From a8c91d83f2eb980e5594b548b44acccfc3de8e39 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 05 2015 13:25:21 +0000
Subject: import pesign-0.109-9.el7
---
diff --git a/SOURCES/0001-Allow-aarch64-in-the-rhel-build-macros.patch b/SOURCES/0001-Allow-aarch64-in-the-rhel-build-macros.patch
new file mode 100644
index 0000000..562398e
--- /dev/null
+++ b/SOURCES/0001-Allow-aarch64-in-the-rhel-build-macros.patch
@@ -0,0 +1,28 @@
+From b6572d6ed9c1a1d9b5584ee4307067d9264ca5da Mon Sep 17 00:00:00 2001
+From: "d.marlin"
+Date: Wed, 27 Aug 2014 16:26:45 -0400
+Subject: [PATCH] Allow aarch64 in the rhel build macros.
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 7faa4a1..39374ce 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -21,7 +21,9 @@
+ # -a # rhel only
+ # -s # perform signing
+ %pesign(i:o:C:e:c:n:a:s) \
+- if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
++ if [ -x %{_pesign} ] && \\\
++ [ "%{_target_cpu}" == "x86_64" -o \\\
++ "%{_target_cpu}" == "aarch64" ]; then \
+ if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
+ nss=$(mktemp -p $PWD -d) \
+ echo > ${nss}/pwfile \
+--
+1.9.3
+
diff --git a/SOURCES/0001-Build-as-PIE-RELRO-binaries.patch b/SOURCES/0001-Build-as-PIE-RELRO-binaries.patch
new file mode 100644
index 0000000..36d7dda
--- /dev/null
+++ b/SOURCES/0001-Build-as-PIE-RELRO-binaries.patch
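Review bot: In 0001-Allow-aarch64-in-the-rhel-build-macros.patch the rewritten `%pesign` guard still compares with `==` and joins the two architecture tests with `-o` inside one `[ ]`; `==` is a bash extension to `test` and POSIX marks `-o` obsolescent, so the guard only works when the build shell is bash. Separate tests with `=` are unambiguous: `if [ -x %{_pesign} ] && { [ "%{_target_cpu}" = "x86_64" ] || [ "%{_target_cpu}" = "aarch64" ]; }; then \`. The architecture allow-list now lives both here and in the spec's `ExclusiveArch`, and the branch taken when the guard is false lies outside the hunk, so it is worth confirming that an architecture missing from this list fails the build instead of producing an unsigned binary. The macro body starts before and continues past the hunk.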
@@ -0,0 +1,59 @@
+From c40c25a50563c6d3a669475b9b6ff954706c98b1 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 2 Sep 2014 11:08:23 -0400
+Subject: [PATCH] Build as PIE+RELRO binaries.
+
+Resolves: rhbz#1092542
+
+Signed-off-by: Peter Jones
+---
+ Make.defaults | 2 +-
+ libdpe/Makefile | 3 +++
+ src/Makefile | 4 ++--
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index 0995e5b..5ff74ee 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -6,7 +6,7 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
+ INCDIR = -I$(TOPDIR)/include
+ CPPFLAGS = -DCONFIG_$(ARCH)
+ CFLAGS = -g -O0
+-BUILDFLAGS := $(CFLAGS) $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function
++BUILDFLAGS := $(CFLAGS) $(ARCH3264) -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function
+ ASFLAGS = $(ARCH3264)
+ LDFLAGS = -nostdlib
+ CCLDFLAGS = -shared
+diff --git a/libdpe/Makefile b/libdpe/Makefile
+index 81d3c0b..a8b0c26 100644
+--- a/libdpe/Makefile
++++ b/libdpe/Makefile
+@@ -5,6 +5,9 @@ SONAME = libdpe.so.0
+
+ include $(TOPDIR)/Make.defaults
+
++BUILDFLAGS += -fPIC
++CCLDFLAGS += -fPIC -Wl,-z,relro,-z,now
++
+ TARGETS = libdpe.so libdpe.a
+ all : $(TARGETS)
+
+diff --git a/src/Makefile b/src/Makefile
+index e45d2a3..766ffe8 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -7,8 +7,8 @@ PKLIBS = nss
+ LIBS = popt
+ STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a
+ LDFLAGS =
+-CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib)))
+-BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror
++CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) -pie -fPIE -Wl,-z,relro,-z,now
++BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror -fPIE
+
+ TARGETS = pesign authvar client efisiglist efikeygen peverify
+
+--
+1.9.3
+
diff --git a/SOURCES/0001-Fix-some-man-page-errors.patch b/SOURCES/0001-Fix-some-man-page-errors.patch
new file mode 100644
index 0000000..3696932
--- /dev/null
+++ b/SOURCES/0001-Fix-some-man-page-errors.patch
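Review bot: Removing `-fpic` from `BUILDFLAGS` in the shared `Make.defaults` changes code generation for every directory that includes it, yet only `libdpe/Makefile` (`-fPIC`) and `src/Makefile` (`-fPIE`) add a replacement; any other consumer of `Make.defaults`, not visible in this patch, would now build position-dependent objects with no warning. Nothing checks the hardening after the link either, and the flags are hard-coded in two Makefiles where a later edit or an override from the rpm build could drop them unnoticed. A `%check` step in the spec would catch that, for example `readelf -h src/pesign | grep -q 'Type:.*DYN'` together with `readelf -d src/pesign | grep -q BIND_NOW`, repeated for the other entries in `TARGETS`. For a tool that handles signing keys this is worth asserting in the build rather than assuming.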
@@ -0,0 +1,95 @@
+From d5eb3d4a1e4eff14ef99aac1e805c06a1dafad2c Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 2 Sep 2014 11:27:58 -0400
+Subject: [PATCH] Fix some man page errors.
+
+Resolves: rhbz#948850
+
+Signed-off-by: Peter Jones
+---
+ src/pesign-client.1 | 6 +++---
+ src/pesign.1 | 17 ++++++++++++++---
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/src/pesign-client.1 b/src/pesign-client.1
+index bca4e88..e00c887 100644
+--- a/src/pesign-client.1
++++ b/src/pesign-client.1
+@@ -42,15 +42,15 @@ When using \fB-\-unlock\fR, read the token's PIN from the file \fIpinfile\fR.
+ Sign the binary specified by \fIinfile\fR.
+
+ .TP
+-\fB-\-detached\fR
++\fB-\-export\fR
+ When used with \fB-\-sign\fR, write the signature to \fIoutfile\fR.
+
+ .TP
+-\fB-\-in\fR=\fIinfile\fR
++\fB-\-infile\fR=\fIinfile\fR
+ When used with \fB-\-sign\fR, specify the input binary.
+
+ .TP
+-\fB-\-out\fR=\fIoutfile\fR
++\fB-\-outfile\fR=\fIoutfile\fR
+ When used with \fB-\-sign\fR, specify output file. If \fB-\-detached\fR
+ is specified, this will be a DER-formatted signature. Otherwise, the
+ output will be the signed PE binary.
+diff --git a/src/pesign.1 b/src/pesign.1
+index f69984e..56732d4 100644
+--- a/src/pesign.1
++++ b/src/pesign.1
+@@ -5,7 +5,8 @@ pesign \- command line tool for signing UEFI applications
+ .SH SYNOPSIS
+ \fBpesign\fR [--in=\fIinfile\fR | -i \fIinfile\fR]
+ [--out=\fIoutfile\fR | -o \fIoutfile\fR]
+- [--token=\fItoken\fR | -t \fItoken\fR]
++ [--certdir=\fIcertdir/fR | -n \fIcertdir\fR]
++ [--nss-token=\fItoken\fR | -t \fItoken\fR]
+ [--certificate=\fInickname\fR | -c \fInickname\fR]
+ [--force | -f] [--sign | -s] [--hash | -h]
+ [--digest_type=\fIdigest\fR | -d \fIdigest\fR]
+@@ -13,6 +14,7 @@ pesign \- command line tool for signing UEFI applications
+ [--export-pubkey=\fIoutkey\fR | -K \fIoutkey\fR]
+ [--export-cert=\fIoutcert\fR | -C \fIoutcert\fR]
+ [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N]
++ [--signature-number=\fIsignum\fR | -u \fIsignum\fR]
+
+ .SH DESCRIPTION
+ \fBpesign\fR is a command line tool for manipulating signatures and
+@@ -28,7 +30,11 @@ Specify input binary.
+ Specify output binary.
+
+ .TP
+-\fB-\-token\fR=\fItoken\fR
++\fB-\-certdir\fR=\fIcertdir\fR
++Specify nss certificate database directory.
++
++.TP
++\fB-\-nss-token\fR=\fItoken\fR
+ Use the specified NSS token's certificate database.
+
+ .TP
+@@ -51,7 +57,8 @@ Display the cryptographic digest of the input binary on standard output.
+ .TP
+ \fB-\-digest_type\fR=\fIdigest\fR
+ Use the specified digest in hashing and signing operations. By default,
+-this value is "sha256". Use "--digest=help" to list the available digests.
++this value is "sha256". Use "--digest_type=help" to list the available
++digests.
+
+ .TP
+ \fB-\-show-signature\fR
+@@ -62,6 +69,10 @@ Show information about the signature of the input binary.
+ Remove the signature section from the binary.
+
+ .TP
++\fB-\-signature-number\fR=\fIsignum\fR
++Specify which signature to operate on. This field is zero-indexed.
++ ++.TP + \fB-\-export-pubkey\fR=\fIoutkey\fR + Export the public key specified by --certificate to \fIoutkey\fR + +-- +1.9.3 + diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec index f17dbcf..989e850 100644 --- a/SPECS/pesign.spec +++ b/SPECS/pesign.spec @@ -1,7 +1,7 @@ Summary: Signing utility for UEFI binaries Name: pesign Version: 0.109 -Release: 6%{?dist} +Release: 9%{?dist} Group: Development/System License: GPLv2 URL: https://github.com/vathpela/pesign @@ -11,7 +11,7 @@ BuildRequires: nspr-devel >= 4.9.2-1 BuildRequires: nss-devel >= 3.13.6-1 Requires: nspr nss nss-util nss-tools popt rpm coolkey opensc Requires(pre): shadow-utils -ExclusiveArch: x86_64 +ExclusiveArch: x86_64 aarch64 # there is no tarball at github, of course. To get this version do: # git clone https://github.com/vathpela/pesign.git @@ -22,6 +22,9 @@ Patch0001: 0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch Patch0002: 0001-Fix-error-detected-by-coverity.patch Patch0003: 0001-One-more-tweak-for-RHEL-signing-rules.patch Patch0004: 0001-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch +Patch0005: 0001-Allow-aarch64-in-the-rhel-build-macros.patch +Patch0006: 0001-Build-as-PIE-RELRO-binaries.patch +Patch0007: 0001-Fix-some-man-page-errors.patch %description This package contains the pesign utility for signing UEFI binaries as @@ -101,6 +104,22 @@ exit 0 %endif %changelog +* Tue Sep 02 2014 Peter Jones - 0.109-9 +- Fix man page errors. + Resolves: rhbz#948850 + +* Tue Sep 02 2014 Peter Jones - 0.109-9 +- Build as PIE+RELRO binaries. + Resolves: rhbz#1092542 + +* Wed Aug 27 2014 Peter Jones - 0.109-8 +- Include aarch64 in the rpm macro + Related: rhbz#1100042 + +* Wed Aug 27 2014 Peter Jones - 0.109-7 +- Add aarch64. + Resolves: rhbz#1100042 + * Thu Mar 20 2014 Peter Jones - 0.109-6 - Make sure CFLAGS is inherited properly for -fstack-protector-strong. Resolves: rhbz#1070782