rpm/pesign
SHA256
1
0
Fork 0
forked from pool/pesign
Code Pull Requests Activity

Accepting request 1069048 from home:gary_lin:branches:Base:System

Browse Source 
Update to 116

OBS-URL: https://build.opensuse.org/request/show/1069048
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=70
This commit is contained in:
Gary Ching-Pang Lin 2023-03-03 03:06:48 +00:00 committed by Git OBS Bridge
parent 88fb4f57d3
commit 361faa327f
19 changed files with 332 additions and 473 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
harden_pesign.service.patch
View File

@ -1,7 +1,7 @@
Index: pesign-113/src/pesign.service.in Index: pesign-115/src/pesign.service.in
=================================================================== ===================================================================
--- pesign-113.orig/src/pesign.service.in --- pesign-115.orig/src/pesign.service.in
+++ pesign-113/src/pesign.service.in +++ pesign-115/src/pesign.service.in
@@ -3,6 +3,19 @@ Description=Pesign signing daemon @@ -3,6 +3,19 @@ Description=Pesign signing daemon
[Service] [Service]
@ -19,6 +19,6 @@ Index: pesign-113/src/pesign.service.in
+ProtectControlGroups=true +ProtectControlGroups=true
+RestrictRealtime=true +RestrictRealtime=true
+# end of automatic additions +# end of automatic additions
Type=forking PIDFile=@@RUNDIR@@/pesign.pid
PIDFile=/run/pesign.pid ExecStart=/usr/bin/pesign --daemonize --nofork
ExecStart=/usr/bin/pesign --daemonize ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize

3
pesign-113.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0dfb14e6f79288b7983344b88b14f83b0267c002f563e38171f935af107d0132
size 103471

BIN
pesign-116.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

12
pesign-boo1143063-remove-var-tracking.patch
View File

@ -1,8 +1,8 @@
diff --git a/Make.defaults b/Make.defaults Index: pesign-115/Make.defaults
index 7892d73..2d18005 100644 ===================================================================
--- a/Make.defaults --- pesign-115.orig/Make.defaults
+++ b/Make.defaults +++ pesign-115/Make.defaults
@@ -47,7 +47,7 @@ cflags = $(CFLAGS) $(ARCH3264) \ @@ -69,7 +69,7 @@ cflags = $(CFLAGS) $(ARCH3264) \
$(call pkg-config-cflags) $(call pkg-config-cflags)
clang_ccldflags = clang_ccldflags =
gcc_ccldflags = -fno-merge-constants \ gcc_ccldflags = -fno-merge-constants \
@ -10,4 +10,4 @@ index 7892d73..2d18005 100644
+ -fvar-tracking-assignments -fkeep-inline-functions \ + -fvar-tracking-assignments -fkeep-inline-functions \
-Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \ -Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \
-Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \ -Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \
-Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -pie

39
pesign-boo1158197-fix-pesigncheck-gcc10.patch
View File

@ -1,39 +0,0 @@
From b0b740f38da6d4584417d65a7c97fd4faf982cf6 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 4 Dec 2019 10:28:28 +0800
Subject: [PATCH] pesigcheck: remove superfluous type settings
When setting the type of reason in check_signature(), the type was
accidentally set as "siBuffer". Since the type is already set as
"SIGNATURE", we only need to remove those two lines of code.
Fixes: https://github.com/rhboot/pesign/issues/55
Signed-off-by: Gary Lin <glin@suse.com>
---
src/pesigcheck.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 524cce3..d197c30 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -318,7 +318,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
nreason += 1;
is_invalid = true;
}
@@ -330,7 +329,6 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
reason->type = SIGNATURE;
reason->sig.data = data;
reason->sig.len = datalen;
- reason->type = siBuffer;
nreason += 1;
has_valid_cert = true;
}
--
2.24.0

30
pesign-boo1185663-set-rpmmacrodir.patch
View File

@ -1,27 +1,27 @@
diff --git a/Make.defaults b/Make.defaults Index: pesign-115/Make.defaults
index 2d18005..7ecba00 100644 ===================================================================
--- a/Make.defaults --- pesign-115.orig/Make.defaults
+++ b/Make.defaults +++ pesign-115/Make.defaults
@@ -11,6 +11,7 @@ includedir ?= $(prefix)include/ @@ -13,6 +13,7 @@ rundir ?= /run/
bindir ?= $(prefix)bin/ rundir := $(abspath $(rundir))/
pcdir ?= $(libdir)pkgconfig/ pcdir ?= $(libdir)pkgconfig/
docdir ?= $(prefix)share/doc/ docdir ?= $(prefix)share/doc/
+rpmmacrodir ?= /etc/rpm/ +rpmmacrodir ?= /etc/rpm/
DESTDIR ?= DESTDIR ?=
INSTALLROOT = $(DESTDIR) INSTALLROOT = $(DESTDIR)
diff --git a/src/Makefile b/src/Makefile Index: pesign-115/src/Makefile
index 5fb2841..ca546a3 100644 ===================================================================
--- a/src/Makefile --- pesign-115.orig/src/Makefile
+++ b/src/Makefile +++ pesign-115/src/Makefile
@@ -90,8 +90,8 @@ install : @@ -88,8 +88,8 @@ install :
$(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)$(mandir)man1/ $(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/
$(INSTALL) -m 644 authvar.1 $(INSTALLROOT)$(mandir)man1/ $(INSTALL) -d -m 755 $(INSTALLROOT)$(mandir)man1/
$(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/ $(INSTALL) -m 644 $(MAN1TARGETS) $(INSTALLROOT)$(mandir)man1/
- $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
- $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir) + $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
+ $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir) + $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/

22
pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
View File

@ -11,15 +11,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
src/pesign.service.in | 1 + src/pesign.service.in | 1 +
1 file changed, 1 insertion(+) 1 file changed, 1 insertion(+)
diff --git a/src/pesign.service.in b/src/pesign.service.in Index: pesign-116/src/pesign.service.in
index 87accee..8542c63 100644 ===================================================================
--- a/src/pesign.service.in --- pesign-116.orig/src/pesign.service.in
+++ b/src/pesign.service.in +++ pesign-116/src/pesign.service.in
@@ -20,3 +20,4 @@ Type=forking @@ -18,6 +18,7 @@ RestrictRealtime=true
PIDFile=/run/pesign.pid # end of automatic additions
ExecStart=/usr/bin/pesign --daemonize PIDFile=@@RUNDIR@@/pesign.pid
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize ExecStart=/usr/bin/pesign --daemonize --nofork
+ReadWritePaths=/etc/pki/pesign/ +ReadWritePaths=/etc/pki/pesign/
--
2.35.3 [Install]
WantedBy=multi-user.target

91
pesign-bsc1202933-Remove-pesign-authorize.patch Normal file
View File

@ -0,0 +1,91 @@
From 09a41248f9f867e9aaf06e890621c392d36b52ec Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 31 Jan 2023 10:00:18 -0500
Subject: [PATCH] Remove pesign-authorize
The onus of correct file/directory permissions should be a configuration
and systems administration issue, not pesign's.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/.gitignore | 1 -
src/Makefile | 3 +--
src/pesign-authorize.in | 13 -------------
src/pesign.service.in | 1 -
src/pesign.sysvinit.in | 1 -
5 files changed, 1 insertion(+), 18 deletions(-)
delete mode 100644 src/pesign-authorize.in
Index: pesign-116/src/.gitignore
===================================================================
--- pesign-116.orig/src/.gitignore
+++ pesign-116/src/.gitignore
@@ -10,5 +10,4 @@ peverify
pesign.service
pesign.sysvinit
pesign-rpmbuild-helper
-pesign-authorize
tmpfiles.conf
Index: pesign-116/src/Makefile
===================================================================
--- pesign-116.orig/src/Makefile
+++ pesign-116/src/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen pesigcheck pesign \
- pesign-rpmbuild-helper pesign-authorize pesum
+ pesign-rpmbuild-helper pesum
CFGTARGETS=tmpfiles.conf
SVCTARGETS=pesign.sysvinit pesign.service
MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1
@@ -99,7 +99,6 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir)
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir)
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
Index: pesign-116/src/pesign-authorize.in
===================================================================
--- pesign-116.orig/src/pesign-authorize.in
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-set -e
-set -u
-
-# License: GPLv2
-
-# This script is deprecated and will be removed in a future release.
-
-sleep 3
-for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
- chown -R pesign:pesign "${x}" || true
- chmod -R ug+rwX "${x}" || true
-done
Index: pesign-116/src/pesign.service.in
===================================================================
--- pesign-116.orig/src/pesign.service.in
+++ pesign-116/src/pesign.service.in
@@ -18,7 +18,6 @@ RestrictRealtime=true
# end of automatic additions
PIDFile=@@RUNDIR@@/pesign.pid
ExecStart=/usr/bin/pesign --daemonize --nofork
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
[Install]
WantedBy=multi-user.target
Index: pesign-116/src/pesign.sysvinit.in
===================================================================
--- pesign-116.orig/src/pesign.sysvinit.in
+++ pesign-116/src/pesign.sysvinit.in
@@ -30,7 +30,6 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- @@LIBEXECDIR@@/pesign/pesign-authorize
}
stop(){

81
pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
View File

@ -1,81 +0,0 @@
From cf116c5fc6a98f28144ea0409988a83b22289439 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 18 Jan 2023 14:00:22 -0500
Subject: [PATCH] Use normal file permissions instead of ACLs
Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
pesign-authorize is now deprecated and will be removed in a future
release.
Resolves: CVE-2022-3560
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
src/pesign-authorize | 53 +++++---------------------------------------
1 file changed, 5 insertions(+), 48 deletions(-)
Index: pesign-113/src/pesign-authorize
===================================================================
--- pesign-113.orig/src/pesign-authorize
+++ pesign-113/src/pesign-authorize
@@ -2,55 +2,12 @@
set -e
set -u
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
# License: GPLv2
-declare -a fileusers=()
-declare -a dirusers=()
-for user in $(cat /etc/pesign/users); do
- dirusers[${#dirusers[@]}]=-m
- dirusers[${#dirusers[@]}]="u:$user:rwx"
- fileusers[${#fileusers[@]}]=-m
- fileusers[${#fileusers[@]}]="u:$user:rw"
-done
-
-declare -a filegroups=()
-declare -a dirgroups=()
-for group in $(cat /etc/pesign/groups); do
- dirgroups[${#dirgroups[@]}]=-m
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
- filegroups[${#filegroups[@]}]=-m
- filegroups[${#filegroups[@]}]="g:$group:rw"
-done
-
-update_subdir() {
- subdir=$1 && shift
- setfacl -bk "${subdir}"
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
- for x in "${subdir}"* ; do
- if [ -d "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
- update_subdir "${x}/"
- elif [ -e "${x}" ]; then
- setfacl -bk ${x}
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
- else
- :;
- fi
- done
-}
+# This script is deprecated and will be removed in a future release.
-for x in /run/pesign/ /etc/pki/pesign*/ ; do
- if [ -d "${x}" ]; then
- update_subdir "${x}"
- else
- :;
- fi
+sleep 3
+for x in /run/pesign/ /etc/pki/pesign/ ; do
+ chown -R pesign:pesign "${x}" || true
+ chmod -R ug+rwX "${x}" || true
done

45
pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
View File

@ -1,45 +0,0 @@
From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2019 11:28:38 -0400
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
NSS 3.44 adds some certificate types, which changes a type and makes
some encoding stuff weird. As a result, we get:
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
In file included from /usr/local/include/nss/nss/cert.h:22,
from efikeygen.c:39:
efikeygen.c: In function 'add_cert_type':
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
^
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
unsigned char type = NS_CERT_TYPE_APP;
^~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
This is fixed by just making it an int.
Fixes github issue #48.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/efikeygen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/efikeygen.c b/src/efikeygen.c
index ede76ef..2cd953e 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -208,7 +208,7 @@ static int
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
{
SECItem bitStringValue;
- unsigned char type = NS_CERT_TYPE_APP;
+ int type = NS_CERT_TYPE_APP;
if (is_ca)
type |= NS_CERT_TYPE_SSL_CA |
--
2.22.0

36
pesign-fix-authvar-write-loop.patch
View File

@ -12,32 +12,11 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
src/authvar_context.c | 16 +++++++--------- src/authvar_context.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-) 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/src/authvar_context.c b/src/authvar_context.c Index: pesign-115/src/authvar_context.c
index 7a753fc..c51c666 100644 ===================================================================
--- a/src/authvar_context.c --- pesign-115.orig/src/authvar_context.c
+++ b/src/authvar_context.c +++ pesign-115/src/authvar_context.c
@@ -20,6 +20,7 @@ @@ -151,6 +151,7 @@ write_authvar(authvar_context *ctx)
#include "fix_coverity.h"
#include <unistd.h>
+#include <stddef.h>
#include <sys/mman.h>
#include <prerror.h>
@@ -135,11 +136,7 @@ generate_descriptor(authvar_context *ctx)
if (rc < 0)
cmsreterr(-1, ctx->cms_ctx, "could not create signed data");
-#if __WORDSIZE == 64
- offset = (uint64_t) &((win_cert_uefi_guid_t *)0)->data;
-#else
- offset = (uint32_t) &((win_cert_uefi_guid_t *)0)->data;
-#endif
+ offset = offsetof(win_cert_uefi_guid_t, data);
authinfo = calloc(offset + sd_der.len, 1);
if (!authinfo)
cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo");
@@ -162,6 +159,7 @@ write_authvar(authvar_context *ctx)
void *buffer, *ptr; void *buffer, *ptr;
size_t buf_len, des_len, remain; size_t buf_len, des_len, remain;
ssize_t wlen; ssize_t wlen;
@ -45,7 +24,7 @@ index 7a753fc..c51c666 100644
if (!ctx->authinfo) if (!ctx->authinfo)
cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar"); cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar");
@@ -189,19 +187,19 @@ write_authvar(authvar_context *ctx) @@ -179,19 +180,19 @@ write_authvar(authvar_context *ctx)
if (ctx->value_size > 0) if (ctx->value_size > 0)
memcpy(ptr, ctx->value, ctx->value_size); memcpy(ptr, ctx->value, ctx->value_size);
@ -69,6 +48,3 @@ index 7a753fc..c51c666 100644
} while (remain > 0); } while (remain > 0);
free(buffer); free(buffer);
--
2.21.0

29
pesign-fix-cert-match-check.patch Normal file
View File

@ -0,0 +1,29 @@
From a6062702e9f0002b86759f6cd14da6d78de99f22 Mon Sep 17 00:00:00 2001
From: Huaxin Lu <luhuaxin1@huawei.com>
Date: Fri, 11 Nov 2022 11:20:35 +0800
Subject: [PATCH] cms_common: fix cert match check
In find_certificate_by_callback(), the match() returns 1
when cert subject is matched.
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
---
src/cms_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 24576f2..cf572ca 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -872,7 +872,7 @@ find_certificate_by_callback(cms_context *cms,
continue;
int rc = match(tmpnode->cert, cbdata);
- if (rc == 0) {
+ if (rc == 1) {
node = tmpnode;
break;
}
--
2.35.3

29
pesign-fix-efikeygen-segfault.patch Normal file
View File

@ -0,0 +1,29 @@
From 227435af461f38fc4abeafe02884675ad4b1feb4 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Mon, 20 Feb 2023 15:26:20 +0100
Subject: [PATCH] cms_common: Fixed Segmentation fault
When running efikeygen, the binary crashes with a segfault due
to dereferencing a **ptr instead of a *ptr.
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
src/cms_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index 44e5cca..4f4707b 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -957,7 +957,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms,
if (!ias)
cnreterr(-1, cms, "invalid issuer and serial number");
- return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert);
+ return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert);
}
int
--
2.35.3

81
pesign-privkey_unneeded.diff
View File

@ -1,81 +0,0 @@
---
src/cms_common.c | 12 ++++++++++--
src/cms_common.h | 1 +
src/pesign.c | 1 +
3 files changed, 12 insertions(+), 2 deletions(-)
Index: pesign-113/src/cms_common.c
===================================================================
--- pesign-113.orig/src/cms_common.c
+++ pesign-113/src/cms_common.c
@@ -282,6 +282,7 @@ struct cbdata {
CERTCertificate *cert;
PK11SlotListElement *psle;
secuPWData *pwdata;
+ int privkey_unneeded;
};
static SECStatus
@@ -293,6 +294,12 @@ is_valid_cert(CERTCertificate *cert, voi
void *pwdata = cbdata->pwdata;
SECKEYPrivateKey *privkey = NULL;
+
+ if (cbdata->privkey_unneeded) {
+ cbdata->cert = cert;
+ return SECSuccess;
+ }
+
privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata);
if (privkey != NULL) {
cbdata->cert = cert;
@@ -423,7 +430,7 @@ find_certificate(cms_context *cms, int n
}
SECStatus status;
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
if (status != SECSuccess) {
PK11_DestroySlotListElement(slots, &psle);
@@ -452,6 +459,7 @@ find_certificate(cms_context *cms, int n
.cert = NULL,
.psle = psle,
.pwdata = pwdata,
+ .privkey_unneeded = cms->privkey_unneeded,
};
if (needs_private_key) {
@@ -572,7 +580,7 @@ find_named_certificate(cms_context *cms,
}
SECStatus status;
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
if (status != SECSuccess) {
PK11_DestroySlotListElement(slots, &psle);
Index: pesign-113/src/cms_common.h
===================================================================
--- pesign-113.orig/src/cms_common.h
+++ pesign-113/src/cms_common.h
@@ -62,6 +62,7 @@ typedef int (*cms_common_logger)(struct
typedef struct cms_context {
PRArenaPool *arena;
void *privkey;
+ int privkey_unneeded;
char *tokenname;
char *certname;
Index: pesign-113/src/file_pe.c
===================================================================
--- pesign-113.orig/src/file_pe.c
+++ pesign-113/src/file_pe.c
@@ -354,6 +354,7 @@ pe_handle_action(pesign_context *ctxp, i
*/
case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
check_inputs(ctxp);
+ ctxp->cms_ctx->privkey_unneeded = 1;
rc = find_certificate(ctxp->cms_ctx, 0);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "

94
pesign-run.patch
View File

@ -1,94 +0,0 @@
---
src/Makefile | 2 +-
src/daemon.h | 4 ++--
src/macros.pesign | 2 +-
src/pesign.sysvinit | 14 +++++++-------
src/tmpfiles.conf | 2 +-
5 files changed, 12 insertions(+), 12 deletions(-)
Index: pesign-113/src/Makefile
===================================================================
--- pesign-113.orig/src/Makefile
+++ pesign-113/src/Makefile
@@ -73,7 +73,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
Index: pesign-113/src/daemon.h
===================================================================
--- pesign-113.orig/src/daemon.h
+++ pesign-113/src/daemon.h
@@ -49,8 +49,8 @@ typedef enum {
} pesignd_cmd;
#define PESIGND_VERSION 0x2a9edaf0
-#define SOCKPATH "/var/run/pesign/socket"
-#define PIDFILE "/var/run/pesign.pid"
+#define SOCKPATH "/run/pesign/socket"
+#define PIDFILE "/run/pesign.pid"
static inline uint32_t UNUSED
pesignd_string_size(char *buffer)
Index: pesign-113/src/macros.pesign
===================================================================
--- pesign-113.orig/src/macros.pesign
+++ pesign-113/src/macros.pesign
@@ -52,7 +52,7 @@
getfacl /var/run/pesign 1>&2 \
getfacl /var/run/pesign/socket 1>&2 \
exit 1 \
- elif [ -S /var/run/pesign/socket ]; then \
+ elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
Index: pesign-113/src/tmpfiles.conf
===================================================================
--- pesign-113.orig/src/tmpfiles.conf
+++ pesign-113/src/tmpfiles.conf
@@ -1 +1 @@
-D /var/run/pesign 0770 pesign pesign -
+D /run/pesign 0770 pesign pesign -
Index: pesign-113/src/pesign.sysvinit.in
===================================================================
--- pesign-113.orig/src/pesign.sysvinit.in
+++ pesign-113/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
#
# chkconfig: - 50 50
# processname: /usr/bin/pesign
-# pidfile: /var/run/pesign.pid
+# pidfile: /run/pesign.pid
### BEGIN INIT INFO
# Provides: pesign
# Should-Start: $remote_fs
Index: pesign-113/src/pesign.service.in
===================================================================
--- pesign-113.orig/src/pesign.service.in
+++ pesign-113/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
[Service]
PrivateTmp=true
Type=forking
-PIDFile=/var/run/pesign.pid
+PIDFile=/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
Index: pesign-113/src/pesign-authorize
===================================================================
--- pesign-113.orig/src/pesign-authorize
+++ pesign-113/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
done
}
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
if [ -d "${x}" ]; then
update_subdir "${x}"
else

44
pesign-skip-auth-on-friendly-slot.patch Normal file
View File

@ -0,0 +1,44 @@
From 616ec5f25adbde1a4bd78cdcacd6dcd7ecfa5a5c Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 22 Dec 2022 13:49:34 +0800
Subject: [PATCH] cms_common: skip authentication on the 'Friendly' slot
When finding a certificate in a 'Friendly' slot without the need of the
private key, it is not necessary to authenticate the slot.
For example, when the signed attributes and the raw signature are
created in a server and the user has the certificate, signkey.x509, and
tries to import them into myapp.efi:
$ certutil -N -d nssdb -f passwd
$ certutil -A -d nssdb -f passwd -n signkey -t CT,CT,CT \
-i signkey.x509
$ pesign -n nssdb -c signkey -i myapp.efi -o myapp.efi.signed \
-d sha256 -I myapp.sattr -R myapp.sig
Since the "signkey" is 'Friendly', i.e. publicly readable, and the
private key is not needed, we can just skip the authentication and find
"signkey" in the slot.
Signed-off-by: Gary Lin <glin@suse.com>
---
src/cms_common.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index cf572ca..44e5cca 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -628,7 +628,8 @@ find_certificate(cms_context *cms, int needs_private_key)
int errnum;
SECStatus status;
- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms)) {
+ if ((needs_private_key || !PK11_IsFriendly(psle->slot)) &&
+ (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms))) {
status = PK11_Authenticate(psle->slot, PR_TRUE, cms);
if (status != SECSuccess) {
save_port_err() {
--
2.35.3

60
pesign-suse-build.patch
View File

@ -1,7 +1,7 @@
Index: pesign-113/util/Makefile Index: pesign-116/util/Makefile
=================================================================== ===================================================================
--- pesign-113.orig/util/Makefile --- pesign-116.orig/util/Makefile
+++ pesign-113/util/Makefile +++ pesign-116/util/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules @@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules
include $(TOPDIR)/Make.defaults include $(TOPDIR)/Make.defaults
@ -17,18 +17,18 @@ Index: pesign-113/util/Makefile
install : install :
- $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/ - $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/
- $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/ - $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/ + $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/sles/
+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/ + $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/sles/
install_systemd: install_systemd:
Index: pesign-113/src/pesign.sysvinit.in Index: pesign-116/src/pesign.sysvinit.in
=================================================================== ===================================================================
--- pesign-113.orig/src/pesign.sysvinit.in --- pesign-116.orig/src/pesign.sysvinit.in
+++ pesign-113/src/pesign.sysvinit.in +++ pesign-116/src/pesign.sysvinit.in
@@ -6,16 +6,19 @@ @@ -6,16 +6,19 @@
# processname: /usr/bin/pesign # processname: /usr/bin/pesign
# pidfile: /var/run/pesign.pid # pidfile: @@RUNDIR@@pesign.pid
### BEGIN INIT INFO ### BEGIN INIT INFO
-# Provides: pesign -# Provides: pesign
-# Default-Start: -# Default-Start:
@ -46,50 +46,28 @@ Index: pesign-113/src/pesign.sysvinit.in
-. /etc/init.d/functions -. /etc/init.d/functions
[ -f /usr/bin/pesign ] || exit 1 [ -f /usr/bin/pesign ] || exit 1
+PESIGN_PIDFILE=/var/run/pesign.pid +PESIGN_PIDFILE=@@RUNDIR@@pesign.pid
RETVAL=0 RETVAL=0
start(){ start(){
@@ -23,7 +26,7 @@ start(){ @@ -23,7 +26,7 @@ start(){
mkdir /var/run/pesign 2>/dev/null && mkdir @@RUNDIR@@pesign 2>/dev/null &&
chown pesign:pesign /var/run/pesign && chown pesign:pesign @@RUNDIR@@pesign &&
chmod 0770 /var/run/pesign chmod 0770 @@RUNDIR@@pesign
- daemon /usr/bin/pesign --daemonize - daemon /usr/bin/pesign --daemonize
+ startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize + startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize
RETVAL=$? RETVAL=$?
echo echo
touch /var/lock/subsys/pesign touch /var/lock/subsys/pesign
@@ -32,7 +35,7 @@ start(){ Index: pesign-116/Makefile
stop(){
echo -n "Stopping pesign: "
- killproc -p /var/run/pesign.pid pesignd
+ killproc -p /run/pesign.pid pesignd
RETVAL=$?
echo
rm -f /var/lock/subsys/pesign
Index: pesign-113/Make.defaults
=================================================================== ===================================================================
--- pesign-113.orig/Make.defaults --- pesign-116.orig/Makefile
+++ pesign-113/Make.defaults +++ pesign-116/Makefile
@@ -61,7 +61,7 @@ CPPFLAGS ?=
RANLIBFLAGS := $(if $(filter $(CC),gcc),-D)
ARFLAGS := $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
-LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
+LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs)
ifeq ($(ARCH),ia64)
efi_cflags += -mfixed-range=f32-f127
Index: pesign-113/Makefile
===================================================================
--- pesign-113.orig/Makefile
+++ pesign-113/Makefile
@@ -11,7 +11,6 @@ SUBDIRS := include libdpe src @@ -11,7 +11,6 @@ SUBDIRS := include libdpe src
install : install :
$(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ $(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
- $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ - $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/
@set -e ; for x in $(SUBDIRS) ; do \ @$(call descend)
$(MAKE) -C $$x $@ ; \
done install_systemd install_sysvinit : install

57
pesign.changes
View File

@ -1,3 +1,60 @@
-------------------------------------------------------------------
Wed Feb 22 08:05:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update to 116
+ daemon: remove always-true comparison
+ pesum - add a new tool to the shed
+ Fix building signed kernels on setups other than koji
+ Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
+ macros.pesign: handle centos like rhel with --rhelver
+ Detect the presence of rpm-sign when checking for "rhel"-ness
+ Fix typo in efikeygen command
+ pesigcheck: Fix crash on digest match
+ cms: store digest as pointer instead of index
+ Fix mandoc invocation to not produce garbage
+ Password fixes
+ Re-work CMS's selected_digest again...
+ src/certs/make-certs: delete the duplicate codes
+ Free resources if certification cannot be found
+ macros: drop %{_pesign_args}
+ Fix two bugs from package building
+ Fix bad free of cms data (DoS only)
+ Send pesign stdout/err to systemd journal
+ Add missing Install section
+ Add default packages for pkg-config
+ Short delay to ensure /run/pesign/socket exists
+ Resolve crash when signature that is removed is not the end of
the list
+ Enhance error diagnostics about version mismatch
+ Upstream all Fedora changes
+ Add some hardening options to build
+ Add code of conduct
+ Fix build on gcc 12 and non-Fedora
- Add BuildRequires efivar-devel >= 38 for efisec.h
+ efisiglist is replaced by efisecdb in efivar 38
- Add BuildRequires mandoc to generate the manpages
- Replace pesign-privkey_unneeded.diff with
pesign-skip-auth-on-friendly-slot.patch to avoid the unnecessary
authentication
- Add pesign-fix-cert-match-check.patch to fix the subject name
matching
- Add pesign-fix-efikeygen-segfault.patch to fix the potential
crash when executing efikeygen
- Add pesign-bsc1202933-Remove-pesign-authorize.patch to remove
pesign-authorize completely (bsc#1202933)
- Refresh patches
+ harden_pesign.service.patch
+ pesign-boo1143063-remove-var-tracking.patch
+ pesign-boo1185663-set-rpmmacrodir.patch
+ pesign-fix-authvar-write-loop.patch
+ pesign-suse-build.patch
+ pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
- Remove upstreamed/unnecessary patches
+ pesign-boo1158197-fix-pesigncheck-gcc10.patch
+ pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
+ pesign-run.patch
+ pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 7 07:37:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com> Tue Feb 7 07:37:20 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>

37
pesign.spec
View File

@ -17,7 +17,7 @@
Name: pesign Name: pesign
Version: 113 Version: 116
Release: 0 Release: 0
Summary: Signing tool for PE-COFF binaries Summary: Signing tool for PE-COFF binaries
License: GPL-3.0-or-later License: GPL-3.0-or-later
@ -27,25 +27,21 @@ Source: https://github.com/rhinstaller/pesign/releases/download/%{versio
Source1: pesign.sysusers Source1: pesign.sysusers
# PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service # PATCH-FIX-SUSE pesign-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
Patch1: pesign-suse-build.patch Patch1: pesign-suse-build.patch
# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature Patch2: pesign-skip-auth-on-friendly-slot.patch
Patch2: pesign-privkey_unneeded.diff
# PATCH-FIX-SUSE pesign-run.patch aj@suse.com - Use /run instead of /var/run
Patch3: pesign-run.patch
# PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar # PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar
Patch4: pesign-fix-authvar-write-loop.patch Patch3: pesign-fix-authvar-write-loop.patch
# PATCH-FIX-UPSTREAM pesign-efikeygen-Fix-the-build-with-nss-3.44.patch glin@suse.com -- Fix the NSS 3.44 compilation error
Patch5: pesign-efikeygen-Fix-the-build-with-nss-3.44.patch
# PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS # PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS
Patch6: pesign-boo1143063-remove-var-tracking.patch Patch4: pesign-boo1143063-remove-var-tracking.patch
# PATCH-FIX-UPSTREAM pesign-boo1158197-fix-pesigncheck-gcc10.patch glin@suse.com -- boo#1158197 Fix the gcc10 errors
Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch
# PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 glin@suse.com -- Set the rpm macro directory at build time
Patch8: pesign-boo1185663-set-rpmmacrodir.patch Patch5: pesign-boo1185663-set-rpmmacrodir.patch
Patch9: harden_pesign.service.patch Patch6: harden_pesign.service.patch
Patch10: pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch Patch7: pesign-bsc1202933-Remove-pesign-authorize.patch
Patch11: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch Patch8: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch
BuildRequires: efivar-devel Patch9: pesign-fix-cert-match-check.patch
Patch10: pesign-fix-efikeygen-segfault.patch
BuildRequires: efivar-devel >= 38
BuildRequires: libuuid-devel BuildRequires: libuuid-devel
BuildRequires: mandoc
BuildRequires: mozilla-nss-devel BuildRequires: mozilla-nss-devel
BuildRequires: pkg-config BuildRequires: pkg-config
BuildRequires: popt-devel BuildRequires: popt-devel
@ -71,10 +67,10 @@ with the PE and Authenticode specifications.
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1
%build %build
%sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf
export CPPFLAGS="%{optflags} -D_GLIBCXX_ASSERTIONS"
make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir} make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir}
%install %install
@ -115,22 +111,21 @@ systemd-tmpfiles --create %{_tmpfilesdir}/pesign.conf || :
%{_bindir}/pesign-client %{_bindir}/pesign-client
%{_bindir}/efikeygen %{_bindir}/efikeygen
%{_bindir}/pesigcheck %{_bindir}/pesigcheck
%{_bindir}/efisiglist
%{_bindir}/authvar %{_bindir}/authvar
%{_bindir}/pesum
%{_sbindir}/rcpesign %{_sbindir}/rcpesign
%dir %{_sysconfdir}/pesign %dir %{_sysconfdir}/pesign
%{_sysconfdir}/pesign/* %{_sysconfdir}/pesign/*
%dir %{_sysconfdir}/popt.d %dir %{_sysconfdir}/popt.d
%config %{_sysconfdir}/popt.d/pesign.popt %config %{_sysconfdir}/popt.d/pesign.popt
%{_sysconfdir}/pki/
%{_rpmmacrodir}/macros.pesign %{_rpmmacrodir}/macros.pesign
%{_mandir}/man?/* %{_mandir}/man?/*
%{_localstatedir}/lib/pesign
%{_unitdir}/pesign.service %{_unitdir}/pesign.service
%{_sysusersdir}/pesign.conf %{_sysusersdir}/pesign.conf
%{_tmpfilesdir}/pesign.conf %{_tmpfilesdir}/pesign.conf
%dir %{_libexecdir}/pesign %dir %{_libexecdir}/pesign
%{_libexecdir}/pesign/pesign-authorize %{_libexecdir}/pesign/pesign-rpmbuild-helper
%dir %{_sysconfdir}/pki/
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign
%ghost %dir %attr(0770,pesign,pesign) /run/%{name} %ghost %dir %attr(0770,pesign,pesign) /run/%{name}
%dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name} %dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name}