From b63590e396711de772a33b8e1f93dc947925405f62ca426d4d8cb65c1cf4aee4 Mon Sep 17 00:00:00 2001
From: Joey Lee
Date: Sat, 22 Jan 2022 10:58:17 +0000
Subject: [PATCH] Accepting request 947877 from home:michals

- Support signing grub on powerpc (jsc#SLE-18271 bsc#1192764).
 + 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
 + 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
 + 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
 + 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
Add SLE bug references:
 * Add support for GZIP and ZSTD module compression (bsc#1188636)
 * Compress kernel modules in batch and in parallel (bsc#1188636)
 support kernel module compression (bsc#1135854, jsc#SLE-16661)

OBS-URL: https://build.opensuse.org/request/show/947877
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=110
---
 ...ub-signing-jsc-SLE-18271-bsc-1192764.patch | 86 ++++++
 ...le-Move-x509-parsing-into-a-function.patch | 260 ++++++++++++++++++
 ...-Support-appending-verbatim-PKCS-7-s.patch | 116 ++++++++
 ...rub-signature-correctly-jsc-SLE-1827.patch | 50 ++++
 pesign-obs-integration.changes | 15 +-
 pesign-obs-integration.spec | 6 +-
 6 files changed, 529 insertions(+), 4 deletions(-)
 create mode 100644 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
 create mode 100644 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
 create mode 100644 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
 create mode 100644 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch

diff --git a/0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch b/0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
new file mode 100644
index 0000000..8101108
--- /dev/null
+++ b/0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
@@ -0,0 +1,86 @@
+From 13efe2232909a600531142959b2e4380af46676f Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Tue, 23 Nov 2021 16:40:27 +0100
+Subject: [PATCH 1/4] Support ppc grub signing (jsc#SLE-18271 bsc#1192764).
+
+Signed-off-by: Michal Suchanek
+---
+ brp-99-pesign | 14 ++++++++++++++
+ pesign-repackage.spec.in | 22 +++++++++++++++++++++-
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/brp-99-pesign b/brp-99-pesign
+index 0e415d6..c6e9d54 100644
+--- a/brp-99-pesign
++++ b/brp-99-pesign
+@@ -58,6 +58,19 @@ if ! mkdir -p "$output"; then
+ exit 0
+ fi
+ 
++case "$BRP_PESIGN_GRUB_RESERVATION" in
++ '')
++ pesign_grub_reservation="0"
++ ;;
++ *[!0-9]*)
++ echo "$0: warning: non-numerc value '$BRP_PESIGN_GRUB_RESERVATION' of BRP_PESIGN_GRUB_RESERVATION" >&2
++ pesign_grub_reservation="0"
++ ;;
++ *)
++ pesign_grub_reservation="${BRP_PESIGN_GRUB_RESERVATION}"
++ ;;
++esac
++
+ if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then
+ pesign_repackage_compress="--compress xz"
+ elif test "${BRP_PESIGN_COMPRESS_MODULE}" = "gzip"; then
+@@ -77,6 +90,7 @@ else
+ fi
+ sed "
+ s:@NAME@:$RPM_PACKAGE_NAME:g
++ s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g
+ s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
+ /@CERT@/ {
+ r $cert
+diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
+index eebc609..f473fa1 100644
+--- a/pesign-repackage.spec.in
++++ b/pesign-repackage.spec.in
+@@ -126,7 +126,7 @@ sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
+ for sig in "${sigs[@]}"; do
+ f=%buildroot/${sig%.sig}
+ case "/$sig" in
+- *.ko.sig)
++ *.ko.sig|*.mod.sig)
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+ ;;
+ /boot/* | *.efi.sig | */lib/modules/*/vmlinu[xz].sig | */lib/modules/*/[Ii]mage.sig | */lib/modules/*/z[Ii]mage.sig)
+@@ -157,6 +157,26 @@ for sig in "${sigs[@]}"; do
+ *stage3.bin.sig)
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+ ;;
++ *grub.elf.sig)
++ sig_size="$(wc -c < "$sig")"
++ unsigned_grub_size="$(wc -c < "$f")"
++ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest
++ signed_grub_size="$(wc -c < "$f".appendtest)"
++ rm "$f".appendtest
++ footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")"
++ if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then
++ echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
++ exit 1
++ fi
++ sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
++ truncate -s $sig_size "$sig"
++ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
++ grub_size="$(wc -c < "$f")"
++ if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
++ echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)"
++ exit 1
++ fi
++ ;;
+ *)
+ echo "Warning: unhandled signature: $sig" >&2
+ esac
+-- 
+2.34.1
+
diff --git a/0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch b/0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
new file mode 100644
index 0000000..015d5ee
--- /dev/null
+++ b/0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
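Review bot: The two failure reports in the new `*grub.elf.sig)` arm are plain `echo` to stdout followed by `exit 1`, while the sibling `Warning: unhandled signature` line in the same `case` writes to `>&2`; append `>&2` to both so the reason for the failed build lands on stderr like the script's other diagnostics. The kernel-sign-file dry run that produces `"$f".appendtest` is not checked for success, so if it fails the following `wc -c < "$f".appendtest` and the `expr` arithmetic operate on a missing file and an empty value; add `|| exit 1` to the invocations unless the generated spec runs %install under `set -e`, which is not visible in this hunk. `truncate -s $sig_size "$sig"` leaves `$sig_size` unquoted; write `truncate -s "$sig_size" "$sig"`. Patch 0004 in this same request rewrites these lines (`$f.p7s` in place of `$sig`) and inherits all three points. In the brp-99-pesign hunk, `non-numerc` in the warning text is a typo for `non-numeric`.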
@@ -0,0 +1,260 @@
+From 85f8f72c2f055ca2fa48ec1e7ad7911e8e3744ad Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Tue, 4 Jan 2022 12:49:54 +0100
+Subject: [PATCH 2/4] kernel-sign-file: Move x509 parsing into a function.
+
+This should not introduce any functionality change but next patch will
+make the parsing optional.
+
+Signed-off-by: Michal Suchanek
+---
+ kernel-sign-file | 201 +++++++++++++++++++++++++----------------------
+ 1 file changed, 106 insertions(+), 95 deletions(-)
+
+diff --git a/kernel-sign-file b/kernel-sign-file
+index ce76a40..2e5b7aa 100755
+--- a/kernel-sign-file
++++ b/kernel-sign-file
+@@ -226,113 +226,119 @@ sub asn1_pack($@)
+ # Roughly parse the X.509 certificate
+ #
+ ###############################################################################
+-my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
+-
+-my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
+-my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
+-my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
+-my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER);
+-my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+-my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+-my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+-my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+-my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+-my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
+-my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
+-my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
+-
+-my $subject_key_id = ();
+-my $authority_key_id = ();
+-
+-#
+-# Parse the extension list
+-#
+-if ($extension_list->[0] != -1) {
+- my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE);
+-
+- while ($extensions->[1]->[1] > 0) {
+- my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
+- my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
+- my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
+- my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
++sub parse_certificate($)
++{
++ my ($x509_certificate) = @_;
++ my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
++ my %result;
++
++ my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
++ my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
++ my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
++ $result{serial_number} = asn1_extract($tbs->[1], $UNIV | $INTEGER);
++ my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
++ $result{issuer} = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
++ my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
++ my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
++ my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
++ my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
++ my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
++ my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
++
++ $result{subject_key_id} = ();
++ my $authority_key_id = ();
++
++ #
++ # Parse the extension list
++ #
++ if ($extension_list->[0] != -1) {
++ my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE);
++
++ while ($extensions->[1]->[1] > 0) {
++ my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
++ my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
++ my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
++ my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
++
++ my $raw_oid = asn1_retrieve($x_oid->[1]);
++ next if (!exists($OIDs{$raw_oid}));
++ my $x_type = $OIDs{$raw_oid};
++
++ my $raw_value = asn1_retrieve($x_val->[1]);
++
++ if ($x_type eq "subjectKeyIdentifier") {
++ my $vcursor = [ 0, length($raw_value), \$raw_value ];
++
++ $result{subject_key_id} = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
++ }
++ }
++ }
+ 
+- my $raw_oid = asn1_retrieve($x_oid->[1]);
++ ###############################################################################
++ #
++ # Determine what we're going to use as the signer's name. In order of
++ # preference, take one of: commonName, organizationName or emailAddress.
++ #
++ ###############################################################################
++ my $org = "";
++ my $cn = "";
++ my $email = "";
++
++ while ($subject->[1]->[1] > 0) {
++ my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
++ my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
++ my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
++ my $n_val = asn1_extract($attr->[1], -1);
++
++ my $raw_oid = asn1_retrieve($n_oid->[1]);
+ next if (!exists($OIDs{$raw_oid}));
+- my $x_type = $OIDs{$raw_oid};
+-
+- my $raw_value = asn1_retrieve($x_val->[1]);
++ my $n_type = $OIDs{$raw_oid};
+ 
+- if ($x_type eq "subjectKeyIdentifier") {
+- my $vcursor = [ 0, length($raw_value), \$raw_value ];
++ my $raw_value = asn1_retrieve($n_val->[1]);
+ 
+- $subject_key_id = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
++ if ($n_type eq "organizationName") {
++ $org = $raw_value;
++ } elsif ($n_type eq "commonName") {
++ $cn = $raw_value;
++ } elsif ($n_type eq "emailAddress") {
++ $email = $raw_value;
+ }
+ }
+-}
+ 
+-###############################################################################
+-#
+-# Determine what we're going to use as the signer's name. In order of
+-# preference, take one of: commonName, organizationName or emailAddress.
+-#
+-###############################################################################
+-my $org = "";
+-my $cn = "";
+-my $email = "";
+-
+-while ($subject->[1]->[1] > 0) {
+- my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
+- my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
+- my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
+- my $n_val = asn1_extract($attr->[1], -1);
+-
+- my $raw_oid = asn1_retrieve($n_oid->[1]);
+- next if (!exists($OIDs{$raw_oid}));
+- my $n_type = $OIDs{$raw_oid};
+-
+- my $raw_value = asn1_retrieve($n_val->[1]);
+-
+- if ($n_type eq "organizationName") {
+- $org = $raw_value;
+- } elsif ($n_type eq "commonName") {
+- $cn = $raw_value;
+- } elsif ($n_type eq "emailAddress") {
+- $email = $raw_value;
+- }
+-}
++ $result{signers_name} = $email;
+ 
+-my $signers_name = $email;
++ if ($org && $cn) {
++ # Don't use the organizationName if the commonName repeats it
++ if (length($org) <= length($cn) &&
++ substr($cn, 0, length($org)) eq $org) {
++ $result{signers_name} = $cn;
++ goto got_id_name;
++ }
+ 
+-if ($org && $cn) {
+- # Don't use the organizationName if the commonName repeats it
+- if (length($org) <= length($cn) &&
+- substr($cn, 0, length($org)) eq $org) {
+- $signers_name = $cn;
+- goto got_id_name;
+- }
++ # Or a signifcant chunk of it
++ if (length($org) >= 7 &&
++ length($cn) >= 7 &&
++ substr($cn, 0, 7) eq substr($org, 0, 7)) {
++ $result{signers_name} = $cn;
++ goto got_id_name;
++ }
+ 
+- # Or a signifcant chunk of it
+- if (length($org) >= 7 &&
+- length($cn) >= 7 &&
+- substr($cn, 0, 7) eq substr($org, 0, 7)) {
+- $signers_name = $cn;
+- goto got_id_name;
++ $result{signers_name} = $org . ": " . $cn;
++ } elsif ($org) {
++ $result{signers_name} = $org;
++ } elsif ($cn) {
++ $result{signers_name} = $cn;
+ }
+ 
+- $signers_name = $org . ": " . $cn;
+-} elsif ($org) {
+- $signers_name = $org;
+-} elsif ($cn) {
+- $signers_name = $cn;
+-}
++ got_id_name:
+ 
+-got_id_name:
++ die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
++ if (!$result{subject_key_id});
+ 
+-die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
+- if (!$subject_key_id);
+-
+-my $key_identifier = asn1_retrieve($subject_key_id->[1]);
++ $result{key_identifier} = asn1_retrieve($result{subject_key_id}->[1]);
+ 
++ return %result;
++}
+ ###############################################################################
+ #
+ # Create and attach the module signature
+@@ -430,8 +436,13 @@ if ($signature_file) {
+ "openssl rsautl -sign -inkey $private_key -keyform PEM");
+ }
+ 
++my %certdata = parse_certificate($x509_certificate);
++my $signers_name;
++my $key_identifier;
+ if ($id_type == 1) {
+ $signature = pack("n", length($signature)) . $signature,
++ $signers_name = $certdata{signers_name};
++ $key_identifier = $certdata{key_identifier};
+ } elsif ($id_type == 2) {
+ # create PKCS7 signature
+ $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
+@@ -439,10 +450,10 @@ if ($id_type == 1) {
+ my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
+ my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
+ my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
+- my $si_issuer = asn1_pack($issuer->[0], asn1_retrieve($issuer->[1]));
+- my $si_serial = asn1_pack($serial_number->[0], asn1_retrieve($serial_number->[1]));
++ my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
++ my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
+ my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
+- my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($subject_key_id->[1]));
++ my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
+ my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
+ my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
+ my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
+-- 
+2.34.1
+
diff --git a/0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch b/0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
new file mode 100644
index 0000000..bf16d0f
--- /dev/null
+++ b/0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
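Review bot: `parse_certificate` receives the certificate bytes as its argument, but its `die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"` still reads the global `$x509` file name, so the new function is not self-contained and will print an empty name as soon as a caller passes data that did not come from `$x509`; pass the name as a second argument or drop it from the message. The pre-existing context line `$signature = pack("n", length($signature)) . $signature,` ends in a comma, and the two assignments added right after it are now chained to it by the comma operator into a single statement — it works because `=` binds tighter than `,`, but change the comma to `;` before more lines accumulate there. The function has no header comment; above `sub parse_certificate($)` I would state that it takes the DER certificate as a string, returns a hash with the keys `serial_number`, `issuer` and `subject_key_id` (asn1_extract cursors) plus `signers_name` and `key_identifier` (strings), and dies when the Subject Key Identifier extension is absent. `$result{subject_key_id} = ();` assigns an empty list to a scalar slot, which yields undef; writing `undef` says that directly.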
@@ -0,0 +1,116 @@
+From 68baaf0ca940712d4cfbe5d7c55bc8407efc19ce Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Tue, 4 Jan 2022 12:29:21 +0100
+Subject: [PATCH 3/4] kernel-sign-file: Support appending verbatim PKCS#7
+ signature.
+
+When existing signature is specified upstream appends it verbatim as
+PKCS#7 but kernel-ding-file assumes it's raw RSA signature and wraps
+PKCS#7 around it beforee appending.
+
+Because the certificate is not required for just dumping the whole
+signature after the data but is required to create the PKCS#7 wrapper we
+can support both. When a certificate is specified create a wrapper, when
+not just copy the signature without touching it.
+
+Signed-off-by: Michal Suchanek
+---
+ kernel-sign-file | 60 +++++++++++++++++++++++++++++-------------------
+ 1 file changed, 37 insertions(+), 23 deletions(-)
+
+diff --git a/kernel-sign-file b/kernel-sign-file
+index 2e5b7aa..9cacefb 100755
+--- a/kernel-sign-file
++++ b/kernel-sign-file
+@@ -42,7 +42,6 @@ if (@ARGV) {
+ 
+ die "Can't read private key\n" if (!$signature_file && !-r $private_key);
+ die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
+-die "Can't read X.509 certificate\n" unless (-r $x509);
+ die "Can't read module\n" unless (-r $module);
+ 
+ #
+@@ -99,7 +98,6 @@ sub openssl_pipe($$) {
+ # we're intending to use to sign the module.
+ #
+ ###############################################################################
+-my $x509_certificate = read_file($x509);
+ 
+ my $UNIV = 0 << 6;
+ my $APPL = 1 << 6;
+@@ -436,35 +434,51 @@ if ($signature_file) {
+ "openssl rsautl -sign -inkey $private_key -keyform PEM");
+ }
+ 
+-my %certdata = parse_certificate($x509_certificate);
++my %certdata;
+ my $signers_name;
+ my $key_identifier;
++my $x509_certificate;
+ if ($id_type == 1) {
++ die "Can't read X.509 certificate\n" unless (-r $x509);
++ $x509_certificate = read_file($x509);
++ %certdata = parse_certificate($x509_certificate);
+ $signature = pack("n", length($signature)) . $signature,
+ $signers_name = $certdata{signers_name};
+ $key_identifier = $certdata{key_identifier};
+ } elsif ($id_type == 2) {
+ # create PKCS7 signature
+- $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
+- my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1)));
+- my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
+- my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
+- my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
+- my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
+- my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
+- my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
+- my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
+- my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
+- my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
+- my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
+- my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
+- my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
+- my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
+- my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1));
+- my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
+- my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set);
+- my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2));
+- $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid));
++ if ($x509) {
++ die "Can't read X.509 certificate\n" unless (-r $x509);
++ $x509_certificate = read_file($x509);
++ } else {
++ print "No certificate specified, assuming pre-built PKCS#7 signature.\n" if ($verbose);
++ $x509_certificate = '';
++ }
++ if ($x509_certificate) {
++ %certdata = parse_certificate($x509_certificate);
++ $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
++ my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1)));
++ my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
++ my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq);
++ my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
++ my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1]));
++ my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1]));
++ my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial);
++ my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1]));
++ my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1));
++ my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL));
++ my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
++ my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
++ my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
++ my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1));
++ my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1));
++ my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
++ my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set);
++ my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2));
++ $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid));
++ } else {
++ print "Certificate is empty, assuming pre-built PKCS#7 signature.\n" if ($verbose);
++ }
+ # zero out unneeded entries
+ $signers_name = '';
+ $key_identifier = '';
+-- 
+2.34.1
+
diff --git a/0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch b/0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
new file mode 100644
index 0000000..ad2e576
--- /dev/null
+++ b/0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
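Review bot: In the `$id_type == 2` branch, when no certificate is given `$signature` is appended verbatim with no check that it is a DER PKCS#7 blob, so a raw RSA signature passed by mistake (the form the 0004 commit message says OBS provides) gets a well-formed module_signature footer and is only rejected by the verifier at boot; assuming `$signature` holds the raw bytes of `$signature_file` at this point, a one-line sanity check next to the `No certificate specified` print, `die "Signature is not a DER SEQUENCE, expected PKCS#7\n" unless substr($signature, 0, 1) eq "\x30";`, catches that at build time. The two `else` branches emit near-identical verbose messages (`No certificate specified` and `Certificate is empty`); folding the `-r`/`read_file` block and the parse block into one `if ($x509)` with a single message would remove the duplicated guard. The enclosing `if ($id_type == 1) { ... } elsif ($id_type == 2) {` block continues past the hunk. The nested commit message reads `kernel-ding-file` and `beforee` where `kernel-sign-file` and `before` are meant.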
@@ -0,0 +1,50 @@
+From 5b255595f4101b136db55538a59ef5b1fc3439e5 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Tue, 4 Jan 2022 12:20:36 +0100
+Subject: [PATCH 4/4] Add padding to grub signature correctly (jsc#SLE-18271
+ bsc#1192764).
+
+Upstream sign-file supports including whole PKCS#7 signature verbatim
+while kernel-sign-file supports building PKCS#7 around raw RSA signature
+as provided by OBS. Now kernel-sign-file also supports what upstream
+does so make use of it. First wrap PKCS#7 around the RSA signature, then
+pad, then append.
+
+Fixes: 13efe22 ("Support ppc grub signing (jsc#SLE-18271 bsc#1192764).")
+---
+ pesign-repackage.spec.in | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
+index f473fa1..8c07fc4 100644
+--- a/pesign-repackage.spec.in
++++ b/pesign-repackage.spec.in
+@@ -160,17 +160,18 @@ for sig in "${sigs[@]}"; do
+ *grub.elf.sig)
+ sig_size="$(wc -c < "$sig")"
+ unsigned_grub_size="$(wc -c < "$f")"
+- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest
+- signed_grub_size="$(wc -c < "$f".appendtest)"
+- rm "$f".appendtest
+- footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")"
++ /usr/lib/rpm/pesign/kernel-sign-file -vpd -i pkcs7 -s "$sig" sha256 "$cert" "$f"
++ sig_size="$(wc -c < "$f.p7s")"
++ footer_size=40
++ grub_size="$(wc -c < "$f")"
+ if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then
+- echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
++ echo "size of '$f.p7s' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
+ exit 1
+ fi
+ sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
+- truncate -s $sig_size "$sig"
+- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
++ truncate -s $sig_size "$f.p7s"
++ /usr/lib/rpm/pesign/kernel-sign-file -v -i pkcs7 -s "$f.p7s" sha256 "" "$f"
++ rm "$f.p7s"
+ grub_size="$(wc -c < "$f")"
+ if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
+ echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)"
+-- 
+2.34.1
+
diff --git a/pesign-obs-integration.changes b/pesign-obs-integration.changes
index 1ba17bf..abfd1dc 100644
--- a/pesign-obs-integration.changes
+++ b/pesign-obs-integration.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Jan 21 08:49:34 UTC 2022 - Michal Suchanek
+
+- Support signing grub on powerpc (jsc#SLE-18271 bsc#1192764).
+ + 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
+ + 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
+ + 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
+ + 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
+
 -------------------------------------------------------------------
 Wed Aug 04 12:35:19 UTC 2021 - lnussel@suse.de
 
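Review bot: `footer_size=40` is a bare magic number; if kernel-sign-file writes the same trailer as upstream sign-file it is the 12-byte `struct module_signature` plus the 28-byte `~Module signature appended~\n` magic, and the line should say so, e.g. `footer_size=40 # struct module_signature (12) + "~Module signature appended~\n" (28)`. `truncate -s $sig_size "$f.p7s"` now zero-extends a DER PKCS#7 blob, so the footer's length field covers trailing NUL bytes after the outer SEQUENCE; a strict DER parser rejects trailing data, so a comment should name the verifier this targets and state that it tolerates the padding, and `$sig_size` should be quoted. The `grub_size="$(wc -c < "$f")"` added after the `-vpd` call is dead — the same assignment after the second kernel-sign-file call overwrites it, and only the final equality check implies that the first call left `$f` untouched; either drop it or compare it to `$unsigned_grub_size` explicitly. The effect of `-vpd` (produce `$f.p7s`, leave `$f` alone) is inferred from the surrounding size arithmetic rather than stated, so a comment on that line would help the next reader. As in the 0001 version of this arm, neither kernel-sign-file invocation has its exit status checked.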
@@ -16,7 +25,7 @@ Fri Jul 30 11:56:23 UTC 2021 - lnussel@suse.de
 Fri Jul 23 09:11:28 UTC 2021 - dmueller@suse.com
 
 - Update to version git master (10.2):
- * Add support for GZIP and ZSTD module compression
+ * Add support for GZIP and ZSTD module compression (bsc#1188636)
 * Always pad the EFI image when calculating the hash
 * Version bump to 10.2
 * approach issue#22 false noarch subpackage
@@ -51,7 +60,7 @@ Mon Dec 21 03:50:35 UTC 2020 - Gary Ching-Pang Lin
 Wed Oct 21 12:44:19 UTC 2020 - dmueller@suse.com
 
 - Update to version 10.1+1602850462:
- * Compress kernel modules in batch and in parallel
+ * Compress kernel modules in batch and in parallel (bsc#1188636)
 * Forward _binary_payload to the repackaged rpm (bsc#1175882)
 - remove 0001-Forward-_binary_payload-to-the-repackaged-rpm.patch,
 parallel-compression.patch (upstream)
@@ -124,7 +133,7 @@ Thu Aug 1 02:41:28 UTC 2019 - Gary Ching-Pang Lin
 Wed May 29 06:01:20 UTC 2019 - Gary Ching-Pang Lin
 
 - Add 0001-Add-support-for-kernel-module-compression.patch to
- support kernel module compression (bsc#1135854)
+ support kernel module compression (bsc#1135854, jsc#SLE-16661)
 
 -------------------------------------------------------------------
 Fri May 17 14:00:08 UTC 2019 - Guillaume GARDET
diff --git a/pesign-obs-integration.spec b/pesign-obs-integration.spec
index 69d7bee..676da40 100644
--- a/pesign-obs-integration.spec
+++ b/pesign-obs-integration.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package pesign-obs-integration
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,10 @@ License: GPL-2.0-only
 Group: Development/Tools/Other
 URL: https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
 Source: %{name}-%{version}.tar.gz
+Patch1: 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
+Patch2: 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
+Patch3: 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
+Patch4: 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
BuildRequires: openssl
 Requires: fipscheck
 Requires: mozilla-nss-tools
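Review bot: The four `Patch1`..`Patch4` declarations are added but nothing in this hunk applies them; unless the spec's `%prep` uses `%autosetup` or `%autopatch` (not visible here), matching `%patch1 -p1` … `%patch4 -p1` lines are needed, otherwise rpmbuild silently ignores the declared patches. Worth confirming before accepting, since the `.changes` entry presents the grub signing support as shipped.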