Accepting request 1006626 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1006626 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pesign-obs-integration?expand=0&rev=50
2022-10-01 15:42:31 +00:00 · 2022-10-01 15:42:31 +00:00 · f30d829d80
commit f30d829d80
parent ae6d185a9c a3ca55835f
3 changed files with 59 additions and 0 deletions
--- a/pesign-obs-integration.changes
+++ b/pesign-obs-integration.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 28 06:36:56 UTC 2022 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add verify-sig.patch to verify the signatures before attaching
+  them (bsc#1200108, bsc#1203679)
+
 -------------------------------------------------------------------
 Sat Jul  9 16:19:57 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

--- a/pesign-obs-integration.spec
+++ b/pesign-obs-integration.spec
@ -29,6 +29,7 @@ Patch:          order.patch
 Patch1:         attr.patch
 Patch2:         lang.patch
 Patch3:         rpmlintrc.patch
+Patch4:         verify-sig.patch
 BuildRequires:  openssl
 Requires:       fipscheck
 Requires:       mozilla-nss-tools
--- a/verify-sig.patch
+++ b/verify-sig.patch
@ -0,0 +1,52 @@
+From 3219b56af4f8f396b194ea81ab715831469260e5 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 28 Sep 2022 14:27:31 +0800
+Subject: [PATCH] Verfiy the signatures before attaching them
+
+Sometime the build service may sign the target binaries with the wrong
+key due to misconfiguration. Verfiy the signature first so that we can
+detect the error earily.
+
+Ref: bsc#1200108, bsc#1203679
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ pesign-repackage.spec.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
+index 7b3d2e5..0b59360 100644
+--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
+@@ -122,8 +122,17 @@ echo foofoofoo > "$nss_db/passwd"
+ certutil -N -d "$nss_db" -f "$nss_db/passwd"
+ certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
+ 
+# Extract the public key of the certificate
+openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
+
+ sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
+ for sig in "${sigs[@]}"; do
+	# Verify the signature with the public key of the certificate
+	ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$sig" 2>&1 | grep -i error) || true
+	if [ -n "$ver_err" ]; then
+		echo "$sig signature can not be decrypted by $cert" >&2
+		exit 1
+	fi
+ 	f=%buildroot/${sig%.sig}
+ 	case "/$sig" in
+ 	*.ko.sig|*.mod.sig)
+@@ -182,6 +191,10 @@ for sig in "${sigs[@]}"; do
+ 		echo "Warning: unhandled signature: $sig" >&2
+ 	esac
+ done
+
+# Remove the public key file
+rm "$cert.pub"
+
+ popd
+ /usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
+ 	--directory=%buildroot "${rpms[@]}"
+-- 
+2.35.3
+