forked from pool/pesign-obs-integration
Accepting request 1006620 from home:gary_lin:branches:Base:System
- Add verify-sig.patch to verify the signatures before attaching them (bsc#1200108, bsc#1203679)
OBS-URL: https://build.opensuse.org/request/show/1006620
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=117
parent 62b873db57
commit a3ca55835f
@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Sep 28 06:36:56 UTC 2022 - Gary Ching-Pang Lin <glin@suse.com>
- Add verify-sig.patch to verify the signatures before attaching
them (bsc#1200108, bsc#1203679)
-------------------------------------------------------------------
Sat Jul 9 16:19:57 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>
@ -29,6 +29,7 @@ Patch: order.patch
Patch1: attr.patch
Patch2: lang.patch
Patch3: rpmlintrc.patch
Patch4: verify-sig.patch
BuildRequires: openssl
Requires: fipscheck
Requires: mozilla-nss-tools
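Review bot: the spec hunk declares `Patch4: verify-sig.patch` but adds no `Requires: openssl`, although the patched pesign-repackage.spec.in runs `openssl x509` and `openssl rsautl` at repackage time; the existing `BuildRequires: openssl` covers building this package, not the build root in which the generated repackage spec is executed, so `Requires: openssl` belongs next to `Requires: mozilla-nss-tools` (which fills the same role for certutil) unless openssl is guaranteed there some other way. Also confirm that the patch is actually applied in %prep (a `%patch4` line or `%autosetup -p1`), which this hunk does not show.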
verify-sig.patch (Normal file, 52 lines)
@ -0,0 +1,52 @@
From 3219b56af4f8f396b194ea81ab715831469260e5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 28 Sep 2022 14:27:31 +0800
Subject: [PATCH] Verfiy the signatures before attaching them
Sometime the build service may sign the target binaries with the wrong
key due to misconfiguration. Verfiy the signature first so that we can
detect the error earily.
Ref: bsc#1200108, bsc#1203679
Signed-off-by: Gary Lin <glin@suse.com>
---
pesign-repackage.spec.in | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index 7b3d2e5..0b59360 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -122,8 +122,17 @@ echo foofoofoo > "$nss_db/passwd"
certutil -N -d "$nss_db" -f "$nss_db/passwd"
certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
+# Extract the public key of the certificate
+openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
+
sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
for sig in "${sigs[@]}"; do
+ # Verify the signature with the public key of the certificate
+ ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$sig" 2>&1 | grep -i error) || true
+ if [ -n "$ver_err" ]; then
+ echo "$sig signature can not be decrypted by $cert" >&2
+ exit 1
+ fi
f=%buildroot/${sig%.sig}
case "/$sig" in
*.ko.sig|*.mod.sig)
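Review bot: the check on the `ver_err=$(openssl rsautl -verify ... 2>&1 | grep -i error) || true` line decides success by looking for the word "error" in OpenSSL's combined output instead of using the command's exit status, which the pipe and the `|| true` both mask; a failure reported without that word passes silently, and the recovered signature bytes written to stdout are pushed through grep as well. Testing the exit status is more robust and needs no string matching: `if ! openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$sig" >/dev/null 2>&1; then`. Two caveats deserve a comment in the script: `rsautl` handles RSA keys only (an EC signing certificate would make every build stop here) and is deprecated in OpenSSL 3.0 in favour of `openssl pkeyutl -verifyrecover`; and a successful decryption only shows that the .sig was produced with the certificate's key, not that it matches the file it is about to be attached to, which is all the commit message sets out to catch but is worth stating next to the `can not be decrypted` message.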
@@ -182,6 +191,10 @@ for sig in "${sigs[@]}"; do
echo "Warning: unhandled signature: $sig" >&2
esac
done
+
+# Remove the public key file
+rm "$cert.pub"
+
popd
/usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
--directory=%buildroot "${rpms[@]}"
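Review bot: the `rm "$cert.pub"` only runs when the loop completes, so the `exit 1` added in the loop above (and any earlier failure path) leaves the extracted public key lying beside `$cert`. Since the file is written next to the certificate rather than to a temporary location, consider `pub=$(mktemp)` together with `trap 'rm -f "$pub"' EXIT`, which cleans up on every exit path and makes the explicit `rm` unnecessary.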
--
2.35.3