Accepting request 1092483 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1092483
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pesign-obs-integration?expand=0&rev=52

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
-              <param name="changesrevision">8690743c1c82e6a37d50c522ba01b4f34c2cb795</param></service></servicedata>
+              <param name="changesrevision">4699910cf20591bcf3d06e42189ad8cb1326ab08</param></service></servicedata>

attr.patch

@@ -1,35 +0,0 @@
-From f2d245886ad2e734922b17a8f1a3d24b5075c023 Mon Sep 17 00:00:00 2001
-From: Callum Farmer <gmbr3@opensuse.org>
-Date: Sat, 9 Jul 2022 16:15:26 +0100
-Subject: [PATCH] Fix %attr issues
-
-1) Avoid assigning %attr's to symlinks which causes rpmbuild spam
-2) Change perms mask to 07777 to ensure SUID/SGID is copied over
----
- pesign-gen-repackage-spec | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
-index 688c375..ae7eba8 100755
---- a/pesign-gen-repackage-spec
-+++ b/pesign-gen-repackage-spec
-@@ -416,8 +416,6 @@ sub print_files {
- 			$attrs .= "\%dir ";
- 			utime($f->{mtime}, $f->{mtime}, $path);
- 		}
--		$attrs .= sprintf('%%attr(%04o, %s, %s) ', ($f->{mode} & 0777),
--			$f->{owner}, $f->{group});
- 		if ($f->{flags} & $filetypes{config}) {
- 			$attrs .= "%config ";
- 			my @cfg_attrs;
-@@ -448,6 +446,10 @@ sub print_files {
- 				symlink($f->{target}, $path);
- 			}
- 		}
-+		unless (S_ISLNK($f->{mode})) {
-+			$attrs .= sprintf('%%attr(%04o, %s, %s) ', ($f->{mode} & 07777),
-+				$f->{owner}, $f->{group});
-+		}
- 		# mtime of symlinks is also not preserved by cpio
- 		if (S_ISLNK($f->{mode})) {
- 			# perl core does not provide lutimes()/utimensat()

dependency-generators.patch

@@ -1,199 +0,0 @@
-From a17ffb01430468f411acc5488cc9a6d27ceb1428 Mon Sep 17 00:00:00 2001
-From: Callum Farmer <gmbr3@opensuse.org>
-Date: Sat, 9 Jul 2022 19:26:56 +0100
-Subject: [PATCH] Add support for dependency generators
-
-1) Add support for including macros in pesign-repackage.spec by using pesign-spec-macros
-2) Add support for copying sources to the new build directory by using pesign-copy-sources
-
-Update README for dependency generation
-
-1) Add Dependency Generation section
-2) Convert to Markdown
----
- README => README.md       | 40 ++++++++++++++++++++++++++++++++-------
- brp-99-pesign             | 24 +++++++++++++++++++++++
- pesign-gen-repackage-spec |  3 +++
- pesign-repackage.spec.in  |  9 ++++++++-
- 4 files changed, 68 insertions(+), 8 deletions(-)
- rename README => README.md (59%)
-
-diff --git a/README b/README.md
-similarity index 59%
-rename from README
-rename to README.md
-index aaa5da0..c8090cd 100644
---- a/README
-+++ b/README.md
-@@ -1,18 +1,19 @@
--Signing kernel modules and EFI binaries in the Open Build Service
--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-+ # Signing kernel modules and EFI binaries in the Open Build Service
- 
- RPM packages that need to sign files during build should add the following lines
- to the specfile
- 
-+```
- # needssslcertforbuild
- export BRP_PESIGN_FILES='pattern...'
- BuildRequires: pesign-obs-integration
-+```
- 
- Debian packages need to add the following line to the Source stanza in the
- debian/control file, which will add "Obs: needssslcertforbuild" to the generated
- .dsc file:
- 
--XS-Obs: needssslcertforbuild
-+```XS-Obs: needssslcertforbuild```
- 
- The "# needssslcertforbuild" comment tells the buildservice to store the
- signing certificate in %_sourcedir/_projectcert.crt. At the end of the
-@@ -28,18 +29,43 @@ appends the signatures to the files. It then uses the
- pesign-gen-repackage-spec script to generate another specfile, which
- builds new RPMs with signed files. The supported file types are:
- 
--*.ko            - Signature appended to the module
--efi binaries    - Signature embedded in a header. If a HMAC checksum named
--                  .$file.hmac exists, it is regenerated
-+- *.ko
-+  - Signature appended to the module
-+- efi binaries
-+  - Signature embedded in a header. If a HMAC checksum named
-+    .$file.hmac exists, it is regenerated
- 
- Debian packages can use the dh-signobs debhelper to automate signing and
- repacking. Build-depend on dh-signobs and add --with signobs to the dh line
- in debian/rules to use the fully automated helper.
- Consult the dh_signobs manpage for more information.
- 
-+## Options
-+
-+### Kernel Module Compression
- When BRP_PESIGN_COMPRESS_MODULE is passed, the script tries to compress the
- kernel modules at the repackaging phase. Currently xz, gzip and zstd format is supported.
- For enable the compression feature, put the following along with
- BRP_PESIGN_FILES setup:
- 
--export BRP_PESIGN_COMPRESS_MODULE="xz"
-+```export BRP_PESIGN_COMPRESS_MODULE="xz"```
-+
-+### Dependency Generation
-+If you need macros within the pesign-repackage specfile to adjust [dependency generation](https://rpm-software-management.github.io/rpm/manual/dependency_generators.html)
-+, then place these in a source file called pesign-spec-macros, this will subseqently be loaded.
-+
-+Example of pesign-spec-macros:
-+
-+```%__kmp_supplements %_sourcedir/my-find-supplements %_sourcedir/pci_ids-%{version}```
-+
-+To save creating duplicate copies of macros, load this file from your existing spec file by using the following:
-+
-+```%{load:%{_sourcedir}/pesign-spec-macros}```
-+
-+If you need some source files such as dependency generation scripts then place the names of these source files in a source file called pesign-copy-sources.
-+
-+Example of pesign-copy-sources:
-+```
-+my-find-supplements
-+pci_ids-%{version}
-+```
-diff --git a/brp-99-pesign b/brp-99-pesign
-index c6e9d54..b4ec89e 100644
---- a/brp-99-pesign
-+++ b/brp-99-pesign
-@@ -88,10 +88,34 @@ else
- 	echo "No buildservice signing certificate"
- 	cert=/dev/null
- fi
-+
-+if test -e $RPM_SOURCE_DIR/pesign-spec-macros; then
-+	sed "
-+		s:%{name}:$RPM_PACKAGE_NAME:g
-+		s:%{version}:$RPM_PACKAGE_VERSION:g
-+	" $RPM_SOURCE_DIR/pesign-spec-macros > $output/pesign-spec-macros
-+	spec_macros="--macros pesign-spec-macros"
-+fi
-+if test -e $RPM_SOURCE_DIR/pesign-copy-sources; then
-+	sed "
-+		s:%{name}:$RPM_PACKAGE_NAME:g
-+		s:%{version}:$RPM_PACKAGE_VERSION:g
-+	" $RPM_SOURCE_DIR/pesign-copy-sources > $output/pesign-copy-sources
-+	while read -r line; do
-+		if [ -n "${line}" ]; then
-+			source_files="${source_files}${RPM_SOURCE_DIR}/${line}\n"
-+		fi
-+	done < $output/pesign-copy-sources
-+	echo -e "$source_files" | head -c -1 | cpio -o > $output/source_files.cpio
-+	rm $output/pesign-copy-sources
-+fi
-+
-+
- sed "
- 	s:@NAME@:$RPM_PACKAGE_NAME:g
- 	s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g
- 	s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
-+	s:@PESIGN_LOAD_SPEC_MACROS@:$spec_macros:g
- 	/@CERT@/ {
- 		r $cert
- 		d
-diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
-index 688c375..078d806 100755
---- a/pesign-gen-repackage-spec
-+++ b/pesign-gen-repackage-spec
-@@ -33,6 +33,7 @@ my $output = ".";
- my $cert_subpackage;
- my $kmp_basename;
- my $compress = "";
-+my $macros_file = "";
- my @rpms;
- 
- $ENV{LC_ALL} = "en_US.UTF-8";
-@@ -43,6 +44,7 @@ GetOptions(
- 	"output|o=s" => \$output,
- 	"cert-subpackage|c=s" => \$cert_subpackage,
- 	"compress|C=s" => \$compress,
-+	"macros|M=s" => \$macros_file,
- ) or die $USAGE;
- @rpms = @ARGV;
- if (!@rpms) {
-@@ -270,6 +272,7 @@ sub print_package {
- 	print SPEC "\%define _binary_payload $payloadstr\n";
- 
- 	if ($is_main) {
-+		print SPEC "\%{load:\%_sourcedir/$macros_file}\n" if $macros_file ne "";
- 		print SPEC "Name: $p->{name}\n";
- 		print SPEC "Buildroot: $directory\n";
- 		if ($p->{nosource}) {
-diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
-index 7b3d2e5..ca78fea 100644
---- a/pesign-repackage.spec.in
-+++ b/pesign-repackage.spec.in
-@@ -91,6 +91,8 @@ OTHER_FILES=`find %_sourcedir/ -maxdepth 1 -type f \
- 	-not -name "_statistics" \
- 	-not -name "logfile" \
- 	-not -name "meta" \
-+	-not -name "pesign-spec-macros" \
-+	-not -name "source_files.cpio" \
- 	-print`
- for file in $OTHER_FILES; do
- 	if test -e "$file"; then
-@@ -98,6 +100,11 @@ for file in $OTHER_FILES; do
- 		cp "$file" "$_"
- 	fi
- done
-+if test -e %_sourcedir/source_files.cpio; then
-+	pushd %_sourcedir
-+	cpio -i < source_files.cpio
-+	popd
-+fi
- mkdir rsasigned
- pushd rsasigned
- cpio -idm <%_sourcedir/@NAME@.cpio.rsasign.sig
-@@ -183,7 +190,7 @@ for sig in "${sigs[@]}"; do
- rm "$cert.pub"
- 
- popd
--/usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
-+/usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ @PESIGN_LOAD_SPEC_MACROS@ \
- 	--directory=%buildroot "${rpms[@]}"
- rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \
- 	--define "%%_builddir $PWD" \

lang.patch

@@ -1,41 +0,0 @@
-From bce11d8c51c7298887a5c576ba0f577cac80eb5e Mon Sep 17 00:00:00 2001
-From: Callum Farmer <gmbr3@opensuse.org>
-Date: Thu, 23 Jun 2022 13:20:37 +0100
-Subject: [PATCH] Support %lang
-
----
- pesign-gen-repackage-spec | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
-index 688c375..3d1e1d2 100755
---- a/pesign-gen-repackage-spec
-+++ b/pesign-gen-repackage-spec
-@@ -166,7 +166,7 @@ sub load_package {
- 		$res{$tag} = query_single($rpm, $tag);
- 	}
- 	my @files;
--	my @list = query_array($rpm, qw(filenames fileflags filemodes fileusername filegroupname filesizes filemtimes filelinktos fileverifyflags));
-+	my @list = query_array($rpm, qw(filenames fileflags filemodes fileusername filegroupname filesizes filemtimes filelinktos fileverifyflags filelangs));
- 	for my $file (@list) {
- 		my $new = {
- 				name   => $file->[0],
-@@ -178,6 +178,7 @@ sub load_package {
- 				mtime  => $file->[6],
- 				target => $file->[7],
- 				verify => $file->[8],
-+				lang   => $file->[9],
- 		};
- 		push(@files, $new);
- 		if ($new->{name} =~ /\.ko$/ && S_ISREG($new->{mode})) {
-@@ -462,7 +463,9 @@ sub print_files {
- 		if ($verify_attrs) {
- 			$attrs .= "%verify(not $verify_attrs) ";
- 		}
--
-+		if ($f->{lang} ne "") {
-+			$attrs .= sprintf('%%lang(%s) ', $f->{lang});
-+		}
- 		if ($compress ne "" &&
- 		    $f->{name} =~ /\.ko$/ && S_ISREG($f->{mode})) {
- 			chmod($f->{mode}, $path);

order.patch

@@ -1,21 +0,0 @@
-From 729accc5eeefbd6accfa3244ce5c5dbd868e6d63 Mon Sep 17 00:00:00 2001
-From: Callum Farmer <gmbr3@opensuse.org>
-Date: Thu, 21 Apr 2022 11:17:36 +0100
-Subject: [PATCH] Support OrderWithRequires
-
----
- pesign-gen-repackage-spec | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
-index ca493f6..8746a52 100755
---- a/pesign-gen-repackage-spec
-+++ b/pesign-gen-repackage-spec
-@@ -130,6 +130,7 @@ my %dep2tag = (
- 	enhances => "enhance",
- 	recommends => "recommend",
- 	supplements => "supplement",
-+	orderwithrequires => "order",
- );
- 
- # specfile scriptlet => rpm tag name

pesign-obs-integration.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Mon Jun 12 05:20:28 UTC 2023 - jlee@suse.com
+
+- Update to version 10.2+git20230612.4699910:
+  * pesign-gen-repackage-spec: support filetriggers and transfiletriggers
+  * Add support for dependency generators
+  * pesign-gen-repackage-spec: fix the filename issue in the scripts of generated ueficert package
+  * Verfiy the signatures before attaching them
+  * Don't copy rpmlintrc to OTHER
+  * Fix %attr issues
+  * Support %lang
+  * Support OrderWithRequires
+  * pesign-repackage.spec.in: Add description for footer_size
+- Removed the following patches becuase they are merged to
+  10.2+git20230612.4699910:
+         Patch:          order.patch
+         Patch1:         attr.patch
+         Patch2:         lang.patch
+         Patch3:         rpmlintrc.patch
+         Patch4:         verify-sig.patch
+         Patch5:         dependency-generators.patch
+- Use README.md instead of README in pesign-obs-integration.spec. 
+
 -------------------------------------------------------------------
 Mon Jan 23 14:16:22 UTC 2023 - Callum Farmer <gmbr3@opensuse.org>
 

pesign-obs-integration.obsinfo

@@ -1,4 +1,4 @@
 name: pesign-obs-integration
-version: 10.2+git20220504.8690743
-mtime: 1651698422
-commit: 8690743c1c82e6a37d50c522ba01b4f34c2cb795
+version: 10.2+git20230612.4699910
+mtime: 1686546992
+commit: 4699910cf20591bcf3d06e42189ad8cb1326ab08

pesign-obs-integration.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package pesign-obs-integration
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,19 +18,13 @@
 
 
 Name:           pesign-obs-integration
-Version:        10.2+git20220504.8690743
+Version:        10.2+git20230612.4699910
 Release:        0
 Summary:        Macros and scripts to sign the kernel and bootloader
 License:        GPL-2.0-only
 Group:          Development/Tools/Other
 URL:            https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
 Source:         %{name}-%{version}.tar.gz
-Patch:          order.patch
-Patch1:         attr.patch
-Patch2:         lang.patch
-Patch3:         rpmlintrc.patch
-Patch4:         verify-sig.patch
-Patch5:         dependency-generators.patch
 BuildRequires:  openssl
 Requires:       fipscheck
 Requires:       mozilla-nss-tools

rpmlintrc.patch

@@ -1,21 +0,0 @@
-From 1441e0e2b3ece30febd88a0476189865b6738695 Mon Sep 17 00:00:00 2001
-From: Callum Farmer <gmbr3@opensuse.org>
-Date: Tue, 12 Jul 2022 11:44:57 +0100
-Subject: [PATCH] Don't copy rpmlintrc to OTHER
-
----
- pesign-repackage.spec.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
-index 7b3d2e5..0c77133 100644
---- a/pesign-repackage.spec.in
-+++ b/pesign-repackage.spec.in
-@@ -87,6 +87,7 @@ popd
- # Copy files other than the meta files and RPMs to %_topdir/OTHER
- OTHER_FILES=`find %_sourcedir/ -maxdepth 1 -type f \
- 	-not -regex '.*\.\(rpm\|spec\|rsasign\|sig\|crt\)' \
-+	-not -regex '.*\rpmlintrc' \
- 	-not -name "_buildenv" \
- 	-not -name "_statistics" \
- 	-not -name "logfile" \

verify-sig.patch

@@ -1,52 +0,0 @@
-From 3219b56af4f8f396b194ea81ab715831469260e5 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Wed, 28 Sep 2022 14:27:31 +0800
-Subject: [PATCH] Verfiy the signatures before attaching them
-
-Sometime the build service may sign the target binaries with the wrong
-key due to misconfiguration. Verfiy the signature first so that we can
-detect the error earily.
-
-Ref: bsc#1200108, bsc#1203679
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- pesign-repackage.spec.in | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
-index 7b3d2e5..0b59360 100644
---- a/pesign-repackage.spec.in
-+++ b/pesign-repackage.spec.in
-@@ -122,8 +122,17 @@ echo foofoofoo > "$nss_db/passwd"
- certutil -N -d "$nss_db" -f "$nss_db/passwd"
- certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
- 
-+# Extract the public key of the certificate
-+openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
-+
- sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
- for sig in "${sigs[@]}"; do
-+	# Verify the signature with the public key of the certificate
-+	ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$sig" 2>&1 | grep -i error) || true
-+	if [ -n "$ver_err" ]; then
-+		echo "$sig signature can not be decrypted by $cert" >&2
-+		exit 1
-+	fi
- 	f=%buildroot/${sig%.sig}
- 	case "/$sig" in
- 	*.ko.sig|*.mod.sig)
-@@ -182,6 +191,10 @@ for sig in "${sigs[@]}"; do
- 		echo "Warning: unhandled signature: $sig" >&2
- 	esac
- done
-+
-+# Remove the public key file
-+rm "$cert.pub"
-+
- popd
- /usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
- 	--directory=%buildroot "${rpms[@]}"
--- 
-2.35.3
-