Accepting request 702580 from home:gary_lin:branches:Base:System

Update to 113

OBS-URL: https://build.opensuse.org/request/show/702580
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=46
Gary Ching-Pang Lin 2019-05-13 07:18:23 +00:00 committed by Git OBS Bridge
parent 647c93e403
commit 2820983477
11 changed files with 126 additions and 348 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:99fa1240311a802fa381eebba8d52b7106690322ac00395bf9fc149dc2cb363e
size 90251

3
pesign-113.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0dfb14e6f79288b7983344b88b14f83b0267c002f563e38171f935af107d0132
size 103471


@ -1,33 +0,0 @@
From 4279d9a36d6c0d09295a76160e26cbe1bbf37591 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 30 Mar 2018 12:25:34 +0800
Subject: [PATCH] efisiglist: Copy the header correctly
signature_list wasn't copied corretly to efi_signature_list because
SignatureType in signature_list is a pointer while that in
efi_signature_list is not.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/siglist.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/siglist.c b/src/siglist.c
index 6e59164..e74eb10 100644
--- a/src/siglist.c
+++ b/src/siglist.c
@@ -217,7 +217,10 @@ signature_list_realize(signature_list *sl, void **out, size_t *outsize)
return -1;
esl = ret;
- memcpy(esl, sl, sizeof (*esl));
+ memcpy(&esl->SignatureType, sl->SignatureType, sizeof(efi_guid_t));
+ esl->SignatureListSize = sl->SignatureListSize;
+ esl->SignatureHeaderSize = sl->SignatureHeaderSize;
+ esl->SignatureSize = sl->SignatureSize;
uint8_t *pos = ret + sizeof (*esl);
for (int i = 0; i < count; i++) {
--
2.16.2


@ -1,65 +0,0 @@
commit 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32
Author: Julien Cristau <jcristau@debian.org>
Date: Thu Jun 9 14:30:37 2016 +0200
Fix command line parsing
The gettext translation domain should be passed as .arg, not .descrip,
otherwise popt won't process any of the command line options (it stops
looping over the struct poptOption array when an entry has unset
longName, shortName and arg).
Signed-off-by: Julien Cristau <jcristau@debian.org>
diff --git a/src/client.c b/src/client.c
index 028419f..575c873 100644
--- a/src/client.c
+++ b/src/client.c
@@ -555,7 +555,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "token",
.shortName = 't',
.argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 6278849..8a515a5 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
/* global nss-ish things */
{.longName = "dbdir",
.shortName = 'd',
diff --git a/src/efisiglist.c b/src/efisiglist.c
index cd3f1ae..40d6a93 100644
--- a/src/efisiglist.c
+++ b/src/efisiglist.c
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "infile",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 1328fe9..0d49c1a 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -214,7 +214,7 @@ main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "dbfile",
.shortName = 'D',
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,


@ -1,4 +1,4 @@
From e3aee739b92c4124fc1207fb06a7dd1cd89d03ae Mon Sep 17 00:00:00 2001 From b3c58e3b9237f90e865723837a9389fcb25f6945 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com> From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 1 Jul 2014 14:43:35 +0800 Date: Tue, 1 Jul 2014 14:43:35 +0800
Subject: [PATCH] authvar: fix the write loop Subject: [PATCH] authvar: fix the write loop
@ -13,18 +13,18 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
1 file changed, 7 insertions(+), 9 deletions(-) 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/src/authvar_context.c b/src/authvar_context.c diff --git a/src/authvar_context.c b/src/authvar_context.c
index c988e96..675967c 100644 index 7a753fc..c51c666 100644
--- a/src/authvar_context.c --- a/src/authvar_context.c
+++ b/src/authvar_context.c +++ b/src/authvar_context.c
@@ -18,6 +18,7 @@ @@ -20,6 +20,7 @@
*/ #include "fix_coverity.h"
#include <unistd.h> #include <unistd.h>
+#include <stddef.h> +#include <stddef.h>
#include <sys/mman.h> #include <sys/mman.h>
#include <prerror.h> #include <prerror.h>
@@ -133,11 +134,7 @@ generate_descriptor(authvar_context *ctx) @@ -135,11 +136,7 @@ generate_descriptor(authvar_context *ctx)
if (rc < 0) if (rc < 0)
cmsreterr(-1, ctx->cms_ctx, "could not create signed data"); cmsreterr(-1, ctx->cms_ctx, "could not create signed data");
@ -37,7 +37,7 @@ index c988e96..675967c 100644
authinfo = calloc(offset + sd_der.len, 1); authinfo = calloc(offset + sd_der.len, 1);
if (!authinfo) if (!authinfo)
cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo"); cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo");
@@ -160,6 +157,7 @@ write_authvar(authvar_context *ctx) @@ -162,6 +159,7 @@ write_authvar(authvar_context *ctx)
void *buffer, *ptr; void *buffer, *ptr;
size_t buf_len, des_len, remain; size_t buf_len, des_len, remain;
ssize_t wlen; ssize_t wlen;
@ -45,7 +45,7 @@ index c988e96..675967c 100644
if (!ctx->authinfo) if (!ctx->authinfo)
cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar"); cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar");
@@ -187,17 +185,17 @@ write_authvar(authvar_context *ctx) @@ -189,19 +187,19 @@ write_authvar(authvar_context *ctx)
if (ctx->value_size > 0) if (ctx->value_size > 0)
memcpy(ptr, ctx->value, ctx->value_size); memcpy(ptr, ctx->value, ctx->value_size);
@ -60,13 +60,15 @@ index c988e96..675967c 100644
do { do {
- wlen = write(ctx->exportfd, buffer, remain); - wlen = write(ctx->exportfd, buffer, remain);
+ wlen = write(ctx->exportfd, buffer + offset, remain); + wlen = write(ctx->exportfd, buffer + offset, remain);
if (wlen < 0) if (wlen < 0) {
free(buffer);
cmsreterr(-1, ctx->cms_ctx, "failed to write authvar"); cmsreterr(-1, ctx->cms_ctx, "failed to write authvar");
}
remain -= wlen; remain -= wlen;
+ offset += wlen; + offset += wlen;
} while (remain > 0); } while (remain > 0);
return 0; free(buffer);
-- --
1.8.4.5 2.21.0
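Review bot: In the `write_authvar` loop the refreshed patch still passes `buffer + offset` to `write()`, and `buffer` is declared `void *` in the context above, so the offset arithmetic depends on the GNU void-pointer extension rather than standard C. A cast makes the byte stride explicit: `wlen = write(ctx->exportfd, (char *)buffer + offset, remain);`. The loop also treats every negative return as fatal, an interrupted call included, and a zero return would never terminate; if that is intended, a comment such as `/* any write error, EINTR included, aborts the export */` would say so. The declaration of `offset` and the rest of `write_authvar` lie outside the visible hunks.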


@ -1,119 +0,0 @@
Index: pesign-0.111/src/daemon.c
===================================================================
--- pesign-0.111.orig/src/daemon.c
+++ pesign-0.111/src/daemon.c
@@ -544,7 +544,11 @@ malformed:
if (rc < 0) {
err_attached:
pe_end(outpe);
- ftruncate(outfd, 0);
+ if (ftruncate(outfd, 0) != 0) {
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ "pesignd: could not truncate output "
+ "file: %m");
+ }
goto finish;
}
ssize_t sigspace = calculate_signature_space(ctx->cms, outpe);
@@ -562,21 +566,34 @@ err_attached:
ctx->cms->num_signatures, outpe);
pe_end(outpe);
} else {
- ftruncate(outfd, 0);
+ if (ftruncate(outfd, 0) != 0) {
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ "pesignd: could not truncate output "
+ "file: %m");
+ }
rc = generate_digest(ctx->cms, inpe, 1);
if (rc < 0) {
err_detached:
- ftruncate(outfd, 0);
+ if (ftruncate(outfd, 0) != 0) {
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ "pesignd: could not truncate output "
+ "file: %m");
+ }
goto finish;
}
rc = generate_signature(ctx->cms);
if (rc < 0)
goto err_detached;
rc = export_signature(ctx->cms, outfd, 0);
- if (rc >= 0)
- ftruncate(outfd, rc);
- else if (rc < 0)
+ if (rc >= 0) {
+ if (ftruncate(outfd, rc) != 0) {
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ "pesignd: could not truncate output "
+ "file: %m");
+ }
+ } else if (rc < 0) {
goto err_detached;
+ }
}
finish:
@@ -1182,7 +1199,12 @@ daemonize(cms_context *cms_ctx, char *ce
exit(1);
}
- chdir(homedir ? homedir : "/");
+ if (chdir(homedir ? homedir : "/") != 0) {
+ ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
+ "pesignd: could not change working directory "
+ "for pesign: %m");
+ exit(1);
+ }
if (getuid() == 0) {
/* process is running as root, drop privileges */
Index: pesign-0.111/src/password.c
===================================================================
--- pesign-0.111.orig/src/password.c
+++ pesign-0.111/src/password.c
@@ -76,7 +76,8 @@ static char *SEC_GetPassword(FILE *input
echoOff(infd);
}
- fgets ( phrase, sizeof(phrase), input);
+ if (fgets(phrase, sizeof(phrase), input) == NULL)
+ phrase[0] = '\0';
if (isTTY) {
fprintf(output, "\n");
Index: pesign-0.111/src/pesign.c
===================================================================
--- pesign-0.111.orig/src/pesign.c
+++ pesign-0.111/src/pesign.c
@@ -164,9 +164,15 @@ open_output(pesign_context *ctx)
addr = pe_rawfile(ctx->inpe, &size);
- ftruncate(ctx->outfd, size);
+ if (ftruncate(ctx->outfd, size) != 0) {
+ fprintf(stderr, "pesign: could not truncate output file: %m\n");
+ exit(1);
+ }
lseek(ctx->outfd, 0, SEEK_SET);
- write(ctx->outfd, addr, size);
+ if ((size_t)write(ctx->outfd, addr, size) != size) {
+ fprintf(stderr, "pesign: could not write output file: %m\n");
+ exit(1);
+ }
Pe_Cmd cmd = ctx->outfd == STDOUT_FILENO ? PE_C_RDWR : PE_C_RDWR_MMAP;
ctx->outpe = pe_begin(ctx->outfd, cmd, NULL);
Index: pesign-0.111/src/signed_data.c
===================================================================
--- pesign-0.111.orig/src/signed_data.c
+++ pesign-0.111/src/signed_data.c
@@ -133,6 +133,7 @@ generate_signerInfo_list(cms_context *cm
SpcSignerInfo **signerInfo_list;
int err, rc;
+ err = 0;
if (!signerInfo_list_p)
return -1;


@ -4,11 +4,11 @@
src/pesign.c | 1 + src/pesign.c | 1 +
3 files changed, 12 insertions(+), 2 deletions(-) 3 files changed, 12 insertions(+), 2 deletions(-)
Index: pesign-0.111/src/cms_common.c Index: pesign-113/src/cms_common.c
=================================================================== ===================================================================
--- pesign-0.111.orig/src/cms_common.c --- pesign-113.orig/src/cms_common.c
+++ pesign-0.111/src/cms_common.c +++ pesign-113/src/cms_common.c
@@ -280,6 +280,7 @@ struct cbdata { @@ -282,6 +282,7 @@ struct cbdata {
CERTCertificate *cert; CERTCertificate *cert;
PK11SlotListElement *psle; PK11SlotListElement *psle;
secuPWData *pwdata; secuPWData *pwdata;
@ -16,7 +16,7 @@ Index: pesign-0.111/src/cms_common.c
}; };
static SECStatus static SECStatus
@@ -291,6 +292,12 @@ is_valid_cert(CERTCertificate *cert, voi @@ -293,6 +294,12 @@ is_valid_cert(CERTCertificate *cert, voi
void *pwdata = cbdata->pwdata; void *pwdata = cbdata->pwdata;
SECKEYPrivateKey *privkey = NULL; SECKEYPrivateKey *privkey = NULL;
@ -29,7 +29,7 @@ Index: pesign-0.111/src/cms_common.c
privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata); privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
if (privkey != NULL) { if (privkey != NULL) {
cbdata->cert = cert; cbdata->cert = cert;
@@ -421,7 +428,7 @@ find_certificate(cms_context *cms, int n @@ -423,7 +430,7 @@ find_certificate(cms_context *cms, int n
} }
SECStatus status; SECStatus status;
@ -38,7 +38,7 @@ Index: pesign-0.111/src/cms_common.c
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
if (status != SECSuccess) { if (status != SECSuccess) {
PK11_DestroySlotListElement(slots, &psle); PK11_DestroySlotListElement(slots, &psle);
@@ -450,6 +457,7 @@ find_certificate(cms_context *cms, int n @@ -452,6 +459,7 @@ find_certificate(cms_context *cms, int n
.cert = NULL, .cert = NULL,
.psle = psle, .psle = psle,
.pwdata = pwdata, .pwdata = pwdata,
@ -46,7 +46,7 @@ Index: pesign-0.111/src/cms_common.c
}; };
if (needs_private_key) { if (needs_private_key) {
@@ -570,7 +578,7 @@ find_named_certificate(cms_context *cms, @@ -572,7 +580,7 @@ find_named_certificate(cms_context *cms,
} }
SECStatus status; SECStatus status;
@ -55,11 +55,11 @@ Index: pesign-0.111/src/cms_common.c
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
if (status != SECSuccess) { if (status != SECSuccess) {
PK11_DestroySlotListElement(slots, &psle); PK11_DestroySlotListElement(slots, &psle);
Index: pesign-0.111/src/cms_common.h Index: pesign-113/src/cms_common.h
=================================================================== ===================================================================
--- pesign-0.111.orig/src/cms_common.h --- pesign-113.orig/src/cms_common.h
+++ pesign-0.111/src/cms_common.h +++ pesign-113/src/cms_common.h
@@ -63,6 +63,7 @@ typedef int (*cms_common_logger)(struct @@ -62,6 +62,7 @@ typedef int (*cms_common_logger)(struct
typedef struct cms_context { typedef struct cms_context {
PRArenaPool *arena; PRArenaPool *arena;
void *privkey; void *privkey;
@ -67,11 +67,11 @@ Index: pesign-0.111/src/cms_common.h
char *tokenname; char *tokenname;
char *certname; char *certname;
Index: pesign-0.111/src/pesign.c Index: pesign-113/src/file_pe.c
=================================================================== ===================================================================
--- pesign-0.111.orig/src/pesign.c --- pesign-113.orig/src/file_pe.c
+++ pesign-0.111/src/pesign.c +++ pesign-113/src/file_pe.c
@@ -651,6 +651,7 @@ main(int argc, char *argv[]) @@ -354,6 +354,7 @@ pe_handle_action(pesign_context *ctxp, i
*/ */
case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS: case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
check_inputs(ctxp); check_inputs(ctxp);
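Review bot: The diffstat header carried at the top of this patch still reads `src/pesign.c | 1 +`, while the last hunk was retargeted to `src/file_pe.c` in `pe_handle_action`. Because the patch relaxes a private-key check (per the spec comment, when importing a raw signature), the header should name the file that now carries the change so an auditor looks in the right place: `src/file_pe.c | 1 +`. The added lines themselves are not visible in this rendering, so only the header mismatch can be confirmed here.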


@ -6,11 +6,11 @@
src/tmpfiles.conf | 2 +- src/tmpfiles.conf | 2 +-
5 files changed, 12 insertions(+), 12 deletions(-) 5 files changed, 12 insertions(+), 12 deletions(-)
Index: pesign-0.112/src/Makefile Index: pesign-113/src/Makefile
=================================================================== ===================================================================
--- pesign-0.112.orig/src/Makefile --- pesign-113.orig/src/Makefile
+++ pesign-0.112/src/Makefile +++ pesign-113/src/Makefile
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit @@ -73,7 +73,7 @@ install_sysvinit: pesign.sysvinit
install : install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
@ -19,11 +19,11 @@ Index: pesign-0.112/src/Makefile
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
Index: pesign-0.112/src/daemon.h Index: pesign-113/src/daemon.h
=================================================================== ===================================================================
--- pesign-0.112.orig/src/daemon.h --- pesign-113.orig/src/daemon.h
+++ pesign-0.112/src/daemon.h +++ pesign-113/src/daemon.h
@@ -49,7 +49,7 @@ typedef enum { @@ -49,8 +49,8 @@ typedef enum {
} pesignd_cmd; } pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0 #define PESIGND_VERSION 0x2a9edaf0
@ -32,31 +32,32 @@ Index: pesign-0.112/src/daemon.h
+#define SOCKPATH "/run/pesign/socket" +#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid" +#define PIDFILE "/run/pesign.pid"
#endif /* DAEMON_H */ static inline uint32_t UNUSED
Index: pesign-0.112/src/macros.pesign pesignd_string_size(char *buffer)
Index: pesign-113/src/macros.pesign
=================================================================== ===================================================================
--- pesign-0.112.orig/src/macros.pesign --- pesign-113.orig/src/macros.pesign
+++ pesign-0.112/src/macros.pesign +++ pesign-113/src/macros.pesign
@@ -40,7 +40,7 @@ @@ -52,7 +52,7 @@
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ getfacl /var/run/pesign 1>&2 \
--certdir ${nss} -c signer %{-o} \ getfacl /var/run/pesign/socket 1>&2 \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \ exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \ - elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \ + elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\ %{_pesign_client} -t %{__pesign_client_token} \\\
-c "/CN=Fedora Secure Boot Signer" \\\ -c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \ %{-i} %{-o} %{-e} %{-s} %{-C} \
Index: pesign-0.112/src/tmpfiles.conf Index: pesign-113/src/tmpfiles.conf
=================================================================== ===================================================================
--- pesign-0.112.orig/src/tmpfiles.conf --- pesign-113.orig/src/tmpfiles.conf
+++ pesign-0.112/src/tmpfiles.conf +++ pesign-113/src/tmpfiles.conf
@@ -1 +1 @@ @@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign - -D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign - +D /run/pesign 0770 pesign pesign -
Index: pesign-0.112/src/pesign.sysvinit.in Index: pesign-113/src/pesign.sysvinit.in
=================================================================== ===================================================================
--- pesign-0.112.orig/src/pesign.sysvinit.in --- pesign-113.orig/src/pesign.sysvinit.in
+++ pesign-0.112/src/pesign.sysvinit.in +++ pesign-113/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@ @@ -4,7 +4,7 @@
# #
# chkconfig: - 50 50 # chkconfig: - 50 50
@ -66,54 +67,28 @@ Index: pesign-0.112/src/pesign.sysvinit.in
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: pesign # Provides: pesign
# Should-Start: $remote_fs # Should-Start: $remote_fs
Index: pesign-0.112/src/pesign.service.in Index: pesign-113/src/pesign.service.in
=================================================================== ===================================================================
--- pesign-0.112.orig/src/pesign.service.in --- pesign-113.orig/src/pesign.service.in
+++ pesign-0.112/src/pesign.service.in +++ pesign-113/src/pesign.service.in
@@ -4,7 +4,7 @@ Description=Pesign signing daemon @@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service] [Service]
PrivateTmp=true PrivateTmp=true
Type=forking Type=forking
-PIDFile=/var/run/pesign.pid -PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid +PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups Index: pesign-113/src/pesign-authorize
Index: pesign-0.112/src/pesign-authorize-groups
=================================================================== ===================================================================
--- pesign-0.112.orig/src/pesign-authorize-groups --- pesign-113.orig/src/pesign-authorize
+++ pesign-0.112/src/pesign-authorize-groups +++ pesign-113/src/pesign-authorize
@@ -12,10 +12,10 @@ set -e @@ -47,7 +47,7 @@ update_subdir() {
done
}
if [ -r /etc/pesign/groups ]; then -for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
for group in $(cat /etc/pesign/groups); do +for x in /run/pesign/ /etc/pki/pesign*/ ; do
- if [ -d /var/run/pesign ]; then if [ -d "${x}" ]; then
- setfacl -m g:${group}:rx /var/run/pesign update_subdir "${x}"
- if [ -e /var/run/pesign/socket ]; then else
- setfacl -m g:${group}:rw /var/run/pesign/socket
+ if [ -d /run/pesign ]; then
+ setfacl -m g:${group}:rx /run/pesign
+ if [ -e /run/pesign/socket ]; then
+ setfacl -m g:${group}:rw /run/pesign/socket
fi
fi
for x in /etc/pki/pesign* ; do
Index: pesign-0.112/src/pesign-authorize-users
===================================================================
--- pesign-0.112.orig/src/pesign-authorize-users
+++ pesign-0.112/src/pesign-authorize-users
@@ -12,10 +12,10 @@ set -e
if [ -r /etc/pesign/users ]; then
for username in $(cat /etc/pesign/users); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
+ if [ -d /run/pesign ]; then
+ setfacl -m g:${username}:rx /run/pesign
+ if [ -e /run/pesign/socket ]; then
+ setfacl -m g:${username}:rw /run/pesign/socket
fi
fi
for x in /etc/pki/pesign* ; do
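Review bot: The `macros.pesign` hunk switches the socket test to `[ -S /run/pesign/socket ]`, but the new context directly above it still runs `getfacl /var/run/pesign` and `getfacl /var/run/pesign/socket` in the failure branch, so the ACL diagnostics can report on a different path than the one the client uses. Those two lines should move with the test: `getfacl /run/pesign 1>&2 \` and `getfacl /run/pesign/socket 1>&2 \`. The sysvinit `start()` shown in pesign-suse-build.patch likewise still creates and chmods `/var/run/pesign`, and no hunk visible in this patch touches it. The mismatch is harmless only where `/var/run` is a symlink to `/run`; the enclosing macro body continues outside the hunk.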


@ -1,7 +1,7 @@
Index: pesign-0.112/util/Makefile Index: pesign-113/util/Makefile
=================================================================== ===================================================================
--- pesign-0.112.orig/util/Makefile --- pesign-113.orig/util/Makefile
+++ pesign-0.112/util/Makefile +++ pesign-113/util/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules @@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules
include $(TOPDIR)/Make.defaults include $(TOPDIR)/Make.defaults
@ -22,11 +22,11 @@ Index: pesign-0.112/util/Makefile
install_systemd: install_systemd:
Index: pesign-0.112/src/pesign.sysvinit.in Index: pesign-113/src/pesign.sysvinit.in
=================================================================== ===================================================================
--- pesign-0.112.orig/src/pesign.sysvinit.in --- pesign-113.orig/src/pesign.sysvinit.in
+++ pesign-0.112/src/pesign.sysvinit.in +++ pesign-113/src/pesign.sysvinit.in
@@ -6,21 +6,24 @@ @@ -6,16 +6,19 @@
# processname: /usr/bin/pesign # processname: /usr/bin/pesign
# pidfile: /var/run/pesign.pid # pidfile: /var/run/pesign.pid
### BEGIN INIT INFO ### BEGIN INIT INFO
@ -50,13 +50,16 @@ Index: pesign-0.112/src/pesign.sysvinit.in
RETVAL=0 RETVAL=0
start(){ start(){
echo -n "Starting pesign: " @@ -23,7 +26,7 @@ start(){
mkdir /var/run/pesign 2>/dev/null &&
chown pesign:pesign /var/run/pesign &&
chmod 0770 /var/run/pesign
- daemon /usr/bin/pesign --daemonize - daemon /usr/bin/pesign --daemonize
+ startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize + startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize
RETVAL=$? RETVAL=$?
echo echo
touch /var/lock/subsys/pesign touch /var/lock/subsys/pesign
@@ -30,7 +33,7 @@ start(){ @@ -32,7 +35,7 @@ start(){
stop(){ stop(){
echo -n "Stopping pesign: " echo -n "Stopping pesign: "
@ -65,24 +68,24 @@ Index: pesign-0.112/src/pesign.sysvinit.in
RETVAL=$? RETVAL=$?
echo echo
rm -f /var/lock/subsys/pesign rm -f /var/lock/subsys/pesign
Index: pesign-0.112/Make.defaults Index: pesign-113/Make.defaults
=================================================================== ===================================================================
--- pesign-0.112.orig/Make.defaults --- pesign-113.orig/Make.defaults
+++ pesign-0.112/Make.defaults +++ pesign-113/Make.defaults
@@ -57,7 +57,7 @@ efi_cflags = $(cflags) @@ -61,7 +61,7 @@ CPPFLAGS ?=
ASFLAGS = $(ARCH3264) RANLIBFLAGS := $(if $(filter $(CC),gcc),-D)
CPPFLAGS ?= ARFLAGS := $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
-LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) -LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
+LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) +LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
ifeq ($(ARCH),ia64) ifeq ($(ARCH),ia64)
efi_cflags += -mfixed-range=f32-f127 efi_cflags += -mfixed-range=f32-f127
Index: pesign-0.112/Makefile Index: pesign-113/Makefile
=================================================================== ===================================================================
--- pesign-0.112.orig/Makefile --- pesign-113.orig/Makefile
+++ pesign-0.112/Makefile +++ pesign-113/Makefile
@@ -9,7 +9,6 @@ SUBDIRS := include libdpe src @@ -11,7 +11,6 @@ SUBDIRS := include libdpe src
install : install :
$(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ $(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/


@ -1,3 +1,27 @@
-------------------------------------------------------------------
Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
- Update to 113
+ Get rid of the 0.Y versioning
+ Make --padding the default
+ Add kmod signing (drake)
+ efisiglist format fixes
+ enforce the use of --kernel or --module in efikeygen
+ RPM macro updates
+ Move the license to GPLv3+
+ Use sql-type NSS database by default
+ Various documentation improvements.
+ Improve /etc/pki/pesign authorization scripts
+ Various pesigcheck improvements
- Refresh patches
+ pesign-suse-build.patch
+ pesign-privkey_unneeded.diff
+ pesign-fix-authvar-write-loop.patch
- Drop upstreamed patches
+ pesign-fix-argument-list.patch
+ pesign-bsc1087742-fix-efisiglist.patch
- Drop pesign-fix-build-errors.patch since those warnings are gone
------------------------------------------------------------------- -------------------------------------------------------------------
Thu May 9 12:25:31 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org> Thu May 9 12:25:31 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>


@ -17,27 +17,21 @@
Name: pesign Name: pesign
Version: 0.112 Version: 113
Release: 0 Release: 0
Summary: Signing tool for PE-COFF binaries Summary: Signing tool for PE-COFF binaries
License: GPL-2.0-only License: GPL-3.0-or-later
Group: Productivity/Security Group: Productivity/Security
Url: https://github.com/rhinstaller/pesign Url: https://github.com/rhinstaller/pesign
Source: https://github.com/rhinstaller/pesign/releases/download/%{version}/%{name}-%{version}.tar.bz2 Source: https://github.com/rhinstaller/pesign/releases/download/%{version}/%{name}-%{version}.tar.bz2
# PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service # PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
Patch1: pesign-suse-build.patch Patch1: pesign-suse-build.patch
# PATCH-FIX-UPSTREAM pesign-fix-build-errors.patch glin@suse.com -- Fix gcc warnings
Patch2: pesign-fix-build-errors.patch
# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature # PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature
Patch3: pesign-privkey_unneeded.diff Patch2: pesign-privkey_unneeded.diff
# PATCH-FIX-SUSE pesign-run.patch aj@suse.com - Use /run instead of /var/run # PATCH-FIX-SUSE pesign-run.patch aj@suse.com - Use /run instead of /var/run
Patch5: pesign-run.patch Patch3: pesign-run.patch
# PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar # PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar
Patch6: pesign-fix-authvar-write-loop.patch Patch4: pesign-fix-authvar-write-loop.patch
# PATCH-FIX-UPSTREAM pesign-fix-argument-list.patch glin@suse.com -- Fix the argument list parsing
Patch7: pesign-fix-argument-list.patch
# PATCH-FIX-UPSTREAM bsc#1087742 pesign-bsc1087742-fix-efisiglist.patch glin@suse.com -- Fix efi signature list generation
Patch8: pesign-bsc1087742-fix-efisiglist.patch
BuildRequires: efivar-devel BuildRequires: efivar-devel
BuildRequires: libuuid-devel BuildRequires: libuuid-devel
BuildRequires: mozilla-nss-devel BuildRequires: mozilla-nss-devel
@ -57,10 +51,7 @@ with the PE and Authenticode specifications.
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch5 -p1 %patch4 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build %build
make %{?_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" make %{?_smp_mflags} CFLAGS="$RPM_OPT_FLAGS"
@ -96,7 +87,7 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/pesign.conf || :
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc COPYING %license COPYING
%{_bindir}/pesign %{_bindir}/pesign
%{_bindir}/pesign-client %{_bindir}/pesign-client
%{_bindir}/efikeygen %{_bindir}/efikeygen
@ -115,7 +106,7 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/pesign.conf || :
%{_unitdir}/pesign.service %{_unitdir}/pesign.service
%{_libexecdir}/tmpfiles.d/pesign.conf %{_libexecdir}/tmpfiles.d/pesign.conf
%dir %{_libexecdir}/pesign %dir %{_libexecdir}/pesign
%{_libexecdir}/pesign/pesign-authorize-* %{_libexecdir}/pesign/pesign-authorize
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign
%ghost %dir %attr(0770,pesign,pesign) /run/%{name} %ghost %dir %attr(0770,pesign,pesign) /run/%{name}
%dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name} %dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name}
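Review bot: `%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign` in the `%files` list leaves the directory that holds the signing certificate database readable and traversable by every local user, whereas the upstream Makefile context shown in pesign-suse-build.patch installs it with `-m 700` and the two neighbouring pesign directories use 0770. With 113 granting access through the `pesign-authorize` ACL script, the base mode can be tightened: `%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign`. Whether the database files inside are themselves world-readable is not visible here.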