Accepting request 982769 from home:gmbr3:POBSI
- Update to version 10.2+git20220504.8690743: * Don't repackage aarch64_ilp32 *-64bit packages * Use pesign for signing on riscv64 * Add padding to grub signature correctly (jsc#SLE-18271 bsc#1192764). * kernel-sign-file: Support appending verbatim PKCS#7 signature. * kernel-sign-file: Move x509 parsing into a function. * Support ppc grub signing (jsc#SLE-18271 bsc#1192764). * Handle packages with epochs as well * Turn off rpm fatal warnings for noarch packages - Upstreamed patches: * 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch * 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch * 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch * 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch - Added patches: * order.patch - support OrderWithRequires OBS-URL: https://build.opensuse.org/request/show/982769 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=111
This commit is contained in:
parent
b63590e396
commit
14512d1906
@ -1,86 +0,0 @@
|
||||
From 13efe2232909a600531142959b2e4380af46676f Mon Sep 17 00:00:00 2001
|
||||
From: Michal Suchanek <msuchanek@suse.de>
|
||||
Date: Tue, 23 Nov 2021 16:40:27 +0100
|
||||
Subject: [PATCH 1/4] Support ppc grub signing (jsc#SLE-18271 bsc#1192764).
|
||||
|
||||
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
||||
---
|
||||
brp-99-pesign | 14 ++++++++++++++
|
||||
pesign-repackage.spec.in | 22 +++++++++++++++++++++-
|
||||
2 files changed, 35 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/brp-99-pesign b/brp-99-pesign
|
||||
index 0e415d6..c6e9d54 100644
|
||||
--- a/brp-99-pesign
|
||||
+++ b/brp-99-pesign
|
||||
@@ -58,6 +58,19 @@ if ! mkdir -p "$output"; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
+case "$BRP_PESIGN_GRUB_RESERVATION" in
|
||||
+ '')
|
||||
+ pesign_grub_reservation="0"
|
||||
+ ;;
|
||||
+ *[!0-9]*)
|
||||
+ echo "$0: warning: non-numerc value '$BRP_PESIGN_GRUB_RESERVATION' of BRP_PESIGN_GRUB_RESERVATION" >&2
|
||||
+ pesign_grub_reservation="0"
|
||||
+ ;;
|
||||
+ *)
|
||||
+ pesign_grub_reservation="${BRP_PESIGN_GRUB_RESERVATION}"
|
||||
+ ;;
|
||||
+esac
|
||||
+
|
||||
if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then
|
||||
pesign_repackage_compress="--compress xz"
|
||||
elif test "${BRP_PESIGN_COMPRESS_MODULE}" = "gzip"; then
|
||||
@@ -77,6 +90,7 @@ else
|
||||
fi
|
||||
sed "
|
||||
s:@NAME@:$RPM_PACKAGE_NAME:g
|
||||
+ s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g
|
||||
s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
|
||||
/@CERT@/ {
|
||||
r $cert
|
||||
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
|
||||
index eebc609..f473fa1 100644
|
||||
--- a/pesign-repackage.spec.in
|
||||
+++ b/pesign-repackage.spec.in
|
||||
@@ -126,7 +126,7 @@ sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
|
||||
for sig in "${sigs[@]}"; do
|
||||
f=%buildroot/${sig%.sig}
|
||||
case "/$sig" in
|
||||
- *.ko.sig)
|
||||
+ *.ko.sig|*.mod.sig)
|
||||
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
|
||||
;;
|
||||
/boot/* | *.efi.sig | */lib/modules/*/vmlinu[xz].sig | */lib/modules/*/[Ii]mage.sig | */lib/modules/*/z[Ii]mage.sig)
|
||||
@@ -157,6 +157,26 @@ for sig in "${sigs[@]}"; do
|
||||
*stage3.bin.sig)
|
||||
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
|
||||
;;
|
||||
+ *grub.elf.sig)
|
||||
+ sig_size="$(wc -c < "$sig")"
|
||||
+ unsigned_grub_size="$(wc -c < "$f")"
|
||||
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest
|
||||
+ signed_grub_size="$(wc -c < "$f".appendtest)"
|
||||
+ rm "$f".appendtest
|
||||
+ footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")"
|
||||
+ if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then
|
||||
+ echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
|
||||
+ exit 1
|
||||
+ fi
|
||||
+ sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
|
||||
+ truncate -s $sig_size "$sig"
|
||||
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
|
||||
+ grub_size="$(wc -c < "$f")"
|
||||
+ if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
|
||||
+ echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)"
|
||||
+ exit 1
|
||||
+ fi
|
||||
+ ;;
|
||||
*)
|
||||
echo "Warning: unhandled signature: $sig" >&2
|
||||
esac
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,260 +0,0 @@
|
||||
From 85f8f72c2f055ca2fa48ec1e7ad7911e8e3744ad Mon Sep 17 00:00:00 2001
|
||||
From: Michal Suchanek <msuchanek@suse.de>
|
||||
Date: Tue, 4 Jan 2022 12:49:54 +0100
|
||||
Subject: [PATCH 2/4] kernel-sign-file: Move x509 parsing into a function.
|
||||
|
||||
This should not introduce any functionality change but next patch will
|
||||
make the parsing optional.
|
||||
|
||||
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
||||
---
|
||||
kernel-sign-file | 201 +++++++++++++++++++++++++----------------------
|
||||
1 file changed, 106 insertions(+), 95 deletions(-)
|
||||
|
||||
diff --git a/kernel-sign-file b/kernel-sign-file
|
||||
index ce76a40..2e5b7aa 100755
|
||||
--- a/kernel-sign-file
|
||||
+++ b/kernel-sign-file
|
||||
@@ -226,113 +226,119 @@ sub asn1_pack($@)
|
||||
# Roughly parse the X.509 certificate
|
||||
#
|
||||
###############################################################################
|
||||
-my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
|
||||
-
|
||||
-my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
|
||||
-my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
-my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
|
||||
-my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER);
|
||||
-my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
-my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
-my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
-my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
-my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
-my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
|
||||
-my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
|
||||
-my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
|
||||
-
|
||||
-my $subject_key_id = ();
|
||||
-my $authority_key_id = ();
|
||||
-
|
||||
-#
|
||||
-# Parse the extension list
|
||||
-#
|
||||
-if ($extension_list->[0] != -1) {
|
||||
- my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
-
|
||||
- while ($extensions->[1]->[1] > 0) {
|
||||
- my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
- my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
|
||||
- my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
|
||||
- my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
|
||||
+sub parse_certificate($)
|
||||
+{
|
||||
+ my ($x509_certificate) = @_;
|
||||
+ my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
|
||||
+ my %result;
|
||||
+
|
||||
+ my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
|
||||
+ my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
+ my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
|
||||
+ $result{serial_number} = asn1_extract($tbs->[1], $UNIV | $INTEGER);
|
||||
+ my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
+ $result{issuer} = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
+ my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
+ my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
+ my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
+ my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
|
||||
+ my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
|
||||
+ my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
|
||||
+
|
||||
+ $result{subject_key_id} = ();
|
||||
+ my $authority_key_id = ();
|
||||
+
|
||||
+ #
|
||||
+ # Parse the extension list
|
||||
+ #
|
||||
+ if ($extension_list->[0] != -1) {
|
||||
+ my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
+
|
||||
+ while ($extensions->[1]->[1] > 0) {
|
||||
+ my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
+ my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
|
||||
+ my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
|
||||
+ my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
|
||||
+
|
||||
+ my $raw_oid = asn1_retrieve($x_oid->[1]);
|
||||
+ next if (!exists($OIDs{$raw_oid}));
|
||||
+ my $x_type = $OIDs{$raw_oid};
|
||||
+
|
||||
+ my $raw_value = asn1_retrieve($x_val->[1]);
|
||||
+
|
||||
+ if ($x_type eq "subjectKeyIdentifier") {
|
||||
+ my $vcursor = [ 0, length($raw_value), \$raw_value ];
|
||||
+
|
||||
+ $result{subject_key_id} = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- my $raw_oid = asn1_retrieve($x_oid->[1]);
|
||||
+ ###############################################################################
|
||||
+ #
|
||||
+ # Determine what we're going to use as the signer's name. In order of
|
||||
+ # preference, take one of: commonName, organizationName or emailAddress.
|
||||
+ #
|
||||
+ ###############################################################################
|
||||
+ my $org = "";
|
||||
+ my $cn = "";
|
||||
+ my $email = "";
|
||||
+
|
||||
+ while ($subject->[1]->[1] > 0) {
|
||||
+ my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
|
||||
+ my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
+ my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
|
||||
+ my $n_val = asn1_extract($attr->[1], -1);
|
||||
+
|
||||
+ my $raw_oid = asn1_retrieve($n_oid->[1]);
|
||||
next if (!exists($OIDs{$raw_oid}));
|
||||
- my $x_type = $OIDs{$raw_oid};
|
||||
-
|
||||
- my $raw_value = asn1_retrieve($x_val->[1]);
|
||||
+ my $n_type = $OIDs{$raw_oid};
|
||||
|
||||
- if ($x_type eq "subjectKeyIdentifier") {
|
||||
- my $vcursor = [ 0, length($raw_value), \$raw_value ];
|
||||
+ my $raw_value = asn1_retrieve($n_val->[1]);
|
||||
|
||||
- $subject_key_id = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
|
||||
+ if ($n_type eq "organizationName") {
|
||||
+ $org = $raw_value;
|
||||
+ } elsif ($n_type eq "commonName") {
|
||||
+ $cn = $raw_value;
|
||||
+ } elsif ($n_type eq "emailAddress") {
|
||||
+ $email = $raw_value;
|
||||
}
|
||||
}
|
||||
-}
|
||||
|
||||
-###############################################################################
|
||||
-#
|
||||
-# Determine what we're going to use as the signer's name. In order of
|
||||
-# preference, take one of: commonName, organizationName or emailAddress.
|
||||
-#
|
||||
-###############################################################################
|
||||
-my $org = "";
|
||||
-my $cn = "";
|
||||
-my $email = "";
|
||||
-
|
||||
-while ($subject->[1]->[1] > 0) {
|
||||
- my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
|
||||
- my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
|
||||
- my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
|
||||
- my $n_val = asn1_extract($attr->[1], -1);
|
||||
-
|
||||
- my $raw_oid = asn1_retrieve($n_oid->[1]);
|
||||
- next if (!exists($OIDs{$raw_oid}));
|
||||
- my $n_type = $OIDs{$raw_oid};
|
||||
-
|
||||
- my $raw_value = asn1_retrieve($n_val->[1]);
|
||||
-
|
||||
- if ($n_type eq "organizationName") {
|
||||
- $org = $raw_value;
|
||||
- } elsif ($n_type eq "commonName") {
|
||||
- $cn = $raw_value;
|
||||
- } elsif ($n_type eq "emailAddress") {
|
||||
- $email = $raw_value;
|
||||
- }
|
||||
-}
|
||||
+ $result{signers_name} = $email;
|
||||
|
||||
-my $signers_name = $email;
|
||||
+ if ($org && $cn) {
|
||||
+ # Don't use the organizationName if the commonName repeats it
|
||||
+ if (length($org) <= length($cn) &&
|
||||
+ substr($cn, 0, length($org)) eq $org) {
|
||||
+ $result{signers_name} = $cn;
|
||||
+ goto got_id_name;
|
||||
+ }
|
||||
|
||||
-if ($org && $cn) {
|
||||
- # Don't use the organizationName if the commonName repeats it
|
||||
- if (length($org) <= length($cn) &&
|
||||
- substr($cn, 0, length($org)) eq $org) {
|
||||
- $signers_name = $cn;
|
||||
- goto got_id_name;
|
||||
- }
|
||||
+ # Or a signifcant chunk of it
|
||||
+ if (length($org) >= 7 &&
|
||||
+ length($cn) >= 7 &&
|
||||
+ substr($cn, 0, 7) eq substr($org, 0, 7)) {
|
||||
+ $result{signers_name} = $cn;
|
||||
+ goto got_id_name;
|
||||
+ }
|
||||
|
||||
- # Or a signifcant chunk of it
|
||||
- if (length($org) >= 7 &&
|
||||
- length($cn) >= 7 &&
|
||||
- substr($cn, 0, 7) eq substr($org, 0, 7)) {
|
||||
- $signers_name = $cn;
|
||||
- goto got_id_name;
|
||||
+ $result{signers_name} = $org . ": " . $cn;
|
||||
+ } elsif ($org) {
|
||||
+ $result{signers_name} = $org;
|
||||
+ } elsif ($cn) {
|
||||
+ $result{signers_name} = $cn;
|
||||
}
|
||||
|
||||
- $signers_name = $org . ": " . $cn;
|
||||
-} elsif ($org) {
|
||||
- $signers_name = $org;
|
||||
-} elsif ($cn) {
|
||||
- $signers_name = $cn;
|
||||
-}
|
||||
+ got_id_name:
|
||||
|
||||
-got_id_name:
|
||||
+ die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
|
||||
+ if (!$result{subject_key_id});
|
||||
|
||||
-die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
|
||||
- if (!$subject_key_id);
|
||||
-
|
||||
-my $key_identifier = asn1_retrieve($subject_key_id->[1]);
|
||||
+ $result{key_identifier} = asn1_retrieve($result{subject_key_id}->[1]);
|
||||
|
||||
+ return %result;
|
||||
+}
|
||||
###############################################################################
|
||||
#
|
||||
# Create and attach the module signature
|
||||
@@ -430,8 +436,13 @@ if ($signature_file) {
|
||||
"openssl rsautl -sign -inkey $private_key -keyform PEM");
|
||||
}
|
||||
|
||||
+my %certdata = parse_certificate($x509_certificate);
|
||||
+my $signers_name;
|
||||
+my $key_identifier;
|
||||
if ($id_type == 1) {
|
||||
$signature = pack("n", length($signature)) . $signature,
|
||||
+ $signers_name = $certdata{signers_name};
|
||||
+ $key_identifier = $certdata{key_identifier};
|
||||
} elsif ($id_type == 2) {
|
||||
# create PKCS7 signature
|
||||
$signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
|
||||
@@ -439,10 +450,10 @@ if ($id_type == 1) {
|
||||
my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
|
||||
my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
|
||||
my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
|
||||
- my $si_issuer = asn1_pack($issuer->[0], asn1_retrieve($issuer->[1]));
|
||||
- my $si_serial = asn1_pack($serial_number->[0], asn1_retrieve($serial_number->[1]));
|
||||
+ my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
|
||||
+ my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
|
||||
my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
|
||||
- my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($subject_key_id->[1]));
|
||||
+ my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
|
||||
my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
|
||||
my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
|
||||
my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,116 +0,0 @@
|
||||
From 68baaf0ca940712d4cfbe5d7c55bc8407efc19ce Mon Sep 17 00:00:00 2001
|
||||
From: Michal Suchanek <msuchanek@suse.de>
|
||||
Date: Tue, 4 Jan 2022 12:29:21 +0100
|
||||
Subject: [PATCH 3/4] kernel-sign-file: Support appending verbatim PKCS#7
|
||||
signature.
|
||||
|
||||
When existing signature is specified upstream appends it verbatim as
|
||||
PKCS#7 but kernel-ding-file assumes it's raw RSA signature and wraps
|
||||
PKCS#7 around it beforee appending.
|
||||
|
||||
Because the certificate is not required for just dumping the whole
|
||||
signature after the data but is required to create the PKCS#7 wrapper we
|
||||
can support both. When a certificate is specified create a wrapper, when
|
||||
not just copy the signature without touching it.
|
||||
|
||||
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
|
||||
---
|
||||
kernel-sign-file | 60 +++++++++++++++++++++++++++++-------------------
|
||||
1 file changed, 37 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/kernel-sign-file b/kernel-sign-file
|
||||
index 2e5b7aa..9cacefb 100755
|
||||
--- a/kernel-sign-file
|
||||
+++ b/kernel-sign-file
|
||||
@@ -42,7 +42,6 @@ if (@ARGV) {
|
||||
|
||||
die "Can't read private key\n" if (!$signature_file && !-r $private_key);
|
||||
die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
|
||||
-die "Can't read X.509 certificate\n" unless (-r $x509);
|
||||
die "Can't read module\n" unless (-r $module);
|
||||
|
||||
#
|
||||
@@ -99,7 +98,6 @@ sub openssl_pipe($$) {
|
||||
# we're intending to use to sign the module.
|
||||
#
|
||||
###############################################################################
|
||||
-my $x509_certificate = read_file($x509);
|
||||
|
||||
my $UNIV = 0 << 6;
|
||||
my $APPL = 1 << 6;
|
||||
@@ -436,35 +434,51 @@ if ($signature_file) {
|
||||
"openssl rsautl -sign -inkey $private_key -keyform PEM");
|
||||
}
|
||||
|
||||
-my %certdata = parse_certificate($x509_certificate);
|
||||
+my %certdata;
|
||||
my $signers_name;
|
||||
my $key_identifier;
|
||||
+my $x509_certificate;
|
||||
if ($id_type == 1) {
|
||||
+ die "Can't read X.509 certificate\n" unless (-r $x509);
|
||||
+ $x509_certificate = read_file($x509);
|
||||
+ %certdata = parse_certificate($x509_certificate);
|
||||
$signature = pack("n", length($signature)) . $signature,
|
||||
$signers_name = $certdata{signers_name};
|
||||
$key_identifier = $certdata{key_identifier};
|
||||
} elsif ($id_type == 2) {
|
||||
# create PKCS7 signature
|
||||
- $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
|
||||
- my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1)));
|
||||
- my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
|
||||
- my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
|
||||
- my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
|
||||
- my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
|
||||
- my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
|
||||
- my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
|
||||
- my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
|
||||
- my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
|
||||
- my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
|
||||
- my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
|
||||
- my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
|
||||
- my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
|
||||
- my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
|
||||
- my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1));
|
||||
- my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
|
||||
- my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set);
|
||||
- my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2));
|
||||
- $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid));
|
||||
+ if ($x509) {
|
||||
+ die "Can't read X.509 certificate\n" unless (-r $x509);
|
||||
+ $x509_certificate = read_file($x509);
|
||||
+ } else {
|
||||
+ print "No certificate specified, assuming pre-built PKCS#7 signature.\n" if ($verbose);
|
||||
+ $x509_certificate = '';
|
||||
+ }
|
||||
+ if ($x509_certificate) {
|
||||
+ %certdata = parse_certificate($x509_certificate);
|
||||
+ $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
|
||||
+ my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1)));
|
||||
+ my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
|
||||
+ my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
|
||||
+ my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
|
||||
+ my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
|
||||
+ my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
|
||||
+ my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
|
||||
+ my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
|
||||
+ my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
|
||||
+ my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
|
||||
+ my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
|
||||
+ my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
|
||||
+ my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
|
||||
+ my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
|
||||
+ my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1));
|
||||
+ my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
|
||||
+ my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set);
|
||||
+ my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2));
|
||||
+ $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid));
|
||||
+ } else {
|
||||
+ print "Certificate is empty, assuming pre-built PKCS#7 signature.\n" if ($verbose);
|
||||
+ }
|
||||
# zero out unneeded entries
|
||||
$signers_name = '';
|
||||
$key_identifier = '';
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,50 +0,0 @@
|
||||
From 5b255595f4101b136db55538a59ef5b1fc3439e5 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Suchanek <msuchanek@suse.de>
|
||||
Date: Tue, 4 Jan 2022 12:20:36 +0100
|
||||
Subject: [PATCH 4/4] Add padding to grub signature correctly (jsc#SLE-18271
|
||||
bsc#1192764).
|
||||
|
||||
Upstream sign-file supports including whole PKCS#7 signature verbatim
|
||||
while kernel-sign-file supports building PKCS#7 around raw RSA signature
|
||||
as provided by OBS. Now kernel-sign-file also supports what upstream
|
||||
does so make use of it. First wrap PKCS#7 around the RSA signature, then
|
||||
pad, then append.
|
||||
|
||||
Fixes: 13efe22 ("Support ppc grub signing (jsc#SLE-18271 bsc#1192764).")
|
||||
---
|
||||
pesign-repackage.spec.in | 15 ++++++++-------
|
||||
1 file changed, 8 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
|
||||
index f473fa1..8c07fc4 100644
|
||||
--- a/pesign-repackage.spec.in
|
||||
+++ b/pesign-repackage.spec.in
|
||||
@@ -160,17 +160,18 @@ for sig in "${sigs[@]}"; do
|
||||
*grub.elf.sig)
|
||||
sig_size="$(wc -c < "$sig")"
|
||||
unsigned_grub_size="$(wc -c < "$f")"
|
||||
- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest
|
||||
- signed_grub_size="$(wc -c < "$f".appendtest)"
|
||||
- rm "$f".appendtest
|
||||
- footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")"
|
||||
+ /usr/lib/rpm/pesign/kernel-sign-file -vpd -i pkcs7 -s "$sig" sha256 "$cert" "$f"
|
||||
+ sig_size="$(wc -c < "$f.p7s")"
|
||||
+ footer_size=40
|
||||
+ grub_size="$(wc -c < "$f")"
|
||||
if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then
|
||||
- echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
|
||||
+ echo "size of '$f.p7s' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
|
||||
exit 1
|
||||
fi
|
||||
sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
|
||||
- truncate -s $sig_size "$sig"
|
||||
- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
|
||||
+ truncate -s $sig_size "$f.p7s"
|
||||
+ /usr/lib/rpm/pesign/kernel-sign-file -v -i pkcs7 -s "$f.p7s" sha256 "" "$f"
|
||||
+ rm "$f.p7s"
|
||||
grub_size="$(wc -c < "$f")"
|
||||
if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
|
||||
echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)"
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,4 +1,4 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
|
||||
<param name="changesrevision">ceb23130f31ccfc02049b944bd82167678186d27</param></service></servicedata>
|
||||
<param name="changesrevision">8690743c1c82e6a37d50c522ba01b4f34c2cb795</param></service></servicedata>
|
21
order.patch
Normal file
21
order.patch
Normal file
@ -0,0 +1,21 @@
|
||||
From 729accc5eeefbd6accfa3244ce5c5dbd868e6d63 Mon Sep 17 00:00:00 2001
|
||||
From: Callum Farmer <gmbr3@opensuse.org>
|
||||
Date: Thu, 21 Apr 2022 11:17:36 +0100
|
||||
Subject: [PATCH] Support OrderWithRequires
|
||||
|
||||
---
|
||||
pesign-gen-repackage-spec | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
|
||||
index ca493f6..8746a52 100755
|
||||
--- a/pesign-gen-repackage-spec
|
||||
+++ b/pesign-gen-repackage-spec
|
||||
@@ -130,6 +130,7 @@ my %dep2tag = (
|
||||
enhances => "enhance",
|
||||
recommends => "recommend",
|
||||
supplements => "supplement",
|
||||
+ orderwithrequires => "order",
|
||||
);
|
||||
|
||||
# specfile scriptlet => rpm tag name
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:2f2ed79ed4651e5a02937cd17e761ae4f863c9098fad88de91b86ec4fc869b07
|
||||
size 130059
|
BIN
pesign-obs-integration-10.2+git20220504.8690743.obscpio
(Stored with Git LFS)
Normal file
BIN
pesign-obs-integration-10.2+git20220504.8690743.obscpio
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -1,3 +1,23 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 15 11:13:51 UTC 2022 - gmbr3@opensuse.org
|
||||
|
||||
- Update to version 10.2+git20220504.8690743:
|
||||
* Don't repackage aarch64_ilp32 *-64bit packages
|
||||
* Use pesign for signing on riscv64
|
||||
* Add padding to grub signature correctly (jsc#SLE-18271 bsc#1192764).
|
||||
* kernel-sign-file: Support appending verbatim PKCS#7 signature.
|
||||
* kernel-sign-file: Move x509 parsing into a function.
|
||||
* Support ppc grub signing (jsc#SLE-18271 bsc#1192764).
|
||||
* Handle packages with epochs as well
|
||||
* Turn off rpm fatal warnings for noarch packages
|
||||
- Upstreamed patches:
|
||||
* 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
|
||||
* 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
|
||||
* 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
|
||||
* 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
|
||||
- Added patches:
|
||||
* order.patch - support OrderWithRequires
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 21 08:49:34 UTC 2022 - Michal Suchanek <msuchanek@suse.com>
|
||||
|
||||
|
@ -1,5 +1,4 @@
|
||||
name: pesign-obs-integration
|
||||
version: 10.2+git20210804.ff18da1
|
||||
mtime: 1628080410
|
||||
commit: ff18da1d43b41939a4cb0fc85f1d3713de0ed3c2
|
||||
|
||||
version: 10.2+git20220504.8690743
|
||||
mtime: 1651698422
|
||||
commit: 8690743c1c82e6a37d50c522ba01b4f34c2cb795
|
||||
|
@ -18,24 +18,21 @@
|
||||
|
||||
|
||||
Name: pesign-obs-integration
|
||||
Version: 10.2+git20210804.ff18da1
|
||||
Version: 10.2+git20220504.8690743
|
||||
Release: 0
|
||||
Summary: Macros and scripts to sign the kernel and bootloader
|
||||
License: GPL-2.0-only
|
||||
Group: Development/Tools/Other
|
||||
URL: https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
|
||||
Source: %{name}-%{version}.tar.gz
|
||||
Patch1: 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
|
||||
Patch2: 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
|
||||
Patch3: 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
|
||||
Patch4: 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
|
||||
Patch: order.patch
|
||||
BuildRequires: openssl
|
||||
Requires: fipscheck
|
||||
Requires: mozilla-nss-tools
|
||||
Requires: openssl
|
||||
# suse-module-tools <= 15.0.10 contains modsign-verify
|
||||
Requires: suse-module-tools >= 15.0.10
|
||||
%ifarch %{ix86} x86_64 ia64 aarch64 %{arm}
|
||||
%ifarch %{ix86} x86_64 ia64 aarch64 %{arm} riscv64
|
||||
Requires: pesign
|
||||
%endif
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user