commit 60c5328ea87ceae8d5e62b5f7e85899935a95f45b027363df3e134e75c08b935 Author: Adrian Schröter Date: Fri May 3 19:19:17 2024 +0200 Sync from SUSE:SLFO:Main pesign revision 69fe8db5c7294b2a994a0d193593c331
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/harden_pesign.service.patch b/harden_pesign.service.patch
new file mode 100644
index 0000000..7203425
--- /dev/null
+++ b/harden_pesign.service.patch
@@ -0,0 +1,24 @@
+Index: pesign-115/src/pesign.service.in
+===================================================================
+--- pesign-115.orig/src/pesign.service.in
++++ pesign-115/src/pesign.service.in
+@@ -3,6 +3,19 @@ Description=Pesign signing daemon
+
+ [Service]
+ PrivateTmp=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ PIDFile=@@RUNDIR@@/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize --nofork
+ ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/pesign-116.tar.bz2 b/pesign-116.tar.bz2
new file mode 100644
index 0000000..f2328c9
--- /dev/null
+++ b/pesign-116.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:35331f75689863e5be595f2bb04a8bc934ce734b8d76fa5d6aeb4d85424e8996
+size 120424
diff --git a/pesign-boo1143063-remove-var-tracking.patch b/pesign-boo1143063-remove-var-tracking.patch
new file mode 100644
index 0000000..4b6e0e1
--- /dev/null
+++ b/pesign-boo1143063-remove-var-tracking.patch
@@ -0,0 +1,13 @@
+Index: pesign-115/Make.defaults
+===================================================================
+--- pesign-115.orig/Make.defaults
++++ pesign-115/Make.defaults
+@@ -69,7 +69,7 @@ cflags = $(CFLAGS) $(ARCH3264) \
+ $(call pkg-config-cflags)
+ clang_ccldflags =
+ gcc_ccldflags = -fno-merge-constants \
+- -fvar-tracking -fvar-tracking-assignments -fkeep-inline-functions \
++ -fvar-tracking-assignments -fkeep-inline-functions \
+ -Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \
+ -Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \
+ -Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -pie
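Review bot: In harden_pesign.service.patch the block between the "added automatically" markers restricts filesystem, device and kernel interfaces but leaves privilege gain through setuid/setgid binaries unrestricted. If the daemon and its `ExecStartPost` helper do not rely on such binaries (not visible from this hunk), add `NoNewPrivileges=true` below the `# end of automatic additions` marker, so that regenerating the automatic block does not drop it. `ProtectSystem=full` also makes `/etc` read-only for the service, so this patch depends on the `ReadWritePaths=` patch in the same commit; a one-line comment saying so would help whoever reorders the series.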
diff --git a/pesign-boo1185663-set-rpmmacrodir.patch b/pesign-boo1185663-set-rpmmacrodir.patch
new file mode 100644
index 0000000..dca7903
--- /dev/null
+++ b/pesign-boo1185663-set-rpmmacrodir.patch
@@ -0,0 +1,27 @@
+Index: pesign-115/Make.defaults
+===================================================================
+--- pesign-115.orig/Make.defaults
++++ pesign-115/Make.defaults
+@@ -13,6 +13,7 @@ rundir ?= /run/
+ rundir := $(abspath $(rundir))/
+ pcdir ?= $(libdir)pkgconfig/
+ docdir ?= $(prefix)share/doc/
++rpmmacrodir ?= /etc/rpm/
+ DESTDIR ?=
+ INSTALLROOT = $(DESTDIR)
+
+Index: pesign-115/src/Makefile
+===================================================================
+--- pesign-115.orig/src/Makefile
++++ pesign-115/src/Makefile
+@@ -88,8 +88,8 @@ install :
+ $(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(mandir)man1/
+ $(INSTALL) -m 644 $(MAN1TARGETS) $(INSTALLROOT)$(mandir)man1/
+- $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
+- $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
++ $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
++ $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
diff --git a/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch b/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
new file mode 100644
index 0000000..a5166b4
--- /dev/null
+++ b/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
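Review bot: In pesign-boo1185663-set-rpmmacrodir.patch the new `rpmmacrodir ?= /etc/rpm/` is used verbatim as `$(INSTALLROOT)$(rpmmacrodir)`, whereas `rundir` in the same context lines is normalized with `$(abspath ...)/` right after its `?=` default. A value passed on the command line without a leading or trailing slash is therefore concatenated as-is. Adding `rpmmacrodir := $(abspath $(rpmmacrodir))/` after the default would keep the two directory variables consistent. The `install` recipe in src/Makefile starts and ends outside the hunk.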
@@ -0,0 +1,25 @@
+From 73cd25615367ff1f9a19fdfd38017f68a12a354d Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Tue, 7 Feb 2023 15:34:09 +0800
+Subject: [PATCH] Make /etc/pki/pesign/ writeable
+
+The default NSS database for the pesign daemon is stored in /etc/pki/pesign/.
+Make it writeable after hardening the service.
+
+Signed-off-by: Gary Lin
+---
+ src/pesign.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: pesign-116/src/pesign.service.in
+===================================================================
+--- pesign-116.orig/src/pesign.service.in
++++ pesign-116/src/pesign.service.in
+@@ -18,6 +18,7 @@ RestrictRealtime=true
+ # end of automatic additions
+ PIDFile=@@RUNDIR@@/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize --nofork
++ReadWritePaths=/etc/pki/pesign/
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/pesign-bsc1202933-Remove-pesign-authorize.patch b/pesign-bsc1202933-Remove-pesign-authorize.patch
new file mode 100644
index 0000000..6d6d9b1
--- /dev/null
+++ b/pesign-bsc1202933-Remove-pesign-authorize.patch
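Review bot: The added `ReadWritePaths=/etc/pki/pesign/` in pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch sits after `ExecStart=` with no comment, so its link to the hardening block above it is easy to miss. I would precede it with `# ProtectSystem=full makes /etc read-only; the NSS database in /etc/pki/pesign/ must stay writable`. systemd also refuses to start a unit when a listed path does not exist, unless the path is written with a leading `-`. Whether the package guarantees the directory exists is not visible here.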
@@ -0,0 +1,91 @@
+From 09a41248f9f867e9aaf06e890621c392d36b52ec Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 31 Jan 2023 10:00:18 -0500
+Subject: [PATCH] Remove pesign-authorize
+
+The onus of correct file/directory permissions should be a configuration
+and systems administration issue, not pesign's.
+
+Signed-off-by: Robbie Harwood
+---
+ src/.gitignore | 1 -
+ src/Makefile | 3 +--
+ src/pesign-authorize.in | 13 -------------
+ src/pesign.service.in | 1 -
+ src/pesign.sysvinit.in | 1 -
+ 5 files changed, 1 insertion(+), 18 deletions(-)
+ delete mode 100644 src/pesign-authorize.in
+
+Index: pesign-116/src/.gitignore
+===================================================================
+--- pesign-116.orig/src/.gitignore
++++ pesign-116/src/.gitignore
+@@ -10,5 +10,4 @@ peverify
+ pesign.service
+ pesign.sysvinit
+ pesign-rpmbuild-helper
+-pesign-authorize
+ tmpfiles.conf
+Index: pesign-116/src/Makefile
+===================================================================
+--- pesign-116.orig/src/Makefile
++++ pesign-116/src/Makefile
+@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
+ include $(TOPDIR)/Make.defaults
+
+ BINTARGETS=authvar client efikeygen pesigcheck pesign \
+- pesign-rpmbuild-helper pesign-authorize pesum
++ pesign-rpmbuild-helper pesum
+ CFGTARGETS=tmpfiles.conf
+ SVCTARGETS=pesign.sysvinit pesign.service
+ MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1
+@@ -99,7 +99,6 @@ install :
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
+ $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
+- $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+Index: pesign-116/src/pesign-authorize.in
+===================================================================
+--- pesign-116.orig/src/pesign-authorize.in
++++ /dev/null
+@@ -1,13 +0,0 @@
+-#!/bin/bash
+-set -e
+-set -u
+-
+-# License: GPLv2
+-
+-# This script is deprecated and will be removed in a future release.
+-
+-sleep 3
+-for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
+- chown -R pesign:pesign "${x}" || true
+- chmod -R ug+rwX "${x}" || true
+-done
+Index: pesign-116/src/pesign.service.in
+===================================================================
+--- pesign-116.orig/src/pesign.service.in
++++ pesign-116/src/pesign.service.in
+@@ -18,7 +18,6 @@ RestrictRealtime=true
+ # end of automatic additions
+ PIDFile=@@RUNDIR@@/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize --nofork
+-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
+
+ [Install]
+ WantedBy=multi-user.target
+Index: pesign-116/src/pesign.sysvinit.in
+===================================================================
+--- pesign-116.orig/src/pesign.sysvinit.in
++++ pesign-116/src/pesign.sysvinit.in
+@@ -30,7 +30,6 @@ start(){
+ RETVAL=$?
+ echo
+ touch /var/lock/subsys/pesign
+- @@LIBEXECDIR@@/pesign/pesign-authorize
+ }
+
+ stop(){
diff --git a/pesign-fix-authvar-write-loop.patch b/pesign-fix-authvar-write-loop.patch
new file mode 100644
index 0000000..2004cf0
--- /dev/null
+++ b/pesign-fix-authvar-write-loop.patch
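Review bot: With `pesign-authorize` dropped from `BINTARGETS`, the `install` recipe and both service files, nothing in pesign-bsc1202933-Remove-pesign-authorize.patch still sets ownership or mode on `@@RUNDIR@@pesign/` and `/etc/pki/pesign/` for the systemd unit. The commit message moves that duty to configuration, so the package should say where it now happens; presumably `tmpfiles.conf` and the spec file cover it, but neither is visible here. Because the second directory holds the signing database, I would record the expectation above the `install` target in src/Makefile, e.g. `# /etc/pki/pesign/ and the run directory must be owned by pesign:pesign; set by packaging, not at service start`. The `install` recipe starts and ends outside the hunk.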
@@ -0,0 +1,50 @@
+From b3c58e3b9237f90e865723837a9389fcb25f6945 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Tue, 1 Jul 2014 14:43:35 +0800
+Subject: [PATCH] authvar: fix the write loop
+
+I forgot to move the pointer...
+
+Also use offsetof() instead of the wordsize check.
+
+Signed-off-by: Gary Ching-Pang Lin
+---
+ src/authvar_context.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+Index: pesign-115/src/authvar_context.c
+===================================================================
+--- pesign-115.orig/src/authvar_context.c
++++ pesign-115/src/authvar_context.c
+@@ -151,6 +151,7 @@ write_authvar(authvar_context *ctx)
+ void *buffer, *ptr;
+ size_t buf_len, des_len, remain;
+ ssize_t wlen;
++ off_t offset;
+
+ if (!ctx->authinfo)
+ cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar");
+@@ -179,19 +180,19 @@ write_authvar(authvar_context *ctx)
+ if (ctx->value_size > 0)
+ memcpy(ptr, ctx->value, ctx->value_size);
+
+- if (!ctx->to_firmware) {
+- ftruncate(ctx->exportfd, buf_len);
++ if (!ctx->to_firmware)
+ lseek(ctx->exportfd, 0, SEEK_SET);
+- }
+
+ remain = buf_len;
++ offset = 0;
+ do {
+- wlen = write(ctx->exportfd, buffer, remain);
++ wlen = write(ctx->exportfd, buffer + offset, remain);
+ if (wlen < 0) {
+ free(buffer);
+ cmsreterr(-1, ctx->cms_ctx, "failed to write authvar");
+ }
+ remain -= wlen;
++ offset += wlen;
+ } while (remain > 0);
+
+ free(buffer);
diff --git a/pesign-fix-cert-match-check.patch b/pesign-fix-cert-match-check.patch
new file mode 100644
index 0000000..6ea0be8
--- /dev/null
+++ b/pesign-fix-cert-match-check.patch
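Review bot: The rewritten block in write_authvar() drops `ftruncate(ctx->exportfd, buf_len)` and keeps only the `lseek()` to offset 0, so an export file that already holds more than `buf_len` bytes keeps its old tail after the new authvar data, unless the descriptor was opened with O_TRUNC, which this hunk does not show. Restoring the call and checking its result the same way the `write()` failure is handled would close that gap. In the loop, `buffer + offset` is arithmetic on a `void *` (a GNU extension) and a `write()` that returns 0 never reduces `remain`; `(char *)buffer + offset` and treating `wlen == 0` as an error would make the loop robust. The function starts and ends outside the hunk.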
@@ -0,0 +1,29 @@
+From a6062702e9f0002b86759f6cd14da6d78de99f22 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu
+Date: Fri, 11 Nov 2022 11:20:35 +0800
+Subject: [PATCH] cms_common: fix cert match check
+
+In find_certificate_by_callback(), the match() returns 1
+when cert subject is matched.
+
+Signed-off-by: Huaxin Lu
+---
+ src/cms_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 24576f2..cf572ca 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -872,7 +872,7 @@ find_certificate_by_callback(cms_context *cms,
+ continue;
+
+ int rc = match(tmpnode->cert, cbdata);
+- if (rc == 0) {
++ if (rc == 1) {
+ node = tmpnode;
+ break;
+ }
+--
+2.35.3
+
diff --git a/pesign-fix-efikeygen-segfault.patch b/pesign-fix-efikeygen-segfault.patch
new file mode 100644
index 0000000..d9a6b51
--- /dev/null
+++ b/pesign-fix-efikeygen-segfault.patch
@@ -0,0 +1,29 @@
+From 227435af461f38fc4abeafe02884675ad4b1feb4 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer
+Date: Mon, 20 Feb 2023 15:26:20 +0100
+Subject: [PATCH] cms_common: Fixed Segmentation fault
+
+When running efikeygen, the binary crashes with a segfault due
+to dereferencing a **ptr instead of a *ptr.
+
+Signed-off-by: Nicolas Frayer
+---
+ src/cms_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 44e5cca..4f4707b 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -957,7 +957,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
+ if (!ias)
+ cnreterr(-1, cms, "invalid issuer and serial number");
+
+- return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
++ return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
+ }
+
+ int
+--
+2.35.3
+
diff --git a/pesign-skip-auth-on-friendly-slot.patch b/pesign-skip-auth-on-friendly-slot.patch
new file mode 100644
index 0000000..020592c
--- /dev/null
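Review bot: In pesign-fix-cert-match-check.patch the new test `if (rc == 1)` in find_certificate_by_callback() accepts exactly one return value, so any other result from `match()`, including a negative error code if a callback ever returns one, is treated as "no match" and the scan continues silently. The callbacks are not part of this hunk, so their contract cannot be checked here. I would state it at the call site, e.g. `/* match() returns 1 on a match, 0 otherwise */`, or handle `rc < 0` explicitly if errors are possible. The function starts and ends outside the hunk.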
+++ b/pesign-skip-auth-on-friendly-slot.patch
@@ -0,0 +1,44 @@
+From 616ec5f25adbde1a4bd78cdcacd6dcd7ecfa5a5c Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Thu, 22 Dec 2022 13:49:34 +0800
+Subject: [PATCH] cms_common: skip authentication on the 'Friendly' slot
+
+When finding a certificate in a 'Friendly' slot without the need of the
+private key, it is not necessary to authenticate the slot.
+
+For example, when the signed attributes and the raw signature are
+created in a server and the user has the certificate, signkey.x509, and
+tries to import them into myapp.efi:
+
+ $ certutil -N -d nssdb -f passwd
+ $ certutil -A -d nssdb -f passwd -n signkey -t CT,CT,CT \
+ -i signkey.x509
+ $ pesign -n nssdb -c signkey -i myapp.efi -o myapp.efi.signed \
+ -d sha256 -I myapp.sattr -R myapp.sig
+
+Since the "signkey" is 'Friendly', i.e. publicly readable, and the
+private key is not needed, we can just skip the authentication and find
+"signkey" in the slot.
+
+Signed-off-by: Gary Lin
+---
+ src/cms_common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index cf572ca..44e5cca 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -628,7 +628,8 @@ find_certificate(cms_context *cms, int needs_private_key)
+
+ int errnum;
+ SECStatus status;
+- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms)) {
++ if ((needs_private_key || !PK11_IsFriendly(psle->slot)) &&
++ (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms))) {
+ status = PK11_Authenticate(psle->slot, PR_TRUE, cms);
+ if (status != SECSuccess) {
+ save_port_err() {
+--
+2.35.3
+
diff --git a/pesign-suse-build.patch b/pesign-suse-build.patch
new file mode 100644
index 0000000..ef2e3cc
--- /dev/null
+++ b/pesign-suse-build.patch
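Review bot: The new condition in find_certificate() skips `PK11_Authenticate()` whenever `needs_private_key` is 0 and `PK11_IsFriendly()` reports the slot as friendly, yet the code carries no explanation of why an unauthenticated lookup is acceptable there. The rationale lives only in the patch description; I would put it above the `if`, e.g. `/* Friendly slots expose certificates without login; authenticate only when the private key is needed or the slot is not friendly. */`. It is also worth confirming that every caller that goes on to sign passes a non-zero `needs_private_key`, since the callers are outside this hunk. The function starts and ends outside the hunk.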
@@ -0,0 +1,73 @@
+Index: pesign-116/util/Makefile
+===================================================================
+--- pesign-116.orig/util/Makefile
++++ pesign-116/util/Makefile
+@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules
+ include $(TOPDIR)/Make.defaults
+
+ FORMAT=efi-app-$(HOSTARCH)
+-LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR)
++LDFLAGS = -nostdlib -T $(LIBDIR)/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/crt0-efi-$(HOSTARCH).o -L$(LIBDIR)
+ LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name)
+ CCLDFLAGS =
+ BUILDFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration
+@@ -20,8 +20,8 @@ clean :
+ @rm -rfv *.o *.a *.so .*.d $(TARGETS)
+
+ install :
+- $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/
+- $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/
++ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/sles/
++ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/sles/
+
+ install_systemd:
+
+Index: pesign-116/src/pesign.sysvinit.in
+===================================================================
+--- pesign-116.orig/src/pesign.sysvinit.in
++++ pesign-116/src/pesign.sysvinit.in
+@@ -6,16 +6,19 @@
+ # processname: /usr/bin/pesign
+ # pidfile: @@RUNDIR@@pesign.pid
+ ### BEGIN INIT INFO
+-# Provides: pesign
+-# Default-Start:
+-# Default-Stop:
++# Provides: pesign
++# Should-Start: $remote_fs
++# Should-Stop: $remote_fs
++# Required-Start:
++# Required-Stop:
++# Default-Start: 2 3 5
+ # Short-Description: The pesign PE signing daemon
+ # Description: The pesign PE signing daemon
+ ### END INIT INFO
+
+-.
/etc/init.d/functions
+ [ -f /usr/bin/pesign ] || exit 1
+
++PESIGN_PIDFILE=@@RUNDIR@@pesign.pid
+ RETVAL=0
+
+ start(){
+@@ -23,7 +26,7 @@ start(){
+ mkdir @@RUNDIR@@pesign 2>/dev/null &&
+ chown pesign:pesign @@RUNDIR@@pesign &&
+ chmod 0770 @@RUNDIR@@pesign
+- daemon /usr/bin/pesign --daemonize
++ startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize
+ RETVAL=$?
+ echo
+ touch /var/lock/subsys/pesign
+Index: pesign-116/Makefile
+===================================================================
+--- pesign-116.orig/Makefile
++++ pesign-116/Makefile
+@@ -11,7 +11,6 @@ SUBDIRS := include libdpe src
+
+ install :
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
+- $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
+ @$(call descend)
+
+ install_systemd install_sysvinit : install
diff --git a/pesign.changes b/pesign.changes
new file mode 100644
index 0000000..58c2a07
--- /dev/null
+++ b/pesign.changes
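Review bot: In the pesign.sysvinit.in part of pesign-suse-build.patch the LSB header loses its `# Default-Stop:` line while `# Default-Start: 2 3 5` is added, so the header now names start runlevels but no stop runlevels. If that is not intended, add the counterpart, e.g. `# Default-Stop: 0 1 6` (runlevels to be confirmed for the target distribution). The same hunk introduces `PESIGN_PIDFILE` for `startproc -p`; whether `stop()` uses the same variable is outside the hunk. The patch also has no description header, and one line each on the `sles` EFI directory, the init-script changes and the dropped `COPYING` install would help the next refresh.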
@@ -0,0 +1,544 @@ +------------------------------------------------------------------- +Wed Feb 22 08:05:20 UTC 2023 - Gary Ching-Pang Lin + +- Update to 116 + + daemon: remove always-true comparison + + pesum - add a new tool to the shed + + Fix building signed kernels on setups other than koji + + Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS + + macros.pesign: handle centos like rhel with --rhelver + + Detect the presence of rpm-sign when checking for "rhel"-ness + + Fix typo in efikeygen command + + pesigcheck: Fix crash on digest match + + cms: store digest as pointer instead of index + + Fix mandoc invocation to not produce garbage + + Password fixes + + Re-work CMS's selected_digest again... + + src/certs/make-certs: delete the duplicate codes + + Free resources if certification cannot be found + + macros: drop %{_pesign_args} + + Fix two bugs from package building + + Fix bad free of cms data (DoS only) + + Send pesign stdout/err to systemd journal + + Add missing Install section + + Add default packages for pkg-config + + Short delay to ensure /run/pesign/socket exists + + Resolve crash when signature that is removed is not the end of + the list + + Enhance error diagnostics about version mismatch + + Upstream all Fedora changes + + Add some hardening options to build + + Add code of conduct + + Fix build on gcc 12 and non-Fedora +- Add BuildRequires efivar-devel >= 38 for efisec.h + + efisiglist is replaced by efisecdb in efivar 38 +- Add BuildRequires mandoc to generate the manpages +- Replace pesign-privkey_unneeded.diff with + pesign-skip-auth-on-friendly-slot.patch to avoid the unnecessary + authentication +- Add pesign-fix-cert-match-check.patch to fix the subject name + matching +- Add pesign-fix-efikeygen-segfault.patch to fix the potential + crash when executing efikeygen +- Add pesign-bsc1202933-Remove-pesign-authorize.patch to remove + pesign-authorize completely (bsc#1202933) +- Refresh patches + + harden_pesign.service.patch + + 
pesign-boo1143063-remove-var-tracking.patch + + pesign-boo1185663-set-rpmmacrodir.patch + + pesign-fix-authvar-write-loop.patch + + pesign-suse-build.patch + + pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch +- Remove upstreamed/unnecessary patches + + pesign-boo1158197-fix-pesigncheck-gcc10.patch + + pesign-efikeygen-Fix-the-build-with-nss-3.44.patch + + pesign-run.patch + + pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch + +------------------------------------------------------------------- +Tue Feb 7 07:37:20 UTC 2023 - Gary Ching-Pang Lin + +- Add pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch + to use the normal file permissions in pesign-authorize to avoid + the potential security issue (bsc#1202933, CVE-2022-3560) +- Set the libexecdir path for "make" to fix the path to + pesign-authorize in pesign.service (bsc#1202933) +- Add pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch to make + the default NSS datebase writeable (bsc#1202933) + +------------------------------------------------------------------- +Sun Nov 11 10:54:08 UTC 2021 - Andreas Schwab + +- Enable build on riscv64 + +------------------------------------------------------------------- +Tue Nov 9 15:01:59 UTC 2021 - Callum Farmer + +- Change to systemd-sysusers + +------------------------------------------------------------------- +Tue Oct 19 05:58:37 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_pesign.service.patch + +------------------------------------------------------------------- +Tue Jun 8 15:55:09 UTC 2021 - Wolfgang Frisch + +- Link as Position Independent Executable (bsc#1184124). 
+ +------------------------------------------------------------------- +Fri May 7 01:38:34 UTC 2021 - Gary Ching-Pang Lin + +- Stop marking macros.pesign as %config + +------------------------------------------------------------------- +Thu May 6 09:22:38 UTC 2021 - Gary Ching-Pang Lin + +- Add pesign-boo1185663-set-rpmmacrodir.patch to set the rpm macro + directory at build time (boo#1185663) + + Also set rpmmacrodir when installing files +- Remove "make install" since "make install_systemd" invokes + "make install" automatically + +------------------------------------------------------------------- +Tue May 5 12:42:15 UTC 2020 - Dominique Leuenberger + +- Use %_tmpfilesdir instead of %{_libexecdir}/tmpfiles.d. + +------------------------------------------------------------------- +Wed Dec 4 02:38:05 UTC 2019 - Gary Ching-Pang Lin + +- Add pesign-boo1158197-fix-pesigncheck-gcc10.patch to remove the + superfluous type settings in pesigcheck to fix the gcc10 errors + (boo#1158197) + +------------------------------------------------------------------- +Wed Jul 31 03:26:37 UTC 2019 - Gary Ching-Pang Lin + +- Add pesign-boo1143063-remove-var-tracking.patch to remove + var-tracking from the default CFLAGS (boo#1143063) + +------------------------------------------------------------------- +Thu Jul 11 09:00:21 UTC 2019 - Gary Ching-Pang Lin + +- Add pesign-efikeygen-Fix-the-build-with-nss-3.44.patch to fix + the compilation error when building with NSS 3.44 + +------------------------------------------------------------------- +Sun Jun 2 07:01:51 UTC 2019 - Jan Engelhardt + +- Trim conjecture from description. 
+ +------------------------------------------------------------------- +Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin + +- Update to 113 + + Get rid of the 0.Y versioning + + Make --padding the default + + Add kmod signing (drake) + + efisiglist format fixes + + enforce the use of --kernel or --module in efikeygen + + RPM macro updates + + Move the license to GPLv3+ + + Use sql-type NSS database by default + + Various documentation improvements. + + Improve /etc/pki/pesign authorization scripts + + Various pesigcheck improvements + + Fix wrong oid offsets (bsc#1205323) +- Refresh patches + + pesign-suse-build.patch + + pesign-privkey_unneeded.diff + + pesign-fix-authvar-write-loop.patch +- Drop upstreamed patches + + pesign-fix-argument-list.patch + + pesign-bsc1087742-fix-efisiglist.patch +- Drop pesign-fix-build-errors.patch since those warnings are gone + +------------------------------------------------------------------- +Thu May 9 12:25:31 UTC 2019 - Guillaume GARDET + +- Enable build on %arm as we can sign kernel on %arm (boo#1134670) + +------------------------------------------------------------------- +Fri Apr 26 11:12:46 UTC 2019 - mvetter@suse.com + +- bsc#1130588: Require shadow instead of old pwdutils + +------------------------------------------------------------------- +Mon Apr 2 09:37:36 UTC 2018 - glin@suse.com + +- Add pesign-bsc1087742-fix-efisiglist.patch to fix the generation + of efi signature list. 
(bsc#1087742) + +------------------------------------------------------------------- +Thu Aug 11 03:22:18 UTC 2016 - glin@suse.com + +- Add pesign-fix-argument-list.patch to fix the argument list + parsing + +------------------------------------------------------------------- +Thu Apr 21 09:36:23 UTC 2016 - glin@suse.com + +- Update to 0.112 +- Refresh patches: pesign-suse-build.patch and pesign-run.patch +- Drop upstreamed pesign-fix-signness.patch + +------------------------------------------------------------------- +Tue Nov 10 07:59:48 UTC 2015 - glin@suse.com + +- Update to 0.111 +- Add pesign-fix-signness.patch to fix the signness comparison +- Drop upstreamed patches + + pesign-efivar-pkgconfig.patch + + pesign-make-efi_guid_t-const.patch + + pesign-fix-import-sig-check.patch + + pesign-install-supplementary-programs.patch +- Refresh pesign-suse-build.patch, pesign-privkey_unneeded.diff, + and pesign-run.patch +- Update pesign-fix-build-errors.patch +- Merge use-standard-pid-location.patch into pesign-run.patch + +------------------------------------------------------------------- +Tue Sep 1 06:11:06 UTC 2015 - dimstar@opensuse.org + +- Do not buildrequire systemd: it conflicts with systemd-mini, + which is pulled in by systemd-mini-devel (due to BuildRequires: + pkgconfig(systemd). +- As we lack systemd-tmpfiles in the build env, we ignore the + errors cast in the %post scriptlet. 
+ +------------------------------------------------------------------- +Fri Aug 14 07:45:31 UTC 2015 - mpluskal@suse.com + +- Update project url +- Use url for download +- Add rcpesign symlink +- Tiny spec file cleanup with spec-cleaner + +------------------------------------------------------------------- +Mon Jul 13 11:07:10 UTC 2015 - werner@suse.de + +- Make it build, tool systemd-tmpfiles is part of systemd + +------------------------------------------------------------------- +Tue Jun 16 06:52:21 UTC 2015 - glin@suse.com + +- Add pesign-efivar-pkgconfig.patch to get the efivar compiler + parameters from pkg-confg +- Add pesign-make-efi_guid_t-const.patch to avoid the error from + gcc + +------------------------------------------------------------------- +Wed Nov 26 09:46:50 UTC 2014 - glin@suse.com + +- Add pesign-fix-import-sig-check.patch to fix the signature size + check while importing a signature +- Amend the spec file with spec-cleaner + +------------------------------------------------------------------- +Fri Oct 31 07:16:40 UTC 2014 - glin@suse.com + +- Update pesign-suse-build.patch to set LIBDIR for AArch64 + +------------------------------------------------------------------- +Tue Oct 28 08:47:34 UTC 2014 - glin@suse.com + +- Update to version 0.110 +- Add pesign-fix-authvar-write-loop.patch to fix the write loop in + authvar +- Add pesign-install-supplementary-programs.patch to install the + supplementary programs +- Refresh patches + + pesign-fix-build-errors.patch + + pesign-run.patch + + pesign-suse-build.patch +- Drop upstreamed patches + + pesign-clear-padding-bits.patch + + pesign-enable-supplementary-programs.patch + + pesign-no-db.patch +- Enable aarch64 + +------------------------------------------------------------------- +Tue Jul 1 06:46:13 UTC 2014 - glin@suse.com + +- Update pesign-enable-supplementary-programs.patch to fix write + loop + +------------------------------------------------------------------- +Thu Jun 12 02:47:55 UTC 
2014 - glin@suse.com + +- Add pesign-enable-supplementary-programs.patch to fix and enable + the supplementary programs: pesigcheck, authvar, efisiglist + +------------------------------------------------------------------- +Wed Apr 16 07:12:05 UTC 2014 - aj@suse.com + +- Add pesign-run.patch: Use /run instead of /var/run (bnc#873857). + +------------------------------------------------------------------- +Fri Jan 31 08:49:12 UTC 2014 - lnussel@suse.de + +- mark dir in /var/run as %ghost + +------------------------------------------------------------------- +Thu Nov 7 09:17:04 UTC 2013 - glin@suse.com + +- Add pesign-no-db.patch to allow some commands to proceed without + a NSS database. + +------------------------------------------------------------------- +Thu Oct 24 03:14:05 UTC 2013 - glin@suse.com + +- Revert the dowload Url since it's not valid + +------------------------------------------------------------------- +Tue Oct 22 11:18:39 UTC 2013 - p.drouand@gmail.com + +- Update to version 0.109 +- Remove sysvinit related old stuff +- Remove redundant %clean section +- Add use-standard-pid-location.patch + Use the good location to stock pidfile +- Use download Url as source +- Rebase pesign-suse-build.patch to upstream changes as it has been + partially merged on upstream +- Remove pesign-allow-no-issuer-cert.patch; fixed on upstream + +------------------------------------------------------------------- +Thu Jul 18 06:54:19 UTC 2013 - glin@suse.com + +- Add pesign-allow-no-issuer-cert.patch to avoid crash when the + issuer's certificate is not available + +------------------------------------------------------------------- +Tue Jul 9 04:44:44 UTC 2013 - glin@suse.com + +- Update to 0.106 +- Add pesign-clear-padding-bits.patch to clear the padding bits +- Rebase patches: + + pesign-suse-build.patch + + pesign-fix-build-errors.patch + + pesign-privkey_unneeded.diff +- Drop upstreamed patches + + pesign-client-initialize-action.patch + + 
pesign-bnc808594-align-signatures.patch + + pesign-upstream-fixes.patch + + pesign-fix-export-attributes.patch + + pesign-no-set-image-size.patch + + pesign-client-read-pin-file.patch + + pesign-local-database.patch + + pesign-bnc801653-teardown-segfault.patch + + pesign-bnc805166-fix-signature-list.patch + +------------------------------------------------------------------- +Tue Mar 26 06:21:15 UTC 2013 - glin@suse.com + +- Add pesign-bnc808594-align-signatures.patch to align signatures + (bnc#808594, bnc#811325) + +------------------------------------------------------------------- +Fri Mar 1 03:04:35 UTC 2013 - glin@suse.com + +- Update pesign-bnc805166-fix-signature-list.patch to avoid the + potential crash when inserting a signature (bnc#805166) +- Add pwdutils to PreReq + +------------------------------------------------------------------- +Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com + +- Update pesign-bnc805166-fix-signature-list.patch to skip the + unneeded private key request. (bnc#805166c#17) + +------------------------------------------------------------------- +Sat Feb 23 04:47:48 UTC 2013 - jlee@suse.com + +- Modified pesign-bnc805166-fix-signature-list.patch, block out the + source code for find/attach Issuer certificate + (bnc#805166 comment#13) + +------------------------------------------------------------------- +Fri Feb 22 08:44:43 UTC 2013 - glin@suse.com + +- Add pesign-bnc805166-fix-signature-list.patch to fix the broken + signature list when inserting signature into a signed EFI binary + (bnc#805166) + +------------------------------------------------------------------- +Tue Feb 12 15:32:11 CET 2013 - mls@suse.de + +- do not try to recalculate the image size, it is included in the + hash and therefore must not change. 
+ +------------------------------------------------------------------- +Wed Feb 6 10:44:48 UTC 2013 - glin@suse.com + +- Merge patches for FATE#314552 + + pesign-fix-export-attributes.patch: fix crash when exporting + the signed attributes + + pesign-privkey_unneeded.diff: Don't check the private key when + importing the raw signature +- Add pesign-bnc801653-teardown-segfault.patch to fix crash when + freeing digests (bnc801653) +- Drop pesign-digestdata.diff which is no longer needed. + +------------------------------------------------------------------- +Mon Jan 21 10:17:28 UTC 2013 - glin@suse.com + +- Add pesign-digestdata.diff to generate digestdata (FATE#314552) + +------------------------------------------------------------------- +Wed Dec 12 13:18:40 UTC 2012 - fcrozat@suse.com + +- Don't call sysv RPM post/pre macros when building for systemd +- Ship rcpesign for systemd, link to /sbin/service +- Update pesign-suse-build.patch to allow change systemd unit + install directory. +- Don't hardcode systemd unit directory, since it changed in + Factory. 
+ +------------------------------------------------------------------- +Tue Dec 11 07:10:04 UTC 2012 - glin@suse.com + +- Add Requires: pwdutils + +------------------------------------------------------------------- +Wed Nov 28 07:42:09 UTC 2012 - glin@suse.com + +- Add pesign-local-database.patch to support the local certificate + database +- Amend the spec file to build on openSUSE:Factory + +------------------------------------------------------------------- +Thu Nov 8 06:32:32 UTC 2012 - glin@suse.com + +- Version bump to 0.99 (FATE#314484) + + Add documentation for --daemonize and --nofork + + Make popt aliases work + + Add documentation for pesign-client + + Add --pinfd and --pinfile to the client +- Update pesign-suse-build.patch and pesign-fix-build-errors.patch +- Add pesign-upstream-fixes.patch to backport fixes from git head + and add sysvinit script +- Add pesign-client-initialize-action.patch to initialize client + action to avoid undetermined flags. +- Add pesign-client-read-pin-file.patch to fix pin file reading + +------------------------------------------------------------------- +Mon Oct 15 09:33:19 UTC 2012 - glin@suse.com + +- Version bump to 0.98 + + close the socket immediately on invalid input + + Slightly better error messages + + Log an error if digest initialization fails + + Add systemd bits for pesignd + + Add actual signing code to the daemon + + Add input and output setup for sign functionality in the daemon + + Audit allocation of CERTCertificateList/PK11SlotList and + friends + + Fix memory leaks +- Refresh pesign-suse-build.patch and pesign-fix-build-errors.patch + +------------------------------------------------------------------- +Mon Aug 13 06:50:35 UTC 2012 - glin@suse.com + +- Version bump to 0.9 + + Add NSS "token" support for smartcards. 
+ + Allocate space for the section header variable +- Refresh pesign-fix-build-errors.patch to fix the warning +- Drop upstreamed pesign-allocate-shdr.patch + +------------------------------------------------------------------- +Fri Aug 10 10:12:53 UTC 2012 - glin@suse.com + +- Add pesign-allocate-shdr.patch to allocate space for the section + header variable + +------------------------------------------------------------------- +Thu Aug 9 03:53:45 UTC 2012 - glin@suse.com + +- Version bump to 0.8 + + Don't open the DB r/w, read-only is fine. + + Attempt to do a better job setting the image size. + + Emit correct OID for encryption type. +- Drop pesign-fix-image-size.patch which is already in 0.8 + +------------------------------------------------------------------- +Tue Aug 7 03:03:17 UTC 2012 - glin@suse.com + +- Add upstream patch pesign-fix-image-size.patch to set the image + size correctly. +- Drop pesign-elilo-workaround.patch + +------------------------------------------------------------------- +Mon Aug 6 08:03:05 UTC 2012 - glin@suse.com + +- Version bump to 0.7 + + Fix incorrect initialization error in (undocumented) -e option. 
+ + Use SEC_OID_PKCS1_RSA_ENCRYPTION like MS + + Initialize the index variable of loop + + Adjust the buffer size to avoid overflow + + Make sure pe_populatecert() always returns a value + +------------------------------------------------------------------- +Mon Jul 23 08:49:13 UTC 2012 - glin@suse.com + +- Add pesign-elilo-workaround.patch to workaround the section + header corruption in some EFI image (elilo for example) + +------------------------------------------------------------------- +Mon Jul 23 03:32:18 UTC 2012 - glin@suse.com + +- Add pesign-fix-build-errors.patch to fix build error/warning +- Don't install the util efi images +- Fix the RPM_OPT_FLAGS warning + +------------------------------------------------------------------- +Thu Jul 12 09:37:55 UTC 2012 - glin@suse.com + +- Version bump to 0.5 + + Handle and report mremap() failure + + Man page should be in section 1. + + Add some basic signature list management. + + Add some more efi-defined constants, flesh out efi_guid_t. + + authver: Find a guid for 'namespace'. + + Add some basic ucs2 functions :( + + Support multiple signatures correctly. + + Add ascii_to_ucs2() + + Add file formats and some code for variables-on-disk. + + Allow the memory map to move when we're allocating space in the + binary. + + Remove extra call to ftruncate() + + Adjust section addresses when we remap the pecoff binary. + + Correctly set win_certificate.length to /include/ + win_certificate. + + Move certificate space iterator to wincert.c so other stuff can + get it. + + Split allocating space for certs and filling it in. + + Put the new signature into the cms ctx instead of keeping it + locally. + + Actually calculate space and extend the file before hashing the + binary. + + Bounds-check everything we're hashing so we don't segfault on a + bad bin. 
+- Add pesign-always-return-value.patch to fix + no-return-in-nonvoid-function +- Drop upsreamed patch pesign-mem-reallocation.patch + +------------------------------------------------------------------- +Fri Jun 29 07:08:11 UTC 2012 - glin@suse.com + +- Add pesign-mem-reallocation.patch to fix crash when writing + signature + +------------------------------------------------------------------- +Tue Jun 26 07:02:49 UTC 2012 - glin@suse.com + +- Version bump to 0.3 + + it seems to generate working signatures + +------------------------------------------------------------------- +Thu Jun 21 08:31:42 UTC 2012 - glin@suse.com + +- New package pesign 0.2 + diff --git a/pesign.spec b/pesign.spec new file mode 100644 index 0000000..cfabdaf --- /dev/null +++ b/pesign.spec 
@@ -0,0 +1,133 @@
+#
+# spec file for package pesign
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: pesign
+Version: 116
+Release: 0
+Summary: Signing tool for PE-COFF binaries
+License: GPL-3.0-or-later
+Group: Productivity/Security
+URL: https://github.com/rhinstaller/pesign
+Source: https://github.com/rhinstaller/pesign/releases/download/%{version}/%{name}-%{version}.tar.bz2
+Source1: pesign.sysusers
+# PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
+Patch1: pesign-suse-build.patch
+Patch2: pesign-skip-auth-on-friendly-slot.patch
+# PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar
+Patch3: pesign-fix-authvar-write-loop.patch
+# PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS
+Patch4: pesign-boo1143063-remove-var-tracking.patch
+# PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
+Patch5: pesign-boo1185663-set-rpmmacrodir.patch
+Patch6: harden_pesign.service.patch
+Patch7: pesign-bsc1202933-Remove-pesign-authorize.patch
+Patch8: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
+Patch9: pesign-fix-cert-match-check.patch
+Patch10: pesign-fix-efikeygen-segfault.patch
+BuildRequires: efivar-devel >= 38
+BuildRequires: libuuid-devel
+BuildRequires: mandoc
+BuildRequires: mozilla-nss-devel
+BuildRequires: pkg-config
+BuildRequires: popt-devel
+BuildRequires: sysuser-tools
+BuildRequires: pkgconfig(systemd)
+%sysusers_requires
+%{?systemd_requires}
+ExclusiveArch: ia64 %ix86 x86_64 aarch64 %arm riscv64
+
+%description
+Signing tool for PE-COFF binaries. It is vaguely compliant
+with the PE and Authenticode specifications.
+
+%prep
+%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+
+%build
+%sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf
+export CPPFLAGS="%{optflags} -D_GLIBCXX_ASSERTIONS"
+make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir}
+
+%install
+mkdir -p %{buildroot}%{_localstatedir}/lib/pesign
+mkdir -p %{buildroot}%{_sbindir}
+make INSTALLROOT=%{buildroot} \
+ UNITDIR=%{_unitdir} \
+ libexecdir=%{_libexecdir} \
+ rpmmacrodir=%{_rpmmacrodir} \
+ install_systemd
+
+# create rcsymlink
+ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+
+# there's some stuff that's not really meant to be shipped yet
+rm -rf %{buildroot}/boot %{buildroot}%{_prefix}/include
+rm -rf %{buildroot}%{_libdir}/libdpe*
+
+install -Dm0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{name}.conf
+
+%pre -f %{name}.pre
+%service_add_pre pesign.service
+
+%preun
+%service_del_preun pesign.service
+
+%post
+%service_add_post pesign.service
+systemd-tmpfiles --create %{_tmpfilesdir}/pesign.conf || :
+
+%postun
+%service_del_postun pesign.service
+
+%files
+%defattr(-,root,root)
+%license COPYING
+%{_bindir}/pesign
+%{_bindir}/pesign-client
+%{_bindir}/efikeygen
+%{_bindir}/pesigcheck
+%{_bindir}/authvar
+%{_bindir}/pesum
+%{_sbindir}/rcpesign
+%dir %{_sysconfdir}/pesign
+%{_sysconfdir}/pesign/*
+%dir %{_sysconfdir}/popt.d
+%config %{_sysconfdir}/popt.d/pesign.popt
+%{_rpmmacrodir}/macros.pesign
+%{_mandir}/man?/*
+%{_unitdir}/pesign.service
+%{_sysusersdir}/pesign.conf
+%{_tmpfilesdir}/pesign.conf
+%dir %{_libexecdir}/pesign
+%{_libexecdir}/pesign/pesign-rpmbuild-helper
+%dir %{_sysconfdir}/pki/
+%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign
+%ghost %dir %attr(0770,pesign,pesign) /run/%{name}
+%dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name}
+
+%changelog
diff --git a/pesign.sysusers b/pesign.sysusers
new file mode 100644
index 0000000..b163912
--- /dev/null
+++ b/pesign.sysusers
@@ -0,0 +1,2 @@
+#Type Name ID GECOS Home directory Shell
+u pesign - "PE-COFF signing daemon" /var/lib/pesign -
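Review bot: In the `%files` list of pesign.spec, `%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign` leaves that directory listable and traversable by every local user, while the other two pesign-owned directories in the same list (`/run/%{name}` and `%{_localstatedir}/lib/%{name}`) are 0770. Judging by its path and the name of Patch8, this is presumably where the daemon keeps its certificate and key database, so anything inside is protected only by its own file mode. Unless accounts outside the pesign group must read certificates there, I would ship it as `%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign`. If the wider mode is intended, a comment above the entry should say why, along the lines of `# 0775: non-members read the public certificates; key files inside must not be world-readable`. Patch2 and Patch6 to Patch10 also lack the `# PATCH-FIX-...` comment that the earlier patches carry, which makes the two bsc#1202933 patches harder to audit.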