From a3ca55835fed9115c7cb4b50f79abf728ba46e525e7d64f4fb8580b2056b5437 Mon Sep 17 00:00:00 2001
From: Joey Lee
Date: Wed, 28 Sep 2022 09:42:39 +0000
Subject: [PATCH] Accepting request 1006620 from home:gary_lin:branches:Base:System

- Add verify-sig.patch to verify the signatures before attaching them (bsc#1200108, bsc#1203679)

OBS-URL: https://build.opensuse.org/request/show/1006620
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=117
---
 pesign-obs-integration.changes | 6 ++++
 pesign-obs-integration.spec | 1 +
 verify-sig.patch | 52 ++++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100644 verify-sig.patch

diff --git a/pesign-obs-integration.changes b/pesign-obs-integration.changes
index 860c1d4..bd41390 100644
--- a/pesign-obs-integration.changes
+++ b/pesign-obs-integration.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 28 06:36:56 UTC 2022 - Gary Ching-Pang Lin
+
+- Add verify-sig.patch to verify the signatures before attaching
+  them (bsc#1200108, bsc#1203679)
+
 -------------------------------------------------------------------
 Sat Jul 9 16:19:57 UTC 2022 - Callum Farmer
 
diff --git a/pesign-obs-integration.spec b/pesign-obs-integration.spec
index 09fe64d..d99d526 100644
--- a/pesign-obs-integration.spec
+++ b/pesign-obs-integration.spec
@@ -29,6 +29,7 @@ Patch: order.patch
 Patch1: attr.patch
 Patch2: lang.patch
 Patch3: rpmlintrc.patch
+Patch4: verify-sig.patch
 BuildRequires: openssl
 Requires: fipscheck
 Requires: mozilla-nss-tools
diff --git a/verify-sig.patch b/verify-sig.patch
new file mode 100644
index 0000000..33a53c3
--- /dev/null
+++ b/verify-sig.patch
@@ -0,0 +1,52 @@
+From 3219b56af4f8f396b194ea81ab715831469260e5 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Wed, 28 Sep 2022 14:27:31 +0800
+Subject: [PATCH] Verfiy the signatures before attaching them
+
+Sometime the build service may sign the target binaries with the wrong
+key due to misconfiguration. Verfiy the signature first so that we can
+detect the error earily.
+
+Ref: bsc#1200108, bsc#1203679
+
+Signed-off-by: Gary Lin
+---
+ pesign-repackage.spec.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
+index 7b3d2e5..0b59360 100644
+--- a/pesign-repackage.spec.in
++++ b/pesign-repackage.spec.in
+@@ -122,8 +122,17 @@ echo foofoofoo > "$nss_db/passwd"
+ certutil -N -d "$nss_db" -f "$nss_db/passwd"
+ certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
+ 
++# Extract the public key of the certificate
++openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
++
+ sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
+ for sig in "${sigs[@]}"; do
++	# Verify the signature with the public key of the certificate
++	ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$sig" 2>&1 | grep -i error) || true
++	if [ -n "$ver_err" ]; then
++		echo "$sig signature can not be decrypted by $cert" >&2
++		exit 1
++	fi
+ 	f=%buildroot/${sig%.sig}
+ 	case "/$sig" in
+ 	*.ko.sig|*.mod.sig)
+@@ -182,6 +191,10 @@ for sig in "${sigs[@]}"; do
+ 		echo "Warning: unhandled signature: $sig" >&2
+ 	esac
+ done
++
++# Remove the public key file
++rm "$cert.pub"
++
+ popd
+ /usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
+ 	--directory=%buildroot "${rpms[@]}"
+-- 
+2.35.3
+
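Review bot: The verdict in the new `ver_err=` line comes from grepping the merged stdout and stderr of `openssl rsautl -verify` for the word "error", but stdout there is the recovered binary payload, so a good signature whose decrypted bytes happen to contain that substring is rejected, while the pipeline's status is grep's and the `|| true` drops it anyway, so openssl's own exit status, which is non-zero when the RSA operation fails, is never consulted. Test the status and keep the output out of the decision: `if ! openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$sig" >/dev/null 2>&1; then`, followed by the existing echo and `exit 1`. It is also worth stating in the comment what this proves, e.g. `# Only checks that the signature decrypts under the key in $cert; it does not bind the signature to the file's content`, since the check cannot detect a valid-key signature over the wrong data. Smaller points: the `rm "$cert.pub"` cleanup in the second hunk is skipped on the `exit 1` path, `rsautl` is deprecated in OpenSSL 3 in favour of `pkeyutl` (confirm against the target OpenSSL), and `-inform DER` assumes a certificate format the surrounding lines do not establish. The scriptlet these hunks patch begins before and ends after the quoted lines.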