SLFO-pool/pesign
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main pesign revision 69fe8db5c7294b2a994a0d193593c331

Browse Source
This commit is contained in:
Adrian Schröter 2024-05-03 19:19:17 +02:00
commit 60c5328ea8
15 changed files with 1110 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

24
harden_pesign.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: pesign-115/src/pesign.service.in
===================================================================
--- pesign-115.orig/src/pesign.service.in
+++ pesign-115/src/pesign.service.in
@@ -3,6 +3,19 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
PIDFile=@@RUNDIR@@/pesign.pid
ExecStart=/usr/bin/pesign --daemonize --nofork
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize

BIN
pesign-116.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

13
pesign-boo1143063-remove-var-tracking.patch Normal file
View File

@ -0,0 +1,13 @@
Index: pesign-115/Make.defaults
===================================================================
--- pesign-115.orig/Make.defaults
+++ pesign-115/Make.defaults
@@ -69,7 +69,7 @@ cflags = $(CFLAGS) $(ARCH3264) \
$(call pkg-config-cflags)
clang_ccldflags =
gcc_ccldflags = -fno-merge-constants \
- -fvar-tracking -fvar-tracking-assignments -fkeep-inline-functions \
+ -fvar-tracking-assignments -fkeep-inline-functions \
-Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \
-Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \
-Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -pie

27
pesign-boo1185663-set-rpmmacrodir.patch Normal file
View File

@ -0,0 +1,27 @@
Index: pesign-115/Make.defaults
===================================================================
--- pesign-115.orig/Make.defaults
+++ pesign-115/Make.defaults
@@ -13,6 +13,7 @@ rundir ?= /run/
rundir := $(abspath $(rundir))/
pcdir ?= $(libdir)pkgconfig/
docdir ?= $(prefix)share/doc/
+rpmmacrodir ?= /etc/rpm/
DESTDIR ?=
INSTALLROOT = $(DESTDIR)
Index: pesign-115/src/Makefile
===================================================================
--- pesign-115.orig/src/Makefile
+++ pesign-115/src/Makefile
@@ -88,8 +88,8 @@ install :
$(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(mandir)man1/
$(INSTALL) -m 644 $(MAN1TARGETS) $(INSTALLROOT)$(mandir)man1/
- $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
- $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
+ $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/

25
pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch Normal file
View File

@ -0,0 +1,25 @@
From 73cd25615367ff1f9a19fdfd38017f68a12a354d Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 7 Feb 2023 15:34:09 +0800
Subject: [PATCH] Make /etc/pki/pesign/ writeable
The default NSS database for the pesign daemon is stored in /etc/pki/pesign/.
Make it writeable after hardening the service.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/pesign.service.in | 1 +
1 file changed, 1 insertion(+)
Index: pesign-116/src/pesign.service.in
===================================================================
--- pesign-116.orig/src/pesign.service.in
+++ pesign-116/src/pesign.service.in
@@ -18,6 +18,7 @@ RestrictRealtime=true
# end of automatic additions
PIDFile=@@RUNDIR@@/pesign.pid
ExecStart=/usr/bin/pesign --daemonize --nofork
+ReadWritePaths=/etc/pki/pesign/
[Install]
WantedBy=multi-user.target

91
pesign-bsc1202933-Remove-pesign-authorize.patch Normal file
View File

@ -0,0 +1,91 @@
From 09a41248f9f867e9aaf06e890621c392d36b52ec Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 31 Jan 2023 10:00:18 -0500
Subject: [PATCH] Remove pesign-authorize
The onus of correct file/directory permissions should be a configuration
and systems administration issue, not pesign's.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/.gitignore | 1 -
src/Makefile | 3 +--
src/pesign-authorize.in | 13 -------------
src/pesign.service.in | 1 -
src/pesign.sysvinit.in | 1 -
5 files changed, 1 insertion(+), 18 deletions(-)
delete mode 100644 src/pesign-authorize.in
Index: pesign-116/src/.gitignore
===================================================================
--- pesign-116.orig/src/.gitignore
+++ pesign-116/src/.gitignore
@@ -10,5 +10,4 @@ peverify
pesign.service
pesign.sysvinit
pesign-rpmbuild-helper
-pesign-authorize
tmpfiles.conf
Index: pesign-116/src/Makefile
===================================================================
--- pesign-116.orig/src/Makefile
+++ pesign-116/src/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen pesigcheck pesign \
- pesign-rpmbuild-helper pesign-authorize pesum
+ pesign-rpmbuild-helper pesum
CFGTARGETS=tmpfiles.conf
SVCTARGETS=pesign.sysvinit pesign.service
MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1
@@ -99,7 +99,6 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
Index: pesign-116/src/pesign-authorize.in
===================================================================
--- pesign-116.orig/src/pesign-authorize.in
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-set -e
-set -u
-
-# License: GPLv2
-
-# This script is deprecated and will be removed in a future release.
-
-sleep 3
-for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
- chown -R pesign:pesign "${x}" || true
- chmod -R ug+rwX "${x}" || true
-done
Index: pesign-116/src/pesign.service.in
===================================================================
--- pesign-116.orig/src/pesign.service.in
+++ pesign-116/src/pesign.service.in
@@ -18,7 +18,6 @@ RestrictRealtime=true
# end of automatic additions
PIDFile=@@RUNDIR@@/pesign.pid
ExecStart=/usr/bin/pesign --daemonize --nofork
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
[Install]
WantedBy=multi-user.target
Index: pesign-116/src/pesign.sysvinit.in
===================================================================
--- pesign-116.orig/src/pesign.sysvinit.in
+++ pesign-116/src/pesign.sysvinit.in
@@ -30,7 +30,6 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- @@LIBEXECDIR@@/pesign/pesign-authorize
}
stop(){

50
pesign-fix-authvar-write-loop.patch Normal file
View File

@ -0,0 +1,50 @@
From b3c58e3b9237f90e865723837a9389fcb25f6945 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 1 Jul 2014 14:43:35 +0800
Subject: [PATCH] authvar: fix the write loop
I forgot to move the pointer...
Also use offsetof() instead of the wordsize check.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
src/authvar_context.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
Index: pesign-115/src/authvar_context.c
===================================================================
--- pesign-115.orig/src/authvar_context.c
+++ pesign-115/src/authvar_context.c
@@ -151,6 +151,7 @@ write_authvar(authvar_context *ctx)
void *buffer, *ptr;
size_t buf_len, des_len, remain;
ssize_t wlen;
+ off_t offset;
if (!ctx->authinfo)
cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar");
@@ -179,19 +180,19 @@ write_authvar(authvar_context *ctx)
if (ctx->value_size > 0)
memcpy(ptr, ctx->value, ctx->value_size);
- if (!ctx->to_firmware) {
- ftruncate(ctx->exportfd, buf_len);
+ if (!ctx->to_firmware)
lseek(ctx->exportfd, 0, SEEK_SET);
- }
remain = buf_len;
+ offset = 0;
do {
- wlen = write(ctx->exportfd, buffer, remain);
+ wlen = write(ctx->exportfd, buffer + offset, remain);
if (wlen < 0) {
free(buffer);
cmsreterr(-1, ctx->cms_ctx, "failed to write authvar");
}
remain -= wlen;
+ offset += wlen;
} while (remain > 0);
free(buffer);

29
pesign-fix-cert-match-check.patch Normal file
View File

@ -0,0 +1,29 @@
From a6062702e9f0002b86759f6cd14da6d78de99f22 Mon Sep 17 00:00:00 2001
From: Huaxin Lu <luhuaxin1@huawei.com>
Date: Fri, 11 Nov 2022 11:20:35 +0800
Subject: [PATCH] cms_common: fix cert match check
In find_certificate_by_callback(), the match() returns 1
when cert subject is matched.
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
---
src/cms_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 24576f2..cf572ca 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -872,7 +872,7 @@ find_certificate_by_callback(cms_context *cms,
continue;
int rc = match(tmpnode->cert, cbdata);
- if (rc == 0) {
+ if (rc == 1) {
node = tmpnode;
break;
}
--
2.35.3

29
pesign-fix-efikeygen-segfault.patch Normal file
View File

@ -0,0 +1,29 @@
From 227435af461f38fc4abeafe02884675ad4b1feb4 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Mon, 20 Feb 2023 15:26:20 +0100
Subject: [PATCH] cms_common: Fixed Segmentation fault
When running efikeygen, the binary crashes with a segfault due
to dereferencing a **ptr instead of a *ptr.
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
src/cms_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 44e5cca..4f4707b 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -957,7 +957,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
if (!ias)
cnreterr(-1, cms, "invalid issuer and serial number");
- return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
+ return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
}
int
--
2.35.3

44
pesign-skip-auth-on-friendly-slot.patch Normal file
View File

@ -0,0 +1,44 @@
From 616ec5f25adbde1a4bd78cdcacd6dcd7ecfa5a5c Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 22 Dec 2022 13:49:34 +0800
Subject: [PATCH] cms_common: skip authentication on the 'Friendly' slot
When finding a certificate in a 'Friendly' slot without the need of the
private key, it is not necessary to authenticate the slot.
For example, when the signed attributes and the raw signature are
created in a server and the user has the certificate, signkey.x509, and
tries to import them into myapp.efi:
$ certutil -N -d nssdb -f passwd
$ certutil -A -d nssdb -f passwd -n signkey -t CT,CT,CT \
-i signkey.x509
$ pesign -n nssdb -c signkey -i myapp.efi -o myapp.efi.signed \
-d sha256 -I myapp.sattr -R myapp.sig
Since the "signkey" is 'Friendly', i.e. publicly readable, and the
private key is not needed, we can just skip the authentication and find
"signkey" in the slot.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/cms_common.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index cf572ca..44e5cca 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -628,7 +628,8 @@ find_certificate(cms_context *cms, int needs_private_key)
int errnum;
SECStatus status;
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms)) {
+ if ((needs_private_key || !PK11_IsFriendly(psle->slot)) &&
+ (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms))) {
status = PK11_Authenticate(psle->slot, PR_TRUE, cms);
if (status != SECSuccess) {
save_port_err() {
--
2.35.3

73
pesign-suse-build.patch Normal file
View File

@ -0,0 +1,73 @@
Index: pesign-116/util/Makefile
===================================================================
--- pesign-116.orig/util/Makefile
+++ pesign-116/util/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules
include $(TOPDIR)/Make.defaults
FORMAT=efi-app-$(HOSTARCH)
-LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR)
+LDFLAGS = -nostdlib -T $(LIBDIR)/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/crt0-efi-$(HOSTARCH).o -L$(LIBDIR)
LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name)
CCLDFLAGS =
BUILDFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration
@@ -20,8 +20,8 @@ clean :
@rm -rfv *.o *.a *.so .*.d $(TARGETS)
install :
- $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/
- $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/sles/
+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/sles/
install_systemd:
Index: pesign-116/src/pesign.sysvinit.in
===================================================================
--- pesign-116.orig/src/pesign.sysvinit.in
+++ pesign-116/src/pesign.sysvinit.in
@@ -6,16 +6,19 @@
# processname: /usr/bin/pesign
# pidfile: @@RUNDIR@@pesign.pid
### BEGIN INIT INFO
-# Provides: pesign
-# Default-Start:
-# Default-Stop:
+# Provides: pesign
+# Should-Start: $remote_fs
+# Should-Stop: $remote_fs
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 5
# Short-Description: The pesign PE signing daemon
# Description: The pesign PE signing daemon
### END INIT INFO
-. /etc/init.d/functions
[ -f /usr/bin/pesign ] || exit 1
+PESIGN_PIDFILE=@@RUNDIR@@pesign.pid
RETVAL=0
start(){
@@ -23,7 +26,7 @@ start(){
mkdir @@RUNDIR@@pesign 2>/dev/null &&
chown pesign:pesign @@RUNDIR@@pesign &&
chmod 0770 @@RUNDIR@@pesign
- daemon /usr/bin/pesign --daemonize
+ startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize
RETVAL=$?
echo
touch /var/lock/subsys/pesign
Index: pesign-116/Makefile
===================================================================
--- pesign-116.orig/Makefile
+++ pesign-116/Makefile
@@ -11,7 +11,6 @@ SUBDIRS := include libdpe src
install :
$(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
- $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
@$(call descend)
install_systemd install_sysvinit : install

544
pesign.changes Normal file
View File

@ -0,0 +1,544 @@
-------------------------------------------------------------------
Wed Feb 22 08:05:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to 116
+ daemon: remove always-true comparison
+ pesum - add a new tool to the shed
+ Fix building signed kernels on setups other than koji
+ Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
+ macros.pesign: handle centos like rhel with --rhelver
+ Detect the presence of rpm-sign when checking for "rhel"-ness
+ Fix typo in efikeygen command
+ pesigcheck: Fix crash on digest match
+ cms: store digest as pointer instead of index
+ Fix mandoc invocation to not produce garbage
+ Password fixes
+ Re-work CMS's selected_digest again...
+ src/certs/make-certs: delete the duplicate codes
+ Free resources if certification cannot be found
+ macros: drop %{_pesign_args}
+ Fix two bugs from package building
+ Fix bad free of cms data (DoS only)
+ Send pesign stdout/err to systemd journal
+ Add missing Install section
+ Add default packages for pkg-config
+ Short delay to ensure /run/pesign/socket exists
+ Resolve crash when signature that is removed is not the end of
the list
+ Enhance error diagnostics about version mismatch
+ Upstream all Fedora changes
+ Add some hardening options to build
+ Add code of conduct
+ Fix build on gcc 12 and non-Fedora
- Add BuildRequires efivar-devel >= 38 for efisec.h
+ efisiglist is replaced by efisecdb in efivar 38
- Add BuildRequires mandoc to generate the manpages
- Replace pesign-privkey_unneeded.diff with
pesign-skip-auth-on-friendly-slot.patch to avoid the unnecessary
authentication
- Add pesign-fix-cert-match-check.patch to fix the subject name
matching
- Add pesign-fix-efikeygen-segfault.patch to fix the potential
crash when executing efikeygen
- Add pesign-bsc1202933-Remove-pesign-authorize.patch to remove
pesign-authorize completely (bsc#1202933)
- Refresh patches
+ harden_pesign.service.patch
+ pesign-boo1143063-remove-var-tracking.patch
+ pesign-boo1185663-set-rpmmacrodir.patch
+ pesign-fix-authvar-write-loop.patch
+ pesign-suse-build.patch
+ pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
- Remove upstreamed/unnecessary patches
+ pesign-boo1158197-fix-pesigncheck-gcc10.patch
+ pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
+ pesign-run.patch
+ pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
-------------------------------------------------------------------
Tue Feb 7 07:37:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Add pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
to use the normal file permissions in pesign-authorize to avoid
the potential security issue (bsc#1202933, CVE-2022-3560)
- Set the libexecdir path for "make" to fix the path to
pesign-authorize in pesign.service (bsc#1202933)
- Add pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch to make
the default NSS datebase writeable (bsc#1202933)
-------------------------------------------------------------------
Sun Nov 11 10:54:08 UTC 2021 - Andreas Schwab <schwab@suse.de>
- Enable build on riscv64
-------------------------------------------------------------------
Tue Nov 9 15:01:59 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
- Change to systemd-sysusers
-------------------------------------------------------------------
Tue Oct 19 05:58:37 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_pesign.service.patch
-------------------------------------------------------------------
Tue Jun 8 15:55:09 UTC 2021 - Wolfgang Frisch <wolfgang.frisch@suse.com>
- Link as Position Independent Executable (bsc#1184124).
-------------------------------------------------------------------
Fri May 7 01:38:34 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
- Stop marking macros.pesign as %config
-------------------------------------------------------------------
Thu May 6 09:22:38 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
- Add pesign-boo1185663-set-rpmmacrodir.patch to set the rpm macro
directory at build time (boo#1185663)
+ Also set rpmmacrodir when installing files
- Remove "make install" since "make install_systemd" invokes
"make install" automatically
-------------------------------------------------------------------
Tue May 5 12:42:15 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
- Use %_tmpfilesdir instead of %{_libexecdir}/tmpfiles.d.
-------------------------------------------------------------------
Wed Dec 4 02:38:05 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
- Add pesign-boo1158197-fix-pesigncheck-gcc10.patch to remove the
superfluous type settings in pesigcheck to fix the gcc10 errors
(boo#1158197)
-------------------------------------------------------------------
Wed Jul 31 03:26:37 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
- Add pesign-boo1143063-remove-var-tracking.patch to remove
var-tracking from the default CFLAGS (boo#1143063)
-------------------------------------------------------------------
Thu Jul 11 09:00:21 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
- Add pesign-efikeygen-Fix-the-build-with-nss-3.44.patch to fix
the compilation error when building with NSS 3.44
-------------------------------------------------------------------
Sun Jun 2 07:01:51 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Trim conjecture from description.
-------------------------------------------------------------------
Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
- Update to 113
+ Get rid of the 0.Y versioning
+ Make --padding the default
+ Add kmod signing (drake)
+ efisiglist format fixes
+ enforce the use of --kernel or --module in efikeygen
+ RPM macro updates
+ Move the license to GPLv3+
+ Use sql-type NSS database by default
+ Various documentation improvements.
+ Improve /etc/pki/pesign authorization scripts
+ Various pesigcheck improvements
+ Fix wrong oid offsets (bsc#1205323)
- Refresh patches
+ pesign-suse-build.patch
+ pesign-privkey_unneeded.diff
+ pesign-fix-authvar-write-loop.patch
- Drop upstreamed patches
+ pesign-fix-argument-list.patch
+ pesign-bsc1087742-fix-efisiglist.patch
- Drop pesign-fix-build-errors.patch since those warnings are gone
-------------------------------------------------------------------
Thu May 9 12:25:31 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
- Enable build on %arm as we can sign kernel on %arm (boo#1134670)
-------------------------------------------------------------------
Fri Apr 26 11:12:46 UTC 2019 - mvetter@suse.com
- bsc#1130588: Require shadow instead of old pwdutils
-------------------------------------------------------------------
Mon Apr 2 09:37:36 UTC 2018 - glin@suse.com
- Add pesign-bsc1087742-fix-efisiglist.patch to fix the generation
of efi signature list. (bsc#1087742)
-------------------------------------------------------------------
Thu Aug 11 03:22:18 UTC 2016 - glin@suse.com
- Add pesign-fix-argument-list.patch to fix the argument list
parsing
-------------------------------------------------------------------
Thu Apr 21 09:36:23 UTC 2016 - glin@suse.com
- Update to 0.112
- Refresh patches: pesign-suse-build.patch and pesign-run.patch
- Drop upstreamed pesign-fix-signness.patch
-------------------------------------------------------------------
Tue Nov 10 07:59:48 UTC 2015 - glin@suse.com
- Update to 0.111
- Add pesign-fix-signness.patch to fix the signness comparison
- Drop upstreamed patches
+ pesign-efivar-pkgconfig.patch
+ pesign-make-efi_guid_t-const.patch
+ pesign-fix-import-sig-check.patch
+ pesign-install-supplementary-programs.patch
- Refresh pesign-suse-build.patch, pesign-privkey_unneeded.diff,
and pesign-run.patch
- Update pesign-fix-build-errors.patch
- Merge use-standard-pid-location.patch into pesign-run.patch
-------------------------------------------------------------------
Tue Sep 1 06:11:06 UTC 2015 - dimstar@opensuse.org
- Do not buildrequire systemd: it conflicts with systemd-mini,
which is pulled in by systemd-mini-devel (due to BuildRequires:
pkgconfig(systemd).
- As we lack systemd-tmpfiles in the build env, we ignore the
errors cast in the %post scriptlet.
-------------------------------------------------------------------
Fri Aug 14 07:45:31 UTC 2015 - mpluskal@suse.com
- Update project url
- Use url for download
- Add rcpesign symlink
- Tiny spec file cleanup with spec-cleaner
-------------------------------------------------------------------
Mon Jul 13 11:07:10 UTC 2015 - werner@suse.de
- Make it build, tool systemd-tmpfiles is part of systemd
-------------------------------------------------------------------
Tue Jun 16 06:52:21 UTC 2015 - glin@suse.com
- Add pesign-efivar-pkgconfig.patch to get the efivar compiler
parameters from pkg-confg
- Add pesign-make-efi_guid_t-const.patch to avoid the error from
gcc
-------------------------------------------------------------------
Wed Nov 26 09:46:50 UTC 2014 - glin@suse.com
- Add pesign-fix-import-sig-check.patch to fix the signature size
check while importing a signature
- Amend the spec file with spec-cleaner
-------------------------------------------------------------------
Fri Oct 31 07:16:40 UTC 2014 - glin@suse.com
- Update pesign-suse-build.patch to set LIBDIR for AArch64
-------------------------------------------------------------------
Tue Oct 28 08:47:34 UTC 2014 - glin@suse.com
- Update to version 0.110
- Add pesign-fix-authvar-write-loop.patch to fix the write loop in
authvar
- Add pesign-install-supplementary-programs.patch to install the
supplementary programs
- Refresh patches
+ pesign-fix-build-errors.patch
+ pesign-run.patch
+ pesign-suse-build.patch
- Drop upstreamed patches
+ pesign-clear-padding-bits.patch
+ pesign-enable-supplementary-programs.patch
+ pesign-no-db.patch
- Enable aarch64
-------------------------------------------------------------------
Tue Jul 1 06:46:13 UTC 2014 - glin@suse.com
- Update pesign-enable-supplementary-programs.patch to fix write
loop
-------------------------------------------------------------------
Thu Jun 12 02:47:55 UTC 2014 - glin@suse.com
- Add pesign-enable-supplementary-programs.patch to fix and enable
the supplementary programs: pesigcheck, authvar, efisiglist
-------------------------------------------------------------------
Wed Apr 16 07:12:05 UTC 2014 - aj@suse.com
- Add pesign-run.patch: Use /run instead of /var/run (bnc#873857).
-------------------------------------------------------------------
Fri Jan 31 08:49:12 UTC 2014 - lnussel@suse.de
- mark dir in /var/run as %ghost
-------------------------------------------------------------------
Thu Nov 7 09:17:04 UTC 2013 - glin@suse.com
- Add pesign-no-db.patch to allow some commands to proceed without
a NSS database.
-------------------------------------------------------------------
Thu Oct 24 03:14:05 UTC 2013 - glin@suse.com
- Revert the dowload Url since it's not valid
-------------------------------------------------------------------
Tue Oct 22 11:18:39 UTC 2013 - p.drouand@gmail.com
- Update to version 0.109
- Remove sysvinit related old stuff
- Remove redundant %clean section
- Add use-standard-pid-location.patch
Use the good location to stock pidfile
- Use download Url as source
- Rebase pesign-suse-build.patch to upstream changes as it has been
partially merged on upstream
- Remove pesign-allow-no-issuer-cert.patch; fixed on upstream
-------------------------------------------------------------------
Thu Jul 18 06:54:19 UTC 2013 - glin@suse.com
- Add pesign-allow-no-issuer-cert.patch to avoid crash when the
issuer's certificate is not available
-------------------------------------------------------------------
Tue Jul 9 04:44:44 UTC 2013 - glin@suse.com
- Update to 0.106
- Add pesign-clear-padding-bits.patch to clear the padding bits
- Rebase patches:
+ pesign-suse-build.patch
+ pesign-fix-build-errors.patch
+ pesign-privkey_unneeded.diff
- Drop upstreamed patches
+ pesign-client-initialize-action.patch
+ pesign-bnc808594-align-signatures.patch
+ pesign-upstream-fixes.patch
+ pesign-fix-export-attributes.patch
+ pesign-no-set-image-size.patch
+ pesign-client-read-pin-file.patch
+ pesign-local-database.patch
+ pesign-bnc801653-teardown-segfault.patch
+ pesign-bnc805166-fix-signature-list.patch
-------------------------------------------------------------------
Tue Mar 26 06:21:15 UTC 2013 - glin@suse.com
- Add pesign-bnc808594-align-signatures.patch to align signatures
(bnc#808594, bnc#811325)
-------------------------------------------------------------------
Fri Mar 1 03:04:35 UTC 2013 - glin@suse.com
- Update pesign-bnc805166-fix-signature-list.patch to avoid the
potential crash when inserting a signature (bnc#805166)
- Add pwdutils to PreReq
-------------------------------------------------------------------
Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com
- Update pesign-bnc805166-fix-signature-list.patch to skip the
unneeded private key request. (bnc#805166c#17)
-------------------------------------------------------------------
Sat Feb 23 04:47:48 UTC 2013 - jlee@suse.com
- Modified pesign-bnc805166-fix-signature-list.patch, block out the
source code for find/attach Issuer certificate
(bnc#805166 comment#13)
-------------------------------------------------------------------
Fri Feb 22 08:44:43 UTC 2013 - glin@suse.com
- Add pesign-bnc805166-fix-signature-list.patch to fix the broken
signature list when inserting signature into a signed EFI binary
(bnc#805166)
-------------------------------------------------------------------
Tue Feb 12 15:32:11 CET 2013 - mls@suse.de
- do not try to recalculate the image size, it is included in the
hash and therefore must not change.
-------------------------------------------------------------------
Wed Feb 6 10:44:48 UTC 2013 - glin@suse.com
- Merge patches for FATE#314552
+ pesign-fix-export-attributes.patch: fix crash when exporting
the signed attributes
+ pesign-privkey_unneeded.diff: Don't check the private key when
importing the raw signature
- Add pesign-bnc801653-teardown-segfault.patch to fix crash when
freeing digests (bnc801653)
- Drop pesign-digestdata.diff which is no longer needed.
-------------------------------------------------------------------
Mon Jan 21 10:17:28 UTC 2013 - glin@suse.com
- Add pesign-digestdata.diff to generate digestdata (FATE#314552)
-------------------------------------------------------------------
Wed Dec 12 13:18:40 UTC 2012 - fcrozat@suse.com
- Don't call sysv RPM post/pre macros when building for systemd
- Ship rcpesign for systemd, link to /sbin/service
- Update pesign-suse-build.patch to allow change systemd unit
install directory.
- Don't hardcode systemd unit directory, since it changed in
Factory.
-------------------------------------------------------------------
Tue Dec 11 07:10:04 UTC 2012 - glin@suse.com
- Add Requires: pwdutils
-------------------------------------------------------------------
Wed Nov 28 07:42:09 UTC 2012 - glin@suse.com
- Add pesign-local-database.patch to support the local certificate
database
- Amend the spec file to build on openSUSE:Factory
-------------------------------------------------------------------
Thu Nov 8 06:32:32 UTC 2012 - glin@suse.com
- Version bump to 0.99 (FATE#314484)
+ Add documentation for --daemonize and --nofork
+ Make popt aliases work
+ Add documentation for pesign-client
+ Add --pinfd and --pinfile to the client
- Update pesign-suse-build.patch and pesign-fix-build-errors.patch
- Add pesign-upstream-fixes.patch to backport fixes from git head
and add sysvinit script
- Add pesign-client-initialize-action.patch to initialize client
action to avoid undetermined flags.
- Add pesign-client-read-pin-file.patch to fix pin file reading
-------------------------------------------------------------------
Mon Oct 15 09:33:19 UTC 2012 - glin@suse.com
- Version bump to 0.98
+ close the socket immediately on invalid input
+ Slightly better error messages
+ Log an error if digest initialization fails
+ Add systemd bits for pesignd
+ Add actual signing code to the daemon
+ Add input and output setup for sign functionality in the daemon
+ Audit allocation of CERTCertificateList/PK11SlotList and
friends
+ Fix memory leaks
- Refresh pesign-suse-build.patch and pesign-fix-build-errors.patch
-------------------------------------------------------------------
Mon Aug 13 06:50:35 UTC 2012 - glin@suse.com
- Version bump to 0.9
+ Add NSS "token" support for smartcards.
+ Allocate space for the section header variable
- Refresh pesign-fix-build-errors.patch to fix the warning
- Drop upstreamed pesign-allocate-shdr.patch
-------------------------------------------------------------------
Fri Aug 10 10:12:53 UTC 2012 - glin@suse.com
- Add pesign-allocate-shdr.patch to allocate space for the section
header variable
-------------------------------------------------------------------
Thu Aug 9 03:53:45 UTC 2012 - glin@suse.com
- Version bump to 0.8
+ Don't open the DB r/w, read-only is fine.
+ Attempt to do a better job setting the image size.
+ Emit correct OID for encryption type.
- Drop pesign-fix-image-size.patch which is already in 0.8
-------------------------------------------------------------------
Tue Aug 7 03:03:17 UTC 2012 - glin@suse.com
- Add upstream patch pesign-fix-image-size.patch to set the image
size correctly.
- Drop pesign-elilo-workaround.patch
-------------------------------------------------------------------
Mon Aug 6 08:03:05 UTC 2012 - glin@suse.com
- Version bump to 0.7
+ Fix incorrect initialization error in (undocumented) -e option.
+ Use SEC_OID_PKCS1_RSA_ENCRYPTION like MS
+ Initialize the index variable of loop
+ Adjust the buffer size to avoid overflow
+ Make sure pe_populatecert() always returns a value
-------------------------------------------------------------------
Mon Jul 23 08:49:13 UTC 2012 - glin@suse.com
- Add pesign-elilo-workaround.patch to workaround the section
header corruption in some EFI image (elilo for example)
-------------------------------------------------------------------
Mon Jul 23 03:32:18 UTC 2012 - glin@suse.com
- Add pesign-fix-build-errors.patch to fix build error/warning
- Don't install the util efi images
- Fix the RPM_OPT_FLAGS warning
-------------------------------------------------------------------
Thu Jul 12 09:37:55 UTC 2012 - glin@suse.com
- Version bump to 0.5
+ Handle and report mremap() failure
+ Man page should be in section 1.
+ Add some basic signature list management.
+ Add some more efi-defined constants, flesh out efi_guid_t.
+ authver: Find a guid for 'namespace'.
+ Add some basic ucs2 functions :(
+ Support multiple signatures correctly.
+ Add ascii_to_ucs2()
+ Add file formats and some code for variables-on-disk.
+ Allow the memory map to move when we're allocating space in the
binary.
+ Remove extra call to ftruncate()
+ Adjust section addresses when we remap the pecoff binary.
+ Correctly set win_certificate.length to /include/
win_certificate.
+ Move certificate space iterator to wincert.c so other stuff can
get it.
+ Split allocating space for certs and filling it in.
+ Put the new signature into the cms ctx instead of keeping it
locally.
+ Actually calculate space and extend the file before hashing the
binary.
+ Bounds-check everything we're hashing so we don't segfault on a
bad bin.
- Add pesign-always-return-value.patch to fix
no-return-in-nonvoid-function
- Drop upsreamed patch pesign-mem-reallocation.patch
-------------------------------------------------------------------
Fri Jun 29 07:08:11 UTC 2012 - glin@suse.com
- Add pesign-mem-reallocation.patch to fix crash when writing
signature
-------------------------------------------------------------------
Tue Jun 26 07:02:49 UTC 2012 - glin@suse.com
- Version bump to 0.3
+ it seems to generate working signatures
-------------------------------------------------------------------
Thu Jun 21 08:31:42 UTC 2012 - glin@suse.com
- New package pesign 0.2

133
pesign.spec Normal file
View File

@ -0,0 +1,133 @@
#
# spec file for package pesign
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: pesign
Version: 116
Release: 0
Summary: Signing tool for PE-COFF binaries
License: GPL-3.0-or-later
Group: Productivity/Security
URL: https://github.com/rhinstaller/pesign
Source: https://github.com/rhinstaller/pesign/releases/download/%{version}/%{name}-%{version}.tar.bz2
Source1: pesign.sysusers
# PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
Patch1: pesign-suse-build.patch
Patch2: pesign-skip-auth-on-friendly-slot.patch
# PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar
Patch3: pesign-fix-authvar-write-loop.patch
# PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS
Patch4: pesign-boo1143063-remove-var-tracking.patch
# PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
Patch5: pesign-boo1185663-set-rpmmacrodir.patch
Patch6: harden_pesign.service.patch
Patch7: pesign-bsc1202933-Remove-pesign-authorize.patch
Patch8: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
Patch9: pesign-fix-cert-match-check.patch
Patch10: pesign-fix-efikeygen-segfault.patch
BuildRequires: efivar-devel >= 38
BuildRequires: libuuid-devel
BuildRequires: mandoc
BuildRequires: mozilla-nss-devel
BuildRequires: pkg-config
BuildRequires: popt-devel
BuildRequires: sysuser-tools
BuildRequires: pkgconfig(systemd)
%sysusers_requires
%{?systemd_requires}
ExclusiveArch: ia64 %ix86 x86_64 aarch64 %arm riscv64
%description
Signing tool for PE-COFF binaries. It is vaguely compliant
with the PE and Authenticode specifications.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%build
%sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf
export CPPFLAGS="%{optflags} -D_GLIBCXX_ASSERTIONS"
make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir}
%install
mkdir -p %{buildroot}%{_localstatedir}/lib/pesign
mkdir -p %{buildroot}%{_sbindir}
make INSTALLROOT=%{buildroot} \
UNITDIR=%{_unitdir} \
libexecdir=%{_libexecdir} \
rpmmacrodir=%{_rpmmacrodir} \
install_systemd
# create rcsymlink
ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
# there's some stuff that's not really meant to be shipped yet
rm -rf %{buildroot}/boot %{buildroot}%{_prefix}/include
rm -rf %{buildroot}%{_libdir}/libdpe*
install -Dm0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{name}.conf
%pre -f %{name}.pre
%service_add_pre pesign.service
%preun
%service_del_preun pesign.service
%post
%service_add_post pesign.service
systemd-tmpfiles --create %{_tmpfilesdir}/pesign.conf || :
%postun
%service_del_postun pesign.service
%files
%defattr(-,root,root)
%license COPYING
%{_bindir}/pesign
%{_bindir}/pesign-client
%{_bindir}/efikeygen
%{_bindir}/pesigcheck
%{_bindir}/authvar
%{_bindir}/pesum
%{_sbindir}/rcpesign
%dir %{_sysconfdir}/pesign
%{_sysconfdir}/pesign/*
%dir %{_sysconfdir}/popt.d
%config %{_sysconfdir}/popt.d/pesign.popt
%{_rpmmacrodir}/macros.pesign
%{_mandir}/man?/*
%{_unitdir}/pesign.service
%{_sysusersdir}/pesign.conf
%{_tmpfilesdir}/pesign.conf
%dir %{_libexecdir}/pesign
%{_libexecdir}/pesign/pesign-rpmbuild-helper
%dir %{_sysconfdir}/pki/
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign
%ghost %dir %attr(0770,pesign,pesign) /run/%{name}
%dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name}
%changelog

2
pesign.sysusers Normal file
View File

@ -0,0 +1,2 @@
#Type Name ID GECOS Home directory Shell
u pesign - "PE-COFF signing daemon" /var/lib/pesign -