From e7dce62cd881b91f858d50daf94782b3ef680e7f74f9293ad92f00a124debc1b Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 19 Oct 2020 08:43:41 +0000 Subject: [PATCH] Accepting request 842009 from home:dirkmueller:branches:Base:System - Sync from git master directly - drop 0001-Add-support-for-kernel-module-compression.patch 0001-Enable-find_provides-and-requires.patch 0001-Initialize-compress-variable.patch 0001-Keep-the-files-in-the-OTHER-directory.patch 0001-Passthrough-license-tag.patch 0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch 0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch pesign-sign-s390x-kernel.patch (upstream) - add parallel-compression.patch OBS-URL: https://build.opensuse.org/request/show/842009 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=94 --- ...upport-for-kernel-module-compression.patch | 122 ------------------ 0001-Enable-find_provides-and-requires.patch | 55 -------- 0001-Initialize-compress-variable.patch | 31 ----- ...eep-the-files-in-the-OTHER-directory.patch | 49 ------- 0001-Passthrough-license-tag.patch | 41 ------ ...vmlinux-support-xz-compressed-vmlinu.patch | 38 ------ ...from-s390-tools-with-sign-files-bsc-.patch | 26 ---- _service | 17 +++ _servicedata | 4 + parallel-compression.patch | 41 ++++++ pesign-obs-integration-10.1+1595385080.tar.gz | 3 + pesign-obs-integration.changes | 14 ++ pesign-obs-integration.spec | 68 ++++------ pesign-obs-integration_10.1.dsc | 2 +- pesign-obs-integration_10.1.tar.gz | 3 - pesign-sign-s390x-kernel.patch | 42 ------ 16 files changed, 105 insertions(+), 451 deletions(-) delete mode 100644 0001-Add-support-for-kernel-module-compression.patch delete mode 100644 0001-Enable-find_provides-and-requires.patch delete mode 100644 0001-Initialize-compress-variable.patch delete mode 100644 0001-Keep-the-files-in-the-OTHER-directory.patch delete mode 100644 0001-Passthrough-license-tag.patch delete mode 100644 0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch delete mode 100644 0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch create mode 100644 _service create mode 100644 _servicedata create mode 100644 parallel-compression.patch create mode 100644 pesign-obs-integration-10.1+1595385080.tar.gz delete mode 100644 pesign-obs-integration_10.1.tar.gz delete mode 100644 pesign-sign-s390x-kernel.patch diff --git a/0001-Add-support-for-kernel-module-compression.patch b/0001-Add-support-for-kernel-module-compression.patch deleted file mode 100644 index 5824903..0000000 --- a/0001-Add-support-for-kernel-module-compression.patch +++ /dev/null @@ -1,122 +0,0 @@ -From b6855233b8f131531b8d55761ed709890632b417 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Tue, 28 May 2019 07:07:56 +0200 -Subject: [PATCH] Add support for kernel module compression - -This adds the support for kernel module compression in -pesign-obs-integration infrastructure. The kernel-binary spec needs -to pass $BRP_PESIGN_COMPRESS_KERNEL for enabling the compression. -Currently only "xz" is supported. - -pesign-gen-repackage-spec received a new option --compress, which is -passed from pesign-repackage.spec, where brp-99-pesign enables it per -the variable above. - -With --compress option, pesign-gen-repackage-spec script just -compresses the kernel object at the last repackaging phase. - -Bugzilla: http://bugzilla.suse.com/show_bug.cgi?id=1135854 -Signed-off-by: Takashi Iwai ---- - README | 7 +++++++ - brp-99-pesign | 8 ++++++++ - pesign-gen-repackage-spec | 13 ++++++++++++- - pesign-repackage.spec.in | 3 ++- - 4 files changed, 29 insertions(+), 2 deletions(-) - -diff --git a/README b/README -index 7593302..32afb8f 100644 ---- a/README -+++ b/README -@@ -36,3 +36,10 @@ Debian packages can use the dh-signobs debhelper to automate signing and - repacking. Build-depend on dh-signobs and add --with signobs to the dh line - in debian/rules to use the fully automated helper. - Consult the dh_signobs manpage for more information. -+ -+When BRP_PESIGN_COMPRESS_MODULE is passed, the script tries to compress the -+kernel modules at the repackaging phase. Currently only xz format is supported. -+For enable the compression feature, put the following along with -+BRP_PESIGN_FILES setup: -+ -+export BRP_PESIGN_COMPRESS_MODULE="xz" -diff --git a/brp-99-pesign b/brp-99-pesign -index 2ebb261..68d9f45 100644 ---- a/brp-99-pesign -+++ b/brp-99-pesign -@@ -57,6 +57,13 @@ if ! mkdir -p "$output"; then - echo "$0: warning: $output cannot be created, giving up" >&2 - exit 0 - fi -+ -+if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then -+ pesign_repackage_compress="--compress xz" -+else -+ pesign_repackage_compress="" -+fi -+ - cert=$RPM_SOURCE_DIR/_projectcert.crt - if test -e "$cert"; then - echo "Using signing certificate $cert" -@@ -66,6 +73,7 @@ else - fi - sed " - s:@NAME@:$RPM_PACKAGE_NAME:g -+ s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g - /@CERT@/ { - r $cert - d -diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec -index 9cd374a..fef0a9d 100755 ---- a/pesign-gen-repackage-spec -+++ b/pesign-gen-repackage-spec -@@ -30,6 +30,7 @@ my $directory; - my $output = "."; - my $cert_subpackage; - my $kmp_basename; -+my $compress; - my @rpms; - - $ENV{LC_ALL} = "en_US.UTF-8"; -@@ -39,6 +40,7 @@ GetOptions( - "directory|d=s" => \$directory, - "output|o=s" => \$output, - "cert-subpackage|c=s" => \$cert_subpackage, -+ "compress|C=s" => \$compress, - ) or die $USAGE; - @rpms = @ARGV; - if (!@rpms) { -@@ -417,7 +419,16 @@ sub print_files { - $attrs .= "%verify(not $verify_attrs) "; - } - -- print SPEC "$attrs " . quote($f->{name}) . "\n"; -+ if ($compress eq "xz" && -+ $f->{name} =~ /\.ko$/ && S_ISREG($f->{mode})) { -+ system("xz", "-f", "-9", $path); -+ chmod($f->{mode}, $path . ".xz"); -+ utime($f->{mtime}, $f->{mtime}, $path . ".xz"); -+ print SPEC "$attrs " . quote($f->{name}) . ".xz\n"; -+ } else { -+ print SPEC "$attrs " . quote($f->{name}) . "\n"; -+ } -+ - if (-e "$path.sig") { - print SPEC "$attrs " . quote($f->{name}) . ".sig\n"; - } -diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in -index bcaa0e1..ca8d325 100644 ---- a/pesign-repackage.spec.in -+++ b/pesign-repackage.spec.in -@@ -145,7 +145,8 @@ for sig in "${sigs[@]}"; do - esac - done - popd --/usr/lib/rpm/pesign/pesign-gen-repackage-spec --directory=%buildroot "${rpms[@]}" -+/usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \ -+ --directory=%buildroot "${rpms[@]}" - rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \ - --define "%%_builddir $PWD" \ - --define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec --- -2.21.0 - diff --git a/0001-Enable-find_provides-and-requires.patch b/0001-Enable-find_provides-and-requires.patch deleted file mode 100644 index e4ece10..0000000 --- a/0001-Enable-find_provides-and-requires.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 42b934760a75cf077d3c5831aaa14d3d104ba5cd Mon Sep 17 00:00:00 2001 -From: "Bernhard M. Wiedemann" -Date: Wed, 3 Apr 2019 05:48:28 +0200 -Subject: [PATCH] Enable find_provides and requires - -to get automatic provides instead of manual ones -like the original package did - -Without this patch, -rpm -qpv --provides $rpm -differed significantly between OBS build and local osc build. ---- - pesign-gen-repackage-spec | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec -index 9cd374a..61eb8ba 100755 ---- a/pesign-gen-repackage-spec -+++ b/pesign-gen-repackage-spec -@@ -246,10 +246,6 @@ sub print_package { - if ($is_main) { - print SPEC "Name: $p->{name}\n"; - print SPEC "Buildroot: $directory\n"; -- print SPEC "\%define _use_internal_dependency_generator 0\n"; -- print SPEC "\%define __find_provides %{nil}\n"; -- print SPEC "\%define __find_requires %{nil}\n"; -- print SPEC "\%define __find_supplements %{nil}\n"; - if ($p->{nosource}) { - # We do not generate any no(src).rpm, but we want the - # %{sourcerpm} tag in the binary packages to match. -@@ -309,14 +305,20 @@ my %depflags = ( - "<" => (1 << 1), - ">" => (1 << 2), - "=" => (1 << 3), -+ find_requires => (1 << 14), -+ find_provides => (1 << 15), - rpmlib => (1 << 24), -+ config => (1 << 28), - ); - - sub print_deps { - my ($depname, $list) = @_; - -+DEPLOOP: - foreach my $d (@$list) { -- next if ($d->{flags} & $depflags{rpmlib}); -+ for my $flag (qw(rpmlib config find_requires find_provides)) { -+ next DEPLOOP if ($d->{flags} & $depflags{$flag}); -+ } - - print SPEC $depname; - my @deptypes; --- -2.25.1 - diff --git a/0001-Initialize-compress-variable.patch b/0001-Initialize-compress-variable.patch deleted file mode 100644 index 9bc1529..0000000 --- a/0001-Initialize-compress-variable.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 1c61b9001cf2053df9d05fa518b2c2a9be99f903 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Thu, 1 Aug 2019 10:38:51 +0800 -Subject: [PATCH] Initialize compress variable - -$compress in pesign-gen-repackage-spec wasn't initialized and this may -caused a warning like this: - -Use of uninitialized value $compress in string eq at /usr/lib/rpm/pesign/pesign-gen-repackage-spec line 422. - -Signed-off-by: Gary Lin ---- - pesign-gen-repackage-spec | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec -index fef0a9d..fa0935e 100755 ---- a/pesign-gen-repackage-spec -+++ b/pesign-gen-repackage-spec -@@ -30,7 +30,7 @@ my $directory; - my $output = "."; - my $cert_subpackage; - my $kmp_basename; --my $compress; -+my $compress = ""; - my @rpms; - - $ENV{LC_ALL} = "en_US.UTF-8"; --- -2.22.0 - diff --git a/0001-Keep-the-files-in-the-OTHER-directory.patch b/0001-Keep-the-files-in-the-OTHER-directory.patch deleted file mode 100644 index 23a814a..0000000 --- a/0001-Keep-the-files-in-the-OTHER-directory.patch +++ /dev/null @@ -1,49 +0,0 @@ -From dafa41a72190c0fa02afe6acdc06f05eb0eda937 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 6 Nov 2019 11:43:44 +0800 -Subject: [PATCH] Keep the files in the OTHER directory - -We currently only kept the "*.log" files for the repackaging while there -are some use cases that the user might need other types of files. - -Update pesign-repackage.spec.in to filter out the meta and internal files -and keep the files in the OTHER directory. - -Bugzilla entry: - OBS do not export some files to API OTHER on x86_64 - https://bugzilla.suse.com/show_bug.cgi?id=1155474 - -Signed-off-by: Gary Lin ---- - pesign-repackage.spec.in | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in -index ca8d325..1679878 100644 ---- a/pesign-repackage.spec.in -+++ b/pesign-repackage.spec.in -@@ -84,10 +84,18 @@ for rpm in %_sourcedir/*.rpm; do - rpms=("${rpms[@]}" "$rpm") - done - popd --for log in %_sourcedir/*.log; do -- if test -e "$log"; then -+# Copy files other than the meta files and RPMs to %_topdir/OTHER -+OTHER_FILES=`find %_sourcedir/ -maxdepth 1 -type f \ -+ -not -regex '.*\.\(rpm\|spec\|rsasign\|sig\|crt\)' \ -+ -not -name "_buildenv" \ -+ -not -name "_statistics" \ -+ -not -name "logfile" \ -+ -not -name "meta" \ -+ -print` -+for file in $OTHER_FILES; do -+ if test -e "$file"; then - mkdir -p "%_topdir/OTHER" -- cp "$log" "$_" -+ cp "$file" "$_" - fi - done - mkdir rsasigned --- -2.23.0 - diff --git a/0001-Passthrough-license-tag.patch b/0001-Passthrough-license-tag.patch deleted file mode 100644 index a15aa6c..0000000 --- a/0001-Passthrough-license-tag.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 2bd2e52380ba9c568ceba2d8d92b9cd50a22c881 Mon Sep 17 00:00:00 2001 -From: "Bernhard M. Wiedemann" -Date: Tue, 2 Apr 2019 17:02:13 +0200 -Subject: [PATCH 1/2] Passthrough %license tag - -matters for fwupd package file /usr/share/licenses/fwupd/COPYING - -and added 3 more bits from rpm/lib/rpmfiles.h ---- - pesign-gen-repackage-spec | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec -index 1856d9d..9cd374a 100755 ---- a/pesign-gen-repackage-spec -+++ b/pesign-gen-repackage-spec -@@ -345,6 +345,10 @@ my %filetypes = ( - missingok => (1 << 3), - noreplace => (1 << 4), - ghost => (1 << 6), -+ license => (1 << 7), -+ readme => (1 << 8), -+ pubkey => (1 << 11), -+ artifact => (1 << 12), - ); - - my %verifyflags = ( -@@ -381,7 +385,9 @@ sub print_files { - } - $attrs .= "(" . join(",", @cfg_attrs) . ")" if @cfg_attrs; - } -- $attrs .= "%doc " if $f->{flags} & $filetypes{doc}; -+ for my $filetype (qw(doc license readme pubkey artifact)) { -+ $attrs .= "%$filetype " if $f->{flags} & $filetypes{$filetype}; -+ } - if ($f->{flags} & $filetypes{ghost}) { - $attrs .= "%ghost "; - if (S_ISREG($f->{mode})) { --- -2.21.0 - diff --git a/0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch b/0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch deleted file mode 100644 index fbe07af..0000000 --- a/0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Jiri Slaby -Date: Wed, 6 Nov 2019 10:57:01 +0100 -Subject: brp-99-compress-vmlinux: support xz-compressed vmlinux -Patch-mainline: submitted as PR#16 -References: bnc#1155921 - -Signed-off-by: Jiri Slaby ---- - brp-99-compress-vmlinux | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/brp-99-compress-vmlinux b/brp-99-compress-vmlinux -index 2c8222d23024..ffe3841fb836 100755 ---- a/brp-99-compress-vmlinux -+++ b/brp-99-compress-vmlinux -@@ -11,11 +11,13 @@ kernel-*) - exit 0 - esac - for f in $RPM_BUILD_ROOT/boot/vmlinux-*; do -- if test -e "$f" -a -e "$f.gz"; then -- echo "gzip $f" -- # Deliberately not using gzip -n; the vmlinux image has a -- # predictable timestamp (bnc#880848#c20) -- gzip -k -9 -f "$f" -- fi -+ for compression in gz/gzip xz; do -+ if test -e "$f" -a -e "$f.${compression%/*}"; then -+ echo "${compression#*/} $f" -+ # Deliberately not using -n; the vmlinux image has a -+ # predictable timestamp (bnc#880848#c20) -+ ${compression#*/} -k -9 -f "$f" -+ fi -+ done - done - --- -2.24.0 - diff --git a/0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch b/0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch deleted file mode 100644 index e15ecfd..0000000 --- a/0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 2ef935c08c201676665922c913db2fea429e45cc Mon Sep 17 00:00:00 2001 -From: Marcus Meissner -Date: Thu, 13 Feb 2020 16:20:45 +0100 -Subject: [PATCH] sign stage3.bin from s390-tools with sign-files (bsc#1163524) - ---- - pesign-repackage.spec.in | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in -index 1679878..3d3108b 100644 ---- a/pesign-repackage.spec.in -+++ b/pesign-repackage.spec.in -@@ -148,6 +148,9 @@ for sig in "${sigs[@]}"; do - /usr/lib/rpm/pesign/gen-hmac -r %buildroot "/${sig%.sig}" - fi - ;; -+ *stage3.bin.sig) -+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" -+ ;; - *) - echo "Warning: unhandled signature: $sig" >&2 - esac --- -2.16.4 - diff --git a/_service b/_service new file mode 100644 index 0000000..0564c17 --- /dev/null +++ b/_service @@ -0,0 +1,17 @@ + + + https://github.com/openSUSE/pesign-obs-integration.git + git + .git + master + 10.1+%ct + enable + + + pesign-obs-integration-*.tar + gz + + + pesign-obs-integration + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..ca981eb --- /dev/null +++ b/_servicedata @@ -0,0 +1,4 @@ + + + https://github.com/openSUSE/pesign-obs-integration.git + a5e821a6876c15eea5b188385900357993b41e1b \ No newline at end of file diff --git a/parallel-compression.patch b/parallel-compression.patch new file mode 100644 index 0000000..c5a5427 --- /dev/null +++ b/parallel-compression.patch @@ -0,0 +1,41 @@ +Index: pesign-obs-integration/pesign-gen-repackage-spec +=================================================================== +--- pesign-obs-integration.orig/pesign-gen-repackage-spec ++++ pesign-obs-integration/pesign-gen-repackage-spec +@@ -391,6 +391,7 @@ my %verifyflags = ( + + sub print_files { + my $files = shift; ++ my @tocompress; + + for my $f (@$files) { + my $path = "$directory/$f->{name}"; +@@ -445,9 +446,9 @@ sub print_files { + + if ($compress eq "xz" && + $f->{name} =~ /\.ko$/ && S_ISREG($f->{mode})) { +- system("xz", "-f", "-9", $path); +- chmod($f->{mode}, $path . ".xz"); +- utime($f->{mtime}, $f->{mtime}, $path . ".xz"); ++ chmod($f->{mode}, $path); ++ utime($f->{mtime}, $f->{mtime}, $path); ++ push(@tocompress, $path); + print SPEC "$attrs " . quote($f->{name}) . ".xz\n"; + } else { + print SPEC "$attrs " . quote($f->{name}) . "\n"; +@@ -457,6 +458,15 @@ sub print_files { + print SPEC "$attrs " . quote($f->{name}) . ".sig\n"; + } + } ++ ++ if ($#tocompress >= 0) { ++ my $m = "$output/modulelist.txt"; ++ open(M, '>', $m) or die "$m: $!\n"; ++ print M join("\n", @tocompress); ++ close(M); ++ system("xargs -a $m -t -P 4 -n 1 xz -f"); ++ unlink($m); ++ } + } + + my %packages; diff --git a/pesign-obs-integration-10.1+1595385080.tar.gz b/pesign-obs-integration-10.1+1595385080.tar.gz new file mode 100644 index 0000000..f2682c6 --- /dev/null +++ b/pesign-obs-integration-10.1+1595385080.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ae254d8544651b0da0f339dfb8eaf08d49490b556af1267ca8201d4d250299eb +size 36528 diff --git a/pesign-obs-integration.changes b/pesign-obs-integration.changes index 2cb7661..e0432c6 100644 --- a/pesign-obs-integration.changes +++ b/pesign-obs-integration.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu Oct 15 21:13:24 UTC 2020 - dmueller@suse.com + +- Sync from git master directly +- drop 0001-Add-support-for-kernel-module-compression.patch + 0001-Enable-find_provides-and-requires.patch + 0001-Initialize-compress-variable.patch + 0001-Keep-the-files-in-the-OTHER-directory.patch + 0001-Passthrough-license-tag.patch + 0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch + 0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch + pesign-sign-s390x-kernel.patch (upstream) +- add parallel-compression.patch + ------------------------------------------------------------------- Wed Sep 2 03:39:46 UTC 2020 - Gary Ching-Pang Lin diff --git a/pesign-obs-integration.spec b/pesign-obs-integration.spec index ed839c4..ca76c46 100644 --- a/pesign-obs-integration.spec +++ b/pesign-obs-integration.spec @@ -18,79 +18,61 @@ Name: pesign-obs-integration +Version: 10.1+1595385080 +Release: 0 Summary: Macros and scripts to sign the kernel and bootloader License: GPL-2.0-only Group: Development/Tools/Other -Version: 10.1 -Release: 0 +URL: https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools +Source: %{name}-%{version}.tar.gz +Patch1: 0001-Forward-_binary_payload-to-the-repackaged-rpm.patch +# https://github.com/openSUSE/pesign-obs-integration/pull/21 +Patch2: parallel-compression.patch +BuildRequires: openssl Requires: fipscheck Requires: mozilla-nss-tools Requires: openssl -%ifarch %ix86 x86_64 ia64 aarch64 %arm -Requires: pesign -%endif -BuildRequires: openssl -URL: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools -Source: %{name}_%{version}.tar.gz -Patch1: 0001-Passthrough-license-tag.patch -Patch2: 0001-Add-support-for-kernel-module-compression.patch -Patch3: 0001-Initialize-compress-variable.patch -Patch4: 0001-Keep-the-files-in-the-OTHER-directory.patch -Patch5: 0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch -# https://github.com/openSUSE/pesign-obs-integration/pull/17 -Patch6: 0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch -# https://github.com/openSUSE/pesign-obs-integration/pull/18 -Patch7: pesign-sign-s390x-kernel.patch -Patch8: 0001-Enable-find_provides-and-requires.patch -Patch9: 0001-Forward-_binary_payload-to-the-repackaged-rpm.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build # suse-module-tools <= 15.0.10 contains modsign-verify Requires: suse-module-tools >= 15.0.10 +%ifarch %{ix86} x86_64 ia64 aarch64 %{arm} +Requires: pesign +%endif %description This package provides scripts and rpm macros to automate signing of the boot loader, kernel and kernel modules in the openSUSE Buildservice. %prep -%setup -D -n %{name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 +%setup -q -D +%autopatch -p1 %build %install -mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign -install pesign-gen-repackage-spec kernel-sign-file gen-hmac %buildroot/usr/lib/rpm/pesign -install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d +mkdir -p %{buildroot}%{_prefix}/lib/rpm/brp-suse.d %{buildroot}%{_prefix}/lib/rpm/pesign +install pesign-gen-repackage-spec kernel-sign-file gen-hmac %{buildroot}%{_prefix}/lib/rpm/pesign +install brp-99-pesign %{buildroot}%{_prefix}/lib/rpm/brp-suse.d # brp-99-compress-vmlinux has nothing to do with signing. It is packaged in # pesign-obs-integration because this package is already used by the kernel # build -install brp-99-compress-vmlinux %buildroot/usr/lib/rpm/brp-suse.d -install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm/pesign -mkdir -p %buildroot/usr/bin -install modsign-repackage %buildroot/usr/bin/ -install -pm 755 modsign-verify %buildroot/usr/bin/ +install brp-99-compress-vmlinux %{buildroot}%{_prefix}/lib/rpm/brp-suse.d +install -m644 pesign-repackage.spec.in %{buildroot}%{_prefix}/lib/rpm/pesign +mkdir -p %{buildroot}%{_bindir} +install modsign-repackage %{buildroot}%{_bindir}/ +install -pm 755 modsign-verify %{buildroot}%{_bindir}/ if test -e _projectcert.crt; then openssl x509 -inform PEM -in _projectcert.crt \ - -outform DER -out %buildroot/usr/lib/rpm/pesign/pesign-cert.x509 + -outform DER -out %{buildroot}%{_prefix}/lib/rpm/pesign/pesign-cert.x509 else echo "No buildservice project certificate available" fi %files -%defattr(-,root,root) %license COPYING %doc README -/usr/bin/modsign-repackage -/usr/bin/modsign-verify -/usr/lib/rpm/* +%{_bindir}/modsign-repackage +%{_bindir}/modsign-verify +%{_prefix}/lib/rpm/* %changelog diff --git a/pesign-obs-integration_10.1.dsc b/pesign-obs-integration_10.1.dsc index 23f1471..6a85c8f 100644 --- a/pesign-obs-integration_10.1.dsc +++ b/pesign-obs-integration_10.1.dsc @@ -2,7 +2,7 @@ Format: 3.0 (native) Source: pesign-obs-integration Binary: pesign-obs-integration, dh-signobs Architecture: all -Version: 10.1 +Version: 10.1+1595385080 Maintainer: Michal Marek Standards-Version: 3.9.8 Build-Depends: debhelper (>= 7), openssl, shellcheck diff --git a/pesign-obs-integration_10.1.tar.gz b/pesign-obs-integration_10.1.tar.gz deleted file mode 100644 index 71d6345..0000000 --- a/pesign-obs-integration_10.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:aa851dbdad6c83cee002fbe7f4e8b3f72e556da361cbf3843c5bcf479eaeec1e -size 34917 diff --git a/pesign-sign-s390x-kernel.patch b/pesign-sign-s390x-kernel.patch deleted file mode 100644 index 8d0cb02..0000000 --- a/pesign-sign-s390x-kernel.patch +++ /dev/null @@ -1,42 +0,0 @@ -Index: pesign-obs-integration/pesign-repackage.spec.in -=================================================================== ---- pesign-obs-integration.orig/pesign-repackage.spec.in -+++ pesign-obs-integration/pesign-repackage.spec.in -@@ -122,6 +122,8 @@ for sig in "${sigs[@]}"; do - /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" - ;; - /boot/* | *.efi.sig) -+%ifarch %ix86 x86_64 aarch64 %arm -+ # PE style signature injection - infile=${sig%.sig} - cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs - test -s ${infile}.sattrs || exit 1 -@@ -134,6 +136,10 @@ for sig in "${sigs[@]}"; do - echo "hash mismatch error: $ohash $nhash" - exit 1 - fi -+%else -+ # appending to the file itself, e.g. for s390x. -+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" -+%endif - # Regenerate the HMAC if it exists - hmac="${f%%/*}/.${f##*/}.hmac" - if test -e "$hmac"; then -Index: pesign-obs-integration/brp-99-pesign -=================================================================== ---- pesign-obs-integration.orig/brp-99-pesign -+++ pesign-obs-integration/brp-99-pesign -@@ -109,7 +109,12 @@ for f in "${files[@]}"; do - mkdir -p "${dest%/*}" - case "$f" in - ./boot/* | *.efi) -- pesign --certdir="$nss_db" -i "$f" -E $dest -+ if [ -f /usr/bin/pesign ]; then -+ pesign --certdir="$nss_db" -i "$f" -E $dest -+ else -+ # Non PE architectures like s390x -+ cp "$f" "$dest" -+ fi - ;; - *) - cp "$f" "$dest"