fri Jun 05 2020 Richard Hughes 1.4.2-2 - Security fix for CVE-2020-10759 - Resolves: #1844324
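Review bot: Nothing after the two `%pesign` calls confirms that `%{fwup_efi_fn}.signed` carries both the redhatsecureboot301 and redhatsecureboot503 signatures. The hunk only chains the first output into the second call and removes the `.tmp` file. Whether the `%pesign` macro fails the build when the second signature is not appended is not visible here, so a binary carrying only the older signature could presumably ship unnoticed. I would list the signatures right after the `rm -fv` line with `pesign -S -i %{fwup_efi_fn}.signed` and fail the build unless both appear, and add a comment such as `# dual-signed: redhatsecureboot301 (existing), then redhatsecureboot503 (added, Related: CVE-2020-10713)`. The enclosing `%if`/`%endif` block starts outside the hunk.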