86 lines
3.4 KiB
Plaintext
86 lines
3.4 KiB
Plaintext
Upgrade openssl tarball
|
|
======================
|
|
|
|
Sometimes you need also update openssl source code tarball when
|
|
upgrading EDK2 source code. Normally you should see similar patch
|
|
commit in EDK2 git repo:
|
|
|
|
commit 4ca4041b0dbb310109d9cb047ed428a0082df395
|
|
Author: Sheng Wei <w.sheng@intel.com>
|
|
Date: Tue Feb 28 10:43:57 2023 +0800
|
|
|
|
CryptoPkg/OpensslLib: Upgrade OpenSSL to 1.1.1t
|
|
|
|
Then you will need to update openssl-%{openssl_version}.tar.gz and
|
|
openssl-%{openssl_version}.tar.gz.asc signature. You can find them
|
|
from https://www.openssl.org/source/old/1.1.1/
|
|
e.g.
|
|
https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz
|
|
https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz.asc
|
|
|
|
Update the key of signature for tarball
|
|
----------------------------------------
|
|
You will use "osc ci" command to commit new openssl tarball to OBS.
|
|
But sometimes you will see fail like this:
|
|
|
|
ovmf> osc ci -m "Upgrade OpenSSL to 1.1.1t"
|
|
- package has ovmf-rpmlintrc: (unchanged)
|
|
gpg: Signature made Tue 07 Feb 2023 09:37:18 PM CST
|
|
gpg: using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
|
|
gpg: Can't check signature: No public key
|
|
ERROR: signature ovmf/openssl-1.1.1t.tar.gz.asc does not validate
|
|
|
|
It means that osc caommand didn't find corresponding key to validate
|
|
openssl-%{openssl_version}.tar.gz.asc. It will stop to submit your change
|
|
to OBS.
|
|
|
|
In the above example, it indicates that the signature is using RSA key
|
|
7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C. You should go to openssl's
|
|
"OpenSSL Technical Committee" page to download the corresponding key
|
|
to local. In this case:
|
|
|
|
https://www.openssl.org/community/otc.html
|
|
Richard Levitte (I) 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C
|
|
|
|
Then you just use downloaded key to overwrite openssl.keyring file.
|
|
e.g.
|
|
ovmf> cp 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C openssl.keyring
|
|
|
|
Then the osc verification of openssl-%{openssl_version}.tar.gz.asc will pass.
|
|
Like this:
|
|
|
|
ovmf> osc ci -m "Upgrade OpenSSL to 1.1.1t"
|
|
(W) Attention, 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C is not mentioned in spec files as source or patch.
|
|
###ASK ovmf/7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
|
|
- package has ovmf-rpmlintrc: (unchanged)
|
|
gpg: Signature made Tue 07 Feb 2023 09:37:18 PM CST
|
|
gpg: using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
|
|
gpg: Good signature from "Richard Levitte <richard@levitte.org>" [unknown]
|
|
gpg: aka "Richard Levitte <levitte@lp.se>" [unknown]
|
|
gpg: aka "Richard Levitte <levitte@openssl.org>" [unknown]
|
|
|
|
Please maintain the openssl.keyring file in ovmf package with new openssl
|
|
tarball and signature.
|
|
|
|
Take the key of signature from gpg server
|
|
-----------------------------------------
|
|
|
|
Sometimes that the gpg key will be removed or changed from otc.html on
|
|
www.openssl.org, you can NOT find the key for tarball verification.
|
|
|
|
Another way for getting the gpg key is from key server.
|
|
e.g.
|
|
gpg --keyserver 'keys.openpgp.org' --recv-keys 'DC7032662AF885E2F47F243F527466A21CA79E6D'
|
|
|
|
The above command will download the key from gpg key server to your local
|
|
machine. Then you can use it to verify openssl source code tarball:
|
|
|
|
gpg --verify openssl-1.1.1u.tar.gz.asc openssl-1.1.1u.tar.gz
|
|
|
|
If you confirmed that the key can be used to verify tarball. Then you can
|
|
export it to openssl.keyring file for uploading to OBS/IBS:
|
|
|
|
gpg2 -a --export DC7032662AF885E2F47F243F527466A21CA79E6D > openssl.keyring
|
|
|
|
|