pesign-obs-integration/modsign-repackage
Gary Ching-Pang Lin f6afa13b96 Accepting request 228761 from home:michal-m:branches:Base:System
- Do not sign any files if BRP_PESIGN_FILES is set not an empty
  string (bnc#857599).

- Fix a typo in the last change.

- Default to BRP_PESIGN_FILES="*.ko /lib/firmware" (bnc#857599).

- Add --signatures=<directory> option to modsign-repackage
  (bnc#841627).

OBS-URL: https://build.opensuse.org/request/show/228761
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=20
2014-04-03 01:54:03 +00:00

164 lines
4.4 KiB
Bash

#!/bin/bash
# Script to sign kernel modules and create new RPM packages with these
# modules. Uses pesign-gen-repackage-spec for the repackaging.
#
# Copyright (c) 2013 SUSE Linux Products GmbH, Nuernberg, Germany.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
USAGE="$0 --key <private key> --certificate <x509 cert> rpm ..."
options=`getopt -o hk:c:s: --long help,key:,certificate:,signatures: -- "$@"`
if test $? -ne 0; then
echo "$USAGE" >&2
exit 1
fi
eval set -- "$options"
key=
cert=
sig_dir=
while :; do
case "$1" in
-k|--key)
key=$2
shift 2
;;
-c|--certificate)
cert=$2
shift 2
;;
-s|--signatures)
sig_dir=$2
shift 2
;;
-h|--help)
echo "$USAGE"
exit
;;
--)
shift
break
esac
done
err=
if test -n "$key" -a -n "$sig_dir"; then
err="Cannot use both --key and --signatures"
elif test -z "$key" -a -z "$sig_dir"; then
err="Please specify either --key or --signatures"
elif test -z "$cert"; then
err="Please specify --certificate"
elif test "$#" -eq 0; then
err="No packages specified"
fi
if test -n "$err"; then
echo "$0: $err" >&2
echo "$USAGE" >&2
exit 1
fi
workdir="$PWD/rpm-files.$$"
buildroot="$workdir/buildroot"
rpmdir=RPMS
srpmdir=SRPMS
disturl=
rpms=()
rm -rf "$workdir"
mkdir "$workdir" || exit
mkdir -p "$rpmdir" "$srpmdir" || exit
mkdir "$buildroot"
echo "Unpacking original RPMs..."
for rpm; do
# XXX: Use a common script in pesign-repackage.spec.in and here
case "$rpm" in
*.src.rpm | *.nosrc.rpm)
cp "$rpm" "$srpmdir/"
continue
;;
# Do not repackage debuginfo packages (bnc#806637)
*-debuginfo-*.rpm | *-debugsource-*.rpm)
dir="$rpmdir/$(rpm -qp --qf '%{arch}' "$rpm")"
mkdir -p "$dir"
cp "$rpm" "$dir"
continue
;;
esac
# do not repackage baselibs packages
# FIXME: needs more generic test (if architecture has different
# bitness => skip)
case "$(rpm -qp --qf '%{name}/%{arch}' "$rpm")" in
*-32bit/x86_64 | *-32bit/s390x | *-32bit/ppc64 | \
*-64bit/ppc | *-x86/ia64)
mkdir -p "$rpmdir/$(rpm -qp --qf '%{arch}')/"
cp "$rpm" "$_"
continue
esac
rpm2cpio "$rpm" | (cd "$buildroot"; cpio -idm --quiet) || exit
d=$(rpm -qp --qf '%{disturl}' "$rpm")
if test -z "$disturl"; then
disturl=$d
fi
if test "$disturl" != "$d"; then
echo "Error: packages have different disturl: $d vs $disturl"
exit 1
fi
rpms=("${rpms[@]}" "$rpm")
done
set -e
echo "Signing kernel modules..."
for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do
if test -n "$key"; then
/usr/lib/rpm/pesign/kernel-sign-file \
sha256 "$key" "$cert" "$buildroot/$module"
else
raw_sig="$sig_dir/$module.sig"
if test ! -e "$raw_sig"; then
echo "$module.sig not found in $sig_dir" >&2
exit 1
fi
/usr/lib/rpm/pesign/kernel-sign-file \
-s "$raw_sig" sha256 "$cert" "$buildroot/$module"
fi
done
# Add the certificate
mkdir -p "$buildroot/etc/uefi/certs"
h=$(openssl x509 -inform DER -fingerprint -noout -in "$cert")
filename=/etc/uefi/certs/$(echo "$h" | \
sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt
cp "$cert" "$buildroot/$filename"
echo "Generating new specfile..."
if ! test -e /usr/lib/rpm/kernel-cert-subpackage; then
echo "/usr/lib/rpm/kernel-cert-subpackage missing" >&2
echo "please install the kernel-source package" >&2
exit 1
fi
/usr/lib/rpm/pesign/pesign-gen-repackage-spec \
--cert-subpackage=/usr/lib/rpm/kernel-cert-subpackage \
--directory="$buildroot" --output="$workdir" "${rpms[@]}"
echo "Running rpmbuild..."
rpmbuild --define "buildroot $buildroot" --define "disturl $disturl" \
--define "_builddir $workdir" \
--define "_suse_insert_debug_package %{nil}" \
--define "_rpmdir $rpmdir" \
-bb "$workdir/repackage.spec" >"$workdir/log" 2>&1
grep 'RPMS/.*\.rpm$' "$workdir/log"
echo "Cleaning up $workdir..."
rm -r "$workdir"
echo "Done."
exit 0