diff --git a/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch b/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch deleted file mode 100644 index c85d990..0000000 --- a/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch +++ /dev/null @@ -1,48 +0,0 @@ -commit cfdb8300f6e3aed0abc41406a3c4737eb1192067 -Author: Michal Domonkos -Date: Sun Jul 11 18:08:26 2021 +0200 - - Don't brp-strip .ko files - - Otherwise SecureBoot signatures may be stripped too. - - We used to exclude shared libraries from this strip as they were - supposed to be covered by another brp script (brp-strip-shared), however - it turned out the latter was never really used, so we removed the - exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3. - - As it turns out, that was a little too ambitious, since we may now - inadvertently strip SecureBoot signatures from kernel modules too, - provided that they're made during the build, prior to the invocation of - brp-strip. - - Note that this regression currently does *not* affect the following two - cases on Fedora/RHEL systems with redhat-rpm-config installed: - - - in-tree kernel modules; these are built from kernel.spec which - already contains a hack ensuring that module signing only happens - *after* any stripping (see %__modsign_install_post in kernel.spec) - - - out-of-tree kernel modules built with debuginfo enabled; this is - because brp-strip is only called when %debug_package is set to - %{nil} - - Any other combinations may be affected, depending on the macros and - .spec files used, so let's fix this by effectively "reverting" said - commit for .ko files only. - - Fixes: rhbz#1967291 - - Backported into 4.14.3 -diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip ---- rpm-4.14.3/scripts/brp-strip.orig 2021-07-12 17:21:04.446396789 +0200 -+++ rpm-4.14.3/scripts/brp-strip 2021-07-12 17:21:20.673633783 +0200 -@@ -12,7 +12,7 @@ Darwin*) exit 0 ;; - esac - - # Strip ELF binaries --for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \ -+for f in `find "$RPM_BUILD_ROOT" -type f \! -name "*.ko" -exec file {} \; | \ - grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug" | \ - sed -n -e 's/^\(.*\):[ ]*ELF.*, not stripped.*/\1/p'`; do - $STRIP -g "$f" || : diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec index 948e0e7..2bbaa61 100644 --- a/SPECS/rpm.spec +++ b/SPECS/rpm.spec @@ -32,7 +32,7 @@ %global rpmver 4.14.3 #global snapver rc2 -%global rel 18 +%global rel 19 %global srcver %{version}%{?snapver:-%{snapver}} %global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x} @@ -106,7 +106,6 @@ Patch151: 0001-Unblock-signals-in-forked-scriptlets.patch Patch152: rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch Patch153: rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch Patch154: rpm-4.14.3-more-careful-sig-hdr-copy.patch -Patch155: rpm-4.14.3-preserve-kmod-secure-boot-signature.patch Patch156: rpm-4.14.3-hdrblobInit-add-bounds-check.patch Patch157: rpm-4.14.3-add-read-only-support-for-sqlite.patch Patch158: rpm-4.14.3-imp-covscan-fixes.patch @@ -690,6 +689,9 @@ make check || cat tests/rpmtests.log %doc doc/librpm/html/* %changelog +* Wed Oct 06 2021 Michal Domonkos - 4.14.3-19 +- Unbreak in-tree kmod strip by reverting brp-strip fix (#1967291) + * Thu Aug 26 2021 Michal Domonkos - 4.14.3-18 - Address important covscan issues (#1996665), vol. 2