diff --git a/SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch b/SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch index 0c82dcf..d903b07 100644 --- a/SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch +++ b/SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch @@ -1,8 +1,8 @@ -From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 21 Apr 2016 10:47:34 -0400 -Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686 - and it's unused. +Subject: [PATCH] cms: kill generate_integer(), it doesn't build on i686 and + it's unused. Signed-off-by: Peter Jones --- @@ -67,6 +67,3 @@ index 7d77faf..c7d7268 100644 extern int generate_string(cms_context *cms, SECItem *der, char *str); extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items); extern int wrap_in_seq(cms_context *cms, SECItem *der, --- -2.13.4 - diff --git a/SOURCES/0002-Fix-command-line-parsing.patch b/SOURCES/0002-Fix-command-line-parsing.patch index 9c03eeb..9376740 100644 --- a/SOURCES/0002-Fix-command-line-parsing.patch +++ b/SOURCES/0002-Fix-command-line-parsing.patch @@ -1,7 +1,7 @@ -From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Thu, 9 Jun 2016 14:30:37 +0200 -Subject: [PATCH 02/29] Fix command line parsing +Subject: [PATCH] Fix command line parsing The gettext translation domain should be passed as .arg, not .descrip, otherwise popt won't process any of the command line options (it stops @@ -68,6 +68,3 @@ index 1328fe9..0d49c1a 100644 {.longName = "dbfile", .shortName = 'D', .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST, --- -2.13.4 - diff --git a/SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch b/SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch index cf4e61d..41a060c 100644 --- a/SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch +++ b/SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch @@ -1,7 +1,7 @@ -From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 10 Aug 2016 17:12:39 -0400 -Subject: [PATCH 03/29] gcc: don't error on stuff in includes. +Subject: [PATCH] gcc: don't error on stuff in includes. Signed-off-by: Peter Jones --- @@ -21,6 +21,3 @@ index c97b452..3511080 100644 AS := $(CROSS_COMPILE)as AR := $(CROSS_COMPILE)gcc-ar RANLIB := $(CROSS_COMPILE)gcc-ranlib --- -2.13.4 - diff --git a/SOURCES/0004-Fix-certficate-argument-name.patch b/SOURCES/0004-Fix-certficate-argument-name.patch index 08509ff..513e393 100644 --- a/SOURCES/0004-Fix-certficate-argument-name.patch +++ b/SOURCES/0004-Fix-certficate-argument-name.patch @@ -1,7 +1,7 @@ -From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 18 Apr 2017 19:00:34 -0400 -Subject: [PATCH 04/29] Fix "certficate" argument name. +Subject: [PATCH] Fix "certficate" argument name. This fixes our typoed argument name by making the incorrectly spelled version be a popt alias, and fixing the real implementation to be @@ -34,6 +34,3 @@ index 7b3385d..5a97748 100644 pesign alias --cert --certificate +pesign alias --certficate --certificate pesign alias --daemon --daemonize --- -2.13.4 - diff --git a/SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch b/SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch index 6a5b02d..832d5fd 100644 --- a/SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch +++ b/SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch @@ -1,7 +1,7 @@ -From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Mon, 27 Jun 2016 15:38:38 +0200 -Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage +Subject: [PATCH] Fix description of --ascii-armor option in manpage The --ascii option does not exist. --- @@ -21,6 +21,3 @@ index 47d1aec..29ae060 100644 Use ascii armoring on exported certificates. .TP --- -2.13.4 - diff --git a/SOURCES/0006-Make-ascii-work-since-we-documented-it.patch b/SOURCES/0006-Make-ascii-work-since-we-documented-it.patch index d0165f9..bf83373 100644 --- a/SOURCES/0006-Make-ascii-work-since-we-documented-it.patch +++ b/SOURCES/0006-Make-ascii-work-since-we-documented-it.patch @@ -1,7 +1,7 @@ -From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 18 Apr 2017 19:05:40 -0400 -Subject: [PATCH 06/29] Make --ascii work, since we documented it. +Subject: [PATCH] Make --ascii work, since we documented it. Signed-off-by: Peter Jones --- @@ -17,6 +17,3 @@ index 5a97748..5ae0c5c 100644 pesign alias --certficate --certificate pesign alias --daemon --daemonize +pesign alias --ascii --ascii-armor --- -2.13.4 - diff --git a/SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch b/SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch index faa78ec..bf9afc6 100644 --- a/SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch +++ b/SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch @@ -1,8 +1,8 @@ -From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Pat Riehecky Date: Mon, 7 Nov 2016 11:37:08 -0600 -Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros - rather than use hard coded values +Subject: [PATCH] Switch pesign client to also accept token/cert macros rather + than use hard coded values --- src/macros.pesign | 6 +++--- @@ -27,6 +27,3 @@ index 18e5b5e..69280e9 100644 --certdir ${_pesign_nssdir} \\\ %{-i} %{-o} %{-e} %{-s} %{-C} \ fi \ --- -2.13.4 - diff --git a/SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch b/SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch index 2226498..85e302f 100644 --- a/SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch +++ b/SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch @@ -1,7 +1,7 @@ -From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: David Michael Date: Thu, 16 Feb 2017 15:08:30 -0800 -Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer +Subject: [PATCH] pesigcheck: Verify with the cert as an object signer --- src/certdb.c | 2 +- @@ -20,6 +20,3 @@ index 2a08042..b7c99bb 100644 digest, HASH_AlgSHA256, PR_FALSE, atTime); if (!result) { --- -2.13.4 - diff --git a/SOURCES/0009-pesigcheck-make-certfile-actually-work.patch b/SOURCES/0009-pesigcheck-make-certfile-actually-work.patch index 8b77417..88ecced 100644 --- a/SOURCES/0009-pesigcheck-make-certfile-actually-work.patch +++ b/SOURCES/0009-pesigcheck-make-certfile-actually-work.patch @@ -1,7 +1,7 @@ -From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 24 Apr 2017 15:18:10 -0400 -Subject: [PATCH 09/29] pesigcheck: make --certfile actually work +Subject: [PATCH] pesigcheck: make --certfile actually work Signed-off-by: Peter Jones --- @@ -42,6 +42,3 @@ index 0d49c1a..d7be542 100644 .argDescrip = "" }, POPT_AUTOALIAS POPT_AUTOHELP --- -2.13.4 - diff --git a/SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch b/SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch index 08d1da7..8e4afee 100644 --- a/SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch +++ b/SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch @@ -1,7 +1,7 @@ -From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 16:15:07 -0400 -Subject: [PATCH 10/29] signerInfos: make sure err is always initialized +Subject: [PATCH] signerInfos: make sure err is always initialized Signed-off-by: Peter Jones --- @@ -22,6 +22,3 @@ index 721db90..9e0af23 100644 if (!signerInfo_list_p) return -1; --- -2.13.4 - diff --git a/SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch b/SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch index 3e15617..e6e451b 100644 --- a/SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch +++ b/SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch @@ -1,7 +1,7 @@ -From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 16:23:36 -0400 -Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name. +Subject: [PATCH] pesign: make "pesign -h" tell you the file name. Signed-off-by: Peter Jones --- @@ -21,6 +21,3 @@ index 279a17a..5879cfc 100644 int j = ctx->selected_digest; for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++) printf("%02x", --- -2.13.4 - diff --git a/SOURCES/0012-Add-coverity-build-scripts.patch b/SOURCES/0012-Add-coverity-build-scripts.patch index f3f0a89..955bb4f 100644 --- a/SOURCES/0012-Add-coverity-build-scripts.patch +++ b/SOURCES/0012-Add-coverity-build-scripts.patch @@ -1,27 +1,18 @@ -From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 10 May 2017 10:49:57 -0400 -Subject: [PATCH 12/29] Add coverity build scripts +Subject: [PATCH] Add coverity build scripts Signed-off-by: Peter Jones --- - .gitignore | 1 + Make.coverity | 37 +++++++++++++++++++++++++++++++++++++ Make.defaults | 2 ++ Make.rules | 4 ++++ Makefile | 1 + + .gitignore | 1 + 5 files changed, 45 insertions(+) create mode 100644 Make.coverity -diff --git a/.gitignore b/.gitignore -index 1635ba2..847e172 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -12,3 +12,4 @@ - *.tar.* - *.rpm - core.* -+cov-int diff --git a/Make.coverity b/Make.coverity new file mode 100644 index 0000000..b80b091 @@ -99,6 +90,12 @@ index db8eb7e..ca1a359 100644 SUBDIRS := include libdpe src --- -2.13.4 - +diff --git a/.gitignore b/.gitignore +index 1635ba2..847e172 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -12,3 +12,4 @@ + *.tar.* + *.rpm + core.* ++cov-int diff --git a/SOURCES/0013-Document-implicit-fallthrough.patch b/SOURCES/0013-Document-implicit-fallthrough.patch index 3731a3f..620c672 100644 --- a/SOURCES/0013-Document-implicit-fallthrough.patch +++ b/SOURCES/0013-Document-implicit-fallthrough.patch @@ -1,7 +1,7 @@ -From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sat, 8 Jul 2017 16:31:18 -0400 -Subject: [PATCH 13/29] Document implicit fallthrough. +Subject: [PATCH] Document implicit fallthrough. Signed-off-by: Peter Jones --- @@ -20,6 +20,3 @@ index ad659ca..03e0c47 100644 case IMPORT|SIGN|EXPORT: default: fprintf(stderr, "authvar: invalid flags: "); --- -2.13.4 - diff --git a/SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch b/SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch index 4b62cb3..d349bd7 100644 --- a/SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch +++ b/SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch @@ -1,7 +1,7 @@ -From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 16 May 2016 15:25:53 -0400 -Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage. +Subject: [PATCH] Actually setfacl /each/ directory of our key storage. Signed-off-by: Peter Jones --- @@ -45,6 +45,3 @@ index 8b9a885..940138e 100644 setfacl -m g:${username}:rw ${y} done fi --- -2.13.4 - diff --git a/SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch b/SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch index d5428b5..c763e61 100644 --- a/SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch +++ b/SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch @@ -1,7 +1,7 @@ -From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 22 Aug 2016 13:31:38 -0400 -Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array +Subject: [PATCH] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array indices. That was all kinds of wrong. @@ -54,6 +54,3 @@ index 599f49d..0e00781 100644 END_OID_LIST } ms_oid_t; --- -2.13.4 - diff --git a/SOURCES/0016-efikeygen-add-modsign.patch b/SOURCES/0016-efikeygen-add-modsign.patch index 8324334..eda6622 100644 --- a/SOURCES/0016-efikeygen-add-modsign.patch +++ b/SOURCES/0016-efikeygen-add-modsign.patch @@ -1,13 +1,13 @@ -From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 22 Aug 2016 13:43:56 -0400 -Subject: [PATCH 16/29] efikeygen: add --modsign +Subject: [PATCH] efikeygen: add --modsign --- - src/cms_common.c | 29 ++++++++++++++++++++++++++++ + src/cms_common.c | 29 +++++++++++++++++++++++++++ + src/efikeygen.c | 61 ++++++++++++++++++++++++++++++++++++++++++++------------ src/cms_common.h | 1 + - src/efikeygen.c | 59 ++++++++++++++++++++++++++++++++++++++++++++------------ - 3 files changed, 77 insertions(+), 12 deletions(-) + 3 files changed, 78 insertions(+), 13 deletions(-) diff --git a/src/cms_common.c b/src/cms_common.c index 6a4e6a7..2df2cfe 100644 @@ -49,18 +49,6 @@ index 6a4e6a7..2df2cfe 100644 int generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original) { -diff --git a/src/cms_common.h b/src/cms_common.h -index c7d7268..7a31273 100644 ---- a/src/cms_common.h -+++ b/src/cms_common.h -@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der, - SECItem *items, int num_items); - extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded, - SECItem *original); -+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag); - extern int generate_validity(cms_context *cms, SECItem *der, time_t start, - time_t end); - extern int generate_common_name(cms_context *cms, SECItem *der, char *cn); diff --git a/src/efikeygen.c b/src/efikeygen.c index 8a515a5..9390578 100644 --- a/src/efikeygen.c @@ -86,15 +74,17 @@ index 8a515a5..9390578 100644 - .len = 12, - .type = siBuffer - }; +- +- + SECItem values[2]; + SECItem wrapped = { 0 }; -+ SECStatus status; + SECStatus status; + SECOidTag tag; + int rc; + + if (modsign_only < 1 || modsign_only > 2) + cmsreterr(-1, cms, "could not encode extended key usage"); - ++ + rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN); + if (rc < 0) + cmsreterr(-1, cms, "could not encode extended key usage"); @@ -108,8 +98,7 @@ index 8a515a5..9390578 100644 + rc = wrap_in_seq(cms, &wrapped, values, modsign_only); + if (rc < 0) + cmsreterr(-1, cms, "could not encode extended key usage"); - -- SECStatus status; ++ status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, - &value, PR_FALSE, PR_TRUE); @@ -192,6 +181,15 @@ index 8a515a5..9390578 100644 if (rc < 0) exit(1); --- -2.13.4 - +diff --git a/src/cms_common.h b/src/cms_common.h +index c7d7268..7a31273 100644 +--- a/src/cms_common.h ++++ b/src/cms_common.h +@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der, + SECItem *items, int num_items); + extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded, + SECItem *original); ++extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag); + extern int generate_validity(cms_context *cms, SECItem *der, time_t start, + time_t end); + extern int generate_common_name(cms_context *cms, SECItem *der, char *cn); diff --git a/SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch b/SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch index acebc3a..2398077 100644 --- a/SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch +++ b/SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch @@ -1,7 +1,7 @@ -From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 16:25:02 -0400 -Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable +Subject: [PATCH] check_cert_db(): try even harder to pick a reasonable validation time. Signed-off-by: Peter Jones @@ -116,6 +116,3 @@ index b7c99bb..1a4baf1 100644 /* Verify the signature */ result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo, certUsageObjectSigner, --- -2.13.4 - diff --git a/SOURCES/0018-show-which-db-we-re-checking.patch b/SOURCES/0018-show-which-db-we-re-checking.patch index 2b92f83..e290356 100644 --- a/SOURCES/0018-show-which-db-we-re-checking.patch +++ b/SOURCES/0018-show-which-db-we-re-checking.patch @@ -1,7 +1,7 @@ -From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 16:58:50 -0400 -Subject: [PATCH 18/29] show which db we're checking +Subject: [PATCH] show which db we're checking --- src/certdb.c | 35 ++++++++++++++++++++++++++++++++++- @@ -132,6 +132,3 @@ index 1b916e3..7b5cc89 100644 int fd; struct dblist *next; size_t size; --- -2.13.4 - diff --git a/SOURCES/0019-more-about-the-time.patch b/SOURCES/0019-more-about-the-time.patch index 2570bf8..55f3e83 100644 --- a/SOURCES/0019-more-about-the-time.patch +++ b/SOURCES/0019-more-about-the-time.patch @@ -1,7 +1,7 @@ -From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 17:00:46 -0400 -Subject: [PATCH 19/29] more about the time +Subject: [PATCH] more about the time --- src/certdb.c | 59 +++++++++++++++++++++++++++++++++-------------------------- @@ -11,7 +11,7 @@ diff --git a/src/certdb.c b/src/certdb.c index 673e074..1078a8a 100644 --- a/src/certdb.c +++ b/src/certdb.c -@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, +@@ -345,14 +345,46 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, PRBool result; SECStatus rv; db_status status = NOT_FOUND; @@ -23,10 +23,14 @@ index 673e074..1078a8a 100644 efi_guid_t efi_x509 = efi_guid_x509_cert; -@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, - if (!cinfo) - goto out; + if (memcmp(sigtype, &efi_x509, sizeof(efi_guid_t)) != 0) + return NOT_FOUND; ++ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL, ++ NULL, NULL); ++ if (!cinfo) ++ goto out; ++ + notBefore = earlyNow; + notAfter = lateNow; + find_cert_times(cinfo, ¬Before, ¬After); @@ -52,14 +56,9 @@ index 673e074..1078a8a 100644 + atTime = earlyNow / 2 + lateNow / 2; + + -+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL, -+ NULL, NULL); -+ if (!cinfo) -+ goto out; -+ - /* Generate the digest of contentInfo */ - /* XXX support only sha256 for now */ - digest = SECITEM_AllocItem(NULL, NULL, 32); + cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL, + NULL, NULL); + if (!cinfo) @@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype, PORT_ErrorToString(PORT_GetError())); goto out; @@ -92,6 +91,3 @@ index 673e074..1078a8a 100644 /* Verify the signature */ result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo, --- -2.13.4 - diff --git a/SOURCES/0020-try-to-say-why-something-fails.patch b/SOURCES/0020-try-to-say-why-something-fails.patch index 96bdd60..f957f71 100644 --- a/SOURCES/0020-try-to-say-why-something-fails.patch +++ b/SOURCES/0020-try-to-say-why-something-fails.patch @@ -1,13 +1,13 @@ -From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 25 Apr 2017 17:01:13 -0400 -Subject: [PATCH 20/29] try to say why something fails +Subject: [PATCH] try to say why something fails Signed-off-by: Peter Jones --- src/certdb.c | 15 ++- - src/certdb.h | 2 +- src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++----- + src/certdb.h | 2 +- src/pesigcheck_context.h | 1 + 4 files changed, 233 insertions(+), 29 deletions(-) @@ -58,19 +58,6 @@ index 1078a8a..fae80af 100644 - return check_db(which, ctx, check_cert, data, datalen); + return check_db(which, ctx, check_cert, data, datalen, match); } -diff --git a/src/certdb.h b/src/certdb.h -index ccf3c87..8402299 100644 ---- a/src/certdb.h -+++ b/src/certdb.h -@@ -43,7 +43,7 @@ typedef struct { - - extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx); - extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx, -- void *data, ssize_t datalen); -+ void *data, ssize_t datalen, SECItem *match); - - extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs); - extern int add_cert_db(pesigcheck_context *ctx, const char *filename); diff --git a/src/pesigcheck.c b/src/pesigcheck.c index d7be542..c8e1086 100644 --- a/src/pesigcheck.c @@ -402,6 +389,19 @@ index d7be542..c8e1086 100644 pesigcheck_context_fini(&ctx); NSS_Shutdown(); +diff --git a/src/certdb.h b/src/certdb.h +index ccf3c87..8402299 100644 +--- a/src/certdb.h ++++ b/src/certdb.h +@@ -43,7 +43,7 @@ typedef struct { + + extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx); + extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx, +- void *data, ssize_t datalen); ++ void *data, ssize_t datalen, SECItem *match); + + extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs); + extern int add_cert_db(pesigcheck_context *ctx, const char *filename); diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h index 7b5cc89..aec415e 100644 --- a/src/pesigcheck_context.h @@ -414,6 +414,3 @@ index 7b5cc89..aec415e 100644 hashlist *hashes; --- -2.13.4 - diff --git a/SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch b/SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch index 3088923..0d601e6 100644 --- a/SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch +++ b/SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch @@ -1,7 +1,7 @@ -From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sat, 6 May 2017 22:45:34 +0200 -Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword +Subject: [PATCH] Fix race condition in SEC_GetPassword A side effect of echoOff is to discard unread input, so if we print the prompt before echoOff, the user (or process) at the other end might @@ -29,6 +29,3 @@ index cd1c07e..d4eae0d 100644 } fgets ( phrase, sizeof(phrase), input); --- -2.13.4 - diff --git a/SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch b/SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch index 06980ee..6a1b131 100644 --- a/SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch +++ b/SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch @@ -1,7 +1,7 @@ -From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: David Michael Date: Tue, 13 Jun 2017 13:20:16 -0700 -Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime +Subject: [PATCH] sysvinit: Create the socket directory at runtime This better supports non-systemd configurations with tmpfs on /run. --- @@ -22,6 +22,3 @@ index d8fffca..dc508d8 100644 daemon /usr/bin/pesign --daemonize RETVAL=$? echo --- -2.13.4 - diff --git a/SOURCES/0023-Better-authorization-scripts.-Again.patch b/SOURCES/0023-Better-authorization-scripts.-Again.patch index c778c94..ebefe25 100644 --- a/SOURCES/0023-Better-authorization-scripts.-Again.patch +++ b/SOURCES/0023-Better-authorization-scripts.-Again.patch @@ -1,7 +1,7 @@ -From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 8 Aug 2017 15:44:44 -0400 -Subject: [PATCH 23/29] Better authorization scripts. Again. +Subject: [PATCH] Better authorization scripts. Again. Signed-off-by: Peter Jones --- @@ -212,6 +212,3 @@ index dc508d8..b0e0f84 100644 } stop(){ --- -2.13.4 - diff --git a/SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch b/SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch index 8f4a380..2c0ea96 100644 --- a/SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch +++ b/SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch @@ -1,8 +1,7 @@ -From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 8 Aug 2017 17:28:19 -0400 -Subject: [PATCH 24/29] Make the daemon also try to give better errors on - -EPERM etc. +Subject: [PATCH] Make the daemon also try to give better errors on -EPERM etc. Basically 6796e5f but also for the daemon. This also tries to fix them up to save errno better, for more accurate reporting. @@ -90,6 +89,3 @@ index 5879cfc..6ceda34 100644 } status = register_oids(ctxp->cms_ctx); --- -2.13.4 - diff --git a/SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch b/SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch index 0fc2ad8..6ebc379 100644 --- a/SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch +++ b/SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch @@ -1,7 +1,7 @@ -From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 9 Aug 2017 17:40:33 -0400 -Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686 +Subject: [PATCH] certdb: fix PRTime printfs for i686 Signed-off-by: Peter Jones --- @@ -26,6 +26,3 @@ index fae80af..29c9502 100644 cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL, NULL, NULL); if (!cinfo) --- -2.13.4 - diff --git a/SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch b/SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch index 928d62d..685e0b9 100644 --- a/SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch +++ b/SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch @@ -1,7 +1,7 @@ -From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 10 Aug 2017 10:02:38 -0400 -Subject: [PATCH 26/29] Clean up gcc command lines a little +Subject: [PATCH] Clean up gcc command lines a little Signed-off-by: Peter Jones --- @@ -36,6 +36,3 @@ index 39b78f0..b6c0381 100644 -std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \ -fno-merge-constants -fkeep-inline-functions \ -D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \ --- -2.13.4 - diff --git a/SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch b/SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch index 4131de3..993a9f9 100644 --- a/SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch +++ b/SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch @@ -1,7 +1,7 @@ -From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 10 Aug 2017 10:03:37 -0400 -Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo. +Subject: [PATCH] Make pesign-{users,groups} static in the repo. Signed-off-by: Peter Jones --- @@ -49,6 +49,3 @@ index 0000000..7f57cc5 +++ b/src/pesign-users @@ -0,0 +1 @@ +pesign --- -2.13.4 - diff --git a/SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch b/SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch index ad9da8d..eb4e89f 100644 --- a/SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch +++ b/SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch @@ -1,8 +1,8 @@ -From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Wed, 9 Aug 2017 17:31:31 -0400 -Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values - unless overridden +Subject: [PATCH] rpm: Make the client signer use the fedora values unless + overridden Signed-off-by: Peter Jones --- @@ -38,6 +38,3 @@ index 69280e9..22a3ee6 100644 --certdir ${_pesign_nssdir} \\\ %{-i} %{-o} %{-e} %{-s} %{-C} \ fi \ --- -2.13.4 - diff --git a/SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch b/SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch index 753afe8..9ea4d48 100644 --- a/SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch +++ b/SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch @@ -1,15 +1,15 @@ -From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 14 Aug 2017 11:37:43 -0400 -Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't - have perms on the socket +Subject: [PATCH] Make macros.pesign error in kojibuilder if we don't have + perms on the socket --- - src/macros.pesign | 9 +++++++++ - 1 file changed, 9 insertions(+) + src/macros.pesign | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) diff --git a/src/macros.pesign b/src/macros.pesign -index 22a3ee6..1665b4c 100644 +index 22a3ee6..dfdac02 100644 --- a/src/macros.pesign +++ b/src/macros.pesign @@ -43,6 +43,21 @@ @@ -34,6 +34,3 @@ index 22a3ee6..1665b4c 100644 elif [ -S /var/run/pesign/socket ]; then \ %{_pesign_client} -t %{__pesign_client_token} \\\ -c %{__pesign_client_cert} \\\ --- -2.13.4 - diff --git a/SOURCES/0030-Replace-var-run-with-run.patch b/SOURCES/0030-Replace-var-run-with-run.patch index 8ade2cd..8c052f8 100644 --- a/SOURCES/0030-Replace-var-run-with-run.patch +++ b/SOURCES/0030-Replace-var-run-with-run.patch @@ -1,4 +1,4 @@ -From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 8 Nov 2021 17:58:09 -0500 Subject: [PATCH] Replace /var/run with /run @@ -15,8 +15,8 @@ don't backport well. Signed-off-by: Robbie Harwood --- - src/Makefile | 2 +- src/daemon.h | 4 ++-- + src/Makefile | 2 +- src/macros.pesign | 12 ++++++------ src/pesign-authorize | 2 +- src/pesign.service.in | 2 +- @@ -24,19 +24,6 @@ Signed-off-by: Robbie Harwood src/tmpfiles.conf | 2 +- 7 files changed, 17 insertions(+), 17 deletions(-) -diff --git a/src/Makefile b/src/Makefile -index 7d68fa1..a11e2b4 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit - install : - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ -- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ -+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) - $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) diff --git a/src/daemon.h b/src/daemon.h index d97eab9..db42c16 100644 --- a/src/daemon.h @@ -51,6 +38,19 @@ index d97eab9..db42c16 100644 +#define PIDFILE "/run/pesign.pid" #endif /* DAEMON_H */ +diff --git a/src/Makefile b/src/Makefile +index 7d68fa1..a11e2b4 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit + install : + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ +- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ ++ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) diff --git a/src/macros.pesign b/src/macros.pesign index dfdac02..f135c29 100644 --- a/src/macros.pesign @@ -146,6 +146,3 @@ index c1cf355..3375ad5 100644 @@ -1 +1 @@ -D /var/run/pesign 0770 pesign pesign - +D /run/pesign 0770 pesign pesign - --- -2.33.0 - diff --git a/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch b/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch index 7f84af1..f12ce1a 100644 --- a/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch +++ b/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch @@ -1,4 +1,4 @@ -From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 14 May 2019 11:28:38 -0400 Subject: [PATCH] efikeygen: Fix the build with nss 3.44 @@ -41,6 +41,3 @@ index 9390578..089e6a7 100644 if (is_ca) type |= NS_CERT_TYPE_SSL_CA | --- -2.33.0 - diff --git a/SOURCES/0032-Use-normal-file-permissions-instead-of-ACLs.patch b/SOURCES/0032-Use-normal-file-permissions-instead-of-ACLs.patch new file mode 100644 index 0000000..5336ea4 --- /dev/null +++ b/SOURCES/0032-Use-normal-file-permissions-instead-of-ACLs.patch @@ -0,0 +1,82 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Wed, 18 Jan 2023 14:00:22 -0500 +Subject: [PATCH] Use normal file permissions instead of ACLs + +Fixes a symlink attack that can't be mitigated using getfacl/setfacl. + +pesign-authorize is now deprecated and will be removed in a future +release. + +Resolves: CVE-2022-3560 +Signed-off-by: Robbie Harwood +(cherry picked from commit 21d0c7afe0c0c23eee72a5e144995f0acb73b763) +--- + src/pesign-authorize | 53 +++++----------------------------------------------- + 1 file changed, 5 insertions(+), 48 deletions(-) + +diff --git a/src/pesign-authorize b/src/pesign-authorize +index 83a30cd..b4e89e0 100755 +--- a/src/pesign-authorize ++++ b/src/pesign-authorize +@@ -2,55 +2,12 @@ + set -e + set -u + +-# +-# With /run/pesign/socket on tmpfs, a simple way of restoring the +-# acls for specific users is useful +-# +-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 +-# +- + # License: GPLv2 +-declare -a fileusers=() +-declare -a dirusers=() +-for user in $(cat /etc/pesign/users); do +- dirusers[${#dirusers[@]}]=-m +- dirusers[${#dirusers[@]}]="u:$user:rwx" +- fileusers[${#fileusers[@]}]=-m +- fileusers[${#fileusers[@]}]="u:$user:rw" +-done +- +-declare -a filegroups=() +-declare -a dirgroups=() +-for group in $(cat /etc/pesign/groups); do +- dirgroups[${#dirgroups[@]}]=-m +- dirgroups[${#dirgroups[@]}]="g:$group:rwx" +- filegroups[${#filegroups[@]}]=-m +- filegroups[${#filegroups[@]}]="g:$group:rw" +-done +- +-update_subdir() { +- subdir=$1 && shift + +- setfacl -bk "${subdir}" +- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}" +- for x in "${subdir}"* ; do +- if [ -d "${x}" ]; then +- setfacl -bk ${x} +- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x} +- update_subdir "${x}/" +- elif [ -e "${x}" ]; then +- setfacl -bk ${x} +- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x} +- else +- :; +- fi +- done +-} ++# This script is deprecated and will be removed in a future release. + +-for x in /run/pesign/ /etc/pki/pesign*/ ; do +- if [ -d "${x}" ]; then +- update_subdir "${x}" +- else +- :; +- fi ++sleep 3 ++for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do ++ chown -R pesign:pesign "${x}" || true ++ chmod -R ug+rwX "${x}" || true + done diff --git a/SOURCES/pesign.patches b/SOURCES/pesign.patches new file mode 100644 index 0000000..eb629a2 --- /dev/null +++ b/SOURCES/pesign.patches @@ -0,0 +1,32 @@ +Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch +Patch0002: 0002-Fix-command-line-parsing.patch +Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch +Patch0004: 0004-Fix-certficate-argument-name.patch +Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch +Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch +Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch +Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch +Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch +Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch +Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch +Patch0012: 0012-Add-coverity-build-scripts.patch +Patch0013: 0013-Document-implicit-fallthrough.patch +Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch +Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch +Patch0016: 0016-efikeygen-add-modsign.patch +Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch +Patch0018: 0018-show-which-db-we-re-checking.patch +Patch0019: 0019-more-about-the-time.patch +Patch0020: 0020-try-to-say-why-something-fails.patch +Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch +Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch +Patch0023: 0023-Better-authorization-scripts.-Again.patch +Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch +Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch +Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch +Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch +Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch +Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch +Patch0030: 0030-Replace-var-run-with-run.patch +Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch +Patch0032: 0032-Use-normal-file-permissions-instead-of-ACLs.patch diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec index eb1de3c..9539f97 100644 --- a/SPECS/pesign.spec +++ b/SPECS/pesign.spec @@ -3,7 +3,7 @@ Name: pesign Summary: Signing utility for UEFI binaries Version: 0.112 -Release: 26%{?dist} +Release: 27%{?dist} License: GPLv2 URL: https://github.com/vathpela/pesign @@ -29,38 +29,9 @@ BuildRequires: rh-signing-tools >= 1.20-2 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 Source1: certs.tar.xz Source2: pesign.py +Source3: pesign.patches -Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch -Patch0002: 0002-Fix-command-line-parsing.patch -Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch -Patch0004: 0004-Fix-certficate-argument-name.patch -Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch -Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch -Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch -Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch -Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch -Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch -Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch -Patch0012: 0012-Add-coverity-build-scripts.patch -Patch0013: 0013-Document-implicit-fallthrough.patch -Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch -Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch -Patch0016: 0016-efikeygen-add-modsign.patch -Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch -Patch0018: 0018-show-which-db-we-re-checking.patch -Patch0019: 0019-more-about-the-time.patch -Patch0020: 0020-try-to-say-why-something-fails.patch -Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch -Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch -Patch0023: 0023-Better-authorization-scripts.-Again.patch -Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch -Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch -Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch -Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch -Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch -Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch -Patch0030: 0030-Replace-var-run-with-run.patch -Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch +%include %{SOURCE3} %description This package contains the pesign utility for signing UEFI binaries as @@ -165,6 +136,10 @@ exit 0 %{python3_sitelib}/mockbuild/plugins/pesign.* %changelog +* Wed Jan 18 2023 Robbie Harwood - 0.112-27 +- Deprecate pesign-authorize and drop ACL +- Resolves: CVE-2022-3560 + * Mon Nov 08 2021 Robbie Harwood - 0.112-26 - Perform the /var/run to /run "migration" stupidity - Resolves: rhbz#1801976