commit 37ac1055991c12129a8adb0c23acf1683f325fc3 Author: Adrian Schröter Date: Tue Jun 27 09:43:30 2023 +0200 Sync from SUSE:ALP:Source:Standard:1.0 pesign-obs-integration revision 2da37331df92f08073713d7e04fd968a diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/_service b/_service new file mode 100644 index 0000000..2c798a4 --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/openSUSE/pesign-obs-integration.git + git + .git + master + @PARENT_TAG@+git%cd.%h + enable + pesign-obs-integration.spec + + + + + gz + *.tar + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..68875eb --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/openSUSE/pesign-obs-integration.git + 4699910cf20591bcf3d06e42189ad8cb1326ab08 \ No newline at end of file diff --git a/pesign-obs-integration-10.2+git20230612.4699910.obscpio b/pesign-obs-integration-10.2+git20230612.4699910.obscpio new file mode 100644 index 0000000..ae6ada8 --- /dev/null +++ b/pesign-obs-integration-10.2+git20230612.4699910.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:57194a4533d7b95ad6ccc0332351b6ece5cc30984d8b13644a07a42e57c5d6ef +size 138763 diff --git a/pesign-obs-integration-10.2+git20230612.4699910.tar.gz b/pesign-obs-integration-10.2+git20230612.4699910.tar.gz new file mode 100644 index 0000000..60c4645 --- /dev/null +++ b/pesign-obs-integration-10.2+git20230612.4699910.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:74043950aab273c549b16baad5368808e8069ec4eb4fd3c94716036f0b7f7f54 +size 40703 diff --git a/pesign-obs-integration.changes b/pesign-obs-integration.changes new file mode 100644 index 0000000..ba16e71 --- /dev/null +++ b/pesign-obs-integration.changes @@ -0,0 +1,541 @@ +------------------------------------------------------------------- +Thu Jun 22 13:11:39 UTC 2023 - Joey Lee + +- Modify pesign-obs-integration.changes, add bsc#1211849 to changelog. + The supporting of filetriggers and transfiletriggers in + pesign-gen-repackage-spec in 10.2+git20230612.4699910 is for + bsc#1211849. + +------------------------------------------------------------------- +Mon Jun 12 05:20:28 UTC 2023 - jlee@suse.com + +- Update to version 10.2+git20230612.4699910: + * pesign-gen-repackage-spec: support filetriggers and transfiletriggers (bsc#1211849) + * Add support for dependency generators + * pesign-gen-repackage-spec: fix the filename issue in the scripts of generated ueficert package + * Verfiy the signatures before attaching them + * Don't copy rpmlintrc to OTHER + * Fix %attr issues + * Support %lang + * Support OrderWithRequires + * pesign-repackage.spec.in: Add description for footer_size +- Removed the following patches becuase they are merged to + 10.2+git20230612.4699910: + Patch: order.patch + Patch1: attr.patch + Patch2: lang.patch + Patch3: rpmlintrc.patch + Patch4: verify-sig.patch + Patch5: dependency-generators.patch +- Use README.md instead of README in pesign-obs-integration.spec. + +------------------------------------------------------------------- +Mon Jan 23 14:16:22 UTC 2023 - Callum Farmer + +- Add dependency-generators.patch to support copying source files + and macros to the re-package build (jsc#PED-2658) + +------------------------------------------------------------------- +Wed Sep 28 06:36:56 UTC 2022 - Gary Ching-Pang Lin + +- Add verify-sig.patch to verify the signatures before attaching + them (bsc#1200108, bsc#1203679) + +------------------------------------------------------------------- +Sat Jul 9 16:19:57 UTC 2022 - Callum Farmer + +- Update attr.patch to fix ghost symlinks still being affected +- Add rpmlintrc.patch to stop copying it to the build output + +------------------------------------------------------------------- +Wed Jun 22 20:02:36 UTC 2022 - Callum Farmer + +- Add attr.patch to fix: + * Avoid assigning %attr's to symlinks which causes rpmbuild spam + * Change perms mask to 07777 to ensure SUID/SGID is copied over +- Add lang.patch to support %lang + +------------------------------------------------------------------- +Wed Jun 15 11:13:51 UTC 2022 - gmbr3@opensuse.org + +- Update to version 10.2+git20220504.8690743: + * Don't repackage aarch64_ilp32 *-64bit packages + * Use pesign for signing on riscv64 + * Add padding to grub signature correctly (jsc#SLE-18271 bsc#1192764). + * kernel-sign-file: Support appending verbatim PKCS#7 signature. + * kernel-sign-file: Move x509 parsing into a function. + * Support ppc grub signing (jsc#SLE-18271 bsc#1192764). + * Handle packages with epochs as well + * Turn off rpm fatal warnings for noarch packages +- Upstreamed patches: + * 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch + * 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch + * 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch + * 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch +- Added patches: + * order.patch - support OrderWithRequires + +------------------------------------------------------------------- +Fri Jan 21 08:49:34 UTC 2022 - Michal Suchanek + +- Support signing grub on powerpc (jsc#SLE-18271 bsc#1192764). + + 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch + + 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch + + 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch + + 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch + +------------------------------------------------------------------- +Wed Aug 04 12:35:19 UTC 2021 - lnussel@suse.de + +- Update to version 10.2+git20210804.ff18da1: + * brp-99-pesign: fix that the signature of shim be broken + +------------------------------------------------------------------- +Fri Jul 30 11:56:23 UTC 2021 - lnussel@suse.de + +- Update to version 10.2+git20210730.0cb100c: + * Sign kernel also in module dir (boo#1184804) + (replaces pesign-kernel-in-lib.diff) +- switch package to obs_scm to avoid recompression + +------------------------------------------------------------------- +Fri Jul 23 09:11:28 UTC 2021 - dmueller@suse.com + +- Update to version git master (10.2): + * Add support for GZIP and ZSTD module compression (bsc#1188636) + * Always pad the EFI image when calculating the hash + * Version bump to 10.2 + * approach issue#22 false noarch subpackage +- drop pesign-obs-integration-bsc1183747-always-pad-efi-images.patch + pesign-obs-integration-support-gzip-zstd-compression.patch (merged) + +------------------------------------------------------------------- +Mon Jun 21 03:23:54 UTC 2021 - Gary Ching-Pang Lin + +- Add pesign-obs-integration-support-gzip-zstd-compression.patch + to support gzip and zstd module compression + +------------------------------------------------------------------- +Fri Apr 23 09:34:17 UTC 2021 - Ludwig Nussel + +- find kernel also in /lib (boo#1184804, pesign-kernel-in-lib.diff) + +------------------------------------------------------------------- +Fri Mar 19 03:45:11 UTC 2021 - Gary Ching-Pang Lin + +- Add pesign-obs-integration-bsc1183747-always-pad-efi-images.patch + to fix the potential hash mismatching (bsc#1183747) + +------------------------------------------------------------------- +Mon Dec 21 03:50:35 UTC 2020 - Gary Ching-Pang Lin + +- Update to version 10.2: + * Fix the wrongly created noarch subpackages + (issue#22, bsc#1180242) + +------------------------------------------------------------------- +Wed Oct 21 12:44:19 UTC 2020 - dmueller@suse.com + +- Update to version 10.1+1602850462: + * Compress kernel modules in batch and in parallel (bsc#1188636) + * Forward _binary_payload to the repackaged rpm (bsc#1175882) +- remove 0001-Forward-_binary_payload-to-the-repackaged-rpm.patch, + parallel-compression.patch (upstream) + +------------------------------------------------------------------- +Thu Oct 15 21:13:24 UTC 2020 - dmueller@suse.com + +- Sync from git master directly +- drop 0001-Add-support-for-kernel-module-compression.patch + 0001-Enable-find_provides-and-requires.patch + 0001-Initialize-compress-variable.patch + 0001-Keep-the-files-in-the-OTHER-directory.patch + 0001-Passthrough-license-tag.patch + 0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch + 0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch + pesign-sign-s390x-kernel.patch (upstream) +- add parallel-compression.patch + +------------------------------------------------------------------- +Wed Sep 2 03:39:46 UTC 2020 - Gary Ching-Pang Lin + +- Add 0001-Forward-_binary_payload-to-the-repackaged-rpm.patch to + forward _binary_payload to the repackaged rpm (bsc#1175882) + +------------------------------------------------------------------- +Fri Jul 17 07:25:34 UTC 2020 - Gary Ching-Pang Lin + +- Add 0001-Enable-find_provides-and-requires.patch + (bsc#1114605, bsc#1180279) + + Enable this patch again since virtualbox-kmp is split from + the main package so the customized %find_provides for + virtualbox-x11-guest won't be affected anymore. + +------------------------------------------------------------------- +Wed Feb 26 13:35:18 UTC 2020 - Marcus Meissner + +- pesign-sign-s390x-kernel.patch: Sign also the non-PE (e.g. s390x) + kernels with just kernel-sign-file (bsc#1163524) + +------------------------------------------------------------------- +Wed Feb 19 14:25:32 UTC 2020 - Marcus Meissner + +- 0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch + Hard code signing of stage3.bin of s390-tools (bsc#1163524) + +------------------------------------------------------------------- +Wed Nov 6 09:58:34 UTC 2019 - Jiri Slaby + +- 0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch + to support xz-compressed vmlinux (bnc#1155921) + +------------------------------------------------------------------- +Wed Nov 6 03:52:16 UTC 2019 - Gary Ching-Pang Lin + +- 0001-Keep-the-files-in-the-OTHER-directory.patch to keep the + files in the OTHER directory (boo#1155474) + +------------------------------------------------------------------- +Wed Sep 4 12:18:39 UTC 2019 - Michal Suchanek + +- Require pesign on arm (boo#1134303). + +------------------------------------------------------------------- +Thu Aug 1 02:41:28 UTC 2019 - Gary Ching-Pang Lin + +- Add 0001-Initialize-compress-variable.patch to initialize + $compress in pesign-gen-repackage-spec to avoid warning + +------------------------------------------------------------------- +Wed May 29 06:01:20 UTC 2019 - Gary Ching-Pang Lin + +- Add 0001-Add-support-for-kernel-module-compression.patch to + support kernel module compression (bsc#1135854, jsc#SLE-16661) + +------------------------------------------------------------------- +Fri May 17 14:00:08 UTC 2019 - Guillaume GARDET + +- pesign is also available on %arm (boo#1134303). + +------------------------------------------------------------------- +Tue Apr 16 03:53:05 UTC 2019 - Gary Ching-Pang Lin + +- Drop 0002-Enable-find_provides-and-requires.patch due to the + build failure of virtualbox-guest-x11 + +------------------------------------------------------------------- +Thu Apr 11 03:45:03 UTC 2019 - Gary Ching-Pang Lin + +- rpm: forward the missing rpm bits (bsc#1114605, bsc#1180279) + + 0001-Passthrough-license-tag.patch + + 0002-Enable-find_provides-and-requires.patch + +------------------------------------------------------------------- +Tue Dec 11 10:19:44 UTC 2018 - glin@suse.com +- Version 10.1 +- Add modsign-verify for the signature verification (bsc#1118953) + +------------------------------------------------------------------- +Wed Oct 31 10:11:48 UTC 2018 - glin@suse.com + +- rpm: properly forward dep flags (bsc#1114605) +- Fix new Lintian Error from Debian 10 + +------------------------------------------------------------------- +Tue Jun 12 03:30:33 UTC 2018 - glin@suse.com + +- debhelper: restrict wildcard package unpacking + +------------------------------------------------------------------- +Mon Jun 11 03:17:37 UTC 2018 - glin@suse.com + +- debhelper: fix conffiles corner case + +------------------------------------------------------------------- +Fri Jun 8 03:08:29 UTC 2018 - glin@suse.com + +- Remove the unstable source url +- Update the debian scripts + +------------------------------------------------------------------- +Mon Jun 4 10:23:24 UTC 2018 - glin@suse.com + +- Switch to tarball release + +------------------------------------------------------------------- +Thu Feb 22 09:16:35 UTC 2018 - glin@suse.com + +- Provide password file for 'certutil -A' due to the change in + mozilla-nss 3.35 (boo#1082235) + +------------------------------------------------------------------- +Wed Nov 8 04:35:57 UTC 2017 - jlee@suse.com + +- Modified modsign-repackage, using certificate to try to decrypt + the signature of kernel module. It can be used to verify the + integrity of signature. + +------------------------------------------------------------------- +Wed Sep 27 10:53:39 UTC 2017 - jlee@suse.com + +- Michael Schröder improved the original kernel-sign-file script to + support PKCS#7 kernel module signing. Replacing sign-file.c with + new kernel-sign-file script. (bsc#1049122) + +------------------------------------------------------------------- +Sun Sep 24 09:20:31 UTC 2017 - coolo@suse.com + +- escape regexp in pesign-gen-repackage-spec for perl 5.26 + +------------------------------------------------------------------- +Wed Sep 6 02:47:26 UTC 2017 - jlee@suse.com + +- To support PKCS#7 kernel module signing, copy sign-file.c from + SLE-15 v4.12 kernel source to replace the kernel-sign-file script + to align upstream. (bsc#1049122) + +------------------------------------------------------------------- +Tue Nov 29 08:29:36 UTC 2016 - mmarek@suse.cz + +- Copy over any *.log files from the first build (bsc#1012422) + +------------------------------------------------------------------- +Thu Mar 3 10:17:32 UTC 2016 - glin@suse.com + +- Add aarch64 support since pesign also build on aarch64 + +------------------------------------------------------------------- +Thu Jan 22 15:56:41 UTC 2015 - mmarek@suse.cz + +- Add support for file verify flags (bnc#905420). + +------------------------------------------------------------------- +Thu Jan 22 15:55:26 UTC 2015 - mmarek@suse.cz + +- Sort the parts of the repackage spec file for easier debugging. + +------------------------------------------------------------------- +Tue Sep 16 17:08:36 CEST 2014 - mls@suse.de + +- fall back to project cert in the followup spec if it + exists + +------------------------------------------------------------------- +Wed Sep 3 01:41:37 CEST 2014 - ro@suse.de + +- sanitize release line in specfile + +------------------------------------------------------------------- +Wed Aug 20 15:09:50 UTC 2014 - mmarek@suse.cz + +- brp-99-compress-vmlinux: Compress the vmlinux image after + find-debuginfo (bnc#880848, bnc#884459) + +------------------------------------------------------------------- +Tue Aug 12 13:38:14 UTC 2014 - meissner@suse.com + +- switch gen-hmac to use fipscheck instead of sha256hmac + +------------------------------------------------------------------- +Mon Aug 4 12:52:40 UTC 2014 - mmarek@suse.cz + +- Set BRP_PESIGN_FILES="" in the repackage build to avoid loops. + +------------------------------------------------------------------- +Wed Jul 30 09:32:58 UTC 2014 - mmarek@suse.cz + +- Accept also rpmlintrc files without any - prefix. + +------------------------------------------------------------------- +Mon Jul 28 14:14:39 UTC 2014 - mmarek@suse.cz + +- Use package's rpmlintrc files in the second build. + +------------------------------------------------------------------- +Thu Jul 3 14:01:24 UTC 2014 - mmarek@suse.cz + +- Drop support for signing firmware files (bnc#867199) + +------------------------------------------------------------------- +Thu Apr 24 09:25:18 UTC 2014 - mmarek@suse.cz + +- Fix matching /boot and /lib/firmware in pesign-repackage.spec + +------------------------------------------------------------------- +Wed Apr 23 22:28:05 UTC 2014 - mmarek@suse.com + +- Do not store the buildroot in the .*.hmac file. + +------------------------------------------------------------------- +Wed Apr 23 21:48:04 UTC 2014 - mmarek@suse.com + +- Regenerate the HMAC checksum when signing and EFI binary with + a checksum (fate#316930, bnc#856310). + +------------------------------------------------------------------- +Wed Apr 23 21:38:42 UTC 2014 - mmarek@suse.com + +- Update README. + +------------------------------------------------------------------- +Wed Apr 23 19:49:09 UTC 2014 - mmarek@suse.cz + +- Add /usr/lib/rpm/pesign/gen-hmac tool to generate a hmac checksum + for a given file (fate#316930, bnc#856310). + +------------------------------------------------------------------- +Thu Apr 3 12:01:54 CEST 2014 - ro@suse.de + +- pesign-gen-repackage-spec: switch to new rpm style handling + of weak dependencies + +------------------------------------------------------------------- +Thu Jan 16 15:12:22 UTC 2014 - mmarek@suse.cz + +- Do not sign any files if BRP_PESIGN_FILES is set not an empty + string (bnc#857599). + +------------------------------------------------------------------- +Tue Jan 7 09:50:58 UTC 2014 - mmarek@suse.cz + +- Fix a typo in the last change. + +------------------------------------------------------------------- +Mon Jan 6 22:08:41 UTC 2014 - mmarek@suse.cz + +- Default to BRP_PESIGN_FILES="*.ko /lib/firmware" (bnc#857599). + +------------------------------------------------------------------- +Mon Jan 6 16:35:30 UTC 2014 - mmarek@suse.cz + +- Add --signatures= option to modsign-repackage + (bnc#841627). + +------------------------------------------------------------------- +Fri Jun 14 12:19:47 UTC 2013 - mmarek@suse.cz + +- Put debuginfo packages to %_topdir/OTHER (bnc#824971). + +------------------------------------------------------------------- +Thu Mar 28 15:55:10 UTC 2013 - mmarek@suse.cz + +- Version 10 +- Add modsign-repackage tool to repackage RPMs outside the buildservice + +------------------------------------------------------------------- +Tue Mar 26 06:19:45 UTC 2013 - glin@suse.com + +- Calculate the digest of the padded data section to be consistent + with the output file (bnc#808594, bnc#811325) + +------------------------------------------------------------------- +Fri Mar 15 06:19:39 UTC 2013 - coolo@suse.com + +- correct the license of the generated package to fix build + +------------------------------------------------------------------- +Tue Mar 5 08:23:48 UTC 2013 - mmarek@suse.cz + +- Do not repackage debuginfo package (bnc#806637) + +------------------------------------------------------------------- +Mon Mar 4 16:08:34 UTC 2013 - mmarek@suse.cz + +- Version 9 +- Add support for triggers (bnc#806737) + +------------------------------------------------------------------- +Wed Feb 20 09:16:24 UTC 2013 - mmarek@suse.cz + +- Do not fail the build if %_topdir/OTHER cannot be created + +------------------------------------------------------------------- +Wed Feb 13 14:51:47 UTC 2013 - mmarek@suse.cz + +- Version 8 +- Hide baselibs from post-build-checks + +------------------------------------------------------------------- +Wed Feb 13 09:34:27 UTC 2013 - mmarek@suse.cz + +- Do not repackage baselibs + +------------------------------------------------------------------- +Wed Feb 13 08:28:31 UTC 2013 - mmarek@suse.cz + +- Version 7 +- Fix for scriptlets with empty body + +------------------------------------------------------------------- +Tue Feb 12 15:42:22 CET 2013 - mls@suse.de + +- reduce debugging as pesign is now fixed + +------------------------------------------------------------------- +Tue Feb 12 12:33:41 CET 2013 - mls@suse.de + +- add a bit of debug output to find out why the kernel signatures + are bad + +------------------------------------------------------------------- +Wed Feb 6 13:24:14 CET 2013 - mls@suse.de + +- switch to normal brp hook +- mv stuff in pesign directory instead of cluttering /usr/lib/rpm + +------------------------------------------------------------------- +Fri Feb 1 17:18:32 CET 2013 - mls@suse.de + +- fix pesign calls + +------------------------------------------------------------------- +Fri Feb 1 10:19:52 UTC 2013 - mmarek@suse.cz + +- Add some preliminary code to sign EFI binaries, marked with + FIXMEs. + +------------------------------------------------------------------- +Wed Jan 30 09:47:25 UTC 2013 - mmarek@suse.cz + +- Version 6 +- Fix handling packages with NoSource +- Fix for multiple patterns in %sign_files + +------------------------------------------------------------------- +Tue Jan 29 13:44:43 UTC 2013 - mmarek@suse.cz + +- Version 5 +- Use newc-style cpio archives, as required by the buildservice. +- Use signing certificates provided by the buildservice. +- Minor fixes. + +------------------------------------------------------------------- +Mon Jan 28 15:01:17 UTC 2013 - mmarek@suse.cz + +- Version 4 +- Support for firmware signatures. +- Expect the correct archive with signatures (.cpio.rsasign.sig). +- Minor fixes. + +------------------------------------------------------------------- +Wed Jan 23 22:01:40 UTC 2013 - mmarek@suse.cz + +- Version 3 +- Switch to storing whole files in the *.cpio.rsasign archive. +- Append the signatures to kernel modules. + +------------------------------------------------------------------- +Fri Jan 18 12:51:17 UTC 2013 - mmarek@suse.cz + +- Version 2 +- Generates another specfile in pesign-repackage.spec to + be able to copy nearly all RPM tags from the original packages. +- Changed to only store sha256 hashes in the *.cpio.rsasign file, + instead of whole files. + +------------------------------------------------------------------- +Thu Dec 13 12:06:00 UTC 2012 - mmarek@suse.com + +- Created package with macros and scripts to integrate kernel and + bootloader signing into OBS (fate#314552). + diff --git a/pesign-obs-integration.obsinfo b/pesign-obs-integration.obsinfo new file mode 100644 index 0000000..02282e6 --- /dev/null +++ b/pesign-obs-integration.obsinfo @@ -0,0 +1,4 @@ +name: pesign-obs-integration +version: 10.2+git20230612.4699910 +mtime: 1686546992 +commit: 4699910cf20591bcf3d06e42189ad8cb1326ab08 diff --git a/pesign-obs-integration.spec b/pesign-obs-integration.spec new file mode 100644 index 0000000..2e19676 --- /dev/null +++ b/pesign-obs-integration.spec @@ -0,0 +1,75 @@ +# +# spec file for package pesign-obs-integration +# +# Copyright (c) 2023 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# +# needssslcertforbuild + + +Name: pesign-obs-integration +Version: 10.2+git20230612.4699910 +Release: 0 +Summary: Macros and scripts to sign the kernel and bootloader +License: GPL-2.0-only +Group: Development/Tools/Other +URL: https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools +Source: %{name}-%{version}.tar.gz +BuildRequires: openssl +Requires: fipscheck +Requires: mozilla-nss-tools +Requires: openssl +# suse-module-tools <= 15.0.10 contains modsign-verify +Requires: suse-module-tools >= 15.0.10 +%ifarch %{ix86} x86_64 ia64 aarch64 %{arm} riscv64 +Requires: pesign +%endif + +%description +This package provides scripts and rpm macros to automate signing of the +boot loader, kernel and kernel modules in the openSUSE Buildservice. + +%prep +%setup -q -D +%autopatch -p1 + +%build + +%install + +mkdir -p %{buildroot}%{_prefix}/lib/rpm/brp-suse.d %{buildroot}%{_prefix}/lib/rpm/pesign +install pesign-gen-repackage-spec kernel-sign-file gen-hmac %{buildroot}%{_prefix}/lib/rpm/pesign +install brp-99-pesign %{buildroot}%{_prefix}/lib/rpm/brp-suse.d +# brp-99-compress-vmlinux has nothing to do with signing. It is packaged in +# pesign-obs-integration because this package is already used by the kernel +# build +install brp-99-compress-vmlinux %{buildroot}%{_prefix}/lib/rpm/brp-suse.d +install -m644 pesign-repackage.spec.in %{buildroot}%{_prefix}/lib/rpm/pesign +mkdir -p %{buildroot}%{_bindir} +install modsign-repackage %{buildroot}%{_bindir}/ +install -pm 755 modsign-verify %{buildroot}%{_bindir}/ +if test -e _projectcert.crt; then + openssl x509 -inform PEM -in _projectcert.crt \ + -outform DER -out %{buildroot}%{_prefix}/lib/rpm/pesign/pesign-cert.x509 +else + echo "No buildservice project certificate available" +fi + +%files +%license COPYING +%doc README.md +%{_bindir}/modsign-repackage +%{_bindir}/modsign-verify +%{_prefix}/lib/rpm/* + +%changelog