Accepting request 228761 from home:michal-m:branches:Base:System

- Do not sign any files if BRP_PESIGN_FILES is set not an empty
  string (bnc#857599).

- Fix a typo in the last change.

- Default to BRP_PESIGN_FILES="*.ko /lib/firmware" (bnc#857599).

- Add --signatures=<directory> option to modsign-repackage
  (bnc#841627).

OBS-URL: https://build.opensuse.org/request/show/228761
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=20

brp-99-pesign

@@ -22,7 +22,10 @@
 
 set -e
 
-files=${BRP_PESIGN_FILES}
+files="*.ko /lib/firmware"
+if test -n "${BRP_PESIGN_FILES+x}"; then
+	files=${BRP_PESIGN_FILES}
+fi
 output=
 while test $# -gt 0; do
 	case "$1" in

modsign-repackage

@@ -20,7 +20,7 @@
 
 USAGE="$0 --key <private key> --certificate <x509 cert> rpm ..."
 
-options=`getopt -o hk:c: --long help,key:,certificate: -- "$@"`
+options=`getopt -o hk:c:s: --long help,key:,certificate:,signatures: -- "$@"`
 if test $? -ne 0; then
 	echo "$USAGE" >&2
 	exit 1
@@ -28,6 +28,7 @@ fi
 eval set -- "$options"
 key=
 cert=
+sig_dir=
 while :; do
 	case "$1" in
 	-k|--key)
@@ -38,6 +39,10 @@ while :; do
 		cert=$2
 		shift 2
 		;;
+	-s|--signatures)
+		sig_dir=$2
+		shift 2
+		;;
 	-h|--help)
 		echo "$USAGE"
 		exit
@@ -47,13 +52,18 @@ while :; do
 		break
 	esac
 done
-if test -z "$key" -o -z "$cert"; then
-	echo "$0: The --key and --certificate options are mandatory" >&2
-	echo "$USAGE" >&2
-	exit 1
+err=
+if test -n "$key" -a -n "$sig_dir"; then
+	err="Cannot use both --key and --signatures"
+elif test -z "$key" -a -z "$sig_dir"; then
+	err="Please specify either --key or --signatures"
+elif test -z "$cert"; then
+	err="Please specify --certificate"
+elif test "$#" -eq 0; then
+	err="No packages specified"
 fi
-if test "$#" -eq 0; then
-	echo "$0: No packages specified" >&2
+if test -n "$err"; then
+	echo "$0: $err" >&2
 	echo "$USAGE" >&2
 	exit 1
 fi
@@ -107,9 +117,20 @@ for rpm; do
 done
 set -e
 echo "Signing kernel modules..."
-for module in $(find "$buildroot" -type f -name '*.ko'); do
-	/usr/lib/rpm/pesign/kernel-sign-file \
-		sha256 "$key" "$cert" "$module"
+for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do
+	if test -n "$key"; then
+		/usr/lib/rpm/pesign/kernel-sign-file \
+			sha256 "$key" "$cert" "$buildroot/$module"
+	else
+		raw_sig="$sig_dir/$module.sig"
+		if test ! -e "$raw_sig"; then
+			echo "$module.sig not found in $sig_dir" >&2
+			exit 1
+		fi
+		/usr/lib/rpm/pesign/kernel-sign-file \
+			-s "$raw_sig" sha256 "$cert" "$buildroot/$module"
+	fi
+
 done
 # Add the certificate
 mkdir -p "$buildroot/etc/uefi/certs"

pesign-obs-integration.changes

@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Thu Jan 16 15:12:22 UTC 2014 - mmarek@suse.cz
+
+- Do not sign any files if BRP_PESIGN_FILES is set not an empty
+  string (bnc#857599).
+
+-------------------------------------------------------------------
+Tue Jan  7 09:50:58 UTC 2014 - mmarek@suse.cz
+
+- Fix a typo in the last change.
+
+-------------------------------------------------------------------
+Mon Jan  6 22:08:41 UTC 2014 - mmarek@suse.cz
+
+- Default to BRP_PESIGN_FILES="*.ko /lib/firmware" (bnc#857599).
+
+-------------------------------------------------------------------
+Mon Jan  6 16:35:30 UTC 2014 - mmarek@suse.cz
+
+- Add --signatures=<directory> option to modsign-repackage
+  (bnc#841627).
+
 -------------------------------------------------------------------
 Fri Jun 14 12:19:47 UTC 2013 - mmarek@suse.cz
 

pesign-obs-integration.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package pesign-obs-integration
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed