Marcus Meissner
eee6f816df
- pesign-sign-s390x-kernel.patch: Sign also the non-PE (e.g. s390x) kernels with just kernel-sign-file (bsc#1163524) OBS-URL: https://build.opensuse.org/request/show/789612 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=88
43 lines
1.5 KiB
Diff
43 lines
1.5 KiB
Diff
Index: pesign-obs-integration/pesign-repackage.spec.in
|
|
===================================================================
|
|
--- pesign-obs-integration.orig/pesign-repackage.spec.in
|
|
+++ pesign-obs-integration/pesign-repackage.spec.in
|
|
@@ -122,6 +122,8 @@ for sig in "${sigs[@]}"; do
|
|
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
|
|
;;
|
|
/boot/* | *.efi.sig)
|
|
+%ifarch %ix86 x86_64 aarch64 %arm
|
|
+ # PE style signature injection
|
|
infile=${sig%.sig}
|
|
cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
|
|
test -s ${infile}.sattrs || exit 1
|
|
@@ -134,6 +136,10 @@ for sig in "${sigs[@]}"; do
|
|
echo "hash mismatch error: $ohash $nhash"
|
|
exit 1
|
|
fi
|
|
+%else
|
|
+ # appending to the file itself, e.g. for s390x.
|
|
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
|
|
+%endif
|
|
# Regenerate the HMAC if it exists
|
|
hmac="${f%%/*}/.${f##*/}.hmac"
|
|
if test -e "$hmac"; then
|
|
Index: pesign-obs-integration/brp-99-pesign
|
|
===================================================================
|
|
--- pesign-obs-integration.orig/brp-99-pesign
|
|
+++ pesign-obs-integration/brp-99-pesign
|
|
@@ -109,7 +109,12 @@ for f in "${files[@]}"; do
|
|
mkdir -p "${dest%/*}"
|
|
case "$f" in
|
|
./boot/* | *.efi)
|
|
- pesign --certdir="$nss_db" -i "$f" -E $dest
|
|
+ if [ -f /usr/bin/pesign ]; then
|
|
+ pesign --certdir="$nss_db" -i "$f" -E $dest
|
|
+ else
|
|
+ # Non PE architectures like s390x
|
|
+ cp "$f" "$dest"
|
|
+ fi
|
|
;;
|
|
*)
|
|
cp "$f" "$dest"
|