diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fac4d11 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/certs.tar.xz +SOURCES/pesign-0.112.tar.bz2 diff --git a/.pesign.metadata b/.pesign.metadata new file mode 100644 index 0000000..af3820a --- /dev/null +++ b/.pesign.metadata @@ -0,0 +1,2 @@ +53d9b43ef6eadb4512ce9738b5a6efbb40477983 SOURCES/certs.tar.xz +7cba5cfddabc425d0a927edfdd6865cc92f00c7b SOURCES/pesign-0.112.tar.bz2 diff --git a/SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch b/SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch new file mode 100644 index 0000000..0c82dcf --- /dev/null +++ b/SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch @@ -0,0 +1,72 @@ +From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 21 Apr 2016 10:47:34 -0400 +Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686 + and it's unused. + +Signed-off-by: Peter Jones +--- + src/cms_common.c | 34 ---------------------------------- + src/cms_common.h | 1 - + 2 files changed, 35 deletions(-) + +diff --git a/src/cms_common.c b/src/cms_common.c +index b19bc62..6a4e6a7 100644 +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str) + return 0; + } + +-static SEC_ASN1Template IntegerTemplate[] = { +- {.kind = SEC_ASN1_INTEGER, +- .offset = 0, +- .sub = NULL, +- .size = sizeof(long), +- }, +- { 0 }, +-}; +- +-int +-generate_integer(cms_context *cms, SECItem *der, unsigned long integer) +-{ +- void *ret; +- +- uint32_t u32; +- +- SECItem input = { +- .data = (void *)&integer, +- .len = sizeof(integer), +- .type = siUnsignedInteger, +- }; +- +- if (integer < 0x100000000) { +- u32 = integer & 0xffffffffUL; +- input.data = (void *)&u32; +- input.len = sizeof(u32); +- } +- +- ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate); +- if (ret == NULL) +- cmsreterr(-1, cms, "could not encode data"); +- return 0; +-} +- + int + generate_time(cms_context *cms, SECItem *encoded, time_t when) + { +diff --git a/src/cms_common.h b/src/cms_common.h +index 7d77faf..c7d7268 100644 +--- a/src/cms_common.h ++++ b/src/cms_common.h +@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded, + SECOidTag tag); + extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded); + extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when); +-extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer); + extern int generate_string(cms_context *cms, SECItem *der, char *str); + extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items); + extern int wrap_in_seq(cms_context *cms, SECItem *der, +-- +2.13.4 + diff --git a/SOURCES/0002-Fix-command-line-parsing.patch b/SOURCES/0002-Fix-command-line-parsing.patch new file mode 100644 index 0000000..9c03eeb --- /dev/null +++ b/SOURCES/0002-Fix-command-line-parsing.patch @@ -0,0 +1,73 @@ +From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001 +From: Julien Cristau +Date: Thu, 9 Jun 2016 14:30:37 +0200 +Subject: [PATCH 02/29] Fix command line parsing + +The gettext translation domain should be passed as .arg, not .descrip, +otherwise popt won't process any of the command line options (it stops +looping over the struct poptOption array when an entry has unset +longName, shortName and arg). + +Signed-off-by: Julien Cristau +--- + src/client.c | 2 +- + src/efikeygen.c | 2 +- + src/efisiglist.c | 2 +- + src/pesigcheck.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/client.c b/src/client.c +index 028419f..575c873 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -555,7 +555,7 @@ main(int argc, char *argv[]) + + struct poptOption options[] = { + {.argInfo = POPT_ARG_INTL_DOMAIN, +- .descrip = "pesign" }, ++ .arg = "pesign" }, + {.longName = "token", + .shortName = 't', + .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT, +diff --git a/src/efikeygen.c b/src/efikeygen.c +index 6278849..8a515a5 100644 +--- a/src/efikeygen.c ++++ b/src/efikeygen.c +@@ -486,7 +486,7 @@ int main(int argc, char *argv[]) + poptContext optCon; + struct poptOption options[] = { + {.argInfo = POPT_ARG_INTL_DOMAIN, +- .descrip = "pesign" }, ++ .arg = "pesign" }, + /* global nss-ish things */ + {.longName = "dbdir", + .shortName = 'd', +diff --git a/src/efisiglist.c b/src/efisiglist.c +index cd3f1ae..40d6a93 100644 +--- a/src/efisiglist.c ++++ b/src/efisiglist.c +@@ -126,7 +126,7 @@ main(int argc, char *argv[]) + + struct poptOption options[] = { + {.argInfo = POPT_ARG_INTL_DOMAIN, +- .descrip = "pesign" }, ++ .arg = "pesign" }, + {.longName = "infile", + .shortName = 'i', + .argInfo = POPT_ARG_STRING, +diff --git a/src/pesigcheck.c b/src/pesigcheck.c +index 1328fe9..0d49c1a 100644 +--- a/src/pesigcheck.c ++++ b/src/pesigcheck.c +@@ -214,7 +214,7 @@ main(int argc, char *argv[]) + poptContext optCon; + struct poptOption options[] = { + {.argInfo = POPT_ARG_INTL_DOMAIN, +- .descrip = "pesign" }, ++ .arg = "pesign" }, + {.longName = "dbfile", + .shortName = 'D', + .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST, +-- +2.13.4 + diff --git a/SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch b/SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch new file mode 100644 index 0000000..cf4e61d --- /dev/null +++ b/SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch @@ -0,0 +1,26 @@ +From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 10 Aug 2016 17:12:39 -0400 +Subject: [PATCH 03/29] gcc: don't error on stuff in includes. + +Signed-off-by: Peter Jones +--- + Make.defaults | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Make.defaults b/Make.defaults +index c97b452..3511080 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config + CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC)) + CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD)) + CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \ +- -Wall -Werror -Wextra ++ -Wall -Werror -Wextra -Wno-error=cpp + AS := $(CROSS_COMPILE)as + AR := $(CROSS_COMPILE)gcc-ar + RANLIB := $(CROSS_COMPILE)gcc-ranlib +-- +2.13.4 + diff --git a/SOURCES/0004-Fix-certficate-argument-name.patch b/SOURCES/0004-Fix-certficate-argument-name.patch new file mode 100644 index 0000000..08509ff --- /dev/null +++ b/SOURCES/0004-Fix-certficate-argument-name.patch @@ -0,0 +1,39 @@ +From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 18 Apr 2017 19:00:34 -0400 +Subject: [PATCH 04/29] Fix "certficate" argument name. + +This fixes our typoed argument name by making the incorrectly spelled +version be a popt alias, and fixing the real implementation to be +spelled right in pesign.c . + +Signed-off-by: Peter Jones +--- + src/pesign.c | 2 +- + src/pesign.popt | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/pesign.c b/src/pesign.c +index af374b6..279a17a 100644 +--- a/src/pesign.c ++++ b/src/pesign.c +@@ -438,7 +438,7 @@ main(int argc, char *argv[]) + .arg = &ctxp->outfile, + .descrip = "specify output file", + .argDescrip = "" }, +- {.longName = "certficate", ++ {.longName = "certificate", + .shortName = 'c', + .argInfo = POPT_ARG_STRING, + .arg = &certname, +diff --git a/src/pesign.popt b/src/pesign.popt +index 7b3385d..5a97748 100644 +--- a/src/pesign.popt ++++ b/src/pesign.popt +@@ -1,2 +1,3 @@ + pesign alias --cert --certificate ++pesign alias --certficate --certificate + pesign alias --daemon --daemonize +-- +2.13.4 + diff --git a/SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch b/SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch new file mode 100644 index 0000000..6a5b02d --- /dev/null +++ b/SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch @@ -0,0 +1,26 @@ +From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001 +From: Julien Cristau +Date: Mon, 27 Jun 2016 15:38:38 +0200 +Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage + +The --ascii option does not exist. +--- + src/pesign.1 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pesign.1 b/src/pesign.1 +index 47d1aec..29ae060 100644 +--- a/src/pesign.1 ++++ b/src/pesign.1 +@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR + Export the certificate specified by \-\-certificate to \fIoutcert\fR + + .TP +-\fB-\-ascii\fR ++\fB-\-ascii\-armor\fR + Use ascii armoring on exported certificates. + + .TP +-- +2.13.4 + diff --git a/SOURCES/0006-Make-ascii-work-since-we-documented-it.patch b/SOURCES/0006-Make-ascii-work-since-we-documented-it.patch new file mode 100644 index 0000000..d0165f9 --- /dev/null +++ b/SOURCES/0006-Make-ascii-work-since-we-documented-it.patch @@ -0,0 +1,22 @@ +From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 18 Apr 2017 19:05:40 -0400 +Subject: [PATCH 06/29] Make --ascii work, since we documented it. + +Signed-off-by: Peter Jones +--- + src/pesign.popt | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/pesign.popt b/src/pesign.popt +index 5a97748..5ae0c5c 100644 +--- a/src/pesign.popt ++++ b/src/pesign.popt +@@ -1,3 +1,4 @@ + pesign alias --cert --certificate + pesign alias --certficate --certificate + pesign alias --daemon --daemonize ++pesign alias --ascii --ascii-armor +-- +2.13.4 + diff --git a/SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch b/SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch new file mode 100644 index 0000000..faa78ec --- /dev/null +++ b/SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch @@ -0,0 +1,32 @@ +From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001 +From: Pat Riehecky +Date: Mon, 7 Nov 2016 11:37:08 -0600 +Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros + rather than use hard coded values + +--- + src/macros.pesign | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 18e5b5e..69280e9 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -41,11 +41,11 @@ + --certdir ${nss} -c signer %{-o} \ + rm -rf ${sattrs} ${sattrs}.sig ${nss} \ + elif [ -S /var/run/pesign/socket ]; then \ +- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\ +- -c "/CN=Fedora Secure Boot Signer" \\\ ++ %{_pesign_client} -t %{__pesign_token} \\\ ++ -c %{__pesign_cert} \\\ + %{-i} %{-o} %{-e} %{-s} %{-C} \ + else \ +- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ ++ %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\ + --certdir ${_pesign_nssdir} \\\ + %{-i} %{-o} %{-e} %{-s} %{-C} \ + fi \ +-- +2.13.4 + diff --git a/SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch b/SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch new file mode 100644 index 0000000..2226498 --- /dev/null +++ b/SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch @@ -0,0 +1,25 @@ +From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Thu, 16 Feb 2017 15:08:30 -0800 +Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer + +--- + src/certdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/certdb.c b/src/certdb.c +index 2a08042..b7c99bb 100644 +--- a/src/certdb.c ++++ b/src/certdb.c +@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, + } + /* Verify the signature */ + result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo, +- certUsageSSLServer, ++ certUsageObjectSigner, + digest, HASH_AlgSHA256, + PR_FALSE, atTime); + if (!result) { +-- +2.13.4 + diff --git a/SOURCES/0009-pesigcheck-make-certfile-actually-work.patch b/SOURCES/0009-pesigcheck-make-certfile-actually-work.patch new file mode 100644 index 0000000..8b77417 --- /dev/null +++ b/SOURCES/0009-pesigcheck-make-certfile-actually-work.patch @@ -0,0 +1,47 @@ +From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 24 Apr 2017 15:18:10 -0400 +Subject: [PATCH 09/29] pesigcheck: make --certfile actually work + +Signed-off-by: Peter Jones +--- + src/pesigcheck.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/pesigcheck.c b/src/pesigcheck.c +index 0d49c1a..d7be542 100644 +--- a/src/pesigcheck.c ++++ b/src/pesigcheck.c +@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx) + cert_iter iter; + + generate_digest(ctx->cms_ctx, ctx->inpe, 1); +- ++ + if (check_db_hash(DBX, ctx) == FOUND) + return -1; + +@@ -225,6 +225,11 @@ main(int argc, char *argv[]) + .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST, + .arg = (void *)callback, + .descrip = (void *)ctxp }, ++ {.longName = "certfile", ++ .shortName = 'c', ++ .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST, ++ .arg = (void *)callback, ++ .descrip = (void *)ctxp }, + {.longName = "in", + .shortName = 'i', + .argInfo = POPT_ARG_STRING, +@@ -258,7 +263,7 @@ main(int argc, char *argv[]) + .shortName = 'c', + .argInfo = POPT_ARG_STRING, + .arg = &certfile, +- .descrip = "the certificate (in DER form) for verification ", ++ .descrip = "import certfile (in DER encoding) for allowed certificate", + .argDescrip = "" }, + POPT_AUTOALIAS + POPT_AUTOHELP +-- +2.13.4 + diff --git a/SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch b/SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch new file mode 100644 index 0000000..08d1da7 --- /dev/null +++ b/SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch @@ -0,0 +1,27 @@ +From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 25 Apr 2017 16:15:07 -0400 +Subject: [PATCH 10/29] signerInfos: make sure err is always initialized + +Signed-off-by: Peter Jones +--- + src/signed_data.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/signed_data.c b/src/signed_data.c +index 721db90..9e0af23 100644 +--- a/src/signed_data.c ++++ b/src/signed_data.c +@@ -132,7 +132,8 @@ int + generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type) + { + SpcSignerInfo **signerInfo_list; +- int err, rc; ++ int err = 0; ++ int rc; + + if (!signerInfo_list_p) + return -1; +-- +2.13.4 + diff --git a/SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch b/SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch new file mode 100644 index 0000000..3e15617 --- /dev/null +++ b/SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch @@ -0,0 +1,26 @@ +From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 25 Apr 2017 16:23:36 -0400 +Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name. + +Signed-off-by: Peter Jones +--- + src/pesign.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pesign.c b/src/pesign.c +index 279a17a..5879cfc 100644 +--- a/src/pesign.c ++++ b/src/pesign.c +@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx) + if (!ctx) + return; + +- printf("hash: "); ++ printf("%s ", pctx->infile); + int j = ctx->selected_digest; + for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++) + printf("%02x", +-- +2.13.4 + diff --git a/SOURCES/0012-Add-coverity-build-scripts.patch b/SOURCES/0012-Add-coverity-build-scripts.patch new file mode 100644 index 0000000..f3f0a89 --- /dev/null +++ b/SOURCES/0012-Add-coverity-build-scripts.patch @@ -0,0 +1,104 @@ +From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 10 May 2017 10:49:57 -0400 +Subject: [PATCH 12/29] Add coverity build scripts + +Signed-off-by: Peter Jones +--- + .gitignore | 1 + + Make.coverity | 37 +++++++++++++++++++++++++++++++++++++ + Make.defaults | 2 ++ + Make.rules | 4 ++++ + Makefile | 1 + + 5 files changed, 45 insertions(+) + create mode 100644 Make.coverity + +diff --git a/.gitignore b/.gitignore +index 1635ba2..847e172 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -12,3 +12,4 @@ + *.tar.* + *.rpm + core.* ++cov-int +diff --git a/Make.coverity b/Make.coverity +new file mode 100644 +index 0000000..b80b091 +--- /dev/null ++++ b/Make.coverity +@@ -0,0 +1,37 @@ ++include $(TOPDIR)/Make.version ++include $(TOPDIR)/Make.rules ++include $(TOPDIR)/Make.defaults ++ ++COV_EMAIL=$(call get-config,coverity.email) ++COV_TOKEN=$(call get-config,coverity.token) ++COV_URL=$(call get-config,coverity.url) ++COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2 ++ ++cov-int : clean ++ cov-build --dir cov-int make all ++ ++cov-clean : ++ @rm -vf $(NAME)-coverity-*.tar.* ++ @if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi ++ ++cov-file : | $(COV_FILE) ++ ++$(COV_FILE) : cov-int ++ tar caf $@ cov-int ++ ++cov-upload : ++ @if [[ -n "$(COV_URL)" ]] && \ ++ [[ -n "$(COV_TOKEN)" ]] && \ ++ [[ -n "$(COV_EMAIL)" ]] ; \ ++ then \ ++ echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \ ++ curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \ ++ else \ ++ echo Coverity output is in $(COV_FILE) ; \ ++ fi ++ ++coverity : cov-file cov-upload ++ ++clean : | cov-clean ++ ++.PHONY : coverity cov-upload cov-clean cov-file +diff --git a/Make.defaults b/Make.defaults +index 3511080..39b78f0 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -1,3 +1,5 @@ ++NAME = pesign ++COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master) + prefix ?= /usr/ + prefix := $(abspath $(prefix))/ + libdir ?= $(prefix)lib64/ +diff --git a/Make.rules b/Make.rules +index af5ecfe..5e3c83d 100644 +--- a/Make.rules ++++ b/Make.rules +@@ -79,3 +79,7 @@ endef + + $(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% : + $(MAKE) -C $(TOPDIR)/libdpe $(notdir $@) ++ ++define get-config = ++$(shell git config --local --get "$(NAME).$(1)") ++endef +diff --git a/Makefile b/Makefile +index db8eb7e..ca1a359 100644 +--- a/Makefile ++++ b/Makefile +@@ -4,6 +4,7 @@ TOPDIR = $(realpath .) + include $(TOPDIR)/Make.version + include $(TOPDIR)/Make.rules + include $(TOPDIR)/Make.defaults ++include $(TOPDIR)/Make.coverity + + SUBDIRS := include libdpe src + +-- +2.13.4 + diff --git a/SOURCES/0013-Document-implicit-fallthrough.patch b/SOURCES/0013-Document-implicit-fallthrough.patch new file mode 100644 index 0000000..3731a3f --- /dev/null +++ b/SOURCES/0013-Document-implicit-fallthrough.patch @@ -0,0 +1,25 @@ +From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Sat, 8 Jul 2017 16:31:18 -0400 +Subject: [PATCH 13/29] Document implicit fallthrough. + +Signed-off-by: Peter Jones +--- + src/authvar.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/authvar.c b/src/authvar.c +index ad659ca..03e0c47 100644 +--- a/src/authvar.c ++++ b/src/authvar.c +@@ -511,6 +511,7 @@ main(int argc, char *argv[]) + case IMPORT|SET: + case IMPORT|SIGN|SET: + fprintf(stderr, "authvar: not implemented\n"); ++ /* fallthrough. */ + case IMPORT|SIGN|EXPORT: + default: + fprintf(stderr, "authvar: invalid flags: "); +-- +2.13.4 + diff --git a/SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch b/SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch new file mode 100644 index 0000000..4b62cb3 --- /dev/null +++ b/SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch @@ -0,0 +1,50 @@ +From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 16 May 2016 15:25:53 -0400 +Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage. + +Signed-off-by: Peter Jones +--- + src/pesign-authorize-groups | 6 +++--- + src/pesign-authorize-users | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index a4f895e..cf51fb6 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then + setfacl -m g:${group}:rw /var/run/pesign/socket + fi + fi +- for x in /etc/pki/pesign* ; do ++ for x in /etc/pki/pesign*/ ; do + if [ -d ${x} ]; then +- setfacl -m g:${group}:rx /etc/pki/pesign +- for y in ${x}/{cert8,key3,secmod}.db ; do ++ setfacl -m g:${group}:rx ${x} ++ for y in ${x}{cert8,key3,secmod}.db ; do + setfacl -m g:${group}:rw ${y} + done + fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index 8b9a885..940138e 100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then + setfacl -m g:${username}:rw /var/run/pesign/socket + fi + fi +- for x in /etc/pki/pesign* ; do ++ for x in /etc/pki/pesign*/ ; do + if [ -d ${x} ]; then +- setfacl -m g:${username}:rx /etc/pki/pesign +- for y in ${x}/{cert8,key3,secmod}.db ; do ++ setfacl -m g:${username}:rx ${x} ++ for y in ${x}{cert8,key3,secmod}.db ; do + setfacl -m g:${username}:rw ${y} + done + fi +-- +2.13.4 + diff --git a/SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch b/SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch new file mode 100644 index 0000000..d5428b5 --- /dev/null +++ b/SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch @@ -0,0 +1,59 @@ +From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 22 Aug 2016 13:31:38 -0400 +Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array + indices. + +That was all kinds of wrong. + +Signed-off-by: Peter Jones +--- + src/oid.c | 10 +++++++--- + src/oid.h | 1 + + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/oid.c b/src/oid.c +index 9d8154f..7037e1e 100644 +--- a/src/oid.c ++++ b/src/oid.c +@@ -33,6 +33,7 @@ static uint8_t oiddata[] = { + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f, + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15, + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01, ++ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02, + }; + + #define OID(num, desc_s, oidtype, length, value) \ +@@ -53,11 +54,14 @@ static struct { + OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10, + &oiddata[10]), + OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10, +- &oiddata[30]), ++ &oiddata[20]), + OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID, +- 10, &oiddata[40]), ++ 10, &oiddata[30]), + OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version", +- siAsciiString, 9, &oiddata[50]), ++ siAsciiString, 9, &oiddata[40]), ++ OID(SHIM_EKU_MODULE_SIGNING_ONLY, ++ "Certificate is used for kernel modules only", siDEROID, 10, ++ &oiddata[49]), + { .oid = END_OID_LIST } + }; + +diff --git a/src/oid.h b/src/oid.h +index 599f49d..0e00781 100644 +--- a/src/oid.h ++++ b/src/oid.h +@@ -25,6 +25,7 @@ typedef enum { + SPC_PE_IMAGE_DATA_OBJID, /* 1.3.6.1.4.1.311.2.1.15 */ + SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, /* 1.3.6.1.4.1.311.2.1.21 */ + szOID_CERTSRV_CA_VERSION, /* 1.3.6.1.4.1.311.21.1 */ ++ SHIM_EKU_MODULE_SIGNING_ONLY, /* 1.3.6.1.4.1.2312.16.1.2 */ + END_OID_LIST + } ms_oid_t; + +-- +2.13.4 + diff --git a/SOURCES/0016-efikeygen-add-modsign.patch b/SOURCES/0016-efikeygen-add-modsign.patch new file mode 100644 index 0000000..8324334 --- /dev/null +++ b/SOURCES/0016-efikeygen-add-modsign.patch @@ -0,0 +1,197 @@ +From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 22 Aug 2016 13:43:56 -0400 +Subject: [PATCH 16/29] efikeygen: add --modsign + +--- + src/cms_common.c | 29 ++++++++++++++++++++++++++++ + src/cms_common.h | 1 + + src/efikeygen.c | 59 ++++++++++++++++++++++++++++++++++++++++++++------------ + 3 files changed, 77 insertions(+), 12 deletions(-) + +diff --git a/src/cms_common.c b/src/cms_common.c +index 6a4e6a7..2df2cfe 100644 +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded, + return 0; + } + ++static SEC_ASN1Template EKUOidSequence[] = { ++ { ++ .kind = SEC_ASN1_OBJECT_ID, ++ .offset = 0, ++ .sub = &SEC_AnyTemplate, ++ .size = sizeof (SECItem), ++ }, ++ { 0 } ++}; ++ ++int ++make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag) ++{ ++ void *rv; ++ SECOidData *oid_data; ++ ++ oid_data = SECOID_FindOIDByTag(oid_tag); ++ if (!oid_data) ++ cmsreterr(-1, cms, "could not encode eku oid data"); ++ ++ rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid, ++ EKUOidSequence); ++ if (rv == NULL) ++ cmsreterr(-1, cms, "could not encode eku oid data"); ++ ++ encoded->type = siBuffer; ++ return 0; ++} ++ + int + generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original) + { +diff --git a/src/cms_common.h b/src/cms_common.h +index c7d7268..7a31273 100644 +--- a/src/cms_common.h ++++ b/src/cms_common.h +@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der, + SECItem *items, int num_items); + extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded, + SECItem *original); ++extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag); + extern int generate_validity(cms_context *cms, SECItem *der, time_t start, + time_t end); + extern int generate_common_name(cms_context *cms, SECItem *der, char *cn); +diff --git a/src/efikeygen.c b/src/efikeygen.c +index 8a515a5..9390578 100644 +--- a/src/efikeygen.c ++++ b/src/efikeygen.c +@@ -49,6 +49,7 @@ + #include + + #include "cms_common.h" ++#include "oid.h" + #include "util.h" + + typedef struct { +@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle) + } + + static int +-add_extended_key_usage(cms_context *cms, void *extHandle) ++add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle) + { +- SECItem value = { +- .data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01" +- "\x05\x05\x07\x03\x03", +- .len = 12, +- .type = siBuffer +- }; ++ SECItem values[2]; ++ SECItem wrapped = { 0 }; ++ SECStatus status; ++ SECOidTag tag; ++ int rc; ++ ++ if (modsign_only < 1 || modsign_only > 2) ++ cmsreterr(-1, cms, "could not encode extended key usage"); + ++ rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN); ++ if (rc < 0) ++ cmsreterr(-1, cms, "could not encode extended key usage"); ++ ++ tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY); ++ printf("tag: %d\n", tag); ++ rc = make_eku_oid(cms, &values[1], tag); ++ if (rc < 0) ++ cmsreterr(-1, cms, "could not encode extended key usage"); ++ ++ rc = wrap_in_seq(cms, &wrapped, values, modsign_only); ++ if (rc < 0) ++ cmsreterr(-1, cms, "could not encode extended key usage"); + +- SECStatus status; + + status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, +- &value, PR_FALSE, PR_TRUE); ++ &wrapped, PR_FALSE, PR_TRUE); + if (status != SECSuccess) + cmsreterr(-1, cms, "could not encode extended key usage"); + +@@ -294,7 +309,7 @@ static int + add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq, + int is_ca, int is_self_signed, SECKEYPublicKey *pubkey, + SECKEYPublicKey *spubkey, +- char *url) ++ char *url, int modsign_only) + { + void *mark = PORT_ArenaMark(cms->arena); + +@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq, + if (rc < 0) + cmsreterr(-1, cms, "could not generate certificate extensions"); + +- rc = add_extended_key_usage(cms, extHandle); ++ rc = add_extended_key_usage(cms, modsign_only, extHandle); + if (rc < 0) + cmsreterr(-1, cms, "could not generate certificate extensions"); + +@@ -469,6 +484,7 @@ int main(int argc, char *argv[]) + { + int is_ca = 0; + int is_self_signed = -1; ++ int modsign_only = 0; + char *tokenname = "NSS Certificate DB"; + char *signer = NULL; + char *nickname = NULL; +@@ -522,6 +538,18 @@ int main(int argc, char *argv[]) + .descrip = "Generate a self-signed certificate" }, + + /* stuff about the generated key */ ++ {.longName = "kernel", ++ .shortName = 'k', ++ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR, ++ .arg = &modsign_only, ++ .val = 1, ++ .descrip = "Generate a kernel-signing certificate" }, ++ {.longName = "module", ++ .shortName = 'm', ++ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR, ++ .arg = &modsign_only, ++ .val = 2, ++ .descrip = "Generate a module-signing certificate" }, + {.longName = "nickname", + .shortName = 'n', + .argInfo = POPT_ARG_STRING, +@@ -628,6 +656,9 @@ int main(int argc, char *argv[]) + liberr(1, "could not allocate cms context"); + } + ++ if (modsign_only < 1 || modsign_only > 2) ++ errx(1, "either --kernel or --module must be used"); ++ + SECStatus status = NSS_InitReadWrite(dbdir); + if (status != SECSuccess) + nsserr(1, "could not initialize NSS"); +@@ -639,6 +670,10 @@ int main(int argc, char *argv[]) + SECKEYPublicKey *pubkey = NULL; + SECKEYPrivateKey *privkey = NULL; + ++ status = register_oids(cms); ++ if (status != SECSuccess) ++ nsserr(1, "Could not register OIDs"); ++ + PK11SlotInfo *slot = NULL; + if (pubfile) { + rc = get_pubkey_from_file(pubfile, &pubkey); +@@ -713,7 +748,7 @@ int main(int argc, char *argv[]) + crq = CERT_CreateCertificateRequest(name, spki, &attributes); + + rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey, +- spubkey, url); ++ spubkey, url, modsign_only); + if (rc < 0) + exit(1); + +-- +2.13.4 + diff --git a/SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch b/SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch new file mode 100644 index 0000000..acebc3a --- /dev/null +++ b/SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch @@ -0,0 +1,121 @@ +From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 25 Apr 2017 16:25:02 -0400 +Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable + validation time. + +Signed-off-by: Peter Jones +--- + src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 66 insertions(+), 9 deletions(-) + +diff --git a/src/certdb.c b/src/certdb.c +index b7c99bb..1a4baf1 100644 +--- a/src/certdb.c ++++ b/src/certdb.c +@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx) + return check_db(which, ctx, check_hash, NULL, 0); + } + +-static PRTime +-determine_reasonable_time(CERTCertificate *cert) ++static void ++find_cert_times(SEC_PKCS7ContentInfo *cinfo, ++ PRTime *notBefore, PRTime *notAfter) + { +- PRTime notBefore, notAfter; +- CERT_GetCertTimes(cert, ¬Before, ¬After); +- return notBefore; ++ CERTCertDBHandle *defaultdb, *certdb; ++ SEC_PKCS7SignedData *sdp; ++ CERTCertificate **certs = NULL; ++ SECItem **rawcerts; ++ int i, certcount; ++ SECStatus rv; ++ ++ if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) { ++err: ++ *notBefore = 0; ++ *notAfter = 0x7fffffffffffffff; ++ return; ++ } ++ ++ sdp = cinfo->content.signedData; ++ rawcerts = sdp->rawCerts; ++ ++ defaultdb = CERT_GetDefaultCertDB(); ++ ++ certdb = defaultdb; ++ if (certdb == NULL) ++ goto err; ++ ++ certcount = 0; ++ if (rawcerts != NULL) { ++ for (; rawcerts[certcount] != NULL; certcount++) ++ ; ++ } ++ rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount, ++ rawcerts, &certs, PR_FALSE, PR_FALSE, NULL); ++ if (rv != SECSuccess) ++ goto err; ++ ++ for (i = 0; i < certcount; i++) { ++ PRTime nb = 0, na = 0x7fffffffffff; ++ CERT_GetCertTimes(certs[i], &nb, &na); ++ if (*notBefore < nb) ++ *notBefore = nb; ++ if (*notAfter > na) ++ *notAfter = na; ++ } ++ ++ CERT_DestroyCertArray(certs, certcount); + } + + static db_status +@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, + PRBool result; + SECStatus rv; + db_status status = NOT_FOUND; ++ PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff; ++ PRTime notBefore = 0, notAfter = 0x7fffffffffffffff; + + efi_guid_t efi_x509 = efi_guid_x509_cert; + +@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, + } + cert->timeOK = PR_TRUE; + ++ find_cert_times(cinfo, ¬Before, ¬After); ++ if (earlyNow < notBefore) ++ earlyNow = notBefore; ++ if (lateNow > notAfter) ++ lateNow = notAfter; ++ + SECItem *eTime; + PRTime atTime; + // atTime = determine_reasonable_time(cert); + eTime = SEC_PKCS7GetSigningTime(cinfo); + if (eTime != NULL) { +- if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess) +- atTime = determine_reasonable_time(cert); +- } else { +- atTime = determine_reasonable_time(cert); ++ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) { ++ if (earlyNow < atTime) ++ earlyNow = atTime; ++ if (lateNow > atTime) ++ lateNow = atTime; ++ } + } ++ ++ if (lateNow < earlyNow) ++ printf("Impossible time constraints: %ld <= %ld\n", ++ earlyNow / 1000000, lateNow / 1000000); ++ atTime = earlyNow / 2 + lateNow / 2; ++ + /* Verify the signature */ + result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo, + certUsageObjectSigner, +-- +2.13.4 + diff --git a/SOURCES/0018-show-which-db-we-re-checking.patch b/SOURCES/0018-show-which-db-we-re-checking.patch new file mode 100644 index 0000000..2b92f83 --- /dev/null +++ b/SOURCES/0018-show-which-db-we-re-checking.patch @@ -0,0 +1,137 @@ +From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 25 Apr 2017 16:58:50 -0400 +Subject: [PATCH 18/29] show which db we're checking + +--- + src/certdb.c | 35 ++++++++++++++++++++++++++++++++++- + src/pesigcheck_context.c | 2 ++ + src/pesigcheck_context.h | 1 + + 3 files changed, 37 insertions(+), 1 deletion(-) + +diff --git a/src/certdb.c b/src/certdb.c +index 1a4baf1..673e074 100644 +--- a/src/certdb.c ++++ b/src/certdb.c +@@ -18,6 +18,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile, + return -1; + + db->type = type; +- + db->fd = open(dbfile, O_RDONLY); + if (db->fd < 0) { + save_errno(free(db)); + return -1; + } + ++ char *path = strdup(dbfile); ++ if (!path) { ++ save_errno(close(db->fd); ++ free(db)); ++ return -1; ++ } ++ ++ db->path = basename(path); ++ db->path = strdup(db->path); ++ free(path); ++ if (!db->path) { ++ save_errno(close(db->fd); ++ free(db)); ++ return -1; ++ } ++ + struct stat sb; + int rc = fstat(db->fd, &sb); + if (rc < 0) { + save_errno(close(db->fd); ++ free(db->path); + free(db)); + return -1; + } +@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile, + rc = read_file(db->fd, (char **)&db->map, &sz); + if (rc < 0) { + save_errno(close(db->fd); ++ free(db->path); + free(db)); + return -1; + } +@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename) + #define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f" + #define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23" + #define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f" ++#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23" + + void + init_cert_db(pesigcheck_context *ctx, int use_system_dbs) +@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs) + "database \"%s\": %m\n", DBX_PATH); + exit(1); + } ++ ++ rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR); ++ if (rc < 0 && errno != ENOENT) { ++ fprintf(stderr, "pesigcheck: Could not add key database " ++ "\"%s\": %m\n", MOKX_PATH); ++ exit(1); ++ } ++ ++ if (ctx->dbx == NULL) { ++ fprintf(stderr, "pesigcheck: warning: " ++ "No key recovation database available\n"); ++ } + } + + typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig, +@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check, + sig.type = siBuffer; + + while (dbl) { ++ printf("Searching %s %s\n", which == DB ? "db" : "dbx", ++ dbl->path); + EFI_SIGNATURE_LIST *certlist; + EFI_SIGNATURE_DATA *cert; + size_t dbsize = dbl->datalen; +diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c +index b934cbe..5a355b1 100644 +--- a/src/pesigcheck_context.c ++++ b/src/pesigcheck_context.c +@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx) + munmap(db->map, db->size); + close(db->fd); + ctx->db = db->next; ++ free(db->path); + free(db); + } + while (ctx->dbx) { +@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx) + if (db->type == DB_CERT) + free(db->data); + munmap(db->map, db->size); ++ free(db->path); + close(db->fd); + ctx->dbx = db->next; + free(db); +diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h +index 1b916e3..7b5cc89 100644 +--- a/src/pesigcheck_context.h ++++ b/src/pesigcheck_context.h +@@ -34,6 +34,7 @@ typedef enum { + + struct dblist { + db_f_type type; ++ char *path; + int fd; + struct dblist *next; + size_t size; +-- +2.13.4 + diff --git a/SOURCES/0019-more-about-the-time.patch b/SOURCES/0019-more-about-the-time.patch new file mode 100644 index 0000000..2570bf8 --- /dev/null +++ b/SOURCES/0019-more-about-the-time.patch @@ -0,0 +1,97 @@ +From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 25 Apr 2017 17:00:46 -0400 +Subject: [PATCH 19/29] more about the time + +--- + src/certdb.c | 59 +++++++++++++++++++++++++++++++++-------------------------- + 1 file changed, 33 insertions(+), 26 deletions(-) + +diff --git a/src/certdb.c b/src/certdb.c +index 673e074..1078a8a 100644 +--- a/src/certdb.c ++++ b/src/certdb.c +@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, + PRBool result; + SECStatus rv; + db_status status = NOT_FOUND; ++ PRTime atTime = PR_Now(); ++ SECItem *eTime; + PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff; +- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff; ++ PRTime notBefore, notAfter; + + efi_guid_t efi_x509 = efi_guid_x509_cert; + +@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, + if (!cinfo) + goto out; + ++ notBefore = earlyNow; ++ notAfter = lateNow; ++ find_cert_times(cinfo, ¬Before, ¬After); ++ if (earlyNow < notBefore) ++ earlyNow = notBefore; ++ if (lateNow > notAfter) ++ lateNow = notAfter; ++ ++ // atTime = determine_reasonable_time(cert); ++ eTime = SEC_PKCS7GetSigningTime(cinfo); ++ if (eTime != NULL) { ++ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) { ++ if (earlyNow < atTime) ++ earlyNow = atTime; ++ if (lateNow > atTime) ++ lateNow = atTime; ++ } ++ } ++ ++ if (lateNow < earlyNow) ++ printf("Signature has impossible time constraint: %ld <= %ld\n", ++ earlyNow / 1000000, lateNow / 1000000); ++ atTime = earlyNow / 2 + lateNow / 2; ++ ++ ++ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL, ++ NULL, NULL); ++ if (!cinfo) ++ goto out; ++ + /* Generate the digest of contentInfo */ + /* XXX support only sha256 for now */ + digest = SECITEM_AllocItem(NULL, NULL, 32); +@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, + PORT_ErrorToString(PORT_GetError())); + goto out; + } +- cert->timeOK = PR_TRUE; +- +- find_cert_times(cinfo, ¬Before, ¬After); +- if (earlyNow < notBefore) +- earlyNow = notBefore; +- if (lateNow > notAfter) +- lateNow = notAfter; +- +- SECItem *eTime; +- PRTime atTime; +- // atTime = determine_reasonable_time(cert); +- eTime = SEC_PKCS7GetSigningTime(cinfo); +- if (eTime != NULL) { +- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) { +- if (earlyNow < atTime) +- earlyNow = atTime; +- if (lateNow > atTime) +- lateNow = atTime; +- } +- } +- +- if (lateNow < earlyNow) +- printf("Impossible time constraints: %ld <= %ld\n", +- earlyNow / 1000000, lateNow / 1000000); +- atTime = earlyNow / 2 + lateNow / 2; + + /* Verify the signature */ + result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo, +-- +2.13.4 + diff --git a/SOURCES/0020-try-to-say-why-something-fails.patch b/SOURCES/0020-try-to-say-why-something-fails.patch new file mode 100644 index 0000000..96bdd60 --- /dev/null +++ b/SOURCES/0020-try-to-say-why-something-fails.patch @@ -0,0 +1,419 @@ +From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 25 Apr 2017 17:01:13 -0400 +Subject: [PATCH 20/29] try to say why something fails + +Signed-off-by: Peter Jones +--- + src/certdb.c | 15 ++- + src/certdb.h | 2 +- + src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++----- + src/pesigcheck_context.h | 1 + + 4 files changed, 233 insertions(+), 29 deletions(-) + +diff --git a/src/certdb.c b/src/certdb.c +index 1078a8a..fae80af 100644 +--- a/src/certdb.c ++++ b/src/certdb.c +@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig, + + static db_status + check_db(db_specifier which, pesigcheck_context *ctx, checkfn check, +- void *data, ssize_t datalen) ++ void *data, ssize_t datalen, SECItem *match) + { + SECItem pkcs7sig, sig; + dblist *dbl = which == DB ? ctx->db : ctx->dbx; +@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check, + found = check(ctx, &sig, + &certlist->SignatureType, + &pkcs7sig); +- if (found == FOUND) ++ if (found == FOUND) { ++ if (match) ++ memcpy(match, &sig, ++ sizeof(sig)); + return FOUND; ++ } + cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert + + certlist->SignatureSize); + } +@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, + db_status + check_db_hash(db_specifier which, pesigcheck_context *ctx) + { +- return check_db(which, ctx, check_hash, NULL, 0); ++ return check_db(which, ctx, check_hash, NULL, 0, NULL); + } + + static void +@@ -459,7 +463,8 @@ out: + } + + db_status +-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen) ++check_db_cert(db_specifier which, pesigcheck_context *ctx, ++ void *data, ssize_t datalen, SECItem *match) + { +- return check_db(which, ctx, check_cert, data, datalen); ++ return check_db(which, ctx, check_cert, data, datalen, match); + } +diff --git a/src/certdb.h b/src/certdb.h +index ccf3c87..8402299 100644 +--- a/src/certdb.h ++++ b/src/certdb.h +@@ -43,7 +43,7 @@ typedef struct { + + extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx); + extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx, +- void *data, ssize_t datalen); ++ void *data, ssize_t datalen, SECItem *match); + + extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs); + extern int add_cert_db(pesigcheck_context *ctx, const char *filename); +diff --git a/src/pesigcheck.c b/src/pesigcheck.c +index d7be542..c8e1086 100644 +--- a/src/pesigcheck.c ++++ b/src/pesigcheck.c +@@ -17,7 +17,9 @@ + * Author(s): Peter Jones + */ + ++#include + #include ++#include + #include + #include + #include +@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx) + } + + static int +-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen) ++cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen, ++ SECItem *digest_out) + { + SECItem sig, *pe_digest, *content; + uint8_t *digest; +@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen) + pe_digest = ctx->cms_ctx->digests[0].pe_digest; + content = cinfo->content.signedData->contentInfo.content.data; + digest = content->data + content->len - pe_digest->len; ++ if (digest_out) { ++ digest_out->data = malloc(pe_digest->len); ++ digest_out->len = pe_digest->len; ++ digest_out->type = pe_digest->type; ++ memcpy(digest_out->data, digest, pe_digest->len); ++ } + if (memcmp(pe_digest->data, digest, pe_digest->len) != 0) + goto out; + +@@ -120,22 +129,149 @@ out: + return ret; + } + ++struct reason { ++ enum { ++ WHITELISTED = 0, ++ INVALID = 1, ++ BLACKLISTED = 2, ++ NO_WHITELIST = 3, ++ } reason; ++ enum { ++ NONE = 0, ++ DIGEST = 1, ++ SIGNATURE = 2, ++ } type; ++ union { ++ struct { ++ SECItem digest; ++ }; ++ struct { ++ SECItem sig; ++ SECItem db_cert; ++ }; ++ }; ++}; ++ ++static void ++print_digest(SECItem *digest) ++{ ++ char buf[digest->len * 2 + 2]; ++ ++ for (unsigned int i = 0; i < digest->len; i++) ++ snprintf(buf + i * 2, digest->len * 2, "%02x", ++ digest->data[i]); ++ buf[digest->len * 2] = '\0'; ++ printf("%s\n", buf); ++} ++ ++static void ++print_certificate(SECItem *cert) ++{ ++ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__); ++ printf("cert: %p\n", cert); ++} ++ ++static void ++print_signatures(SECItem *database_cert, SECItem *signature) ++{ ++ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__); ++ print_certificate(database_cert); ++ print_certificate(signature); ++} ++ ++static void ++print_reason(struct reason *reason) ++{ ++ switch (reason->reason) { ++ case WHITELISTED: ++ printf("Whitelist entry: "); ++ if (reason->type == DIGEST) ++ print_digest(&reason->digest); ++ else if (reason->type == SIGNATURE) ++ print_signatures(&reason->sig, &reason->db_cert); ++ else ++ errx(1, "Unknown data type %d\n", reason->type); ++ break; ++ case INVALID: ++ if (reason->type == DIGEST) { ++ printf("Invalid digest: "); ++ print_digest(&reason->digest); ++ } else if (reason->type == SIGNATURE) { ++ printf("Invalid signature: "); ++ print_signatures(&reason->sig, &reason->db_cert); ++ } else { ++ errx(1, "Unknown data type %d\n", reason->type); ++ } ++ break; ++ case BLACKLISTED: ++ if (reason->type == DIGEST) { ++ printf("Invalid digest: "); ++ print_digest(&reason->digest); ++ } else if (reason->type == SIGNATURE) { ++ printf("Invalid signature: "); ++ print_signatures(&reason->sig, &reason->db_cert); ++ } else { ++ errx(1, "Unknown data type %d\n", reason->type); ++ } ++ break; ++ case NO_WHITELIST: ++ if (reason->type == NONE) ++ printf("No matching whitelist entry.\n"); ++ else ++ errx(1, "Invalid data type %d\n", reason->type); ++ break; ++ default: ++ errx(1, "Unknown reason type %d\n", reason->reason); ++ break; ++ } ++} ++ ++static void ++get_digest(pesigcheck_context *ctx, SECItem *digest) ++{ ++ struct cms_context *cms = ctx->cms_ctx; ++ struct digest *cms_digest = &cms->digests[cms->selected_digest]; ++ ++ memcpy(digest, cms_digest->pe_digest, sizeof (*digest)); ++} ++ + static int +-check_signature(pesigcheck_context *ctx) ++check_signature(pesigcheck_context *ctx, int *nreasons, ++ struct reason **reasons) + { +- int has_valid_cert = 0; +- int has_invalid_cert = 0; ++ bool has_valid_cert = false; ++ bool is_invalid = false; ++ struct reason *reasonps = NULL, *reason; ++ int num_reasons = 16; ++ int nreason = 0; + int rc = 0; ++ int ret = -1; + + cert_iter iter; + ++ reasonps = calloc(sizeof(struct reason), 512); ++ if (!reasonps) ++ err(1, "check_signature"); ++ + generate_digest(ctx->cms_ctx, ctx->inpe, 1); + +- if (check_db_hash(DBX, ctx) == FOUND) +- return -1; ++ if (check_db_hash(DBX, ctx) == FOUND) { ++ reason = &reasonps[nreason]; ++ reason->reason = BLACKLISTED; ++ reason->type = DIGEST; ++ get_digest(ctx, &reason->digest); ++ reason += 1; ++ is_invalid = true; ++ } + +- if (check_db_hash(DB, ctx) == FOUND) +- has_valid_cert = 1; ++ if (check_db_hash(DB, ctx) == FOUND) { ++ reason = &reasonps[nreason]; ++ reason->reason = WHITELISTED; ++ reason->type = DIGEST; ++ get_digest(ctx, &reason->digest); ++ nreason += 1; ++ has_valid_cert = true; ++ } + + rc = cert_iter_init(&iter, ctx->inpe); + if (rc < 0) +@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx) + ssize_t datalen; + + while (1) { ++ /* ++ * Make sure we always have enough for this iteration of the ++ * loop, plus one "NO_WHITELIST" entry at the end. ++ */ ++ if (nreason >= num_reasons - 4) { ++ struct reason *new_reasons; ++ ++ num_reasons += 16; ++ ++ new_reasons = calloc(sizeof(struct reason), num_reasons); ++ if (!new_reasons) ++ err(1, "check_signature"); ++ reasonps = new_reasons; ++ } ++ + rc = next_cert(&iter, &data, &datalen); + if (rc <= 0) + break; + +- if (cert_matches_digest(ctx, data, datalen) < 0) { +- has_invalid_cert = 1; +- break; ++ reason = &reasonps[nreason]; ++ if (cert_matches_digest(ctx, data, datalen, ++ &reason->digest) < 0) { ++ reason->reason = INVALID; ++ reason->type = DIGEST; ++ nreason += 1; ++ is_invalid = true; + } + +- if (check_db_cert(DBX, ctx, data, datalen) == FOUND) { +- has_invalid_cert = 1; +- break; ++ reason = &reasonps[nreason]; ++ if (check_db_cert(DBX, ctx, data, datalen, ++ &reason->db_cert) == FOUND) { ++ reason->reason = INVALID; ++ reason->type = SIGNATURE; ++ reason->sig.data = data; ++ reason->sig.len = datalen; ++ reason->type = siBuffer; ++ nreason += 1; ++ is_invalid = true; + } + +- if (check_db_cert(DB, ctx, data, datalen) == FOUND) +- has_valid_cert = 1; ++ reason = &reasonps[nreason]; ++ if (check_db_cert(DB, ctx, data, datalen, ++ &reason->db_cert) == FOUND) { ++ reason->reason = WHITELISTED; ++ reason->type = SIGNATURE; ++ reason->sig.data = data; ++ reason->sig.len = datalen; ++ reason->type = siBuffer; ++ nreason += 1; ++ has_valid_cert = true; ++ } + } + + err: +- if (has_invalid_cert) +- return -1; ++ if (has_valid_cert != true) { ++ if (is_invalid != true) { ++ reason = &reasonps[nreason]; ++ reason->reason = NO_WHITELIST; ++ reason->type = NONE; ++ nreason += 1; ++ } ++ is_invalid = true; ++ } + +- if (has_valid_cert) +- return 0; ++ if (is_invalid == false) ++ ret = 0; + +- return -1; ++ if (nreasons && reasons) { ++ *nreasons = nreason; ++ *reasons = reasonps; ++ } else { ++ free(reasonps); ++ } ++ ++ return ret; + } + + void +@@ -204,6 +389,9 @@ main(int argc, char *argv[]) + + pesigcheck_context ctx, *ctxp = &ctx; + ++ struct reason *reasons = NULL; ++ int nreasons = 0; ++ + char *dbfile = NULL; + char *dbxfile = NULL; + char *certfile = NULL; +@@ -242,6 +430,12 @@ main(int argc, char *argv[]) + .arg = &ctx.quiet, + .val = 1, + .descrip = "return only; no text output." }, ++ {.longName = "verbose", ++ .shortName = 'v', ++ .argInfo = POPT_BIT_SET, ++ .arg = &ctx.verbose, ++ .val = 1, ++ .descrip = "print reasons for success and failure." }, + {.longName = "no-system-db", + .shortName = 'n', + .argInfo = POPT_ARG_INT, +@@ -308,12 +502,16 @@ main(int argc, char *argv[]) + exit(1); + } + +- rc = check_signature(ctxp); ++ rc = check_signature(ctxp, &nreasons, &reasons); + +- close_input(ctxp); ++ if (!ctx.quiet && ctx.verbose) { ++ for (int i = 0; i < nreasons; i++) ++ print_reason(&reasons[i]); ++ } + if (!ctx.quiet) + printf("pesigcheck: \"%s\" is %s.\n", ctx.infile, + rc >= 0 ? "valid" : "invalid"); ++ close_input(ctxp); + pesigcheck_context_fini(&ctx); + + NSS_Shutdown(); +diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h +index 7b5cc89..aec415e 100644 +--- a/src/pesigcheck_context.h ++++ b/src/pesigcheck_context.h +@@ -61,6 +61,7 @@ typedef struct pesigcheck_context { + Pe *inpe; + + int quiet; ++ int verbose; + + hashlist *hashes; + +-- +2.13.4 + diff --git a/SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch b/SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch new file mode 100644 index 0000000..3088923 --- /dev/null +++ b/SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch @@ -0,0 +1,34 @@ +From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001 +From: Julien Cristau +Date: Sat, 6 May 2017 22:45:34 +0200 +Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword + +A side effect of echoOff is to discard unread input, so if we print the +prompt before echoOff, the user (or process) at the other end might +react to it by writing the password in between those steps, which is +then discarded. This bit me when trying to drive pesign with an expect +script. + +Signed-off-by: Julien Cristau +--- + src/password.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/password.c b/src/password.c +index cd1c07e..d4eae0d 100644 +--- a/src/password.c ++++ b/src/password.c +@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt, + for (;;) { + /* Prompt for password */ + if (isTTY) { ++ echoOff(infd); + fprintf(output, "%s", prompt); + fflush (output); +- echoOff(infd); + } + + fgets ( phrase, sizeof(phrase), input); +-- +2.13.4 + diff --git a/SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch b/SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch new file mode 100644 index 0000000..06980ee --- /dev/null +++ b/SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch @@ -0,0 +1,27 @@ +From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001 +From: David Michael +Date: Tue, 13 Jun 2017 13:20:16 -0700 +Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime + +This better supports non-systemd configurations with tmpfs on /run. +--- + src/pesign.sysvinit.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in +index d8fffca..dc508d8 100644 +--- a/src/pesign.sysvinit.in ++++ b/src/pesign.sysvinit.in +@@ -20,6 +20,9 @@ RETVAL=0 + + start(){ + echo -n "Starting pesign: " ++ mkdir /var/run/pesign 2>/dev/null && ++ chown pesign:pesign /var/run/pesign && ++ chmod 0770 /var/run/pesign + daemon /usr/bin/pesign --daemonize + RETVAL=$? + echo +-- +2.13.4 + diff --git a/SOURCES/0023-Better-authorization-scripts.-Again.patch b/SOURCES/0023-Better-authorization-scripts.-Again.patch new file mode 100644 index 0000000..c778c94 --- /dev/null +++ b/SOURCES/0023-Better-authorization-scripts.-Again.patch @@ -0,0 +1,217 @@ +From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 8 Aug 2017 15:44:44 -0400 +Subject: [PATCH 23/29] Better authorization scripts. Again. + +Signed-off-by: Peter Jones +--- + src/Makefile | 12 ++++++---- + src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++ + src/pesign-authorize-groups | 30 ------------------------ + src/pesign-authorize-users | 30 ------------------------ + src/pesign.service.in | 3 +-- + src/pesign.sysvinit.in | 3 +-- + 6 files changed, 65 insertions(+), 69 deletions(-) + create mode 100755 src/pesign-authorize + delete mode 100644 src/pesign-authorize-groups + delete mode 100644 src/pesign-authorize-users + +diff --git a/src/Makefile b/src/Makefile +index 654b792..84ad130 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults + + BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign + SVCTARGETS=pesign.sysvinit pesign.service +-TARGETS=$(BINTARGETS) $(SVCTARGETS) ++TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups + + all : deps $(TARGETS) + +@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit + $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ + $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign + ++pesign-users pesign-groups : ++ echo pesign > $@ ++ + install : + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ +@@ -88,10 +91,9 @@ install : + $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ + $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ +- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/ +- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/ ++ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign +- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users +- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups ++ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users ++ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups + + .PHONY: all deps clean install +diff --git a/src/pesign-authorize b/src/pesign-authorize +new file mode 100755 +index 0000000..a496f60 +--- /dev/null ++++ b/src/pesign-authorize +@@ -0,0 +1,56 @@ ++#!/bin/bash ++set -e ++set -u ++ ++# ++# With /run/pesign/socket on tmpfs, a simple way of restoring the ++# acls for specific users is useful ++# ++# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 ++# ++ ++# License: GPLv2 ++declare -a fileusers=() ++declare -a dirusers=() ++for user in $(cat /etc/pesign/users); do ++ dirusers[${#dirusers[@]}]=-m ++ dirusers[${#dirusers[@]}]="u:$user:rwx" ++ fileusers[${#fileusers[@]}]=-m ++ fileusers[${#fileusers[@]}]="u:$user:rw" ++done ++ ++declare -a filegroups=() ++declare -a dirgroups=() ++for group in $(cat /etc/pesign/groups); do ++ dirgroups[${#dirgroups[@]}]=-m ++ dirgroups[${#dirgroups[@]}]="g:$group:rwx" ++ filegroups[${#filegroups[@]}]=-m ++ filegroups[${#filegroups[@]}]="g:$group:rw" ++done ++ ++update_subdir() { ++ subdir=$1 && shift ++ ++ setfacl -bk "${subdir}" ++ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}" ++ for x in "${subdir}"* ; do ++ if [ -d "${x}" ]; then ++ setfacl -bk ${x} ++ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x} ++ update_subdir "${x}/" ++ elif [ -e "${x}" ]; then ++ setfacl -bk ${x} ++ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x} ++ else ++ :; ++ fi ++ done ++} ++ ++for x in /var/run/pesign/ /etc/pki/pesign*/ ; do ++ if [ -d "${x}" ]; then ++ update_subdir "${x}" ++ else ++ :; ++ fi ++done +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +deleted file mode 100644 +index cf51fb6..0000000 +--- a/src/pesign-authorize-groups ++++ /dev/null +@@ -1,30 +0,0 @@ +-#!/bin/bash +-set -e +- +-# +-# With /run/pesign/socket on tmpfs, a simple way of restoring the +-# acls for specific groups is useful +-# +-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 +-# +- +-# License: GPLv2 +- +-if [ -r /etc/pesign/groups ]; then +- for group in $(cat /etc/pesign/groups); do +- if [ -d /var/run/pesign ]; then +- setfacl -m g:${group}:rx /var/run/pesign +- if [ -e /var/run/pesign/socket ]; then +- setfacl -m g:${group}:rw /var/run/pesign/socket +- fi +- fi +- for x in /etc/pki/pesign*/ ; do +- if [ -d ${x} ]; then +- setfacl -m g:${group}:rx ${x} +- for y in ${x}{cert8,key3,secmod}.db ; do +- setfacl -m g:${group}:rw ${y} +- done +- fi +- done +- done +-fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +deleted file mode 100644 +index 940138e..0000000 +--- a/src/pesign-authorize-users ++++ /dev/null +@@ -1,30 +0,0 @@ +-#!/bin/bash +-set -e +- +-# +-# With /run/pesign/socket on tmpfs, a simple way of restoring the +-# acls for specific users is useful +-# +-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 +-# +- +-# License: GPLv2 +- +-if [ -r /etc/pesign/users ]; then +- for username in $(cat /etc/pesign/users); do +- if [ -d /var/run/pesign ]; then +- setfacl -m g:${username}:rx /var/run/pesign +- if [ -e /var/run/pesign/socket ]; then +- setfacl -m g:${username}:rw /var/run/pesign/socket +- fi +- fi +- for x in /etc/pki/pesign*/ ; do +- if [ -d ${x} ]; then +- setfacl -m g:${username}:rx ${x} +- for y in ${x}{cert8,key3,secmod}.db ; do +- setfacl -m g:${username}:rw ${y} +- done +- fi +- done +- done +-fi +diff --git a/src/pesign.service.in b/src/pesign.service.in +index aaa408e..c75a000 100644 +--- a/src/pesign.service.in ++++ b/src/pesign.service.in +@@ -6,5 +6,4 @@ PrivateTmp=true + Type=forking + PIDFile=/var/run/pesign.pid + ExecStart=/usr/bin/pesign --daemonize +-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users +-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups ++ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize +diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in +index dc508d8..b0e0f84 100644 +--- a/src/pesign.sysvinit.in ++++ b/src/pesign.sysvinit.in +@@ -27,8 +27,7 @@ start(){ + RETVAL=$? + echo + touch /var/lock/subsys/pesign +- @@LIBEXECDIR@@/pesign/pesign-authorize-users +- @@LIBEXECDIR@@/pesign/pesign-authorize-groups ++ @@LIBEXECDIR@@/pesign/pesign-authorize + } + + stop(){ +-- +2.13.4 + diff --git a/SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch b/SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch new file mode 100644 index 0000000..8f4a380 --- /dev/null +++ b/SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch @@ -0,0 +1,95 @@ +From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 8 Aug 2017 17:28:19 -0400 +Subject: [PATCH 24/29] Make the daemon also try to give better errors on + -EPERM etc. + +Basically 6796e5f but also for the daemon. This also tries to fix them +up to save errno better, for more accurate reporting. + +Signed-off-by: Peter Jones +--- + src/daemon.c | 27 +++++++++++++++++++++++++-- + src/pesign.c | 8 ++++++-- + 2 files changed, 31 insertions(+), 4 deletions(-) + +diff --git a/src/daemon.c b/src/daemon.c +index 7f694b2..942d576 100644 +--- a/src/daemon.c ++++ b/src/daemon.c +@@ -19,6 +19,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork) + "pesignd starting (pid %d)", ctx.pid); + + SECStatus status = NSS_Init(certdir); ++ int error = errno; + if (status != SECSuccess) { ++ char *globpattern = NULL; ++ rc = asprintf(&globpattern, "%s/cert*.db", ++ certdir); ++ if (rc > 0) { ++ glob_t globbuf; ++ memset(&globbuf, 0, sizeof(globbuf)); ++ rc = glob(globpattern, GLOB_ERR, NULL, ++ &globbuf); ++ if (rc != 0) { ++ errno = error; ++ ctx.backup_cms->log(ctx.backup_cms, ++ ctx.priority|LOG_NOTICE, ++ "Could not open NSS database (\"%s\"): %m", ++ PORT_ErrorToString(PORT_GetError())); ++ exit(1); ++ } ++ } ++ } ++ if (status != SECSuccess) { ++ errno = error; + ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE, +- "Could not initialize nss: %s\n", +- PORT_ErrorToString(PORT_GetError())); ++ "Could not initialize nss.\n" ++ "NSS says \"%s\" errno says \"%m\"\n", ++ PORT_ErrorToString(PORT_GetError())); + exit(1); + } + +diff --git a/src/pesign.c b/src/pesign.c +index 5879cfc..6ceda34 100644 +--- a/src/pesign.c ++++ b/src/pesign.c +@@ -660,10 +660,12 @@ main(int argc, char *argv[]) + + if (!daemon) { + SECStatus status; ++ int error; + if (need_db) { + status = NSS_Init(certdir); + if (status != SECSuccess) { + char *globpattern = NULL; ++ error = errno; + rc = asprintf(&globpattern, "%s/cert*.db", + certdir); + if (rc > 0) { +@@ -680,8 +682,10 @@ main(int argc, char *argv[]) + } else + status = NSS_NoDB_Init(NULL); + if (status != SECSuccess) { +- errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n", +- PORT_ErrorToString(PORT_GetError())); ++ errno = error; ++ errx(1, "Could not initialize nss.\n" ++ "NSS says \"%s\" errno says \"%m\"\n", ++ PORT_ErrorToString(PORT_GetError())); + } + + status = register_oids(ctxp->cms_ctx); +-- +2.13.4 + diff --git a/SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch b/SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch new file mode 100644 index 0000000..0fc2ad8 --- /dev/null +++ b/SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch @@ -0,0 +1,31 @@ +From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 9 Aug 2017 17:40:33 -0400 +Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686 + +Signed-off-by: Peter Jones +--- + src/certdb.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/certdb.c b/src/certdb.c +index fae80af..29c9502 100644 +--- a/src/certdb.c ++++ b/src/certdb.c +@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, + } + + if (lateNow < earlyNow) +- printf("Signature has impossible time constraint: %ld <= %ld\n", +- earlyNow / 1000000, lateNow / 1000000); ++ printf("Signature has impossible time constraint: %lld <= %lld\n", ++ earlyNow / 1000000LL, lateNow / 1000000LL); + atTime = earlyNow / 2 + lateNow / 2; + +- + cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL, + NULL, NULL); + if (!cinfo) +-- +2.13.4 + diff --git a/SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch b/SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch new file mode 100644 index 0000000..928d62d --- /dev/null +++ b/SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch @@ -0,0 +1,41 @@ +From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 10 Aug 2017 10:02:38 -0400 +Subject: [PATCH 26/29] Clean up gcc command lines a little + +Signed-off-by: Peter Jones +--- + Make.defaults | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/Make.defaults b/Make.defaults +index 39b78f0..b6c0381 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -20,8 +20,7 @@ CROSS_COMPILE ?= $(bindir) + PKG_CONFIG = $(CROSS_COMPILE)pkg-config + CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC)) + CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD)) +-CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \ +- -Wall -Werror -Wextra -Wno-error=cpp ++CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp + AS := $(CROSS_COMPILE)as + AR := $(CROSS_COMPILE)gcc-ar + RANLIB := $(CROSS_COMPILE)gcc-ranlib +@@ -36,10 +35,10 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,) + + SOFLAGS = -shared + clang_cflags = +-gcc_cflags = -Wmaybe-uninitialized ++gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches + cflags = $(CFLAGS) $(ARCH3264) \ +- -Wall -Werror -Wno-cpp -Wsign-compare -Wno-unused-result \ +- -Wno-unused-function\ ++ -Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \ ++ -Wno-unused-function -Wsign-compare \ + -std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \ + -fno-merge-constants -fkeep-inline-functions \ + -D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \ +-- +2.13.4 + diff --git a/SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch b/SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch new file mode 100644 index 0000000..4131de3 --- /dev/null +++ b/SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch @@ -0,0 +1,54 @@ +From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 10 Aug 2017 10:03:37 -0400 +Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo. + +Signed-off-by: Peter Jones +--- + src/Makefile | 5 +---- + src/pesign-groups | 1 + + src/pesign-users | 1 + + 3 files changed, 3 insertions(+), 4 deletions(-) + create mode 100644 src/pesign-groups + create mode 100644 src/pesign-users + +diff --git a/src/Makefile b/src/Makefile +index 84ad130..7d68fa1 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults + + BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign + SVCTARGETS=pesign.sysvinit pesign.service +-TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups ++TARGETS=$(BINTARGETS) $(SVCTARGETS) + + all : deps $(TARGETS) + +@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit + $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ + $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign + +-pesign-users pesign-groups : +- echo pesign > $@ +- + install : + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ +diff --git a/src/pesign-groups b/src/pesign-groups +new file mode 100644 +index 0000000..7f57cc5 +--- /dev/null ++++ b/src/pesign-groups +@@ -0,0 +1 @@ ++pesign +diff --git a/src/pesign-users b/src/pesign-users +new file mode 100644 +index 0000000..7f57cc5 +--- /dev/null ++++ b/src/pesign-users +@@ -0,0 +1 @@ ++pesign +-- +2.13.4 + diff --git a/SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch b/SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch new file mode 100644 index 0000000..ad9da8d --- /dev/null +++ b/SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch @@ -0,0 +1,43 @@ +From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 9 Aug 2017 17:31:31 -0400 +Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values + unless overridden + +Signed-off-by: Peter Jones +--- + src/macros.pesign | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 69280e9..22a3ee6 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -9,6 +9,9 @@ + %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} + %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} + ++%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}} ++%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}} ++ + %_pesign /usr/bin/pesign + %_pesign_client /usr/bin/pesign-client + +@@ -41,11 +44,11 @@ + --certdir ${nss} -c signer %{-o} \ + rm -rf ${sattrs} ${sattrs}.sig ${nss} \ + elif [ -S /var/run/pesign/socket ]; then \ +- %{_pesign_client} -t %{__pesign_token} \\\ +- -c %{__pesign_cert} \\\ ++ %{_pesign_client} -t %{__pesign_client_token} \\\ ++ -c %{__pesign_client_cert} \\\ + %{-i} %{-o} %{-e} %{-s} %{-C} \ + else \ +- %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\ ++ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ + --certdir ${_pesign_nssdir} \\\ + %{-i} %{-o} %{-e} %{-s} %{-C} \ + fi \ +-- +2.13.4 + diff --git a/SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch b/SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch new file mode 100644 index 0000000..753afe8 --- /dev/null +++ b/SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch @@ -0,0 +1,39 @@ +From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 14 Aug 2017 11:37:43 -0400 +Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't + have perms on the socket + +--- + src/macros.pesign | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 22a3ee6..1665b4c 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -43,6 +43,21 @@ + %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ + --certdir ${nss} -c signer %{-o} \ + rm -rf ${sattrs} ${sattrs}.sig ${nss} \ ++ elif [ "%{vendor}" == "Fedora Project" -a \\\ ++ "$(id -un)" == "mockbuild" -a \\\ ++ "$(uname -m)" == "x86_64" ] && \\\ ++ grep -q ID=fedora /etc/os-release && \\\ ++ [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\ ++ ! [ -S /var/run/pesign/socket ]; then \ ++ echo "No socket even though this is %{_buildhost}" \ ++ ls -ld /var/run/pesign || : \ ++ getfacl /var/run/pesign || : \ ++ ls -l /var/run/pesign/socket || : \ ++ getfacl /var/run/pesign/socket || : \ ++ echo =========== env ============== \ ++ set \ ++ echo =========== env ============== \ ++ exit 1 \ + elif [ -S /var/run/pesign/socket ]; then \ + %{_pesign_client} -t %{__pesign_client_token} \\\ + -c %{__pesign_client_cert} \\\ +-- +2.13.4 + diff --git a/SOURCES/pesign.py b/SOURCES/pesign.py new file mode 100644 index 0000000..4ee59f8 --- /dev/null +++ b/SOURCES/pesign.py @@ -0,0 +1,91 @@ +#!/usr/bin/python3 +# +# Copyright 2017 Peter Jones +# +# Distributed under terms of the GPLv3 license. + +""" +mock plugin to make sure pesign and mockbuild users have the right uid and +gid. +""" + +from mockbuild.trace_decorator import getLog, traceLog +import mockbuild.util + +requires_api_version = "1.1" + +@traceLog() +def init(plugins, conf, buildroot): + """ hello """ + Pesign(plugins, conf, buildroot) + +def getuid(name): + """ get a uid for a user name """ + output = mockbuild.util.do(["getent", "passwd", "%s" % (name,)], + returnOutput=1, printOutput=True) + output = output.split(':') + return output[2], output[3] + +def getgid(name): + """ get a gid for a group name """ + output = mockbuild.util.do(["getent", "group", "%s" % (name,)], + returnOutput=1, printOutput=True) + return output.split(':')[2] + +def newgroup(name, gid, rootdir): + """ create a group with a gid """ + getLog().info("creating group %s with gid %s" % (name, gid)) + mockbuild.util.do(["groupadd", + "-g", "%s" % (gid,), + "-R", "%s" % (rootdir,), + "%s" % (name,), + ]) + +def newuser(name, uid, gid, rootdir): + """ create a user with a uid """ + getLog().info("creating user %s with uid %s" % (name, uid)) + mockbuild.util.do(["useradd", + "-u", "%s" % (uid,), + "-g", "%s" % (gid,), + "-R", "%s" % (rootdir,), + "%s" % (name,)]) + +class Pesign(object): + """ Creates some stuff in our mock root """ + # pylint: disable=too-few-public-methods + @traceLog() + def __init__(self, plugins, conf, buildroot): + """ Effectively we're doing: + getent group pesign >/dev/null || groupadd -r pesign + getent passwd pesign >/dev/null || \ + useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \ + -c "Group for the pesign signing daemon" pesign + """ + + self.buildroot = buildroot + self.pesign_opts = conf + self.config = buildroot.config + self.state = buildroot.state + self.users = {} + self.groups = {} + plugins.add_hook("postinit", self._pesignPostInitHook) + + @traceLog() + def _pesignPostInitHook(self): + """ find our uid and gid lists """ + for user in self.pesign_opts['users']: + uid, gid = getuid(user) + self.users[user] = [user, uid, gid] + for group in self.pesign_opts['groups']: + gid = getgid(group) + self.groups[group] = [group, gid] + + # create our users + rootdir = self.buildroot.make_chroot_path() + for name, gid in self.groups.values(): + newgroup(name, gid, rootdir) + for name, uid, gid in self.users.values(): + newuser(name, uid, gid, rootdir) + +# -*- coding: utf-8 -*- +# vim:fenc=utf-8:tw=75 diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec new file mode 100644 index 0000000..99ae141 --- /dev/null +++ b/SPECS/pesign.spec @@ -0,0 +1,427 @@ +%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d) + +Name: pesign +Summary: Signing utility for UEFI binaries +Version: 0.112 +Release: 25%{?dist} +License: GPLv2 +URL: https://github.com/vathpela/pesign + +Obsoletes: pesign-rh-test-certs <= 0.111-7 +BuildRequires: git nspr nss nss-util popt-devel +BuildRequires: nss-tools +BuildRequires: nspr-devel >= 4.9.2-1 +BuildRequires: nss-devel >= 3.13.6-1 +BuildRequires: efivar-devel >= 31-1 +BuildRequires: libuuid-devel +BuildRequires: tar xz +BuildRequires: python3-rpm-macros python3 +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +BuildRequires: systemd +%endif +Requires: nspr nss nss-util nss-tools popt rpm +Requires(pre): shadow-utils +ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm} +%if 0%{?rhel} == 7 +BuildRequires: rh-signing-tools >= 1.20-2 +%endif + +Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 +Source1: certs.tar.xz +Source2: pesign.py + +Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch +Patch0002: 0002-Fix-command-line-parsing.patch +Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch +Patch0004: 0004-Fix-certficate-argument-name.patch +Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch +Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch +Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch +Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch +Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch +Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch +Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch +Patch0012: 0012-Add-coverity-build-scripts.patch +Patch0013: 0013-Document-implicit-fallthrough.patch +Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch +Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch +Patch0016: 0016-efikeygen-add-modsign.patch +Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch +Patch0018: 0018-show-which-db-we-re-checking.patch +Patch0019: 0019-more-about-the-time.patch +Patch0020: 0020-try-to-say-why-something-fails.patch +Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch +Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch +Patch0023: 0023-Better-authorization-scripts.-Again.patch +Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch +Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch +Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch +Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch +Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch +Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch + +%description +This package contains the pesign utility for signing UEFI binaries as +well as other associated tools. + +%prep +%setup -q -T -b 0 +%setup -q -T -D -c -n pesign-%{version}/ -a 1 +git init +git config user.email "pesign-owner@fedoraproject.org" +git config user.name "Fedora Ninjas" +git add . +git commit -a -q -m "%{version} baseline." +git am %{patches} = 7 || 0%{?fedora} >= 17 +make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \ + install_systemd +%endif + +# there's some stuff that's not really meant to be shipped yet +rm -rf %{buildroot}/boot %{buildroot}/usr/include +rm -rf %{buildroot}%{_libdir}/libdpe* +mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/ +mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/ +cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/ +cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/ + +if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then + mkdir -p %{buildroot}%{macrosdir} + mv %{buildroot}%{_sysconfdir}/rpm/macros.pesign \ + %{buildroot}%{macrosdir} + rmdir %{buildroot}%{_sysconfdir}/rpm +fi +rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING + +# and find-debuginfo.sh has some pretty awful deficencies too... +cp -av libdpe/*.[ch] src/ + +install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/ +install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/ + +%pre +getent group pesign >/dev/null || groupadd -r pesign +getent passwd pesign >/dev/null || \ + useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \ + -c "Group for the pesign signing daemon" pesign +exit 0 + +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +%post +%systemd_post pesign.service + +#%%posttrans +#%%{_libexecdir}/pesign/pesign-authorize + +%preun +%systemd_preun pesign.service + +%postun +%systemd_postun_with_restart pesign.service +%endif + +%files +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc README TODO +%{_bindir}/authvar +%{_bindir}/efikeygen +%{_bindir}/efisiglist +%{_bindir}/pesigcheck +%{_bindir}/pesign +%{_bindir}/pesign-client +%dir %{_libexecdir}/pesign/ +%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/ +%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/* +%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/ +%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/* +%{_libexecdir}/pesign/pesign-authorize +%config(noreplace)/%{_sysconfdir}/pesign/users +%config(noreplace)/%{_sysconfdir}/pesign/groups +%{_sysconfdir}/popt.d/pesign.popt +%{macrosdir}/macros.pesign +%{_mandir}/man*/* +%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name} +%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket +%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +%{_tmpfilesdir}/pesign.conf +%{_unitdir}/pesign.service +%endif +%{python3_sitelib}/mockbuild/plugins/*/pesign.* +%{python3_sitelib}/mockbuild/plugins/pesign.* + +%changelog +* Mon Oct 01 2018 Peter Jones - 0.112-25 +- Preserve .py timestamp during install so .pyc/.pyo files have the same + timestamp on all arches, preventing rpmdiff from complaining. + Related: rhbz#1625388 + +* Fri Sep 28 2018 Peter Jones - 0.112-24 +- Require nss-tools at runtime so the rpm signing macros will have it + Resolves: rhbz#1625388 + +* Wed Aug 01 2018 Charalampos Stratakis - 0.112-23 +- Rebuild for platform-python + +* Mon Jan 22 2018 Peter Robinson 0.112-22 +- Minor spec cleanups, fix arm conditional + +* Fri Oct 06 2017 Troy Dawson - 0.112-21 +- Cleanup spec file conditionals + +* Tue Aug 15 2017 Peter Jones - 0.112-20 +- Maybe fewer typoes would be better. + +* Tue Aug 15 2017 Peter Jones - 0.112-19 +- Update to match f26's build so new kernel builds will work. + +* Thu Aug 10 2017 Peter Jones - 0.112-10 +- Try to fix the db problem nirik is seeing trying to upgrade the builders. + +* Thu Aug 03 2017 Fedora Release Engineering - 0.112-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.112-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jul 08 2017 Peter Jones - 0.112-7 +- Rebuild for efivar-31-1.fc26 + Related: rhbz#1468841 + +* Sat Feb 11 2017 Fedora Release Engineering - 0.112-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 06 2017 Peter Jones - 0.112-5 +- Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy + scripts. + Related: rhbz#1349073 + +* Wed Aug 17 2016 Peter Jones - 0.112-4 +- Build as -4 to make bodhi happy. + +* Fri Aug 12 2016 Adam Williamson - 0.112-3 +- backport fix for command line parsing from upstream master + +* Wed Aug 10 2016 Peter Jones - 0.112-2 +- Build with newer efivar. + +* Wed Apr 20 2016 Peter Jones - 0.112-1 +- Update to 0.112 +- Also fix up some spec file woes: + - dumb things in %%setup + - find-debuginfo.sh not working right for some source files... + +* Thu Feb 04 2016 Fedora Release Engineering - 0.111-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Dec 10 2015 Peter Jones - 0.111-7 +- Obsolete pesign-rh-test-certs, it was in -1's update. + Resolves: rhbz#1283475 + +* Wed Dec 02 2015 Peter Jones - 0.111-6 +- *Don't* use --certdir if we're using the socket. + Related: rhbz#1283475 + Related: rhbz#1284063 + Related: rhbz#1284561 + +* Tue Dec 01 2015 Peter Jones - 0.111-5 +- Actually do a better job of choosing which cert to use when, so people will + stop seeing any of this problem. (Thanks for the thought, jforbes.) + Resolves: rhbz#1283475 + Resolves: rhbz#1284063 + Resolves: rhbz#1284561 + +* Mon Nov 30 2015 Peter Jones - 0.111-5 +- setfacl even harder. + Related: rhbz#1283475 + Related: rhbz#1284063 + Related: rhbz#1284561 + +* Fri Nov 20 2015 Peter Jones - 0.111-3 +- Better ACL setting code. + Related: rhbz#1283475 + +* Thu Nov 19 2015 Peter Jones - 0.111-2 +- Allow the mockbuild user to read the nss database if the account exists. + +* Wed Oct 28 2015 Peter Jones - 0.111-1 +- Rebase to 0.111 +- Split test certs out into a "Recommends" subpackage. + +* Thu Jun 18 2015 Fedora Release Engineering - 0.110-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Mar 4 2015 Ville Skyttä - 0.110-2 +- Install macros in %%{_rpmconfigdir}/macros.d where available (#1074281) + +* Fri Oct 24 2014 Peter Jones - 0.110-1 +- Update to pesign-0.110 + +* Sun Aug 17 2014 Fedora Release Engineering - 0.108-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.108-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 29 2014 Peter Jones - 0.108-2 +- Fix a networking problem nirik observed when reinstalling builders. + +* Sat Aug 10 2013 Peter Jones - 0.108-1 +- Remove errant result files and raise an error from %%pesign + +* Tue Aug 06 2013 Peter Jones - 0.106-3 +- Add code for signing in RHEL 7 + +* Mon Aug 05 2013 Peter Jones - 0.106-2 +- Fix for new %%doc rules. + +* Sun Aug 04 2013 Fedora Release Engineering - 0.106-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue May 21 2013 Peter Jones - 0.106-1 +- Update to 0.106 +- Hopefully fix the segfault dgilmore was seeing. + +* Mon May 20 2013 Peter Jones - 0.105-1 +- Various bug fixes. + +* Wed May 15 2013 Peter Jones - 0.104-1 +- Make sure alignment is correct on signature list entries + Resolves: rhbz#963361 +- Make sure section alignment is correct if we have to extend the file + +* Wed Feb 06 2013 Peter Jones - 0.103-2 +- Conditionalize systemd bits so they don't show up in RHEL 6 builds + +* Tue Feb 05 2013 Peter Jones - 0.103-1 +- One more compiler problem. Let's expect a few more, shall we? + +* Tue Feb 05 2013 Peter Jones - 0.102-1 +- Don't use --std=gnu11 because we have to work on RHEL 6 builders. + +* Mon Feb 04 2013 Peter Jones - 0.101-1 +- Update to 0.101 to fix more "pesign -E" issues. + +* Fri Nov 30 2012 Peter Jones - 0.100-1 +- Fix insertion of signatures from a file. + +* Mon Nov 26 2012 Matthew Garrett - 0.99-9 +- Add a patch needed for new shim builds + +* Fri Oct 19 2012 Peter Jones - 0.99-8 +- Get the Fedora signing token name right. + +* Fri Oct 19 2012 Peter Jones +- Add coolkey and opensc modules to pki database during %%install. + +* Fri Oct 19 2012 Peter Jones - 0.99-7 +- setfacl u:kojibuilder:rw /var/run/pesign/socket +- Fix command line checking in client +- Add client stdin pin reading. + +* Thu Oct 18 2012 Peter Jones - 0.99-6 +- Automatically select daemon as signer when using rpm macros. + +* Thu Oct 18 2012 Peter Jones - 0.99-5 +- Make it work on the -el6 branch as well. + +* Wed Oct 17 2012 Peter Jones - 0.99-4 +- Fix some more bugs found by valgrind and coverity. +- Don't build utils/ ; we're not using them and they're not ready anyway. + +* Wed Oct 17 2012 Peter Jones - 0.99-3 +- Fix daemon startup bug from 0.99-2 + +* Wed Oct 17 2012 Peter Jones - 0.99-2 +- Fix various bugs from 0.99-1 +- Don't make the database unreadable just yet. + +* Mon Oct 15 2012 Peter Jones - 0.99-1 +- Update to 0.99 +- Add documentation for client/server mode. +- Add --pinfd and --pinfile to server mode. + +* Fri Oct 12 2012 Peter Jones - 0.98-1 +- Update to 0.98 +- Add client/server mode. + +* Mon Oct 01 2012 Peter Jones - 0.10-5 +- Fix missing section address fixup. + +* Wed Aug 15 2012 Peter Jones - 0.10-4 +- Make macros.pesign even better (and make it work right for i686 packages) + +* Tue Aug 14 2012 Peter Jones - 0.10-3 +- Only sign things on x86_64; all else ignore gracefully. + +* Tue Aug 14 2012 Peter Jones - 0.10-2 +- Make macros.pesign more reliable + +* Mon Aug 13 2012 Peter Jones - 0.10-1 +- Update to 0.10 +- Include rpm macros to support easy custom signing of signed packages. + +* Fri Aug 10 2012 Peter Jones - 0.9-1 +- Update to 0.9 +- Bug fix from Gary Ching-Pang Lin +- Support NSS Token selection for use with smart cards. + +* Wed Aug 08 2012 Peter Jones - 0.8-1 +- Update to 0.8 +- Don't open the db read-write +- Fix permissions on keystore (everybody can sign with test keys) + +* Wed Aug 08 2012 Peter Jones - 0.7-2 +- Include test keys. + +* Mon Jul 30 2012 Peter Jones - 0.7-1 +- Update to 0.7 +- Better fix for MS compatibility. + +* Mon Jul 30 2012 Peter Jones - 0.6-1 +- Update to 0.6 +- Bug-for-bug compatibility with signtool.exe . + +* Fri Jul 20 2012 Fedora Release Engineering - 0.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 11 2012 Peter Jones - 0.5-1 +- Rebase to 0.5 +- Do more rigorous bounds checking when hashing a new binary. + +* Tue Jul 10 2012 Peter Jones - 0.3-2 +- Rebase to 0.4 + +* Fri Jun 22 2012 Peter Jones - 0.3-2 +- Move man page to a more reasonable place. + +* Fri Jun 22 2012 Peter Jones - 0.3-1 +- Update to upstream's 0.3 . + +* Thu Jun 21 2012 Peter Jones - 0.2-4 +- Do not build with smp flags. + +* Thu Jun 21 2012 Peter Jones - 0.2-3 +- Make it build on i686, though it's unclear it'll ever be necessary. + +* Thu Jun 21 2012 Peter Jones - 0.2-2 +- Fix compile problem with f18's compiler. + +* Thu Jun 21 2012 Peter Jones - 0.2-1 +- Fix some rpmlint complaints nirik pointed out +- Add popt-devel build dep + +* Fri Jun 15 2012 Peter Jones - 0.1-1 +- First version of SRPM.