forked from pool/pesign-obs-integration
Accepting request 239464 from home:michal-m:branches:Base:System
- Drop support for signing firmware files (bnc#867199) OBS-URL: https://build.opensuse.org/request/show/239464 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=25
parent
4ee730db27
commit
4af437f4e6
1
README
1
README
@ -22,7 +22,6 @@ appends the signatures to the files. It then uses the
|
|||||||
pesign-gen-repackage-spec script to generate another specfile, which
|
pesign-gen-repackage-spec script to generate another specfile, which
|
||||||
builds new RPMs with signed files. The supported file types are:
|
builds new RPMs with signed files. The supported file types are:
|
||||||
|
|
||||||
/lib/firmware/* - Detached signature in $file.sig
|
|
||||||
*.ko - Signature appended to the module
|
*.ko - Signature appended to the module
|
||||||
efi binaries - Signature embedded in a header. If a HMAC checksum named
|
efi binaries - Signature embedded in a header. If a HMAC checksum named
|
||||||
.$file.hmac exists, it is regenerated
|
.$file.hmac exists, it is regenerated
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
files="*.ko /lib/firmware"
|
files="*.ko"
|
||||||
if test -n "${BRP_PESIGN_FILES+x}"; then
|
if test -n "${BRP_PESIGN_FILES+x}"; then
|
||||||
files=${BRP_PESIGN_FILES}
|
files=${BRP_PESIGN_FILES}
|
||||||
fi
|
fi
|
||||||
|
@ -4,11 +4,8 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
my $USAGE =
|
my $USAGE =
|
||||||
"Usage: scripts/sign-file [-v] [-f] <hash algo> <key> <x509> <module> [<dest>]\n" .
|
"Usage: scripts/sign-file [-v] <hash algo> <key> <x509> <module> [<dest>]\n" .
|
||||||
" scripts/sign-file [-v] [-f] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n" .
|
" scripts/sign-file [-v] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
|
||||||
" -v verbose output\n" .
|
|
||||||
" -f create a firmware signature file\n";
|
|
||||||
|
|
||||||
|
|
||||||
use strict;
|
use strict;
|
||||||
use FileHandle;
|
use FileHandle;
|
||||||
@ -16,10 +13,9 @@ use IPC::Open2;
|
|||||||
use Getopt::Std;
|
use Getopt::Std;
|
||||||
|
|
||||||
my %opts;
|
my %opts;
|
||||||
getopts('vfs:', \%opts) or die $USAGE;
|
getopts('vs:', \%opts) or die $USAGE;
|
||||||
my $verbose = $opts{'v'};
|
my $verbose = $opts{'v'};
|
||||||
my $signature_file = $opts{'s'};
|
my $signature_file = $opts{'s'};
|
||||||
my $sign_fw = $opts{'f'};
|
|
||||||
|
|
||||||
die $USAGE if ($#ARGV > 4);
|
die $USAGE if ($#ARGV > 4);
|
||||||
die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
|
die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV < 2);
|
||||||
@ -35,18 +31,14 @@ my ($dest, $keep_orig);
|
|||||||
if (@ARGV) {
|
if (@ARGV) {
|
||||||
$dest = $ARGV[0];
|
$dest = $ARGV[0];
|
||||||
$keep_orig = 1;
|
$keep_orig = 1;
|
||||||
} elsif ($sign_fw) {
|
|
||||||
$dest = $module . ".sig";
|
|
||||||
$keep_orig = 1;
|
|
||||||
} else {
|
} else {
|
||||||
$dest = $module . "~";
|
$dest = $module . "~";
|
||||||
}
|
}
|
||||||
my $mode_name = $sign_fw ? "firmware" : "module";
|
|
||||||
|
|
||||||
die "Can't read private key\n" if (!$signature_file && !-r $private_key);
|
die "Can't read private key\n" if (!$signature_file && !-r $private_key);
|
||||||
die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
|
die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
|
||||||
die "Can't read X.509 certificate\n" unless (-r $x509);
|
die "Can't read X.509 certificate\n" unless (-r $x509);
|
||||||
die "Can't read $mode_name\n" unless (-r $module);
|
die "Can't read module\n" unless (-r $module);
|
||||||
|
|
||||||
#
|
#
|
||||||
# Function to read the contents of a file into a variable.
|
# Function to read the contents of a file into a variable.
|
||||||
@ -377,14 +369,12 @@ if ($dgst eq "sha1") {
|
|||||||
|
|
||||||
my $unsigned_module = read_file($module);
|
my $unsigned_module = read_file($module);
|
||||||
|
|
||||||
my $magic_number = $sign_fw ?
|
my $magic_number = "~Module signature appended~\n";
|
||||||
"~Linux firmware signature~\n" :
|
|
||||||
"~Module signature appended~\n";
|
|
||||||
my $magic_len = length($magic_number);
|
my $magic_len = length($magic_number);
|
||||||
my $info_len = 12;
|
my $info_len = 12;
|
||||||
|
|
||||||
# Truncate existing signarure, if any
|
# Truncate existing signarure, if any
|
||||||
if (!$sign_fw && substr($unsigned_module, -$magic_len) eq $magic_number) {
|
if (substr($unsigned_module, -$magic_len) eq $magic_number) {
|
||||||
my $info = substr($unsigned_module, -$magic_len - $info_len, $info_len);
|
my $info = substr($unsigned_module, -$magic_len - $info_len, $info_len);
|
||||||
my ($name_len, $key_len, $sig_len) = unpack("xxxCCxxxN", $info);
|
my ($name_len, $key_len, $sig_len) = unpack("xxxCCxxxN", $info);
|
||||||
my $subtract = $name_len + $key_len + $sig_len + $info_len + $magic_len;
|
my $subtract = $name_len + $key_len + $sig_len + $info_len + $magic_len;
|
||||||
@ -428,7 +418,7 @@ if (length($info) != $info_len) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($verbose) {
|
if ($verbose) {
|
||||||
print "Size of unsigned $mode_name: ", length($unsigned_module), "\n";
|
print "Size of unsigned module: ", length($unsigned_module), "\n";
|
||||||
print "Size of signer's name : ", length($signers_name), "\n";
|
print "Size of signer's name : ", length($signers_name), "\n";
|
||||||
print "Size of key identifier : ", length($key_identifier), "\n";
|
print "Size of key identifier : ", length($key_identifier), "\n";
|
||||||
print "Size of signature : ", length($signature), "\n";
|
print "Size of signature : ", length($signature), "\n";
|
||||||
@ -440,15 +430,6 @@ if ($verbose) {
|
|||||||
|
|
||||||
open(FD, ">$dest") || die $dest;
|
open(FD, ">$dest") || die $dest;
|
||||||
binmode FD;
|
binmode FD;
|
||||||
if ($sign_fw) {
|
|
||||||
print FD
|
|
||||||
$magic_number,
|
|
||||||
$info,
|
|
||||||
$signers_name,
|
|
||||||
$key_identifier,
|
|
||||||
$signature
|
|
||||||
;
|
|
||||||
} else {
|
|
||||||
print FD
|
print FD
|
||||||
$unsigned_module,
|
$unsigned_module,
|
||||||
$signers_name,
|
$signers_name,
|
||||||
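Review bot: The output file is still opened with the two-argument bareword form `open(FD, ">$dest") || die $dest;`, and the die message omits `$!`, so a failure reports the path but not the cause. `$dest` is either `$ARGV[0]` or `$module . "~"` (set in an earlier hunk), and with the two-argument form leading/trailing whitespace or a leading `>` in that string is reinterpreted as part of the mode rather than the filename; the three-argument spelling avoids this and costs one line: `open(FD, '>', $dest) || die "$dest: $!";`. The same `$!` omission applies to `close FD || die $dest;` in the following hunk, where a buffered-write error is the one a build log needs to show. The `print FD` statement begun at the end of this hunk continues into the next one.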
@ -457,7 +438,6 @@ if ($sign_fw) {
|
|||||||
$info,
|
$info,
|
||||||
$magic_number
|
$magic_number
|
||||||
;
|
;
|
||||||
}
|
|
||||||
close FD || die $dest;
|
close FD || die $dest;
|
||||||
|
|
||||||
if (!$keep_orig) {
|
if (!$keep_orig) {
|
||||||
|
@ -1,3 +1,8 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jul 3 14:01:24 UTC 2014 - mmarek@suse.cz
|
||||||
|
|
||||||
|
- Drop support for signing firmware files (bnc#867199)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Apr 24 09:25:18 UTC 2014 - mmarek@suse.cz
|
Thu Apr 24 09:25:18 UTC 2014 - mmarek@suse.cz
|
||||||
|
|
||||||
|
@ -109,9 +109,6 @@ for sig in "${sigs[@]}"; do
|
|||||||
*.ko.sig)
|
*.ko.sig)
|
||||||
/usr/lib/rpm/pesign/kernel-sign-file -s "$sig" sha256 "$cert" "$f"
|
/usr/lib/rpm/pesign/kernel-sign-file -s "$sig" sha256 "$cert" "$f"
|
||||||
;;
|
;;
|
||||||
/lib/firmware/*.sig)
|
|
||||||
/usr/lib/rpm/pesign/kernel-sign-file -f -s "$sig" sha256 "$cert" "$f"
|
|
||||||
;;
|
|
||||||
/boot/* | *.efi.sig)
|
/boot/* | *.efi.sig)
|
||||||
infile=${sig%.sig}
|
infile=${sig%.sig}
|
||||||
cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
|
cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
|
||||||
|