diff --git a/SOURCES/0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch b/SOURCES/0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch new file mode 100644 index 0000000..34e23d5 --- /dev/null +++ b/SOURCES/0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch @@ -0,0 +1,28 @@ +From d4a65700c5ed9544b6445213bd5f8a0dbc2cd1e5 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Fri, 29 Nov 2019 14:00:39 +0000 +Subject: [PATCH] Disable wacomhid by default as probing the device stops the + tablet working + +This is fixed properly in fwupd >= 1.2.2 but add this workaround here for +stable distros that cannot rebase to a newer branch. +--- + data/daemon.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/data/daemon.conf b/data/daemon.conf +index 51ab19f4..03965d88 100644 +--- a/data/daemon.conf ++++ b/data/daemon.conf +@@ -6,7 +6,7 @@ BlacklistDevices= + + # Allow blacklisting specific plugins + # Uses semicolons as delimiter +-BlacklistPlugins=test ++BlacklistPlugins=test;wacomhid + + # Maximum archive size that can be loaded in Mb, with 0 for the default + ArchiveSizeMax=0 +-- +2.23.0 + diff --git a/SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch b/SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch new file mode 100644 index 0000000..b6be5f2 --- /dev/null +++ b/SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch @@ -0,0 +1,220 @@ +commit 58f79c3d235290c4cecccc1d55cbcc2da8e988a6 +Author: Richard Hughes +Date: Thu Aug 1 09:45:25 2019 +0100 + + Relax the certificate time checks in the self tests for the legacy certificate + + One test verifies a firmware with a signature from the old LVFS which was + hosted on secure-lvfs.rhcloud.com and used the original PKCS-7 key. This key + had a two year validity (expiring today, ohh the naivety...) rather than the + newer fwupd.org key which expires in the year 2058. + + For this specific test only, disable the certificate time checks to fix CI. + + Fixes https://github.com/hughsie/fwupd/issues/1264 + +diff --git a/src/fu-engine.c b/src/fu-engine.c +index ac102cfa..1a57b0af 100644 +--- a/src/fu-engine.c ++++ b/src/fu-engine.c +@@ -1908,7 +1908,8 @@ fu_engine_get_existing_keyring_result (FuEngine *self, + blob_sig = fu_common_get_contents_bytes (fwupd_remote_get_filename_cache_sig (remote), error); + if (blob_sig == NULL) + return NULL; +- return fu_keyring_verify_data (kr, blob, blob_sig, error); ++ return fu_keyring_verify_data (kr, blob, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, error); + } + + /** +@@ -1991,7 +1992,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id, + pki_dir = g_build_filename (sysconfdir, "pki", "fwupd-metadata", NULL); + if (!fu_keyring_add_public_keys (kr, pki_dir, error)) + return FALSE; +- kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error); ++ kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, ++ error); + if (kr_result == NULL) + return FALSE; + +diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c +index af0bfbe0..a51ab7a4 100644 +--- a/src/fu-keyring-gpg.c ++++ b/src/fu-keyring-gpg.c +@@ -231,6 +231,7 @@ static FuKeyringResult * + fu_keyring_gpg_verify_data (FuKeyring *keyring, + GBytes *blob, + GBytes *blob_signature, ++ FuKeyringVerifyFlags flags, + GError **error) + { + FuKeyringGpg *self = FU_KEYRING_GPG (keyring); +diff --git a/src/fu-keyring-pkcs7.c b/src/fu-keyring-pkcs7.c +index d48dc5d0..dc310d37 100644 +--- a/src/fu-keyring-pkcs7.c ++++ b/src/fu-keyring-pkcs7.c +@@ -182,6 +182,7 @@ static FuKeyringResult * + fu_keyring_pkcs7_verify_data (FuKeyring *keyring, + GBytes *blob, + GBytes *blob_signature, ++ FuKeyringVerifyFlags flags, + GError **error) + { + FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring); +@@ -231,6 +232,14 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring, + for (gint i = 0; i < count; i++) { + gnutls_pkcs7_signature_info_st info; + gint64 signing_time = 0; ++ gnutls_certificate_verify_flags verify_flags = 0; ++ ++ /* use with care */ ++ if (flags & FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS) { ++ g_debug ("WARNING: disabling time checks"); ++ verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS; ++ verify_flags |= GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS; ++ } + + /* verify the data against the detached signature */ + rc = gnutls_pkcs7_verify (pkcs7, self->tl, +@@ -238,7 +247,7 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring, + 0, /* vdata_size */ + i, /* index */ + &datum, /* data */ +- 0); /* flags */ ++ verify_flags); + if (rc < 0) { + g_set_error (error, + FWUPD_ERROR, +diff --git a/src/fu-keyring-utils.c b/src/fu-keyring-utils.c +index 0c5a7f04..465b4a02 100644 +--- a/src/fu-keyring-utils.c ++++ b/src/fu-keyring-utils.c +@@ -167,7 +167,9 @@ fu_keyring_get_release_trust_flags (AsRelease *release, + fu_keyring_get_name (kr)); + return FALSE; + } +- kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local); ++ kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, ++ FU_KEYRING_VERIFY_FLAG_NONE, ++ &error_local); + if (kr_result == NULL) { + g_warning ("untrusted as failed to verify from %s keyring: %s", + fu_keyring_get_name (kr), +diff --git a/src/fu-keyring.c b/src/fu-keyring.c +index d8a88e8c..9b582563 100644 +--- a/src/fu-keyring.c ++++ b/src/fu-keyring.c +@@ -40,13 +40,14 @@ FuKeyringResult * + fu_keyring_verify_data (FuKeyring *keyring, + GBytes *blob, + GBytes *blob_signature, ++ FuKeyringVerifyFlags flags, + GError **error) + { + FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring); + g_return_val_if_fail (FU_IS_KEYRING (keyring), NULL); + g_return_val_if_fail (blob != NULL, NULL); + g_return_val_if_fail (blob_signature != NULL, NULL); +- return klass->verify_data (keyring, blob, blob_signature, error); ++ return klass->verify_data (keyring, blob, blob_signature, flags, error); + } + + const gchar * +diff --git a/src/fu-keyring.h b/src/fu-keyring.h +index 6e03694c..f097305d 100644 +--- a/src/fu-keyring.h ++++ b/src/fu-keyring.h +@@ -17,6 +17,20 @@ G_BEGIN_DECLS + #define FU_TYPE_KEYRING (fu_keyring_get_type ()) + G_DECLARE_DERIVABLE_TYPE (FuKeyring, fu_keyring, FU, KEYRING, GObject) + ++/** ++ * FuKeyringVerifyFlags: ++ * @FU_KEYRING_VERIFY_FLAG_NONE: No flags set ++ * @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS: Disable checking of validity periods ++ * ++ * The flags to use when interacting with a keyring ++ **/ ++typedef enum { ++ FU_KEYRING_VERIFY_FLAG_NONE = 0, ++ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS = 1 << 2, ++ /*< private >*/ ++ FU_KEYRING_VERIFY_FLAG_LAST ++} FuKeyringVerifyFlags; ++ + struct _FuKeyringClass + { + GObjectClass parent_class; +@@ -28,6 +42,7 @@ struct _FuKeyringClass + FuKeyringResult *(*verify_data) (FuKeyring *keyring, + GBytes *payload, + GBytes *payload_signature, ++ FuKeyringVerifyFlags flags, + GError **error); + }; + +@@ -39,6 +54,7 @@ gboolean fu_keyring_add_public_keys (FuKeyring *keyring, + FuKeyringResult *fu_keyring_verify_data (FuKeyring *keyring, + GBytes *blob, + GBytes *blob_signature, ++ FuKeyringVerifyFlags flags, + GError **error); + const gchar *fu_keyring_get_name (FuKeyring *self); + void fu_keyring_set_name (FuKeyring *self, +diff --git a/src/fu-self-test.c b/src/fu-self-test.c +index 4f359614..98fac714 100644 +--- a/src/fu-self-test.c ++++ b/src/fu-self-test.c +@@ -1947,7 +1947,9 @@ fu_keyring_gpg_func (void) + g_assert_no_error (error); + g_assert_nonnull (blob_pass); + blob_sig = g_bytes_new_static (sig_gpgme, strlen (sig_gpgme)); +- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error); ++ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, ++ &error); + g_assert_no_error (error); + g_assert_nonnull (result_pass); + g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), == , 1438072952); +@@ -1960,7 +1962,8 @@ fu_keyring_gpg_func (void) + blob_fail = fu_common_get_contents_bytes (fw_fail, &error); + g_assert_no_error (error); + g_assert_nonnull (blob_fail); +- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error); ++ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, &error); + g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID); + g_assert_null (result_fail); + g_clear_error (&error); +@@ -2010,7 +2013,9 @@ fu_keyring_pkcs7_func (void) + blob_sig = fu_common_get_contents_bytes (sig_fn, &error); + g_assert_no_error (error); + g_assert_nonnull (blob_sig); +- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error); ++ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS, ++ &error); + g_assert_no_error (error); + g_assert_nonnull (result_pass); + g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), >= , 1502871248); +@@ -2022,7 +2027,8 @@ fu_keyring_pkcs7_func (void) + blob_sig2 = fu_common_get_contents_bytes (sig_fn2, &error); + g_assert_no_error (error); + g_assert_nonnull (blob_sig2); +- result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, &error); ++ result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, ++ FU_KEYRING_VERIFY_FLAG_NONE, &error); + g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID); + g_assert_null (result_fail); + g_clear_error (&error); +@@ -2033,7 +2039,8 @@ fu_keyring_pkcs7_func (void) + blob_fail = fu_common_get_contents_bytes (fw_fail, &error); + g_assert_no_error (error); + g_assert_nonnull (blob_fail); +- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error); ++ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, ++ FU_KEYRING_VERIFY_FLAG_NONE, &error); + g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID); + g_assert_null (result_fail); + g_clear_error (&error); diff --git a/SOURCES/0001-uefi-add-a-new-option-to-specify-the-os-name.patch b/SOURCES/0001-uefi-add-a-new-option-to-specify-the-os-name.patch new file mode 100644 index 0000000..f9f4e43 --- /dev/null +++ b/SOURCES/0001-uefi-add-a-new-option-to-specify-the-os-name.patch @@ -0,0 +1,74 @@ +From 3cd6171c44ef217acef059c871efc726eb9df062 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Thu, 28 Mar 2019 16:20:22 +0800 +Subject: [PATCH] uefi: add a new option to specify the os name + +fu_uefi_get_esp_path_for_os() generates the path to the OS directory +based on "ID" in /etc/os-release, and it may not work for some distros. + +Take openSUSE as an example, the "ID" for openSUSE Leap is +"opensuse-leap" and that for openSUSE Tumbleweed is "opensuse-tumbleweed". +However, both of them use the same OS directory in the ESP, i.e. +"/EFI/opensuse". + +This commit adds a new build option, efi_os_dir, to allow the packager to +specify the name of OS directory at build time instead of the runtime +detection. + +Signed-off-by: Gary Lin +--- + meson_options.txt | 1 + + plugins/uefi/fu-uefi-common.c | 4 ++++ + plugins/uefi/meson.build | 5 +++++ + 3 files changed, 10 insertions(+) + +diff --git a/meson_options.txt b/meson_options.txt +index 23ef8cdb..c1767205 100644 +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -24,3 +24,4 @@ option('efi-ld', type : 'string', value : 'ld', description : 'the linker to use + option('efi-libdir', type : 'string', description : 'path to the EFI lib directory') + option('efi-ldsdir', type : 'string', description : 'path to the EFI lds directory') + option('efi-includedir', type : 'string', value : '/usr/include/efi', description : 'path to the EFI header directory') ++option('efi_os_dir', type: 'string', description : 'the name of OS directory in ESP') +diff --git a/plugins/uefi/fu-uefi-common.c b/plugins/uefi/fu-uefi-common.c +index 2e3268aa..4d9d03d7 100644 +--- a/plugins/uefi/fu-uefi-common.c ++++ b/plugins/uefi/fu-uefi-common.c +@@ -246,6 +246,7 @@ gchar * + fu_uefi_get_esp_path_for_os (const gchar *esp_path) + { + const gchar *os_release_id = NULL; ++#ifndef EFI_OS_DIR + g_autoptr(GError) error_local = NULL; + g_autoptr(GHashTable) os_release = fwupd_get_os_release (&error_local); + if (os_release != NULL) { +@@ -255,6 +256,9 @@ fu_uefi_get_esp_path_for_os (const gchar *esp_path) + } + if (os_release_id == NULL) + os_release_id = "unknown"; ++#else ++ os_release_id = EFI_OS_DIR; ++#endif + return g_build_filename (esp_path, "EFI", os_release_id, NULL); + } + +diff --git a/plugins/uefi/meson.build b/plugins/uefi/meson.build +index 140418a8..21d4b6c8 100644 +--- a/plugins/uefi/meson.build ++++ b/plugins/uefi/meson.build +@@ -3,6 +3,11 @@ subdir('efi') + cargs = ['-DG_LOG_DOMAIN="FuPluginUefi"'] + cargs += '-DEFI_APP_LOCATION_BUILD="' + app.full_path() + '"' + ++efi_os_dir = get_option('efi_os_dir') ++if efi_os_dir != '' ++ cargs += '-DEFI_OS_DIR="' + efi_os_dir + '"' ++endif ++ + shared_module('fu_plugin_uefi', + sources : [ + 'fu-plugin-uefi.c', +-- +2.24.1 + diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der deleted file mode 100644 index 44a2563..0000000 Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt deleted file mode 100644 index 321c4ec..0000000 --- a/SOURCES/centossecureboot001.crt +++ /dev/null @@ -1,81 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - b6:16:15:71:72:fb:31:7e - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org - Validity - Not Before: Aug 1 11:47:30 2018 GMT - Not After : Dec 31 11:47:30 2037 GMT - Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa: - 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51: - cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2: - 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3: - 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0: - bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18: - 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97: - a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57: - 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35: - 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0: - aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65: - 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46: - f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f: - 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2: - 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4: - 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28: - 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef: - 94:0f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Key Usage: - Digital Signature - X509v3 Subject Key Identifier: - F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29 - X509v3 Authority Key Identifier: - keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3 - - Signature Algorithm: sha256WithRSAEncryption - 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c: - dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da: - 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b: - 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a: - 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e: - b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef: - f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f: - 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56: - a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30: - 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a: - ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97: - 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c: - 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77: - da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71: - da:7f:89:1d ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx -NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg -BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4 -MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP -f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2 -bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/ -VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR -pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud -EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb -Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B -AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G -1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV -IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv -0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ -+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD -bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ== ------END CERTIFICATE----- diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec index 9f523ec..abb2f26 100644 --- a/SPECS/fwupd.spec +++ b/SPECS/fwupd.spec @@ -4,7 +4,6 @@ %global libsoup_version 2.51.92 %global systemd_version 231 %global json_glib_version 1.1.1 -%global pesign_name centossecureboot001 %global enable_tests 1 %global enable_dummy 1 @@ -27,15 +26,18 @@ Summary: Firmware update daemon Name: fwupd Version: 1.1.4 -Release: 1%{?dist} +Release: 6%{?dist} License: LGPLv2+ URL: https://github.com/hughsie/fwupd Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz -Source1: centos-ca-secureboot.der -Source2: centossecureboot001.crt +Source1: securebootca.cer +Source2: secureboot.cer # backport from upstream Patch0: 0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch +Patch1: 0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch +Patch2: 0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch +Patch3: 0001-uefi-add-a-new-option-to-specify-the-os-name.patch BuildRequires: gettext BuildRequires: glib2-devel >= %{glib2_version} @@ -101,8 +103,6 @@ Requires: libgusb%{?_isa} >= %{libgusb_version} Requires: libsoup%{?_isa} >= %{libsoup_version} Requires: bubblewrap -Recommends: python3 - Obsoletes: fwupd-sign < 0.1.6 Obsoletes: libebitdo < 0.7.5-3 Obsoletes: libdfu < 1.0.0 @@ -123,14 +123,13 @@ Files for development with %{name}. %package tests Summary: Data files for installed tests BuildArch: noarch +Recommends: python3 %description tests Data files for installed tests. %prep -%setup -q - -%patch0 -p1 -b .aarch-is-slow +%autosetup -p1 sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \ libfwupd/generate-version-script.py \ @@ -149,6 +148,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 %meson \ -Dgtkdoc=true \ + -Defi_os_dir=redhat \ %if 0%{?enable_tests} -Dtests=true \ %else @@ -200,7 +200,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 %global efiarch aa64 %endif %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi -%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n %{pesign_name} +%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n redhatsecureboot301 %endif mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg @@ -333,8 +333,25 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg %{_datadir}/installed-tests/fwupd/*.py* %changelog -* Tue May 28 2019 Fabian Arrotin 1.1.4-1 -- Rolled in CentOS Secureboot certs +* Wed Feb 19 2020 Richard Hughes 1.1.4-6 +- Rebuild to get the EFI executable signed with the Red Hat key +- Resolves: #1713033 + +* Thu Feb 13 2020 Richard Hughes 1.1.4-5 +- Backport a patch to specify the EFI os name +- Resolves: #1713033 + +* Fri Nov 29 2019 Richard Hughes 1.1.4-4 +- Rebuild to get the EFI executable signed with the Red Hat key +- Resolves: #1680154 + +* Fri Nov 29 2019 Richard Hughes 1.1.4-3 +- Disable wacomhid by default as probing the device stops the tablet working +- Resolves: #1680154 + +* Mon Nov 25 2019 Richard Hughes 1.1.4-2 +- Do not require python3 in the base package +- Resolves: #1724593 * Wed Nov 07 2018 Richard Hughes 1.1.4-1 - New upstream release