Accepting request 789612 from home:msmeissn:branches:Base:System

- pesign-sign-s390x-kernel.patch: Sign also the non-PE (e.g. s390x)
  kernels with just kernel-sign-file (bsc#1163524)

OBS-URL: https://build.opensuse.org/request/show/789612
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=88
This commit is contained in:
Marcus Meissner 2020-03-30 06:19:47 +00:00 committed by Git OBS Bridge
parent b14ebb7b0a
commit eee6f816df
3 changed files with 51 additions and 0 deletions

View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Feb 26 13:35:18 UTC 2020 - Marcus Meissner <meissner@suse.com>
- pesign-sign-s390x-kernel.patch: Sign also the non-PE (e.g. s390x)
kernels with just kernel-sign-file (bsc#1163524)
-------------------------------------------------------------------
Wed Feb 19 14:25:32 UTC 2020 - Marcus Meissner <meissner@suse.com>

View File

@ -39,6 +39,8 @@ Patch4: 0001-Keep-the-files-in-the-OTHER-directory.patch
Patch5: 0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch
# https://github.com/openSUSE/pesign-obs-integration/pull/17
Patch6: 0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch
# https://github.com/openSUSE/pesign-obs-integration/pull/18
Patch7: pesign-sign-s390x-kernel.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# suse-module-tools <= 15.0.10 contains modsign-verify
Requires: suse-module-tools >= 15.0.10
@ -55,6 +57,7 @@ boot loader, kernel and kernel modules in the openSUSE Buildservice.
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build

View File

@ -0,0 +1,42 @@
Index: pesign-obs-integration/pesign-repackage.spec.in
===================================================================
--- pesign-obs-integration.orig/pesign-repackage.spec.in
+++ pesign-obs-integration/pesign-repackage.spec.in
@@ -122,6 +122,8 @@ for sig in "${sigs[@]}"; do
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
;;
/boot/* | *.efi.sig)
+%ifarch %ix86 x86_64 aarch64 %arm
+ # PE style signature injection
infile=${sig%.sig}
cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
test -s ${infile}.sattrs || exit 1
@@ -134,6 +136,10 @@ for sig in "${sigs[@]}"; do
echo "hash mismatch error: $ohash $nhash"
exit 1
fi
+%else
+ # appending to the file itself, e.g. for s390x.
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+%endif
# Regenerate the HMAC if it exists
hmac="${f%%/*}/.${f##*/}.hmac"
if test -e "$hmac"; then
Index: pesign-obs-integration/brp-99-pesign
===================================================================
--- pesign-obs-integration.orig/brp-99-pesign
+++ pesign-obs-integration/brp-99-pesign
@@ -109,7 +109,12 @@ for f in "${files[@]}"; do
mkdir -p "${dest%/*}"
case "$f" in
./boot/* | *.efi)
- pesign --certdir="$nss_db" -i "$f" -E $dest
+ if [ -f /usr/bin/pesign ]; then
+ pesign --certdir="$nss_db" -i "$f" -E $dest
+ else
+ # Non PE architectures like s390x
+ cp "$f" "$dest"
+ fi
;;
*)
cp "$f" "$dest"