rpm/pesign
SHA256
1
0
Fork 0
forked from pool/pesign
Code Pull Requests Activity

Accepting request 148393 from home:gary_lin:UEFI

Browse Source 
Pesign is a tool to sign PE-COFF binaries which is the format
used in UEFI. The UEFI loader, shim, needs pesign for package
building.

OBS-URL: https://build.opensuse.org/request/show/148393
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=1
This commit is contained in:
Andreas Jaeger 2013-01-14 10:49:40 +00:00 committed by Git OBS Bridge
commit 0ad967d243
11 changed files with 3203 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

3
pesign-0.99.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:476d2cb79104167fa9147d1fee954e8545fe902931d2e449bf7c410963f2bbb1
size 72907

26
pesign-client-initialize-action.patch Normal file
View File

@ -0,0 +1,26 @@
diff --git a/src/client.c b/src/client.c
index 1ec582b..dcc5257 100644
--- a/src/client.c
+++ b/src/client.c
@@ -435,7 +435,7 @@ main(int argc, char *argv[])
char *certname = NULL;
poptContext optCon;
int rc;
- int action;
+ int action = 0;
char *infile = NULL;
char *outfile = NULL;
char *exportfile = NULL;
@@ -500,6 +500,12 @@ main(int argc, char *argv[])
exit(1);
}
+ if (action == NO_FLAGS) {
+ poptPrintUsage(optCon, stdout, 0);
+ poptFreeContext(optCon);
+ exit(0);
+ }
+
if (action & SIGN_BINARY && (!outfile && !exportfile)) {
fprintf(stderr, "pesign-client: neither --outfile nor --export "
"specified\n");

14
pesign-client-read-pin-file.patch Normal file
View File

@ -0,0 +1,14 @@
diff --git a/src/client.c b/src/client.c
index dcc5257..9bcaf3e 100644
--- a/src/client.c
+++ b/src/client.c
@@ -201,7 +201,8 @@ get_token_pin(int pinfd, char *pinfile, char *envname)
if (!pinf)
return NULL;
- ssize_t n = getline(&pin, 0, pinf);
+ size_t pin_n;
+ ssize_t n = getline(&pin, &pin_n, pinf);
if (n < 0 || !pin) {
fclose(pinf);
return NULL;

106
pesign-fix-build-errors.patch Normal file
View File

@ -0,0 +1,106 @@
---
src/daemon.c | 35 ++++++++++++++++++++++++++++-------
src/password.c | 3 ++-
src/pesign.c | 10 ++++++++--
3 files changed, 38 insertions(+), 10 deletions(-)
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -436,7 +436,11 @@ malformed:
if (rc < 0) {
err_attached:
pe_end(outpe);
- ftruncate(outfd, 0);
+ if (ftruncate(outfd, 0) != 0) {
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ "pesignd: could not truncate output "
+ "file: %m");
+ }
goto finish;
}
ssize_t sigspace = calculate_signature_space(ctx->cms, outpe);
@@ -453,21 +457,33 @@ err_attached:
finalize_signatures(ctx->cms, outpe);
pe_end(outpe);
} else {
- ftruncate(outfd, 0);
+ if (ftruncate(outfd, 0) != 0) {
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ "pesignd: could not truncate output file: %m");
+ }
rc = generate_digest(ctx->cms, inpe);
if (rc < 0) {
err_detached:
- ftruncate(outfd, 0);
+ if (ftruncate(outfd, 0) != 0) {
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ "pesignd: could not truncate output "
+ "file: %m");
+ }
goto finish;
}
rc = generate_signature(ctx->cms);
if (rc < 0)
goto err_detached;
rc = export_signature(ctx->cms, outfd, 0);
- if (rc >= 0)
- ftruncate(outfd, rc);
- else if (rc < 0)
+ if (rc >= 0) {
+ if (ftruncate(outfd, rc) != 0) {
+ ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ "pesignd: could not truncate output "
+ "file: %m");
+ }
+ } else if (rc < 0) {
goto err_detached;
+ }
}
finish:
@@ -979,7 +995,12 @@ daemonize(cms_context *cms_ctx, int do_f
exit(1);
}
- chdir(homedir ? homedir : "/");
+ if (chdir(homedir ? homedir : "/") != 0) {
+ ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR,
+ "pesignd: could not change working directory "
+ "for pesign: %m");
+ exit(1);
+ }
if (getuid() == 0) {
/* process is running as root, drop privileges */
--- a/src/password.c
+++ b/src/password.c
@@ -76,7 +76,8 @@ static char *SEC_GetPassword(FILE *input
echoOff(infd);
}
- fgets ( phrase, sizeof(phrase), input);
+ if (fgets(phrase, sizeof(phrase), input) == NULL)
+ phrase[0] = '\0';
if (isTTY) {
fprintf(output, "\n");
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -161,9 +161,15 @@ open_output(pesign_context *ctx)
addr = pe_rawfile(ctx->inpe, &size);
- ftruncate(ctx->outfd, size);
+ if (ftruncate(ctx->outfd, size) != 0) {
+ fprintf(stderr, "pesign: could not truncate output file: %m\n");
+ exit(1);
+ }
lseek(ctx->outfd, 0, SEEK_SET);
- write(ctx->outfd, addr, size);
+ if (write(ctx->outfd, addr, size) != size) {
+ fprintf(stderr, "pesign: could not write output file: %m\n");
+ exit(1);
+ }
Pe_Cmd cmd = ctx->outfd == STDOUT_FILENO ? PE_C_RDWR : PE_C_RDWR_MMAP;
ctx->outpe = pe_begin(ctx->outfd, cmd, NULL);

85
pesign-local-database.patch Normal file
View File

@ -0,0 +1,85 @@
commit 21439f502b16cd168950cc2e38bfd6b6353ee428
Author: Matthew Garrett <mjg59@srcf.ucam.org>
Date: Tue Nov 27 10:11:36 2012 -0500
Add support for local certificate database directories
Users may wish to use a certificate database other than the systemwide
one. Add an option for that.
---
src/daemon.c | 4 ++--
src/daemon.h | 2 +-
src/pesign.c | 9 +++++++--
3 files changed, 10 insertions(+), 5 deletions(-)
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -877,7 +877,7 @@ err:
}
int
-daemonize(cms_context *cms_ctx, int do_fork)
+daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
{
int rc = 0;
context ctx = {
@@ -913,7 +913,7 @@ daemonize(cms_context *cms_ctx, int do_f
"pesignd starting (pid %d)", ctx.pid);
- SECStatus status = NSS_Init("/etc/pki/pesign");
+ SECStatus status = NSS_Init(certdir);
if (status != SECSuccess) {
fprintf(stderr, "Could not initialize nss: %s\n",
PORT_ErrorToString(PORT_GetError()));
--- a/src/daemon.h
+++ b/src/daemon.h
@@ -19,7 +19,7 @@
#ifndef DAEMON_H
#define DAEMON_H 1
-extern int daemonize(cms_context *ctx, int do_fork);
+extern int daemonize(cms_context *ctx, char *certdir, int do_fork);
typedef struct {
uint32_t version;
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -443,6 +443,7 @@ main(int argc, char *argv[])
char *tokenname = "NSS Certificate DB";
char *origtoken = tokenname;
char *certname = NULL;
+ char *certdir = "/etc/pki/pesign";
rc = pesign_context_new(&ctxp);
if (rc < 0) {
@@ -460,6 +461,10 @@ main(int argc, char *argv[])
{"certficate", 'c', POPT_ARG_STRING, &certname, 0,
"specify certificate nickname",
"<certificate nickname>" },
+ {"certdir", 'n', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
+ &certdir, 0,
+ "specify nss certificate database directory",
+ "<certificate directory path>" },
{"privkey", 'p', POPT_ARG_STRING, &ctxp->privkeyfile, 0,
"specify private key file", "<privkey>" },
{"force", 'f', POPT_ARG_VAL, &ctxp->force, 1,
@@ -542,7 +547,7 @@ main(int argc, char *argv[])
poptFreeContext(optCon);
if (!daemon) {
- SECStatus status = NSS_Init("/etc/pki/pesign");
+ SECStatus status = NSS_Init(certdir);
if (status != SECSuccess) {
fprintf(stderr, "Could not initialize nss: %s\n",
PORT_ErrorToString(PORT_GetError()));
@@ -796,7 +801,7 @@ main(int argc, char *argv[])
close_output(ctxp);
break;
case DAEMONIZE:
- rc = daemonize(ctxp->cms_ctx, fork);
+ rc = daemonize(ctxp->cms_ctx, certdir, fork);
break;
default:
fprintf(stderr, "Incompatible flags (0x%08x): ", action);

163
pesign-suse-build.patch Normal file
View File

@ -0,0 +1,163 @@
---
Make.defaults | 5 +++--
Make.rules | 4 ++--
Makefile | 6 +++---
src/Makefile | 10 +++++-----
src/pesign.sysvinit | 12 ++++++++----
util/Makefile | 6 +++---
6 files changed, 24 insertions(+), 19 deletions(-)
Index: pesign-0.99/Make.defaults
===================================================================
--- pesign-0.99.orig/Make.defaults
+++ pesign-0.99/Make.defaults
@@ -5,7 +5,8 @@ HOSTARCH = $(shell uname -m | sed s,i[
ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
INCDIR = -I$(TOPDIR)/include
CPPFLAGS = -DCONFIG_$(ARCH)
-CFLAGS = $(ARCH3264) -g -O0 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE
+OPTFLAGS = -O0 -g
+CFLAGS = $(ARCH3264) $(OPTFLAGS) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE
ASFLAGS = $(ARCH3264)
LDFLAGS = -nostdlib
CCLDFLAGS = -shared
@@ -22,7 +23,7 @@ OBJCOPY = $(bindir)objcopy
ifeq ($(ARCH),ia64)
CFLAGS += -mfixed-range=f32-f127
- LIBDIR = $(PREFIX)/lib64
+ LIBDIR = $(PREFIX)/lib
endif
ifeq ($(ARCH), ia32)
Index: pesign-0.99/Make.rules
===================================================================
--- pesign-0.99.orig/Make.rules
+++ pesign-0.99/Make.rules
@@ -2,10 +2,10 @@
$(AR) -cvqs $@ $^
% : %.o
- $(CC) $(CCLDFLAGS) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib))
+ $(CC) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(CCLDFLAGS)
%.so :
- $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@
+ $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $^ $(CCLDFLAGS) -o $@
%.o: %.c
$(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
Index: pesign-0.99/Makefile
===================================================================
--- pesign-0.99.orig/Makefile
+++ pesign-0.99/Makefile
@@ -2,7 +2,7 @@ TOPDIR = $(shell echo $$PWD)
include $(TOPDIR)/Make.defaults
-SUBDIRS := include libdpe src util
+SUBDIRS := include libdpe src
DOCDIR := /share/doc/
VERSION = 0.99
@@ -16,8 +16,8 @@ clean :
install :
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
- $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
+ $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
install_systemd:
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
Index: pesign-0.99/src/Makefile
===================================================================
--- pesign-0.99.orig/src/Makefile
+++ pesign-0.99/src/Makefile
@@ -7,8 +7,9 @@ LIBS = popt
STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a
PKLIBS = nss
LDFLAGS =
-CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags --libs $(pklib)))
+CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags --libs $(pklib))) -lpthread
CFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror
+UNITDIR = /lib/systemd/system
TARGETS = pesign authvar client
@@ -60,12 +61,12 @@ clean : depclean
install_systemd:
$(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/tmpfiles.d/
$(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)/usr/lib/tmpfiles.d/pesign.conf
- $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/systemd/system/
- $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/usr/lib/systemd/system/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/$(UNITDIR)
+ $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/$(UNITDIR)
install_sysvinit:
- $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
- $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/init.d/
+ $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/init.d/pesign
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
Index: pesign-0.99/util/Makefile
===================================================================
--- pesign-0.99.orig/util/Makefile
+++ pesign-0.99/util/Makefile
@@ -4,7 +4,7 @@ TOPDIR = $(SRCDIR)/..
include $(TOPDIR)/Make.defaults
FORMAT=efi-app-$(HOSTARCH)
-LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR)
+LDFLAGS = -nostdlib -T $(LIBDIR)/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/crt0-efi-$(HOSTARCH).o -L$(LIBDIR)
LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name)
CCLDFLAGS =
CFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration
@@ -17,8 +17,8 @@ clean :
@rm -rfv *.o *.a *.so $(TARGETS)
install :
- $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/
- $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/
+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/
.PHONY: all clean install
Index: pesign-0.99/src/pesign.sysvinit
===================================================================
--- pesign-0.99.orig/src/pesign.sysvinit
+++ pesign-0.99/src/pesign.sysvinit
@@ -6,21 +6,25 @@
# processname: /usr/bin/pesign
# pidfile: /var/run/pesign.pid
### BEGIN INIT INFO
-# Provides: pesign
-# Default-Start:
+# Provides: pesign
+# Should-Start: $remote_fs
+# Should-Stop: $remote_fs
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 5
# Default-Stop:
# Short-Description: The pesign PE signing daemon
# Description: The pesign PE signing daemon
### END INIT INFO
-. /etc/init.d/functions
[ -f /usr/bin/pesign ] || exit 1
+PESIGN_PIDFILE=/var/run/pesign.pid
RETVAL=0
start(){
echo -n "Starting pesign: "
- daemon /usr/bin/pesign --daemonize
+ startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize
RETVAL=$?
echo
touch /var/lock/subsys/pesign

2482
pesign-upstream-fixes.patch Normal file
View File

File diff suppressed because it is too large Load Diff

155
pesign.changes Normal file
View File

@ -0,0 +1,155 @@
-------------------------------------------------------------------
Wed Dec 12 13:18:40 UTC 2012 - fcrozat@suse.com
- Don't call sysv RPM post/pre macros when building for systemd
- Ship rcpesign for systemd, link to /sbin/service
- Update pesign-suse-build.patch to allow change systemd unit
install directory.
- Don't hardcode systemd unit directory, since it changed in
Factory.
-------------------------------------------------------------------
Tue Dec 11 07:10:04 UTC 2012 - glin@suse.com
- Add Requires: pwdutils
-------------------------------------------------------------------
Wed Nov 28 07:42:09 UTC 2012 - glin@suse.com
- Add pesign-local-database.patch to support the local certificate
database
- Amend the spec file to build on openSUSE:Factory
-------------------------------------------------------------------
Thu Nov 8 06:32:32 UTC 2012 - glin@suse.com
- Version bump to 0.99 (FATE#314484)
+ Add documentation for --daemonize and --nofork
+ Make popt aliases work
+ Add documentation for pesign-client
+ Add --pinfd and --pinfile to the client
- Update pesign-suse-build.patch and pesign-fix-build-errors.patch
- Add pesign-upstream-fixes.patch to backport fixes from git head
and add sysvinit script
- Add pesign-client-initialize-action.patch to initialize client
action to avoid undetermined flags.
- Add pesign-client-read-pin-file.patch to fix pin file reading
-------------------------------------------------------------------
Mon Oct 15 09:33:19 UTC 2012 - glin@suse.com
- Version bump to 0.98
+ close the socket immediately on invalid input
+ Slightly better error messages
+ Log an error if digest initialization fails
+ Add systemd bits for pesignd
+ Add actual signing code to the daemon
+ Add input and output setup for sign functionality in the daemon
+ Audit allocation of CERTCertificateList/PK11SlotList and
friends
+ Fix memory leaks
- Refresh pesign-suse-build.patch and pesign-fix-build-errors.patch
-------------------------------------------------------------------
Mon Aug 13 06:50:35 UTC 2012 - glin@suse.com
- Version bump to 0.9
+ Add NSS "token" support for smartcards.
+ Allocate space for the section header variable
- Refresh pesign-fix-build-errors.patch to fix the warning
- Drop upstreamed pesign-allocate-shdr.patch
-------------------------------------------------------------------
Fri Aug 10 10:12:53 UTC 2012 - glin@suse.com
- Add pesign-allocate-shdr.patch to allocate space for the section
header variable
-------------------------------------------------------------------
Thu Aug 9 03:53:45 UTC 2012 - glin@suse.com
- Version bump to 0.8
+ Don't open the DB r/w, read-only is fine.
+ Attempt to do a better job setting the image size.
+ Emit correct OID for encryption type.
- Drop pesign-fix-image-size.patch which is already in 0.8
-------------------------------------------------------------------
Tue Aug 7 03:03:17 UTC 2012 - glin@suse.com
- Add upstream patch pesign-fix-image-size.patch to set the image
size correctly.
- Drop pesign-elilo-workaround.patch
-------------------------------------------------------------------
Mon Aug 6 08:03:05 UTC 2012 - glin@suse.com
- Version bump to 0.7
+ Fix incorrect initialization error in (undocumented) -e option.
+ Use SEC_OID_PKCS1_RSA_ENCRYPTION like MS
+ Initialize the index variable of loop
+ Adjust the buffer size to avoid overflow
+ Make sure pe_populatecert() always returns a value
-------------------------------------------------------------------
Mon Jul 23 08:49:13 UTC 2012 - glin@suse.com
- Add pesign-elilo-workaround.patch to workaround the section
header corruption in some EFI image (elilo for example)
-------------------------------------------------------------------
Mon Jul 23 03:32:18 UTC 2012 - glin@suse.com
- Add pesign-fix-build-errors.patch to fix build error/warning
- Don't install the util efi images
- Fix the RPM_OPT_FLAGS warning
-------------------------------------------------------------------
Thu Jul 12 09:37:55 UTC 2012 - glin@suse.com
- Version bump to 0.5
+ Handle and report mremap() failure
+ Man page should be in section 1.
+ Add some basic signature list management.
+ Add some more efi-defined constants, flesh out efi_guid_t.
+ authver: Find a guid for 'namespace'.
+ Add some basic ucs2 functions :(
+ Support multiple signatures correctly.
+ Add ascii_to_ucs2()
+ Add file formats and some code for variables-on-disk.
+ Allow the memory map to move when we're allocating space in the
binary.
+ Remove extra call to ftruncate()
+ Adjust section addresses when we remap the pecoff binary.
+ Correctly set win_certificate.length to /include/
win_certificate.
+ Move certificate space iterator to wincert.c so other stuff can
get it.
+ Split allocating space for certs and filling it in.
+ Put the new signature into the cms ctx instead of keeping it
locally.
+ Actually calculate space and extend the file before hashing the
binary.
+ Bounds-check everything we're hashing so we don't segfault on a
bad bin.
- Add pesign-always-return-value.patch to fix
no-return-in-nonvoid-function
- Drop upsreamed patch pesign-mem-reallocation.patch
-------------------------------------------------------------------
Fri Jun 29 07:08:11 UTC 2012 - glin@suse.com
- Add pesign-mem-reallocation.patch to fix crash when writing
signature
-------------------------------------------------------------------
Tue Jun 26 07:02:49 UTC 2012 - glin@suse.com
- Version bump to 0.3
+ it seems to generate working signatures
-------------------------------------------------------------------
Thu Jun 21 08:31:42 UTC 2012 - glin@suse.com
- New package pesign 0.2

145
pesign.spec Normal file
View File

@ -0,0 +1,145 @@
#
# spec file for package pesign
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: pesign
Version: 0.99
Release: 1
License: GPL-2.0
Summary: Signing tool for PE-COFF binaries
Url: https://github.com/vathpela/pesign
Group: Productivity/Security
Source: %{name}-%{version}.tar.bz2
# PATCH-FIX-UPSTREAM pesign-upstream-fixes.patch glin@suse.com -- fixes from upstream
Patch0: pesign-upstream-fixes.patch
# PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
Patch1: pesign-suse-build.patch
# PATCH-FIX-UPSTREAM pesign-fix-build-errors.patch glin@suse.com -- Fix gcc warnings
Patch2: pesign-fix-build-errors.patch
# PATCH-FIX-UPSTREAM pesign-client-initialize-action.patch glin@suse.com -- Initialize the actions variable
Patch3: pesign-client-initialize-action.patch
# PATCH-FIX-UPSTREAM pesign-client-read-pin-file.patch glin@suse.com -- Fix pin file reading error
Patch4: pesign-client-read-pin-file.patch
# PATCH-FIX-UPSTREAM pesign-local-database.patch glin@suse.com -- Support local certificate database
Patch5: pesign-local-database.patch
BuildRequires: mozilla-nss-devel
BuildRequires: popt-devel
BuildRequires: pkg-config
%if 0%{?suse_version} > 1140
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%define has_systemd 1
%endif
BuildRequires: pwdutils
Requires: pwdutils
BuildRoot: %{_tmppath}/%{name}-%{version}-build
ExclusiveArch: ia64 %ix86 x86_64
%description
Signing tool for PE-COFF binaries, hopefully at least vaguely compliant
with the PE and Authenticode specifications.
Authors:
--------
Peter Jones <pjones@redhat.com>
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
make OPTFLAGS="$RPM_OPT_FLAGS"
%install
make INSTALLROOT=%{buildroot} PREFIX=/usr DOCDIR=/share/doc/packages install
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/pesign
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
%if 0%{?has_systemd}
make INSTALLROOT=%{buildroot} UNITDIR=%{_unitdir} install_systemd
ln -sf /sbin/service $RPM_BUILD_ROOT/%{_sbindir}/rcpesign
%else
make INSTALLROOT=%{buildroot} install_sysvinit
ln -sf %{_sysconfdir}/init.d/pesign $RPM_BUILD_ROOT/%{_sbindir}/rcpesign
%endif
# there's some stuff that's not really meant to be shipped yet
rm -rf %{buildroot}/boot %{buildroot}/usr/include
rm -rf %{buildroot}%{_libdir}/libdpe*
%clean
%{?buildroot:%__rm -rf "%{buildroot}"}
%pre
getent group pesign >/dev/null || groupadd -r pesign
getent passwd pesign >/dev/null || useradd -r -g pesign -d /var/lib/pesign -s /bin/false -c "PE-COFF signing daemon" pesign
%if 0%{?has_systemd}
%service_add_pre pesign.service
%endif
%preun
%if 0%{?has_systemd}
%service_del_preun pesign.service
%else
%stop_on_removal pesign
%endif
%post
%if 0%{?has_systemd}
%service_add_post pesign.service
systemd-tmpfiles --create /usr/lib/tmpfiles.d/pesign.conf
%endif
%postun
%if 0%{?has_systemd}
%service_del_preun pesign.service
%else
%restart_on_update pesign
%insserv_cleanup
%endif
%files
%defattr(-,root,root)
%doc COPYING
%{_bindir}/pesign
%{_bindir}/pesign-client
%dir %{_sysconfdir}/popt.d
%config %{_sysconfdir}/popt.d/pesign.popt
%{_sysconfdir}/pki/
%config %{_sysconfdir}/rpm/macros.pesign
%{_mandir}/man?/*
/var/lib/pesign
%if 0%{?has_systemd}
%{_unitdir}/pesign.service
/usr/lib/tmpfiles.d/pesign.conf
%else
%{_sysconfdir}/init.d/pesign
%endif
%{_sbindir}/rcpesign
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign
%dir %attr(0770,pesign,pesign) %{_localstatedir}/run/%{name}
%dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name}
%changelog