diff --git a/.pesign.metadata b/.pesign.metadata new file mode 100644 index 0000000..257cce9 --- /dev/null +++ b/.pesign.metadata @@ -0,0 +1,2 @@ +d3bee4233c8d6bb712a9a54467f3eaea3a52c703 SOURCES/pesign-0.109.tar.bz2 +36df9ec87e76174c354441f516032faf9341f647 SOURCES/rh-test-certs.tar.bz2 diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/0001-Fix-error-detected-by-coverity.patch b/SOURCES/0001-Fix-error-detected-by-coverity.patch new file mode 100644 index 0000000..0404ee0 --- /dev/null +++ b/SOURCES/0001-Fix-error-detected-by-coverity.patch @@ -0,0 +1,26 @@ +From 8beb32309aec95f1e367553bf5fa3e0a1ddf547d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 25 Oct 2013 10:08:32 -0400 +Subject: [PATCH] Fix error detected by coverity. + +Signed-off-by: Peter Jones +--- + src/siglist.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/siglist.c b/src/siglist.c +index ca097e6..2080b98 100644 +--- a/src/siglist.c ++++ b/src/siglist.c +@@ -147,6 +147,8 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner, + } + + struct efi_signature_data *sd = calloc(1, sl->SignatureSize); ++ if (!sd) ++ return -1; + memcpy(&sd->SignatureOwner, &owner, sizeof (owner)); + memcpy(sd->SignatureData, sig, sl->SignatureSize - + sizeof (efi_guid_t)); +-- +1.8.3.1 + diff --git a/SOURCES/0001-One-more-tweak-for-RHEL-signing-rules.patch b/SOURCES/0001-One-more-tweak-for-RHEL-signing-rules.patch new file mode 100644 index 0000000..c218c5d --- /dev/null +++ b/SOURCES/0001-One-more-tweak-for-RHEL-signing-rules.patch @@ -0,0 +1,28 @@ +From 44d896bec9124d42e2ca2035e46599c446640ba3 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 29 Oct 2013 11:27:31 -0400 +Subject: [PATCH] One more tweak for RHEL signing rules. + +It never ends. + +Signed-off-by: Peter Jones +--- + src/macros.pesign | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 143ef8e..7faa4a1 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -22,7 +22,7 @@ + # -s # perform signing + %pesign(i:o:C:e:c:n:a:s) \ + if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \ +- if [ "0%{?rhel}" -ge "7" ]; then \ ++ if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ + nss=$(mktemp -p $PWD -d) \ + echo > ${nss}/pwfile \ + certutil -N -d ${nss} -f ${nss}/pwfile \ +-- +1.8.3.1 + diff --git a/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch b/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch new file mode 100644 index 0000000..6e2855f --- /dev/null +++ b/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch @@ -0,0 +1,26 @@ +From 776e724687ebc2958ac6c78cd30e9d8b6a0c6eec Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 24 Oct 2013 15:22:13 -0400 +Subject: [PATCH] Use the right signing method on the RHEL signing macro. + +Signed-off-by: Peter Jones +--- + src/macros.pesign | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 7f6e6ef..143ef8e 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -30,7 +30,7 @@ + certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \ + sattrs=$(mktemp -p $PWD --suffix=.der) \ + %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \ +- rpm-sign --key "%{-n*}" --rsasign ${sattrs} \ ++ rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \ + %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ + --certdir ${nss} -c signer %{-o} \ + rm -rf ${sattrs} ${sattrs}.sig ${nss} \ +-- +1.8.3.1 + diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec new file mode 100644 index 0000000..bc2d42e --- /dev/null +++ b/SPECS/pesign.spec @@ -0,0 +1,269 @@ +Summary: Signing utility for UEFI binaries +Name: pesign +Version: 0.109 +Release: 4%{?dist} +Group: Development/System +License: GPLv2 +URL: https://github.com/vathpela/pesign +BuildRequires: git gnu-efi gnu-efi-devel nspr nss nss-util popt-devel +BuildRequires: coolkey opensc nss-tools +BuildRequires: nspr-devel >= 4.9.2-1 +BuildRequires: nss-devel >= 3.13.6-1 +Requires: nspr nss nss-util nss-tools popt rpm coolkey opensc +Requires(pre): shadow-utils +ExclusiveArch: x86_64 + +# there is no tarball at github, of course. To get this version do: +# git clone https://github.com/vathpela/pesign.git +# git checkout %%{version} +Source0: pesign-%{version}.tar.bz2 +Source1: rh-test-certs.tar.bz2 +Patch0001: 0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch +Patch0002: 0001-Fix-error-detected-by-coverity.patch +Patch0003: 0001-One-more-tweak-for-RHEL-signing-rules.patch + +%description +This package contains the pesign utility for signing UEFI binaries as +well as other associated tools. + +%prep +%setup -q -a 1 +git init +git config user.email "pesign-owner@fedoraproject.org" +git config user.name "Fedora Ninjas" +git add . +git commit -a -q -m "%{version} baseline." +git am %{patches} = 7 || 0%{?fedora} >= 17 +make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \ + install_systemd +%endif + +# there's some stuff that's not really meant to be shipped yet +rm -rf %{buildroot}/boot %{buildroot}/usr/include +rm -rf %{buildroot}%{_libdir}/libdpe* +mv rh-test-certs/etc/pki/pesign/* %{buildroot}/etc/pki/pesign/ + +#modutil -force -dbdir %{buildroot}/etc/pki/pesign -add coolkey \ +# -libfile %{_libdir}/pkcs11/libcoolkeypk11.so +#modutil -force -dbdir %{buildroot}/etc/pki/pesign -add opensc \ +# -libfile %{_libdir}/pkcs11/opensc-pkcs11.so + +%clean +rm -rf %{buildroot} + +%pre +getent group pesign >/dev/null || groupadd -r pesign +getent passwd pesign >/dev/null || \ + useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \ + -c "Group for the pesign signing daemon" pesign +exit 0 + +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +%post +%systemd_post pesign.service + +%preun +%systemd_preun pesign.service + +%postun +%systemd_postun_with_restart pesign.service +%endif + +%files +%defattr(-,root,root,-) +%doc README TODO COPYING +%{_bindir}/pesign +%{_bindir}/pesign-client +%{_bindir}/efikeygen +%{_sysconfdir}/popt.d/pesign.popt +%{_sysconfdir}/rpm/macros.pesign +%{_mandir}/man*/* +%dir %attr(0775,pesign,pesign) /etc/pki/pesign +%attr(0664,pesign,pesign) /etc/pki/pesign/* +%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name} +%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket +%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +%{_prefix}/lib/tmpfiles.d/pesign.conf +%{_unitdir}/pesign.service +%endif + +%changelog +* Tue Oct 29 2013 Peter Jones - 0.109-4 +- Tweak the signing rules just a bit more. + Related: rhbz1017857 + +* Fri Oct 25 2013 Peter Jones - 0.109-3 +- Update to fix a bug coverity found. + Related: rhbz1017857 + +* Fri Oct 25 2013 Peter Jones - 0.109-2 +- Fix the pesign macro for RHEL packages. + Related: rhbz1017857 + +* Wed Oct 09 2013 Peter Jones - 0.109-1 +- Update to 0.109 + Related: rhbz#893260 + +* Tue Oct 08 2013 Peter Jones - 0.106-6 +- Don't create a new certificate database when signing on RHEL. + +* Wed Aug 07 2013 Peter Jones - 0.106-5 +- Use --force with sattrs blob from mktemp() +- Error if we get a zero-sized signed file result + +* Wed Aug 07 2013 Peter Jones - 0.106-4 +- Don't require ascii mode for RHEL CA/signer cert import. + +* Tue Aug 06 2013 Peter Jones - 0.106-3 +- More work on the RHEL %%pesign macro + +* Tue Aug 06 2013 Peter Jones - 0.106-2 +- Add rhel %%pesign macro definitions. + +* Tue May 21 2013 Peter Jones - 0.106-1 +- Update to 0.106 +- Hopefully fix the segfault dgilmore was seeing. + +* Mon May 20 2013 Peter Jones - 0.105-1 +- Various bug fixes. + +* Wed May 15 2013 Peter Jones - 0.104-1 +- Make sure alignment is correct on signature list entries + Resolves: rhbz#963361 +- Make sure section alignment is correct if we have to extend the file + +* Wed Feb 06 2013 Peter Jones - 0.103-2 +- Conditionalize systemd bits so they don't show up in RHEL 6 builds + +* Tue Feb 05 2013 Peter Jones - 0.103-1 +- One more compiler problem. Let's expect a few more, shall we? + +* Tue Feb 05 2013 Peter Jones - 0.102-1 +- Don't use --std=gnu11 because we have to work on RHEL 6 builders. + +* Mon Feb 04 2013 Peter Jones - 0.101-1 +- Update to 0.101 to fix more "pesign -E" issues. + +* Fri Nov 30 2012 Peter Jones - 0.100-1 +- Fix insertion of signatures from a file. + +* Mon Nov 26 2012 Matthew Garrett - 0.99-9 +- Add a patch needed for new shim builds + +* Fri Oct 19 2012 Peter Jones - 0.99-8 +- Get the Fedora signing token name right. + +* Fri Oct 19 2012 Peter Jones +- Add coolkey and opensc modules to pki database during %%install. + +* Fri Oct 19 2012 Peter Jones - 0.99-7 +- setfacl u:kojibuilder:rw /var/run/pesign/socket +- Fix command line checking in client +- Add client stdin pin reading. + +* Thu Oct 18 2012 Peter Jones - 0.99-6 +- Automatically select daemon as signer when using rpm macros. + +* Thu Oct 18 2012 Peter Jones - 0.99-5 +- Make it work on the -el6 branch as well. + +* Wed Oct 17 2012 Peter Jones - 0.99-4 +- Fix some more bugs found by valgrind and coverity. +- Don't build utils/ ; we're not using them and they're not ready anyway. + +* Wed Oct 17 2012 Peter Jones - 0.99-3 +- Fix daemon startup bug from 0.99-2 + +* Wed Oct 17 2012 Peter Jones - 0.99-2 +- Fix various bugs from 0.99-1 +- Don't make the database unreadable just yet. + +* Mon Oct 15 2012 Peter Jones - 0.99-1 +- Update to 0.99 +- Add documentation for client/server mode. +- Add --pinfd and --pinfile to server mode. + +* Fri Oct 12 2012 Peter Jones - 0.98-1 +- Update to 0.98 +- Add client/server mode. + +* Mon Oct 01 2012 Peter Jones - 0.10-5 +- Fix missing section address fixup. + +* Wed Aug 15 2012 Peter Jones - 0.10-4 +- Make macros.pesign even better (and make it work right for i686 packages) + +* Tue Aug 14 2012 Peter Jones - 0.10-3 +- Only sign things on x86_64; all else ignore gracefully. + +* Tue Aug 14 2012 Peter Jones - 0.10-2 +- Make macros.pesign more reliable + +* Mon Aug 13 2012 Peter Jones - 0.10-1 +- Update to 0.10 +- Include rpm macros to support easy custom signing of signed packages. + +* Fri Aug 10 2012 Peter Jones - 0.9-1 +- Update to 0.9 +- Bug fix from Gary Ching-Pang Lin +- Support NSS Token selection for use with smart cards. + +* Wed Aug 08 2012 Peter Jones - 0.8-1 +- Update to 0.8 +- Don't open the db read-write +- Fix permissions on keystore (everybody can sign with test keys) + +* Wed Aug 08 2012 Peter Jones - 0.7-2 +- Include test keys. + +* Mon Jul 30 2012 Peter Jones - 0.7-1 +- Update to 0.7 +- Better fix for MS compatibility. + +* Mon Jul 30 2012 Peter Jones - 0.6-1 +- Update to 0.6 +- Bug-for-bug compatibility with signtool.exe . + +* Fri Jul 20 2012 Fedora Release Engineering - 0.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 11 2012 Peter Jones - 0.5-1 +- Rebase to 0.5 +- Do more rigorous bounds checking when hashing a new binary. + +* Tue Jul 10 2012 Peter Jones - 0.3-2 +- Rebase to 0.4 + +* Fri Jun 22 2012 Peter Jones - 0.3-2 +- Move man page to a more reasonable place. + +* Fri Jun 22 2012 Peter Jones - 0.3-1 +- Update to upstream's 0.3 . + +* Thu Jun 21 2012 Peter Jones - 0.2-4 +- Do not build with smp flags. + +* Thu Jun 21 2012 Peter Jones - 0.2-3 +- Make it build on i686, though it's unclear it'll ever be necessary. + +* Thu Jun 21 2012 Peter Jones - 0.2-2 +- Fix compile problem with f18's compiler. + +* Thu Jun 21 2012 Peter Jones - 0.2-1 +- Fix some rpmlint complaints nirik pointed out +- Add popt-devel build dep + +* Fri Jun 15 2012 Peter Jones - 0.1-1 +- First version of SRPM.