Accepting request 231426 from home:michal-m:branches:Base:System

- Fix matching /boot and /lib/firmware in pesign-repackage.spec - Do not store the buildroot in the .*.hmac file. - Regenerate the HMAC checksum when signing and EFI binary with a checksum (fate#316930, bnc#856310). - Update README. - Add /usr/lib/rpm/pesign/gen-hmac tool to generate a hmac checksum for a given file (fate#316930, bnc#856310). OBS-URL: https://build.opensuse.org/request/show/231426 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=23
2014-04-27 07:52:13 +00:00 · 2014-04-27 07:52:13 +00:00 · 4ee730db27
commit 4ee730db27
parent 35447a6586
5 changed files with 78 additions and 12 deletions
--- a/16
+++ b/16
@ -1,9 +1,6 @@
 Signing kernel modules and EFI binaries in the Open Build Service
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-Note: Not everything that is described here is actually implemented. Even
-those parts that are implemented can change slightly.
-
 Packages that need to sign files during build should add the following lines
 to the specfile

@ -18,10 +15,15 @@ files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored
 in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
 pesign-repackage.spec file there. When the first rpmbuild finishes, the
 buildservice sends the cpio archive to the signing server, which returns
-a rsasigned.cio archive with RSA signatures of the sha256 hashes.
+a rsasigned.cpio archive with RSA signatures of the sha256 hashes.

 The pesign-repackage.spec takes the original RPMs, unpacks them and
-appends the signatures to the files (TODO: only implemented for firmware
-files). It then uses the pesign-gen-repackage-spec script to generate
-another specfile, which builds new RPMs with signed files.
+appends the signatures to the files. It then uses the
+pesign-gen-repackage-spec script to generate another specfile, which
+builds new RPMs with signed files. The supported file types are:
+
+/lib/firmware/* - Detached signature in $file.sig
+*.ko            - Signature appended to the module
+efi binaries    - Signature embedded in a header. If a HMAC checksum named
+                  .$file.hmac exists, it is regenerated

--- a/31
+++ b/31
@ -0,0 +1,31 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Getopt::Long;
+
+my $USAGE = "Usage: $0 [-r <build root>] <file>\n";
+
+my $buildroot = "";
+GetOptions("r|root=s" => \$buildroot) or die $USAGE;
+if (scalar(@ARGV) != 1) {
+	die $USAGE;
+}
+if ($buildroot) {
+	$buildroot .= "/";
+}
+
+my $fn = shift @ARGV;
+my $out = `sha512hmac "$buildroot$fn"`;
+if ($?) {
+	exit 1;
+}
+my @t = split(" ", $out);
+my $hmac = $t[0];
+
+(my $hmacfn = "$buildroot$fn") =~ s|([^/]*)$|.$1.hmac|;
+open(my $fd, '>', $hmacfn) or die "$0: Cannot open $hmacfn: $!\n";
+print $fd "$hmac  $fn\n";
+close($fd);
+exit 0;
--- a/pesign-obs-integration.changes
+++ b/pesign-obs-integration.changes
@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Thu Apr 24 09:25:18 UTC 2014 - mmarek@suse.cz
+
+- Fix matching /boot and /lib/firmware in pesign-repackage.spec
+
+-------------------------------------------------------------------
+Wed Apr 23 22:28:05 UTC 2014 - mmarek@suse.com
+
+- Do not store the buildroot in the .*.hmac file.
+
+-------------------------------------------------------------------
+Wed Apr 23 21:48:04 UTC 2014 - mmarek@suse.com
+
+- Regenerate the HMAC checksum when signing and EFI binary with
+  a checksum (fate#316930, bnc#856310).
+
+-------------------------------------------------------------------
+Wed Apr 23 21:38:42 UTC 2014 - mmarek@suse.com
+
+- Update README.
+
+-------------------------------------------------------------------
+Wed Apr 23 19:49:09 UTC 2014 - mmarek@suse.cz
+
+- Add /usr/lib/rpm/pesign/gen-hmac tool to generate a hmac checksum
+  for a given file (fate#316930, bnc#856310).
+
 -------------------------------------------------------------------
 Thu Apr  3 12:01:54 CEST 2014 - ro@suse.de

--- a/pesign-obs-integration.spec
+++ b/pesign-obs-integration.spec
@ -38,6 +38,7 @@ Source5:        COPYING
 Source6:        README
 Source7:        kernel-sign-file
 Source8:        modsign-repackage
+Source9:        gen-hmac
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -54,7 +55,7 @@ cp %_sourcedir/{COPYING,README} .

 mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign
 cd %_sourcedir
-install  pesign-gen-repackage-spec kernel-sign-file %buildroot/usr/lib/rpm/pesign
+install  pesign-gen-repackage-spec kernel-sign-file gen-hmac %buildroot/usr/lib/rpm/pesign
 install  brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d
 install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm/pesign
 mkdir -p %buildroot/usr/bin
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@ -102,17 +102,17 @@ echo foofoofoo > "$nss_db/passwd"
 certutil -N -d "$nss_db" -f "$nss_db/passwd"
 certutil -A -d "$nss_db" -n cert -t CT,CT,CT -i "$cert"

-sigs=($(find -type f -name '*.sig'))
+sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
 for sig in "${sigs[@]}"; do
 	f=%buildroot/${sig%.sig}
-	case "$sig" in
+	case "/$sig" in
 	*.ko.sig)
 		/usr/lib/rpm/pesign/kernel-sign-file -s "$sig" sha256 "$cert" "$f"
 		;;
-	./lib/firmware/*.sig)
+	/lib/firmware/*.sig)
 		/usr/lib/rpm/pesign/kernel-sign-file -f -s "$sig" sha256 "$cert" "$f"
 		;;
-	./boot/* | *.efi.sig)
+	/boot/* | *.efi.sig)
 		infile=${sig%.sig}
 		cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
 		test -s ${infile}.sattrs || exit 1
@ -125,6 +125,11 @@ for sig in "${sigs[@]}"; do
 		    echo "hash mismatch error: $ohash $nhash"
 		    exit 1
 		fi
+		# Regenerate the HMAC if it exists
+		hmac="${f%%/*}/.${f##*/}.hmac"
+		if test -e "$hmac"; then
+			/usr/lib/rpm/pesign/gen-hmac -r %buildroot "/${sig%.sig}"
+		fi
 		;;
 	*)
 		echo "Warning: unhandled signature: $sig" >&2