
- switch to normal brp hook

OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=3
Michael Schröder 2013-02-06 12:25:06 +00:00 committed by Git OBS Bridge
parent 6a8d32d403
commit c581df2ee9
6 changed files with 25 additions and 28 deletions

6
README

@ -8,13 +8,13 @@ Packages that need to sign files during build should add the following lines
to the specfile to the specfile
# needssslcertforbuild # needssslcertforbuild
%define sign_files pattern... export BRP_PESIGN_FILES='pattern...'
BuildRequires: pesign-obs-integration BuildRequires: pesign-obs-integration
The "# needssslcertforbuild" comment tells the buildservice to store the The "# needssslcertforbuild" comment tells the buildservice to store the
signing certificate in %_sourcedir/_projectcert.crt. At the end of the signing certificate in %_sourcedir/_projectcert.crt. At the end of the
install phase, the pesign-install-post script computes hashes of all install phase, the brp-99-pesign script computes hashes of all
files matching the patterns in %sign_files. The sha256 hashes are stored files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored
in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
pesign-repackage.spec file there. When the first rpmbuild finishes, the pesign-repackage.spec file there. When the first rpmbuild finishes, the
buildservice sends the cpio archive to the signing server, which returns buildservice sends the cpio archive to the signing server, which returns


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# This script is run by rpmbuild at the end of install section. It computes # This script is run by rpmbuild at the end of the brp checks. It computes
# hashes of files listed in the %sign_files macro and stores them in # hashes of files listed in the BRP_PESIGN_FILES environment and stores them in
# %_topdir/OTHER/%name.cpio.rsasign. It also puts a specfile there, that # %_topdir/OTHER/%name.cpio.rsasign. It also puts a specfile there, that
# is later used to repackage the RPMs. # is later used to repackage the RPMs.
# #
@ -22,7 +22,7 @@
set -e set -e
files= files=${BRP_PESIGN_FILES}
output= output=
while test $# -gt 0; do while test $# -gt 0; do
case "$1" in case "$1" in
@ -43,8 +43,7 @@ if test -z "$files"; then
exit 0 exit 0
fi fi
if test -z "$output"; then if test -z "$output"; then
echo "$0: --output not specified" >&2 output=`rpm --eval %_topdir/OTHER`
exit 1
fi fi
if test -z "$RPM_BUILD_ROOT"; then if test -z "$RPM_BUILD_ROOT"; then
echo "$0: warning: \$RPM_BUILD_ROOT not set, using the root directory" >&2 echo "$0: warning: \$RPM_BUILD_ROOT not set, using the root directory" >&2
@ -65,7 +64,7 @@ sed "
r $cert r $cert
d d
} }
" /usr/lib/rpm/pesign-repackage.spec.in >"$output/pesign-repackage.spec" " /usr/lib/rpm/pesign/pesign-repackage.spec.in >"$output/pesign-repackage.spec"
cd "$RPM_BUILD_ROOT" cd "$RPM_BUILD_ROOT"
args=() args=()
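Review bot: The new fallback ``output=`rpm --eval %_topdir/OTHER` `` resolves %_topdir in a separate rpm process, whereas the removed macro passed `--output %_topdir/OTHER` as expanded by the running rpmbuild. The two can disagree if the build overrides %_topdir on its command line; that is not visible here, so treat it as something to confirm. rpm also leaves an undefined macro unexpanded, so the result can be a literal relative path rather than an error. Because the files written under $output are what the build service forwards to the signing server, the result should be validated before use: `output=$(rpm --eval %_topdir/OTHER)` followed by `case "$output" in /*) ;; *) echo "$0: cannot determine output directory" >&2; exit 1 ;; esac`. The script continues outside the visible hunks.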


@ -1,5 +0,0 @@
# Macros for pesign / modsign OBS integration
# The spec file should define %sign_files to a space-separated list of patterns
# of files to be signed, e.g. %define sign_files /lib/firmware *.ko
%__os_install_post /usr/lib/rpm/pesign-install-post --files "%{?sign_files}" --output %_topdir/OTHER


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Feb 6 13:24:14 CET 2013 - mls@suse.de
- switch to normal brp hook
- mv stuff in pesign directory instead of cluttering /usr/lib/rpm
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 1 17:18:32 CET 2013 - mls@suse.de Fri Feb 1 17:18:32 CET 2013 - mls@suse.de


@ -15,7 +15,6 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via http://bugs.opensuse.org/
# #
Name: pesign-obs-integration Name: pesign-obs-integration
Summary: Macros and scripts to sign the kernel and bootloader Summary: Macros and scripts to sign the kernel and bootloader
License: GPL-2.0 License: GPL-2.0
@ -28,10 +27,9 @@ Requires: pesign
%endif %endif
BuildRequires: openssl BuildRequires: openssl
Url: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools Url: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
Source1: macros.pesign-obs
Source2: pesign-repackage.spec.in Source2: pesign-repackage.spec.in
Source3: pesign-gen-repackage-spec Source3: pesign-gen-repackage-spec
Source4: pesign-install-post Source4: brp-99-pesign
Source5: COPYING Source5: COPYING
Source6: README Source6: README
Source7: kernel-sign-file Source7: kernel-sign-file
@ -49,14 +47,14 @@ cp %_sourcedir/{COPYING,README} .
%install %install
mkdir -p %buildroot/usr/lib/rpm %buildroot/etc/rpm mkdir -p %buildroot/usr/lib/rpm/brp-suse.de %buildroot/usr/lib/rpm/pesign
cd %_sourcedir cd %_sourcedir
install -m644 macros.pesign-obs %buildroot/etc/rpm install pesign-gen-repackage-spec kernel-sign-file %buildroot/usr/lib/rpm/pesign
install pesign-gen-repackage-spec pesign-install-post kernel-sign-file %buildroot/usr/lib/rpm install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d
install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm/pesign
if test -e _projectcert.crt; then if test -e _projectcert.crt; then
openssl x509 -inform PEM -in _projectcert.crt \ openssl x509 -inform PEM -in _projectcert.crt \
-outform DER -out %buildroot/usr/lib/rpm/pesign-cert.x509 -outform DER -out %buildroot/usr/lib/rpm/pesign/pesign-cert.x509
else else
echo "No buildservice project certificate available" echo "No buildservice project certificate available"
fi fi
@ -65,6 +63,5 @@ fi
%defattr(-,root,root) %defattr(-,root,root)
%doc COPYING README %doc COPYING README
/usr/lib/rpm/* /usr/lib/rpm/*
/etc/rpm/*
%changelog %changelog
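Review bot: In %install the new `mkdir -p` line creates `%buildroot/usr/lib/rpm/brp-suse.de`, but the following `install brp-99-pesign` line targets `%buildroot/usr/lib/rpm/brp-suse.d`. That directory is never created, so install writes the script to a regular file named `brp-suse.d` instead of placing `brp-99-pesign` inside the hook directory. The hook would then presumably never run, so no hashes are produced for signing and nothing fails visibly. The mkdir line should read `mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign`. Writing the install target with a trailing slash, `install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d/`, makes a missing directory fail at build time instead.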


@ -76,8 +76,8 @@ if test "$(wc -l <cert.crt)" -gt 1; then
else else
echo "warning: No buildservice project certificate found, add" echo "warning: No buildservice project certificate found, add"
echo "warning: # needssslcertforbuild to the specfile" echo "warning: # needssslcertforbuild to the specfile"
echo "warning: Using /usr/lib/rpm/pesign-cert.x509 as fallback" echo "warning: Using /usr/lib/rpm/pesign/pesign-cert.x509 as fallback"
cert=/usr/lib/rpm/pesign-cert.x509 cert=/usr/lib/rpm/pesign/pesign-cert.x509
fi fi
mkdir nss-db mkdir nss-db
nss_db=$PWD/nss-db nss_db=$PWD/nss-db
@ -90,10 +90,10 @@ for sig in "${sigs[@]}"; do
f=%buildroot/${sig%.sig} f=%buildroot/${sig%.sig}
case "$sig" in case "$sig" in
*.ko.sig) *.ko.sig)
/usr/lib/rpm/kernel-sign-file -s "$sig" sha256 "$cert" "$f" /usr/lib/rpm/pesign/kernel-sign-file -s "$sig" sha256 "$cert" "$f"
;; ;;
./lib/firmware/*.sig) ./lib/firmware/*.sig)
/usr/lib/rpm/kernel-sign-file -f -s "$sig" sha256 "$cert" "$f" /usr/lib/rpm/pesign/kernel-sign-file -f -s "$sig" sha256 "$cert" "$f"
;; ;;
./boot/* | *.efi.sig) ./boot/* | *.efi.sig)
infile=${sig%.sig} infile=${sig%.sig}
@ -108,7 +108,7 @@ for sig in "${sigs[@]}"; do
esac esac
done done
popd popd
/usr/lib/rpm/pesign-gen-repackage-spec --directory=%buildroot "${rpms[@]}" /usr/lib/rpm/pesign/pesign-gen-repackage-spec --directory=%buildroot "${rpms[@]}"
rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \ rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \
--define "%%_builddir $PWD" \ --define "%%_builddir $PWD" \
--define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec --define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec