diff --git a/pesign-0.110.tar.bz2 b/pesign-0.110.tar.bz2
deleted file mode 100644
index d25c011..0000000
--- a/pesign-0.110.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a03499ffa181fea6086e1966476eccc05e3e014761ac300de1da27a44dba2281
-size 87420
diff --git a/pesign-0.111.tar.bz2 b/pesign-0.111.tar.bz2
new file mode 100644
index 0000000..ff1e495
--- /dev/null
+++ b/pesign-0.111.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b11951d06c999c5d7b0e98e6bdc50368b3a9878844b68631e3ef98780f677096
+size 90725
diff --git a/pesign-efivar-pkgconfig.patch b/pesign-efivar-pkgconfig.patch
deleted file mode 100644
index 40757e6..0000000
--- a/pesign-efivar-pkgconfig.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 2a1de2b6535161b1bd600ec2262e81e9f7aeffcc Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Tue, 26 May 2015 09:43:10 -0400
-Subject: [PATCH] Make efivar compiler parameters come from pkg-config.
-
-Signed-off-by: Peter Jones
----
- src/Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index 007505c..dd69425 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -3,8 +3,8 @@ TOPDIR = $(SRCDIR)/..
-
- include $(TOPDIR)/Make.defaults
-
--PKLIBS = nss
--LIBS = popt uuid efivar
-+PKLIBS = nss efivar
-+LIBS = popt uuid
- STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a
- LDFLAGS =
- CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) -pie -fPIE -Wl,-z,relro,-z,now
---
-2.1.4
-
diff --git a/pesign-fix-build-errors.patch b/pesign-fix-build-errors.patch
index 5b47f2e..98ead05 100644
--- a/pesign-fix-build-errors.patch
+++ b/pesign-fix-build-errors.patch
@@ -1,7 +1,7 @@ -diff --git a/src/daemon.c b/src/daemon.c -index c14b64b..5652ba1 100644 ---- a/src/daemon.c -+++ b/src/daemon.c +Index: pesign-0.111/src/daemon.c +=================================================================== +--- pesign-0.111.orig/src/daemon.c ++++ pesign-0.111/src/daemon.c @@ -544,7 +544,11 @@ malformed: if (rc < 0) { err_attached: @@ -55,7 +55,7 @@ index c14b64b..5652ba1 100644 } finish: -@@ -1182,7 +1199,12 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork) +@@ -1182,7 +1199,12 @@ daemonize(cms_context *cms_ctx, char *ce exit(1); } @@ -69,11 +69,11 @@ index c14b64b..5652ba1 100644 if (getuid() == 0) { /* process is running as root, drop privileges */ -diff --git a/src/password.c b/src/password.c -index 43186df..9a9c911 100644 ---- a/src/password.c -+++ b/src/password.c -@@ -76,7 +76,8 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt, +Index: pesign-0.111/src/password.c +=================================================================== +--- pesign-0.111.orig/src/password.c ++++ pesign-0.111/src/password.c +@@ -76,7 +76,8 @@ static char *SEC_GetPassword(FILE *input echoOff(infd); } @@ -83,10 +83,10 @@ index 43186df..9a9c911 100644 if (isTTY) { fprintf(output, "\n"); -diff --git a/src/pesign.c b/src/pesign.c -index ff4f2bf..40a1e43 100644 ---- a/src/pesign.c -+++ b/src/pesign.c +Index: pesign-0.111/src/pesign.c +=================================================================== +--- pesign-0.111.orig/src/pesign.c ++++ pesign-0.111/src/pesign.c @@ -164,9 +164,15 @@ open_output(pesign_context *ctx) addr = pe_rawfile(ctx->inpe, &size); 
@@ -98,18 +98,18 @@ index ff4f2bf..40a1e43 100644 + } lseek(ctx->outfd, 0, SEEK_SET); - write(ctx->outfd, addr, size); -+ if (write(ctx->outfd, addr, size) != size) { ++ if ((size_t)write(ctx->outfd, addr, size) != size) { + fprintf(stderr, "pesign: could not write output file: %m\n"); + exit(1); + } Pe_Cmd cmd = ctx->outfd == STDOUT_FILENO ? PE_C_RDWR : PE_C_RDWR_MMAP; ctx->outpe = pe_begin(ctx->outfd, cmd, NULL); -diff --git a/src/signed_data.c b/src/signed_data.c -index 2fa1cdd..247ec57 100644 ---- a/src/signed_data.c -+++ b/src/signed_data.c -@@ -133,6 +133,7 @@ generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, S +Index: pesign-0.111/src/signed_data.c +=================================================================== +--- pesign-0.111.orig/src/signed_data.c ++++ pesign-0.111/src/signed_data.c +@@ -133,6 +133,7 @@ generate_signerInfo_list(cms_context *cm SpcSignerInfo **signerInfo_list; int err, rc; diff --git a/pesign-fix-import-sig-check.patch b/pesign-fix-import-sig-check.patch deleted file mode 100644 index f1e9afa..0000000 --- a/pesign-fix-import-sig-check.patch +++ /dev/null 
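Review bot: Casting the `write()` result in `if ((size_t)write(ctx->outfd, addr, size) != size)` quiets the sign-compare warning but sends both the `-1` error return and a short write into the same branch, and `%m` in the message only carries a meaningful errno for the former. Holding the result in a signed variable keeps the two cases apart: `ssize_t wrc = write(ctx->outfd, addr, size);` followed by `if (wrc < 0 || (size_t)wrc != size) {`. The `lseek(ctx->outfd, 0, SEEK_SET)` just above is still unchecked, even though this patch adds checks to the calls around it. open_output() continues outside the hunk.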
@@ -1,30 +0,0 @@
-From b5f822be1da9c8e4f6e04286b4b7ab73165478ab Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin
-Date: Tue, 25 Nov 2014 15:28:40 +0800
-Subject: [PATCH] Correct the signature size check
-
-Signed-off-by: Gary Ching-Pang Lin
----
- src/actions.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/actions.c b/src/actions.c
-index 74a34e3..44c9675 100644
---- a/src/actions.c
-+++ b/src/actions.c
-@@ -416,10 +416,9 @@ check_signature_space(pesign_context *ctx)
- ssize_t available = available_cert_space(ctx->outpe);
- ssize_t target = ctx->cms_ctx->newsig.len + sizeof (win_certificate);
-
-- if (available == target)
-- return;
-+ target += ALIGNMENT_PADDING(target, 8);
-
-- if (target + 8 > available)
-+ if (available >= target)
- return;
-
- fprintf(stderr, "Could not add new signature: insufficient space.\n");
---
-2.1.2
-
diff --git a/pesign-fix-signness.patch b/pesign-fix-signness.patch
new file mode 100644
index 0000000..3cdf491
--- /dev/null
+++ b/pesign-fix-signness.patch
@@ -0,0 +1,71 @@
+From ae2520e013caf4f5d0dae89623dc08925d6cd472 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 28 Oct 2015 15:58:07 -0400
+Subject: [PATCH] Fix one more -Wsign-compare problem I missed.
+
+Signed-off-by: Peter Jones
+---
+ src/daemon.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index 02b7352..175c874 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -194,7 +194,7 @@ malformed:
+ return;
+ }
+ n -= sizeof(tn->size);
+- if (n < tn->size)
++ if ((size_t)n < tn->size)
+ goto malformed;
+ n -= tn->size;
+
+@@ -202,10 +202,10 @@ malformed:
+ goto malformed;
+
+ pesignd_string *tp = pesignd_string_next(tn);
+- if (n < (long long)sizeof(tp->size))
++ if ((size_t)n < sizeof(tp->size))
+ goto malformed;
+ n -= sizeof(tp->size);
+- if (n < tp->size)
++ if ((size_t)n < tp->size)
+ goto malformed;
+ n -= tp->size;
+
+@@ -298,7 +298,7 @@ malformed:
+ return;
+ }
+ n -= sizeof(tn->size);
+- if (n < tn->size)
++ if ((size_t)n < tn->size)
+ goto malformed;
+ n -= tn->size;
+
+@@ -487,7 +487,7 @@ malformed:
+ }
+
+ n -= sizeof(tn->size);
+- if (n < tn->size)
++ if ((size_t)n < tn->size)
+ goto malformed;
+ n -= tn->size;
+
+@@ -497,11 +497,11 @@ malformed:
+ if (!ctx->cms->tokenname)
+ goto oom;
+
+- if (n < (long long)sizeof(tn->size))
++ if ((size_t)n < sizeof(tn->size))
+ goto malformed;
+ pesignd_string *cn = pesignd_string_next(tn);
+ n -= sizeof(cn->size);
+- if (n < cn->size)
++ if ((size_t)n < cn->size)
+ goto malformed;
+
+ ctx->cms->certname = PORT_ArenaStrdup(ctx->cms->arena,
+--
+2.6.2
+
diff --git a/pesign-install-supplementary-programs.patch b/pesign-install-supplementary-programs.patch
deleted file mode 100644
index 87befb5..0000000
--- a/pesign-install-supplementary-programs.patch
+++ /dev/null
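Review bot: The `(size_t)n` casts turn a negative `n` into a very large unsigned value, so a length check passes instead of reaching `malformed`; this matters most in the inner hunks at -202 and -497, where the replaced `n < (long long)sizeof(tp->size)` was a signed comparison that rejected a negative `n`. The declaration of `n` and the checks ahead of the first `n -= sizeof(tn->size)` lie outside these hunks, so whether `n` can actually go negative needs confirming against the full functions; if it can, the daemon would go on to trust a length field from a truncated request. A form that silences the warning and keeps the rejection is `if (n < 0 || (size_t)n < tn->size)`, applied to each of the seven comparisons. In the -497 hunk the guard tests `sizeof(tn->size)` while the next statement subtracts `sizeof(cn->size)`; presumably the same size, but naming `cn` in the check would make the pairing explicit.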
@@ -1,23 +0,0 @@
-diff --git a/src/Makefile b/src/Makefile
-index 4c86a2a..062b544 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -79,14 +79,16 @@ install :
- $(INSTALL) -m 755 pesign $(INSTALLROOT)$(PREFIX)/bin/
- $(INSTALL) -m 755 client $(INSTALLROOT)$(PREFIX)/bin/pesign-client
- $(INSTALL) -m 755 efikeygen $(INSTALLROOT)$(PREFIX)/bin/
-- #$(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(PREFIX)/bin/
-+ $(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(PREFIX)/bin/
-+ $(INSTALL) -m 755 efisiglist $(INSTALLROOT)$(PREFIX)/bin/
-+ $(INSTALL) -m 755 authvar $(INSTALLROOT)$(PREFIX)/bin/
- $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/popt.d/
- $(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/
- $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/share/man/man1/
- $(INSTALL) -m 644 pesign.1 $(INSTALLROOT)/usr/share/man/man1/
- $(INSTALL) -m 644 pesign-client.1 $(INSTALLROOT)/usr/share/man/man1/
- $(INSTALL) -m 644 efikeygen.1 $(INSTALLROOT)/usr/share/man/man1/
-- #$(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)/usr/share/man/man1/
-+ $(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)/usr/share/man/man1/
- $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
- $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
-
diff --git a/pesign-make-efi_guid_t-const.patch b/pesign-make-efi_guid_t-const.patch
deleted file mode 100644
index 62497fa..0000000
--- a/pesign-make-efi_guid_t-const.patch
+++ /dev/null
@@ -1,107 +0,0 @@ -From 727f93f8ea3dc467694d541d28ba4f1ed0e0a671 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 7 Nov 2014 14:09:41 -0500 -Subject: [PATCH] make efi_guid_t's const. - -Signed-off-by: Peter Jones ---- - src/cms_common.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/cms_common.c b/src/cms_common.c -index a360961..7e032c8 100644 ---- a/src/cms_common.c -+++ b/src/cms_common.c -@@ -45,7 +45,7 @@ struct digest_param { - SECOidTag digest_tag; - SECOidTag signature_tag; - SECOidTag digest_encryption_tag; -- efi_guid_t *efi_guid; -+ const efi_guid_t *efi_guid; - int size; - }; - --- -2.1.4 - -From ac9de615112114e222527b2eabc9b7f2642f01fe Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 26 May 2015 09:42:32 -0400 -Subject: [PATCH] Propogate some "const" declarations better. - -Signed-off-by: Peter Jones ---- - src/efisiglist.c | 2 +- - src/siglist.c | 8 ++++---- - src/siglist.h | 2 +- - 3 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/src/efisiglist.c b/src/efisiglist.c -index aedfc4c..a078640 100644 ---- a/src/efisiglist.c -+++ b/src/efisiglist.c -@@ -32,7 +32,7 @@ - - struct hash_param { - char *name; -- efi_guid_t *guid; -+ const efi_guid_t *guid; - int size; - }; - -diff --git a/src/siglist.c b/src/siglist.c -index 38a9a2a..a7154aa 100644 ---- a/src/siglist.c -+++ b/src/siglist.c -@@ -51,7 +51,7 @@ struct efi_signature_list { - }; - - struct signature_list { -- efi_guid_t *SignatureType; -+ const efi_guid_t *SignatureType; - uint32_t SignatureListSize; - uint32_t SignatureHeaderSize; - uint32_t SignatureSize; -@@ -60,7 +60,7 @@ struct signature_list { - }; - - struct sig_type { -- efi_guid_t *type; -+ const efi_guid_t *type; - uint32_t size; - }; - -@@ -78,7 +78,7 @@ static struct sig_type sig_types[] = { - static int num_sig_types = sizeof (sig_types) / sizeof (struct sig_type); - - static int32_t --get_sig_type_size(efi_guid_t *sig_type) -+get_sig_type_size(const efi_guid_t *sig_type) - { - 
for (int i = 0; i < num_sig_types; i++) { - if (!memcmp(sig_type, sig_types[i].type, sizeof (*sig_type))) -@@ -88,7 +88,7 @@ get_sig_type_size(efi_guid_t *sig_type) - } - - signature_list * --signature_list_new(efi_guid_t *SignatureType) -+signature_list_new(const efi_guid_t *SignatureType) - { - int32_t size = get_sig_type_size(SignatureType); - if (size < 0) -diff --git a/src/siglist.h b/src/siglist.h -index e789264..2b72a27 100644 ---- a/src/siglist.h -+++ b/src/siglist.h -@@ -21,7 +21,7 @@ - - typedef struct signature_list signature_list; - --extern signature_list *signature_list_new(efi_guid_t *SignatureType); -+extern signature_list *signature_list_new(const efi_guid_t *SignatureType); - extern int signature_list_add_sig(signature_list *sl, efi_guid_t owner, - uint8_t *sig, uint32_t sigsize); - extern int signature_list_realize(signature_list *sl, --- -2.1.4 - diff --git a/pesign-privkey_unneeded.diff b/pesign-privkey_unneeded.diff index 5fed9f0..c356292 100644 --- a/pesign-privkey_unneeded.diff +++ b/pesign-privkey_unneeded.diff @@ -4,9 +4,11 @@ src/pesign.c | 1 + 3 files changed, 12 insertions(+), 2 deletions(-) ---- a/src/cms_common.c -+++ b/src/cms_common.c -@@ -272,6 +272,7 @@ struct cbdata { +Index: pesign-0.111/src/cms_common.c +=================================================================== +--- pesign-0.111.orig/src/cms_common.c ++++ pesign-0.111/src/cms_common.c +@@ -280,6 +280,7 @@ struct cbdata { CERTCertificate *cert; PK11SlotListElement *psle; secuPWData *pwdata; @@ -14,7 +16,7 @@ }; static SECStatus -@@ -283,6 +284,12 @@ is_valid_cert(CERTCertificate *cert, voi +@@ -291,6 +292,12 @@ is_valid_cert(CERTCertificate *cert, voi void *pwdata = cbdata->pwdata; SECKEYPrivateKey *privkey = NULL; 
@@ -27,7 +29,7 @@ privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata); if (privkey != NULL) { cbdata->cert = cert; -@@ -413,7 +420,7 @@ find_certificate(cms_context *cms, int n +@@ -421,7 +428,7 @@ find_certificate(cms_context *cms, int n } SECStatus status; @@ -36,7 +38,7 @@ status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); if (status != SECSuccess) { PK11_DestroySlotListElement(slots, &psle); -@@ -442,6 +449,7 @@ find_certificate(cms_context *cms, int n +@@ -450,6 +457,7 @@ find_certificate(cms_context *cms, int n .cert = NULL, .psle = psle, .pwdata = pwdata, @@ -44,7 +46,7 @@ }; if (needs_private_key) { -@@ -562,7 +570,7 @@ find_named_certificate(cms_context *cms, +@@ -570,7 +578,7 @@ find_named_certificate(cms_context *cms, } SECStatus status; @@ -53,8 +55,10 @@ status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); if (status != SECSuccess) { PK11_DestroySlotListElement(slots, &psle); ---- a/src/cms_common.h -+++ b/src/cms_common.h +Index: pesign-0.111/src/cms_common.h +=================================================================== +--- pesign-0.111.orig/src/cms_common.h ++++ pesign-0.111/src/cms_common.h @@ -63,6 +63,7 @@ typedef int (*cms_common_logger)(struct typedef struct cms_context { PRArenaPool *arena; @@ -63,9 +67,11 @@ char *tokenname; char *certname; ---- a/src/pesign.c -+++ b/src/pesign.c -@@ -626,6 +626,7 @@ main(int argc, char *argv[]) +Index: pesign-0.111/src/pesign.c +=================================================================== +--- pesign-0.111.orig/src/pesign.c ++++ pesign-0.111/src/pesign.c +@@ -651,6 +651,7 @@ main(int argc, char *argv[]) */ case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS: check_inputs(ctxp); diff --git a/pesign-run.patch b/pesign-run.patch index 0336353..d5e3499 100644 --- a/pesign-run.patch +++ b/pesign-run.patch 
@@ -6,19 +6,23 @@ src/tmpfiles.conf | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) ---- a/src/Makefile -+++ b/src/Makefile -@@ -74,7 +74,7 @@ install_sysvinit: +Index: pesign-0.111/src/Makefile +=================================================================== +--- pesign-0.111.orig/src/Makefile ++++ pesign-0.111/src/Makefile +@@ -65,7 +65,7 @@ install_sysvinit: pesign.sysvinit install : $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ + $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/bin/ - $(INSTALL) -m 755 pesign $(INSTALLROOT)$(PREFIX)/bin/ - $(INSTALL) -m 755 client $(INSTALLROOT)$(PREFIX)/bin/pesign-client ---- a/src/daemon.h -+++ b/src/daemon.h + $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) +Index: pesign-0.111/src/daemon.h +=================================================================== +--- pesign-0.111.orig/src/daemon.h ++++ pesign-0.111/src/daemon.h @@ -49,7 +49,7 @@ typedef enum { } pesignd_cmd; @@ -29,8 +33,10 @@ +#define PIDFILE "/run/pesign.pid" #endif /* DAEMON_H */ ---- a/src/macros.pesign -+++ b/src/macros.pesign +Index: pesign-0.111/src/macros.pesign +=================================================================== +--- pesign-0.111.orig/src/macros.pesign ++++ pesign-0.111/src/macros.pesign @@ -36,7 +36,7 @@ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ --certdir ${nss} -c signer %{-o} \ 
@@ -40,8 +46,17 @@ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\ -c "/CN=Fedora Secure Boot Signer" \\\ %{-i} %{-o} %{-e} %{-s} %{-C} \ ---- a/src/pesign.sysvinit -+++ b/src/pesign.sysvinit +Index: pesign-0.111/src/tmpfiles.conf +=================================================================== +--- pesign-0.111.orig/src/tmpfiles.conf ++++ pesign-0.111/src/tmpfiles.conf +@@ -1 +1 @@ +-D /var/run/pesign 0770 pesign pesign - ++D /run/pesign 0770 pesign pesign - +Index: pesign-0.111/src/pesign.sysvinit.in +=================================================================== +--- pesign-0.111.orig/src/pesign.sysvinit.in ++++ pesign-0.111/src/pesign.sysvinit.in @@ -4,7 +4,7 @@ # # chkconfig: - 50 50 
@@ -51,38 +66,44 @@ ### BEGIN INIT INFO # Provides: pesign # Should-Start: $remote_fs -@@ -19,7 +19,7 @@ +Index: pesign-0.111/src/pesign.service.in +=================================================================== +--- pesign-0.111.orig/src/pesign.service.in ++++ pesign-0.111/src/pesign.service.in +@@ -4,7 +4,7 @@ Description=Pesign signing daemon + [Service] + PrivateTmp=true + Type=forking +-PIDFile=/var/run/pesign.pid ++PIDFile=/run/pesign.pid + ExecStart=/usr/bin/pesign --daemonize + ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users + ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups +Index: pesign-0.111/src/pesign-authorize-groups +=================================================================== +--- pesign-0.111.orig/src/pesign-authorize-groups ++++ pesign-0.111/src/pesign-authorize-groups +@@ -11,7 +11,7 @@ - [ -f /usr/bin/pesign ] || exit 1 + if [[ -r /etc/pesign/groups ]]; then + for group in $(cat /etc/pesign/groups); do +- setfacl -m g:${group}:rx /var/run/pesign +- setfacl -m g:${group}:rw /var/run/pesign/socket ++ setfacl -m g:${group}:rx /run/pesign ++ setfacl -m g:${group}:rw /run/pesign/socket + done + fi +Index: pesign-0.111/src/pesign-authorize-users +=================================================================== +--- pesign-0.111.orig/src/pesign-authorize-users ++++ pesign-0.111/src/pesign-authorize-users +@@ -11,7 +11,7 @@ --PESIGN_PIDFILE=/var/run/pesign.pid -+PESIGN_PIDFILE=/run/pesign.pid - RETVAL=0 - - start(){ -@@ -28,15 +28,15 @@ start(){ - RETVAL=$? 
- echo - touch /var/lock/subsys/pesign -- setfacl -m u:kojibuilder:x /var/run/pesign -- setfacl -m u:kojibuilder:rw /var/run/pesign/socket -- setfacl -m g:kojibuilder:x /var/run/pesign -- setfacl -m g:kojibuilder:rw /var/run/pesign/socket -+ setfacl -m u:kojibuilder:x /run/pesign -+ setfacl -m u:kojibuilder:rw /run/pesign/socket -+ setfacl -m g:kojibuilder:x /run/pesign -+ setfacl -m g:kojibuilder:rw /run/pesign/socket - } - - stop(){ - echo -n "Stopping pesign: " -- killproc -p /var/run/pesign.pid pesignd -+ killproc -p /run/pesign.pid pesignd - RETVAL=$? - echo - rm -f /var/lock/subsys/pesign ---- a/src/tmpfiles.conf -+++ b/src/tmpfiles.conf -@@ -1 +1 @@ --D /var/run/pesign 0770 pesign pesign - -+D /run/pesign 0770 pesign pesign - + if [[ -r /etc/pesign/users ]]; then + for username in $(cat /etc/pesign/users); do +- setfacl -m u:${username}:rx /var/run/pesign +- setfacl -m u:${username}:rw /var/run/pesign/socket ++ setfacl -m u:${username}:rx /run/pesign ++ setfacl -m u:${username}:rw /run/pesign/socket + done + fi diff --git a/pesign-suse-build.patch b/pesign-suse-build.patch index de8a44c..ea61d83 100644 --- a/pesign-suse-build.patch +++ b/pesign-suse-build.patch 
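Review bot: The rewritten `setfacl -m g:${group}:rx /run/pesign` and `setfacl -m u:${username}:rw /run/pesign/socket` lines keep the unquoted expansions of the scripts being patched, so a name read from /etc/pesign/groups or /etc/pesign/users is subject to globbing before it becomes part of the ACL spec. Since these helpers decide who may talk to the signing socket, quoting the spec is cheap hardening: `setfacl -m "g:${group}:rx" /run/pesign`, and likewise for the three other calls. The diffstat kept at the top of pesign-run.patch still says `5 files changed`, while the refreshed patch appears to touch eight files; regenerating it would keep the header honest.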
@@ -1,67 +1,44 @@ -diff --git a/Make.defaults b/Make.defaults -index 95ba9d5..c03bf70 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -5,7 +5,8 @@ HOSTARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) - ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,) - INCDIR = -I$(TOPDIR)/include - CPPFLAGS = -DCONFIG_$(ARCH) --CFLAGS = -g -O0 -+OPTFLAGS = -g -O0 -+CFLAGS = $(OPTFLAGS) - BUILDFLAGS := $(CFLAGS) $(ARCH3264) -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function - ASFLAGS = $(ARCH3264) - LDFLAGS = -nostdlib -@@ -23,7 +24,7 @@ OBJCOPY = $(bindir)objcopy +Index: pesign-0.111/util/Makefile +=================================================================== +--- pesign-0.111.orig/util/Makefile ++++ pesign-0.111/util/Makefile +@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules + include $(TOPDIR)/Make.defaults - ifeq ($(ARCH),ia64) - CFLAGS += -mfixed-range=f32-f127 -- LIBDIR = $(PREFIX)/lib64 -+ LIBDIR = $(PREFIX)/lib - endif + FORMAT=efi-app-$(HOSTARCH) +-LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) ++LDFLAGS = -nostdlib -T $(LIBDIR)/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) + LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name) + CCLDFLAGS = + BUILDFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration +@@ -20,8 +20,8 @@ clean : + @rm -rfv *.o *.a *.so .*.d $(TARGETS) - ifeq ($(ARCH), ia32) -@@ -41,3 +42,6 @@ ifeq ($(ARCH), x86_64) - endif - endif + install : +- $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/ +- $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/ ++ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/ ++ $(INSTALL) -m 755 *.efi 
$(INSTALLROOT)/boot/efi/EFI/SuSE/ -+ifeq ($(ARCH), aarch64) -+ LIBDIR := $(PREFIX)/lib64 -+endif -diff --git a/Make.rules b/Make.rules -index 2749521..3553a03 100644 ---- a/Make.rules -+++ b/Make.rules -@@ -2,10 +2,11 @@ - $(AR) -cvqs $@ $^ + install_systemd: - % : %.o -- $(CC) $(CCLDFLAGS) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-l --libs-only-other $(pklib))) -lpthread -+ $(CC) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(CCLDFLAGS) $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-l --libs-only-other $(pklib))) -lpthread - - %.so : - $(CC) $(INCDIR) $(BUILDFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@ -+ $(CC) $(INCDIR) $(BUILDFLAGS) -Wl,-soname,$(SONAME) $^ $(CCLDFLAGS) -o $@ - - %.o: %.c - $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -c $< -o $@ -diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit -index ea37c58..120a49c 100644 ---- a/src/pesign.sysvinit -+++ b/src/pesign.sysvinit -@@ -6,21 +6,25 @@ +Index: pesign-0.111/src/pesign.sysvinit.in +=================================================================== +--- pesign-0.111.orig/src/pesign.sysvinit.in ++++ pesign-0.111/src/pesign.sysvinit.in +@@ -6,21 +6,24 @@ # processname: /usr/bin/pesign # pidfile: /var/run/pesign.pid ### BEGIN INIT INFO -# Provides: pesign -# Default-Start: +-# Default-Stop: +# Provides: pesign +# Should-Start: $remote_fs +# Should-Stop: $remote_fs +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 5 - # Default-Stop: # Short-Description: The pesign PE signing daemon # Description: The pesign PE signing daemon ### END INIT INFO 
@@ -79,27 +56,37 @@ index ea37c58..120a49c 100644 RETVAL=$? echo touch /var/lock/subsys/pesign -diff --git a/util/Makefile b/util/Makefile -index ff11cb8..5d4cebb 100644 ---- a/util/Makefile -+++ b/util/Makefile -@@ -4,7 +4,7 @@ TOPDIR = $(SRCDIR)/.. - include $(TOPDIR)/Make.defaults +@@ -30,7 +33,7 @@ start(){ - FORMAT=efi-app-$(HOSTARCH) --LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) -+LDFLAGS = -nostdlib -T $(LIBDIR)/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) - LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name) - CCLDFLAGS = - BUILDFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration -@@ -17,8 +17,8 @@ clean : - @rm -rfv *.o *.a *.so $(TARGETS) + stop(){ + echo -n "Stopping pesign: " +- killproc -p /var/run/pesign.pid pesignd ++ killproc -p /run/pesign.pid pesignd + RETVAL=$? 
+ echo + rm -f /var/lock/subsys/pesign +Index: pesign-0.111/Make.defaults +=================================================================== +--- pesign-0.111.orig/Make.defaults ++++ pesign-0.111/Make.defaults +@@ -55,7 +55,7 @@ efi_cflags = $(cflags) + ASFLAGS = $(ARCH3264) + CPPFLAGS ?= + +-LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) ++LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) + + ifeq ($(ARCH),ia64) + efi_cflags += -mfixed-range=f32-f127 +Index: pesign-0.111/Makefile +=================================================================== +--- pesign-0.111.orig/Makefile ++++ pesign-0.111/Makefile +@@ -9,7 +9,6 @@ SUBDIRS := include libdpe src install : -- $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/ -- $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/ -+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/ -+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/ - - .PHONY: all clean install - + $(INSTALL) -d -m 755 $(INSTALLROOT)$(prefix)$(docdir)/pesign-$(VERSION)/ +- $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(prefix)$(docdir)/pesign-$(VERSION)/ + @set -e ; for x in $(SUBDIRS) ; do \ + $(MAKE) -C $$x $@ ; \ + done diff --git a/pesign.changes b/pesign.changes index b880b11..78128ae 100644 --- a/pesign.changes +++ b/pesign.changes 
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Tue Nov 10 07:59:48 UTC 2015 - glin@suse.com + +- Update to 0.111 +- Add pesign-fix-signness.patch to fix the signness comparison +- Drop upstreamed patches + + pesign-efivar-pkgconfig.patch + + pesign-make-efi_guid_t-const.patch + + pesign-fix-import-sig-check.patch + + pesign-install-supplementary-programs.patch +- Refresh pesign-suse-build.patch, pesign-privkey_unneeded.diff, + and pesign-run.patch +- Update pesign-fix-build-errors.patch +- Merge use-standard-pid-location.patch into pesign-run.patch + ------------------------------------------------------------------- Tue Sep 1 06:11:06 UTC 2015 - dimstar@opensuse.org diff --git a/pesign.spec b/pesign.spec index 07ad17c..463d07f 100644 --- a/pesign.spec +++ b/pesign.spec @@ -17,7 +17,7 @@ Name: pesign -Version: 0.110 +Version: 0.111 Release: 0 Summary: Signing tool for PE-COFF binaries License: GPL-2.0 
@@ -30,20 +30,12 @@ Patch1: pesign-suse-build.patch Patch2: pesign-fix-build-errors.patch # PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff glin@suse.com -- Don't check the private key when importing the raw signature Patch3: pesign-privkey_unneeded.diff -# PATCH-FIX-SUSE use-standard-pid-location.patch p.drouand@gmail.com --Use standard /run instead of /var/run for pidfile -Patch4: use-standard-pid-location.patch # PATCH-FIX-SUSE pesign-run.patch aj@suse.com - Use /run instead of /var/run Patch5: pesign-run.patch # PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch glin@suse.com -- Fix the write loop in authvar Patch6: pesign-fix-authvar-write-loop.patch -# PATCH-FIX-SUSE pesign-install-supplementary-programs.patch glin@suse.com -- Install the supplementary programs -Patch7: pesign-install-supplementary-programs.patch -# PATCH-FIX-UPSTREAM pesign-fix-import-sig-check.patch glin@suse.com -- Fix the signature size check while importing a signature -Patch8: pesign-fix-import-sig-check.patch -# PATCH-FIX-UPSTREAM pesign-efivar-pkgconfig.patch glin@suse.com -- Make efivar compiler parameters come from pkg-config -Patch9: pesign-efivar-pkgconfig.patch -# PATCH-FIX-UPSTREAM pesign-make-efi_guid_t-const.patch glin@suse.com -- make efi_guid_t's const -Patch10: pesign-make-efi_guid_t-const.patch +# PATCH-FIX-UPSTREAM pesign-fix-signness.patch glin@suse.com -- Fix the signness comparison +Patch7: pesign-fix-signness.patch BuildRequires: efivar-devel BuildRequires: libuuid-devel BuildRequires: mozilla-nss-devel 
@@ -63,23 +55,19 @@ with the PE and Authenticode specifications. %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 %build -make %{?_smp_mflags} OPTFLAGS="%{optflags}" +make %{?_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" %install -make INSTALLROOT=%{buildroot} PREFIX=%{_prefix} DOCDIR=/share/doc/packages install +make INSTALLROOT=%{buildroot} libexecdir=%{_libexecdir} install mkdir -p %{buildroot}%{_localstatedir}/lib/pesign mkdir -p %{buildroot}%{_sbindir} -make INSTALLROOT=%{buildroot} UNITDIR=%{_unitdir} install_systemd +make INSTALLROOT=%{buildroot} UNITDIR=%{_unitdir} libexecdir=%{_libexecdir} install_systemd # create rcsymlink ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} @@ -113,6 +101,8 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/pesign.conf || : %{_bindir}/efisiglist %{_bindir}/authvar %{_sbindir}/rcpesign +%dir %{_sysconfdir}/pesign +%{_sysconfdir}/pesign/* %dir %{_sysconfdir}/popt.d %config %{_sysconfdir}/popt.d/pesign.popt %{_sysconfdir}/pki/ @@ -121,6 +111,8 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/pesign.conf || : %{_localstatedir}/lib/pesign %{_unitdir}/pesign.service %{_libexecdir}/tmpfiles.d/pesign.conf +%dir %{_libexecdir}/pesign +%{_libexecdir}/pesign/pesign-authorize-* %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign %ghost %dir %attr(0770,pesign,pesign) /run/%{name} %dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name} diff --git a/use-standard-pid-location.patch b/use-standard-pid-location.patch deleted file mode 100644 index a581412..0000000 --- a/use-standard-pid-location.patch +++ /dev/null @@ -1,9 +0,0 @@ ---- a/src/pesign.service -+++ b/src/pesign.service -@@ -4,5 +4,5 @@ - [Service] - PrivateTmp=true - Type=forking --PIDFile=/var/run/pesign.pid -+PIDFile=/run/pesign.pid - ExecStart=/usr/bin/pesign --daemonize
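Review bot: The new `%{_sysconfdir}/pesign/*` entry in the %files hunk packages everything under /etc/pesign as plain files, whereas the neighbouring `%{_sysconfdir}/popt.d/pesign.popt` is marked `%config`. The pesign-authorize-users and pesign-authorize-groups helpers touched in pesign-run.patch read /etc/pesign/users and /etc/pesign/groups to decide who gets ACLs on the signing socket, so a package update would presumably replace a locally edited access list with the shipped one. Marking the entry `%config(noreplace) %{_sysconfdir}/pesign/*` would preserve the administrator's list across updates.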