- update to 0.7.2:
  * mokutil: revert the default listing to the verbose form
- update to 0.7.1:
  * Fix an off-by-one reading passwords from a file.
  * Short certificate listing by default
    + c361087 (HEAD -> master, tag: 0.7.0, origin/ssppolicy-v2-fix, origin/master, origin/HEAD) Rename "previous" revocations to "automatic"
      b15e7c4d7 util: add the missing stdio.h
      6c9890730 SBAT revocation update support
- spec file cleanup

OBS-URL: https://build.opensuse.org/package/show/Base:System/mokutil?expand=0&rev=62
Dirk Mueller 2025-02-08 21:17:13 +00:00 committed by Git OBS Bridge
commit 972cf1b92c
7 changed files with 493 additions and 0 deletions

.gitattributes vendored Normal file

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore vendored Normal file

@ -0,0 +1 @@
.osc

0.7.0.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:736b9a23003d36eba0bc6ee7e56ce70aa7f0f31cb34dde5c9e5bd093c1d2dab1
size 38511
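
Review bot: this 0.7.0.tar.gz pointer looks like a leftover from the previous version. The spec added in this commit sets Version: 0.7.2 and its Source resolves to %{version}.tar.gz, so only 0.7.2.tar.gz is consumed by the build. Drop the old pointer so the package carries a single source archive and there is no doubt which sha256 corresponds to the code that ships.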

0.7.2.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:839d677c4fc9805f1565703ca32863e4652692c53da66a88ae9b9e30676f9e17
size 39226


@ -0,0 +1,44 @@
From 87eb098c85dcae328924e91bb84e8e68ea15fd15 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 16 Sep 2020 17:02:56 +0800
Subject: [PATCH] Remove libkeyutils pkgconfig check
keyutils didn't provide pkgconfig in 1.5.*
Signed-off-by: Gary Lin <glin@suse.com>
---
configure.ac | 1 -
src/Makefile.am | 3 +--
2 files changed, 1 insertion(+), 3 deletions(-)
Index: mokutil-0.6.0/configure.ac
===================================================================
--- mokutil-0.6.0.orig/configure.ac
+++ mokutil-0.6.0/configure.ac
@@ -85,7 +85,6 @@ AC_CHECK_FUNCS([memset])
PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
-PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5])
AC_ARG_WITH([bash-completion-dir],
AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
Index: mokutil-0.6.0/src/Makefile.am
===================================================================
--- mokutil-0.6.0.orig/src/Makefile.am
+++ mokutil-0.6.0/src/Makefile.am
@@ -2,13 +2,12 @@ bin_PROGRAMS = mokutil
mokutil_CFLAGS = $(OPENSSL_CFLAGS) \
$(EFIVAR_CFLAGS) \
- $(LIBKEYUTILS_CFLAGS) \
$(WARNINGFLAGS_C) \
-DVERSION="\"$(VERSION)\""
mokutil_LDADD = $(OPENSSL_LIBS) \
$(EFIVAR_LIBS) \
- $(LIBKEYUTILS_LIBS) \
+ -lkeyutils \
-lcrypt
mokutil_SOURCES = signature.h \
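
Review bot: the configure.ac part deletes PKG_CHECK_MODULES(LIBKEYUTILS, ...) with nothing in its place, and src/Makefile.am then hard-codes -lkeyutils, so configure no longer verifies that keyutils is available and a missing library only surfaces as a link failure. Consider swapping the pkg-config probe for an AC_CHECK_LIB / AC_CHECK_HEADERS test on keyutils rather than removing the check outright. The Index: paths also still read mokutil-0.6.0 although the package is now at 0.7.2; refreshing the patch would keep its headers in step with the source it is applied to.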

mokutil.changes Normal file

@ -0,0 +1,356 @@
-------------------------------------------------------------------
Sat Feb 8 21:16:36 UTC 2025 - Dirk Müller <dmueller@suse.com>
- update to 0.7.2:
* mokutil: revert the default listing to the verbose form
- update to 0.7.1:
* Fix an off-by-one reading passwords from a file.
* Short certificate listing by default
-------------------------------------------------------------------
Fri Mar 1 08:23:24 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
- Update to 0.7.0
+ 82694cb Show usage instead of aborting on bad flags
+ 04791c2 mokutil bugfix: del unused opt "-s"
+ d978c18 Fix leak of list in delete_data_from_req_var()
+ e498f64 Fix leak of fd in mok_get_variable()
+ 7b6258a Show the key owner GUID
+ 51b5e55 Use PKG_PROG_PKG_CONFIG macro from pkg.m4 to detect pkg-config
+ 1aefcdb mokutil: handle the parsing error from "mok-variables"
+ 71140ef mokutil: Fix memory leak in export_db_keys
+ 0011d52 mokutil:check the result of malloc() is necessary
+ a0d8702 Fix inconsistency in skip messages
+ ae59d89 man: add "--trust-mok" and "--untrust-mok"
+ dd55c28 Avoid conflicting efi_char16_t type definitions
+ 8b6d116 fix: typo "accesss" -> "access"
+ f68a4f4 Do not exit with non zero status for version query
+ 5f49730 Check for efi variabales support after processing commands
+ 2d6c409 Return 0 after printing help messages
+ c64741d Add support for SSPPolicy, depricate --set-sbat-policy delete
+ 48e3d2a Fix tab alignment for help (set-fallback-verbosity/set-fallback-noreboot)
+ c361087 (HEAD -> master, tag: 0.7.0, origin/ssppolicy-v2-fix, origin/master, origin/HEAD) Rename "previous" revocations to "automatic"
-------------------------------------------------------------------
Fri Feb 23 09:19:54 UTC 2024 - pgajdos@suse.com
- Use %patch -P N instead of deprecated %patchN.
-------------------------------------------------------------------
Tue Sep 19 08:10:49 UTC 2023 - Joey Lee <jlee@suse.com>
- Sync change log to prepare for sending mokutil 0.6.0 to SLE15-SP6
(jsc#PED-6528)
- Removed the following backported patches because they are merged
to 0.6.0:
- mokutil-fix-missing-header.patch
b15e7c4d7 util: add the missing stdio.h
- mokutil-enable-setting-fallback-verbosity-and-norebo.patch (bsc#1198458)
57bc38582 mokutil: enable setting fallback verbosity and noreboot mode
- mokutil-SBAT-revocation-update-support.patch (bsc#1198458)
6c9890730 SBAT revocation update support
-------------------------------------------------------------------
Fri Aug 18 07:07:08 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Remove modhash (bsc#1214358)
+ The modhash script is rarely used and it's impractical to block
a kernel module with the hash.
-------------------------------------------------------------------
Mon Jun 27 05:00:25 UTC 2022 - Joey Lee <jlee@suse.com>
- Update to 0.6.0
+ 6c98907 SBAT revocation update support
+ 0276891 mokutil: Add trust_mok_keys and untrust_mok_keys
+ 57bc385 mokutil: enable setting fallback verbosity and noreboot mode
+ b15e7c4 util: add the missing stdio.h
- Drop mokutil-fix-missing-header.patch (upstream)
-------------------------------------------------------------------
Thu Jul 15 06:39:26 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
- Update to 0.5.0
+ mokutil: delete key/hash from the reverse request
+ efi_x509: fix an error handling in is_immediate_ca()
+ efi_x509: fix certificates fingerprint calculation
+ efi_x509: use EVP_Digest()* functions instead of the deprecated
SHA1_*()
+ src/util.c: fix NULL pointer dereference in mok_get_variable
+ mokutil: Read the SbatLevelRT variable to get the SBAT entries
+ mokutil: add mok-variables parsing support
+ mokutil: Add option to print the UEFI SBAT variable content
+ mokutil: only check for Secure Boot support in options that
need it
+ efi_x509: add the function to fetch SKID
+ keyring: add the function to check kernel keyring
+ mokutil: initialize data for efi_get_variable()
+ mokutil: correct the data for efi_set_variable() in
set_password()
+ mokutil: improve the readability of issue_mok_request()
+ mokutil: drop the checks for PK and KEK
+ mokutil: check the blocklists before enrolling a key
+ mokutil: adjust the command bits
+ mokutil: remove "--simple-hash"
+ make CA check non-fatal
+ mokutil: close file in the error path
+ mokutil: do the CA check
+ efi_x509: add the function to check immediate CA
+ efi_x509: use d2i_X509() to create X509 handling
+ mokutil: rename hash_file as pw_hash_file
+ password-crypt: update the function names
+ password-crypt: fix the types of several functions
+ mokutil: fix the error message in sb_state()
+ mokutil: move x509 functions to efi_x509.c
+ mokutil: move the hash functions to efi_hash.c
+ util: add functions for db_var_name and db_friendly_name
+ Remove the SHA1 code from identify_hash_type()
+ Map the UEFI variable names with a function
+ Fix -Wcast-align warnings
+ Fix 32 bit build
+ Add --timeout to manpage and other corrections.
+ mokutil.c: fix typo enrollement -> enrollment
+ Avoid taking pointer to packed struct
+ Fix name of --enable-validation in the description
+ Remove shebang from bash-completion/mokutil
- Add mokutil-fix-missing-header.patch to fix the compilation error
due to the missing header
- Refresh mokutil-remove-libkeyutils-check.patch and only apply
it to openSUSE Leap 15.*
- Drop upstreamed patches:
+ mokutil-remove-shebang-from-bash-completion-file.patch
+ mokutil-bsc1173115-add-ca-and-keyring-checks.patch
- Drop mokutil-support-revoke-builtin-cert.patch since we don't use
the builtin cert prompt patch in shim anymore.
-------------------------------------------------------------------
Tue May 4 06:52:03 UTC 2021 - Dirk Müller <dmueller@suse.com>
- spec file cleanup
-------------------------------------------------------------------
Wed Sep 16 09:06:02 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
- Add mokutil-bsc1173115-add-ca-and-keyring-checks.patch to add
options for CA and kernel keyring checks (bsc#1173115)
+ Add new BuildRequires: keyutils-devel
+ Add mokutil-remove-libkeyutils-check.patch to disable the
version check of libkeyutils
- Refresh mokutil-support-revoke-builtin-cert.patch
-------------------------------------------------------------------
Fri Aug 14 06:59:46 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
- Update mokutil-support-revoke-builtin-cert.patch
+ Add "--revoke-cert" to the man page
-------------------------------------------------------------------
Fri Dec 13 10:38:44 UTC 2019 - Michel Normand <normand@linux.vnet.ibm.com>
- Add build for ppc64/ppc64le
-------------------------------------------------------------------
Tue May 28 04:38:14 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
- Update to 0.4.0
+ Rename export_moks as export_db_keys
+ Add support for exporting other keys
+ add new --mok argument
+ set list-enrolled command as default for some arguments
+ Add more info to --sb-state: show when we're in SetupMode or
with shim validation disabled
+ Correct help: --set-timeout is really --timeout
+ generate_hash() / generate_pw_hash(): don't use strlen() for
strncpy bounds
+ Add the type casting to silence the warning
+ Add a way for mokutil to configure a timeout for MokManager's
prompt
+ list_keys_in_var(): check errno correctly, not ret twice
+ Fix typo in error message when the system lacks Secure Boot
support
+ Add bash completion file
+ mokutil: be explicit about file modes in all cases
+ Make all efi_guid_t const
+ Don't allow sha1 on the mokutil command line
+ Build with -fshort-wchar so toggle passwords work right
+ Fix the 32bit signedness comparison
+ Fix the potential buffer overflow
- Add mokutil-remove-shebang-from-bash-completion-file.patch to
remove shebang from bash-completion/mokutil
- Drop upstreamed patches
+ mokutil-constify-efi-guid.patch
+ mokutil-fix-overflow.patch
+ mokutil-fshort-wchar.patch
+ mokutil-set-efi-variable-file-mode.patch
- Refresh mokutil-support-revoke-builtin-cert.patch
- Install bash-completion/mokutil
-------------------------------------------------------------------
Thu Mar 21 02:39:46 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
- Add modhash to calculate the hash of kernel module (SLE-5661)
+ Also add openssl to Requires since the script needs it
-------------------------------------------------------------------
Fri Nov 23 08:58:24 UTC 2018 - glin@suse.com
- Enable AArch64 build (bsc#1119769, fate#326541)
-------------------------------------------------------------------
Tue Mar 27 09:54:10 CEST 2018 - kukuk@suse.de
- Use %license instead of %doc [bsc#1082318]
-------------------------------------------------------------------
Wed Jul 13 04:52:23 UTC 2016 - glin@suse.com
- Patches for efivar 0.24
+ Add mokutil-set-efi-variable-file-mode.patch to set the file
mode explicitly.
+ Add mokutil-constify-efi-guid.patch to make all efi_guild_t
variables const.
+ Refresh mokutil-support-revoke-builtin-cert.patch for the
change of efi_set_variable()
-------------------------------------------------------------------
Tue Jun 30 08:43:45 UTC 2015 - glin@suse.com
- Add mokutil-fshort-wchar.patch to make sure the UEFI strings are
UCS-2 encoding.
-------------------------------------------------------------------
Tue Nov 4 07:52:54 UTC 2014 - glin@suse.com
- Update to 0.3.0
- Add mokutil-fix-overflow.patch to fix the buffer overflow
- Drop upstreamed patches
+ mokutil-upstream-fixes.patch
+ mokutil-mokx-support.patch
+ mokutil-check-corrupted-key-list.patch
+ mokutil-check-secure-boot-support.patch
+ mokutil-clean-request.patch
+ mokutil-fix-hash-file-read.patch
+ mokutil-fix-hash-list-size.patch
+ mokutil-more-details-for-skipped-keys.patch
+ mokutil-no-invalid-x509.patch
- Refresh mokutil-support-revoke-builtin-cert.patch
-------------------------------------------------------------------
Wed Apr 16 04:11:50 UTC 2014 - glin@suse.com
- Add mokutil-fix-hash-file-read.patch to fix the error handling of
reading a hash file
-------------------------------------------------------------------
Thu Apr 10 04:44:22 UTC 2014 - glin@suse.com
- Add mokutil-check-corrupted-key-list.patch to check whether the
key list is corrupted or not
- Add mokutil-no-invalid-x509.patch to avoid importing an invalid
x509 certificate
-------------------------------------------------------------------
Mon Mar 24 07:37:39 UTC 2014 - glin@suse.com
- Add mokutil-more-details-for-skipped-keys.patch to show the
reason to skip the key
- Add mokutil-check-secure-boot-support.patch to check whether the
system supports Secure Boot or not
-------------------------------------------------------------------
Fri Feb 21 10:10:15 UTC 2014 - glin@suse.com
- Add mokutil-support-revoke-builtin-cert.patch to add an option to
revoke the built-in certificate in shim
-------------------------------------------------------------------
Wed Feb 12 10:06:31 UTC 2014 - glin@suse.com
- Add mokutil-fix-hash-list-size.patch to update the list size
after merging or deleting a hash
- Add mokutil-clean-request.patch to clean the request if all keys
are removed
-------------------------------------------------------------------
Wed Jan 22 05:55:45 UTC 2014 - glin@suse.com
- Update mokutil-mokx-support.patch to fix the test-key request
check
-------------------------------------------------------------------
Thu Dec 5 02:11:40 UTC 2013 - glin@suse.com
- Add mokutil-upstream-fixes.patch to include upstream fixes for
db signature check, gcc warnings, and error handling
- Add mokutil-mokx-support.patch to support the MOK blacklist
(FATE#316531)
-------------------------------------------------------------------
Thu Jul 25 09:13:44 UTC 2013 - glin@suse.com
- Update to 0.2.0
+ Generate the password hash with crypt() by default instead of
the original sha256 password hash
+ Add an option to import the root password hash
+ Amend error messages, help, and man page
- Drop upstreamed patches
+ mokutil-lcrypt-ldflag.patch
+ mokutil-probe-secure-boot-state.patch
+ mokutil-allow-password-from-pipe.patch
+ mokutil-bnc809703-check-pending-request.patch
+ mokutil-support-delete-keys.patch
+ mokutil-support-crypt-hash-methods.patch
+ mokutil-update-man-page.patch
+ mokutil-bnc809215-improve-wording.patch
+ mokutil-support-new-pw-hash.patch
+ mokutil-no-duplicate-keys-imported.patch
-------------------------------------------------------------------
Tue Apr 2 04:43:59 UTC 2013 - glin@suse.com
- Add mokutil-bnc809215-improve-wording.patch to make the messages
understandable (bnc#809215)
- Add mokutil-bnc809703-check-pending-request.patch to remove the
key from the pending request if necessary (bnc#809703)
-------------------------------------------------------------------
Wed Jan 30 08:00:22 UTC 2013 - glin@suse.com
- Merge patches for FATE#314506
+ Add mokutil-support-crypt-hash-methods.patch to support the
password hashes from /etc/shadow
+ Add mokutil-update-man-page.patch to update man page for the
new added options
- Add mokutil-lcrypt-ldflag.patch to correct LDFLAGS
-------------------------------------------------------------------
Fri Jan 18 10:05:27 UTC 2013 - glin@suse.com
- Update mokutil-support-new-pw-hash.patch to extend the password
hash format
-------------------------------------------------------------------
Wed Jan 16 08:41:15 UTC 2013 - glin@suse.com
- Merge patches for FATE#314506
+ Add mokutil-support-delete-keys.patch to delete specific keys
+ Add mokutil-support-new-pw-hash.patch to support the new
password format
+ Add mokutil-allow-password-from-pipe.patch to allow the
password to be generated in a script and be sent through
pipeline
- Install COPYING
-------------------------------------------------------------------
Tue Dec 11 08:07:32 UTC 2012 - glin@suse.com
- Add mokutil-probe-secure-boot-state.patch to probe the state of
secure boot
- Add mokutil-no-duplicate-keys-imported.patch to avoid importing
duplicate keys
-------------------------------------------------------------------
Wed Nov 7 08:10:45 UTC 2012 - glin@suse.com
- Add new package mokutil-0.1.0 (FATE#314510)
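
Review bot: the new top entry records "Fix an off-by-one reading passwords from a file" under 0.7.1 with no tracker reference. Because the fix is in the password-reading path, add the bsc# or CVE id if one exists so the change can be traced when it is pulled into maintenance updates. Separately, the last line of the 0.7.0 entry still carries git log decoration ("(HEAD -> master, tag: 0.7.0, ...)"); trim it to the hash and subject like the other lines in that entry.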

mokutil.spec Normal file

@ -0,0 +1,63 @@
#
# spec file for package mokutil
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: mokutil
Version: 0.7.2
Release: 0
Summary: Tools for manipulating machine owner keys
License: GPL-3.0-only
Group: Productivity/Security
URL: https://github.com/lcp/mokutil
Source: https://github.com/lcp/%{name}/archive/%{version}.tar.gz
# PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch glin@suse.com -- Disable the check of libkeyutils version
Patch1: mokutil-remove-libkeyutils-check.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: efivar-devel >= 0.12
BuildRequires: keyutils-devel >= 1.5.0
BuildRequires: libopenssl-devel >= 0.9.8
BuildRequires: pkgconfig
Requires: openssl
ExclusiveArch: x86_64 aarch64 ppc64le ppc64
%description
This program provides the means to enroll and erase the machine owner
keys (MOK) stored in the database of shim.
%prep
%setup -q
%if 0%{?suse_version} <= 1500
%patch -P 1 -p1
%endif
%build
./autogen.sh
%configure
%make_build
%install
%make_install
%files
%license COPYING
%{_bindir}/mokutil
%{_mandir}/man?/*
%dir %{_datadir}/bash-completion/completions/
%{_datadir}/bash-completion/completions/mokutil
%changelog
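
Review bot: Requires: openssl looks stale. The changelog in this commit says it was added because the modhash script needed it (Thu Mar 21 2019 entry) and that modhash was later removed (Fri Aug 18 2023 entry, bsc#1214358), and %files installs only the mokutil binary, the man pages and the bash completion. Drop the runtime dependency unless something else still calls the openssl command. It would also help to give the Source a distinctive local name, for example by appending #/%{name}-%{version}.tar.gz to the URL, instead of storing bare 0.7.2.tar.gz.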