Revert the testing 115 change

OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=67
Gary Ching-Pang Lin 2022-12-02 08:34:18 +00:00 committed by Git OBS Bridge
parent 2a0da6d5f1
commit 9d2a16ba0d
13 changed files with 370 additions and 97 deletions


@ -1,7 +1,7 @@
Index: pesign-115/src/pesign.service.in Index: pesign-113/src/pesign.service.in
=================================================================== ===================================================================
--- pesign-115.orig/src/pesign.service.in --- pesign-113.orig/src/pesign.service.in
+++ pesign-115/src/pesign.service.in +++ pesign-113/src/pesign.service.in
@@ -3,6 +3,19 @@ Description=Pesign signing daemon @@ -3,6 +3,19 @@ Description=Pesign signing daemon
[Service] [Service]
@ -19,6 +19,6 @@ Index: pesign-115/src/pesign.service.in
+ProtectControlGroups=true +ProtectControlGroups=true
+RestrictRealtime=true +RestrictRealtime=true
+# end of automatic additions +# end of automatic additions
PIDFile=@@RUNDIR@@/pesign.pid Type=forking
ExecStart=/usr/bin/pesign --daemonize --nofork PIDFile=/run/pesign.pid
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize ExecStart=/usr/bin/pesign --daemonize

3
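--- a/pesign-113.tar.bz2
+++ b/pesign-113.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0dfb14e6f79288b7983344b88b14f83b0267c002f563e38171f935af107d0132
+size 103471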


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ac1ef561b82de175f2a876944d3a806384b34d3e6c58a037cf7a611f41ccf07e
size 119564


@ -1,8 +1,8 @@
Index: pesign-115/Make.defaults diff --git a/Make.defaults b/Make.defaults
=================================================================== index 7892d73..2d18005 100644
--- pesign-115.orig/Make.defaults --- a/Make.defaults
+++ pesign-115/Make.defaults +++ b/Make.defaults
@@ -69,7 +69,7 @@ cflags = $(CFLAGS) $(ARCH3264) \ @@ -47,7 +47,7 @@ cflags = $(CFLAGS) $(ARCH3264) \
$(call pkg-config-cflags) $(call pkg-config-cflags)
clang_ccldflags = clang_ccldflags =
gcc_ccldflags = -fno-merge-constants \ gcc_ccldflags = -fno-merge-constants \
@ -10,4 +10,4 @@ Index: pesign-115/Make.defaults
+ -fvar-tracking-assignments -fkeep-inline-functions \ + -fvar-tracking-assignments -fkeep-inline-functions \
-Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \ -Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \
-Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \ -Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \
-Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -pie -Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed
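Review bot: The revert leaves the link flags without `-pie`: on the 113 side the `gcc_ccldflags` context ends at `--as-needed`, while the 115 side ended in `--as-needed -pie`. The same loss shows in the later section that patches Make.defaults next to util/Makefile, where the context goes from `CPPFLAGS ?= -D_FORTIFY_SOURCE=2` to an empty `CPPFLAGS ?=`. For a daemon that handles signing keys I would confirm that the %build section (outside the visible hunks) passes the distribution's hardening flags. Otherwise a small patch could keep `-pie` and `-D_FORTIFY_SOURCE=2` on the 113 base.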


@ -0,0 +1,39 @@
From b0b740f38da6d4584417d65a7c97fd4faf982cf6 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 4 Dec 2019 10:28:28 +0800
Subject: [PATCH] pesigcheck: remove superfluous type settings
When setting the type of reason in check_signature(), the type was
accidentally set as "siBuffer". Since the type is already set as
"SIGNATURE", we only need to remove those two lines of code.
Fixes: https://github.com/rhboot/pesign/issues/55
Signed-off-by: Gary Lin <glin@suse.com>
---
src/pesigcheck.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 524cce3..d197c30 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -318,7 +318,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
nreason += 1;
is_invalid = true;
}
@@ -330,7 +329,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
nreason += 1;
has_valid_cert = true;
}
--
2.24.0


@ -1,27 +1,27 @@
Index: pesign-115/Make.defaults diff --git a/Make.defaults b/Make.defaults
=================================================================== index 2d18005..7ecba00 100644
--- pesign-115.orig/Make.defaults --- a/Make.defaults
+++ pesign-115/Make.defaults +++ b/Make.defaults
@@ -13,6 +13,7 @@ rundir ?= /run/ @@ -11,6 +11,7 @@ includedir ?= $(prefix)include/
rundir := $(abspath $(rundir))/ bindir ?= $(prefix)bin/
pcdir ?= $(libdir)pkgconfig/ pcdir ?= $(libdir)pkgconfig/
docdir ?= $(prefix)share/doc/ docdir ?= $(prefix)share/doc/
+rpmmacrodir ?= /etc/rpm/ +rpmmacrodir ?= /etc/rpm/
DESTDIR ?= DESTDIR ?=
INSTALLROOT = $(DESTDIR) INSTALLROOT = $(DESTDIR)
Index: pesign-115/src/Makefile diff --git a/src/Makefile b/src/Makefile
=================================================================== index 5fb2841..ca546a3 100644
--- pesign-115.orig/src/Makefile --- a/src/Makefile
+++ pesign-115/src/Makefile +++ b/src/Makefile
@@ -88,8 +88,8 @@ install : @@ -90,8 +90,8 @@ install :
$(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/ $(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)$(mandir)man1/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(mandir)man1/ $(INSTALL) -m 644 authvar.1 $(INSTALLROOT)$(mandir)man1/
$(INSTALL) -m 644 $(MAN1TARGETS) $(INSTALLROOT)$(mandir)man1/ $(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/
- $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
- $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir) + $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
+ $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir) + $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign


@ -0,0 +1,45 @@
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
NSS 3.44 adds some certificate types, which changes a type and makes
some encoding stuff weird. As a result, we get:
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
In file included from /usr/local/include/nss/nss/cert.h:22,
from efikeygen.c:39:
efikeygen.c: In function 'add_cert_type':
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
^
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
unsigned char type = NS_CERT_TYPE_APP;
^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index ede76ef..2cd953e 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -208,7 +208,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
- unsigned char type = NS_CERT_TYPE_APP;
+ int type = NS_CERT_TYPE_APP;
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
--
2.22.0
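Review bot: Widening `type` to `int` in add_cert_type() clears the -Werror=overflow failure, but the declaration sits directly under `SECItem bitStringValue;` and the rest of the function is outside the hunk. If `type` is later handed to that SECItem by address and `sizeof`, the encoded certificate-type bit string would grow from one byte to `sizeof(int)` and its byte layout would depend on host endianness. I would confirm how `bitStringValue.data` and `.len` are filled and record the reasoning on the declaration, for example `/* int: NS_CERT_TYPE_APP no longer fits in 8 bits with NSS 3.44; the SECItem length below must match the intended encoding */`.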


@ -12,11 +12,32 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
src/authvar_context.c | 16 +++++++--------- src/authvar_context.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-) 1 file changed, 7 insertions(+), 9 deletions(-)
Index: pesign-115/src/authvar_context.c diff --git a/src/authvar_context.c b/src/authvar_context.c
=================================================================== index 7a753fc..c51c666 100644
--- pesign-115.orig/src/authvar_context.c --- a/src/authvar_context.c
+++ pesign-115/src/authvar_context.c +++ b/src/authvar_context.c
@@ -151,6 +151,7 @@ write_authvar(authvar_context *ctx) @@ -20,6 +20,7 @@
#include "fix_coverity.h"
#include <unistd.h>
+#include <stddef.h>
#include <sys/mman.h>
#include <prerror.h>
@@ -135,11 +136,7 @@ generate_descriptor(authvar_context *ctx)
if (rc < 0)
cmsreterr(-1, ctx->cms_ctx, "could not create signed data");
-#if __WORDSIZE == 64
- offset = (uint64_t) &((win_cert_uefi_guid_t *)0)->data;
-#else
- offset = (uint32_t) &((win_cert_uefi_guid_t *)0)->data;
-#endif
+ offset = offsetof(win_cert_uefi_guid_t, data);
authinfo = calloc(offset + sd_der.len, 1);
if (!authinfo)
cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo");
@@ -162,6 +159,7 @@ write_authvar(authvar_context *ctx)
void *buffer, *ptr; void *buffer, *ptr;
size_t buf_len, des_len, remain; size_t buf_len, des_len, remain;
ssize_t wlen; ssize_t wlen;
@ -24,7 +45,7 @@ Index: pesign-115/src/authvar_context.c
if (!ctx->authinfo) if (!ctx->authinfo)
cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar"); cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar");
@@ -179,19 +180,19 @@ write_authvar(authvar_context *ctx) @@ -189,19 +187,19 @@ write_authvar(authvar_context *ctx)
if (ctx->value_size > 0) if (ctx->value_size > 0)
memcpy(ptr, ctx->value, ctx->value_size); memcpy(ptr, ctx->value, ctx->value_size);
@ -48,3 +69,6 @@ Index: pesign-115/src/authvar_context.c
} while (remain > 0); } while (remain > 0);
free(buffer); free(buffer);
--
2.21.0


@ -0,0 +1,81 @@
---
src/cms_common.c | 12 ++++++++++--
src/cms_common.h | 1 +
src/pesign.c | 1 +
3 files changed, 12 insertions(+), 2 deletions(-)
Index: pesign-113/src/cms_common.c
===================================================================
--- pesign-113.orig/src/cms_common.c
+++ pesign-113/src/cms_common.c
@@ -282,6 +282,7 @@ struct cbdata {
CERTCertificate *cert;
PK11SlotListElement *psle;
secuPWData *pwdata;
+ int privkey_unneeded;
};
static SECStatus
@@ -293,6 +294,12 @@ is_valid_cert(CERTCertificate *cert, voi
void *pwdata = cbdata->pwdata;
SECKEYPrivateKey *privkey = NULL;
+
+ if (cbdata->privkey_unneeded) {
+ cbdata->cert = cert;
+ return SECSuccess;
+ }
+
privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
if (privkey != NULL) {
cbdata->cert = cert;
@@ -423,7 +430,7 @@ find_certificate(cms_context *cms, int n
}
SECStatus status;
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
if (status != SECSuccess) {
PK11_DestroySlotListElement(slots, &psle);
@@ -452,6 +459,7 @@ find_certificate(cms_context *cms, int n
.cert = NULL,
.psle = psle,
.pwdata = pwdata,
+ .privkey_unneeded = cms->privkey_unneeded,
};
if (needs_private_key) {
@@ -572,7 +580,7 @@ find_named_certificate(cms_context *cms,
}
SECStatus status;
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
if (status != SECSuccess) {
PK11_DestroySlotListElement(slots, &psle);
Index: pesign-113/src/cms_common.h
===================================================================
--- pesign-113.orig/src/cms_common.h
+++ pesign-113/src/cms_common.h
@@ -62,6 +62,7 @@ typedef int (*cms_common_logger)(struct
typedef struct cms_context {
PRArenaPool *arena;
void *privkey;
+ int privkey_unneeded;
char *tokenname;
char *certname;
Index: pesign-113/src/file_pe.c
===================================================================
--- pesign-113.orig/src/file_pe.c
+++ pesign-113/src/file_pe.c
@@ -354,6 +354,7 @@ pe_handle_action(pesign_context *ctxp, i
*/
case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
check_inputs(ctxp);
+ ctxp->cms_ctx->privkey_unneeded = 1;
rc = find_certificate(ctxp->cms_ctx, 0);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
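Review bot: `ctxp->cms_ctx->privkey_unneeded = 1;` in the IMPORT_RAW_SIGNATURE|IMPORT_SATTRS case is never cleared in the visible hunks, so the relaxation stays on the context after this action. While it is set, find_certificate() and find_named_certificate() skip `PK11_Authenticate`, and is_valid_cert() returns SECSuccess for the certificate it is handed without the `PK11_FindPrivateKeyFromCert` check. If the same cms_context is reused for a later lookup that does need the key, that lookup would inherit the relaxed path. Resetting the flag right after the call, `ctxp->cms_ctx->privkey_unneeded = 0;`, or passing it as an argument would keep the exemption scoped to this one action. The patch header's diffstat also lists src/pesign.c although the hunk patches src/file_pe.c, and pe_handle_action() continues outside the hunk.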

94
pesign-run.patch Normal file

@ -0,0 +1,94 @@
---
src/Makefile | 2 +-
src/daemon.h | 4 ++--
src/macros.pesign | 2 +-
src/pesign.sysvinit | 14 +++++++-------
src/tmpfiles.conf | 2 +-
5 files changed, 12 insertions(+), 12 deletions(-)
Index: pesign-113/src/Makefile
===================================================================
--- pesign-113.orig/src/Makefile
+++ pesign-113/src/Makefile
@@ -73,7 +73,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
Index: pesign-113/src/daemon.h
===================================================================
--- pesign-113.orig/src/daemon.h
+++ pesign-113/src/daemon.h
@@ -49,8 +49,8 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
static inline uint32_t UNUSED
pesignd_string_size(char *buffer)
Index: pesign-113/src/macros.pesign
===================================================================
--- pesign-113.orig/src/macros.pesign
+++ pesign-113/src/macros.pesign
@@ -52,7 +52,7 @@
getfacl /var/run/pesign 1>&2 \
getfacl /var/run/pesign/socket 1>&2 \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
Index: pesign-113/src/tmpfiles.conf
===================================================================
--- pesign-113.orig/src/tmpfiles.conf
+++ pesign-113/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
Index: pesign-113/src/pesign.sysvinit.in
===================================================================
--- pesign-113.orig/src/pesign.sysvinit.in
+++ pesign-113/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Should-Start: $remote_fs
Index: pesign-113/src/pesign.service.in
===================================================================
--- pesign-113.orig/src/pesign.service.in
+++ pesign-113/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
Index: pesign-113/src/pesign-authorize
===================================================================
--- pesign-113.orig/src/pesign-authorize
+++ pesign-113/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else
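Review bot: The macros.pesign hunk moves only the `[ -S /run/pesign/socket ]` test to /run, while the `getfacl /var/run/pesign` and `getfacl /var/run/pesign/socket` lines directly above it still use the old path. The macro's diagnostics and its socket test therefore name different paths and agree only while /var/run resolves to /run. I would convert the remaining /var/run references in that macro in the same hunk, e.g. `getfacl /run/pesign 1>&2 \`. The diffstat in the patch header is also stale: it lists src/pesign.sysvinit with 14 changes, but the pesign.sysvinit.in hunk changes one comment line, and the pesign.service.in and pesign-authorize hunks are not listed.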


@ -1,7 +1,7 @@
Index: pesign-115/util/Makefile Index: pesign-113/util/Makefile
=================================================================== ===================================================================
--- pesign-115.orig/util/Makefile --- pesign-113.orig/util/Makefile
+++ pesign-115/util/Makefile +++ pesign-113/util/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules @@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules
include $(TOPDIR)/Make.defaults include $(TOPDIR)/Make.defaults
@ -17,18 +17,18 @@ Index: pesign-115/util/Makefile
install : install :
- $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/ - $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/
- $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/ - $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/sles/ + $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/
+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/sles/ + $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/
install_systemd: install_systemd:
Index: pesign-115/src/pesign.sysvinit.in Index: pesign-113/src/pesign.sysvinit.in
=================================================================== ===================================================================
--- pesign-115.orig/src/pesign.sysvinit.in --- pesign-113.orig/src/pesign.sysvinit.in
+++ pesign-115/src/pesign.sysvinit.in +++ pesign-113/src/pesign.sysvinit.in
@@ -6,16 +6,19 @@ @@ -6,16 +6,19 @@
# processname: /usr/bin/pesign # processname: /usr/bin/pesign
# pidfile: @@RUNDIR@@pesign.pid # pidfile: /var/run/pesign.pid
### BEGIN INIT INFO ### BEGIN INIT INFO
-# Provides: pesign -# Provides: pesign
-# Default-Start: -# Default-Start:
@ -46,41 +46,50 @@ Index: pesign-115/src/pesign.sysvinit.in
-. /etc/init.d/functions -. /etc/init.d/functions
[ -f /usr/bin/pesign ] || exit 1 [ -f /usr/bin/pesign ] || exit 1
+PESIGN_PIDFILE=@@RUNDIR@@pesign.pid +PESIGN_PIDFILE=/var/run/pesign.pid
RETVAL=0 RETVAL=0
start(){ start(){
@@ -23,7 +26,7 @@ start(){ @@ -23,7 +26,7 @@ start(){
mkdir @@RUNDIR@@pesign 2>/dev/null && mkdir /var/run/pesign 2>/dev/null &&
chown pesign:pesign @@RUNDIR@@pesign && chown pesign:pesign /var/run/pesign &&
chmod 0770 @@RUNDIR@@pesign chmod 0770 /var/run/pesign
- daemon /usr/bin/pesign --daemonize - daemon /usr/bin/pesign --daemonize
+ startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize + startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize
RETVAL=$? RETVAL=$?
echo echo
touch /var/lock/subsys/pesign touch /var/lock/subsys/pesign
Index: pesign-115/Make.defaults @@ -32,7 +35,7 @@ start(){
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
Index: pesign-113/Make.defaults
=================================================================== ===================================================================
--- pesign-115.orig/Make.defaults --- pesign-113.orig/Make.defaults
+++ pesign-115/Make.defaults +++ pesign-113/Make.defaults
@@ -83,7 +83,7 @@ CPPFLAGS ?= -D_FORTIFY_SOURCE=2 @@ -61,7 +61,7 @@ CPPFLAGS ?=
RANLIBFLAGS ?= $(if $(filter $(CC),gcc),-D) RANLIBFLAGS := $(if $(filter $(CC),gcc),-D)
ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs) ARFLAGS := $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
-LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) -LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
+LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) +LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
ifeq ($(ARCH),ia64) ifeq ($(ARCH),ia64)
efi_cflags += -mfixed-range=f32-f127 efi_cflags += -mfixed-range=f32-f127
Index: pesign-115/Makefile Index: pesign-113/Makefile
=================================================================== ===================================================================
--- pesign-115.orig/Makefile --- pesign-113.orig/Makefile
+++ pesign-115/Makefile +++ pesign-113/Makefile
@@ -11,7 +11,6 @@ SUBDIRS := include libdpe src @@ -11,7 +11,6 @@ SUBDIRS := include libdpe src
install : install :
$(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ $(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
- $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ - $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
@$(call descend) @set -e ; for x in $(SUBDIRS) ; do \
$(MAKE) -C $$x $@ ; \
install_systemd install_sysvinit : install done
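Review bot: The init script names the pidfile two different ways on the 113 side: start() runs `startproc -f -p "$PESIGN_PIDFILE"` with `PESIGN_PIDFILE=/var/run/pesign.pid`, but the added stop() hunk hard-codes `killproc -p /run/pesign.pid pesignd`. Using the variable in both places, `killproc -p "$PESIGN_PIDFILE" pesignd`, ties start and stop to one path and leaves a single line to edit when the location changes. The start() context also still creates and chowns `/var/run/pesign`, while pesign-run.patch in this same commit moves the socket directory to `/run/pesign`, so the two patches should be aligned on one location.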


@ -1,33 +1,3 @@
-------------------------------------------------------------------
Fri Dec 2 08:20:44 UTC 2022 - Gary Ching-Pang Lin <glin@suse.com>
- Update to 115
+ macros: drop %{_pesign_args}
+ Fix two bugs from package building
+ Fix bad free of cms data (DoS only)
+ Send pesign stdout/err to systemd journal
+ Add missing Install section
+ Add default packages for pkg-config
+ Short delay to ensure /run/pesign/socket exists
+ Resolve crash when signature that is removed is not the end of
the list
+ Enhance error diagnostics about version mismatch
+ Upstream all Fedora changes
+ Add some hardening options to build
+ Add code of conduct
+ Fix build on gcc 12 and non-Fedora
- Refresh patches
+ harden_pesign.service.patch
+ pesign-boo1143063-remove-var-tracking.patch
+ pesign-boo1185663-set-rpmmacrodir.patch
+ pesign-fix-authvar-write-loop.patch
+ pesign-suse-build.patch
- Remove upstreamed/unnecessary patches
+ pesign-boo1158197-fix-pesigncheck-gcc10.patch
+ pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
+ pesign-privkey_unneeded.diff
+ pesign-run.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Nov 11 10:54:08 UTC 2021 - Andreas Schwab <schwab@suse.de> Sun Nov 11 10:54:08 UTC 2021 - Andreas Schwab <schwab@suse.de>
@ -107,7 +77,6 @@ Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
+ Various documentation improvements. + Various documentation improvements.
+ Improve /etc/pki/pesign authorization scripts + Improve /etc/pki/pesign authorization scripts
+ Various pesigcheck improvements + Various pesigcheck improvements
+ Fix wrong oid offsets (bsc#1205323)
- Refresh patches - Refresh patches
+ pesign-suse-build.patch + pesign-suse-build.patch
+ pesign-privkey_unneeded.diff + pesign-privkey_unneeded.diff


@ -17,7 +17,7 @@
Name: pesign Name: pesign
Version: 115 Version: 113
Release: 0 Release: 0
Summary: Signing tool for PE-COFF binaries Summary: Signing tool for PE-COFF binaries
License: GPL-3.0-or-later License: GPL-3.0-or-later
@ -27,13 +27,21 @@ Source: https://github.com/rhinstaller/pesign/releases/download/%{versio
Source1: pesign.sysusers Source1: pesign.sysusers
# PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service # PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
Patch1: pesign-suse-build.patch Patch1: pesign-suse-build.patch
# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature
Patch2: pesign-privkey_unneeded.diff
# PATCH-FIX-SUSE pesign-run.patch aj@suse.com - Use /run instead of /var/run
Patch3: pesign-run.patch
# PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar # PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar
Patch2: pesign-fix-authvar-write-loop.patch Patch4: pesign-fix-authvar-write-loop.patch
# PATCH-FIX-UPSTREAM pesign-efikeygen-Fix-the-build-with-nss-3.44.patch glin@suse.com -- Fix the NSS 3.44 compilation error
Patch5: pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
# PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS # PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS
Patch3: pesign-boo1143063-remove-var-tracking.patch Patch6: pesign-boo1143063-remove-var-tracking.patch
# PATCH-FIX-UPSTREAM pesign-boo1158197-fix-pesigncheck-gcc10.patch glin@suse.com -- boo#1158197 Fix the gcc10 errors
Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch
# PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
Patch4: pesign-boo1185663-set-rpmmacrodir.patch Patch8: pesign-boo1185663-set-rpmmacrodir.patch
Patch5: harden_pesign.service.patch Patch9: harden_pesign.service.patch
BuildRequires: efivar-devel BuildRequires: efivar-devel
BuildRequires: libuuid-devel BuildRequires: libuuid-devel
BuildRequires: mozilla-nss-devel BuildRequires: mozilla-nss-devel
@ -56,6 +64,10 @@ with the PE and Authenticode specifications.
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build %build
%sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf