From 00bb6286581dcfbfa0233ed2b25ef4789ce8d127a1cba87998e0c6e7872c05f1 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 6 Jun 2018 04:32:27 +0000 Subject: [PATCH] Accepting request 614417 from home:gary_lin:branches:Base:System Switch to tarball release OBS-URL: https://build.opensuse.org/request/show/614417 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=58 --- _service | 79 --- _service:extract_file:debian.changelog | 5 - _service:extract_file:debian.compat | 1 - _service:extract_file:debian.control | 22 - _service:extract_file:debian.copyright | 47 -- ...ice:extract_file:debian.dh-signobs.install | 2 - _service:extract_file:debian.dh-signobs.links | 6 - ...ce:extract_file:debian.dh-signobs.manpages | 1 - _service:extract_file:debian.docs | 1 - ...file:debian.pesign-obs-integration.install | 7 - _service:extract_file:debian.rules | 28 - ...ress:tar_scm:pesign-obs-integration.tar.gz | 3 - _service:tar_scm:COPYING | 339 ------------ _service:tar_scm:README | 38 -- _service:tar_scm:brp-99-compress-vmlinux | 21 - _service:tar_scm:brp-99-pesign | 121 ----- _service:tar_scm:gen-hmac | 23 - _service:tar_scm:kernel-sign-file | 510 ------------------ _service:tar_scm:modsign-repackage | 172 ------ _service:tar_scm:pesign-gen-repackage-spec | 496 ----------------- _service:tar_scm:pesign-repackage.spec.in | 160 ------ ....changes => pesign-obs-integration.changes | 5 + pesign-obs-integration.dsc | 6 +- ...ration.spec => pesign-obs-integration.spec | 19 +- pesign-obs-integration_10.0.tar.gz | 3 + 25 files changed, 16 insertions(+), 2099 deletions(-) delete mode 100644 _service delete mode 100644 _service:extract_file:debian.changelog delete mode 100644 _service:extract_file:debian.compat delete mode 100644 _service:extract_file:debian.control delete mode 100644 _service:extract_file:debian.copyright delete mode 100644 _service:extract_file:debian.dh-signobs.install delete mode 100644 _service:extract_file:debian.dh-signobs.links delete mode 100644 _service:extract_file:debian.dh-signobs.manpages delete mode 100644 _service:extract_file:debian.docs delete mode 100644 _service:extract_file:debian.pesign-obs-integration.install delete mode 100644 _service:extract_file:debian.rules delete mode 100644 _service:recompress:tar_scm:pesign-obs-integration.tar.gz delete mode 100644 _service:tar_scm:COPYING delete mode 100644 _service:tar_scm:README delete mode 100644 _service:tar_scm:brp-99-compress-vmlinux delete mode 100644 _service:tar_scm:brp-99-pesign delete mode 100644 _service:tar_scm:gen-hmac delete mode 100644 _service:tar_scm:kernel-sign-file delete mode 100644 _service:tar_scm:modsign-repackage delete mode 100644 _service:tar_scm:pesign-gen-repackage-spec delete mode 100644 _service:tar_scm:pesign-repackage.spec.in rename _service:tar_scm:pesign-obs-integration.changes => pesign-obs-integration.changes (98%) rename _service:tar_scm:pesign-obs-integration.spec => pesign-obs-integration.spec (85%) create mode 100644 pesign-obs-integration_10.0.tar.gz diff --git a/_service b/_service deleted file mode 100644 index 9eccebb..0000000 --- a/_service +++ /dev/null @@ -1,79 +0,0 @@ - - - git://github.com/opensuse/pesign-obs-integration.git - git - _none_ - .git - disable - pesign-obs-integration - pesign-obs-integration.changes - pesign-obs-integration.spec - brp-99-compress-vmlinux - brp-99-pesign - COPYING - gen-hmac - kernel-sign-file - modsign-repackage - pesign-gen-repackage-spec - pesign-obs-integration.changes - pesign-obs-integration.spec - pesign-repackage.spec.in - README - - - - *.tar - */debian/changelog - debian.changelog - - - *.tar - */debian/compat - debian.compat - - - *.tar - */debian/control - debian.control - - - *.tar - */debian/copyright - debian.copyright - - - *.tar - */debian/rules - debian.rules - - - *.tar - */debian/docs - debian.docs - - - *.tar - */debian/pesign-obs-integration.install - debian.pesign-obs-integration.install - - - *.tar - */debian/dh-signobs.manpages - debian.dh-signobs.manpages - - - *.tar - */debian/dh-signobs.install - debian.dh-signobs.install - - - *.tar - */debian/dh-signobs.links - debian.dh-signobs.links - - - - *.tar - gz - - diff --git a/_service:extract_file:debian.changelog b/_service:extract_file:debian.changelog deleted file mode 100644 index 9f79845..0000000 --- a/_service:extract_file:debian.changelog +++ /dev/null @@ -1,5 +0,0 @@ -pesign-obs-integration (10.0) unstable; urgency=medium - - * Initial Debian packaging. - - -- Michal Marek Tue, 31 Oct 2017 17:44:08 +0000 diff --git a/_service:extract_file:debian.compat b/_service:extract_file:debian.compat deleted file mode 100644 index 79115bb..0000000 --- a/_service:extract_file:debian.compat +++ /dev/null @@ -1 +0,0 @@ -7 diff --git a/_service:extract_file:debian.control b/_service:extract_file:debian.control deleted file mode 100644 index b91dc88..0000000 --- a/_service:extract_file:debian.control +++ /dev/null @@ -1,22 +0,0 @@ -Source: pesign-obs-integration -Section: devel -Priority: optional -Maintainer: Michal Marek -Build-Depends: debhelper (>= 7), openssl, shellcheck -Standards-Version: 3.9.8 - -Package: pesign-obs-integration -Architecture: all -Depends: ${perl:Depends}, ${misc:Depends}, libnss3-tools, openssl, pesign -Description: Automate signing EFI binaries and kernel modules on OBS - This package provides scripts and rpm macros to automate signing of the - boot loader, kernel and kernel modules in the openSUSE Buildservice. - -Package: dh-signobs -Architecture: all -Enhances: debhelper -Depends: ${misc:Depends}, debhelper, cpio, libnss3-tools, jq, pesign, - pesign-obs-integration, openssl -Description: Debian Helper for EFI signing on OBS - Adds a helper sequence to dh to send EFI signatures to OBS and to - re-package them using the templates. diff --git a/_service:extract_file:debian.copyright b/_service:extract_file:debian.copyright deleted file mode 100644 index 3f69718..0000000 --- a/_service:extract_file:debian.copyright +++ /dev/null @@ -1,47 +0,0 @@ -Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ -Source: https://github.com/openSUSE/pesign-obs-integration - -Files: * -Copyright: 2013-2017 SUSE LINUX Products GmbH -License: GPL-2 - This package is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License version 2 as - published by the Free Software Foundation. - . - This package is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - . - You should have received a copy of the GNU General Public License - along with this package; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - . - On Debian systems, the complete text of the GNU General Public - License version 2 can be found in `/usr/share/common-licenses/GPL-2'. - -Files: dh_signobs - signobs.pm - debian/* -Copyright: 2018 Luca Boccassi -License: GPL-2+ - This program is free software; you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation; either - version 2 of the License, or (at your option) any later - version. - . - This program is distributed in the hope that it will be - useful, but WITHOUT ANY WARRANTY; without even the implied - warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR - PURPOSE. See the GNU General Public License for more - details. - . - You should have received a copy of the GNU General Public - License along with this package; if not, write to the Free - Software Foundation, Inc., 51 Franklin St, Fifth Floor, - Boston, MA 02110-1301 USA - . - On Debian systems, the full text of the GNU General Public - License version 2 can be found in the file - `/usr/share/common-licenses/GPL-2'. diff --git a/_service:extract_file:debian.dh-signobs.install b/_service:extract_file:debian.dh-signobs.install deleted file mode 100644 index a88294e..0000000 --- a/_service:extract_file:debian.dh-signobs.install +++ /dev/null @@ -1,2 +0,0 @@ -dh_signobs usr/bin/ -signobs.pm usr/share/perl5/Debian/Debhelper/Sequence diff --git a/_service:extract_file:debian.dh-signobs.links b/_service:extract_file:debian.dh-signobs.links deleted file mode 100644 index b3e6c09..0000000 --- a/_service:extract_file:debian.dh-signobs.links +++ /dev/null @@ -1,6 +0,0 @@ -usr/bin/dh_signobs usr/bin/dh_signobs_pack -usr/bin/dh_signobs usr/bin/dh_signobs_unpack -usr/bin/dh_signobs usr/bin/dh_signobs_getcert -usr/share/man/man1/dh_signobs.1 usr/share/man/man1/dh_signobs_pack.1 -usr/share/man/man1/dh_signobs.1 usr/share/man/man1/dh_signobs_unpack.1 -usr/share/man/man1/dh_signobs.1 usr/share/man/man1/dh_signobs_getcert.1 diff --git a/_service:extract_file:debian.dh-signobs.manpages b/_service:extract_file:debian.dh-signobs.manpages deleted file mode 100644 index 2732943..0000000 --- a/_service:extract_file:debian.dh-signobs.manpages +++ /dev/null @@ -1 +0,0 @@ -dh_signobs.1 diff --git a/_service:extract_file:debian.docs b/_service:extract_file:debian.docs deleted file mode 100644 index 0960002..0000000 --- a/_service:extract_file:debian.docs +++ /dev/null @@ -1 +0,0 @@ -README diff --git a/_service:extract_file:debian.pesign-obs-integration.install b/_service:extract_file:debian.pesign-obs-integration.install deleted file mode 100644 index 81ac33f..0000000 --- a/_service:extract_file:debian.pesign-obs-integration.install +++ /dev/null @@ -1,7 +0,0 @@ -pesign-gen-repackage-spec usr/lib/rpm/pesign/ -kernel-sign-file usr/lib/rpm/pesign/ -gen-hmac usr/lib/rpm/pesign/ -pesign-repackage.spec.in usr/lib/rpm/pesign/ -brp-99-pesign usr/lib/rpm/brp-suse.d/ -brp-99-compress-vmlinux usr/lib/rpm/brp-suse.d/ -modsign-repackage usr/bin/ diff --git a/_service:extract_file:debian.rules b/_service:extract_file:debian.rules deleted file mode 100644 index 807f8f1..0000000 --- a/_service:extract_file:debian.rules +++ /dev/null @@ -1,28 +0,0 @@ -#!/usr/bin/make -f -# -*- makefile -*- - -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 - -%: - dh $@ - -override_dh_auto_clean: - rm -f pesign-cert.x509 - dh_auto_clean - -override_dh_auto_build: - if test -e ../SOURCES/_projectcert.crt; then \ - openssl x509 -inform PEM -in ../SOURCES/_projectcert.crt \ - -outform DER -out pesign-cert.x509; \ - fi - dh_auto_build - -override_dh_install: - dh_install - if test -e pesign-cert.x509; then \ - dh_install -p pesign-obs-integration pesign-cert.x509 /usr/lib/rpm/pesign; \ - fi - -override_dh_auto_test: - shellcheck dh_signobs diff --git a/_service:recompress:tar_scm:pesign-obs-integration.tar.gz b/_service:recompress:tar_scm:pesign-obs-integration.tar.gz deleted file mode 100644 index df33ea1..0000000 --- a/_service:recompress:tar_scm:pesign-obs-integration.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:570ab90869469403e2b86640b27441f7f7e722b8a5763370afa3592ffc84f487 -size 31207 diff --git a/_service:tar_scm:COPYING b/_service:tar_scm:COPYING deleted file mode 100644 index 122a28c..0000000 --- a/_service:tar_scm:COPYING +++ /dev/null @@ -1,339 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. - - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. (Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. - -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - , 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. diff --git a/_service:tar_scm:README b/_service:tar_scm:README deleted file mode 100644 index 73aa695..0000000 --- a/_service:tar_scm:README +++ /dev/null @@ -1,38 +0,0 @@ -Signing kernel modules and EFI binaries in the Open Build Service -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -RPM packages that need to sign files during build should add the following lines -to the specfile - -# needssslcertforbuild -export BRP_PESIGN_FILES='pattern...' -BuildRequires: pesign-obs-integration - -Debian packages need to add the following line to the Source stanza in the -debian/control file, which will add "Obs: needssslcertforbuild" to the generated -.dsc file: - -XS-Obs: needssslcertforbuild - -The "# needssslcertforbuild" comment tells the buildservice to store the -signing certificate in %_sourcedir/_projectcert.crt. At the end of the -install phase, the brp-99-pesign script computes hashes of all -files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored -in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a -pesign-repackage.spec file there. When the first rpmbuild finishes, the -buildservice sends the cpio archive to the signing server, which returns -a rsasigned.cpio archive with RSA signatures of the sha256 hashes. - -The pesign-repackage.spec takes the original RPMs, unpacks them and -appends the signatures to the files. It then uses the -pesign-gen-repackage-spec script to generate another specfile, which -builds new RPMs with signed files. The supported file types are: - -*.ko - Signature appended to the module -efi binaries - Signature embedded in a header. If a HMAC checksum named - .$file.hmac exists, it is regenerated - -Debian packages can use the dh-signobs debhelper to automate signing and -repacking. Build-depend on dh-signobs and add --with signobs to the dh line -in debian/rules to use the fully automated helper. -Consult the dh_signobs manpage for more information. diff --git a/_service:tar_scm:brp-99-compress-vmlinux b/_service:tar_scm:brp-99-compress-vmlinux deleted file mode 100644 index 1701ed7..0000000 --- a/_service:tar_scm:brp-99-compress-vmlinux +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -# Compress the /boot/vmlinux image after find-debuginfo.sh has done its job - -set -e - -case "$RPM_PACKAGE_NAME" in -kernel-*) - ;; -*) - exit 0 -esac -for f in $RPM_BUILD_ROOT/boot/vmlinux-*; do - if test -e "$f" -a -e "$f.gz"; then - echo "gzip $f" - # Deliberately not using gzip -n; the vmlinux image has a - # predictable timestamp (bnc#880848#c20) - gzip -k -9 -f "$f" - fi -done - diff --git a/_service:tar_scm:brp-99-pesign b/_service:tar_scm:brp-99-pesign deleted file mode 100644 index f3a07dc..0000000 --- a/_service:tar_scm:brp-99-pesign +++ /dev/null @@ -1,121 +0,0 @@ -#!/bin/bash -# This script is run by rpmbuild at the end of the brp checks. It computes -# hashes of files listed in the BRP_PESIGN_FILES environment and stores them in -# %_topdir/OTHER/%name.cpio.rsasign. It also puts a specfile there, that -# is later used to repackage the RPMs. -# -# Copyright (c) 2013 SUSE Linux Products GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA - -set -e - -files="*.ko" -if test -n "${BRP_PESIGN_FILES+x}"; then - files=${BRP_PESIGN_FILES} -fi -output= -while test $# -gt 0; do - case "$1" in - --files) - files=$2 - shift 2 - ;; - --output) - output=$2 - shift 2 - ;; - *) - echo "$0: Unknown option: $1" >&2 - exit 1 - esac -done -if test -z "$files"; then - exit 0 -fi -if test -z "$output"; then - output=`rpm --eval %_topdir/OTHER` -fi -if test -z "$RPM_BUILD_ROOT"; then - echo "$0: warning: \$RPM_BUILD_ROOT not set, using the root directory" >&2 - RPM_BUILD_ROOT=/ -fi - -if ! mkdir -p "$output"; then - echo "$0: warning: $output cannot be created, giving up" >&2 - exit 0 -fi -cert=$RPM_SOURCE_DIR/_projectcert.crt -if test -e "$cert"; then - echo "Using signing certificate $cert" -else - echo "No buildservice signing certificate" - cert=/dev/null -fi -sed " - s:@NAME@:$RPM_PACKAGE_NAME:g - /@CERT@/ { - r $cert - d - } -" /usr/lib/rpm/pesign/pesign-repackage.spec.in >"$output/pesign-repackage.spec" - -for rpmlintrc in $RPM_SOURCE_DIR/*rpmlintrc; do - if test -e "$rpmlintrc"; then - cp "$rpmlintrc" "$output/" - fi -done - -cd "$RPM_BUILD_ROOT" -args=() -for pattern in $files; do - pattern=${pattern#/} - if test "${pattern:0:2}" != "./"; then - pattern="./$pattern" - fi - if test -d "$pattern"; then - pattern="$pattern/*" - fi - args=("${args[@]}" -o -path "$pattern") -done -# delete the leading -o -unset args[0] - -archive=$output/$RPM_PACKAGE_NAME.cpio.rsasign -archive_dir=$output/$RPM_PACKAGE_NAME -mkdir -p "$archive_dir" -# create an empty nss database to make pesign happy -nss_db=$(mktemp -d) -trap 'rm -rf "$nss_db"' EXIT -echo foofoofoo > "$nss_db/passwd" -certutil -N -d "$nss_db" -f "$nss_db/passwd" - -echo "Creating $archive" -files=($(find . -type f \( "${args[@]}" \))) -for f in "${files[@]}"; do - dest="$archive_dir/$f" - mkdir -p "${dest%/*}" - case "$f" in - ./boot/* | *.efi) - pesign --certdir="$nss_db" -i "$f" -E $dest - ;; - *) - cp "$f" "$dest" - esac -done -cd "$archive_dir" -find . -type f | cpio -H newc -o >"$archive" -rm -rf "$archive_dir" - diff --git a/_service:tar_scm:gen-hmac b/_service:tar_scm:gen-hmac deleted file mode 100644 index ec33f99..0000000 --- a/_service:tar_scm:gen-hmac +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/perl - -use strict; -use warnings; - -use Getopt::Long; - -my $USAGE = "Usage: $0 [-r ] \n"; - -my $buildroot = ""; -GetOptions("r|root=s" => \$buildroot) or die $USAGE; -if (scalar(@ARGV) != 1) { - die $USAGE; -} -if ($buildroot) { - $buildroot .= "/"; -} - -my $fn = shift @ARGV; - -system("fipshmac $buildroot$fn"); - -exit 0; diff --git a/_service:tar_scm:kernel-sign-file b/_service:tar_scm:kernel-sign-file deleted file mode 100644 index cfda78c..0000000 --- a/_service:tar_scm:kernel-sign-file +++ /dev/null @@ -1,510 +0,0 @@ -#!/usr/bin/perl -w -# -# Sign a module file using the given key. -# - -my $USAGE = -"Usage: scripts/sign-file [-dkpv] [-i ] []\n" . -" scripts/sign-file [-dkpv] [-i ] -s []\n"; - -use strict; -use FileHandle; -use IPC::Open2; -use Getopt::Std; - -my %opts; -getopts('vkpds:i:', \%opts) or die $USAGE; -my $verbose = $opts{'v'}; -my $signature_file = $opts{'s'}; -my $use_keyid = $opts{'k'}; -my $sign_only = $opts{'d'}; -my $save_sig = $opts{'p'}; -$save_sig = 1 if $sign_only; -my $id_type_name = $opts{'i'}; - -die $USAGE if ($#ARGV > 4); -die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2); - -my $dgst = shift @ARGV; -my $private_key; -if (!$signature_file) { - $private_key = shift @ARGV; -} -my $x509 = shift @ARGV; -my $module = shift @ARGV; -my ($dest, $keep_orig); -if (@ARGV) { - $dest = $ARGV[0]; - $keep_orig = 1; -} else { - $dest = $module . "~"; -} - -die "Can't read private key\n" if (!$signature_file && !-r $private_key); -die "Can't read signature file\n" if ($signature_file && !-r $signature_file); -die "Can't read X.509 certificate\n" unless (-r $x509); -die "Can't read module\n" unless (-r $module); - -# -# Function to read the contents of a file into a variable. -# -sub read_file($) -{ - my ($file) = @_; - my $contents; - my $len; - - open(FD, "<$file") || die $file; - binmode FD; - my @st = stat(FD); - die $file if (!@st); - $len = read(FD, $contents, $st[7]) || die $file; - close(FD) || die $file; - die "$file: Wanted length ", $st[7], ", got ", $len, "\n" - if ($len != $st[7]); - return $contents; -} - -sub openssl_pipe($$) { - my ($input, $cmd) = @_; - my ($pid, $res); - - $pid = open2(*read_from, *write_to, $cmd) || die $cmd; - binmode write_to; - print write_to $input || die "pipe to $cmd"; - close(write_to) || die "pipe to $cmd"; - - binmode read_from; - read(read_from, $res, 4096) || die "pipe from $cmd"; - close(read_from) || die "pipe from $cmd"; - waitpid($pid, 0) || die; - die "$cmd died: $?" if ($? >> 8); - return $res; -} - -############################################################################### -# -# First of all, we have to parse the X.509 certificate to find certain details -# about it. -# -# We read the DER-encoded X509 certificate and parse it to extract the Subject -# name and Subject Key Identifier. Theis provides the data we need to build -# the certificate identifier. -# -# The signer's name part of the identifier is fabricated from the commonName, -# the organizationName or the emailAddress components of the X.509 subject -# name. -# -# The subject key ID is used to select which of that signer's certificates -# we're intending to use to sign the module. -# -############################################################################### -my $x509_certificate = read_file($x509); - -my $UNIV = 0 << 6; -my $APPL = 1 << 6; -my $CONT = 2 << 6; -my $PRIV = 3 << 6; - -my $CONS = 0x20; - -my $BOOLEAN = 0x01; -my $INTEGER = 0x02; -my $BIT_STRING = 0x03; -my $OCTET_STRING = 0x04; -my $NULL = 0x05; -my $OBJ_ID = 0x06; -my $UTF8String = 0x0c; -my $SEQUENCE = 0x10; -my $SET = 0x11; -my $UTCTime = 0x17; -my $GeneralizedTime = 0x18; - -my %OIDs = ( - pack("CCC", 85, 4, 3) => "commonName", - pack("CCC", 85, 4, 6) => "countryName", - pack("CCC", 85, 4, 10) => "organizationName", - pack("CCC", 85, 4, 11) => "organizationUnitName", - pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1) => "rsaEncryption", - pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 5) => "sha1WithRSAEncryption", - pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 9, 1) => "emailAddress", - pack("CCC", 85, 29, 35) => "authorityKeyIdentifier", - pack("CCC", 85, 29, 14) => "subjectKeyIdentifier", - pack("CCC", 85, 29, 19) => "basicConstraints" -); - -############################################################################### -# -# Extract an ASN.1 element from a string and return information about it. -# -############################################################################### -sub asn1_extract($$@) -{ - my ($cursor, $expected_tag, $optional) = @_; - - return [ -1 ] - if ($cursor->[1] == 0 && $optional); - - die $x509, ": ", $cursor->[0], ": ASN.1 data underrun (elem ", $cursor->[1], ")\n" - if ($cursor->[1] < 2); - - my ($tag, $len) = unpack("CC", substr(${$cursor->[2]}, $cursor->[0], 2)); - - if ($expected_tag != -1 && $tag != $expected_tag) { - return [ -1 ] - if ($optional); - die $x509, ": ", $cursor->[0], ": ASN.1 unexpected tag (", $tag, - " not ", $expected_tag, ")\n"; - } - - $cursor->[0] += 2; - $cursor->[1] -= 2; - - die $x509, ": ", $cursor->[0], ": ASN.1 long tag\n" - if (($tag & 0x1f) == 0x1f); - die $x509, ": ", $cursor->[0], ": ASN.1 indefinite length\n" - if ($len == 0x80); - - if ($len > 0x80) { - my $l = $len - 0x80; - die $x509, ": ", $cursor->[0], ": ASN.1 data underrun (len len $l)\n" - if ($cursor->[1] < $l); - - if ($l == 0x1) { - $len = unpack("C", substr(${$cursor->[2]}, $cursor->[0], 1)); - } elsif ($l == 0x2) { - $len = unpack("n", substr(${$cursor->[2]}, $cursor->[0], 2)); - } elsif ($l == 0x3) { - $len = unpack("C", substr(${$cursor->[2]}, $cursor->[0], 1)) << 16; - $len = unpack("n", substr(${$cursor->[2]}, $cursor->[0] + 1, 2)); - } elsif ($l == 0x4) { - $len = unpack("N", substr(${$cursor->[2]}, $cursor->[0], 4)); - } else { - die $x509, ": ", $cursor->[0], ": ASN.1 element too long (", $l, ")\n"; - } - - $cursor->[0] += $l; - $cursor->[1] -= $l; - } - - die $x509, ": ", $cursor->[0], ": ASN.1 data underrun (", $len, ")\n" - if ($cursor->[1] < $len); - - my $ret = [ $tag, [ $cursor->[0], $len, $cursor->[2] ] ]; - $cursor->[0] += $len; - $cursor->[1] -= $len; - - return $ret; -} - -############################################################################### -# -# Retrieve the data referred to by a cursor -# -############################################################################### -sub asn1_retrieve($) -{ - my ($cursor) = @_; - my ($offset, $len, $data) = @$cursor; - return substr($$data, $offset, $len); -} - - -sub asn1_pack($@) -{ - my ($tag, @data) = @_; - my $ret = pack("C", $tag); - my $data = join('', @data); - my $l = length($data); - return pack("CC", $tag, $l) . $data if $l < 127; - my $ll = $l >> 8 ? $l >> 16 ? $l >> 24 ? 4 : 3 : 2 : 1; - return pack("CCa*", $tag, $ll | 0x80, substr(pack("N", $l), -$ll)) . $data; -} - -############################################################################### -# -# Roughly parse the X.509 certificate -# -############################################################################### -my $cursor = [ 0, length($x509_certificate), \$x509_certificate ]; - -my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE); -my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE); -my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1); -my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER); -my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1); -my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1); -my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1); - -my $subject_key_id = (); -my $authority_key_id = (); - -# -# Parse the extension list -# -if ($extension_list->[0] != -1) { - my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE); - - while ($extensions->[1]->[1] > 0) { - my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE); - my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID); - my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1); - my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING); - - my $raw_oid = asn1_retrieve($x_oid->[1]); - next if (!exists($OIDs{$raw_oid})); - my $x_type = $OIDs{$raw_oid}; - - my $raw_value = asn1_retrieve($x_val->[1]); - - if ($x_type eq "subjectKeyIdentifier") { - my $vcursor = [ 0, length($raw_value), \$raw_value ]; - - $subject_key_id = asn1_extract($vcursor, $UNIV | $OCTET_STRING); - } - } -} - -############################################################################### -# -# Determine what we're going to use as the signer's name. In order of -# preference, take one of: commonName, organizationName or emailAddress. -# -############################################################################### -my $org = ""; -my $cn = ""; -my $email = ""; - -while ($subject->[1]->[1] > 0) { - my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET); - my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE); - my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID); - my $n_val = asn1_extract($attr->[1], -1); - - my $raw_oid = asn1_retrieve($n_oid->[1]); - next if (!exists($OIDs{$raw_oid})); - my $n_type = $OIDs{$raw_oid}; - - my $raw_value = asn1_retrieve($n_val->[1]); - - if ($n_type eq "organizationName") { - $org = $raw_value; - } elsif ($n_type eq "commonName") { - $cn = $raw_value; - } elsif ($n_type eq "emailAddress") { - $email = $raw_value; - } -} - -my $signers_name = $email; - -if ($org && $cn) { - # Don't use the organizationName if the commonName repeats it - if (length($org) <= length($cn) && - substr($cn, 0, length($org)) eq $org) { - $signers_name = $cn; - goto got_id_name; - } - - # Or a signifcant chunk of it - if (length($org) >= 7 && - length($cn) >= 7 && - substr($cn, 0, 7) eq substr($org, 0, 7)) { - $signers_name = $cn; - goto got_id_name; - } - - $signers_name = $org . ": " . $cn; -} elsif ($org) { - $signers_name = $org; -} elsif ($cn) { - $signers_name = $cn; -} - -got_id_name: - -die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n" - if (!$subject_key_id); - -my $key_identifier = asn1_retrieve($subject_key_id->[1]); - -############################################################################### -# -# Create and attach the module signature -# -############################################################################### - -# -# Signature parameters -# -my $algo = 1; # Public-key crypto algorithm: RSA -my $hash = 0; # Digest algorithm -my $id_type = 1; # Identifier type: X.509 - -if ($id_type_name) { - if ($id_type_name eq 'x509') { - $id_type = 1; # Identifier type: X.509 - } elsif ($id_type_name eq 'pkcs7') { - $id_type = 2; # Identifier type: PKCS7 - } else { - die("unknown id type: $id_type_name\n"); - } -} - -# -# Digest the data -# -my $prologue; -if ($dgst eq "sha1") { - $prologue = pack("C*", - 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, - 0x2B, 0x0E, 0x03, 0x02, 0x1A, - 0x05, 0x00, 0x04, 0x14); - $hash = 2; -} elsif ($dgst eq "sha224") { - $prologue = pack("C*", - 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, - 0x05, 0x00, 0x04, 0x1C); - $hash = 7; -} elsif ($dgst eq "sha256") { - $prologue = pack("C*", - 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, - 0x05, 0x00, 0x04, 0x20); - $hash = 4; -} elsif ($dgst eq "sha384") { - $prologue = pack("C*", - 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, - 0x05, 0x00, 0x04, 0x30); - $hash = 5; -} elsif ($dgst eq "sha512") { - $prologue = pack("C*", - 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, - 0x05, 0x00, 0x04, 0x40); - $hash = 6; -} else { - die "Unknown hash algorithm: $dgst\n"; -} - -my $unsigned_module = read_file($module); - -my $magic_number = "~Module signature appended~\n"; -my $magic_len = length($magic_number); -my $info_len = 12; - -# Truncate existing signarure, if any -if (substr($unsigned_module, -$magic_len) eq $magic_number) { - my $info = substr($unsigned_module, -$magic_len - $info_len, $info_len); - my ($name_len, $key_len, $sig_len) = unpack("xxxCCxxxN", $info); - my $subtract = $name_len + $key_len + $sig_len + $info_len + $magic_len; - if ($subtract > length($unsigned_module)) { - die "$module: Existing signature is malformed\n"; - } - $unsigned_module = substr($unsigned_module, 0, - length($unsigned_module) - $subtract); -} - -my $signature; -if ($signature_file) { - $signature = read_file($signature_file); -} else { - # - # Generate the digest and read from openssl's stdout - # - my $digest = openssl_pipe($unsigned_module, - "openssl dgst -$dgst -binary"); - - # - # Generate the binary signature, which will be just the integer that - # comprises the signature with no metadata attached. - # - $signature = openssl_pipe($prologue . $digest, - "openssl rsautl -sign -inkey $private_key -keyform PEM"); -} - -if ($id_type == 1) { - $signature = pack("n", length($signature)) . $signature, -} elsif ($id_type == 2) { - # create PKCS7 signature - $signature = asn1_pack($UNIV | $OCTET_STRING, $signature); - my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1))); - my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo); - my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq); - my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1)); - my $si_issuer = asn1_pack($issuer->[0], asn1_retrieve($issuer->[1])); - my $si_serial = asn1_pack($serial_number->[0], asn1_retrieve($serial_number->[1])); - my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial); - my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($subject_key_id->[1])); - my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1)); - my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL)); - my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial; - my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature); - my $si_set = asn1_pack($UNIV | $CONS | $SET, $si); - my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1)); - my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1)); - my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data); - my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set); - my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2)); - $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid)); - # zero out unneeded entries - $signers_name = ''; - $key_identifier = ''; - $algo = $hash = 0; -} else { - die("unknown signature id type: $id_type\n"); -} - -if ($save_sig) { - open(FD, ">$module.p7s") || die "$module.p7s"; - binmode FD; - print FD $signature; -} -exit(0) if $sign_only; - -# -# Build the signed binary -# -my $info = pack("CCCCCxxxN", - $algo, $hash, $id_type, - length($signers_name), - length($key_identifier), - length($signature)); -# Make sure that $info_len value used above matches reality -if (length($info) != $info_len) { - die "Signature info size changed ($info_len -> @{[length($info)]}"; -} - -if ($verbose) { - print "Size of unsigned module: ", length($unsigned_module), "\n"; - print "Size of signer's name : ", length($signers_name), "\n"; - print "Size of key identifier : ", length($key_identifier), "\n"; - print "Size of signature : ", length($signature), "\n"; - print "Size of informaton : ", length($info), "\n"; - print "Size of magic number : ", length($magic_number), "\n"; - print "Signer's name : '", $signers_name, "'\n"; - print "Digest : $dgst\n"; -} - -open(FD, ">$dest") || die $dest; -binmode FD; -print FD - $unsigned_module, - $signers_name, - $key_identifier, - $signature, - $info, - $magic_number - ; -close FD || die $dest; - -if (!$keep_orig) { - rename($dest, $module) || die $module; -} diff --git a/_service:tar_scm:modsign-repackage b/_service:tar_scm:modsign-repackage deleted file mode 100644 index 494a3f7..0000000 --- a/_service:tar_scm:modsign-repackage +++ /dev/null @@ -1,172 +0,0 @@ -#!/bin/bash -# Script to sign kernel modules and create new RPM packages with these -# modules. Uses pesign-gen-repackage-spec for the repackaging. -# -# Copyright (c) 2013 SUSE Linux Products GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA - -USAGE="$0 --key --certificate rpm ..." - -options=`getopt -o hk:c:s: --long help,key:,certificate:,signatures: -- "$@"` -if test $? -ne 0; then - echo "$USAGE" >&2 - exit 1 -fi -eval set -- "$options" -key= -cert= -sig_dir= -while :; do - case "$1" in - -k|--key) - key=$2 - shift 2 - ;; - -c|--certificate) - cert=$2 - shift 2 - ;; - -s|--signatures) - sig_dir=$2 - shift 2 - ;; - -h|--help) - echo "$USAGE" - exit - ;; - --) - shift - break - esac -done -err= -if test -n "$key" -a -n "$sig_dir"; then - err="Cannot use both --key and --signatures" -elif test -z "$key" -a -z "$sig_dir"; then - err="Please specify either --key or --signatures" -elif test -z "$cert"; then - err="Please specify --certificate" -elif test "$#" -eq 0; then - err="No packages specified" -fi -if test -n "$err"; then - echo "$0: $err" >&2 - echo "$USAGE" >&2 - exit 1 -fi - -workdir="$PWD/rpm-files.$$" -buildroot="$workdir/buildroot" -rpmdir=RPMS -srpmdir=SRPMS -disturl= -rpms=() -rm -rf "$workdir" -mkdir "$workdir" || exit -mkdir -p "$rpmdir" "$srpmdir" || exit -mkdir "$buildroot" -echo "Unpacking original RPMs..." -for rpm; do - # XXX: Use a common script in pesign-repackage.spec.in and here - case "$rpm" in - *.src.rpm | *.nosrc.rpm) - cp "$rpm" "$srpmdir/" - continue - ;; - # Do not repackage debuginfo packages (bnc#806637) - *-debuginfo-*.rpm | *-debugsource-*.rpm) - dir="$rpmdir/$(rpm -qp --qf '%{arch}' "$rpm")" - mkdir -p "$dir" - cp "$rpm" "$dir" - continue - ;; - esac - # do not repackage baselibs packages - # FIXME: needs more generic test (if architecture has different - # bitness => skip) - case "$(rpm -qp --qf '%{name}/%{arch}' "$rpm")" in - *-32bit/x86_64 | *-32bit/s390x | *-32bit/ppc64 | \ - *-64bit/ppc | *-x86/ia64) - mkdir -p "$rpmdir/$(rpm -qp --qf '%{arch}')/" - cp "$rpm" "$_" - continue - esac - rpm2cpio "$rpm" | (cd "$buildroot"; cpio -idm --quiet) || exit - d=$(rpm -qp --qf '%{disturl}' "$rpm") - if test -z "$disturl"; then - disturl=$d - fi - if test "$disturl" != "$d"; then - echo "Error: packages have different disturl: $d vs $disturl" - exit 1 - fi - rpms=("${rpms[@]}" "$rpm") -done -set -e -echo "Signing kernel modules..." -if test ! -e "$cert.pub"; then - openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub" -fi -for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do - if test -n "$key"; then - /usr/lib/rpm/pesign/kernel-sign-file \ - -i pkcs7 sha256 "$key" "$cert" "$buildroot/$module" - else - raw_sig="$sig_dir/$module.sig" - if test ! -e "$raw_sig"; then - echo "$module.sig not found in $sig_dir" >&2 - exit 1 - fi - ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$raw_sig" 2>&1 | grep -i error) - if [ -n "$ver_err" ]; then - echo "$raw_sig signature can not be decrypted by $cert" >&2 - exit 1 - fi - /usr/lib/rpm/pesign/kernel-sign-file \ - -i pkcs7 -s "$raw_sig" sha256 "$cert" "$buildroot/$module" - fi - -done -rm "$cert.pub" -# Add the certificate -mkdir -p "$buildroot/etc/uefi/certs" -h=$(openssl x509 -inform DER -fingerprint -noout -in "$cert") -filename=/etc/uefi/certs/$(echo "$h" | \ - sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt -cp "$cert" "$buildroot/$filename" - -echo "Generating new specfile..." -if ! test -e /usr/lib/rpm/kernel-cert-subpackage; then - echo "/usr/lib/rpm/kernel-cert-subpackage missing" >&2 - echo "please install the kernel-source package" >&2 - exit 1 -fi -/usr/lib/rpm/pesign/pesign-gen-repackage-spec \ - --cert-subpackage=/usr/lib/rpm/kernel-cert-subpackage \ - --directory="$buildroot" --output="$workdir" "${rpms[@]}" -echo "Running rpmbuild..." -rpmbuild --define "buildroot $buildroot" --define "disturl $disturl" \ - --define "_builddir $workdir" \ - --define "_suse_insert_debug_package %{nil}" \ - --define "_rpmdir $rpmdir" \ - -bb "$workdir/repackage.spec" >"$workdir/log" 2>&1 -grep 'RPMS/.*\.rpm$' "$workdir/log" -echo "Cleaning up $workdir..." -rm -r "$workdir" -echo "Done." -exit 0 - - diff --git a/_service:tar_scm:pesign-gen-repackage-spec b/_service:tar_scm:pesign-gen-repackage-spec deleted file mode 100644 index 099059b..0000000 --- a/_service:tar_scm:pesign-gen-repackage-spec +++ /dev/null @@ -1,496 +0,0 @@ -#!/usr/bin/perl -# Given a set of rpm packages and directory with their new content, -# generate a specfile that generates new packages -# -# Copyright (c) 2013 SUSE Linux Products GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA - -use strict; -use warnings; - -my $USAGE = "Usage: $0 --directory rpm...\n"; - -use Getopt::Long; -use Fcntl qw(:mode :seek); - -my $directory; -my $output = "."; -my $cert_subpackage; -my $kmp_basename; -my @rpms; - -$ENV{LC_ALL} = "en_US.UTF-8"; - -GetOptions( - "help|h" => sub { print $USAGE; exit; }, - "directory|d=s" => \$directory, - "output|o=s" => \$output, - "cert-subpackage|c=s" => \$cert_subpackage, -) or die $USAGE; -@rpms = @ARGV; -if (!@rpms) { - print STDERR "$0: No packages given\n"; - die $USAGE; -} -if (!$directory || substr($directory, 0, 1) ne '/' || ! -d $directory) { - print STDERR "$0: --directory must be an absolute path\n"; - die $USAGE; -} - -sub query_array { - my ($rpm, @tags) = @_; - my @res; - - my $format = "[" . join("|", map { "\%{$_}" } @tags) . "\\n]"; - open(my $fh, '-|', "rpm", "-qp", "--qf", $format, $rpm) - or die "rpm: $!\n"; - while (<$fh>) { - chomp; - my @t = split(/\|/, $_, -1); - push(@res, \@t); - } - close($fh); - return @res; -} - -sub query_multiline_array { - my ($rpm, $tag) = @_; - my @res; - my $delim = "|||"; # XXX - dangerous - - my $format = "[$delim\\n\%{$tag}\\n]"; - open(my $fh, '-|', "rpm", "-qp", "--qf", $format, $rpm) - or die "rpm: $!\n"; - my $line = <$fh>; - return unless $line; - chomp($line); - return if $line eq "(none)"; - die "Expected \"$delim\" at beginning of rpm output, got \"$line\"" - if $line ne $delim; - my $cur = ""; - while ($line = <$fh>) { - chomp($line); - if ($line eq $delim) { - $cur = "" if $cur eq "\n"; - push(@res, $cur); - $cur = ""; - } else { - $cur .= $line . "\n"; - } - } - $cur = "" if $cur eq "\n"; - push(@res, $cur); - close($fh); - return @res; -} - -sub query_single { - my ($rpm, $tag) = @_; - my $res; - - open(my $fh, '-|', "rpm", "-qp", "--qf", "\%{$tag}\\n", $rpm) - or die "rpm: $!\n"; - { - local $/ = undef; - $res = <$fh>; - } - chomp $res; - if ($res eq "(none)") { - $res = ""; - } - close($fh); - return $res; - -} - -# specfile dependency => rpm tag name -my %dep2tag = ( - conflicts => "conflict", - obsoletes => "obsolete", - provides => "provide", - requires => "require", - suggests => "suggest", - enhances => "enhance", - recommends => "recommend", - supplements => "supplement", -); - -# specfile scriptlet => rpm tag name -my %script2tag = ( - pre => "prein", - post => "postin", - preun => "preun", - postun => "postun", - pretrans => "pretrans", - posttrans => "posttrans", - verifyscript => "verifyscript", - # FIXME: triggers -); - -# tags which are printed verbatim in the specfile -my @simple_tags = qw(version release license group summary packager vendor - url distribution); - -sub load_package { - my $rpm = shift; - my %res; - - for my $tag (qw(name arch sourcerpm description), @simple_tags) { - $res{$tag} = query_single($rpm, $tag); - } - my @files; - my @list = query_array($rpm, qw(filenames fileflags filemodes fileusername filegroupname filesizes filemtimes filelinktos fileverifyflags)); - for my $file (@list) { - my $new = { - name => $file->[0], - flags => $file->[1], - mode => $file->[2], - owner => $file->[3], - group => $file->[4], - size => $file->[5], - mtime => $file->[6], - target => $file->[7], - verify => $file->[8], - }; - push(@files, $new); - if ($new->{name} =~ /\.ko$/ && S_ISREG($new->{mode})) { - $res{is_kmp} = 1; - } - } - $res{files} = \@files; - while (my ($dep, $tag) = each(%dep2tag)) { - my @deps; - my @list = query_array($rpm, "${tag}name", "${tag}flags", "${tag}version"); - for my $d (@list) { - next if $d->[0] eq "(none)"; - push(@deps, { - name => $d->[0], - flags => $d->[1], - version => $d->[2], - }); - } - $res{$dep} = \@deps; - } - - while (my ($script, $tag) = each(%script2tag)) { - my $interp = query_single($rpm, "${tag}prog"); - next unless $interp; - my $s = query_single($rpm, $tag); - $res{$script} = { - interp => $interp, - script => $s, - }; - } - my @triggers = query_array($rpm, qw(triggertype triggerscriptprog triggerconds)); - my @triggerscripts = query_multiline_array($rpm, "triggerscripts"); - if (scalar(@triggers) != scalar(@triggerscripts)) { - die "# of %%{triggertype} tags (" . scalar(@triggers) . - ") != # of %%{triggerscripts} tags (" . scalar(@triggerscripts) - . ")"; - } - for (my $i = 0; $i < scalar(@triggers); $i++) { - $res{triggers} ||= []; - push(@{$res{triggers}}, { - type => $triggers[$i]->[0], - interp => $triggers[$i]->[1], - conds => $triggers[$i]->[2], - script => $triggerscripts[$i], - }); - } - open(my $fh, '-|', "rpm", "-qp", "--changelog", $rpm) or die "rpm: $!\n"; - { - local $/ = undef; - my $changelog = <$fh>; - close($fh); - $res{changelog} = $changelog; - } - - return \%res; -} - -# quote percent signs in text -sub quote { - my $text = shift; - - $text =~ s/%/%%/g; - return $text; -} - -sub print_script { - my ($file, $script) = @_; - - return unless $script->{script}; - open(my $fh, '>', "$output/$file") - or die "$output/$file: $!\n"; - print $fh $script->{script}; - close($fh); - print SPEC " -f $file"; -} - -sub print_package { - my ($p, $is_main) = @_; - - if ($is_main) { - print SPEC "Name: $p->{name}\n"; - print SPEC "Buildroot: $directory\n"; - print SPEC "\%define _use_internal_dependency_generator 0\n"; - print SPEC "\%define __find_provides %{nil}\n"; - print SPEC "\%define __find_requires %{nil}\n"; - print SPEC "\%define __find_supplements %{nil}\n"; - if ($p->{nosource}) { - # We do not generate any no(src).rpm, but we want the - # %{sourcerpm} tag in the binary packages to match. - # So we add a dummy source and mark it as nosource. - print SPEC "Source0: repackage.spec\n"; - print SPEC "NoSource: 0\n"; - } - } else { - print SPEC "\%package -n $p->{name}\n"; - } - for my $tag (@simple_tags) { - next if $p->{$tag} eq ""; - print SPEC "$tag: " . quote($p->{$tag}) . "\n"; - } - print SPEC "BuildArch: noarch\n" if $p->{arch} eq "noarch"; - for my $dep (sort(keys(%dep2tag))) { - print_deps($dep, $p->{$dep}); - } - if ($cert_subpackage && $p->{is_kmp}) { - print SPEC "Requires: $kmp_basename-ueficert\n"; - } - print SPEC "\%description -n $p->{name}\n"; - print SPEC quote($p->{description}) . "\n\n"; - - for my $script (sort(keys(%script2tag))) { - next unless $p->{$script}; - print SPEC "\%$script -p $p->{$script}{interp} -n $p->{name}"; - print_script("$script-$p->{name}", $p->{$script}); - print SPEC "\n"; - } - my $i = 0; - for my $trigger (@{$p->{triggers}}) { - print SPEC "\%trigger$trigger->{type} -p $trigger->{interp} -n $p->{name}"; - print_script("trigger$i-$p->{name}", $trigger); - print SPEC " -- $trigger->{conds}\n"; - $i++; - } - if ($p->{files}) { - print SPEC "\%files -n $p->{name}\n"; - print_files($p->{files}); - } - print SPEC "\n"; -} - -# /usr/include/rpm/rpmds.h -my %deptypes = ( - pre => (1 << 9), - post => (1 << 10), - preun => (1 << 11), - postun => (1 << 12), - verify => (1 << 13), -); -my %depflags = ( - "<" => (1 << 1), - ">" => (1 << 2), - "=" => (1 << 3), - rpmlib => (1 << 24), -); - -sub print_deps { - my ($depname, $list) = @_; - - foreach my $d (@$list) { - next if ($d->{flags} & $depflags{rpmlib}); - - print SPEC $depname; - my @deptypes; - while (my ($type, $bit) = each(%deptypes)) { - push(@deptypes, $type) if $d->{flags} & $bit; - } - print SPEC "(", join(",", @deptypes), ")" if @deptypes; - print SPEC ": "; - - print SPEC quote($d->{name}); - if ($d->{version}) { - print SPEC " "; - for my $op (qw(< > =)) { - print SPEC $op if $d->{flags} & $depflags{$op}; - } - print SPEC " " . quote($d->{version}); - } - print SPEC "\n"; - } -} - -# /usr/include/rpm/rpmfi.h -my %filetypes = ( - config => (1 << 0), - doc => (1 << 1), - missingok => (1 << 3), - noreplace => (1 << 4), - ghost => (1 << 6), -); - -my %verifyflags = ( - filedigest=> (1 << 0), - size => (1 << 1), - link => (1 << 2), - user => (1 << 3), - group => (1 << 4), - mtime => (1 << 5), - mode => (1 << 6), - rdev => (1 << 7), - caps => (1 << 8), -); - -sub print_files { - my $files = shift; - - for my $f (@$files) { - my $path = "$directory/$f->{name}"; - my $attrs = ""; - # Fix mtime of directories, which cpio -idm fails to preserve - if (S_ISDIR($f->{mode})) { - $attrs .= "\%dir "; - utime($f->{mtime}, $f->{mtime}, $path); - } - $attrs .= sprintf('%%attr(%04o, %s, %s) ', ($f->{mode} & 0777), - $f->{owner}, $f->{group}); - if ($f->{flags} & $filetypes{config}) { - $attrs .= "%config "; - my @cfg_attrs; - for my $attr (qw(missingok noreplace)) { - next unless $f->{flags} & $filetypes{$attr}; - push(@cfg_attrs, $attr); - } - $attrs .= "(" . join(",", @cfg_attrs) . ")" if @cfg_attrs; - } - $attrs .= "%doc " if $f->{flags} & $filetypes{doc}; - if ($f->{flags} & $filetypes{ghost}) { - $attrs .= "%ghost "; - if (S_ISREG($f->{mode})) { - open(my $fh, '>', $path) or die "$path: $!\n"; - if ($f->{size} > 0) { - sysseek($fh, $f->{size} - 1, SEEK_SET); - syswrite($fh, ' ', 1); - } - close($fh); - utime($f->{mtime}, $f->{mtime}, $path); - } elsif (S_ISLNK($f->{mode})) { - symlink($f->{target}, $path); - } - } - # mtime of symlinks is also not preserved by cpio - if (S_ISLNK($f->{mode})) { - # perl core does not provide lutimes()/utimensat() - system("touch", "-h", "-d\@$f->{mtime}", $path); - } - my $verify_attrs = ""; - for my $flag (sort(keys(%verifyflags))) { - if (!($f->{verify} & $verifyflags{$flag})) { - $verify_attrs .= "$flag "; - } - } - if ($verify_attrs) { - $attrs .= "%verify(not $verify_attrs) "; - } - - print SPEC "$attrs " . quote($f->{name}) . "\n"; - if (-e "$path.sig") { - print SPEC "$attrs " . quote($f->{name}) . ".sig\n"; - } - } -} - -my %packages; -for my $rpm (@rpms) { - my $p = load_package($rpm); - $packages{$p->{name}} = $p; -} - -my $sourcerpm; -for my $p (values(%packages)) { - $sourcerpm = $p->{sourcerpm} unless $sourcerpm; - if ($p->{sourcerpm} ne $sourcerpm) { - die "Error: packages built from different source rpm: $sourcerpm vs $p->{sourcerpm}\n"; - } -} -if ($sourcerpm !~ /^(.+)-([^-]+)-([^-]+)\.(no)?src\.rpm$/) { - die "Error: malformed %{sourcerpm} tag: $sourcerpm\n"; -} -my ($main_name, $main_ver, $main_rel, $nosrc) = ($1, $2, $3, $4); -if (!exists($packages{$main_name})) { - # create an empty main package - my $first = (sort(keys(%packages)))[0]; - $packages{$main_name} = { - name => $main_name, - version => $main_ver, - release => $main_rel, - }; - for my $tag (qw(description changelog arch), @simple_tags) { - next if $packages{$main_name}->{$tag}; - $packages{$main_name}->{$tag} = $packages{$first}->{$tag}; - } -} -$packages{$main_name}->{nosource} = $nosrc ? 1 : 0; - -# Find out the basename of -kmp-, falling back to the -# main package name -for my $p (values(%packages)) { - next unless $p->{is_kmp}; - (my $n = $p->{name}) =~ s/-kmp-.*//; - $kmp_basename = $n unless $kmp_basename; - if ($n ne $kmp_basename) { - $kmp_basename = undef; - last; - } -} -$kmp_basename = $main_name unless $kmp_basename; - -open(SPEC, '>', "$output/repackage.spec") or die "$output/repackage.spec: $!\n"; -print_package($packages{$main_name}, 1); -for my $name (sort(keys(%packages))) { - next if $name eq $main_name; - print_package($packages{$name}, 0); -} -if ($cert_subpackage) { - my $certdir = "/etc/uefi/certs"; - my $certs = ""; - if (-d "$directory/$certdir") { - opendir(my $dh, "$directory/$certdir") or die "$directory/$certdir"; - while (my $cert = readdir($dh)) { - next if $cert =~ /^\.\.?$/; - if ($cert !~ /\.crt$/) { - print STDERR "warning: Ignoring $directory/$certdir/$cert (no .crt suffix)\n"; - next; - } - $certs .= " $certdir/$cert"; - } - } - if (!$certs) { - print STDERR "warning: --cert-subpackage specified, but no certs found in $directory/$certdir\n"; - } - local $/ = undef; - open(my $fh, '<', $cert_subpackage) or die "$cert_subpackage: $!\n"; - my $template = <$fh>; - close($fh); - $template =~ s/\%\{-n\*}/$kmp_basename/g; - $template =~ s/\@CERTS\@/$certs/g; - print SPEC $template; -} -print SPEC "\%changelog\n"; -print SPEC quote($packages{$main_name}->{changelog}); -close(SPEC); diff --git a/_service:tar_scm:pesign-repackage.spec.in b/_service:tar_scm:pesign-repackage.spec.in deleted file mode 100644 index 5e2d2d3..0000000 --- a/_service:tar_scm:pesign-repackage.spec.in +++ /dev/null @@ -1,160 +0,0 @@ -#!/bin/bash -# This specfile unpacks the original RPMs, runs pesign-gen-repackage-spec -# to create a second repackage specfile, and runs another rpmbuild to -# actually do the repackaging. -# -# Copyright (c) 2013 SUSE Linux Products GmbH, Nuernberg, Germany. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA - -# Do not generate any debug packages from the repackage specfile -%undefine _build_create_debug - -Name: pesign-repackage -Version: 1.0 -Release: 1 -BuildRequires: openssl mozilla-nss-tools -%ifarch %ix86 x86_64 ia64 -BuildRequires: pesign -%endif -License: GPL-2.0 -Group: Development/Tools/Other -Summary: Spec file to rebuild RPMs with signatures -BuildRoot: %{_tmppath}/%{name}-%{version}-build -%description -Rebuilds RPMs with signatures - -%prep -%setup -c -T - -%build - -%install - -# avoid loops -export BRP_PESIGN_FILES="" - -pushd %buildroot -disturl= -rpms=() -for rpm in %_sourcedir/*.rpm; do - case "$rpm" in - *.src.rpm | *.nosrc.rpm) - cp "$rpm" %_srcrpmdir/ - continue - ;; - # Do not repackage debuginfo packages (bnc#806637) - *-debuginfo-*.rpm | *-debugsource-*.rpm) - mkdir -p "%_topdir/OTHER" - cp "$rpm" "$_" - continue - ;; - esac - # do not repackage baselibs packages - # FIXME: needs more generic test (if architecture has different - # bitness => skip) - case "$(rpm -qp --qf '%%{name}/%%{arch}' "$rpm")" in - *-32bit/x86_64 | *-32bit/s390x | *-32bit/ppc64 | \ - *-64bit/ppc | *-x86/ia64) - mkdir -p "%_topdir/OTHER" - cp "$rpm" "$_" - continue - esac - rpm2cpio "$rpm" | cpio -idm - d=$(rpm -qp --qf '%%{disturl}' "$rpm") - if test -z "$disturl"; then - disturl=$d - fi - if test "$disturl" != "$d"; then - echo "Error: packages have different disturl: $d vs $disturl" - exit 1 - fi - rpms=("${rpms[@]}" "$rpm") -done -popd -for log in %_sourcedir/*.log; do - if test -e "$log"; then - mkdir -p "%_topdir/OTHER" - cp "$log" "$_" - fi -done -mkdir rsasigned -pushd rsasigned -cpio -idm <%_sourcedir/@NAME@.cpio.rsasign.sig -cat >cert.crt < "$nss_db/passwd" -certutil -N -d "$nss_db" -f "$nss_db/passwd" -certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert" - -sigs=($(find -type f -name '*.sig' -printf '%%P\n')) -for sig in "${sigs[@]}"; do - f=%buildroot/${sig%.sig} - case "/$sig" in - *.ko.sig) - /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" - ;; - /boot/* | *.efi.sig) - infile=${sig%.sig} - cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs - test -s ${infile}.sattrs || exit 1 - ohash=$(pesign -n "$nss_db" -h -P -i "$f") - pesign -n "$nss_db" -c cert -i "$f" -o "$f.tmp" -d sha256 -I "${infile}.sattrs" -R "$sig" - rm -f "${infile}.sattrs" - mv "$f.tmp" "$f" - nhash=$(pesign -n "$nss_db" -h -i "$f") - if test "$ohash" != "$nhash" ; then - echo "hash mismatch error: $ohash $nhash" - exit 1 - fi - # Regenerate the HMAC if it exists - hmac="${f%%/*}/.${f##*/}.hmac" - if test -e "$hmac"; then - /usr/lib/rpm/pesign/gen-hmac -r %buildroot "/${sig%.sig}" - fi - ;; - *) - echo "Warning: unhandled signature: $sig" >&2 - esac -done -popd -/usr/lib/rpm/pesign/pesign-gen-repackage-spec --directory=%buildroot "${rpms[@]}" -rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \ - --define "%%_builddir $PWD" \ - --define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec - -# This is needed by the kernel packages. Ideally, we should not run _any_ brp -# checks, because the RPMs passed them once already -export NO_BRP_STALE_LINK_ERROR=yes - -# Make sure that our rpmbuild does not complain about unpackaged files -rm -rf %buildroot -mkdir %buildroot - diff --git a/_service:tar_scm:pesign-obs-integration.changes b/pesign-obs-integration.changes similarity index 98% rename from _service:tar_scm:pesign-obs-integration.changes rename to pesign-obs-integration.changes index f4a162a..68cb6bd 100644 --- a/_service:tar_scm:pesign-obs-integration.changes +++ b/pesign-obs-integration.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jun 4 10:23:24 UTC 2018 - glin@suse.com + +- Switch to tarball release + ------------------------------------------------------------------- Thu Feb 22 09:16:35 UTC 2018 - glin@suse.com diff --git a/pesign-obs-integration.dsc b/pesign-obs-integration.dsc index f4f8592..9416c55 100644 --- a/pesign-obs-integration.dsc +++ b/pesign-obs-integration.dsc @@ -10,8 +10,8 @@ Package-List: dh-signobs deb devel optional arch=all pesign-obs-integration deb devel optional arch=all Checksums-Sha1: - e6339c1f0f8f9ea015d673ccc1083cfb67e1fc1b 254957 pesign-obs-integration_10.0.tar.gz + d2d451f6ea862ab97a5ec517765ec25d8d3ca425 30309 pesign-obs-integration_10.0.tar.gz Checksums-Sha256: - 64a5bf9f4ccc32525c33f9e231679786327424e9668b6a252c24cf14a30054fa 254957 pesign-obs-integration_10.0.tar.gz + c5e5ad71631255cf2a740c005b9166236ee3707c71a4c04a5be3652b34dc9ea7 30309 pesign-obs-integration_10.0.tar.gz Files: - 983834c7295faecd090ffceaff24a61d 254957 pesign-obs-integration_10.0.tar.gz + 6e6e3451b729d9f5b74c045d45fd9ec5 30309 pesign-obs-integration_10.0.tar.gz diff --git a/_service:tar_scm:pesign-obs-integration.spec b/pesign-obs-integration.spec similarity index 85% rename from _service:tar_scm:pesign-obs-integration.spec rename to pesign-obs-integration.spec index 0aefce4..9a50e75 100644 --- a/_service:tar_scm:pesign-obs-integration.spec +++ b/pesign-obs-integration.spec @@ -19,7 +19,7 @@ Name: pesign-obs-integration Summary: Macros and scripts to sign the kernel and bootloader -License: GPL-2.0 +License: GPL-2.0-only Group: Development/Tools/Other Version: 10.0 Release: 0 @@ -31,15 +31,7 @@ Requires: pesign %endif BuildRequires: openssl Url: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools -Source2: pesign-repackage.spec.in -Source3: pesign-gen-repackage-spec -Source4: brp-99-pesign -Source5: COPYING -Source6: README -Source7: kernel-sign-file -Source8: modsign-repackage -Source9: gen-hmac -Source10: brp-99-compress-vmlinux +Source: https://github.com/openSUSE/%{name}/releases/download/%{version}/%{name}_%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -47,15 +39,13 @@ This package provides scripts and rpm macros to automate signing of the boot loader, kernel and kernel modules in the openSUSE Buildservice. %prep -%setup -cT -cp %_sourcedir/{COPYING,README} . +%setup -D -n %{name}-%{version} %build %install mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign -cd %_sourcedir install pesign-gen-repackage-spec kernel-sign-file gen-hmac %buildroot/usr/lib/rpm/pesign install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d # brp-99-compress-vmlinux has nothing to do with signing. It is packaged in @@ -74,7 +64,8 @@ fi %files %defattr(-,root,root) -%doc COPYING README +%license COPYING +%doc README /usr/bin/modsign-repackage /usr/lib/rpm/* diff --git a/pesign-obs-integration_10.0.tar.gz b/pesign-obs-integration_10.0.tar.gz new file mode 100644 index 0000000..ccef0b9 --- /dev/null +++ b/pesign-obs-integration_10.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c5e5ad71631255cf2a740c005b9166236ee3707c71a4c04a5be3652b34dc9ea7 +size 30309