- fix pesign calls

OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=2
2013-02-05 13:35:22 +00:00 · 2013-02-05 13:35:22 +00:00 · 6a8d32d403
commit 6a8d32d403
parent 184dbd8a83
5 changed files with 47 additions and 25 deletions
--- a/4
+++ b/4
@ -74,6 +74,9 @@ sub query_single {
 		$res = <$fh>;
 	}
 	chomp $res;
+	if ($res eq "(none)") {
+		$res = "";
+	}
 	close($fh);
 	return $res;

@ -196,6 +199,7 @@ sub print_package {
 		print SPEC "\%package -n $p->{name}\n";
 	}
 	for my $tag (@simple_tags) {
+		next if $p->{$tag} eq "";
 		print SPEC "$tag: " . quote($p->{$tag}) . "\n";
 	}
 	print SPEC "BuildArch: noarch\n" if $p->{arch} eq "noarch";
--- a/6
+++ b/6
@ -88,8 +88,8 @@ mkdir -p "$archive_dir"
 # create an empty nss database to make pesign happy
 nss_db=$(mktemp -d)
 trap 'rm -rf "$nss_db"' EXIT
-echo >"$nss_db/password"
-certutil -N -f "$nss_db/password" -d "$nss_db"
+echo foofoofoo > "$nss_db/passwd"
+certutil -N -d "$nss_db" -f "$nss_db/passwd"

 echo "Creating $archive"
 files=($(find . -type f \( "${args[@]}" \)))
@ -98,7 +98,7 @@ for f in "${files[@]}"; do
 	mkdir -p "${dest%/*}"
 	case "$f" in
 	./boot/* | *.efi)
-		pesign --certdir="$nss_db" -i "$f" --digestdata "$dest"
+		pesign --certdir="$nss_db" -i "$f" -E $dest
 		;;
 	*)
 		cp "$f" "$dest"
--- a/pesign-obs-integration.changes
+++ b/pesign-obs-integration.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Feb  1 17:18:32 CET 2013 - mls@suse.de
+
+- fix pesign calls
+
+-------------------------------------------------------------------
+Fri Feb  1 10:19:52 UTC 2013 - mmarek@suse.cz
+
+- Add some preliminary code to sign EFI binaries, marked with
+  FIXMEs.
+
 -------------------------------------------------------------------
 Wed Jan 30 09:47:25 UTC 2013 - mmarek@suse.cz

--- a/pesign-obs-integration.spec
+++ b/pesign-obs-integration.spec
@ -1,40 +1,33 @@
 #
-# spec file for package pesign-obs-integration (Version 1.0)
+# spec file for package pesign-obs-integration
 #
 # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
-#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #

-# norootforbuild
-# needssslcertforbuild

 Name:           pesign-obs-integration
 Summary:        Macros and scripts to sign the kernel and bootloader
+License:        GPL-2.0
+Group:          Development/Tools/Other
 Version:        6.0
-Release:        1
+Release:        0
 Requires:       openssl mozilla-nss-tools
 %ifarch %ix86 x86_64 ia64
 Requires:       pesign
 %endif
 BuildRequires:  openssl
-License:        GPL v2 only
-Group:          Development/Tools/Other
-URL:            http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
+Url:            http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
 Source1:        macros.pesign-obs
 Source2:        pesign-repackage.spec.in
 Source3:        pesign-gen-repackage-spec
@ -43,6 +36,7 @@ Source5:        COPYING
 Source6:        README
 Source7:        kernel-sign-file
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+
 %description
 This package provides scripts and rpm macros to automate signing of the
 boot loader, kernel and kernel modules in the openSUSE Buildservice.
@ -74,4 +68,3 @@ fi
 /etc/rpm/*

 %changelog
-
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@ -79,6 +79,12 @@ else
 	echo "warning: Using /usr/lib/rpm/pesign-cert.x509 as fallback"
 	cert=/usr/lib/rpm/pesign-cert.x509
 fi
+mkdir nss-db
+nss_db=$PWD/nss-db
+echo foofoofoo > "$nss_db/passwd"
+certutil -N -d "$nss_db" -f "$nss_db/passwd"
+certutil -A -d "$nss_db" -n cert -t CT,CT,CT -i "$cert"
+
 sigs=($(find -type f -name '*.sig'))
 for sig in "${sigs[@]}"; do
 	f=%buildroot/${sig%.sig}
@ -89,6 +95,14 @@ for sig in "${sigs[@]}"; do
 	./lib/firmware/*.sig)
 		/usr/lib/rpm/kernel-sign-file -f -s "$sig" sha256 "$cert" "$f"
 		;;
+	./boot/* | *.efi.sig)
+		infile=${sig%.sig}
+		cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
+		test -s ${infile}.sattrs || exit 1
+		pesign -n "$nss_db" -c cert -i "$f" -o "$f.tmp" -d sha256 -I "${infile}.sattrs" -R "$sig"
+		rm -f "${infile}.sattrs"
+		mv "$f.tmp" "$f"
+		;;
 	*)
 		echo "Warning: unhandled signature: $sig" >&2
 	esac