Accepting request 539775 from Base:System

OBS-URL: https://build.opensuse.org/request/show/539775
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pesign-obs-integration?expand=0&rev=25

modsign-repackage

@@ -117,6 +117,9 @@ for rpm; do
 done
 set -e
 echo "Signing kernel modules..."
+if test ! -e "$cert.pub"; then
+	openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
+fi
 for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do
 	if test -n "$key"; then
 		/usr/lib/rpm/pesign/kernel-sign-file \
@@ -127,11 +130,17 @@ for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do
 			echo "$module.sig not found in $sig_dir" >&2
 			exit 1
 		fi
+		ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$raw_sig" 2>&1 | grep -i error)
+		if [ -n "$ver_err" ]; then
+			echo "$raw_sig signature can not be decrypted by $cert" >&2
+			exit 1
+		fi
 		/usr/lib/rpm/pesign/kernel-sign-file \
 			-i pkcs7 -s "$raw_sig" sha256 "$cert" "$buildroot/$module"
 	fi
 
 done
+rm "$cert.pub"
 # Add the certificate
 mkdir -p "$buildroot/etc/uefi/certs"
 h=$(openssl x509 -inform DER -fingerprint -noout -in "$cert")

pesign-obs-integration.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Nov  8 04:35:57 UTC 2017 - jlee@suse.com
+
+- Modified modsign-repackage, using certificate to try to decrypt
+  the signature of kernel module. It can be used to verify the
+  integrity of signature.
+
 -------------------------------------------------------------------
 Wed Sep 27 10:53:39 UTC 2017 - jlee@suse.com