Accepting request 1069048 from home:gary_lin:branches:Base:System

Update to 116 OBS-URL: https://build.opensuse.org/request/show/1069048 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=70
2023-03-03 03:06:48 +00:00 · 2023-03-03 03:06:48 +00:00 · 361faa327f
commit 361faa327f
parent 88fb4f57d3
19 changed files with 332 additions and 473 deletions
--- a/harden_pesign.service.patch
+++ b/harden_pesign.service.patch
@ -1,7 +1,7 @@
-Index: pesign-113/src/pesign.service.in
+Index: pesign-115/src/pesign.service.in
 ===================================================================
--- pesign-113.orig/src/pesign.service.in
-+++ pesign-113/src/pesign.service.in
+--- pesign-115.orig/src/pesign.service.in
+++ pesign-115/src/pesign.service.in
@@ -3,6 +3,19 @@ Description=Pesign signing daemon
 
 [Service]
@ -19,6 +19,6 @@ Index: pesign-113/src/pesign.service.in
 +ProtectControlGroups=true
 +RestrictRealtime=true
 +# end of automatic additions 
- Type=forking
- PIDFile=/run/pesign.pid
- ExecStart=/usr/bin/pesign --daemonize
+ PIDFile=@@RUNDIR@@/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize --nofork
+ ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
--- a/pesign-113.tar.bz2
+++ b/pesign-113.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0dfb14e6f79288b7983344b88b14f83b0267c002f563e38171f935af107d0132
-size 103471
--- a/pesign-116.tar.bz2
+++ b/pesign-116.tar.bz2
--- a/pesign-boo1143063-remove-var-tracking.patch
+++ b/pesign-boo1143063-remove-var-tracking.patch
@ -1,8 +1,8 @@
-diff --git a/Make.defaults b/Make.defaults
-index 7892d73..2d18005 100644
--- a/Make.defaults
-+++ b/Make.defaults
-@@ -47,7 +47,7 @@ cflags	= $(CFLAGS) $(ARCH3264) \
+Index: pesign-115/Make.defaults
+===================================================================
+--- pesign-115.orig/Make.defaults
+++ pesign-115/Make.defaults
+@@ -69,7 +69,7 @@ cflags	= $(CFLAGS) $(ARCH3264) \
 	$(call pkg-config-cflags)
 clang_ccldflags =
 gcc_ccldflags = -fno-merge-constants \
@ -10,4 +10,4 @@ index 7892d73..2d18005 100644
 +	-fvar-tracking-assignments -fkeep-inline-functions \
 	-Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \
 	-Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \
- 	-Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed
+ 	-Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -pie
--- a/pesign-boo1158197-fix-pesigncheck-gcc10.patch
+++ b/pesign-boo1158197-fix-pesigncheck-gcc10.patch
@ -1,39 +0,0 @@
-From b0b740f38da6d4584417d65a7c97fd4faf982cf6 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Wed, 4 Dec 2019 10:28:28 +0800
-Subject: [PATCH] pesigcheck: remove superfluous type settings
-
-When setting the type of reason in check_signature(), the type was
-accidentally set as "siBuffer". Since the type is already set as
-"SIGNATURE", we only need to remove those two lines of code.
-
-Fixes: https://github.com/rhboot/pesign/issues/55
-
-Signed-off-by: Gary Lin <glin@suse.com>
---
- src/pesigcheck.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/src/pesigcheck.c b/src/pesigcheck.c
-index 524cce3..d197c30 100644
--- a/src/pesigcheck.c
-+++ b/src/pesigcheck.c
-@@ -318,7 +318,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
- 			reason->type = SIGNATURE;
- 			reason->sig.data = data;
- 			reason->sig.len = datalen;
-			reason->type = siBuffer;
- 			nreason += 1;
- 			is_invalid = true;
- 		}
-@@ -330,7 +329,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
- 			reason->type = SIGNATURE;
- 			reason->sig.data = data;
- 			reason->sig.len = datalen;
-			reason->type = siBuffer;
- 			nreason += 1;
- 			has_valid_cert = true;
- 		}
-- 
-2.24.0
-
--- a/pesign-boo1185663-set-rpmmacrodir.patch
+++ b/pesign-boo1185663-set-rpmmacrodir.patch
@ -1,27 +1,27 @@
-diff --git a/Make.defaults b/Make.defaults
-index 2d18005..7ecba00 100644
--- a/Make.defaults
-+++ b/Make.defaults
-@@ -11,6 +11,7 @@ includedir ?= $(prefix)include/
- bindir	?= $(prefix)bin/
+Index: pesign-115/Make.defaults
+===================================================================
+--- pesign-115.orig/Make.defaults
+++ pesign-115/Make.defaults
+@@ -13,6 +13,7 @@ rundir  ?= /run/
+ rundir	:= $(abspath $(rundir))/
 pcdir	?= $(libdir)pkgconfig/
 docdir	?= $(prefix)share/doc/
 +rpmmacrodir ?= /etc/rpm/
 DESTDIR	?=
 INSTALLROOT = $(DESTDIR)
 
-diff --git a/src/Makefile b/src/Makefile
-index 5fb2841..ca546a3 100644
--- a/src/Makefile
-+++ b/src/Makefile
-@@ -90,8 +90,8 @@ install :
- 	$(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)$(mandir)man1/
- 	$(INSTALL) -m 644 authvar.1 $(INSTALLROOT)$(mandir)man1/
- 	$(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/
+Index: pesign-115/src/Makefile
+===================================================================
+--- pesign-115.orig/src/Makefile
+++ pesign-115/src/Makefile
+@@ -88,8 +88,8 @@ install :
+ 	$(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(mandir)man1/
+ 	$(INSTALL) -m 644 $(MAN1TARGETS) $(INSTALLROOT)$(mandir)man1/
 -	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
 -	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
 +	$(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
 +	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
 	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
+ 	$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
--- a/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
+++ b/pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
@ -11,15 +11,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
 src/pesign.service.in | 1 +
 1 file changed, 1 insertion(+)

-diff --git a/src/pesign.service.in b/src/pesign.service.in
-index 87accee..8542c63 100644
--- a/src/pesign.service.in
-+++ b/src/pesign.service.in
-@@ -20,3 +20,4 @@ Type=forking
- PIDFile=/run/pesign.pid
- ExecStart=/usr/bin/pesign --daemonize
- ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
+Index: pesign-116/src/pesign.service.in
+===================================================================
+--- pesign-116.orig/src/pesign.service.in
+++ pesign-116/src/pesign.service.in
+@@ -18,6 +18,7 @@ RestrictRealtime=true
+ # end of automatic additions 
+ PIDFile=@@RUNDIR@@/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize --nofork
 +ReadWritePaths=/etc/pki/pesign/
-- 
-2.35.3
-
+ 
+ [Install]
+ WantedBy=multi-user.target
--- a/pesign-bsc1202933-Remove-pesign-authorize.patch
+++ b/pesign-bsc1202933-Remove-pesign-authorize.patch
@ -0,0 +1,91 @@
+From 09a41248f9f867e9aaf06e890621c392d36b52ec Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 31 Jan 2023 10:00:18 -0500
+Subject: [PATCH] Remove pesign-authorize
+
+The onus of correct file/directory permissions should be a configuration
+and systems administration issue, not pesign's.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/.gitignore          |  1 -
+ src/Makefile            |  3 +--
+ src/pesign-authorize.in | 13 -------------
+ src/pesign.service.in   |  1 -
+ src/pesign.sysvinit.in  |  1 -
+ 5 files changed, 1 insertion(+), 18 deletions(-)
+ delete mode 100644 src/pesign-authorize.in
+
+Index: pesign-116/src/.gitignore
+===================================================================
+--- pesign-116.orig/src/.gitignore
+++ pesign-116/src/.gitignore
+@@ -10,5 +10,4 @@ peverify
+ pesign.service
+ pesign.sysvinit
+ pesign-rpmbuild-helper
+-pesign-authorize
+ tmpfiles.conf
+Index: pesign-116/src/Makefile
+===================================================================
+--- pesign-116.orig/src/Makefile
+++ pesign-116/src/Makefile
+@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
+ include $(TOPDIR)/Make.defaults
+ 
+ BINTARGETS=authvar client efikeygen pesigcheck pesign \
+-	   pesign-rpmbuild-helper pesign-authorize pesum
+	   pesign-rpmbuild-helper pesum
+ CFGTARGETS=tmpfiles.conf
+ SVCTARGETS=pesign.sysvinit pesign.service
+ MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1
+@@ -99,7 +99,6 @@ install :
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
+ 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
+-	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+ 	$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
+ 	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+Index: pesign-116/src/pesign-authorize.in
+===================================================================
+--- pesign-116.orig/src/pesign-authorize.in
+++ /dev/null
+@@ -1,13 +0,0 @@
+-#!/bin/bash
+-set -e
+-set -u
+-
+-# License: GPLv2
+-
+-# This script is deprecated and will be removed in a future release.
+-
+-sleep 3
+-for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
+-	chown -R pesign:pesign "${x}" || true
+-	chmod -R ug+rwX "${x}" || true
+-done
+Index: pesign-116/src/pesign.service.in
+===================================================================
+--- pesign-116.orig/src/pesign.service.in
+++ pesign-116/src/pesign.service.in
+@@ -18,7 +18,6 @@ RestrictRealtime=true
+ # end of automatic additions 
+ PIDFile=@@RUNDIR@@/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize --nofork
+-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
+ 
+ [Install]
+ WantedBy=multi-user.target
+Index: pesign-116/src/pesign.sysvinit.in
+===================================================================
+--- pesign-116.orig/src/pesign.sysvinit.in
+++ pesign-116/src/pesign.sysvinit.in
+@@ -30,7 +30,6 @@ start(){
+     RETVAL=$?
+     echo
+     touch /var/lock/subsys/pesign
+-    @@LIBEXECDIR@@/pesign/pesign-authorize
+ }
+ 
+ stop(){
--- a/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
+++ b/pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
@ -1,81 +0,0 @@
-From cf116c5fc6a98f28144ea0409988a83b22289439 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 18 Jan 2023 14:00:22 -0500
-Subject: [PATCH] Use normal file permissions instead of ACLs
-
-Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
-
-pesign-authorize is now deprecated and will be removed in a future
-release.
-
-Resolves: CVE-2022-3560
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
- src/pesign-authorize | 53 +++++---------------------------------------
- 1 file changed, 5 insertions(+), 48 deletions(-)
-
-Index: pesign-113/src/pesign-authorize
-===================================================================
--- pesign-113.orig/src/pesign-authorize
-+++ pesign-113/src/pesign-authorize
-@@ -2,55 +2,12 @@
- set -e
- set -u
- 
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
- # License: GPLv2
-declare -a fileusers=()
-declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
-	dirusers[${#dirusers[@]}]=-m
-	dirusers[${#dirusers[@]}]="u:$user:rwx"
-	fileusers[${#fileusers[@]}]=-m
-	fileusers[${#fileusers[@]}]="u:$user:rw"
-done
-
-declare -a filegroups=()
-declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
-	dirgroups[${#dirgroups[@]}]=-m
-	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
-	filegroups[${#filegroups[@]}]=-m
-	filegroups[${#filegroups[@]}]="g:$group:rw"
-done
-
-update_subdir() {
-	subdir=$1 && shift
- 
-	setfacl -bk "${subdir}"
-	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
-	for x in "${subdir}"* ; do
-		if [ -d "${x}" ]; then
-			setfacl -bk ${x}
-			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
-			update_subdir "${x}/"
-		elif [ -e "${x}" ]; then
-			setfacl -bk ${x}
-			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
-		else
-			:;
-		fi
-	done
-}
-+# This script is deprecated and will be removed in a future release.
- 
-for x in /run/pesign/ /etc/pki/pesign*/ ; do
-	if [ -d "${x}" ]; then
-		update_subdir "${x}"
-	else
-		:;
-	fi
-+sleep 3
-+for x in /run/pesign/ /etc/pki/pesign/ ; do
-+	chown -R pesign:pesign "${x}" || true
-+	chmod -R ug+rwX "${x}" || true
- done
--- a/pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
+++ b/pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
@ -1,45 +0,0 @@
-From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 14 May 2019 11:28:38 -0400
-Subject: [PATCH] efikeygen: Fix the build with nss 3.44
-
-NSS 3.44 adds some certificate types, which changes a type and makes
-some encoding stuff weird.  As a result, we get:
-
-gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe  -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing  -g -O0 -g -O0  -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/  -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr  -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
-In file included from /usr/local/include/nss/nss/cert.h:22,
-                 from efikeygen.c:39:
-efikeygen.c: In function 'add_cert_type':
-/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
-     (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
-     ^
-efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
-  unsigned char type = NS_CERT_TYPE_APP;
-                       ^~~~~~~~~~~~~~~~
-cc1: all warnings being treated as errors
-
-This is fixed by just making it an int.
-
-Fixes github issue #48.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
---
- src/efikeygen.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/efikeygen.c b/src/efikeygen.c
-index ede76ef..2cd953e 100644
--- a/src/efikeygen.c
-+++ b/src/efikeygen.c
-@@ -208,7 +208,7 @@ static int
- add_cert_type(cms_context *cms, void *extHandle, int is_ca)
- {
- 	SECItem bitStringValue;
-	unsigned char type = NS_CERT_TYPE_APP;
-+	int type = NS_CERT_TYPE_APP;
- 
- 	if (is_ca)
- 		type |= NS_CERT_TYPE_SSL_CA |
-- 
-2.22.0
-
--- a/pesign-fix-authvar-write-loop.patch
+++ b/pesign-fix-authvar-write-loop.patch
@ -12,32 +12,11 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 src/authvar_context.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

-diff --git a/src/authvar_context.c b/src/authvar_context.c
-index 7a753fc..c51c666 100644
--- a/src/authvar_context.c
-+++ b/src/authvar_context.c
-@@ -20,6 +20,7 @@
- #include "fix_coverity.h"
- 
- #include <unistd.h>
-+#include <stddef.h>
- #include <sys/mman.h>
- 
- #include <prerror.h>
-@@ -135,11 +136,7 @@ generate_descriptor(authvar_context *ctx)
- 	if (rc < 0)
- 		cmsreterr(-1, ctx->cms_ctx, "could not create signed data");
- 
-#if __WORDSIZE == 64
-	offset = (uint64_t) &((win_cert_uefi_guid_t *)0)->data;
-#else
-	offset = (uint32_t) &((win_cert_uefi_guid_t *)0)->data;
-#endif
-+	offset = offsetof(win_cert_uefi_guid_t, data);
- 	authinfo = calloc(offset + sd_der.len, 1);
- 	if (!authinfo)
- 		cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo");
-@@ -162,6 +159,7 @@ write_authvar(authvar_context *ctx)
+Index: pesign-115/src/authvar_context.c
+===================================================================
+--- pesign-115.orig/src/authvar_context.c
+++ pesign-115/src/authvar_context.c
+@@ -151,6 +151,7 @@ write_authvar(authvar_context *ctx)
 	void *buffer, *ptr;
 	size_t buf_len, des_len, remain;
 	ssize_t wlen;
@ -45,7 +24,7 @@ index 7a753fc..c51c666 100644
 
 	if (!ctx->authinfo)
 		cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar");
-@@ -189,19 +187,19 @@ write_authvar(authvar_context *ctx)
+@@ -179,19 +180,19 @@ write_authvar(authvar_context *ctx)
 	if (ctx->value_size > 0)
 		memcpy(ptr, ctx->value, ctx->value_size);
 
@ -69,6 +48,3 @@ index 7a753fc..c51c666 100644
 	} while (remain > 0);
 
         free(buffer);
-- 
-2.21.0
-
--- a/pesign-fix-cert-match-check.patch
+++ b/pesign-fix-cert-match-check.patch
@ -0,0 +1,29 @@
+From a6062702e9f0002b86759f6cd14da6d78de99f22 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu <luhuaxin1@huawei.com>
+Date: Fri, 11 Nov 2022 11:20:35 +0800
+Subject: [PATCH] cms_common: fix cert match check
+
+In find_certificate_by_callback(), the match() returns 1
+when cert subject is matched.
+
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+---
+ src/cms_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 24576f2..cf572ca 100644
+--- a/src/cms_common.c
+++ b/src/cms_common.c
+@@ -872,7 +872,7 @@ find_certificate_by_callback(cms_context *cms,
+ 			continue;
+ 
+ 		int rc = match(tmpnode->cert, cbdata);
+-		if (rc == 0) {
+		if (rc == 1) {
+ 			node = tmpnode;
+ 			break;
+ 		}
+-- 
+2.35.3
+
--- a/pesign-fix-efikeygen-segfault.patch
+++ b/pesign-fix-efikeygen-segfault.patch
@ -0,0 +1,29 @@
+From 227435af461f38fc4abeafe02884675ad4b1feb4 Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer <nfrayer@redhat.com>
+Date: Mon, 20 Feb 2023 15:26:20 +0100
+Subject: [PATCH] cms_common: Fixed Segmentation fault
+
+When running efikeygen, the binary crashes with a segfault due
+to dereferencing a **ptr instead of a *ptr.
+
+Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
+---
+ src/cms_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 44e5cca..4f4707b 100644
+--- a/src/cms_common.c
+++ b/src/cms_common.c
+@@ -957,7 +957,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
+ 	if (!ias)
+ 		cnreterr(-1, cms, "invalid issuer and serial number");
+ 
+-	return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
+	return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
+ }
+ 
+ int
+-- 
+2.35.3
+
--- a/pesign-privkey_unneeded.diff
+++ b/pesign-privkey_unneeded.diff
@ -1,81 +0,0 @@
---
- src/cms_common.c |   12 ++++++++++--
- src/cms_common.h |    1 +
- src/pesign.c     |    1 +
- 3 files changed, 12 insertions(+), 2 deletions(-)
-
-Index: pesign-113/src/cms_common.c
-===================================================================
--- pesign-113.orig/src/cms_common.c
-+++ pesign-113/src/cms_common.c
-@@ -282,6 +282,7 @@ struct cbdata {
- 	CERTCertificate *cert;
- 	PK11SlotListElement *psle;
- 	secuPWData *pwdata;
-+	int privkey_unneeded;
- };
- 
- static SECStatus
-@@ -293,6 +294,12 @@ is_valid_cert(CERTCertificate *cert, voi
- 	void *pwdata = cbdata->pwdata;
- 
- 	SECKEYPrivateKey *privkey = NULL;
-+
-+	if (cbdata->privkey_unneeded) {
-+		cbdata->cert = cert;
-+		return SECSuccess;
-+	}
-+
- 	privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
- 	if (privkey != NULL) {
- 		cbdata->cert = cert;
-@@ -423,7 +430,7 @@ find_certificate(cms_context *cms, int n
- 	}
- 
- 	SECStatus status;
-	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
-+	if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
- 		status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
- 		if (status != SECSuccess) {
- 			PK11_DestroySlotListElement(slots, &psle);
-@@ -452,6 +459,7 @@ find_certificate(cms_context *cms, int n
- 		.cert = NULL,
- 		.psle = psle,
- 		.pwdata = pwdata,
-+		.privkey_unneeded = cms->privkey_unneeded,
- 	};
- 
- 	if (needs_private_key) {
-@@ -572,7 +580,7 @@ find_named_certificate(cms_context *cms,
- 	}
- 
- 	SECStatus status;
-	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
-+	if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
- 		status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
- 		if (status != SECSuccess) {
- 			PK11_DestroySlotListElement(slots, &psle);
-Index: pesign-113/src/cms_common.h
-===================================================================
--- pesign-113.orig/src/cms_common.h
-+++ pesign-113/src/cms_common.h
-@@ -62,6 +62,7 @@ typedef int (*cms_common_logger)(struct
- typedef struct cms_context {
- 	PRArenaPool *arena;
- 	void *privkey;
-+	int privkey_unneeded;
- 
- 	char *tokenname;
- 	char *certname;
-Index: pesign-113/src/file_pe.c
-===================================================================
--- pesign-113.orig/src/file_pe.c
-+++ pesign-113/src/file_pe.c
-@@ -354,6 +354,7 @@ pe_handle_action(pesign_context *ctxp, i
- 		 */
- 		case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
- 			check_inputs(ctxp);
-+			ctxp->cms_ctx->privkey_unneeded = 1;
- 			rc = find_certificate(ctxp->cms_ctx, 0);
- 			if (rc < 0) {
- 				fprintf(stderr, "pesign: Could not find "
--- a/pesign-run.patch
+++ b/pesign-run.patch
@ -1,94 +0,0 @@
---
- src/Makefile        |    2 +-
- src/daemon.h        |    4 ++--
- src/macros.pesign   |    2 +-
- src/pesign.sysvinit |   14 +++++++-------
- src/tmpfiles.conf   |    2 +-
- 5 files changed, 12 insertions(+), 12 deletions(-)
-
-Index: pesign-113/src/Makefile
-===================================================================
--- pesign-113.orig/src/Makefile
-+++ pesign-113/src/Makefile
-@@ -73,7 +73,7 @@ install_sysvinit: pesign.sysvinit
- install :
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
-	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
-+	$(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
- 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
- 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
-Index: pesign-113/src/daemon.h
-===================================================================
--- pesign-113.orig/src/daemon.h
-+++ pesign-113/src/daemon.h
-@@ -49,8 +49,8 @@ typedef enum {
- } pesignd_cmd;
- 
- #define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH	"/var/run/pesign/socket"
-#define PIDFILE		"/var/run/pesign.pid"
-+#define SOCKPATH	"/run/pesign/socket"
-+#define PIDFILE		"/run/pesign.pid"
- 
- static inline uint32_t UNUSED
- pesignd_string_size(char *buffer)
-Index: pesign-113/src/macros.pesign
-===================================================================
--- pesign-113.orig/src/macros.pesign
-+++ pesign-113/src/macros.pesign
-@@ -52,7 +52,7 @@
-       getfacl /var/run/pesign 1>&2					\
-       getfacl /var/run/pesign/socket 1>&2				\
-       exit 1								\
-    elif [ -S /var/run/pesign/socket ]; then				\
-+    elif [ -S /run/pesign/socket ]; then				\
-       %{_pesign_client} -t %{__pesign_client_token}			\\\
-                         -c %{__pesign_client_cert}			\\\
-                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
-Index: pesign-113/src/tmpfiles.conf
-===================================================================
--- pesign-113.orig/src/tmpfiles.conf
-+++ pesign-113/src/tmpfiles.conf
-@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
-+D /run/pesign 0770 pesign pesign -
-Index: pesign-113/src/pesign.sysvinit.in
-===================================================================
--- pesign-113.orig/src/pesign.sysvinit.in
-+++ pesign-113/src/pesign.sysvinit.in
-@@ -4,7 +4,7 @@
- #
- # chkconfig: - 50 50
- # processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
-+# pidfile: /run/pesign.pid
- ### BEGIN INIT INFO 
- # Provides:          pesign
- # Should-Start:      $remote_fs
-Index: pesign-113/src/pesign.service.in
-===================================================================
--- pesign-113.orig/src/pesign.service.in
-+++ pesign-113/src/pesign.service.in
-@@ -4,6 +4,6 @@ Description=Pesign signing daemon
- [Service]
- PrivateTmp=true
- Type=forking
-PIDFile=/var/run/pesign.pid
-+PIDFile=/run/pesign.pid
- ExecStart=/usr/bin/pesign --daemonize
- ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
-Index: pesign-113/src/pesign-authorize
-===================================================================
--- pesign-113.orig/src/pesign-authorize
-+++ pesign-113/src/pesign-authorize
-@@ -47,7 +47,7 @@ update_subdir() {
- 	done
- }
- 
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
-+for x in /run/pesign/ /etc/pki/pesign*/ ; do
- 	if [ -d "${x}" ]; then
- 		update_subdir "${x}"
- 	else
--- a/pesign-skip-auth-on-friendly-slot.patch
+++ b/pesign-skip-auth-on-friendly-slot.patch
@ -0,0 +1,44 @@
+From 616ec5f25adbde1a4bd78cdcacd6dcd7ecfa5a5c Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Thu, 22 Dec 2022 13:49:34 +0800
+Subject: [PATCH] cms_common: skip authentication on the 'Friendly' slot
+
+When finding a certificate in a 'Friendly' slot without the need of the
+private key, it is not necessary to authenticate the slot.
+
+For example, when the signed attributes and the raw signature are
+created in a server and the user has the certificate, signkey.x509, and
+tries to import them into myapp.efi:
+
+  $ certutil -N -d nssdb -f passwd
+  $ certutil -A -d nssdb -f passwd -n signkey -t CT,CT,CT \
+      -i signkey.x509
+  $ pesign -n nssdb -c signkey -i myapp.efi -o myapp.efi.signed \
+      -d sha256 -I myapp.sattr -R myapp.sig
+
+Since the "signkey" is 'Friendly', i.e. publicly readable, and the
+private key is not needed, we can just skip the authentication and find
+"signkey" in the slot.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ src/cms_common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index cf572ca..44e5cca 100644
+--- a/src/cms_common.c
+++ b/src/cms_common.c
+@@ -628,7 +628,8 @@ find_certificate(cms_context *cms, int needs_private_key)
+ 
+ 	int errnum;
+ 	SECStatus status;
+-	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms)) {
+	if ((needs_private_key || !PK11_IsFriendly(psle->slot)) &&
+	    (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms))) {
+ 		status = PK11_Authenticate(psle->slot, PR_TRUE, cms);
+ 		if (status != SECSuccess) {
+ 			save_port_err() {
+-- 
+2.35.3
+
--- a/pesign-suse-build.patch
+++ b/pesign-suse-build.patch
@ -1,7 +1,7 @@
-Index: pesign-113/util/Makefile
+Index: pesign-116/util/Makefile
 ===================================================================
--- pesign-113.orig/util/Makefile
-+++ pesign-113/util/Makefile
+--- pesign-116.orig/util/Makefile
+++ pesign-116/util/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules
 include $(TOPDIR)/Make.defaults
 
@ -17,18 +17,18 @@ Index: pesign-113/util/Makefile
 install :
 -	$(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/
 -	$(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/
-+	$(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/
-+	$(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/
+	$(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/sles/
+	$(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/sles/
 
 install_systemd:
 
-Index: pesign-113/src/pesign.sysvinit.in
+Index: pesign-116/src/pesign.sysvinit.in
 ===================================================================
--- pesign-113.orig/src/pesign.sysvinit.in
-+++ pesign-113/src/pesign.sysvinit.in
+--- pesign-116.orig/src/pesign.sysvinit.in
+++ pesign-116/src/pesign.sysvinit.in
@@ -6,16 +6,19 @@
 # processname: /usr/bin/pesign
- # pidfile: /var/run/pesign.pid
+ # pidfile: @@RUNDIR@@pesign.pid
 ### BEGIN INIT INFO 
 -# Provides: pesign
 -# Default-Start:
@ -46,50 +46,28 @@ Index: pesign-113/src/pesign.sysvinit.in
 -. /etc/init.d/functions
 [ -f /usr/bin/pesign ] || exit 1
 
-+PESIGN_PIDFILE=/var/run/pesign.pid
+PESIGN_PIDFILE=@@RUNDIR@@pesign.pid
 RETVAL=0
 
 start(){
@@ -23,7 +26,7 @@ start(){
-     mkdir /var/run/pesign 2>/dev/null &&
-         chown pesign:pesign /var/run/pesign &&
-         chmod 0770 /var/run/pesign
+     mkdir @@RUNDIR@@pesign 2>/dev/null &&
+         chown pesign:pesign @@RUNDIR@@pesign &&
+         chmod 0770 @@RUNDIR@@pesign
 -    daemon /usr/bin/pesign --daemonize
 +    startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize
     RETVAL=$?
     echo
     touch /var/lock/subsys/pesign
-@@ -32,7 +35,7 @@ start(){
- 
- stop(){
-     echo -n "Stopping pesign: "
-    killproc -p /var/run/pesign.pid pesignd
-+    killproc -p /run/pesign.pid pesignd
-     RETVAL=$?
-     echo
-     rm -f /var/lock/subsys/pesign
-Index: pesign-113/Make.defaults
+Index: pesign-116/Makefile
 ===================================================================
--- pesign-113.orig/Make.defaults
-+++ pesign-113/Make.defaults
-@@ -61,7 +61,7 @@ CPPFLAGS ?=
- RANLIBFLAGS	:= $(if $(filter $(CC),gcc),-D)
- ARFLAGS := $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
- 
-LDLIBS	= $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
-+LDLIBS	= -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
- 
- ifeq ($(ARCH),ia64)
-   efi_cflags += -mfixed-range=f32-f127
-Index: pesign-113/Makefile
-===================================================================
--- pesign-113.orig/Makefile
-+++ pesign-113/Makefile
+--- pesign-116.orig/Makefile
+++ pesign-116/Makefile
@@ -11,7 +11,6 @@ SUBDIRS := include libdpe src
 
 install :
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
 -	$(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
- 	@set -e ; for x in $(SUBDIRS) ; do \
- 		$(MAKE) -C $$x $@ ; \
- 	done
+ 	@$(call descend)
+ 
+ install_systemd install_sysvinit : install
--- a/pesign.changes
+++ b/pesign.changes
@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Wed Feb 22 08:05:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update to 116
+  + daemon: remove always-true comparison
+  + pesum - add a new tool to the shed
+  + Fix building signed kernels on setups other than koji
+  + Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
+  + macros.pesign: handle centos like rhel with --rhelver
+  + Detect the presence of rpm-sign when checking for "rhel"-ness
+  + Fix typo in efikeygen command
+  + pesigcheck: Fix crash on digest match
+  + cms: store digest as pointer instead of index
+  + Fix mandoc invocation to not produce garbage
+  + Password fixes
+  + Re-work CMS's selected_digest again...
+  + src/certs/make-certs: delete the duplicate codes
+  + Free resources if certification cannot be found
+  + macros: drop %{_pesign_args}
+  + Fix two bugs from package building
+  + Fix bad free of cms data (DoS only)
+  + Send pesign stdout/err to systemd journal
+  + Add missing Install section
+  + Add default packages for pkg-config
+  + Short delay to ensure /run/pesign/socket exists
+  + Resolve crash when signature that is removed is not the end of
+    the list
+  + Enhance error diagnostics about version mismatch
+  + Upstream all Fedora changes
+  + Add some hardening options to build
+  + Add code of conduct
+  + Fix build on gcc 12 and non-Fedora
+- Add BuildRequires efivar-devel >= 38 for efisec.h
+  + efisiglist is replaced by efisecdb in efivar 38
+- Add BuildRequires mandoc to generate the manpages
+- Replace pesign-privkey_unneeded.diff with
+  pesign-skip-auth-on-friendly-slot.patch to avoid the unnecessary
+  authentication
+- Add pesign-fix-cert-match-check.patch to fix the subject name
+  matching
+- Add pesign-fix-efikeygen-segfault.patch to fix the potential
+  crash when executing efikeygen
+- Add pesign-bsc1202933-Remove-pesign-authorize.patch to remove
+  pesign-authorize completely (bsc#1202933)
+- Refresh patches
+  + harden_pesign.service.patch
+  + pesign-boo1143063-remove-var-tracking.patch
+  + pesign-boo1185663-set-rpmmacrodir.patch
+  + pesign-fix-authvar-write-loop.patch
+  + pesign-suse-build.patch
+  + pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
+- Remove upstreamed/unnecessary patches
+  + pesign-boo1158197-fix-pesigncheck-gcc10.patch
+  + pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
+  + pesign-run.patch
+  + pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
+
 -------------------------------------------------------------------
 Tue Feb  7 07:37:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>

--- a/pesign.spec
+++ b/pesign.spec
@ -17,7 +17,7 @@


 Name:           pesign
-Version:        113
+Version:        116
 Release:        0
 Summary:        Signing tool for PE-COFF binaries
 License:        GPL-3.0-or-later
@ -27,25 +27,21 @@ Source:         https://github.com/rhinstaller/pesign/releases/download/%{versio
 Source1:        pesign.sysusers
 # PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
 Patch1:         pesign-suse-build.patch
-# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature
-Patch2:         pesign-privkey_unneeded.diff
-# PATCH-FIX-SUSE pesign-run.patch aj@suse.com - Use /run instead of /var/run
-Patch3:         pesign-run.patch
+Patch2:         pesign-skip-auth-on-friendly-slot.patch
 # PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar
-Patch4:         pesign-fix-authvar-write-loop.patch
-# PATCH-FIX-UPSTREAM pesign-efikeygen-Fix-the-build-with-nss-3.44.patch glin@suse.com -- Fix the NSS 3.44 compilation error
-Patch5:         pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
+Patch3:         pesign-fix-authvar-write-loop.patch
 # PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS
-Patch6:         pesign-boo1143063-remove-var-tracking.patch
-# PATCH-FIX-UPSTREAM pesign-boo1158197-fix-pesigncheck-gcc10.patch glin@suse.com -- boo#1158197 Fix the gcc10 errors
-Patch7:         pesign-boo1158197-fix-pesigncheck-gcc10.patch
+Patch4:         pesign-boo1143063-remove-var-tracking.patch
 # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
-Patch8:         pesign-boo1185663-set-rpmmacrodir.patch
-Patch9:         harden_pesign.service.patch
-Patch10:        pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
-Patch11:        pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
-BuildRequires:  efivar-devel
+Patch5:         pesign-boo1185663-set-rpmmacrodir.patch
+Patch6:         harden_pesign.service.patch
+Patch7:         pesign-bsc1202933-Remove-pesign-authorize.patch
+Patch8:         pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
+Patch9:         pesign-fix-cert-match-check.patch
+Patch10:        pesign-fix-efikeygen-segfault.patch
+BuildRequires:  efivar-devel >= 38
 BuildRequires:  libuuid-devel
+BuildRequires:  mandoc
 BuildRequires:  mozilla-nss-devel
 BuildRequires:  pkg-config
 BuildRequires:  popt-devel
@ -71,10 +67,10 @@ with the PE and Authenticode specifications.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
-%patch11 -p1

 %build
 %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf
+export CPPFLAGS="%{optflags} -D_GLIBCXX_ASSERTIONS"
 make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir}

 %install
@ -115,22 +111,21 @@ systemd-tmpfiles --create %{_tmpfilesdir}/pesign.conf || :
 %{_bindir}/pesign-client
 %{_bindir}/efikeygen
 %{_bindir}/pesigcheck
-%{_bindir}/efisiglist
 %{_bindir}/authvar
+%{_bindir}/pesum
 %{_sbindir}/rcpesign
 %dir %{_sysconfdir}/pesign
 %{_sysconfdir}/pesign/*
 %dir %{_sysconfdir}/popt.d
 %config %{_sysconfdir}/popt.d/pesign.popt
-%{_sysconfdir}/pki/
 %{_rpmmacrodir}/macros.pesign
 %{_mandir}/man?/*
-%{_localstatedir}/lib/pesign
 %{_unitdir}/pesign.service
 %{_sysusersdir}/pesign.conf
 %{_tmpfilesdir}/pesign.conf
 %dir %{_libexecdir}/pesign
-%{_libexecdir}/pesign/pesign-authorize
+%{_libexecdir}/pesign/pesign-rpmbuild-helper
+%dir %{_sysconfdir}/pki/
 %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign
 %ghost %dir %attr(0770,pesign,pesign) /run/%{name}
 %dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name}