forked from pool/pesign
Accepting request 1069048 from home:gary_lin:branches:Base:System
Update to 116 OBS-URL: https://build.opensuse.org/request/show/1069048 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=70
This commit is contained in:
parent
88fb4f57d3
commit
361faa327f
@ -1,7 +1,7 @@
|
||||
Index: pesign-113/src/pesign.service.in
|
||||
Index: pesign-115/src/pesign.service.in
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/pesign.service.in
|
||||
+++ pesign-113/src/pesign.service.in
|
||||
--- pesign-115.orig/src/pesign.service.in
|
||||
+++ pesign-115/src/pesign.service.in
|
||||
@@ -3,6 +3,19 @@ Description=Pesign signing daemon
|
||||
|
||||
[Service]
|
||||
@ -19,6 +19,6 @@ Index: pesign-113/src/pesign.service.in
|
||||
+ProtectControlGroups=true
|
||||
+RestrictRealtime=true
|
||||
+# end of automatic additions
|
||||
Type=forking
|
||||
PIDFile=/run/pesign.pid
|
||||
ExecStart=/usr/bin/pesign --daemonize
|
||||
PIDFile=@@RUNDIR@@/pesign.pid
|
||||
ExecStart=/usr/bin/pesign --daemonize --nofork
|
||||
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:0dfb14e6f79288b7983344b88b14f83b0267c002f563e38171f935af107d0132
|
||||
size 103471
|
BIN
pesign-116.tar.bz2
(Stored with Git LFS)
Normal file
BIN
pesign-116.tar.bz2
(Stored with Git LFS)
Normal file
Binary file not shown.
@ -1,8 +1,8 @@
|
||||
diff --git a/Make.defaults b/Make.defaults
|
||||
index 7892d73..2d18005 100644
|
||||
--- a/Make.defaults
|
||||
+++ b/Make.defaults
|
||||
@@ -47,7 +47,7 @@ cflags = $(CFLAGS) $(ARCH3264) \
|
||||
Index: pesign-115/Make.defaults
|
||||
===================================================================
|
||||
--- pesign-115.orig/Make.defaults
|
||||
+++ pesign-115/Make.defaults
|
||||
@@ -69,7 +69,7 @@ cflags = $(CFLAGS) $(ARCH3264) \
|
||||
$(call pkg-config-cflags)
|
||||
clang_ccldflags =
|
||||
gcc_ccldflags = -fno-merge-constants \
|
||||
@ -10,4 +10,4 @@ index 7892d73..2d18005 100644
|
||||
+ -fvar-tracking-assignments -fkeep-inline-functions \
|
||||
-Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \
|
||||
-Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \
|
||||
-Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed
|
||||
-Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -pie
|
||||
|
@ -1,39 +0,0 @@
|
||||
From b0b740f38da6d4584417d65a7c97fd4faf982cf6 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Wed, 4 Dec 2019 10:28:28 +0800
|
||||
Subject: [PATCH] pesigcheck: remove superfluous type settings
|
||||
|
||||
When setting the type of reason in check_signature(), the type was
|
||||
accidentally set as "siBuffer". Since the type is already set as
|
||||
"SIGNATURE", we only need to remove those two lines of code.
|
||||
|
||||
Fixes: https://github.com/rhboot/pesign/issues/55
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
src/pesigcheck.c | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
|
||||
index 524cce3..d197c30 100644
|
||||
--- a/src/pesigcheck.c
|
||||
+++ b/src/pesigcheck.c
|
||||
@@ -318,7 +318,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
|
||||
reason->type = SIGNATURE;
|
||||
reason->sig.data = data;
|
||||
reason->sig.len = datalen;
|
||||
- reason->type = siBuffer;
|
||||
nreason += 1;
|
||||
is_invalid = true;
|
||||
}
|
||||
@@ -330,7 +329,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
|
||||
reason->type = SIGNATURE;
|
||||
reason->sig.data = data;
|
||||
reason->sig.len = datalen;
|
||||
- reason->type = siBuffer;
|
||||
nreason += 1;
|
||||
has_valid_cert = true;
|
||||
}
|
||||
--
|
||||
2.24.0
|
||||
|
@ -1,27 +1,27 @@
|
||||
diff --git a/Make.defaults b/Make.defaults
|
||||
index 2d18005..7ecba00 100644
|
||||
--- a/Make.defaults
|
||||
+++ b/Make.defaults
|
||||
@@ -11,6 +11,7 @@ includedir ?= $(prefix)include/
|
||||
bindir ?= $(prefix)bin/
|
||||
Index: pesign-115/Make.defaults
|
||||
===================================================================
|
||||
--- pesign-115.orig/Make.defaults
|
||||
+++ pesign-115/Make.defaults
|
||||
@@ -13,6 +13,7 @@ rundir ?= /run/
|
||||
rundir := $(abspath $(rundir))/
|
||||
pcdir ?= $(libdir)pkgconfig/
|
||||
docdir ?= $(prefix)share/doc/
|
||||
+rpmmacrodir ?= /etc/rpm/
|
||||
DESTDIR ?=
|
||||
INSTALLROOT = $(DESTDIR)
|
||||
|
||||
diff --git a/src/Makefile b/src/Makefile
|
||||
index 5fb2841..ca546a3 100644
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -90,8 +90,8 @@ install :
|
||||
$(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)$(mandir)man1/
|
||||
$(INSTALL) -m 644 authvar.1 $(INSTALLROOT)$(mandir)man1/
|
||||
$(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/
|
||||
Index: pesign-115/src/Makefile
|
||||
===================================================================
|
||||
--- pesign-115.orig/src/Makefile
|
||||
+++ pesign-115/src/Makefile
|
||||
@@ -88,8 +88,8 @@ install :
|
||||
$(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(mandir)man1/
|
||||
$(INSTALL) -m 644 $(MAN1TARGETS) $(INSTALLROOT)$(mandir)man1/
|
||||
- $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
|
||||
- $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
||||
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
|
||||
+ $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
||||
$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
|
@ -11,15 +11,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
|
||||
src/pesign.service.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/pesign.service.in b/src/pesign.service.in
|
||||
index 87accee..8542c63 100644
|
||||
--- a/src/pesign.service.in
|
||||
+++ b/src/pesign.service.in
|
||||
@@ -20,3 +20,4 @@ Type=forking
|
||||
PIDFile=/run/pesign.pid
|
||||
ExecStart=/usr/bin/pesign --daemonize
|
||||
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
||||
Index: pesign-116/src/pesign.service.in
|
||||
===================================================================
|
||||
--- pesign-116.orig/src/pesign.service.in
|
||||
+++ pesign-116/src/pesign.service.in
|
||||
@@ -18,6 +18,7 @@ RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
PIDFile=@@RUNDIR@@/pesign.pid
|
||||
ExecStart=/usr/bin/pesign --daemonize --nofork
|
||||
+ReadWritePaths=/etc/pki/pesign/
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
91
pesign-bsc1202933-Remove-pesign-authorize.patch
Normal file
91
pesign-bsc1202933-Remove-pesign-authorize.patch
Normal file
@ -0,0 +1,91 @@
|
||||
From 09a41248f9f867e9aaf06e890621c392d36b52ec Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 31 Jan 2023 10:00:18 -0500
|
||||
Subject: [PATCH] Remove pesign-authorize
|
||||
|
||||
The onus of correct file/directory permissions should be a configuration
|
||||
and systems administration issue, not pesign's.
|
||||
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/.gitignore | 1 -
|
||||
src/Makefile | 3 +--
|
||||
src/pesign-authorize.in | 13 -------------
|
||||
src/pesign.service.in | 1 -
|
||||
src/pesign.sysvinit.in | 1 -
|
||||
5 files changed, 1 insertion(+), 18 deletions(-)
|
||||
delete mode 100644 src/pesign-authorize.in
|
||||
|
||||
Index: pesign-116/src/.gitignore
|
||||
===================================================================
|
||||
--- pesign-116.orig/src/.gitignore
|
||||
+++ pesign-116/src/.gitignore
|
||||
@@ -10,5 +10,4 @@ peverify
|
||||
pesign.service
|
||||
pesign.sysvinit
|
||||
pesign-rpmbuild-helper
|
||||
-pesign-authorize
|
||||
tmpfiles.conf
|
||||
Index: pesign-116/src/Makefile
|
||||
===================================================================
|
||||
--- pesign-116.orig/src/Makefile
|
||||
+++ pesign-116/src/Makefile
|
||||
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
|
||||
include $(TOPDIR)/Make.defaults
|
||||
|
||||
BINTARGETS=authvar client efikeygen pesigcheck pesign \
|
||||
- pesign-rpmbuild-helper pesign-authorize pesum
|
||||
+ pesign-rpmbuild-helper pesum
|
||||
CFGTARGETS=tmpfiles.conf
|
||||
SVCTARGETS=pesign.sysvinit pesign.service
|
||||
MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1
|
||||
@@ -99,7 +99,6 @@ install :
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
|
||||
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
- $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
||||
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
|
||||
Index: pesign-116/src/pesign-authorize.in
|
||||
===================================================================
|
||||
--- pesign-116.orig/src/pesign-authorize.in
|
||||
+++ /dev/null
|
||||
@@ -1,13 +0,0 @@
|
||||
-#!/bin/bash
|
||||
-set -e
|
||||
-set -u
|
||||
-
|
||||
-# License: GPLv2
|
||||
-
|
||||
-# This script is deprecated and will be removed in a future release.
|
||||
-
|
||||
-sleep 3
|
||||
-for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
|
||||
- chown -R pesign:pesign "${x}" || true
|
||||
- chmod -R ug+rwX "${x}" || true
|
||||
-done
|
||||
Index: pesign-116/src/pesign.service.in
|
||||
===================================================================
|
||||
--- pesign-116.orig/src/pesign.service.in
|
||||
+++ pesign-116/src/pesign.service.in
|
||||
@@ -18,7 +18,6 @@ RestrictRealtime=true
|
||||
# end of automatic additions
|
||||
PIDFile=@@RUNDIR@@/pesign.pid
|
||||
ExecStart=/usr/bin/pesign --daemonize --nofork
|
||||
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Index: pesign-116/src/pesign.sysvinit.in
|
||||
===================================================================
|
||||
--- pesign-116.orig/src/pesign.sysvinit.in
|
||||
+++ pesign-116/src/pesign.sysvinit.in
|
||||
@@ -30,7 +30,6 @@ start(){
|
||||
RETVAL=$?
|
||||
echo
|
||||
touch /var/lock/subsys/pesign
|
||||
- @@LIBEXECDIR@@/pesign/pesign-authorize
|
||||
}
|
||||
|
||||
stop(){
|
@ -1,81 +0,0 @@
|
||||
From cf116c5fc6a98f28144ea0409988a83b22289439 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 18 Jan 2023 14:00:22 -0500
|
||||
Subject: [PATCH] Use normal file permissions instead of ACLs
|
||||
|
||||
Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
|
||||
|
||||
pesign-authorize is now deprecated and will be removed in a future
|
||||
release.
|
||||
|
||||
Resolves: CVE-2022-3560
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
src/pesign-authorize | 53 +++++---------------------------------------
|
||||
1 file changed, 5 insertions(+), 48 deletions(-)
|
||||
|
||||
Index: pesign-113/src/pesign-authorize
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/pesign-authorize
|
||||
+++ pesign-113/src/pesign-authorize
|
||||
@@ -2,55 +2,12 @@
|
||||
set -e
|
||||
set -u
|
||||
|
||||
-#
|
||||
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
||||
-# acls for specific users is useful
|
||||
-#
|
||||
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
||||
-#
|
||||
-
|
||||
# License: GPLv2
|
||||
-declare -a fileusers=()
|
||||
-declare -a dirusers=()
|
||||
-for user in $(cat /etc/pesign/users); do
|
||||
- dirusers[${#dirusers[@]}]=-m
|
||||
- dirusers[${#dirusers[@]}]="u:$user:rwx"
|
||||
- fileusers[${#fileusers[@]}]=-m
|
||||
- fileusers[${#fileusers[@]}]="u:$user:rw"
|
||||
-done
|
||||
-
|
||||
-declare -a filegroups=()
|
||||
-declare -a dirgroups=()
|
||||
-for group in $(cat /etc/pesign/groups); do
|
||||
- dirgroups[${#dirgroups[@]}]=-m
|
||||
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
||||
- filegroups[${#filegroups[@]}]=-m
|
||||
- filegroups[${#filegroups[@]}]="g:$group:rw"
|
||||
-done
|
||||
-
|
||||
-update_subdir() {
|
||||
- subdir=$1 && shift
|
||||
|
||||
- setfacl -bk "${subdir}"
|
||||
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
||||
- for x in "${subdir}"* ; do
|
||||
- if [ -d "${x}" ]; then
|
||||
- setfacl -bk ${x}
|
||||
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
||||
- update_subdir "${x}/"
|
||||
- elif [ -e "${x}" ]; then
|
||||
- setfacl -bk ${x}
|
||||
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
||||
- else
|
||||
- :;
|
||||
- fi
|
||||
- done
|
||||
-}
|
||||
+# This script is deprecated and will be removed in a future release.
|
||||
|
||||
-for x in /run/pesign/ /etc/pki/pesign*/ ; do
|
||||
- if [ -d "${x}" ]; then
|
||||
- update_subdir "${x}"
|
||||
- else
|
||||
- :;
|
||||
- fi
|
||||
+sleep 3
|
||||
+for x in /run/pesign/ /etc/pki/pesign/ ; do
|
||||
+ chown -R pesign:pesign "${x}" || true
|
||||
+ chmod -R ug+rwX "${x}" || true
|
||||
done
|
@ -1,45 +0,0 @@
|
||||
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 14 May 2019 11:28:38 -0400
|
||||
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
|
||||
|
||||
NSS 3.44 adds some certificate types, which changes a type and makes
|
||||
some encoding stuff weird. As a result, we get:
|
||||
|
||||
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
|
||||
In file included from /usr/local/include/nss/nss/cert.h:22,
|
||||
from efikeygen.c:39:
|
||||
efikeygen.c: In function 'add_cert_type':
|
||||
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
|
||||
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
|
||||
^
|
||||
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
|
||||
unsigned char type = NS_CERT_TYPE_APP;
|
||||
^~~~~~~~~~~~~~~~
|
||||
cc1: all warnings being treated as errors
|
||||
|
||||
This is fixed by just making it an int.
|
||||
|
||||
Fixes github issue #48.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/efikeygen.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/efikeygen.c b/src/efikeygen.c
|
||||
index ede76ef..2cd953e 100644
|
||||
--- a/src/efikeygen.c
|
||||
+++ b/src/efikeygen.c
|
||||
@@ -208,7 +208,7 @@ static int
|
||||
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
|
||||
{
|
||||
SECItem bitStringValue;
|
||||
- unsigned char type = NS_CERT_TYPE_APP;
|
||||
+ int type = NS_CERT_TYPE_APP;
|
||||
|
||||
if (is_ca)
|
||||
type |= NS_CERT_TYPE_SSL_CA |
|
||||
--
|
||||
2.22.0
|
||||
|
@ -12,32 +12,11 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
|
||||
src/authvar_context.c | 16 +++++++---------
|
||||
1 file changed, 7 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/authvar_context.c b/src/authvar_context.c
|
||||
index 7a753fc..c51c666 100644
|
||||
--- a/src/authvar_context.c
|
||||
+++ b/src/authvar_context.c
|
||||
@@ -20,6 +20,7 @@
|
||||
#include "fix_coverity.h"
|
||||
|
||||
#include <unistd.h>
|
||||
+#include <stddef.h>
|
||||
#include <sys/mman.h>
|
||||
|
||||
#include <prerror.h>
|
||||
@@ -135,11 +136,7 @@ generate_descriptor(authvar_context *ctx)
|
||||
if (rc < 0)
|
||||
cmsreterr(-1, ctx->cms_ctx, "could not create signed data");
|
||||
|
||||
-#if __WORDSIZE == 64
|
||||
- offset = (uint64_t) &((win_cert_uefi_guid_t *)0)->data;
|
||||
-#else
|
||||
- offset = (uint32_t) &((win_cert_uefi_guid_t *)0)->data;
|
||||
-#endif
|
||||
+ offset = offsetof(win_cert_uefi_guid_t, data);
|
||||
authinfo = calloc(offset + sd_der.len, 1);
|
||||
if (!authinfo)
|
||||
cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo");
|
||||
@@ -162,6 +159,7 @@ write_authvar(authvar_context *ctx)
|
||||
Index: pesign-115/src/authvar_context.c
|
||||
===================================================================
|
||||
--- pesign-115.orig/src/authvar_context.c
|
||||
+++ pesign-115/src/authvar_context.c
|
||||
@@ -151,6 +151,7 @@ write_authvar(authvar_context *ctx)
|
||||
void *buffer, *ptr;
|
||||
size_t buf_len, des_len, remain;
|
||||
ssize_t wlen;
|
||||
@ -45,7 +24,7 @@ index 7a753fc..c51c666 100644
|
||||
|
||||
if (!ctx->authinfo)
|
||||
cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar");
|
||||
@@ -189,19 +187,19 @@ write_authvar(authvar_context *ctx)
|
||||
@@ -179,19 +180,19 @@ write_authvar(authvar_context *ctx)
|
||||
if (ctx->value_size > 0)
|
||||
memcpy(ptr, ctx->value, ctx->value_size);
|
||||
|
||||
@ -69,6 +48,3 @@ index 7a753fc..c51c666 100644
|
||||
} while (remain > 0);
|
||||
|
||||
free(buffer);
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
29
pesign-fix-cert-match-check.patch
Normal file
29
pesign-fix-cert-match-check.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From a6062702e9f0002b86759f6cd14da6d78de99f22 Mon Sep 17 00:00:00 2001
|
||||
From: Huaxin Lu <luhuaxin1@huawei.com>
|
||||
Date: Fri, 11 Nov 2022 11:20:35 +0800
|
||||
Subject: [PATCH] cms_common: fix cert match check
|
||||
|
||||
In find_certificate_by_callback(), the match() returns 1
|
||||
when cert subject is matched.
|
||||
|
||||
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
|
||||
---
|
||||
src/cms_common.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index 24576f2..cf572ca 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -872,7 +872,7 @@ find_certificate_by_callback(cms_context *cms,
|
||||
continue;
|
||||
|
||||
int rc = match(tmpnode->cert, cbdata);
|
||||
- if (rc == 0) {
|
||||
+ if (rc == 1) {
|
||||
node = tmpnode;
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.35.3
|
||||
|
29
pesign-fix-efikeygen-segfault.patch
Normal file
29
pesign-fix-efikeygen-segfault.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From 227435af461f38fc4abeafe02884675ad4b1feb4 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Frayer <nfrayer@redhat.com>
|
||||
Date: Mon, 20 Feb 2023 15:26:20 +0100
|
||||
Subject: [PATCH] cms_common: Fixed Segmentation fault
|
||||
|
||||
When running efikeygen, the binary crashes with a segfault due
|
||||
to dereferencing a **ptr instead of a *ptr.
|
||||
|
||||
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
|
||||
---
|
||||
src/cms_common.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index 44e5cca..4f4707b 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -957,7 +957,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
|
||||
if (!ias)
|
||||
cnreterr(-1, cms, "invalid issuer and serial number");
|
||||
|
||||
- return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
|
||||
+ return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
|
||||
}
|
||||
|
||||
int
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,81 +0,0 @@
|
||||
---
|
||||
src/cms_common.c | 12 ++++++++++--
|
||||
src/cms_common.h | 1 +
|
||||
src/pesign.c | 1 +
|
||||
3 files changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: pesign-113/src/cms_common.c
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/cms_common.c
|
||||
+++ pesign-113/src/cms_common.c
|
||||
@@ -282,6 +282,7 @@ struct cbdata {
|
||||
CERTCertificate *cert;
|
||||
PK11SlotListElement *psle;
|
||||
secuPWData *pwdata;
|
||||
+ int privkey_unneeded;
|
||||
};
|
||||
|
||||
static SECStatus
|
||||
@@ -293,6 +294,12 @@ is_valid_cert(CERTCertificate *cert, voi
|
||||
void *pwdata = cbdata->pwdata;
|
||||
|
||||
SECKEYPrivateKey *privkey = NULL;
|
||||
+
|
||||
+ if (cbdata->privkey_unneeded) {
|
||||
+ cbdata->cert = cert;
|
||||
+ return SECSuccess;
|
||||
+ }
|
||||
+
|
||||
privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
|
||||
if (privkey != NULL) {
|
||||
cbdata->cert = cert;
|
||||
@@ -423,7 +430,7 @@ find_certificate(cms_context *cms, int n
|
||||
}
|
||||
|
||||
SECStatus status;
|
||||
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
|
||||
+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
|
||||
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
|
||||
if (status != SECSuccess) {
|
||||
PK11_DestroySlotListElement(slots, &psle);
|
||||
@@ -452,6 +459,7 @@ find_certificate(cms_context *cms, int n
|
||||
.cert = NULL,
|
||||
.psle = psle,
|
||||
.pwdata = pwdata,
|
||||
+ .privkey_unneeded = cms->privkey_unneeded,
|
||||
};
|
||||
|
||||
if (needs_private_key) {
|
||||
@@ -572,7 +580,7 @@ find_named_certificate(cms_context *cms,
|
||||
}
|
||||
|
||||
SECStatus status;
|
||||
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
|
||||
+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
|
||||
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
|
||||
if (status != SECSuccess) {
|
||||
PK11_DestroySlotListElement(slots, &psle);
|
||||
Index: pesign-113/src/cms_common.h
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/cms_common.h
|
||||
+++ pesign-113/src/cms_common.h
|
||||
@@ -62,6 +62,7 @@ typedef int (*cms_common_logger)(struct
|
||||
typedef struct cms_context {
|
||||
PRArenaPool *arena;
|
||||
void *privkey;
|
||||
+ int privkey_unneeded;
|
||||
|
||||
char *tokenname;
|
||||
char *certname;
|
||||
Index: pesign-113/src/file_pe.c
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/file_pe.c
|
||||
+++ pesign-113/src/file_pe.c
|
||||
@@ -354,6 +354,7 @@ pe_handle_action(pesign_context *ctxp, i
|
||||
*/
|
||||
case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
|
||||
check_inputs(ctxp);
|
||||
+ ctxp->cms_ctx->privkey_unneeded = 1;
|
||||
rc = find_certificate(ctxp->cms_ctx, 0);
|
||||
if (rc < 0) {
|
||||
fprintf(stderr, "pesign: Could not find "
|
@ -1,94 +0,0 @@
|
||||
---
|
||||
src/Makefile | 2 +-
|
||||
src/daemon.h | 4 ++--
|
||||
src/macros.pesign | 2 +-
|
||||
src/pesign.sysvinit | 14 +++++++-------
|
||||
src/tmpfiles.conf | 2 +-
|
||||
5 files changed, 12 insertions(+), 12 deletions(-)
|
||||
|
||||
Index: pesign-113/src/Makefile
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/Makefile
|
||||
+++ pesign-113/src/Makefile
|
||||
@@ -73,7 +73,7 @@ install_sysvinit: pesign.sysvinit
|
||||
install :
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
||||
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
|
||||
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
|
||||
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
|
||||
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
|
||||
Index: pesign-113/src/daemon.h
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/daemon.h
|
||||
+++ pesign-113/src/daemon.h
|
||||
@@ -49,8 +49,8 @@ typedef enum {
|
||||
} pesignd_cmd;
|
||||
|
||||
#define PESIGND_VERSION 0x2a9edaf0
|
||||
-#define SOCKPATH "/var/run/pesign/socket"
|
||||
-#define PIDFILE "/var/run/pesign.pid"
|
||||
+#define SOCKPATH "/run/pesign/socket"
|
||||
+#define PIDFILE "/run/pesign.pid"
|
||||
|
||||
static inline uint32_t UNUSED
|
||||
pesignd_string_size(char *buffer)
|
||||
Index: pesign-113/src/macros.pesign
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/macros.pesign
|
||||
+++ pesign-113/src/macros.pesign
|
||||
@@ -52,7 +52,7 @@
|
||||
getfacl /var/run/pesign 1>&2 \
|
||||
getfacl /var/run/pesign/socket 1>&2 \
|
||||
exit 1 \
|
||||
- elif [ -S /var/run/pesign/socket ]; then \
|
||||
+ elif [ -S /run/pesign/socket ]; then \
|
||||
%{_pesign_client} -t %{__pesign_client_token} \\\
|
||||
-c %{__pesign_client_cert} \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
Index: pesign-113/src/tmpfiles.conf
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/tmpfiles.conf
|
||||
+++ pesign-113/src/tmpfiles.conf
|
||||
@@ -1 +1 @@
|
||||
-D /var/run/pesign 0770 pesign pesign -
|
||||
+D /run/pesign 0770 pesign pesign -
|
||||
Index: pesign-113/src/pesign.sysvinit.in
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/pesign.sysvinit.in
|
||||
+++ pesign-113/src/pesign.sysvinit.in
|
||||
@@ -4,7 +4,7 @@
|
||||
#
|
||||
# chkconfig: - 50 50
|
||||
# processname: /usr/bin/pesign
|
||||
-# pidfile: /var/run/pesign.pid
|
||||
+# pidfile: /run/pesign.pid
|
||||
### BEGIN INIT INFO
|
||||
# Provides: pesign
|
||||
# Should-Start: $remote_fs
|
||||
Index: pesign-113/src/pesign.service.in
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/pesign.service.in
|
||||
+++ pesign-113/src/pesign.service.in
|
||||
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
|
||||
[Service]
|
||||
PrivateTmp=true
|
||||
Type=forking
|
||||
-PIDFile=/var/run/pesign.pid
|
||||
+PIDFile=/run/pesign.pid
|
||||
ExecStart=/usr/bin/pesign --daemonize
|
||||
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
||||
Index: pesign-113/src/pesign-authorize
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/pesign-authorize
|
||||
+++ pesign-113/src/pesign-authorize
|
||||
@@ -47,7 +47,7 @@ update_subdir() {
|
||||
done
|
||||
}
|
||||
|
||||
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
|
||||
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
|
||||
if [ -d "${x}" ]; then
|
||||
update_subdir "${x}"
|
||||
else
|
44
pesign-skip-auth-on-friendly-slot.patch
Normal file
44
pesign-skip-auth-on-friendly-slot.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 616ec5f25adbde1a4bd78cdcacd6dcd7ecfa5a5c Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 22 Dec 2022 13:49:34 +0800
|
||||
Subject: [PATCH] cms_common: skip authentication on the 'Friendly' slot
|
||||
|
||||
When finding a certificate in a 'Friendly' slot without the need of the
|
||||
private key, it is not necessary to authenticate the slot.
|
||||
|
||||
For example, when the signed attributes and the raw signature are
|
||||
created in a server and the user has the certificate, signkey.x509, and
|
||||
tries to import them into myapp.efi:
|
||||
|
||||
$ certutil -N -d nssdb -f passwd
|
||||
$ certutil -A -d nssdb -f passwd -n signkey -t CT,CT,CT \
|
||||
-i signkey.x509
|
||||
$ pesign -n nssdb -c signkey -i myapp.efi -o myapp.efi.signed \
|
||||
-d sha256 -I myapp.sattr -R myapp.sig
|
||||
|
||||
Since the "signkey" is 'Friendly', i.e. publicly readable, and the
|
||||
private key is not needed, we can just skip the authentication and find
|
||||
"signkey" in the slot.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
src/cms_common.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index cf572ca..44e5cca 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -628,7 +628,8 @@ find_certificate(cms_context *cms, int needs_private_key)
|
||||
|
||||
int errnum;
|
||||
SECStatus status;
|
||||
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms)) {
|
||||
+ if ((needs_private_key || !PK11_IsFriendly(psle->slot)) &&
|
||||
+ (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms))) {
|
||||
status = PK11_Authenticate(psle->slot, PR_TRUE, cms);
|
||||
if (status != SECSuccess) {
|
||||
save_port_err() {
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,7 +1,7 @@
|
||||
Index: pesign-113/util/Makefile
|
||||
Index: pesign-116/util/Makefile
|
||||
===================================================================
|
||||
--- pesign-113.orig/util/Makefile
|
||||
+++ pesign-113/util/Makefile
|
||||
--- pesign-116.orig/util/Makefile
|
||||
+++ pesign-116/util/Makefile
|
||||
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules
|
||||
include $(TOPDIR)/Make.defaults
|
||||
|
||||
@ -17,18 +17,18 @@ Index: pesign-113/util/Makefile
|
||||
install :
|
||||
- $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/
|
||||
- $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/
|
||||
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/
|
||||
+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/
|
||||
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/sles/
|
||||
+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/sles/
|
||||
|
||||
install_systemd:
|
||||
|
||||
Index: pesign-113/src/pesign.sysvinit.in
|
||||
Index: pesign-116/src/pesign.sysvinit.in
|
||||
===================================================================
|
||||
--- pesign-113.orig/src/pesign.sysvinit.in
|
||||
+++ pesign-113/src/pesign.sysvinit.in
|
||||
--- pesign-116.orig/src/pesign.sysvinit.in
|
||||
+++ pesign-116/src/pesign.sysvinit.in
|
||||
@@ -6,16 +6,19 @@
|
||||
# processname: /usr/bin/pesign
|
||||
# pidfile: /var/run/pesign.pid
|
||||
# pidfile: @@RUNDIR@@pesign.pid
|
||||
### BEGIN INIT INFO
|
||||
-# Provides: pesign
|
||||
-# Default-Start:
|
||||
@ -46,50 +46,28 @@ Index: pesign-113/src/pesign.sysvinit.in
|
||||
-. /etc/init.d/functions
|
||||
[ -f /usr/bin/pesign ] || exit 1
|
||||
|
||||
+PESIGN_PIDFILE=/var/run/pesign.pid
|
||||
+PESIGN_PIDFILE=@@RUNDIR@@pesign.pid
|
||||
RETVAL=0
|
||||
|
||||
start(){
|
||||
@@ -23,7 +26,7 @@ start(){
|
||||
mkdir /var/run/pesign 2>/dev/null &&
|
||||
chown pesign:pesign /var/run/pesign &&
|
||||
chmod 0770 /var/run/pesign
|
||||
mkdir @@RUNDIR@@pesign 2>/dev/null &&
|
||||
chown pesign:pesign @@RUNDIR@@pesign &&
|
||||
chmod 0770 @@RUNDIR@@pesign
|
||||
- daemon /usr/bin/pesign --daemonize
|
||||
+ startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize
|
||||
RETVAL=$?
|
||||
echo
|
||||
touch /var/lock/subsys/pesign
|
||||
@@ -32,7 +35,7 @@ start(){
|
||||
|
||||
stop(){
|
||||
echo -n "Stopping pesign: "
|
||||
- killproc -p /var/run/pesign.pid pesignd
|
||||
+ killproc -p /run/pesign.pid pesignd
|
||||
RETVAL=$?
|
||||
echo
|
||||
rm -f /var/lock/subsys/pesign
|
||||
Index: pesign-113/Make.defaults
|
||||
Index: pesign-116/Makefile
|
||||
===================================================================
|
||||
--- pesign-113.orig/Make.defaults
|
||||
+++ pesign-113/Make.defaults
|
||||
@@ -61,7 +61,7 @@ CPPFLAGS ?=
|
||||
RANLIBFLAGS := $(if $(filter $(CC),gcc),-D)
|
||||
ARFLAGS := $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
|
||||
|
||||
-LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
|
||||
+LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
|
||||
|
||||
ifeq ($(ARCH),ia64)
|
||||
efi_cflags += -mfixed-range=f32-f127
|
||||
Index: pesign-113/Makefile
|
||||
===================================================================
|
||||
--- pesign-113.orig/Makefile
|
||||
+++ pesign-113/Makefile
|
||||
--- pesign-116.orig/Makefile
|
||||
+++ pesign-116/Makefile
|
||||
@@ -11,7 +11,6 @@ SUBDIRS := include libdpe src
|
||||
|
||||
install :
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
|
||||
- $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
|
||||
@set -e ; for x in $(SUBDIRS) ; do \
|
||||
$(MAKE) -C $$x $@ ; \
|
||||
done
|
||||
@$(call descend)
|
||||
|
||||
install_systemd install_sysvinit : install
|
||||
|
@ -1,3 +1,60 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 22 08:05:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Update to 116
|
||||
+ daemon: remove always-true comparison
|
||||
+ pesum - add a new tool to the shed
|
||||
+ Fix building signed kernels on setups other than koji
|
||||
+ Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
|
||||
+ macros.pesign: handle centos like rhel with --rhelver
|
||||
+ Detect the presence of rpm-sign when checking for "rhel"-ness
|
||||
+ Fix typo in efikeygen command
|
||||
+ pesigcheck: Fix crash on digest match
|
||||
+ cms: store digest as pointer instead of index
|
||||
+ Fix mandoc invocation to not produce garbage
|
||||
+ Password fixes
|
||||
+ Re-work CMS's selected_digest again...
|
||||
+ src/certs/make-certs: delete the duplicate codes
|
||||
+ Free resources if certification cannot be found
|
||||
+ macros: drop %{_pesign_args}
|
||||
+ Fix two bugs from package building
|
||||
+ Fix bad free of cms data (DoS only)
|
||||
+ Send pesign stdout/err to systemd journal
|
||||
+ Add missing Install section
|
||||
+ Add default packages for pkg-config
|
||||
+ Short delay to ensure /run/pesign/socket exists
|
||||
+ Resolve crash when signature that is removed is not the end of
|
||||
the list
|
||||
+ Enhance error diagnostics about version mismatch
|
||||
+ Upstream all Fedora changes
|
||||
+ Add some hardening options to build
|
||||
+ Add code of conduct
|
||||
+ Fix build on gcc 12 and non-Fedora
|
||||
- Add BuildRequires efivar-devel >= 38 for efisec.h
|
||||
+ efisiglist is replaced by efisecdb in efivar 38
|
||||
- Add BuildRequires mandoc to generate the manpages
|
||||
- Replace pesign-privkey_unneeded.diff with
|
||||
pesign-skip-auth-on-friendly-slot.patch to avoid the unnecessary
|
||||
authentication
|
||||
- Add pesign-fix-cert-match-check.patch to fix the subject name
|
||||
matching
|
||||
- Add pesign-fix-efikeygen-segfault.patch to fix the potential
|
||||
crash when executing efikeygen
|
||||
- Add pesign-bsc1202933-Remove-pesign-authorize.patch to remove
|
||||
pesign-authorize completely (bsc#1202933)
|
||||
- Refresh patches
|
||||
+ harden_pesign.service.patch
|
||||
+ pesign-boo1143063-remove-var-tracking.patch
|
||||
+ pesign-boo1185663-set-rpmmacrodir.patch
|
||||
+ pesign-fix-authvar-write-loop.patch
|
||||
+ pesign-suse-build.patch
|
||||
+ pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
|
||||
- Remove upstreamed/unnecessary patches
|
||||
+ pesign-boo1158197-fix-pesigncheck-gcc10.patch
|
||||
+ pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
|
||||
+ pesign-run.patch
|
||||
+ pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 7 07:37:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
|
37
pesign.spec
37
pesign.spec
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: pesign
|
||||
Version: 113
|
||||
Version: 116
|
||||
Release: 0
|
||||
Summary: Signing tool for PE-COFF binaries
|
||||
License: GPL-3.0-or-later
|
||||
@ -27,25 +27,21 @@ Source: https://github.com/rhinstaller/pesign/releases/download/%{versio
|
||||
Source1: pesign.sysusers
|
||||
# PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
|
||||
Patch1: pesign-suse-build.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature
|
||||
Patch2: pesign-privkey_unneeded.diff
|
||||
# PATCH-FIX-SUSE pesign-run.patch aj@suse.com - Use /run instead of /var/run
|
||||
Patch3: pesign-run.patch
|
||||
Patch2: pesign-skip-auth-on-friendly-slot.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar
|
||||
Patch4: pesign-fix-authvar-write-loop.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-efikeygen-Fix-the-build-with-nss-3.44.patch glin@suse.com -- Fix the NSS 3.44 compilation error
|
||||
Patch5: pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
|
||||
Patch3: pesign-fix-authvar-write-loop.patch
|
||||
# PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS
|
||||
Patch6: pesign-boo1143063-remove-var-tracking.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-boo1158197-fix-pesigncheck-gcc10.patch glin@suse.com -- boo#1158197 Fix the gcc10 errors
|
||||
Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch
|
||||
Patch4: pesign-boo1143063-remove-var-tracking.patch
|
||||
# PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
|
||||
Patch8: pesign-boo1185663-set-rpmmacrodir.patch
|
||||
Patch9: harden_pesign.service.patch
|
||||
Patch10: pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
|
||||
Patch11: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
|
||||
BuildRequires: efivar-devel
|
||||
Patch5: pesign-boo1185663-set-rpmmacrodir.patch
|
||||
Patch6: harden_pesign.service.patch
|
||||
Patch7: pesign-bsc1202933-Remove-pesign-authorize.patch
|
||||
Patch8: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
|
||||
Patch9: pesign-fix-cert-match-check.patch
|
||||
Patch10: pesign-fix-efikeygen-segfault.patch
|
||||
BuildRequires: efivar-devel >= 38
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: mandoc
|
||||
BuildRequires: mozilla-nss-devel
|
||||
BuildRequires: pkg-config
|
||||
BuildRequires: popt-devel
|
||||
@ -71,10 +67,10 @@ with the PE and Authenticode specifications.
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
|
||||
%build
|
||||
%sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf
|
||||
export CPPFLAGS="%{optflags} -D_GLIBCXX_ASSERTIONS"
|
||||
make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir}
|
||||
|
||||
%install
|
||||
@ -115,22 +111,21 @@ systemd-tmpfiles --create %{_tmpfilesdir}/pesign.conf || :
|
||||
%{_bindir}/pesign-client
|
||||
%{_bindir}/efikeygen
|
||||
%{_bindir}/pesigcheck
|
||||
%{_bindir}/efisiglist
|
||||
%{_bindir}/authvar
|
||||
%{_bindir}/pesum
|
||||
%{_sbindir}/rcpesign
|
||||
%dir %{_sysconfdir}/pesign
|
||||
%{_sysconfdir}/pesign/*
|
||||
%dir %{_sysconfdir}/popt.d
|
||||
%config %{_sysconfdir}/popt.d/pesign.popt
|
||||
%{_sysconfdir}/pki/
|
||||
%{_rpmmacrodir}/macros.pesign
|
||||
%{_mandir}/man?/*
|
||||
%{_localstatedir}/lib/pesign
|
||||
%{_unitdir}/pesign.service
|
||||
%{_sysusersdir}/pesign.conf
|
||||
%{_tmpfilesdir}/pesign.conf
|
||||
%dir %{_libexecdir}/pesign
|
||||
%{_libexecdir}/pesign/pesign-authorize
|
||||
%{_libexecdir}/pesign/pesign-rpmbuild-helper
|
||||
%dir %{_sysconfdir}/pki/
|
||||
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign
|
||||
%ghost %dir %attr(0770,pesign,pesign) /run/%{name}
|
||||
%dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name}
|
||||
|
Loading…
Reference in New Issue
Block a user