pool/pesign-obs-integration
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 982769 from home:gmbr3:POBSI

Browse Source 
- Update to version 10.2+git20220504.8690743:
  * Don't repackage aarch64_ilp32 *-64bit packages
  * Use pesign for signing on riscv64
  * Add padding to grub signature correctly (jsc#SLE-18271 bsc#1192764).
  * kernel-sign-file: Support appending verbatim PKCS#7 signature.
  * kernel-sign-file: Move x509 parsing into a function.
  * Support ppc grub signing (jsc#SLE-18271 bsc#1192764).
  * Handle packages with epochs as well
  * Turn off rpm fatal warnings for noarch packages
- Upstreamed patches:
  * 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
  * 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
  * 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
  * 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
- Added patches:
  * order.patch - support OrderWithRequires

OBS-URL: https://build.opensuse.org/request/show/982769
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=111
This commit is contained in:
Dirk Mueller 2022-06-16 07:55:52 +00:00 committed by Git OBS Bridge
parent b63590e396
commit 14512d1906
11 changed files with 51 additions and 526 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
View File

@ -1,86 +0,0 @@
From 13efe2232909a600531142959b2e4380af46676f Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 23 Nov 2021 16:40:27 +0100
Subject: [PATCH 1/4] Support ppc grub signing (jsc#SLE-18271 bsc#1192764).
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
brp-99-pesign | 14 ++++++++++++++
pesign-repackage.spec.in | 22 +++++++++++++++++++++-
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/brp-99-pesign b/brp-99-pesign
index 0e415d6..c6e9d54 100644
--- a/brp-99-pesign
+++ b/brp-99-pesign
@@ -58,6 +58,19 @@ if ! mkdir -p "$output"; then
exit 0
fi
+case "$BRP_PESIGN_GRUB_RESERVATION" in
+ '')
+ pesign_grub_reservation="0"
+ ;;
+ *[!0-9]*)
+ echo "$0: warning: non-numerc value '$BRP_PESIGN_GRUB_RESERVATION' of BRP_PESIGN_GRUB_RESERVATION" >&2
+ pesign_grub_reservation="0"
+ ;;
+ *)
+ pesign_grub_reservation="${BRP_PESIGN_GRUB_RESERVATION}"
+ ;;
+esac
+
if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then
pesign_repackage_compress="--compress xz"
elif test "${BRP_PESIGN_COMPRESS_MODULE}" = "gzip"; then
@@ -77,6 +90,7 @@ else
fi
sed "
s:@NAME@:$RPM_PACKAGE_NAME:g
+ s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g
s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
/@CERT@/ {
r $cert
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index eebc609..f473fa1 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -126,7 +126,7 @@ sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
for sig in "${sigs[@]}"; do
f=%buildroot/${sig%.sig}
case "/$sig" in
- *.ko.sig)
+ *.ko.sig|*.mod.sig)
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
;;
/boot/* | *.efi.sig | */lib/modules/*/vmlinu[xz].sig | */lib/modules/*/[Ii]mage.sig | */lib/modules/*/z[Ii]mage.sig)
@@ -157,6 +157,26 @@ for sig in "${sigs[@]}"; do
*stage3.bin.sig)
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
;;
+ *grub.elf.sig)
+ sig_size="$(wc -c < "$sig")"
+ unsigned_grub_size="$(wc -c < "$f")"
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest
+ signed_grub_size="$(wc -c < "$f".appendtest)"
+ rm "$f".appendtest
+ footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")"
+ if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then
+ echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
+ exit 1
+ fi
+ sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
+ truncate -s $sig_size "$sig"
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+ grub_size="$(wc -c < "$f")"
+ if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
+ echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)"
+ exit 1
+ fi
+ ;;
*)
echo "Warning: unhandled signature: $sig" >&2
esac
--
2.34.1

260
0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
View File

@ -1,260 +0,0 @@
From 85f8f72c2f055ca2fa48ec1e7ad7911e8e3744ad Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 4 Jan 2022 12:49:54 +0100
Subject: [PATCH 2/4] kernel-sign-file: Move x509 parsing into a function.
This should not introduce any functionality change but next patch will
make the parsing optional.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
kernel-sign-file | 201 +++++++++++++++++++++++++----------------------
1 file changed, 106 insertions(+), 95 deletions(-)
diff --git a/kernel-sign-file b/kernel-sign-file
index ce76a40..2e5b7aa 100755
--- a/kernel-sign-file
+++ b/kernel-sign-file
@@ -226,113 +226,119 @@ sub asn1_pack($@)
# Roughly parse the X.509 certificate
#
###############################################################################
-my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
-
-my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
-my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
-my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
-my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER);
-my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
-my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
-my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
-
-my $subject_key_id = ();
-my $authority_key_id = ();
-
-#
-# Parse the extension list
-#
-if ($extension_list->[0] != -1) {
- my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE);
-
- while ($extensions->[1]->[1] > 0) {
- my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
- my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
- my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
- my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
+sub parse_certificate($)
+{
+ my ($x509_certificate) = @_;
+ my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
+ my %result;
+
+ my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
+ my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
+ my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
+ $result{serial_number} = asn1_extract($tbs->[1], $UNIV | $INTEGER);
+ my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ $result{issuer} = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
+ my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
+ my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
+
+ $result{subject_key_id} = ();
+ my $authority_key_id = ();
+
+ #
+ # Parse the extension list
+ #
+ if ($extension_list->[0] != -1) {
+ my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE);
+
+ while ($extensions->[1]->[1] > 0) {
+ my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
+ my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
+ my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
+ my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
+
+ my $raw_oid = asn1_retrieve($x_oid->[1]);
+ next if (!exists($OIDs{$raw_oid}));
+ my $x_type = $OIDs{$raw_oid};
+
+ my $raw_value = asn1_retrieve($x_val->[1]);
+
+ if ($x_type eq "subjectKeyIdentifier") {
+ my $vcursor = [ 0, length($raw_value), \$raw_value ];
+
+ $result{subject_key_id} = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
+ }
+ }
+ }
- my $raw_oid = asn1_retrieve($x_oid->[1]);
+ ###############################################################################
+ #
+ # Determine what we're going to use as the signer's name. In order of
+ # preference, take one of: commonName, organizationName or emailAddress.
+ #
+ ###############################################################################
+ my $org = "";
+ my $cn = "";
+ my $email = "";
+
+ while ($subject->[1]->[1] > 0) {
+ my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
+ my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
+ my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
+ my $n_val = asn1_extract($attr->[1], -1);
+
+ my $raw_oid = asn1_retrieve($n_oid->[1]);
next if (!exists($OIDs{$raw_oid}));
- my $x_type = $OIDs{$raw_oid};
-
- my $raw_value = asn1_retrieve($x_val->[1]);
+ my $n_type = $OIDs{$raw_oid};
- if ($x_type eq "subjectKeyIdentifier") {
- my $vcursor = [ 0, length($raw_value), \$raw_value ];
+ my $raw_value = asn1_retrieve($n_val->[1]);
- $subject_key_id = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
+ if ($n_type eq "organizationName") {
+ $org = $raw_value;
+ } elsif ($n_type eq "commonName") {
+ $cn = $raw_value;
+ } elsif ($n_type eq "emailAddress") {
+ $email = $raw_value;
}
}
-}
-###############################################################################
-#
-# Determine what we're going to use as the signer's name. In order of
-# preference, take one of: commonName, organizationName or emailAddress.
-#
-###############################################################################
-my $org = "";
-my $cn = "";
-my $email = "";
-
-while ($subject->[1]->[1] > 0) {
- my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
- my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
- my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
- my $n_val = asn1_extract($attr->[1], -1);
-
- my $raw_oid = asn1_retrieve($n_oid->[1]);
- next if (!exists($OIDs{$raw_oid}));
- my $n_type = $OIDs{$raw_oid};
-
- my $raw_value = asn1_retrieve($n_val->[1]);
-
- if ($n_type eq "organizationName") {
- $org = $raw_value;
- } elsif ($n_type eq "commonName") {
- $cn = $raw_value;
- } elsif ($n_type eq "emailAddress") {
- $email = $raw_value;
- }
-}
+ $result{signers_name} = $email;
-my $signers_name = $email;
+ if ($org && $cn) {
+ # Don't use the organizationName if the commonName repeats it
+ if (length($org) <= length($cn) &&
+ substr($cn, 0, length($org)) eq $org) {
+ $result{signers_name} = $cn;
+ goto got_id_name;
+ }
-if ($org && $cn) {
- # Don't use the organizationName if the commonName repeats it
- if (length($org) <= length($cn) &&
- substr($cn, 0, length($org)) eq $org) {
- $signers_name = $cn;
- goto got_id_name;
- }
+ # Or a signifcant chunk of it
+ if (length($org) >= 7 &&
+ length($cn) >= 7 &&
+ substr($cn, 0, 7) eq substr($org, 0, 7)) {
+ $result{signers_name} = $cn;
+ goto got_id_name;
+ }
- # Or a signifcant chunk of it
- if (length($org) >= 7 &&
- length($cn) >= 7 &&
- substr($cn, 0, 7) eq substr($org, 0, 7)) {
- $signers_name = $cn;
- goto got_id_name;
+ $result{signers_name} = $org . ": " . $cn;
+ } elsif ($org) {
+ $result{signers_name} = $org;
+ } elsif ($cn) {
+ $result{signers_name} = $cn;
}
- $signers_name = $org . ": " . $cn;
-} elsif ($org) {
- $signers_name = $org;
-} elsif ($cn) {
- $signers_name = $cn;
-}
+ got_id_name:
-got_id_name:
+ die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
+ if (!$result{subject_key_id});
-die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
- if (!$subject_key_id);
-
-my $key_identifier = asn1_retrieve($subject_key_id->[1]);
+ $result{key_identifier} = asn1_retrieve($result{subject_key_id}->[1]);
+ return %result;
+}
###############################################################################
#
# Create and attach the module signature
@@ -430,8 +436,13 @@ if ($signature_file) {
"openssl rsautl -sign -inkey $private_key -keyform PEM");
}
+my %certdata = parse_certificate($x509_certificate);
+my $signers_name;
+my $key_identifier;
if ($id_type == 1) {
$signature = pack("n", length($signature)) . $signature,
+ $signers_name = $certdata{signers_name};
+ $key_identifier = $certdata{key_identifier};
} elsif ($id_type == 2) {
# create PKCS7 signature
$signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
@@ -439,10 +450,10 @@ if ($id_type == 1) {
my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
- my $si_issuer = asn1_pack($issuer->[0], asn1_retrieve($issuer->[1]));
- my $si_serial = asn1_pack($serial_number->[0], asn1_retrieve($serial_number->[1]));
+ my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
+ my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
- my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($subject_key_id->[1]));
+ my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
--
2.34.1

116
0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
View File

@ -1,116 +0,0 @@
From 68baaf0ca940712d4cfbe5d7c55bc8407efc19ce Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 4 Jan 2022 12:29:21 +0100
Subject: [PATCH 3/4] kernel-sign-file: Support appending verbatim PKCS#7
signature.
When existing signature is specified upstream appends it verbatim as
PKCS#7 but kernel-ding-file assumes it's raw RSA signature and wraps
PKCS#7 around it beforee appending.
Because the certificate is not required for just dumping the whole
signature after the data but is required to create the PKCS#7 wrapper we
can support both. When a certificate is specified create a wrapper, when
not just copy the signature without touching it.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
kernel-sign-file | 60 +++++++++++++++++++++++++++++-------------------
1 file changed, 37 insertions(+), 23 deletions(-)
diff --git a/kernel-sign-file b/kernel-sign-file
index 2e5b7aa..9cacefb 100755
--- a/kernel-sign-file
+++ b/kernel-sign-file
@@ -42,7 +42,6 @@ if (@ARGV) {
die "Can't read private key\n" if (!$signature_file && !-r $private_key);
die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
-die "Can't read X.509 certificate\n" unless (-r $x509);
die "Can't read module\n" unless (-r $module);
#
@@ -99,7 +98,6 @@ sub openssl_pipe($$) {
# we're intending to use to sign the module.
#
###############################################################################
-my $x509_certificate = read_file($x509);
my $UNIV = 0 << 6;
my $APPL = 1 << 6;
@@ -436,35 +434,51 @@ if ($signature_file) {
"openssl rsautl -sign -inkey $private_key -keyform PEM");
}
-my %certdata = parse_certificate($x509_certificate);
+my %certdata;
my $signers_name;
my $key_identifier;
+my $x509_certificate;
if ($id_type == 1) {
+ die "Can't read X.509 certificate\n" unless (-r $x509);
+ $x509_certificate = read_file($x509);
+ %certdata = parse_certificate($x509_certificate);
$signature = pack("n", length($signature)) . $signature,
$signers_name = $certdata{signers_name};
$key_identifier = $certdata{key_identifier};
} elsif ($id_type == 2) {
# create PKCS7 signature
- $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
- my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1)));
- my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
- my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
- my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
- my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
- my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
- my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
- my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
- my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
- my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
- my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
- my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
- my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
- my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
- my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1));
- my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
- my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set);
- my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2));
- $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid));
+ if ($x509) {
+ die "Can't read X.509 certificate\n" unless (-r $x509);
+ $x509_certificate = read_file($x509);
+ } else {
+ print "No certificate specified, assuming pre-built PKCS#7 signature.\n" if ($verbose);
+ $x509_certificate = '';
+ }
+ if ($x509_certificate) {
+ %certdata = parse_certificate($x509_certificate);
+ $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
+ my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1)));
+ my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
+ my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
+ my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
+ my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
+ my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
+ my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
+ my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
+ my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
+ my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
+ my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
+ my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
+ my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
+ my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
+ my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1));
+ my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
+ my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set);
+ my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2));
+ $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid));
+ } else {
+ print "Certificate is empty, assuming pre-built PKCS#7 signature.\n" if ($verbose);
+ }
# zero out unneeded entries
$signers_name = '';
$key_identifier = '';
--
2.34.1

50
0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
View File

@ -1,50 +0,0 @@
From 5b255595f4101b136db55538a59ef5b1fc3439e5 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Tue, 4 Jan 2022 12:20:36 +0100
Subject: [PATCH 4/4] Add padding to grub signature correctly (jsc#SLE-18271
bsc#1192764).
Upstream sign-file supports including whole PKCS#7 signature verbatim
while kernel-sign-file supports building PKCS#7 around raw RSA signature
as provided by OBS. Now kernel-sign-file also supports what upstream
does so make use of it. First wrap PKCS#7 around the RSA signature, then
pad, then append.
Fixes: 13efe22 ("Support ppc grub signing (jsc#SLE-18271 bsc#1192764).")
---
pesign-repackage.spec.in | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index f473fa1..8c07fc4 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -160,17 +160,18 @@ for sig in "${sigs[@]}"; do
*grub.elf.sig)
sig_size="$(wc -c < "$sig")"
unsigned_grub_size="$(wc -c < "$f")"
- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest
- signed_grub_size="$(wc -c < "$f".appendtest)"
- rm "$f".appendtest
- footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")"
+ /usr/lib/rpm/pesign/kernel-sign-file -vpd -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+ sig_size="$(wc -c < "$f.p7s")"
+ footer_size=40
+ grub_size="$(wc -c < "$f")"
if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then
- echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
+ echo "size of '$f.p7s' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
exit 1
fi
sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
- truncate -s $sig_size "$sig"
- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+ truncate -s $sig_size "$f.p7s"
+ /usr/lib/rpm/pesign/kernel-sign-file -v -i pkcs7 -s "$f.p7s" sha256 "" "$f"
+ rm "$f.p7s"
grub_size="$(wc -c < "$f")"
if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)"
--
2.34.1

2
_servicedata
View File

@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
<param name="changesrevision">ceb23130f31ccfc02049b944bd82167678186d27</param></service></servicedata>
<param name="changesrevision">8690743c1c82e6a37d50c522ba01b4f34c2cb795</param></service></servicedata>

21
order.patch Normal file
View File

@ -0,0 +1,21 @@
From 729accc5eeefbd6accfa3244ce5c5dbd868e6d63 Mon Sep 17 00:00:00 2001
From: Callum Farmer <gmbr3@opensuse.org>
Date: Thu, 21 Apr 2022 11:17:36 +0100
Subject: [PATCH] Support OrderWithRequires
---
pesign-gen-repackage-spec | 1 +
1 file changed, 1 insertion(+)
diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
index ca493f6..8746a52 100755
--- a/pesign-gen-repackage-spec
+++ b/pesign-gen-repackage-spec
@@ -130,6 +130,7 @@ my %dep2tag = (
enhances => "enhance",
recommends => "recommend",
supplements => "supplement",
+ orderwithrequires => "order",
);
# specfile scriptlet => rpm tag name

3
pesign-obs-integration-10.2+git20210804.ff18da1.obscpio
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2f2ed79ed4651e5a02937cd17e761ae4f863c9098fad88de91b86ec4fc869b07
size 130059

BIN
pesign-obs-integration-10.2+git20220504.8690743.obscpio (Stored with Git LFS) Normal file
View File

Binary file not shown.

20
pesign-obs-integration.changes
View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Wed Jun 15 11:13:51 UTC 2022 - gmbr3@opensuse.org
- Update to version 10.2+git20220504.8690743:
* Don't repackage aarch64_ilp32 *-64bit packages
* Use pesign for signing on riscv64
* Add padding to grub signature correctly (jsc#SLE-18271 bsc#1192764).
* kernel-sign-file: Support appending verbatim PKCS#7 signature.
* kernel-sign-file: Move x509 parsing into a function.
* Support ppc grub signing (jsc#SLE-18271 bsc#1192764).
* Handle packages with epochs as well
* Turn off rpm fatal warnings for noarch packages
- Upstreamed patches:
* 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
* 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
* 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
* 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
- Added patches:
* order.patch - support OrderWithRequires
-------------------------------------------------------------------
Fri Jan 21 08:49:34 UTC 2022 - Michal Suchanek <msuchanek@suse.com>

7
pesign-obs-integration.obsinfo
View File

@ -1,5 +1,4 @@
name: pesign-obs-integration
version: 10.2+git20210804.ff18da1
mtime: 1628080410
commit: ff18da1d43b41939a4cb0fc85f1d3713de0ed3c2
version: 10.2+git20220504.8690743
mtime: 1651698422
commit: 8690743c1c82e6a37d50c522ba01b4f34c2cb795

9
pesign-obs-integration.spec
View File

@ -18,24 +18,21 @@
Name: pesign-obs-integration
Version: 10.2+git20210804.ff18da1
Version: 10.2+git20220504.8690743
Release: 0
Summary: Macros and scripts to sign the kernel and bootloader
License: GPL-2.0-only
Group: Development/Tools/Other
URL: https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
Source: %{name}-%{version}.tar.gz
Patch1: 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
Patch2: 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
Patch3: 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
Patch4: 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
Patch: order.patch
BuildRequires: openssl
Requires: fipscheck
Requires: mozilla-nss-tools
Requires: openssl
# suse-module-tools <= 15.0.10 contains modsign-verify
Requires: suse-module-tools >= 15.0.10
%ifarch %{ix86} x86_64 ia64 aarch64 %{arm}
%ifarch %{ix86} x86_64 ia64 aarch64 %{arm} riscv64
Requires: pesign
%endif