From fce313c28ef75412af2467fdf61cb79443f0c8bb Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 15 2022 06:27:14 +0000
Subject: import pesign-115-4.el9
---
diff --git a/.gitignore b/.gitignore
index 920f280..bfa23c7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/certs.tar.xz
-SOURCES/pesign-113.tar.bz2
+SOURCES/pesign-115.tar.bz2
diff --git a/.pesign.metadata b/.pesign.metadata
index c9655cb..d947d72 100644
--- a/.pesign.metadata
+++ b/.pesign.metadata
@@ -1,2 +1,2 @@
 b6777cc78ca2d2f250f3142e97e17dd855bc9b88 SOURCES/certs.tar.xz
-1fabe291298395b6dd3129e250d8b67345745834 SOURCES/pesign-113.tar.bz2
+849099b74a8c54f3fe5090605d2a71c0511acd1a SOURCES/pesign-115.tar.bz2
diff --git a/SOURCES/0001-daemon-remove-always-true-comparison.patch b/SOURCES/0001-daemon-remove-always-true-comparison.patch
new file mode 100644
index 0000000..cbb5d32
--- /dev/null
+++ b/SOURCES/0001-daemon-remove-always-true-comparison.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 8 Mar 2022 12:59:34 -0500
+Subject: [PATCH] daemon: remove always-true comparison
+
+Signed-off-by: Robbie Harwood
+---
+ src/daemon.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index 0a66deb..ff88210 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -221,8 +221,7 @@ malformed:
+ if (!ctx->cms->tokenname)
+ goto oom;
+
+- if (!tp->value)
+- pin = strndup((char *)tp->value, tp->size);
++ pin = strndup((char *)tp->value, tp->size);
+ if (!pin)
+ goto oom;
+
diff --git a/SOURCES/0001-efikeygen-Fix-the-build-with-nss-3.44.patch b/SOURCES/0001-efikeygen-Fix-the-build-with-nss-3.44.patch
deleted file mode 100644
index e583369..0000000
--- a/SOURCES/0001-efikeygen-Fix-the-build-with-nss-3.44.patch
+++ /dev/null
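Review bot: The PIN that `pin = strndup((char *)tp->value, tp->size);` copies out of the client message is a secret, and nothing in this hunk scrubs that heap copy before it is released; the `if (!pin) goto oom;` right after it jumps to a cleanup label that lies outside the hunk, so I cannot see whether it does. Unless the caller already handles it, the copy should be wiped where it is freed, e.g. `explicit_bzero(pin, strlen(pin)); free(pin);`, since a strndup'd PIN otherwise lingers in freed heap memory of a long-running daemon; the same presumably goes for the received buffer holding `tp->value`. `tp->size` comes from the socket peer and the `malformed:` label in the hunk header suggests it is bounds-checked above, but that check is not visible here. The function containing this code starts and ends outside the hunk.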
@@ -1,45 +0,0 @@ -From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 May 2019 11:28:38 -0400 -Subject: [PATCH] efikeygen: Fix the build with nss 3.44 - -NSS 3.44 adds some certificate types, which changes a type and makes -some encoding stuff weird. As a result, we get: - -gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o -In file included from /usr/local/include/nss/nss/cert.h:22, - from efikeygen.c:39: -efikeygen.c: In function 'add_cert_type': -/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow] - (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ - ^ -efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP' - unsigned char type = NS_CERT_TYPE_APP; - ^~~~~~~~~~~~~~~~ -cc1: all warnings being treated as errors - -This is fixed by just making it an int. - -Fixes github issue #48. - -Signed-off-by: Peter Jones ---- - src/efikeygen.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/efikeygen.c b/src/efikeygen.c -index ede76ef0b48..2cd953e9781 100644 ---- a/src/efikeygen.c -+++ b/src/efikeygen.c -@@ -208,7 +208,7 @@ static int - add_cert_type(cms_context *cms, void *extHandle, int is_ca) - { - SECItem bitStringValue; -- unsigned char type = NS_CERT_TYPE_APP; -+ int type = NS_CERT_TYPE_APP; - - if (is_ca) - type |= NS_CERT_TYPE_SSL_CA | --- -2.23.0 - 
diff --git a/SOURCES/0002-Disable-pragmas-for-warnings-that-are-too-old.patch b/SOURCES/0002-Disable-pragmas-for-warnings-that-are-too-old.patch
new file mode 100644
index 0000000..f88a9ac
--- /dev/null
+++ b/SOURCES/0002-Disable-pragmas-for-warnings-that-are-too-old.patch
@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 9 Feb 2022 14:42:24 -0500
+Subject: [PATCH] Disable pragmas for warnings that are too old
+
+Signed-off-by: Robbie Harwood
+---
+ src/daemon.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index ff88210..d66dd50 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -917,10 +917,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
+ free(pollfds);
+ }
+
+-/* GCC -fanalyzer has trouble with realloc
+- * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
+-#pragma GCC diagnostic push
+-#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
+ static int
+ handle_events(context *ctx)
+ {
+@@ -999,7 +995,6 @@ shutdown:
+ }
+ return 0;
+ }
+-#pragma GCC diagnostic pop
+
+ static int
+ get_uid_and_gid(context *ctx, char **homedir)
diff --git a/SOURCES/0002-pesigcheck-Fix-a-wrong-assignment.patch b/SOURCES/0002-pesigcheck-Fix-a-wrong-assignment.patch
deleted file mode 100644
index 7df5f0b..0000000
--- a/SOURCES/0002-pesigcheck-Fix-a-wrong-assignment.patch
+++ /dev/null
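Review bot: Removing the pragmas outright means a compiler new enough to recognise `-Wanalyzer-use-of-uninitialized-value` and run `-fanalyzer` will again report the realloc false positive the deleted comment pointed at, so the suppression was presumably dropped only because the system GCC rejects the unknown option name under `-Werror`. A version guard keeps both behaviours: wrap the push/ignored pair and the matching pop in `#if defined(__GNUC__) && __GNUC__ >= 12` / `#endif` and keep the Bugzilla reference in the comment, rather than deleting the explanation of why the warning is bogus. The body of handle_events lies between the two hunks and is not shown, so I cannot confirm the realloc site itself is unchanged.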
@@ -1,49 +0,0 @@ -From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 18 Feb 2020 16:28:56 -0500 -Subject: [PATCH] pesigcheck: Fix a wrong assignment - -gcc says: - - pesigcheck.c: In function 'check_signature': - pesigcheck.c:321:17: error: implicit conversion from 'enum ' to 'enum ' [-Werror=enum-conversion] - 321 | reason->type = siBuffer; - | ^ - pesigcheck.c:333:17: error: implicit conversion from 'enum ' to 'enum ' [-Werror=enum-conversion] - 333 | reason->type = siBuffer; - | ^ - cc1: all warnings being treated as errors - -And indeed, that line of code makes no sense at all - it was supposed to -be reason->sig.type. - -Signed-off-by: Peter Jones ---- - src/pesigcheck.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/pesigcheck.c b/src/pesigcheck.c -index 524cce307bf..8fa0f1ad03d 100644 ---- a/src/pesigcheck.c -+++ b/src/pesigcheck.c -@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons, - reason->type = SIGNATURE; - reason->sig.data = data; - reason->sig.len = datalen; -- reason->type = siBuffer; -+ reason->sig.type = siBuffer; - nreason += 1; - is_invalid = true; - } -@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons, - reason->type = SIGNATURE; - reason->sig.data = data; - reason->sig.len = datalen; -- reason->type = siBuffer; -+ reason->sig.type = siBuffer; - nreason += 1; - has_valid_cert = true; - } --- -2.24.1 - diff --git a/SOURCES/0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch b/SOURCES/0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch new file mode 100644 index 0000000..0dca694 --- /dev/null +++ b/SOURCES/0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch 
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Fri, 25 Mar 2022 15:01:54 -0400
+Subject: [PATCH] Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
+
+Signed-off-by: Robbie Harwood
+---
+ Make.defaults | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index 130c1ee..4b0e77c 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -79,7 +79,7 @@ ccldflags = $(cflags) $(CCLDFLAGS) $(LDFLAGS) \
+ $(call pkg-config-ccldflags)
+ efi_cflags = $(cflags)
+ ASFLAGS ?= $(ARCH3264)
+-CPPFLAGS ?= -D_FORTIFY_SOURCE=2
++CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS
+ RANLIBFLAGS ?= $(if $(filter $(CC),gcc),-D)
+ ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
+
diff --git a/SOURCES/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch b/SOURCES/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
deleted file mode 100644
index e639675..0000000
--- a/SOURCES/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
+++ /dev/null
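Review bot: `-D_GLIBCXX_ASSERTIONS` is a libstdc++ header knob, and everything this `CPPFLAGS` reaches in the hunk is C (`cflags`, `efi_cflags`, no CXXFLAGS in sight), so the new define is a no-op unless a C++ source exists outside the hunk; harmless, but a comment such as `# _GLIBCXX_ASSERTIONS mirrors the distro hardening flag set; no effect on C sources` would stop the next reader from hunting for the C++ it protects. The more consequential detail is the `?=`: any packager or CI job that exports CPPFLAGS replaces the whole default and silently loses `-D_FORTIFY_SOURCE=2` along with the new flag. If the hardening defines are meant to apply regardless, `CPPFLAGS += -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS` keeps them even when the caller supplies CPPFLAGS.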
@@ -1,317 +0,0 @@ -From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 11 Jun 2020 16:23:14 -0400 -Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and - vise versa - -This makes the version of the sign API that takes a file type optional, -and makes the client attempt to negotiate which version it's getting. -It also leaves the server able to still handle the version from before -the file type was added. - -Signed-off-by: Peter Jones ---- - src/client.c | 74 +++++++++++++++++++++++++++++++++++++--------------- - src/daemon.c | 63 +++++++++++++++++++++++++++++--------------- - src/daemon.h | 2 ++ - 3 files changed, 97 insertions(+), 42 deletions(-) - -diff --git a/src/client.c b/src/client.c -index aa373abd981..57bcc09cbe8 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -11,6 +11,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -84,8 +85,8 @@ connect_to_server(void) - static int32_t - check_response(int sd, char **srvmsg); - --static void --check_cmd_version(int sd, uint32_t command, char *name, int32_t version) -+static int -+check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit) - { - struct msghdr msg; - struct iovec iov[1]; -@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) - ssize_t n; - n = sendmsg(sd, &msg, 0); - if (n < 0) { -- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n"); -+ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n"); - exit(1); - } - -@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) - - char *srvmsg = NULL; - int32_t rc = check_response(sd, &srvmsg); -- if (rc < 0) -+ -+ if (do_exit && rc < 0) - errx(1, "command \"%s\" not known by server", name); -- if (rc != version) -+ -+ if (do_exit && rc != version) - errx(1, "command \"%s\": client version %d, server version %d", - name, version, rc); 
-+ -+ if (rc < 0) -+ return rc; -+ return rc == version; - } - - static void -@@ -134,7 +141,7 @@ send_kill_daemon(int sd) - struct iovec iov; - pesignd_msghdr pm; - -- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0); -+ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true); - - pm.version = PESIGND_VERSION; - pm.command = CMD_KILL_DAEMON; -@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin) - - uint32_t size1 = pesignd_string_size(pin); - -- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0); -+ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true); - - pm.version = PESIGND_VERSION; - pm.command = CMD_UNLOCK_TOKEN; -@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname) - - uint32_t size0 = pesignd_string_size(tokenname); - -- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0); -+ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true); - - pm.version = PESIGND_VERSION; - pm.command = CMD_IS_TOKEN_UNLOCKED; -@@ -452,6 +459,9 @@ static void - sign(int sd, char *infile, char *outfile, char *tokenname, char *certname, - int attached, uint32_t format) - { -+ int rc; -+ bool add_file_type; -+ - int infd = open(infile, O_RDONLY); - if (infd < 0) { - fprintf(stderr, "pesign-client: could not open input file " -@@ -481,12 +491,28 @@ oom: - exit(1); - } - -- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED, -- attached ? "sign-attached" : "sign-detached", 0); -+ rc = check_cmd_version(sd, -+ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE -+ : CMD_SIGN_DETACHED_WITH_FILE_TYPE, -+ attached ? "sign-attached" : "sign-detached", -+ 0, format == FORMAT_KERNEL_MODULE); -+ if (rc >= 0) { -+ add_file_type = true; -+ } else { -+ add_file_type = false; -+ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED -+ : CMD_SIGN_DETACHED, -+ attached ? 
"sign-attached" : "sign-detached", -+ 0, true); -+ } - -+ printf("add_file_type:%d\n", add_file_type); - pm->version = PESIGND_VERSION; -- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED; -- pm->size = size0 + size1 + sizeof(format); -+ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE -+ : CMD_SIGN_ATTACHED) -+ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE -+ : CMD_SIGN_DETACHED); -+ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0); - iov[0].iov_base = pm; - iov[0].iov_len = sizeof (*pm); - -@@ -503,25 +529,31 @@ oom: - } - - char *buffer; -- buffer = malloc(size0 + size1); -+ buffer = malloc(pm->size); - if (!buffer) - goto oom; - -- iov[0].iov_base = &format; -- iov[0].iov_len = sizeof(format); -+ int pos = 0; -+ -+ if (add_file_type) { -+ iov[pos].iov_base = &format; -+ iov[pos].iov_len = sizeof(format); -+ pos++; -+ } - - pesignd_string *tn = (pesignd_string *)buffer; - pesignd_string_set(tn, tokenname); -- iov[1].iov_base = tn; -- iov[1].iov_len = size0; -+ iov[pos].iov_base = tn; -+ iov[pos].iov_len = size0; -+ pos++; - - pesignd_string *cn = pesignd_string_next(tn); - pesignd_string_set(cn, certname); -- iov[2].iov_base = cn; -- iov[2].iov_len = size1; -+ iov[pos].iov_base = cn; -+ iov[pos].iov_len = size1; - - msg.msg_iov = iov; -- msg.msg_iovlen = 3; -+ msg.msg_iovlen = add_file_type ? 
3 : 2; - - n = sendmsg(sd, &msg, 0); - if (n < 0) { -@@ -535,7 +567,7 @@ oom: - send_fd(sd, outfd); - - char *srvmsg = NULL; -- int rc = check_response(sd, &srvmsg); -+ rc = check_response(sd, &srvmsg); - if (rc < 0) { - fprintf(stderr, "pesign-client: signing failed: \"%s\"\n", - srvmsg); -diff --git a/src/daemon.c b/src/daemon.c -index 9374d59be30..494beb9af72 100644 ---- a/src/daemon.c -+++ b/src/daemon.c -@@ -12,6 +12,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -561,7 +562,7 @@ out: - - static void - handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size, -- int attached) -+ int attached, bool with_file_type) - { - struct msghdr msg; - struct iovec iov; -@@ -585,8 +586,12 @@ oom: - - n = recvmsg(pollfd->fd, &msg, MSG_WAITALL); - -- file_format = *((uint32_t *) buffer); -- n -= sizeof(uint32_t); -+ if (with_file_type) { -+ file_format = *((uint32_t *) buffer); -+ n -= sizeof(uint32_t); -+ } else { -+ file_format = FORMAT_PE_BINARY; -+ } - - pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t)); - if (n < (long long)sizeof(tn->size)) { -@@ -666,34 +671,44 @@ finish: - teardown_digests(ctx->cms); - } - -+static inline void -+handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size, -+ int attached, bool with_file_type) -+{ -+ int rc = cms_context_alloc(&ctx->cms); -+ if (rc < 0) -+ return; -+ -+ steal_from_cms(ctx->backup_cms, ctx->cms); -+ -+ handle_signing(ctx, pollfd, size, attached, with_file_type); -+ -+ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms); -+ cms_context_fini(ctx->cms); -+} -+ - static void - handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size) - { -- int rc = cms_context_alloc(&ctx->cms); -- if (rc < 0) -- return; -+ handle_sign_helper(ctx, pollfd, size, 1, false); -+} - -- steal_from_cms(ctx->backup_cms, ctx->cms); -- -- handle_signing(ctx, pollfd, size, 1); -- -- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms); -- 
cms_context_fini(ctx->cms); -+static void -+handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size) -+{ -+ handle_sign_helper(ctx, pollfd, size, 1, true); - } - - static void - handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size) - { -- int rc = cms_context_alloc(&ctx->cms); -- if (rc < 0) -- return; -+ handle_sign_helper(ctx, pollfd, size, 0, false); -+} - -- steal_from_cms(ctx->backup_cms, ctx->cms); -- -- handle_signing(ctx, pollfd, size, 0); -- -- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms); -- cms_context_fini(ctx->cms); -+static void -+handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size) -+{ -+ handle_sign_helper(ctx, pollfd, size, 0, true); - } - - static void -@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = { - { CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 }, - { CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 }, - { CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 }, -+ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE, -+ handle_sign_attached_with_file_type, -+ "sign-attached-with-file-type", 0 }, -+ { CMD_SIGN_DETACHED_WITH_FILE_TYPE, -+ handle_sign_detached_with_file_type, -+ "sign-detached-with-file-type", 0 }, - { CMD_RESPONSE, NULL, "response", 0 }, - { CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked, - "is-token-unlocked", 0 }, -diff --git a/src/daemon.h b/src/daemon.h -index dd430512f1a..834d62c72d0 100644 ---- a/src/daemon.h -+++ b/src/daemon.h -@@ -33,6 +33,8 @@ typedef enum { - CMD_RESPONSE, - CMD_IS_TOKEN_UNLOCKED, - CMD_GET_CMD_VERSION, -+ CMD_SIGN_ATTACHED_WITH_FILE_TYPE, -+ CMD_SIGN_DETACHED_WITH_FILE_TYPE, - CMD_LIST_END - } pesignd_cmd; - --- -2.26.2 - diff --git a/SOURCES/0004-Rename-var-run-to-run.patch b/SOURCES/0004-Rename-var-run-to-run.patch deleted file mode 100644 index 593761b..0000000 --- a/SOURCES/0004-Rename-var-run-to-run.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 12 Jun 2020 11:49:44 -0400 -Subject: [PATCH] Rename /var/run/ to /run/ - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 12 ++++++------ - src/tmpfiles.conf | 2 +- - 2 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 56f75cafbc4..5a6da1c6809 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -45,14 +45,14 @@ - rm -rf ${sattrs} ${sattrs}.sig ${nss} \ - elif [ "$(id -un)" == "kojibuilder" -a \\\ - grep -q ID=fedora /etc/os-release -a \\\ -- ! -S /var/run/pesign/socket ]; then \ -+ ! -S /run/pesign/socket ]; then \ - echo "No socket even though this is kojibuilder" 1>&2 \ -- ls -ld /var/run/pesign 1>&2 \ -- ls -l /var/run/pesign/socket 1>&2 \ -- getfacl /var/run/pesign 1>&2 \ -- getfacl /var/run/pesign/socket 1>&2 \ -+ ls -ld /run/pesign 1>&2 \ -+ ls -l /run/pesign/socket 1>&2 \ -+ getfacl /run/pesign 1>&2 \ -+ getfacl /run/pesign/socket 1>&2 \ - exit 1 \ -- elif [ -S /var/run/pesign/socket ]; then \ -+ elif [ -S /run/pesign/socket ]; then \ - %{_pesign_client} -t %{__pesign_client_token} \\\ - -c %{__pesign_client_cert} \\\ - %{-i} %{-o} %{-e} %{-s} %{-C} \ -diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf -index c1cf35597d8..3375ad52a44 100644 ---- a/src/tmpfiles.conf -+++ b/src/tmpfiles.conf -@@ -1 +1 @@ --D /var/run/pesign 0770 pesign pesign - -+D /run/pesign 0770 pesign pesign - --- -2.26.2 - diff --git a/SOURCES/0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch b/SOURCES/0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch new file mode 100644 index 0000000..b9ef70d --- /dev/null +++ b/SOURCES/0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch 
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 10 Aug 2021 12:39:08 -0400
+Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver
+
+Signed-off-by: Peter Jones
+(cherry picked from commit a1bc65c8b0fc20dbe9c9714ee3a31937184ba7f6)
+(cherry picked from commit 83190f50505a0744dfb70d3b549914ae713e6713)
+---
+ src/macros.pesign | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 34af57c..b7d6af1 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -34,7 +34,8 @@
+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\
+ %{?_buildhost:--hostname "%{_buildhost}"} \\\
+ %{?vendor:--vendor "%{vendor}"} \\\
+- %{?_rhel:--rhelver "%{_rhel}"} \\\
++ %{?rhel:--rhelver "%{rhel}"} \\\
++ %{?centos:--rhelver "%{centos}"} \\\
+ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\
+ %{?-a:--rhelcafile "%{-a*}"} \\\
+ %{?-c:--rhelcertfile "%{-c*}"} \\\
diff --git a/SOURCES/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch b/SOURCES/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
deleted file mode 100644
index 2b47880..0000000
--- a/SOURCES/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
+++ /dev/null
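Review bot: On a buildroot where both `%rhel` and `%centos` are defined (CentOS Stream defines both, as far as I know), the two added lines pass `--rhelver` twice, and which value wins depends on how pesign-rpmbuild-helper handles a repeated option, which is outside this hunk. Making the two exclusive removes the question: `%{?centos:--rhelver "%{centos}"}%{!?centos:%{?rhel:--rhelver "%{rhel}"}} \\\`. Note also that the old `%{?_rhel:...}` spelling is dropped, so a build that sets `_rhel` but not `rhel` now passes no `--rhelver` at all; that may well be the intent, but it is a behaviour change worth one line in the commit message since it decides which signing path the helper takes.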
@@ -1,30 +0,0 @@ -From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001 -From: Jeremy Cline -Date: Tue, 18 Feb 2020 16:37:53 -0500 -Subject: [PATCH] Apparently opensc got updated and the token name changed - -All the kernel builds started failing yesterday because the signing -token could not be found. Update the token name in the macro shipped by -pesign. - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 7c5cba170e9..56f75cafbc4 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -9,7 +9,7 @@ - %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} - %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} - --%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"} -+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} - %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"} - - %_pesign /usr/bin/pesign --- -2.26.2 - diff --git a/SOURCES/0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch b/SOURCES/0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch new file mode 100644 index 0000000..705fb74 --- /dev/null +++ b/SOURCES/0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch 
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Mon, 4 Apr 2022 14:45:29 -0400
+Subject: [PATCH] Detect the presence of rpm-sign when checking for "rhel"-ness
+
+Signed-off-by: Peter Jones
+[rharwood: manually reapply to main]
+Signed-off-by: Robbie Harwood
+(cherry picked from commit 17e5878cb087e0a766722d3c487f87c41b318f9a)
+(cherry picked from commit a1cfd0b6ddb423571d430f3df46af7761c0797e3)
+---
+ src/pesign-rpmbuild-helper.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
+index 0a845d2..239605a 100644
+--- a/src/pesign-rpmbuild-helper.in
++++ b/src/pesign-rpmbuild-helper.in
+@@ -192,7 +192,7 @@ main() {
+ fi
+ fi
+
+- if [[ "${rhelver}" -ge 7 ]] ; then
++ if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then
+ nssdir="$(mktemp -p "${PWD}" -d)"
+ echo > "${nssdir}/pwfile"
+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
diff --git a/SOURCES/0006-client-try-run-and-var-run-for-the-socket-path.patch b/SOURCES/0006-client-try-run-and-var-run-for-the-socket-path.patch
deleted file mode 100644
index 337faab..0000000
--- a/SOURCES/0006-client-try-run-and-var-run-for-the-socket-path.patch
+++ /dev/null
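Review bot: `which` is an external program that minimal buildroots do not always install, and because it sits on the right of `&&` its own absence is indistinguishable from rpm-sign being absent, so the probe can fail for the wrong reason and quietly steer the build away from the RHEL signing path. The bash builtin does the same PATH lookup with no extra dependency: `if [[ "${rhelver}" -ge 7 ]] && command -v rpm-sign >/dev/null 2>&1 ; then`. Separately, when rpm-sign really is missing on a RHEL-versioned build this now falls through without a word, and whatever the else branch signs with is outside the hunk; unless that branch already logs it, an `echo "rpm-sign not found; skipping RHEL signing" >&2` on the way out would make a silently test-signed artifact visible in the build log. main() continues outside the hunk.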
@@ -1,86 +0,0 @@ -From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 6 Jul 2020 16:13:09 -0400 -Subject: [PATCH 6/7] client: try /run and /var/run for the socket path. - -Signed-off-by: Peter Jones ---- - src/client.c | 40 +++++++++++++++++++++++++++++----------- - 1 file changed, 29 insertions(+), 11 deletions(-) - -diff --git a/src/client.c b/src/client.c -index 2119ef33bf8..a38383415d5 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag) - } - - static int --connect_to_server(void) -+connect_to_server_helper(const char * const sockpath) - { -- int rc = access(SOCKPATH, R_OK); -+ int rc = access(sockpath, R_OK); - if (rc != 0) { -- fprintf(stderr, "pesign-client: could not connect to server: " -- "%m\n"); -- exit(1); -+ warn("could not access socket \"%s\"", sockpath); -+ return rc; - } - - struct sockaddr_un addr_un = { - .sun_family = AF_UNIX, -- .sun_path = SOCKPATH, - }; -+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path)); -+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0'; - - int sd = socket(AF_UNIX, SOCK_STREAM, 0); - if (sd < 0) { -- fprintf(stderr, "pesign-client: could not open socket: %m\n"); -- exit(1); -+ warn("could not open socket \"%s\"", sockpath); -+ return sd; - } - - socklen_t len = strlen(addr_un.sun_path) + -@@ -74,14 +74,32 @@ connect_to_server(void) - - rc = connect(sd, (struct sockaddr *)&addr_un, len); - if (rc < 0) { -- fprintf(stderr, "pesign-client: could not connect to daemon: " -- "%m\n"); -- exit(1); -+ warn("could not connect to daemon"); -+ return sd; - } - - return sd; - } - -+static int -+connect_to_server(void) -+{ -+ int rc, i; -+ const char * const sockets[] = { -+ "/run/pesign/socket", -+ "/var/run/pesign/socket", -+ NULL -+ }; -+ -+ for (i = 0; sockets[i] != NULL; i++) { -+ rc = connect_to_server_helper(sockets[i]); -+ if (rc >= 0) -+ return rc; -+ } -+ -+ exit(1); -+} -+ - static int32_t - 
check_response(int sd, char **srvmsg); - --- -2.26.2 - diff --git a/SOURCES/0007-client-remove-an-extra-debug-print.patch b/SOURCES/0007-client-remove-an-extra-debug-print.patch deleted file mode 100644 index b094ea5..0000000 --- a/SOURCES/0007-client-remove-an-extra-debug-print.patch +++ /dev/null @@ -1,25 +0,0 @@ -From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 Jul 2020 16:44:09 -0400 -Subject: [PATCH 07/11] client: remove an extra debug print - -Signed-off-by: Peter Jones ---- - src/client.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/client.c b/src/client.c -index 0082be1f597..c9966295e5f 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -536,7 +536,6 @@ oom: - 0, true); - } - -- printf("add_file_type:%d\n", add_file_type); - pm->version = PESIGND_VERSION; - pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE - : CMD_SIGN_ATTACHED) --- -2.26.2 - diff --git a/SOURCES/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/SOURCES/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch deleted file mode 100644 index 3a62cf6..0000000 --- a/SOURCES/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch +++ /dev/null 
@@ -1,379 +0,0 @@ -From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 6 Jul 2020 13:54:35 -0400 -Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper - -Signed-off-by: Peter Jones ---- - Make.defaults | 1 + - src/Makefile | 8 +- - src/macros.pesign | 74 ++++-------- - src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++ - 4 files changed, 252 insertions(+), 53 deletions(-) - create mode 100644 src/pesign-rpmbuild-helper.in - -diff --git a/Make.defaults b/Make.defaults -index 0bacafe0d01..d4cd626c11e 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR) - - INSTALL ?= install - CROSS_COMPILE ?= -+EFI_ARCHES ?= aa64 ia32 x64 - - PKG_CONFIG = $(CROSS_COMPILE)pkg-config - CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC)) -diff --git a/src/Makefile b/src/Makefile -index 74327ba13f3..a7ca89159c6 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version - include $(TOPDIR)/Make.rules - include $(TOPDIR)/Make.defaults - --BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign -+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper - SVCTARGETS=pesign.sysvinit pesign.service - TARGETS=$(BINTARGETS) $(SVCTARGETS) - -@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC - pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a - pesign : PKGS=efivar nss nspr popt - -+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in -+ sed \ -+ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \ -+ $^ > $@ -+ - deps : PKGS=efivar nss nspr popt uuid - deps : $(ALL_SOURCES) - $(MAKE) -f $(TOPDIR)/Make.deps \ -@@ -94,6 +99,7 @@ install : - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ -+ $(INSTALL) -m 755 
pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign - $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users - $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups -diff --git a/src/macros.pesign b/src/macros.pesign -index 5a6da1c6809..2e984b4eeb3 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -6,7 +6,7 @@ - # %pesign -s -i shim.orig -o shim.efi - # And magically get the right thing. - --%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} -+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"} - %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} - - %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} -@@ -24,54 +24,24 @@ - # -a # rhel only - # -s # perform signing - %pesign(i:o:C:e:c:n:a:s) \ -- _pesign_nssdir=/etc/pki/pesign \ -- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \ -- _pesign_nssdir=/etc/pki/pesign-rh-test \ -- fi \ -- if [ -x %{_pesign} ] && \\\ -- [ "%{_target_cpu}" == "x86_64" -o \\\ -- "%{_target_cpu}" == "aarch64" ]; then \ -- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ -- nss=$(mktemp -p $PWD -d) \ -- echo > ${nss}/pwfile \ -- certutil -N -d ${nss} -f ${nss}/pwfile \ -- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \ -- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \ -- sattrs=$(mktemp -p $PWD --suffix=.der) \ -- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \ -- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \ -- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ -- --certdir ${nss} -c signer %{-o} \ -- rm -rf ${sattrs} ${sattrs}.sig ${nss} \ -- elif [ "$(id -un)" == "kojibuilder" -a \\\ -- grep -q ID=fedora /etc/os-release -a \\\ -- ! 
-S /run/pesign/socket ]; then \ -- echo "No socket even though this is kojibuilder" 1>&2 \ -- ls -ld /run/pesign 1>&2 \ -- ls -l /run/pesign/socket 1>&2 \ -- getfacl /run/pesign 1>&2 \ -- getfacl /run/pesign/socket 1>&2 \ -- exit 1 \ -- elif [ -S /run/pesign/socket ]; then \ -- %{_pesign_client} -t %{__pesign_client_token} \\\ -- -c %{__pesign_client_cert} \\\ -- %{-i} %{-o} %{-e} %{-s} %{-C} \ -- else \ -- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ -- --certdir ${_pesign_nssdir} \\\ -- %{-i} %{-o} %{-e} %{-s} %{-C} \ -- fi \ -- else \ -- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \ -- mv %{-i*} %{-o*} \ -- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \ -- touch %{-e*} \ -- fi \ -- fi \ -- if [ ! -s %{-o} ]; then \ -- if [ -e "%{-o*}" ]; then \ -- rm -f %{-o*} \ -- fi \ -- exit 1 \ -- fi ; -- -+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\ -+ "%{_target_cpu}" \\\ -+ "%{_pesign}" \\\ -+ "%{_pesign_client}" \\\ -+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\ -+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\ -+ %{?__pesign_token:%{__pesign_token}} \\\ -+ %{?__pesign_cert:--cert %{__pesign_cert}} \\\ -+ %{?_buildhost:--hostname "%{_buildhost}"} \\\ -+ %{?vendor:--vendor "%{vendor}"} \\\ -+ %{?_rhel:--rhelver "%{_rhel}"} \\\ -+ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\ -+ %{?-a:--rhelcafile "%{-a*}"} \\\ -+ %{?-c:--rhelcertfile "%{-c*}"} \\\ -+ %{?-C:--certout "%{-C*}"} \\\ -+ %{?-e:--sattrout "%{-e*}"} \\\ -+ %{?-i:--in "%{-i*}"} \\\ -+ %{?-o:--out "%{-o*}"} \\\ -+ %{?-s:--sign} \\\ -+ ; \ -+%{nil} -diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in -new file mode 100644 -index 00000000000..c5287c27e0c ---- /dev/null -+++ b/src/pesign-rpmbuild-helper.in -@@ -0,0 +1,222 @@ -+#!/bin/bash -+# shellcheck shell=bash -+ -+set -eu -+set -x -+ -+usage() { -+ local status="${1}" && shift -+ local out -+ if [[ "${status}" -eq 0 ]] ; then -+ out=/dev/stdout -+ else -+ 
out=/dev/stderr -+ fi -+ -+ if [[ $# -gt 0 ]] ; then -+ echo "${0}: error: $*" >>"${out}" -+ fi -+ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}" -+ exit "${status}" -+} -+ -+is_efi_arch() { -+ local arch="${1}" -+ local arches=(@@EFI_ARCHES@@) -+ local x -+ for x in "${arches[@]}" ; do -+ if [[ "${arch}" = "${x}" ]] ; then -+ return 0 -+ fi -+ done -+ return 1 -+} -+ -+error_on_empty() { -+ local f="${1}" -+ if [[ ! -s "${f}" ]] ; then -+ if [[ -e "${f}" ]] ; then -+ rm -f "${f}" -+ fi -+ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr -+ exit 1 -+ fi -+} -+ -+main() { -+ if [[ $# -lt 3 ]] ; then -+ usage 1 not enough arguments -+ fi -+ local target_cpu="${1}" && shift -+ local bin="${1}" && shift -+ local client="${1}" && shift -+ -+ local rhelcafile="" || : -+ local rhelcertfile="" || : -+ -+ local certout=() || : -+ local sattrout=() || : -+ local input=() || : -+ local output=() || : -+ local client_token=() || : -+ local client_cert=() || : -+ local token=() || : -+ local cert=() || : -+ local rhelcert=() || : -+ local rhelver=0 || : -+ local sign="" || : -+ local arch="" || : -+ local vendor="" || : -+ local HOSTNAME="" || : -+ -+ while [[ $# -ge 2 ]] ; do -+ case " ${1} " in -+ " --rhelcafile ") -+ rhelcafile="${2}" -+ ;; -+ " --rhelcertfile ") -+ rhelcertfile="${2}" -+ ;; -+ " --hostname ") -+ HOSTNAME="${2}" -+ ;; -+ " --certout ") -+ certout[0]=-C -+ certout[1]="${2}" -+ ;; -+ " --sattrout ") -+ sattrout[0]=-e -+ sattrout[1]="${2}" -+ ;; -+ " --client-token ") -+ client_token[0]=-t -+ client_token[1]="${2}" -+ ;; -+ " --client-cert ") -+ client_cert[0]=-c -+ client_cert[1]="${2}" -+ ;; -+ " --token ") -+ token[0]=-t -+ token[1]="${2}" -+ ;; -+ " --cert ") -+ cert[0]=-c -+ cert[1]="${2}" -+ ;; -+ " --rhelcert ") -+ rhelcert[0]=-c -+ rhelcert[1]="${2}" -+ ;; -+ " --in ") -+ input[0]=-i -+ input[1]="${2}" -+ ;; -+ " --out ") -+ output[0]=-o -+ output[1]="${2}" -+ ;; -+ " --rhelver ") -+ rhelver="${2}" -+ ;; 
-+ " --vendor ") -+ vendor="${2}" -+ ;; -+ *) -+ break -+ ;; -+ esac -+ shift -+ shift -+ done -+ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then -+ sign=-s -+ shift -+ fi -+ -+ if [[ -z "${target_cpu}" ]] ; then -+ target_cpu="$(uname -m)" -+ fi -+ -+ target_cpu="${target_cpu/i?86/ia32}" -+ target_cpu="${target_cpu/x86_64/x64}" -+ target_cpu="${target_cpu/aarch64/aa64}" -+ target_cpu="${target_cpu/arm*/arm/}" -+ -+ local nssdir=/etc/pki/pesign -+ if [[ "${#cert[@]}" -eq 2 ]] && -+ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then -+ nssdir=/etc/pki/pesign-rh-test -+ fi -+ -+ # is_efi_arch is ultimately returning "is pesign configured to sign these -+ # using the rpm macro", so if it isn't, we're just copying the input to -+ # the output -+ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then -+ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then -+ cp -v "${input[1]}" "${output[1]}" -+ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then -+ touch "${sattrout[1]}" -+ fi -+ -+ # if there's a 0-sized output file, delete it and error out -+ error_on_empty "${output[1]}" -+ return 0 -+ fi -+ -+ USERNAME="${USERNAME:-$(id -un)}" -+ -+ local socket="" || : -+ if grep -q ID=fedora /etc/os-release \ -+ && [[ "${rhelver}" -lt 7 ]] \ -+ && [[ "${USERNAME}" = "mockbuild" ]] \ -+ && [[ "${vendor}" = "Fedora Project" ]] \ -+ && [[ "${HOSTNAME}" =~ bkernel.* ]] -+ then -+ if [[ -S /run/pesign/socket ]] ; then -+ socket=/run/pesign/socket -+ elif [[ -S /var/run/pesign/socket ]]; then -+ socket=/var/run/pesign/socket -+ else -+ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2 -+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2 -+ ls -ld /run/pesign /var/run/pesign 1>&2 ||: -+ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||: -+ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||: -+ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 
1>&2 ||: -+ fi -+ fi -+ -+ if [[ "${rhelver}" -ge 7 ]] ; then -+ nssdir="$(mktemp -p "${PWD}" -d)" -+ echo > "${nssdir}/pwfile" -+ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile" -+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}" -+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}" -+ sattrs="$(mktemp -p "${PWD}" --suffix=.der)" -+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \ -+ "${input[@]}" --force -+ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}" -+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \ -+ --certdir "${nssdir}" -c signer \ -+ "${input[@]}" "${output[@]}" -+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" -+ elif [[ -n "${socket}" ]] ; then -+ "${client}" "${client_token[@]}" "${client_cert[@]}" \ -+ "${sattrout[@]}" "${certout[@]}" \ -+ ${sign} "${input[@]}" "${output[@]}" -+ else -+ "${bin}" --certdir "${nssdir}" "${token[@]}" \ -+ "${cert[@]}" ${sign} "${sattrout[@]}" \ -+ "${certout[@]}" "${input[@]}" "${output[@]}" -+ fi -+ -+ # if there's a 0-sized output file, delete it and error out -+ if [[ "${#output[@]}" -eq 2 ]] ; then -+ error_on_empty "${output[1]}" -+ fi -+} -+ -+main "${@}" -+ -+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4 --- -2.26.2 - diff --git a/SOURCES/0009-pesign-authorize-shellcheck.patch b/SOURCES/0009-pesign-authorize-shellcheck.patch deleted file mode 100644 index 3597f5f..0000000 --- a/SOURCES/0009-pesign-authorize-shellcheck.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 Jul 2020 15:07:32 -0400 -Subject: [PATCH 09/11] pesign-authorize: shellcheck - -Signed-off-by: Peter Jones ---- - src/pesign-authorize | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/src/pesign-authorize b/src/pesign-authorize -index a496f601ab4..55cd5c4e55b 100755 ---- a/src/pesign-authorize -+++ b/src/pesign-authorize -@@ -12,21 +12,21 @@ set -u - # License: GPLv2 - declare -a fileusers=() - declare -a dirusers=() --for user in $(cat /etc/pesign/users); do -+while read -r user ; do - dirusers[${#dirusers[@]}]=-m - dirusers[${#dirusers[@]}]="u:$user:rwx" - fileusers[${#fileusers[@]}]=-m - fileusers[${#fileusers[@]}]="u:$user:rw" --done -+done -Date: Tue, 14 Jul 2020 15:08:15 -0400 -Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/ - -Signed-off-by: Peter Jones ---- - src/pesign-authorize | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pesign-authorize b/src/pesign-authorize -index 55cd5c4e55b..c5448329c2c 100755 ---- a/src/pesign-authorize -+++ b/src/pesign-authorize -@@ -47,7 +47,7 @@ update_subdir() { - done - } - --for x in /var/run/pesign/ /etc/pki/pesign*/ ; do -+for x in /var/run/pesign/ /etc/pki/pesign/ ; do - if [ -d "${x}" ]; then - update_subdir "${x}" - else --- -2.26.2 - diff --git a/SOURCES/0011-kernel-building-hack.patch b/SOURCES/0011-kernel-building-hack.patch deleted file mode 100644 index 69ffc56..0000000 --- a/SOURCES/0011-kernel-building-hack.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 Jul 2020 16:42:39 -0400 -Subject: [PATCH 11/11] kernel building hack - -Signed-off-by: Peter Jones ---- - src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in -index c5287c27e0c..27b8261bc17 100644 ---- a/src/pesign-rpmbuild-helper.in -+++ b/src/pesign-rpmbuild-helper.in -@@ -202,6 +202,23 @@ main() { - "${input[@]}" "${output[@]}" - rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" - elif [[ -n "${socket}" ]] ; then -+ ### welcome haaaaack city -+ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then -+ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \ -+ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then -+ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \ -+ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \ -+ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then -+ client_cert[1]=kernel-signer -+ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \ -+ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then -+ client_cert[1]=grub2-signer -+ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \ -+ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then -+ client_cert[1]=fwupd-signer -+ fi -+ fi -+ fi - "${client}" "${client_token[@]}" "${client_cert[@]}" \ - "${sattrout[@]}" "${certout[@]}" \ - ${sign} "${input[@]}" "${output[@]}" --- -2.26.2 - diff --git a/SOURCES/0012-Use-run-not-var-run.patch b/SOURCES/0012-Use-run-not-var-run.patch deleted file mode 100644 index 1b4e0c6..0000000 --- a/SOURCES/0012-Use-run-not-var-run.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 16 Jul 2020 16:28:26 -0400 -Subject: [PATCH] Use /run not /var/run - -Signed-off-by: Peter Jones ---- - src/daemon.h | 4 ++-- - src/Makefile | 2 +- - src/pesign-authorize | 2 +- - src/pesign.service.in | 2 +- - src/pesign.sysvinit.in | 10 +++++----- - 5 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/src/daemon.h b/src/daemon.h -index 0368dc9256c..5fcd97ea717 100644 ---- a/src/daemon.h -+++ b/src/daemon.h -@@ -51,8 +51,8 @@ typedef enum { - } pesignd_cmd; - - #define PESIGND_VERSION 0x2a9edaf0 --#define SOCKPATH "/var/run/pesign/socket" --#define PIDFILE "/var/run/pesign.pid" -+#define SOCKPATH "/run/pesign/socket" -+#define PIDFILE "/run/pesign.pid" - - static inline uint32_t UNUSED - pesignd_string_size(char *buffer) -diff --git a/src/Makefile b/src/Makefile -index a7ca89159c6..f7fb5fc9ee5 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit - install : - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ -- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ -+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) -diff --git a/src/pesign-authorize b/src/pesign-authorize -index c5448329c2c..2381302440c 100755 ---- a/src/pesign-authorize -+++ b/src/pesign-authorize -@@ -47,7 +47,7 @@ update_subdir() { - done - } - --for x in /var/run/pesign/ /etc/pki/pesign/ ; do -+for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do - if [ -d "${x}" ]; then - update_subdir "${x}" - else -diff --git a/src/pesign.service.in b/src/pesign.service.in -index c75a000892a..4ac2199bce2 100644 ---- a/src/pesign.service.in -+++ b/src/pesign.service.in -@@ -4,6 +4,6 @@ Description=Pesign signing 
daemon - [Service] - PrivateTmp=true - Type=forking --PIDFile=/var/run/pesign.pid -+PIDFile=/run/pesign.pid - ExecStart=/usr/bin/pesign --daemonize - ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize -diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in -index b0e0f84ff0b..bf8edec8ff3 100644 ---- a/src/pesign.sysvinit.in -+++ b/src/pesign.sysvinit.in -@@ -4,7 +4,7 @@ - # - # chkconfig: - 50 50 - # processname: /usr/bin/pesign --# pidfile: /var/run/pesign.pid -+# pidfile: /run/pesign.pid - ### BEGIN INIT INFO - # Provides: pesign - # Default-Start: -@@ -20,9 +20,9 @@ RETVAL=0 - - start(){ - echo -n "Starting pesign: " -- mkdir /var/run/pesign 2>/dev/null && -- chown pesign:pesign /var/run/pesign && -- chmod 0770 /var/run/pesign -+ mkdir /run/pesign 2>/dev/null && -+ chown pesign:pesign /run/pesign && -+ chmod 0770 /run/pesign - daemon /usr/bin/pesign --daemonize - RETVAL=$? - echo -@@ -32,7 +32,7 @@ start(){ - - stop(){ - echo -n "Stopping pesign: " -- killproc -p /var/run/pesign.pid pesignd -+ killproc -p /run/pesign.pid pesignd - RETVAL=$? - echo - rm -f /var/lock/subsys/pesign --- -2.26.2 - diff --git a/SOURCES/0013-Turn-off-free-nonheap-object.patch b/SOURCES/0013-Turn-off-free-nonheap-object.patch deleted file mode 100644 index 3e62bd8..0000000 --- a/SOURCES/0013-Turn-off-free-nonheap-object.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 59428daf4863f192419eee4afec15cd099e99c9b Mon Sep 17 00:00:00 2001 -From: Jeff Law -Date: Mon, 16 Nov 2020 12:07:59 -0700 -Subject: [PATCH] Turn off -Wfree-nonheap-object - -authvar.c has a call to free (tokenname) where tokenname is set to a string constant -and never changed. That triggers GCC to issue a diagnostic that the value should not -be passed to free. - -This is a false positive from GCC as the call is guarded by a suitable condition that -always happens to be false. But pesign is being built without optimization and thus -the condition and free call are not optimized away. - -This patch just disables the warning. A better solution would be to fix the sources -or build with the optimizer enabled. ---- - Make.defaults | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Make.defaults b/Make.defaults -index d4cd626..705cc3a 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto - cflags = $(CFLAGS) $(ARCH3264) \ - -Wall -Wextra -Wsign-compare -Wno-unused-result \ - -Wno-unused-function -Wno-missing-field-initializers \ -- -Werror -Wno-error=cpp \ -+ -Werror -Wno-error=cpp -Wno-free-nonheap-object \ - -std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \ - -D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \ - $(if $(filter $(CC),clang),$(clang_cflags), ) \ --- -2.28.0 - diff --git a/SOURCES/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch b/SOURCES/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch deleted file mode 100644 index f483ec6..0000000 --- a/SOURCES/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From efb69f149f256631a952e0a0db5b45ed5d391509 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 10 Aug 2021 12:39:08 -0400 -Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 34af57c5b3b..2ca1afb916e 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -35,6 +35,7 @@ - %{?_buildhost:--hostname "%{_buildhost}"} \\\ - %{?vendor:--vendor "%{vendor}"} \\\ -- %{?_rhel:--rhelver "%{_rhel}"} \\\ -+ %{?rhel:--rhelver "%{rhel}"} \\\ -+ %{?centos:--rhelver "%{centos}"} \\\ - %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\ - %{?-a:--rhelcafile "%{-a*}"} \\\ - %{?-c:--rhelcertfile "%{-c*}"} \\\ --- -2.31.1 - diff --git a/SOURCES/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch b/SOURCES/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch deleted file mode 100644 index 7a4fba6..0000000 --- a/SOURCES/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3956d8a819541578b31c919270e915fbcc791e89 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 1 Oct 2021 17:58:20 -0400 -Subject: [PATCH] Detect the presence of rpm-sign when checking for - "rhel"-ness. - -Signed-off-by: Peter Jones ---- - src/pesign-rpmbuild-helper.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in -index 27b8261bc17..d6ca29683b1 100644 ---- a/src/pesign-rpmbuild-helper.in -+++ b/src/pesign-rpmbuild-helper.in -@@ -187,7 +187,7 @@ main() { - fi - fi - -- if [[ "${rhelver}" -ge 7 ]] ; then -+ if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then - nssdir="$(mktemp -p "${PWD}" -d)" - echo > "${nssdir}/pwfile" - certutil -N -d "${nssdir}" -f "${nssdir}/pwfile" --- -2.31.1 - 
diff --git a/SOURCES/pesign.patches b/SOURCES/pesign.patches new file mode 100644 index 0000000..d66e14a --- /dev/null +++ b/SOURCES/pesign.patches @@ -0,0 +1,5 @@ +Patch0001: 0001-daemon-remove-always-true-comparison.patch +Patch0002: 0002-Disable-pragmas-for-warnings-that-are-too-old.patch +Patch0003: 0003-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch +Patch0004: 0004-macros.pesign-handle-centos-like-rhel-with-rhelver.patch +Patch0005: 0005-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec index 5905a96..ce3959a 100644 --- a/SPECS/pesign.spec +++ b/SPECS/pesign.spec @@ -2,28 +2,29 @@ Name: pesign Summary: Signing utility for UEFI binaries -Version: 113 -Release: 21%{?dist} -License: GPLv2 -URL: https://github.com/vathpela/pesign +Version: 115 +Release: 4%{?dist} +License: GPL-2.0-only +URL: https://github.com/rhboot/pesign Obsoletes: pesign-rh-test-certs <= 0.111-7 -BuildRequires: make +BuildRequires: efivar-devel >= 38-1 BuildRequires: gcc BuildRequires: git +BuildRequires: libuuid-devel +BuildRequires: make +#BuildRequires: mandoc BuildRequires: nspr +BuildRequires: nspr-devel >= 4.9.2-1 BuildRequires: nss +BuildRequires: nss-devel >= 3.13.6-1 +BuildRequires: nss-tools BuildRequires: nss-util BuildRequires: popt-devel -BuildRequires: nss-tools -BuildRequires: nspr-devel >= 4.9.2-1 -BuildRequires: nss-devel >= 3.13.6-1 -BuildRequires: efivar-devel >= 31-1 -BuildRequires: libuuid-devel +BuildRequires: python3 +BuildRequires: python3-rpm-macros BuildRequires: tar BuildRequires: xz -BuildRequires: python3-rpm-macros -BuildRequires: python3 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 BuildRequires: systemd-rpm-macros %endif 
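Review bot: The new `#BuildRequires: mandoc` line in the first spec hunk is commented out with no reason given where it is read, so a maintainer scanning the BuildRequires list cannot tell whether it was dropped deliberately or forgotten; the rationale only appears much later in `%build`. Suggest replacing it with a self-explaining comment such as `# mandoc is not packaged here; %build installs the .mdoc sources as the man pages instead`. The version bump, SPDX license identifier and the raised `efivar-devel >= 38-1` floor in this hunk look straightforward, though whether 38-1 is the true minimum cannot be judged from this diff.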
@@ -42,22 +43,9 @@ BuildRequires: rh-signing-tools >= 1.20-2 Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 Source1: certs.tar.xz Source2: pesign.py +Source3: pesign.patches -Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch -Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch -Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch -Patch0004: 0004-Rename-var-run-to-run.patch -Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch -Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch -Patch0007: 0007-client-remove-an-extra-debug-print.patch -Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch -Patch0009: 0009-pesign-authorize-shellcheck.patch -Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch -Patch0011: 0011-kernel-building-hack.patch -Patch0012: 0012-Use-run-not-var-run.patch -Patch0013: 0013-Turn-off-free-nonheap-object.patch -Patch0014: 0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch -Patch0015: 0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch +%include %{SOURCE3} %description This package contains the pesign utility for signing UEFI binaries as @@ -76,6 +64,11 @@ git config --unset user.email git config --unset user.name %build +# Workaround for mandoc not being packaged +for f in authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1; do + cp src/"$f".mdoc src/"$f" +done + make PREFIX=%{_prefix} LIBDIR=%{_libdir} %install @@ -143,7 +136,6 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null %doc README TODO %{_bindir}/authvar %{_bindir}/efikeygen -%{_bindir}/efisiglist %{_bindir}/pesigcheck %{_bindir}/pesign %{_bindir}/pesign-client 
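Review bot: The man-page workaround added to `%build` hard-codes the five `.mdoc` file names, so a page that upstream adds or renames is silently left out of the copy instead of failing the build; globbing the sources keeps the list in sync and still fails loudly if nothing matches: `for f in src/*.mdoc; do cp "$f" "${f%.mdoc}"; done`. The copied files are raw mdoc source rather than formatted pages, which is presumably acceptable because man-db renders mdoc through groff, but the comment should state that assumption: `# mandoc is not packaged; ship the .mdoc sources as the man pages (man-db renders mdoc via groff)`. The `%build` and `%install` sections continue outside the hunk.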
@@ -170,20 +162,47 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null %{python3_sitelib}/mockbuild/plugins/pesign.* %changelog -* Tue Dec 14 2021 Robbie Harwood - 113-21 -- Sync with beta changes -- Resolves: rhbz#2030501 +* Mon Apr 04 2022 Robbie Harwood +- Detect presence of rpm-sign when checking for rhel-ness +- Resolves: #2044886 + +* Fri Apr 01 2022 Robbie Harwood - 115-3 +- Correct handling of rhel and centos macros +- Resolves: #2044886 + +* Fri Mar 25 2022 Robbie Harwood - 115-2 +- Add -D_GLIBCXX_ASSERTIONS +- Resolves: #2044886 + +* Tue Mar 08 2022 Robbie Harwood - 115-1 +- New upstream version (115) +- Resolves: #2044886 + +* Mon Feb 14 2022 Robbie Harwood - 114-4 +- Fix explicit NULL deref when daemonizing +- Resolves: #2049320 + +* Wed Feb 09 2022 Robbie Harwood - 114-3 +- Rebuild; no code changes +- Resolves: #2049320 + +* Wed Feb 09 2022 Robbie Harwood - 114-2 +- Fix build on aarch64 +- Resolves: #2049320 + +* Tue Feb 08 2022 Robbie Harwood - 114-1 +- New upstream version (114) +- Resolves: #2049320 -* Tue Aug 10 2021 Peter Jones - 113-18 -- Detect the CentOS version number correctly in rpm pesign macro - Related: rhbz#1991688 +* Fri Jan 21 2022 Fedora Release Engineering - 113-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild -* Mon Aug 09 2021 Mohan Boddu - 113-17 -- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Related: rhbz#1991688 +* Fri Jul 23 2021 Fedora Release Engineering - 113-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild -* Fri Apr 16 2021 Mohan Boddu - 113-16 -- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 113-16 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. * Wed Jan 27 2021 Fedora Release Engineering - 113-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild