rpm/pesign-obs-integration
SHA256
1
0
Fork 0
forked from pool/pesign-obs-integration
Code Pull Requests Activity

Accepting request 842009 from home:dirkmueller:branches:Base:System

Browse Source 
- Sync from git master directly
- drop 0001-Add-support-for-kernel-module-compression.patch
  0001-Enable-find_provides-and-requires.patch
  0001-Initialize-compress-variable.patch
  0001-Keep-the-files-in-the-OTHER-directory.patch
  0001-Passthrough-license-tag.patch
  0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch
  0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch
  pesign-sign-s390x-kernel.patch (upstream)
- add parallel-compression.patch

OBS-URL: https://build.opensuse.org/request/show/842009
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=94
This commit is contained in:
Gary Ching-Pang Lin 2020-10-19 08:43:41 +00:00 committed by Git OBS Bridge
parent bb7f067c5f
commit e7dce62cd8
16 changed files with 105 additions and 451 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

122
0001-Add-support-for-kernel-module-compression.patch
View File

@ -1,122 +0,0 @@
From b6855233b8f131531b8d55761ed709890632b417 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Tue, 28 May 2019 07:07:56 +0200
Subject: [PATCH] Add support for kernel module compression
This adds the support for kernel module compression in
pesign-obs-integration infrastructure. The kernel-binary spec needs
to pass $BRP_PESIGN_COMPRESS_KERNEL for enabling the compression.
Currently only "xz" is supported.
pesign-gen-repackage-spec received a new option --compress, which is
passed from pesign-repackage.spec, where brp-99-pesign enables it per
the variable above.
With --compress option, pesign-gen-repackage-spec script just
compresses the kernel object at the last repackaging phase.
Bugzilla: http://bugzilla.suse.com/show_bug.cgi?id=1135854
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
README | 7 +++++++
brp-99-pesign | 8 ++++++++
pesign-gen-repackage-spec | 13 ++++++++++++-
pesign-repackage.spec.in | 3 ++-
4 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/README b/README
index 7593302..32afb8f 100644
--- a/README
+++ b/README
@@ -36,3 +36,10 @@ Debian packages can use the dh-signobs debhelper to automate signing and
repacking. Build-depend on dh-signobs and add --with signobs to the dh line
in debian/rules to use the fully automated helper.
Consult the dh_signobs manpage for more information.
+
+When BRP_PESIGN_COMPRESS_MODULE is passed, the script tries to compress the
+kernel modules at the repackaging phase. Currently only xz format is supported.
+For enable the compression feature, put the following along with
+BRP_PESIGN_FILES setup:
+
+export BRP_PESIGN_COMPRESS_MODULE="xz"
diff --git a/brp-99-pesign b/brp-99-pesign
index 2ebb261..68d9f45 100644
--- a/brp-99-pesign
+++ b/brp-99-pesign
@@ -57,6 +57,13 @@ if ! mkdir -p "$output"; then
echo "$0: warning: $output cannot be created, giving up" >&2
exit 0
fi
+
+if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then
+ pesign_repackage_compress="--compress xz"
+else
+ pesign_repackage_compress=""
+fi
+
cert=$RPM_SOURCE_DIR/_projectcert.crt
if test -e "$cert"; then
echo "Using signing certificate $cert"
@@ -66,6 +73,7 @@ else
fi
sed "
s:@NAME@:$RPM_PACKAGE_NAME:g
+ s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
/@CERT@/ {
r $cert
d
diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
index 9cd374a..fef0a9d 100755
--- a/pesign-gen-repackage-spec
+++ b/pesign-gen-repackage-spec
@@ -30,6 +30,7 @@ my $directory;
my $output = ".";
my $cert_subpackage;
my $kmp_basename;
+my $compress;
my @rpms;
$ENV{LC_ALL} = "en_US.UTF-8";
@@ -39,6 +40,7 @@ GetOptions(
"directory|d=s" => \$directory,
"output|o=s" => \$output,
"cert-subpackage|c=s" => \$cert_subpackage,
+ "compress|C=s" => \$compress,
) or die $USAGE;
@rpms = @ARGV;
if (!@rpms) {
@@ -417,7 +419,16 @@ sub print_files {
$attrs .= "%verify(not $verify_attrs) ";
}
- print SPEC "$attrs " . quote($f->{name}) . "\n";
+ if ($compress eq "xz" &&
+ $f->{name} =~ /\.ko$/ && S_ISREG($f->{mode})) {
+ system("xz", "-f", "-9", $path);
+ chmod($f->{mode}, $path . ".xz");
+ utime($f->{mtime}, $f->{mtime}, $path . ".xz");
+ print SPEC "$attrs " . quote($f->{name}) . ".xz\n";
+ } else {
+ print SPEC "$attrs " . quote($f->{name}) . "\n";
+ }
+
if (-e "$path.sig") {
print SPEC "$attrs " . quote($f->{name}) . ".sig\n";
}
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index bcaa0e1..ca8d325 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -145,7 +145,8 @@ for sig in "${sigs[@]}"; do
esac
done
popd
-/usr/lib/rpm/pesign/pesign-gen-repackage-spec --directory=%buildroot "${rpms[@]}"
+/usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
+ --directory=%buildroot "${rpms[@]}"
rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \
--define "%%_builddir $PWD" \
--define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec
--
2.21.0

55
0001-Enable-find_provides-and-requires.patch
View File

@ -1,55 +0,0 @@
From 42b934760a75cf077d3c5831aaa14d3d104ba5cd Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Wed, 3 Apr 2019 05:48:28 +0200
Subject: [PATCH] Enable find_provides and requires
to get automatic provides instead of manual ones
like the original package did
Without this patch,
rpm -qpv --provides $rpm
differed significantly between OBS build and local osc build.
---
pesign-gen-repackage-spec | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
index 9cd374a..61eb8ba 100755
--- a/pesign-gen-repackage-spec
+++ b/pesign-gen-repackage-spec
@@ -246,10 +246,6 @@ sub print_package {
if ($is_main) {
print SPEC "Name: $p->{name}\n";
print SPEC "Buildroot: $directory\n";
- print SPEC "\%define _use_internal_dependency_generator 0\n";
- print SPEC "\%define __find_provides %{nil}\n";
- print SPEC "\%define __find_requires %{nil}\n";
- print SPEC "\%define __find_supplements %{nil}\n";
if ($p->{nosource}) {
# We do not generate any no(src).rpm, but we want the
# %{sourcerpm} tag in the binary packages to match.
@@ -309,14 +305,20 @@ my %depflags = (
"<" => (1 << 1),
">" => (1 << 2),
"=" => (1 << 3),
+ find_requires => (1 << 14),
+ find_provides => (1 << 15),
rpmlib => (1 << 24),
+ config => (1 << 28),
);
sub print_deps {
my ($depname, $list) = @_;
+DEPLOOP:
foreach my $d (@$list) {
- next if ($d->{flags} & $depflags{rpmlib});
+ for my $flag (qw(rpmlib config find_requires find_provides)) {
+ next DEPLOOP if ($d->{flags} & $depflags{$flag});
+ }
print SPEC $depname;
my @deptypes;
--
2.25.1

31
0001-Initialize-compress-variable.patch
View File

@ -1,31 +0,0 @@
From 1c61b9001cf2053df9d05fa518b2c2a9be99f903 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 1 Aug 2019 10:38:51 +0800
Subject: [PATCH] Initialize compress variable
$compress in pesign-gen-repackage-spec wasn't initialized and this may
caused a warning like this:
Use of uninitialized value $compress in string eq at /usr/lib/rpm/pesign/pesign-gen-repackage-spec line 422.
Signed-off-by: Gary Lin <glin@suse.com>
---
pesign-gen-repackage-spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
index fef0a9d..fa0935e 100755
--- a/pesign-gen-repackage-spec
+++ b/pesign-gen-repackage-spec
@@ -30,7 +30,7 @@ my $directory;
my $output = ".";
my $cert_subpackage;
my $kmp_basename;
-my $compress;
+my $compress = "";
my @rpms;
$ENV{LC_ALL} = "en_US.UTF-8";
--
2.22.0

49
0001-Keep-the-files-in-the-OTHER-directory.patch
View File

@ -1,49 +0,0 @@
From dafa41a72190c0fa02afe6acdc06f05eb0eda937 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 6 Nov 2019 11:43:44 +0800
Subject: [PATCH] Keep the files in the OTHER directory
We currently only kept the "*.log" files for the repackaging while there
are some use cases that the user might need other types of files.
Update pesign-repackage.spec.in to filter out the meta and internal files
and keep the files in the OTHER directory.
Bugzilla entry:
OBS do not export some files to API OTHER on x86_64
https://bugzilla.suse.com/show_bug.cgi?id=1155474
Signed-off-by: Gary Lin <glin@suse.com>
---
pesign-repackage.spec.in | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index ca8d325..1679878 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -84,10 +84,18 @@ for rpm in %_sourcedir/*.rpm; do
rpms=("${rpms[@]}" "$rpm")
done
popd
-for log in %_sourcedir/*.log; do
- if test -e "$log"; then
+# Copy files other than the meta files and RPMs to %_topdir/OTHER
+OTHER_FILES=`find %_sourcedir/ -maxdepth 1 -type f \
+ -not -regex '.*\.\(rpm\|spec\|rsasign\|sig\|crt\)' \
+ -not -name "_buildenv" \
+ -not -name "_statistics" \
+ -not -name "logfile" \
+ -not -name "meta" \
+ -print`
+for file in $OTHER_FILES; do
+ if test -e "$file"; then
mkdir -p "%_topdir/OTHER"
- cp "$log" "$_"
+ cp "$file" "$_"
fi
done
mkdir rsasigned
--
2.23.0

41
0001-Passthrough-license-tag.patch
View File

@ -1,41 +0,0 @@
From 2bd2e52380ba9c568ceba2d8d92b9cd50a22c881 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Tue, 2 Apr 2019 17:02:13 +0200
Subject: [PATCH 1/2] Passthrough %license tag
matters for fwupd package file /usr/share/licenses/fwupd/COPYING
and added 3 more bits from rpm/lib/rpmfiles.h
---
pesign-gen-repackage-spec | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
index 1856d9d..9cd374a 100755
--- a/pesign-gen-repackage-spec
+++ b/pesign-gen-repackage-spec
@@ -345,6 +345,10 @@ my %filetypes = (
missingok => (1 << 3),
noreplace => (1 << 4),
ghost => (1 << 6),
+ license => (1 << 7),
+ readme => (1 << 8),
+ pubkey => (1 << 11),
+ artifact => (1 << 12),
);
my %verifyflags = (
@@ -381,7 +385,9 @@ sub print_files {
}
$attrs .= "(" . join(",", @cfg_attrs) . ")" if @cfg_attrs;
}
- $attrs .= "%doc " if $f->{flags} & $filetypes{doc};
+ for my $filetype (qw(doc license readme pubkey artifact)) {
+ $attrs .= "%$filetype " if $f->{flags} & $filetypes{$filetype};
+ }
if ($f->{flags} & $filetypes{ghost}) {
$attrs .= "%ghost ";
if (S_ISREG($f->{mode})) {
--
2.21.0

38
0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch
View File

@ -1,38 +0,0 @@
From: Jiri Slaby <jslaby@suse.cz>
Date: Wed, 6 Nov 2019 10:57:01 +0100
Subject: brp-99-compress-vmlinux: support xz-compressed vmlinux
Patch-mainline: submitted as PR#16
References: bnc#1155921
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
brp-99-compress-vmlinux | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/brp-99-compress-vmlinux b/brp-99-compress-vmlinux
index 2c8222d23024..ffe3841fb836 100755
--- a/brp-99-compress-vmlinux
+++ b/brp-99-compress-vmlinux
@@ -11,11 +11,13 @@ kernel-*)
exit 0
esac
for f in $RPM_BUILD_ROOT/boot/vmlinux-*; do
- if test -e "$f" -a -e "$f.gz"; then
- echo "gzip $f"
- # Deliberately not using gzip -n; the vmlinux image has a
- # predictable timestamp (bnc#880848#c20)
- gzip -k -9 -f "$f"
- fi
+ for compression in gz/gzip xz; do
+ if test -e "$f" -a -e "$f.${compression%/*}"; then
+ echo "${compression#*/} $f"
+ # Deliberately not using -n; the vmlinux image has a
+ # predictable timestamp (bnc#880848#c20)
+ ${compression#*/} -k -9 -f "$f"
+ fi
+ done
done
--
2.24.0

26
0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch
View File

@ -1,26 +0,0 @@
From 2ef935c08c201676665922c913db2fea429e45cc Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Thu, 13 Feb 2020 16:20:45 +0100
Subject: [PATCH] sign stage3.bin from s390-tools with sign-files (bsc#1163524)
---
pesign-repackage.spec.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index 1679878..3d3108b 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -148,6 +148,9 @@ for sig in "${sigs[@]}"; do
/usr/lib/rpm/pesign/gen-hmac -r %buildroot "/${sig%.sig}"
fi
;;
+ *stage3.bin.sig)
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+ ;;
*)
echo "Warning: unhandled signature: $sig" >&2
esac
--
2.16.4

17
_service Normal file
View File

@ -0,0 +1,17 @@
<services>
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="revision">master</param>
<param name="versionformat">10.1+%ct</param>
<param name="changesgenerate">enable</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">pesign-obs-integration-*.tar</param>
<param name="compression">gz</param>
</service>
<service name="set_version" mode="disabled">
<param name="basename">pesign-obs-integration</param>
</service>
</services>

4
_servicedata Normal file
View File

@ -0,0 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
<param name="changesrevision">a5e821a6876c15eea5b188385900357993b41e1b</param></service></servicedata>

41
parallel-compression.patch Normal file
View File

@ -0,0 +1,41 @@
Index: pesign-obs-integration/pesign-gen-repackage-spec
===================================================================
--- pesign-obs-integration.orig/pesign-gen-repackage-spec
+++ pesign-obs-integration/pesign-gen-repackage-spec
@@ -391,6 +391,7 @@ my %verifyflags = (
sub print_files {
my $files = shift;
+ my @tocompress;
for my $f (@$files) {
my $path = "$directory/$f->{name}";
@@ -445,9 +446,9 @@ sub print_files {
if ($compress eq "xz" &&
$f->{name} =~ /\.ko$/ && S_ISREG($f->{mode})) {
- system("xz", "-f", "-9", $path);
- chmod($f->{mode}, $path . ".xz");
- utime($f->{mtime}, $f->{mtime}, $path . ".xz");
+ chmod($f->{mode}, $path);
+ utime($f->{mtime}, $f->{mtime}, $path);
+ push(@tocompress, $path);
print SPEC "$attrs " . quote($f->{name}) . ".xz\n";
} else {
print SPEC "$attrs " . quote($f->{name}) . "\n";
@@ -457,6 +458,15 @@ sub print_files {
print SPEC "$attrs " . quote($f->{name}) . ".sig\n";
}
}
+
+ if ($#tocompress >= 0) {
+ my $m = "$output/modulelist.txt";
+ open(M, '>', $m) or die "$m: $!\n";
+ print M join("\n", @tocompress);
+ close(M);
+ system("xargs -a $m -t -P 4 -n 1 xz -f");
+ unlink($m);
+ }
}
my %packages;

3
pesign-obs-integration-10.1+1595385080.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ae254d8544651b0da0f339dfb8eaf08d49490b556af1267ca8201d4d250299eb
size 36528

14
pesign-obs-integration.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Oct 15 21:13:24 UTC 2020 - dmueller@suse.com
- Sync from git master directly
- drop 0001-Add-support-for-kernel-module-compression.patch
0001-Enable-find_provides-and-requires.patch
0001-Initialize-compress-variable.patch
0001-Keep-the-files-in-the-OTHER-directory.patch
0001-Passthrough-license-tag.patch
0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch
0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch
pesign-sign-s390x-kernel.patch (upstream)
- add parallel-compression.patch
-------------------------------------------------------------------
Wed Sep 2 03:39:46 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

68
pesign-obs-integration.spec
View File

@ -18,79 +18,61 @@
Name: pesign-obs-integration
Version: 10.1+1595385080
Release: 0
Summary: Macros and scripts to sign the kernel and bootloader
License: GPL-2.0-only
Group: Development/Tools/Other
Version: 10.1
Release: 0
URL: https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
Source: %{name}-%{version}.tar.gz
Patch1: 0001-Forward-_binary_payload-to-the-repackaged-rpm.patch
# https://github.com/openSUSE/pesign-obs-integration/pull/21
Patch2: parallel-compression.patch
BuildRequires: openssl
Requires: fipscheck
Requires: mozilla-nss-tools
Requires: openssl
%ifarch %ix86 x86_64 ia64 aarch64 %arm
Requires: pesign
%endif
BuildRequires: openssl
URL: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
Source: %{name}_%{version}.tar.gz
Patch1: 0001-Passthrough-license-tag.patch
Patch2: 0001-Add-support-for-kernel-module-compression.patch
Patch3: 0001-Initialize-compress-variable.patch
Patch4: 0001-Keep-the-files-in-the-OTHER-directory.patch
Patch5: 0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch
# https://github.com/openSUSE/pesign-obs-integration/pull/17
Patch6: 0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch
# https://github.com/openSUSE/pesign-obs-integration/pull/18
Patch7: pesign-sign-s390x-kernel.patch
Patch8: 0001-Enable-find_provides-and-requires.patch
Patch9: 0001-Forward-_binary_payload-to-the-repackaged-rpm.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# suse-module-tools <= 15.0.10 contains modsign-verify
Requires: suse-module-tools >= 15.0.10
%ifarch %{ix86} x86_64 ia64 aarch64 %{arm}
Requires: pesign
%endif
%description
This package provides scripts and rpm macros to automate signing of the
boot loader, kernel and kernel modules in the openSUSE Buildservice.
%prep
%setup -D -n %{name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%setup -q -D
%autopatch -p1
%build
%install
mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign
install pesign-gen-repackage-spec kernel-sign-file gen-hmac %buildroot/usr/lib/rpm/pesign
install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d
mkdir -p %{buildroot}%{_prefix}/lib/rpm/brp-suse.d %{buildroot}%{_prefix}/lib/rpm/pesign
install pesign-gen-repackage-spec kernel-sign-file gen-hmac %{buildroot}%{_prefix}/lib/rpm/pesign
install brp-99-pesign %{buildroot}%{_prefix}/lib/rpm/brp-suse.d
# brp-99-compress-vmlinux has nothing to do with signing. It is packaged in
# pesign-obs-integration because this package is already used by the kernel
# build
install brp-99-compress-vmlinux %buildroot/usr/lib/rpm/brp-suse.d
install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm/pesign
mkdir -p %buildroot/usr/bin
install modsign-repackage %buildroot/usr/bin/
install -pm 755 modsign-verify %buildroot/usr/bin/
install brp-99-compress-vmlinux %{buildroot}%{_prefix}/lib/rpm/brp-suse.d
install -m644 pesign-repackage.spec.in %{buildroot}%{_prefix}/lib/rpm/pesign
mkdir -p %{buildroot}%{_bindir}
install modsign-repackage %{buildroot}%{_bindir}/
install -pm 755 modsign-verify %{buildroot}%{_bindir}/
if test -e _projectcert.crt; then
openssl x509 -inform PEM -in _projectcert.crt \
-outform DER -out %buildroot/usr/lib/rpm/pesign/pesign-cert.x509
-outform DER -out %{buildroot}%{_prefix}/lib/rpm/pesign/pesign-cert.x509
else
echo "No buildservice project certificate available"
fi
%files
%defattr(-,root,root)
%license COPYING
%doc README
/usr/bin/modsign-repackage
/usr/bin/modsign-verify
/usr/lib/rpm/*
%{_bindir}/modsign-repackage
%{_bindir}/modsign-verify
%{_prefix}/lib/rpm/*
%changelog

2
pesign-obs-integration_10.1.dsc
View File

@ -2,7 +2,7 @@ Format: 3.0 (native)
Source: pesign-obs-integration
Binary: pesign-obs-integration, dh-signobs
Architecture: all
Version: 10.1
Version: 10.1+1595385080
Maintainer: Michal Marek <mmarek@suse.cz>
Standards-Version: 3.9.8
Build-Depends: debhelper (>= 7), openssl, shellcheck

3
pesign-obs-integration_10.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:aa851dbdad6c83cee002fbe7f4e8b3f72e556da361cbf3843c5bcf479eaeec1e
size 34917

42
pesign-sign-s390x-kernel.patch
View File

@ -1,42 +0,0 @@
Index: pesign-obs-integration/pesign-repackage.spec.in
===================================================================
--- pesign-obs-integration.orig/pesign-repackage.spec.in
+++ pesign-obs-integration/pesign-repackage.spec.in
@@ -122,6 +122,8 @@ for sig in "${sigs[@]}"; do
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
;;
/boot/* | *.efi.sig)
+%ifarch %ix86 x86_64 aarch64 %arm
+ # PE style signature injection
infile=${sig%.sig}
cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
test -s ${infile}.sattrs || exit 1
@@ -134,6 +136,10 @@ for sig in "${sigs[@]}"; do
echo "hash mismatch error: $ohash $nhash"
exit 1
fi
+%else
+ # appending to the file itself, e.g. for s390x.
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+%endif
# Regenerate the HMAC if it exists
hmac="${f%%/*}/.${f##*/}.hmac"
if test -e "$hmac"; then
Index: pesign-obs-integration/brp-99-pesign
===================================================================
--- pesign-obs-integration.orig/brp-99-pesign
+++ pesign-obs-integration/brp-99-pesign
@@ -109,7 +109,12 @@ for f in "${files[@]}"; do
mkdir -p "${dest%/*}"
case "$f" in
./boot/* | *.efi)
- pesign --certdir="$nss_db" -i "$f" -E $dest
+ if [ -f /usr/bin/pesign ]; then
+ pesign --certdir="$nss_db" -i "$f" -E $dest
+ else
+ # Non PE architectures like s390x
+ cp "$f" "$dest"
+ fi
;;
*)
cp "$f" "$dest"