diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..920f280 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/certs.tar.xz +SOURCES/pesign-113.tar.bz2 diff --git a/.pesign.metadata b/.pesign.metadata new file mode 100644 index 0000000..c9655cb --- /dev/null +++ b/.pesign.metadata @@ -0,0 +1,2 @@ +b6777cc78ca2d2f250f3142e97e17dd855bc9b88 SOURCES/certs.tar.xz +1fabe291298395b6dd3129e250d8b67345745834 SOURCES/pesign-113.tar.bz2 diff --git a/SOURCES/0001-efikeygen-Fix-the-build-with-nss-3.44.patch b/SOURCES/0001-efikeygen-Fix-the-build-with-nss-3.44.patch new file mode 100644 index 0000000..e583369 --- /dev/null +++ b/SOURCES/0001-efikeygen-Fix-the-build-with-nss-3.44.patch @@ -0,0 +1,45 @@ +From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 May 2019 11:28:38 -0400 +Subject: [PATCH] efikeygen: Fix the build with nss 3.44 + +NSS 3.44 adds some certificate types, which changes a type and makes +some encoding stuff weird. As a result, we get: + +gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o +In file included from /usr/local/include/nss/nss/cert.h:22, + from efikeygen.c:39: +efikeygen.c: In function 'add_cert_type': +/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow] + (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ + ^ +efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP' + unsigned char type = NS_CERT_TYPE_APP; + ^~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors + +This is fixed by just making it an int. + +Fixes github issue #48. + +Signed-off-by: Peter Jones +--- + src/efikeygen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/efikeygen.c b/src/efikeygen.c +index ede76ef0b48..2cd953e9781 100644 +--- a/src/efikeygen.c ++++ b/src/efikeygen.c +@@ -208,7 +208,7 @@ static int + add_cert_type(cms_context *cms, void *extHandle, int is_ca) + { + SECItem bitStringValue; +- unsigned char type = NS_CERT_TYPE_APP; ++ int type = NS_CERT_TYPE_APP; + + if (is_ca) + type |= NS_CERT_TYPE_SSL_CA | +-- +2.23.0 + diff --git a/SOURCES/0002-pesigcheck-Fix-a-wrong-assignment.patch b/SOURCES/0002-pesigcheck-Fix-a-wrong-assignment.patch new file mode 100644 index 0000000..7df5f0b --- /dev/null +++ b/SOURCES/0002-pesigcheck-Fix-a-wrong-assignment.patch @@ -0,0 +1,49 @@ +From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 18 Feb 2020 16:28:56 -0500 +Subject: [PATCH] pesigcheck: Fix a wrong assignment + +gcc says: + + pesigcheck.c: In function 'check_signature': + pesigcheck.c:321:17: error: implicit conversion from 'enum ' to 'enum ' [-Werror=enum-conversion] + 321 | reason->type = siBuffer; + | ^ + pesigcheck.c:333:17: error: implicit conversion from 'enum ' to 'enum ' [-Werror=enum-conversion] + 333 | reason->type = siBuffer; + | ^ + cc1: all warnings being treated as errors + +And indeed, that line of code makes no sense at all - it was supposed to +be reason->sig.type. + +Signed-off-by: Peter Jones +--- + src/pesigcheck.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/pesigcheck.c b/src/pesigcheck.c +index 524cce307bf..8fa0f1ad03d 100644 +--- a/src/pesigcheck.c ++++ b/src/pesigcheck.c +@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons, + reason->type = SIGNATURE; + reason->sig.data = data; + reason->sig.len = datalen; +- reason->type = siBuffer; ++ reason->sig.type = siBuffer; + nreason += 1; + is_invalid = true; + } +@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons, + reason->type = SIGNATURE; + reason->sig.data = data; + reason->sig.len = datalen; +- reason->type = siBuffer; ++ reason->sig.type = siBuffer; + nreason += 1; + has_valid_cert = true; + } +-- +2.24.1 + diff --git a/SOURCES/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch b/SOURCES/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch new file mode 100644 index 0000000..e639675 --- /dev/null +++ b/SOURCES/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch @@ -0,0 +1,317 @@ +From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 11 Jun 2020 16:23:14 -0400 +Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and + vise versa + +This makes the version of the sign API that takes a file type optional, +and makes the client attempt to negotiate which version it's getting. +It also leaves the server able to still handle the version from before +the file type was added. + +Signed-off-by: Peter Jones +--- + src/client.c | 74 +++++++++++++++++++++++++++++++++++++--------------- + src/daemon.c | 63 +++++++++++++++++++++++++++++--------------- + src/daemon.h | 2 ++ + 3 files changed, 97 insertions(+), 42 deletions(-) + +diff --git a/src/client.c b/src/client.c +index aa373abd981..57bcc09cbe8 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -84,8 +85,8 @@ connect_to_server(void) + static int32_t + check_response(int sd, char **srvmsg); + +-static void +-check_cmd_version(int sd, uint32_t command, char *name, int32_t version) ++static int ++check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit) + { + struct msghdr msg; + struct iovec iov[1]; +@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) + ssize_t n; + n = sendmsg(sd, &msg, 0); + if (n < 0) { +- fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n"); ++ fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n"); + exit(1); + } + +@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version) + + char *srvmsg = NULL; + int32_t rc = check_response(sd, &srvmsg); +- if (rc < 0) ++ ++ if (do_exit && rc < 0) + errx(1, "command \"%s\" not known by server", name); +- if (rc != version) ++ ++ if (do_exit && rc != version) + errx(1, "command \"%s\": client version %d, server version %d", + name, version, rc); ++ ++ if (rc < 0) ++ return rc; ++ return rc == version; + } + + static void +@@ -134,7 +141,7 @@ send_kill_daemon(int sd) + struct iovec iov; + pesignd_msghdr pm; + +- check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0); ++ check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true); + + pm.version = PESIGND_VERSION; + pm.command = CMD_KILL_DAEMON; +@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin) + + uint32_t size1 = pesignd_string_size(pin); + +- check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0); ++ check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true); + + pm.version = PESIGND_VERSION; + pm.command = CMD_UNLOCK_TOKEN; +@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname) + + uint32_t size0 = pesignd_string_size(tokenname); + +- check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0); ++ check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true); + + pm.version = PESIGND_VERSION; + pm.command = CMD_IS_TOKEN_UNLOCKED; +@@ -452,6 +459,9 @@ static void + sign(int sd, char *infile, char *outfile, char *tokenname, char *certname, + int attached, uint32_t format) + { ++ int rc; ++ bool add_file_type; ++ + int infd = open(infile, O_RDONLY); + if (infd < 0) { + fprintf(stderr, "pesign-client: could not open input file " +@@ -481,12 +491,28 @@ oom: + exit(1); + } + +- check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED, +- attached ? "sign-attached" : "sign-detached", 0); ++ rc = check_cmd_version(sd, ++ attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE ++ : CMD_SIGN_DETACHED_WITH_FILE_TYPE, ++ attached ? "sign-attached" : "sign-detached", ++ 0, format == FORMAT_KERNEL_MODULE); ++ if (rc >= 0) { ++ add_file_type = true; ++ } else { ++ add_file_type = false; ++ check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED ++ : CMD_SIGN_DETACHED, ++ attached ? "sign-attached" : "sign-detached", ++ 0, true); ++ } + ++ printf("add_file_type:%d\n", add_file_type); + pm->version = PESIGND_VERSION; +- pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED; +- pm->size = size0 + size1 + sizeof(format); ++ pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE ++ : CMD_SIGN_ATTACHED) ++ : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE ++ : CMD_SIGN_DETACHED); ++ pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0); + iov[0].iov_base = pm; + iov[0].iov_len = sizeof (*pm); + +@@ -503,25 +529,31 @@ oom: + } + + char *buffer; +- buffer = malloc(size0 + size1); ++ buffer = malloc(pm->size); + if (!buffer) + goto oom; + +- iov[0].iov_base = &format; +- iov[0].iov_len = sizeof(format); ++ int pos = 0; ++ ++ if (add_file_type) { ++ iov[pos].iov_base = &format; ++ iov[pos].iov_len = sizeof(format); ++ pos++; ++ } + + pesignd_string *tn = (pesignd_string *)buffer; + pesignd_string_set(tn, tokenname); +- iov[1].iov_base = tn; +- iov[1].iov_len = size0; ++ iov[pos].iov_base = tn; ++ iov[pos].iov_len = size0; ++ pos++; + + pesignd_string *cn = pesignd_string_next(tn); + pesignd_string_set(cn, certname); +- iov[2].iov_base = cn; +- iov[2].iov_len = size1; ++ iov[pos].iov_base = cn; ++ iov[pos].iov_len = size1; + + msg.msg_iov = iov; +- msg.msg_iovlen = 3; ++ msg.msg_iovlen = add_file_type ? 3 : 2; + + n = sendmsg(sd, &msg, 0); + if (n < 0) { +@@ -535,7 +567,7 @@ oom: + send_fd(sd, outfd); + + char *srvmsg = NULL; +- int rc = check_response(sd, &srvmsg); ++ rc = check_response(sd, &srvmsg); + if (rc < 0) { + fprintf(stderr, "pesign-client: signing failed: \"%s\"\n", + srvmsg); +diff --git a/src/daemon.c b/src/daemon.c +index 9374d59be30..494beb9af72 100644 +--- a/src/daemon.c ++++ b/src/daemon.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -561,7 +562,7 @@ out: + + static void + handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size, +- int attached) ++ int attached, bool with_file_type) + { + struct msghdr msg; + struct iovec iov; +@@ -585,8 +586,12 @@ oom: + + n = recvmsg(pollfd->fd, &msg, MSG_WAITALL); + +- file_format = *((uint32_t *) buffer); +- n -= sizeof(uint32_t); ++ if (with_file_type) { ++ file_format = *((uint32_t *) buffer); ++ n -= sizeof(uint32_t); ++ } else { ++ file_format = FORMAT_PE_BINARY; ++ } + + pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t)); + if (n < (long long)sizeof(tn->size)) { +@@ -666,34 +671,44 @@ finish: + teardown_digests(ctx->cms); + } + ++static inline void ++handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size, ++ int attached, bool with_file_type) ++{ ++ int rc = cms_context_alloc(&ctx->cms); ++ if (rc < 0) ++ return; ++ ++ steal_from_cms(ctx->backup_cms, ctx->cms); ++ ++ handle_signing(ctx, pollfd, size, attached, with_file_type); ++ ++ hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms); ++ cms_context_fini(ctx->cms); ++} ++ + static void + handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size) + { +- int rc = cms_context_alloc(&ctx->cms); +- if (rc < 0) +- return; ++ handle_sign_helper(ctx, pollfd, size, 1, false); ++} + +- steal_from_cms(ctx->backup_cms, ctx->cms); +- +- handle_signing(ctx, pollfd, size, 1); +- +- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms); +- cms_context_fini(ctx->cms); ++static void ++handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size) ++{ ++ handle_sign_helper(ctx, pollfd, size, 1, true); + } + + static void + handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size) + { +- int rc = cms_context_alloc(&ctx->cms); +- if (rc < 0) +- return; ++ handle_sign_helper(ctx, pollfd, size, 0, false); ++} + +- steal_from_cms(ctx->backup_cms, ctx->cms); +- +- handle_signing(ctx, pollfd, size, 0); +- +- hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms); +- cms_context_fini(ctx->cms); ++static void ++handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size) ++{ ++ handle_sign_helper(ctx, pollfd, size, 0, true); + } + + static void +@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = { + { CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 }, + { CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 }, + { CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 }, ++ { CMD_SIGN_ATTACHED_WITH_FILE_TYPE, ++ handle_sign_attached_with_file_type, ++ "sign-attached-with-file-type", 0 }, ++ { CMD_SIGN_DETACHED_WITH_FILE_TYPE, ++ handle_sign_detached_with_file_type, ++ "sign-detached-with-file-type", 0 }, + { CMD_RESPONSE, NULL, "response", 0 }, + { CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked, + "is-token-unlocked", 0 }, +diff --git a/src/daemon.h b/src/daemon.h +index dd430512f1a..834d62c72d0 100644 +--- a/src/daemon.h ++++ b/src/daemon.h +@@ -33,6 +33,8 @@ typedef enum { + CMD_RESPONSE, + CMD_IS_TOKEN_UNLOCKED, + CMD_GET_CMD_VERSION, ++ CMD_SIGN_ATTACHED_WITH_FILE_TYPE, ++ CMD_SIGN_DETACHED_WITH_FILE_TYPE, + CMD_LIST_END + } pesignd_cmd; + +-- +2.26.2 + diff --git a/SOURCES/0004-Rename-var-run-to-run.patch b/SOURCES/0004-Rename-var-run-to-run.patch new file mode 100644 index 0000000..593761b --- /dev/null +++ b/SOURCES/0004-Rename-var-run-to-run.patch @@ -0,0 +1,46 @@ +From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 12 Jun 2020 11:49:44 -0400 +Subject: [PATCH] Rename /var/run/ to /run/ + +Signed-off-by: Peter Jones +--- + src/macros.pesign | 12 ++++++------ + src/tmpfiles.conf | 2 +- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 56f75cafbc4..5a6da1c6809 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -45,14 +45,14 @@ + rm -rf ${sattrs} ${sattrs}.sig ${nss} \ + elif [ "$(id -un)" == "kojibuilder" -a \\\ + grep -q ID=fedora /etc/os-release -a \\\ +- ! -S /var/run/pesign/socket ]; then \ ++ ! -S /run/pesign/socket ]; then \ + echo "No socket even though this is kojibuilder" 1>&2 \ +- ls -ld /var/run/pesign 1>&2 \ +- ls -l /var/run/pesign/socket 1>&2 \ +- getfacl /var/run/pesign 1>&2 \ +- getfacl /var/run/pesign/socket 1>&2 \ ++ ls -ld /run/pesign 1>&2 \ ++ ls -l /run/pesign/socket 1>&2 \ ++ getfacl /run/pesign 1>&2 \ ++ getfacl /run/pesign/socket 1>&2 \ + exit 1 \ +- elif [ -S /var/run/pesign/socket ]; then \ ++ elif [ -S /run/pesign/socket ]; then \ + %{_pesign_client} -t %{__pesign_client_token} \\\ + -c %{__pesign_client_cert} \\\ + %{-i} %{-o} %{-e} %{-s} %{-C} \ +diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf +index c1cf35597d8..3375ad52a44 100644 +--- a/src/tmpfiles.conf ++++ b/src/tmpfiles.conf +@@ -1 +1 @@ +-D /var/run/pesign 0770 pesign pesign - ++D /run/pesign 0770 pesign pesign - +-- +2.26.2 + diff --git a/SOURCES/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch b/SOURCES/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch new file mode 100644 index 0000000..2b47880 --- /dev/null +++ b/SOURCES/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch @@ -0,0 +1,30 @@ +From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001 +From: Jeremy Cline +Date: Tue, 18 Feb 2020 16:37:53 -0500 +Subject: [PATCH] Apparently opensc got updated and the token name changed + +All the kernel builds started failing yesterday because the signing +token could not be found. Update the token name in the macro shipped by +pesign. + +Signed-off-by: Peter Jones +--- + src/macros.pesign | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 7c5cba170e9..56f75cafbc4 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -9,7 +9,7 @@ + %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} + %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} + +-%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"} ++%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} + %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"} + + %_pesign /usr/bin/pesign +-- +2.26.2 + diff --git a/SOURCES/0006-client-try-run-and-var-run-for-the-socket-path.patch b/SOURCES/0006-client-try-run-and-var-run-for-the-socket-path.patch new file mode 100644 index 0000000..337faab --- /dev/null +++ b/SOURCES/0006-client-try-run-and-var-run-for-the-socket-path.patch @@ -0,0 +1,86 @@ +From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 6 Jul 2020 16:13:09 -0400 +Subject: [PATCH 6/7] client: try /run and /var/run for the socket path. + +Signed-off-by: Peter Jones +--- + src/client.c | 40 +++++++++++++++++++++++++++++----------- + 1 file changed, 29 insertions(+), 11 deletions(-) + +diff --git a/src/client.c b/src/client.c +index 2119ef33bf8..a38383415d5 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag) + } + + static int +-connect_to_server(void) ++connect_to_server_helper(const char * const sockpath) + { +- int rc = access(SOCKPATH, R_OK); ++ int rc = access(sockpath, R_OK); + if (rc != 0) { +- fprintf(stderr, "pesign-client: could not connect to server: " +- "%m\n"); +- exit(1); ++ warn("could not access socket \"%s\"", sockpath); ++ return rc; + } + + struct sockaddr_un addr_un = { + .sun_family = AF_UNIX, +- .sun_path = SOCKPATH, + }; ++ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path)); ++ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0'; + + int sd = socket(AF_UNIX, SOCK_STREAM, 0); + if (sd < 0) { +- fprintf(stderr, "pesign-client: could not open socket: %m\n"); +- exit(1); ++ warn("could not open socket \"%s\"", sockpath); ++ return sd; + } + + socklen_t len = strlen(addr_un.sun_path) + +@@ -74,14 +74,32 @@ connect_to_server(void) + + rc = connect(sd, (struct sockaddr *)&addr_un, len); + if (rc < 0) { +- fprintf(stderr, "pesign-client: could not connect to daemon: " +- "%m\n"); +- exit(1); ++ warn("could not connect to daemon"); ++ return sd; + } + + return sd; + } + ++static int ++connect_to_server(void) ++{ ++ int rc, i; ++ const char * const sockets[] = { ++ "/run/pesign/socket", ++ "/var/run/pesign/socket", ++ NULL ++ }; ++ ++ for (i = 0; sockets[i] != NULL; i++) { ++ rc = connect_to_server_helper(sockets[i]); ++ if (rc >= 0) ++ return rc; ++ } ++ ++ exit(1); ++} ++ + static int32_t + check_response(int sd, char **srvmsg); + +-- +2.26.2 + diff --git a/SOURCES/0007-client-remove-an-extra-debug-print.patch b/SOURCES/0007-client-remove-an-extra-debug-print.patch new file mode 100644 index 0000000..b094ea5 --- /dev/null +++ b/SOURCES/0007-client-remove-an-extra-debug-print.patch @@ -0,0 +1,25 @@ +From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jul 2020 16:44:09 -0400 +Subject: [PATCH 07/11] client: remove an extra debug print + +Signed-off-by: Peter Jones +--- + src/client.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/client.c b/src/client.c +index 0082be1f597..c9966295e5f 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -536,7 +536,6 @@ oom: + 0, true); + } + +- printf("add_file_type:%d\n", add_file_type); + pm->version = PESIGND_VERSION; + pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE + : CMD_SIGN_ATTACHED) +-- +2.26.2 + diff --git a/SOURCES/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/SOURCES/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch new file mode 100644 index 0000000..3a62cf6 --- /dev/null +++ b/SOURCES/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch @@ -0,0 +1,379 @@ +From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 6 Jul 2020 13:54:35 -0400 +Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper + +Signed-off-by: Peter Jones +--- + Make.defaults | 1 + + src/Makefile | 8 +- + src/macros.pesign | 74 ++++-------- + src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++ + 4 files changed, 252 insertions(+), 53 deletions(-) + create mode 100644 src/pesign-rpmbuild-helper.in + +diff --git a/Make.defaults b/Make.defaults +index 0bacafe0d01..d4cd626c11e 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR) + + INSTALL ?= install + CROSS_COMPILE ?= ++EFI_ARCHES ?= aa64 ia32 x64 + + PKG_CONFIG = $(CROSS_COMPILE)pkg-config + CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC)) +diff --git a/src/Makefile b/src/Makefile +index 74327ba13f3..a7ca89159c6 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version + include $(TOPDIR)/Make.rules + include $(TOPDIR)/Make.defaults + +-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign ++BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper + SVCTARGETS=pesign.sysvinit pesign.service + TARGETS=$(BINTARGETS) $(SVCTARGETS) + +@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC + pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a + pesign : PKGS=efivar nss nspr popt + ++pesign-rpmbuild-helper: pesign-rpmbuild-helper.in ++ sed \ ++ -e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \ ++ $^ > $@ ++ + deps : PKGS=efivar nss nspr popt uuid + deps : $(ALL_SOURCES) + $(MAKE) -f $(TOPDIR)/Make.deps \ +@@ -94,6 +99,7 @@ install : + $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ + $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ ++ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign + $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users + $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups +diff --git a/src/macros.pesign b/src/macros.pesign +index 5a6da1c6809..2e984b4eeb3 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -6,7 +6,7 @@ + # %pesign -s -i shim.orig -o shim.efi + # And magically get the right thing. + +-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} ++%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"} + %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} + + %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"} +@@ -24,54 +24,24 @@ + # -a # rhel only + # -s # perform signing + %pesign(i:o:C:e:c:n:a:s) \ +- _pesign_nssdir=/etc/pki/pesign \ +- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \ +- _pesign_nssdir=/etc/pki/pesign-rh-test \ +- fi \ +- if [ -x %{_pesign} ] && \\\ +- [ "%{_target_cpu}" == "x86_64" -o \\\ +- "%{_target_cpu}" == "aarch64" ]; then \ +- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ +- nss=$(mktemp -p $PWD -d) \ +- echo > ${nss}/pwfile \ +- certutil -N -d ${nss} -f ${nss}/pwfile \ +- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \ +- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \ +- sattrs=$(mktemp -p $PWD --suffix=.der) \ +- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \ +- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \ +- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ +- --certdir ${nss} -c signer %{-o} \ +- rm -rf ${sattrs} ${sattrs}.sig ${nss} \ +- elif [ "$(id -un)" == "kojibuilder" -a \\\ +- grep -q ID=fedora /etc/os-release -a \\\ +- ! -S /run/pesign/socket ]; then \ +- echo "No socket even though this is kojibuilder" 1>&2 \ +- ls -ld /run/pesign 1>&2 \ +- ls -l /run/pesign/socket 1>&2 \ +- getfacl /run/pesign 1>&2 \ +- getfacl /run/pesign/socket 1>&2 \ +- exit 1 \ +- elif [ -S /run/pesign/socket ]; then \ +- %{_pesign_client} -t %{__pesign_client_token} \\\ +- -c %{__pesign_client_cert} \\\ +- %{-i} %{-o} %{-e} %{-s} %{-C} \ +- else \ +- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ +- --certdir ${_pesign_nssdir} \\\ +- %{-i} %{-o} %{-e} %{-s} %{-C} \ +- fi \ +- else \ +- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \ +- mv %{-i*} %{-o*} \ +- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \ +- touch %{-e*} \ +- fi \ +- fi \ +- if [ ! -s %{-o} ]; then \ +- if [ -e "%{-o*}" ]; then \ +- rm -f %{-o*} \ +- fi \ +- exit 1 \ +- fi ; +- ++ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\ ++ "%{_target_cpu}" \\\ ++ "%{_pesign}" \\\ ++ "%{_pesign_client}" \\\ ++ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\ ++ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\ ++ %{?__pesign_token:%{__pesign_token}} \\\ ++ %{?__pesign_cert:--cert %{__pesign_cert}} \\\ ++ %{?_buildhost:--hostname "%{_buildhost}"} \\\ ++ %{?vendor:--vendor "%{vendor}"} \\\ ++ %{?_rhel:--rhelver "%{_rhel}"} \\\ ++ %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\ ++ %{?-a:--rhelcafile "%{-a*}"} \\\ ++ %{?-c:--rhelcertfile "%{-c*}"} \\\ ++ %{?-C:--certout "%{-C*}"} \\\ ++ %{?-e:--sattrout "%{-e*}"} \\\ ++ %{?-i:--in "%{-i*}"} \\\ ++ %{?-o:--out "%{-o*}"} \\\ ++ %{?-s:--sign} \\\ ++ ; \ ++%{nil} +diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in +new file mode 100644 +index 00000000000..c5287c27e0c +--- /dev/null ++++ b/src/pesign-rpmbuild-helper.in +@@ -0,0 +1,222 @@ ++#!/bin/bash ++# shellcheck shell=bash ++ ++set -eu ++set -x ++ ++usage() { ++ local status="${1}" && shift ++ local out ++ if [[ "${status}" -eq 0 ]] ; then ++ out=/dev/stdout ++ else ++ out=/dev/stderr ++ fi ++ ++ if [[ $# -gt 0 ]] ; then ++ echo "${0}: error: $*" >>"${out}" ++ fi ++ echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}" ++ exit "${status}" ++} ++ ++is_efi_arch() { ++ local arch="${1}" ++ local arches=(@@EFI_ARCHES@@) ++ local x ++ for x in "${arches[@]}" ; do ++ if [[ "${arch}" = "${x}" ]] ; then ++ return 0 ++ fi ++ done ++ return 1 ++} ++ ++error_on_empty() { ++ local f="${1}" ++ if [[ ! -s "${f}" ]] ; then ++ if [[ -e "${f}" ]] ; then ++ rm -f "${f}" ++ fi ++ echo "${0}: error: empty result file \"${f}\"">>/dev/stderr ++ exit 1 ++ fi ++} ++ ++main() { ++ if [[ $# -lt 3 ]] ; then ++ usage 1 not enough arguments ++ fi ++ local target_cpu="${1}" && shift ++ local bin="${1}" && shift ++ local client="${1}" && shift ++ ++ local rhelcafile="" || : ++ local rhelcertfile="" || : ++ ++ local certout=() || : ++ local sattrout=() || : ++ local input=() || : ++ local output=() || : ++ local client_token=() || : ++ local client_cert=() || : ++ local token=() || : ++ local cert=() || : ++ local rhelcert=() || : ++ local rhelver=0 || : ++ local sign="" || : ++ local arch="" || : ++ local vendor="" || : ++ local HOSTNAME="" || : ++ ++ while [[ $# -ge 2 ]] ; do ++ case " ${1} " in ++ " --rhelcafile ") ++ rhelcafile="${2}" ++ ;; ++ " --rhelcertfile ") ++ rhelcertfile="${2}" ++ ;; ++ " --hostname ") ++ HOSTNAME="${2}" ++ ;; ++ " --certout ") ++ certout[0]=-C ++ certout[1]="${2}" ++ ;; ++ " --sattrout ") ++ sattrout[0]=-e ++ sattrout[1]="${2}" ++ ;; ++ " --client-token ") ++ client_token[0]=-t ++ client_token[1]="${2}" ++ ;; ++ " --client-cert ") ++ client_cert[0]=-c ++ client_cert[1]="${2}" ++ ;; ++ " --token ") ++ token[0]=-t ++ token[1]="${2}" ++ ;; ++ " --cert ") ++ cert[0]=-c ++ cert[1]="${2}" ++ ;; ++ " --rhelcert ") ++ rhelcert[0]=-c ++ rhelcert[1]="${2}" ++ ;; ++ " --in ") ++ input[0]=-i ++ input[1]="${2}" ++ ;; ++ " --out ") ++ output[0]=-o ++ output[1]="${2}" ++ ;; ++ " --rhelver ") ++ rhelver="${2}" ++ ;; ++ " --vendor ") ++ vendor="${2}" ++ ;; ++ *) ++ break ++ ;; ++ esac ++ shift ++ shift ++ done ++ if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then ++ sign=-s ++ shift ++ fi ++ ++ if [[ -z "${target_cpu}" ]] ; then ++ target_cpu="$(uname -m)" ++ fi ++ ++ target_cpu="${target_cpu/i?86/ia32}" ++ target_cpu="${target_cpu/x86_64/x64}" ++ target_cpu="${target_cpu/aarch64/aa64}" ++ target_cpu="${target_cpu/arm*/arm/}" ++ ++ local nssdir=/etc/pki/pesign ++ if [[ "${#cert[@]}" -eq 2 ]] && ++ [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then ++ nssdir=/etc/pki/pesign-rh-test ++ fi ++ ++ # is_efi_arch is ultimately returning "is pesign configured to sign these ++ # using the rpm macro", so if it isn't, we're just copying the input to ++ # the output ++ if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then ++ if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then ++ cp -v "${input[1]}" "${output[1]}" ++ elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then ++ touch "${sattrout[1]}" ++ fi ++ ++ # if there's a 0-sized output file, delete it and error out ++ error_on_empty "${output[1]}" ++ return 0 ++ fi ++ ++ USERNAME="${USERNAME:-$(id -un)}" ++ ++ local socket="" || : ++ if grep -q ID=fedora /etc/os-release \ ++ && [[ "${rhelver}" -lt 7 ]] \ ++ && [[ "${USERNAME}" = "mockbuild" ]] \ ++ && [[ "${vendor}" = "Fedora Project" ]] \ ++ && [[ "${HOSTNAME}" =~ bkernel.* ]] ++ then ++ if [[ -S /run/pesign/socket ]] ; then ++ socket=/run/pesign/socket ++ elif [[ -S /var/run/pesign/socket ]]; then ++ socket=/var/run/pesign/socket ++ else ++ echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2 ++ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2 ++ ls -ld /run/pesign /var/run/pesign 1>&2 ||: ++ ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||: ++ getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||: ++ getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||: ++ fi ++ fi ++ ++ if [[ "${rhelver}" -ge 7 ]] ; then ++ nssdir="$(mktemp -p "${PWD}" -d)" ++ echo > "${nssdir}/pwfile" ++ certutil -N -d "${nssdir}" -f "${nssdir}/pwfile" ++ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}" ++ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}" ++ sattrs="$(mktemp -p "${PWD}" --suffix=.der)" ++ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \ ++ "${input[@]}" --force ++ rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}" ++ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \ ++ --certdir "${nssdir}" -c signer \ ++ "${input[@]}" "${output[@]}" ++ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" ++ elif [[ -n "${socket}" ]] ; then ++ "${client}" "${client_token[@]}" "${client_cert[@]}" \ ++ "${sattrout[@]}" "${certout[@]}" \ ++ ${sign} "${input[@]}" "${output[@]}" ++ else ++ "${bin}" --certdir "${nssdir}" "${token[@]}" \ ++ "${cert[@]}" ${sign} "${sattrout[@]}" \ ++ "${certout[@]}" "${input[@]}" "${output[@]}" ++ fi ++ ++ # if there's a 0-sized output file, delete it and error out ++ if [[ "${#output[@]}" -eq 2 ]] ; then ++ error_on_empty "${output[1]}" ++ fi ++} ++ ++main "${@}" ++ ++# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4 +-- +2.26.2 + diff --git a/SOURCES/0009-pesign-authorize-shellcheck.patch b/SOURCES/0009-pesign-authorize-shellcheck.patch new file mode 100644 index 0000000..3597f5f --- /dev/null +++ b/SOURCES/0009-pesign-authorize-shellcheck.patch @@ -0,0 +1,60 @@ +From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jul 2020 15:07:32 -0400 +Subject: [PATCH 09/11] pesign-authorize: shellcheck + +Signed-off-by: Peter Jones +--- + src/pesign-authorize | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/pesign-authorize b/src/pesign-authorize +index a496f601ab4..55cd5c4e55b 100755 +--- a/src/pesign-authorize ++++ b/src/pesign-authorize +@@ -12,21 +12,21 @@ set -u + # License: GPLv2 + declare -a fileusers=() + declare -a dirusers=() +-for user in $(cat /etc/pesign/users); do ++while read -r user ; do + dirusers[${#dirusers[@]}]=-m + dirusers[${#dirusers[@]}]="u:$user:rwx" + fileusers[${#fileusers[@]}]=-m + fileusers[${#fileusers[@]}]="u:$user:rw" +-done ++done +Date: Tue, 14 Jul 2020 15:08:15 -0400 +Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/ + +Signed-off-by: Peter Jones +--- + src/pesign-authorize | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pesign-authorize b/src/pesign-authorize +index 55cd5c4e55b..c5448329c2c 100755 +--- a/src/pesign-authorize ++++ b/src/pesign-authorize +@@ -47,7 +47,7 @@ update_subdir() { + done + } + +-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do ++for x in /var/run/pesign/ /etc/pki/pesign/ ; do + if [ -d "${x}" ]; then + update_subdir "${x}" + else +-- +2.26.2 + diff --git a/SOURCES/0011-kernel-building-hack.patch b/SOURCES/0011-kernel-building-hack.patch new file mode 100644 index 0000000..69ffc56 --- /dev/null +++ b/SOURCES/0011-kernel-building-hack.patch @@ -0,0 +1,41 @@ +From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jul 2020 16:42:39 -0400 +Subject: [PATCH 11/11] kernel building hack + +Signed-off-by: Peter Jones +--- + src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in +index c5287c27e0c..27b8261bc17 100644 +--- a/src/pesign-rpmbuild-helper.in ++++ b/src/pesign-rpmbuild-helper.in +@@ -202,6 +202,23 @@ main() { + "${input[@]}" "${output[@]}" + rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" + elif [[ -n "${socket}" ]] ; then ++ ### welcome haaaaack city ++ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then ++ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \ ++ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then ++ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \ ++ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \ ++ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then ++ client_cert[1]=kernel-signer ++ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \ ++ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then ++ client_cert[1]=grub2-signer ++ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \ ++ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then ++ client_cert[1]=fwupd-signer ++ fi ++ fi ++ fi + "${client}" "${client_token[@]}" "${client_cert[@]}" \ + "${sattrout[@]}" "${certout[@]}" \ + ${sign} "${input[@]}" "${output[@]}" +-- +2.26.2 + diff --git a/SOURCES/0012-Use-run-not-var-run.patch b/SOURCES/0012-Use-run-not-var-run.patch new file mode 100644 index 0000000..1b4e0c6 --- /dev/null +++ b/SOURCES/0012-Use-run-not-var-run.patch @@ -0,0 +1,105 @@ +From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 16 Jul 2020 16:28:26 -0400 +Subject: [PATCH] Use /run not /var/run + +Signed-off-by: Peter Jones +--- + src/daemon.h | 4 ++-- + src/Makefile | 2 +- + src/pesign-authorize | 2 +- + src/pesign.service.in | 2 +- + src/pesign.sysvinit.in | 10 +++++----- + 5 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/src/daemon.h b/src/daemon.h +index 0368dc9256c..5fcd97ea717 100644 +--- a/src/daemon.h ++++ b/src/daemon.h +@@ -51,8 +51,8 @@ typedef enum { + } pesignd_cmd; + + #define PESIGND_VERSION 0x2a9edaf0 +-#define SOCKPATH "/var/run/pesign/socket" +-#define PIDFILE "/var/run/pesign.pid" ++#define SOCKPATH "/run/pesign/socket" ++#define PIDFILE "/run/pesign.pid" + + static inline uint32_t UNUSED + pesignd_string_size(char *buffer) +diff --git a/src/Makefile b/src/Makefile +index a7ca89159c6..f7fb5fc9ee5 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit + install : + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ +- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ ++ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) +diff --git a/src/pesign-authorize b/src/pesign-authorize +index c5448329c2c..2381302440c 100755 +--- a/src/pesign-authorize ++++ b/src/pesign-authorize +@@ -47,7 +47,7 @@ update_subdir() { + done + } + +-for x in /var/run/pesign/ /etc/pki/pesign/ ; do ++for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do + if [ -d "${x}" ]; then + update_subdir "${x}" + else +diff --git a/src/pesign.service.in b/src/pesign.service.in +index c75a000892a..4ac2199bce2 100644 +--- a/src/pesign.service.in ++++ b/src/pesign.service.in +@@ -4,6 +4,6 @@ Description=Pesign signing daemon + [Service] + PrivateTmp=true + Type=forking +-PIDFile=/var/run/pesign.pid ++PIDFile=/run/pesign.pid + ExecStart=/usr/bin/pesign --daemonize + ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize +diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in +index b0e0f84ff0b..bf8edec8ff3 100644 +--- a/src/pesign.sysvinit.in ++++ b/src/pesign.sysvinit.in +@@ -4,7 +4,7 @@ + # + # chkconfig: - 50 50 + # processname: /usr/bin/pesign +-# pidfile: /var/run/pesign.pid ++# pidfile: /run/pesign.pid + ### BEGIN INIT INFO + # Provides: pesign + # Default-Start: +@@ -20,9 +20,9 @@ RETVAL=0 + + start(){ + echo -n "Starting pesign: " +- mkdir /var/run/pesign 2>/dev/null && +- chown pesign:pesign /var/run/pesign && +- chmod 0770 /var/run/pesign ++ mkdir /run/pesign 2>/dev/null && ++ chown pesign:pesign /run/pesign && ++ chmod 0770 /run/pesign + daemon /usr/bin/pesign --daemonize + RETVAL=$? + echo +@@ -32,7 +32,7 @@ start(){ + + stop(){ + echo -n "Stopping pesign: " +- killproc -p /var/run/pesign.pid pesignd ++ killproc -p /run/pesign.pid pesignd + RETVAL=$? + echo + rm -f /var/lock/subsys/pesign +-- +2.26.2 + diff --git a/SOURCES/0013-Turn-off-free-nonheap-object.patch b/SOURCES/0013-Turn-off-free-nonheap-object.patch new file mode 100644 index 0000000..3e62bd8 --- /dev/null +++ b/SOURCES/0013-Turn-off-free-nonheap-object.patch @@ -0,0 +1,35 @@ +From 59428daf4863f192419eee4afec15cd099e99c9b Mon Sep 17 00:00:00 2001 +From: Jeff Law +Date: Mon, 16 Nov 2020 12:07:59 -0700 +Subject: [PATCH] Turn off -Wfree-nonheap-object + +authvar.c has a call to free (tokenname) where tokenname is set to a string constant +and never changed. That triggers GCC to issue a diagnostic that the value should not +be passed to free. + +This is a false positive from GCC as the call is guarded by a suitable condition that +always happens to be false. But pesign is being built without optimization and thus +the condition and free call are not optimized away. + +This patch just disables the warning. A better solution would be to fix the sources +or build with the optimizer enabled. +--- + Make.defaults | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Make.defaults b/Make.defaults +index d4cd626..705cc3a 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto + cflags = $(CFLAGS) $(ARCH3264) \ + -Wall -Wextra -Wsign-compare -Wno-unused-result \ + -Wno-unused-function -Wno-missing-field-initializers \ +- -Werror -Wno-error=cpp \ ++ -Werror -Wno-error=cpp -Wno-free-nonheap-object \ + -std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \ + -D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \ + $(if $(filter $(CC),clang),$(clang_cflags), ) \ +-- +2.28.0 + diff --git a/SOURCES/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch b/SOURCES/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch new file mode 100644 index 0000000..f483ec6 --- /dev/null +++ b/SOURCES/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch @@ -0,0 +1,26 @@ +From efb69f149f256631a952e0a0db5b45ed5d391509 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 10 Aug 2021 12:39:08 -0400 +Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver + +Signed-off-by: Peter Jones +--- + src/macros.pesign | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 34af57c5b3b..2ca1afb916e 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -35,6 +35,7 @@ + %{?_buildhost:--hostname "%{_buildhost}"} \\\ + %{?vendor:--vendor "%{vendor}"} \\\ +- %{?_rhel:--rhelver "%{_rhel}"} \\\ ++ %{?rhel:--rhelver "%{rhel}"} \\\ ++ %{?centos:--rhelver "%{centos}"} \\\ + %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}} \\\ + %{?-a:--rhelcafile "%{-a*}"} \\\ + %{?-c:--rhelcertfile "%{-c*}"} \\\ +-- +2.31.1 + diff --git a/SOURCES/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch b/SOURCES/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch new file mode 100644 index 0000000..7a4fba6 --- /dev/null +++ b/SOURCES/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch @@ -0,0 +1,27 @@ +From 3956d8a819541578b31c919270e915fbcc791e89 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 1 Oct 2021 17:58:20 -0400 +Subject: [PATCH] Detect the presence of rpm-sign when checking for + "rhel"-ness. + +Signed-off-by: Peter Jones +--- + src/pesign-rpmbuild-helper.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in +index 27b8261bc17..d6ca29683b1 100644 +--- a/src/pesign-rpmbuild-helper.in ++++ b/src/pesign-rpmbuild-helper.in +@@ -187,7 +187,7 @@ main() { + fi + fi + +- if [[ "${rhelver}" -ge 7 ]] ; then ++ if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then + nssdir="$(mktemp -p "${PWD}" -d)" + echo > "${nssdir}/pwfile" + certutil -N -d "${nssdir}" -f "${nssdir}/pwfile" +-- +2.31.1 + diff --git a/SOURCES/pesign.py b/SOURCES/pesign.py new file mode 100644 index 0000000..4ee59f8 --- /dev/null +++ b/SOURCES/pesign.py @@ -0,0 +1,91 @@ +#!/usr/bin/python3 +# +# Copyright 2017 Peter Jones +# +# Distributed under terms of the GPLv3 license. + +""" +mock plugin to make sure pesign and mockbuild users have the right uid and +gid. +""" + +from mockbuild.trace_decorator import getLog, traceLog +import mockbuild.util + +requires_api_version = "1.1" + +@traceLog() +def init(plugins, conf, buildroot): + """ hello """ + Pesign(plugins, conf, buildroot) + +def getuid(name): + """ get a uid for a user name """ + output = mockbuild.util.do(["getent", "passwd", "%s" % (name,)], + returnOutput=1, printOutput=True) + output = output.split(':') + return output[2], output[3] + +def getgid(name): + """ get a gid for a group name """ + output = mockbuild.util.do(["getent", "group", "%s" % (name,)], + returnOutput=1, printOutput=True) + return output.split(':')[2] + +def newgroup(name, gid, rootdir): + """ create a group with a gid """ + getLog().info("creating group %s with gid %s" % (name, gid)) + mockbuild.util.do(["groupadd", + "-g", "%s" % (gid,), + "-R", "%s" % (rootdir,), + "%s" % (name,), + ]) + +def newuser(name, uid, gid, rootdir): + """ create a user with a uid """ + getLog().info("creating user %s with uid %s" % (name, uid)) + mockbuild.util.do(["useradd", + "-u", "%s" % (uid,), + "-g", "%s" % (gid,), + "-R", "%s" % (rootdir,), + "%s" % (name,)]) + +class Pesign(object): + """ Creates some stuff in our mock root """ + # pylint: disable=too-few-public-methods + @traceLog() + def __init__(self, plugins, conf, buildroot): + """ Effectively we're doing: + getent group pesign >/dev/null || groupadd -r pesign + getent passwd pesign >/dev/null || \ + useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \ + -c "Group for the pesign signing daemon" pesign + """ + + self.buildroot = buildroot + self.pesign_opts = conf + self.config = buildroot.config + self.state = buildroot.state + self.users = {} + self.groups = {} + plugins.add_hook("postinit", self._pesignPostInitHook) + + @traceLog() + def _pesignPostInitHook(self): + """ find our uid and gid lists """ + for user in self.pesign_opts['users']: + uid, gid = getuid(user) + self.users[user] = [user, uid, gid] + for group in self.pesign_opts['groups']: + gid = getgid(group) + self.groups[group] = [group, gid] + + # create our users + rootdir = self.buildroot.make_chroot_path() + for name, gid in self.groups.values(): + newgroup(name, gid, rootdir) + for name, uid, gid in self.users.values(): + newuser(name, uid, gid, rootdir) + +# -*- coding: utf-8 -*- +# vim:fenc=utf-8:tw=75 diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec new file mode 100644 index 0000000..5905a96 --- /dev/null +++ b/SPECS/pesign.spec @@ -0,0 +1,521 @@ +%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d) + +Name: pesign +Summary: Signing utility for UEFI binaries +Version: 113 +Release: 21%{?dist} +License: GPLv2 +URL: https://github.com/vathpela/pesign + +Obsoletes: pesign-rh-test-certs <= 0.111-7 +BuildRequires: make +BuildRequires: gcc +BuildRequires: git +BuildRequires: nspr +BuildRequires: nss +BuildRequires: nss-util +BuildRequires: popt-devel +BuildRequires: nss-tools +BuildRequires: nspr-devel >= 4.9.2-1 +BuildRequires: nss-devel >= 3.13.6-1 +BuildRequires: efivar-devel >= 31-1 +BuildRequires: libuuid-devel +BuildRequires: tar +BuildRequires: xz +BuildRequires: python3-rpm-macros +BuildRequires: python3 +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +BuildRequires: systemd-rpm-macros +%endif +Requires: nspr +Requires: nss +Requires: nss-tools >= 3.53 +Requires: nss-util +Requires: popt +Requires: rpm +Requires(pre): shadow-utils +ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm} +%if 0%{?rhel} == 7 +BuildRequires: rh-signing-tools >= 1.20-2 +%endif + +Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 +Source1: certs.tar.xz +Source2: pesign.py + +Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch +Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch +Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch +Patch0004: 0004-Rename-var-run-to-run.patch +Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch +Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch +Patch0007: 0007-client-remove-an-extra-debug-print.patch +Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch +Patch0009: 0009-pesign-authorize-shellcheck.patch +Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch +Patch0011: 0011-kernel-building-hack.patch +Patch0012: 0012-Use-run-not-var-run.patch +Patch0013: 0013-Turn-off-free-nonheap-object.patch +Patch0014: 0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch +Patch0015: 0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch + +%description +This package contains the pesign utility for signing UEFI binaries as +well as other associated tools. + +%prep +%setup -q -T -b 0 +%setup -q -T -D -c -n pesign-%{version}/ -a 1 +git init +git config user.email "pesign-owner@fedoraproject.org" +git config user.name "Fedora Ninjas" +git add . +git commit -a -q -m "%{version} baseline." +git am %{patches} = 7 || 0%{?fedora} >= 17 +make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \ + install_systemd +%endif + +# there's some stuff that's not really meant to be shipped yet +rm -rf %{buildroot}/boot %{buildroot}/usr/include +rm -rf %{buildroot}%{_libdir}/libdpe* +mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/ +mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/ +cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/ +cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/ + +if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then + mkdir -p %{buildroot}%{macrosdir} + mv %{buildroot}%{_sysconfdir}/rpm/macros.pesign \ + %{buildroot}%{macrosdir} + rmdir %{buildroot}%{_sysconfdir}/rpm +fi +rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING + +# and find-debuginfo.sh has some pretty awful deficencies too... +cp -av libdpe/*.[ch] src/ + +install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/ +install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/ + +%pre +getent group pesign >/dev/null || groupadd -r pesign +getent passwd pesign >/dev/null || \ + useradd -r -g pesign -d /run/pesign -s /sbin/nologin \ + -c "Group for the pesign signing daemon" pesign +exit 0 + +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +%post +%systemd_post pesign.service + +%preun +%systemd_preun pesign.service + +%postun +%systemd_postun_with_restart pesign.service + +%posttrans +certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null + +# this is disabled currently because it breaks the fedora kernel build root +# generation - because we don't currently have a good way of populating +# /etc/pesign/{users,groups} before the buildroot is installed, or +# populating them and re-running pesign-authorize afterwards but before the +# package build of e.g. kernel +#%%{_libexecdir}/pesign/pesign-authorize +%endif + +%files +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc README TODO +%{_bindir}/authvar +%{_bindir}/efikeygen +%{_bindir}/efisiglist +%{_bindir}/pesigcheck +%{_bindir}/pesign +%{_bindir}/pesign-client +%dir %{_libexecdir}/pesign/ +%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/ +%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/* +%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/ +%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/* +%{_libexecdir}/pesign/pesign-authorize +%{_libexecdir}/pesign/pesign-rpmbuild-helper +%config(noreplace)/%{_sysconfdir}/pesign/users +%config(noreplace)/%{_sysconfdir}/pesign/groups +%{_sysconfdir}/popt.d/pesign.popt +%{macrosdir}/macros.pesign +%{_mandir}/man*/* +%dir %attr(0770, pesign, pesign) %{_rundir}/%{name} +%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket +%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +%{_tmpfilesdir}/pesign.conf +%{_unitdir}/pesign.service +%endif +%{python3_sitelib}/mockbuild/plugins/*/pesign.* +%{python3_sitelib}/mockbuild/plugins/pesign.* + +%changelog +* Tue Dec 14 2021 Robbie Harwood - 113-21 +- Sync with beta changes +- Resolves: rhbz#2030501 + +* Tue Aug 10 2021 Peter Jones - 113-18 +- Detect the CentOS version number correctly in rpm pesign macro + Related: rhbz#1991688 + +* Mon Aug 09 2021 Mohan Boddu - 113-17 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Apr 16 2021 Mohan Boddu - 113-16 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Wed Jan 27 2021 Fedora Release Engineering - 113-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Nov 16 2020 Jeff Law - 113-14 +- Turn off -Wfree-nonheap-object + +* Mon Aug 03 2020 Peter Jones - 113-13 +- Add the rundir related stuff that was staged on my f32 checkout. + +* Mon Aug 03 2020 Peter Jones - 113-12 +- Try to make kernel and fwupd both work at the same time. + +* Tue Jul 28 2020 Fedora Release Engineering - 113-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jul 16 2020 Peter Jones - 113-10 +- I really cannot figure out why bkernel01 thinks the certificate nickname + starts with /CN=, but it does, so I'm gonna stop fighting with the sand. + +* Thu Jul 16 2020 Peter Jones - 113-9 +- Even more kernel build debugging... + +* Tue Jul 07 2020 Peter Jones - 113-8 +- More kernel build debugging... + +* Tue Jul 07 2020 Peter Jones - 113-6 +- Disable the pesign-authorize call in posttrans, until we can figure out a + better way to deal with that in the fedora kernel builder chroot setup + +* Tue Jul 07 2020 Peter Jones - 113-5 +- Make pesign require nss-tools for the posttrans scriptlet +- Move most of macros.pesign to /usr/libexec/pesign/pesign-rpmbuild-helper + +* Mon Jul 06 2020 Peter Jones - 113-4 +- Attempt to fix kernel signing failures caused by -3... + +* Fri Jun 12 2020 Peter Jones - 113-3 +- Fix the signer name for fedora and some other minor nits + Related: rhbz#1708773 + Related: rhbz#1678146 + +* Thu Jun 11 2020 Peter Jones - 113-2 +- Fix a signing protocol bug we introduced in 113 that makes the fedora + kernel builders fail. + Related: rhbz#1708773 + +* Thu Jun 11 2020 Javier Martinez Canillas - 113-1 +- Update to 113 release + Resolves: rhbz#1708773 + +* Mon Jun 08 2020 Javier Martinez Canillas - 0.112-31 +- Switch default NSS database to SQLite format (pjones) + Resolves: rhbz#1827902 + +* Mon Feb 24 2020 Peter Jones - 0.112-30 +- Make sure the patch for -29 is actually in the build in f32, and + synchronize with master. + +* Tue Feb 18 2020 Peter Jones - 0.112-29 +- Rebuild to match OpenSC's token name mangling change. + +* Thu Jan 30 2020 Fedora Release Engineering - 0.112-28 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Nov 12 2019 Peter Jones - 0.112-27 +- Rebuild to fix an NSS API issue. + +* Fri Jul 26 2019 Fedora Release Engineering - 0.112-26 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Mar 6 2019 Zbigniew Jędrzejewski-Szmek - 0.112-25 +- Fix build (#1675653) +- Add missing closing quote in macro (#1651020) +- Update obsolete /var/run/ path (#1678146) + +* Sat Feb 02 2019 Fedora Release Engineering - 0.112-25 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 0.112-24 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Feb 09 2018 Fedora Release Engineering - 0.112-23 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Jan 22 2018 Peter Robinson 0.112-22 +- Minor spec cleanups, fix arm conditional + +* Fri Oct 06 2017 Troy Dawson - 0.112-21 +- Cleanup spec file conditionals + +* Tue Aug 15 2017 Peter Jones - 0.112-20 +- Maybe fewer typoes would be better. + +* Tue Aug 15 2017 Peter Jones - 0.112-19 +- Update to match f26's build so new kernel builds will work. + +* Thu Aug 10 2017 Peter Jones - 0.112-10 +- Try to fix the db problem nirik is seeing trying to upgrade the builders. + +* Thu Aug 03 2017 Fedora Release Engineering - 0.112-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.112-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jul 08 2017 Peter Jones - 0.112-7 +- Rebuild for efivar-31-1.fc26 + Related: rhbz#1468841 + +* Sat Feb 11 2017 Fedora Release Engineering - 0.112-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 06 2017 Peter Jones - 0.112-5 +- Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy + scripts. + Related: rhbz#1349073 + +* Wed Aug 17 2016 Peter Jones - 0.112-4 +- Build as -4 to make bodhi happy. + +* Fri Aug 12 2016 Adam Williamson - 0.112-3 +- backport fix for command line parsing from upstream master + +* Wed Aug 10 2016 Peter Jones - 0.112-2 +- Build with newer efivar. + +* Wed Apr 20 2016 Peter Jones - 0.112-1 +- Update to 0.112 +- Also fix up some spec file woes: + - dumb things in %%setup + - find-debuginfo.sh not working right for some source files... + +* Thu Feb 04 2016 Fedora Release Engineering - 0.111-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Dec 10 2015 Peter Jones - 0.111-7 +- Obsolete pesign-rh-test-certs, it was in -1's update. + Resolves: rhbz#1283475 + +* Wed Dec 02 2015 Peter Jones - 0.111-6 +- *Don't* use --certdir if we're using the socket. + Related: rhbz#1283475 + Related: rhbz#1284063 + Related: rhbz#1284561 + +* Tue Dec 01 2015 Peter Jones - 0.111-5 +- Actually do a better job of choosing which cert to use when, so people will + stop seeing any of this problem. (Thanks for the thought, jforbes.) + Resolves: rhbz#1283475 + Resolves: rhbz#1284063 + Resolves: rhbz#1284561 + +* Mon Nov 30 2015 Peter Jones - 0.111-5 +- setfacl even harder. + Related: rhbz#1283475 + Related: rhbz#1284063 + Related: rhbz#1284561 + +* Fri Nov 20 2015 Peter Jones - 0.111-3 +- Better ACL setting code. + Related: rhbz#1283475 + +* Thu Nov 19 2015 Peter Jones - 0.111-2 +- Allow the mockbuild user to read the nss database if the account exists. + +* Wed Oct 28 2015 Peter Jones - 0.111-1 +- Rebase to 0.111 +- Split test certs out into a "Recommends" subpackage. + +* Thu Jun 18 2015 Fedora Release Engineering - 0.110-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Mar 4 2015 Ville Skyttä - 0.110-2 +- Install macros in %%{_rpmconfigdir}/macros.d where available (#1074281) + +* Fri Oct 24 2014 Peter Jones - 0.110-1 +- Update to pesign-0.110 + +* Sun Aug 17 2014 Fedora Release Engineering - 0.108-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.108-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 29 2014 Peter Jones - 0.108-2 +- Fix a networking problem nirik observed when reinstalling builders. + +* Sat Aug 10 2013 Peter Jones - 0.108-1 +- Remove errant result files and raise an error from %%pesign + +* Tue Aug 06 2013 Peter Jones - 0.106-3 +- Add code for signing in RHEL 7 + +* Mon Aug 05 2013 Peter Jones - 0.106-2 +- Fix for new %%doc rules. + +* Sun Aug 04 2013 Fedora Release Engineering - 0.106-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue May 21 2013 Peter Jones - 0.106-1 +- Update to 0.106 +- Hopefully fix the segfault dgilmore was seeing. + +* Mon May 20 2013 Peter Jones - 0.105-1 +- Various bug fixes. + +* Wed May 15 2013 Peter Jones - 0.104-1 +- Make sure alignment is correct on signature list entries + Resolves: rhbz#963361 +- Make sure section alignment is correct if we have to extend the file + +* Wed Feb 06 2013 Peter Jones - 0.103-2 +- Conditionalize systemd bits so they don't show up in RHEL 6 builds + +* Tue Feb 05 2013 Peter Jones - 0.103-1 +- One more compiler problem. Let's expect a few more, shall we? + +* Tue Feb 05 2013 Peter Jones - 0.102-1 +- Don't use --std=gnu11 because we have to work on RHEL 6 builders. + +* Mon Feb 04 2013 Peter Jones - 0.101-1 +- Update to 0.101 to fix more "pesign -E" issues. + +* Fri Nov 30 2012 Peter Jones - 0.100-1 +- Fix insertion of signatures from a file. + +* Mon Nov 26 2012 Matthew Garrett - 0.99-9 +- Add a patch needed for new shim builds + +* Fri Oct 19 2012 Peter Jones - 0.99-8 +- Get the Fedora signing token name right. + +* Fri Oct 19 2012 Peter Jones +- Add coolkey and opensc modules to pki database during %%install. + +* Fri Oct 19 2012 Peter Jones - 0.99-7 +- setfacl u:kojibuilder:rw /var/run/pesign/socket +- Fix command line checking in client +- Add client stdin pin reading. + +* Thu Oct 18 2012 Peter Jones - 0.99-6 +- Automatically select daemon as signer when using rpm macros. + +* Thu Oct 18 2012 Peter Jones - 0.99-5 +- Make it work on the -el6 branch as well. + +* Wed Oct 17 2012 Peter Jones - 0.99-4 +- Fix some more bugs found by valgrind and coverity. +- Don't build utils/ ; we're not using them and they're not ready anyway. + +* Wed Oct 17 2012 Peter Jones - 0.99-3 +- Fix daemon startup bug from 0.99-2 + +* Wed Oct 17 2012 Peter Jones - 0.99-2 +- Fix various bugs from 0.99-1 +- Don't make the database unreadable just yet. + +* Mon Oct 15 2012 Peter Jones - 0.99-1 +- Update to 0.99 +- Add documentation for client/server mode. +- Add --pinfd and --pinfile to server mode. + +* Fri Oct 12 2012 Peter Jones - 0.98-1 +- Update to 0.98 +- Add client/server mode. + +* Mon Oct 01 2012 Peter Jones - 0.10-5 +- Fix missing section address fixup. + +* Wed Aug 15 2012 Peter Jones - 0.10-4 +- Make macros.pesign even better (and make it work right for i686 packages) + +* Tue Aug 14 2012 Peter Jones - 0.10-3 +- Only sign things on x86_64; all else ignore gracefully. + +* Tue Aug 14 2012 Peter Jones - 0.10-2 +- Make macros.pesign more reliable + +* Mon Aug 13 2012 Peter Jones - 0.10-1 +- Update to 0.10 +- Include rpm macros to support easy custom signing of signed packages. + +* Fri Aug 10 2012 Peter Jones - 0.9-1 +- Update to 0.9 +- Bug fix from Gary Ching-Pang Lin +- Support NSS Token selection for use with smart cards. + +* Wed Aug 08 2012 Peter Jones - 0.8-1 +- Update to 0.8 +- Don't open the db read-write +- Fix permissions on keystore (everybody can sign with test keys) + +* Wed Aug 08 2012 Peter Jones - 0.7-2 +- Include test keys. + +* Mon Jul 30 2012 Peter Jones - 0.7-1 +- Update to 0.7 +- Better fix for MS compatibility. + +* Mon Jul 30 2012 Peter Jones - 0.6-1 +- Update to 0.6 +- Bug-for-bug compatibility with signtool.exe . + +* Fri Jul 20 2012 Fedora Release Engineering - 0.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 11 2012 Peter Jones - 0.5-1 +- Rebase to 0.5 +- Do more rigorous bounds checking when hashing a new binary. + +* Tue Jul 10 2012 Peter Jones - 0.3-2 +- Rebase to 0.4 + +* Fri Jun 22 2012 Peter Jones - 0.3-2 +- Move man page to a more reasonable place. + +* Fri Jun 22 2012 Peter Jones - 0.3-1 +- Update to upstream's 0.3 . + +* Thu Jun 21 2012 Peter Jones - 0.2-4 +- Do not build with smp flags. + +* Thu Jun 21 2012 Peter Jones - 0.2-3 +- Make it build on i686, though it's unclear it'll ever be necessary. + +* Thu Jun 21 2012 Peter Jones - 0.2-2 +- Fix compile problem with f18's compiler. + +* Thu Jun 21 2012 Peter Jones - 0.2-1 +- Fix some rpmlint complaints nirik pointed out +- Add popt-devel build dep + +* Fri Jun 15 2012 Peter Jones - 0.1-1 +- First version of SRPM.