pool/pesign-obs-integration
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
23 Commits 1 Branch 0 Tags 684 KiB
RPM Spec 100%
9d99969431
Go to file
Stephan Kulow 9d99969431 Accepting request 247328 from home:oertel:factory-relnums 
sanitize release line in specfile

OBS-URL: https://build.opensuse.org/request/show/247328
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=37
2014-09-03 16:27:37 +00:00
.gitattributes osc copypac from project:home:michal-m:modsign package:pesign-obs-integration revision:2 2013-02-05 10:41:47 +00:00
.gitignore osc copypac from project:home:michal-m:modsign package:pesign-obs-integration revision:2 2013-02-05 10:41:47 +00:00
brp-99-compress-vmlinux Accepting request 245477 from home:michal-m:branches:Base:System 2014-08-21 04:08:32 +00:00
brp-99-pesign Accepting request 242969 from home:michal-m:branches:Base:System 2014-07-30 09:43:53 +00:00
COPYING osc copypac from project:home:michal-m:modsign package:pesign-obs-integration revision:2 2013-02-05 10:41:47 +00:00
gen-hmac Accepting request 245477 from home:michal-m:branches:Base:System 2014-08-21 04:08:32 +00:00
kernel-sign-file Accepting request 239464 from home:michal-m:branches:Base:System 2014-07-07 01:50:17 +00:00
modsign-repackage Accepting request 228761 from home:michal-m:branches:Base:System 2014-04-03 01:54:03 +00:00
pesign-gen-repackage-spec Accepting request 228891 from home:michal-m:branches:Base:System 2014-04-03 15:11:38 +00:00
pesign-obs-integration.changes Accepting request 247328 from home:oertel:factory-relnums 2014-09-03 16:27:37 +00:00
pesign-obs-integration.spec Accepting request 247328 from home:oertel:factory-relnums 2014-09-03 16:27:37 +00:00
pesign-repackage.spec.in Accepting request 243599 from home:michal-m:branches:Base:System 2014-08-05 02:30:29 +00:00
README Accepting request 239464 from home:michal-m:branches:Base:System 2014-07-07 01:50:17 +00:00

README 

Signing kernel modules and EFI binaries in the Open Build Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packages that need to sign files during build should add the following lines
to the specfile

# needssslcertforbuild
export BRP_PESIGN_FILES='pattern...'
BuildRequires: pesign-obs-integration

The "# needssslcertforbuild" comment tells the buildservice to store the
signing certificate in %_sourcedir/_projectcert.crt. At the end of the
install phase, the brp-99-pesign script computes hashes of all
files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored
in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
pesign-repackage.spec file there. When the first rpmbuild finishes, the
buildservice sends the cpio archive to the signing server, which returns
a rsasigned.cpio archive with RSA signatures of the sha256 hashes.

The pesign-repackage.spec takes the original RPMs, unpacks them and
appends the signatures to the files. It then uses the
pesign-gen-repackage-spec script to generate another specfile, which
builds new RPMs with signed files. The supported file types are:

*.ko            - Signature appended to the module
efi binaries    - Signature embedded in a header. If a HMAC checksum named
                  .$file.hmac exists, it is regenerated