rpms
/
pesign
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Try a completely different thing for the test certs... 

Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones 2015-12-01 15:21:31 -05:00
parent 0ee1abe272
commit 23808303ed
10 changed files with 179 additions and 246 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
View File

@ -1,50 +0,0 @@
From 2ced112a031c65791f04d46ce73f6d64a17ad069 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:19:49 -0500
Subject: [PATCH 1/2] Don't setfacl when the socket or dir aren't there.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 8 ++++++--
src/pesign-authorize-users | 8 ++++++--
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index e3864ce..2222809 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -11,7 +11,11 @@
if [[ -r /etc/pesign/groups ]]; then
for group in $(cat /etc/pesign/groups); do
- setfacl -m g:${group}:rx /var/run/pesign
- setfacl -m g:${group}:rw /var/run/pesign/socket
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${group}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index e500204..22bddec 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -11,7 +11,11 @@
if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
- setfacl -m u:${username}:rx /var/run/pesign
- setfacl -m u:${username}:rw /var/run/pesign/socket
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${username}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${username}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
--
2.5.0

63
0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch Normal file
View File

@ -0,0 +1,63 @@
From 6796e5f7b0ab1eb08f92887ae0427cf5a4120e0b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 8 Nov 2015 14:42:29 -0500
Subject: [PATCH 1/5] pesign: when nss fails to tell us -EPERM or -ENOENT,
figure it out.
This should make -EPERM problems much easier for the user to diagnose.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/pesign.c b/src/pesign.c
index 1d72657..09b6a2b 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -17,7 +17,9 @@
* Author(s): Peter Jones <pjones@redhat.com>
*/
+#include <err.h>
#include <fcntl.h>
+#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -576,14 +578,28 @@ main(int argc, char *argv[])
if (!daemon) {
SECStatus status;
- if (need_db)
+ if (need_db) {
status = NSS_Init(certdir);
- else
+ if (status != SECSuccess) {
+ char *globpattern = NULL;
+ rc = asprintf(&globpattern, "%s/cert*.db",
+ certdir);
+ if (rc > 0) {
+ glob_t globbuf;
+ memset(&globbuf, 0, sizeof(globbuf));
+ rc = glob(globpattern, GLOB_ERR, NULL,
+ &globbuf);
+ if (rc != 0) {
+ err(1, "Could not open NSS database (\"%s\")",
+ PORT_ErrorToString(PORT_GetError()));
+ }
+ }
+ }
+ } else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
- fprintf(stderr, "Could not initialize nss: %s\n",
+ errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
PORT_ErrorToString(PORT_GetError()));
- exit(1);
}
status = register_oids(ctxp->cms_ctx);
--
2.5.0

41
0002-setfacl-the-db-as-well.patch
View File

@ -1,41 +0,0 @@
From 4abf6bc506a31ae3e21ae736a44cea992c6ba6c1 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:21:39 -0500
Subject: [PATCH 2/2] setfacl the db as well
---
src/pesign-authorize-groups | 4 ++++
src/pesign-authorize-users | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 2222809..e0f679d 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m g:${group}:rx /etc/pki/pesign
+ setfacl -m u:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 22bddec..997c8a3 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/users ]]; then
setfacl -m g:${username}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m g:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
--
2.5.0

39
0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch Normal file
View File

@ -0,0 +1,39 @@
From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 19 Nov 2015 11:36:59 -0500
Subject: [PATCH 2/5] setfacl the nss DBs to our authorized users, not just the
socket.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 2 ++
src/pesign-authorize-users | 2 ++
2 files changed, 4 insertions(+)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index e3864ce..2236bea 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
for group in $(cat /etc/pesign/groups); do
setfacl -m g:${group}:rx /var/run/pesign
setfacl -m g:${group}:rw /var/run/pesign/socket
+ setfacl -m g:${username}:rx /etc/pki/pesign
+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index e500204..9c38a25 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
setfacl -m u:${username}:rx /var/run/pesign
setfacl -m u:${username}:rw /var/run/pesign/socket
+ setfacl -m u:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
done
fi
--
2.5.0

2
0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch → 0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
View File

@ -1,7 +1,7 @@
From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001 From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:19:49 -0500 Date: Fri, 20 Nov 2015 19:19:49 -0500
Subject: [PATCH 2/3] Don't setfacl when the socket or dir aren't there. Subject: [PATCH 3/5] Don't setfacl when the socket or dir aren't there.
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>
--- ---

112
0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch
View File

@ -1,112 +0,0 @@
From 54dd12c2653dc3aecdd73b9ffb2a85d92e39d858 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 30 Nov 2015 15:34:35 -0500
Subject: [PATCH 4/4] Gripe about pesign-rh-test-certs not being installed
---
src/Makefile | 7 +++++--
src/macros.pesign | 10 ++++++++--
src/missing-stuff.txt | 11 +++++++++++
src/pesign-authorize.service.in | 8 ++++++++
4 files changed, 32 insertions(+), 4 deletions(-)
create mode 100644 src/missing-stuff.txt
create mode 100644 src/pesign-authorize.service.in
diff --git a/src/Makefile b/src/Makefile
index af3fd07..9e27ee6 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
-SVCTARGETS=pesign.sysvinit pesign.service
+SVCTARGETS=pesign.sysvinit pesign.service pesign-authorize.service
TARGETS=$(BINTARGETS) $(SVCTARGETS)
all : deps $(TARGETS)
@@ -53,11 +53,12 @@ clean :
@rm -rfv *.o *.a *.so $(TARGETS)
@rm -rfv .*.d
-install_systemd: pesign.service
+install_systemd: pesign.service pesign-authorize.service
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)tmpfiles.d/
$(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)$(libdatadir)tmpfiles.d/pesign.conf
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)systemd/system/
$(INSTALL) -m 644 pesign.service $(INSTALLROOT)$(libdatadir)systemd/system/
+ $(INSTALL) -m 644 pesign-authorize.service $(INSTALLROOT)$(libdatadir)systemd/system/
install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
@@ -84,6 +85,8 @@ install :
$(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/share/doc/pesign/
+ $(INSTALL) -m 644 missing-stuff.txt $(INSTALLROOT)/usr/share/doc/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
diff --git a/src/macros.pesign b/src/macros.pesign
index 39374ce..3197ed7 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -7,7 +7,7 @@
# And magically get the right thing.
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -41,7 +41,13 @@
-c "/CN=Fedora Secure Boot Signer" \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ if ! certutil -d /etc/pki/pesign -L -n %{__pesign_cert} >/dev/null 2>&1 ; then \ \
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
+ cat /usr/share/doc/pesign/missing-stuff.txt 1>&2 \
+ exit 1 \
+ fi \
+ fi \
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
else \
diff --git a/src/missing-stuff.txt b/src/missing-stuff.txt
new file mode 100644
index 0000000..55b68e3
--- /dev/null
+++ b/src/missing-stuff.txt
@@ -0,0 +1,11 @@
+
+
+You are attempting to sign the with the "Red Hat Test Certificate",
+which is not installed or cannot be accessed. If you mean to be signing
+with this key, ensure that the "pesign-rh-test-certs" package is
+installed and that your user name is listed in "/etc/pesign/users", and
+then run:
+
+ systemctl restart pesign-authorize.service
+
+
diff --git a/src/pesign-authorize.service.in b/src/pesign-authorize.service.in
new file mode 100644
index 0000000..ccb1d4f
--- /dev/null
+++ b/src/pesign-authorize.service.in
@@ -0,0 +1,8 @@
+[Unit]
+Description=Pesign database authentication management service
+
+[Service]
+PrivateTmp=true
+Type=oneshot
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-users
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
--
2.5.0

2
0003-setfacl-the-db-as-well.patch → 0004-setfacl-the-db-as-well.patch
View File

@ -1,7 +1,7 @@
From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001 From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:21:39 -0500 Date: Fri, 20 Nov 2015 19:21:39 -0500
Subject: [PATCH 3/3] setfacl the db as well Subject: [PATCH 4/5] setfacl the db as well
And also get all our "-m [ug]:${name}:$perm" arguments right. And also get all our "-m [ug]:${name}:$perm" arguments right.

62
0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch Normal file
View File

@ -0,0 +1,62 @@
From bfa02b50f9bbb60c3b04f159864aa4a87b0020e2 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 30 Nov 2015 15:34:35 -0500
Subject: [PATCH 5/5] Do a better job of isolating pesign-rh-test-crap
---
src/Makefile | 1 +
src/macros.pesign | 10 ++++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index af3fd07..1822d3f 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -65,6 +65,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
+ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
diff --git a/src/macros.pesign b/src/macros.pesign
index 39374ce..9644940 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -7,7 +7,7 @@
# And magically get the right thing.
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -21,6 +21,10 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
+ _pesign_nssdir=/etc/pki/pesign \
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
+ _pesign_nssdir=/etc/pki/pesign-rh-test \
+ fi \
if [ -x %{_pesign} ] && \\\
[ "%{_target_cpu}" == "x86_64" -o \\\
"%{_target_cpu}" == "aarch64" ]; then \
@@ -39,9 +43,11 @@
elif [ -S /var/run/pesign/socket ]; then \
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
-c "/CN=Fedora Secure Boot Signer" \\\
+ --certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+ --certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
else \
--
2.5.0

52
pesign.spec
View File

@ -6,8 +6,8 @@ Version: 0.111
Release: 5%{?dist} Release: 5%{?dist}
Group: Development/System Group: Development/System
License: GPLv2 License: GPLv2
Recommends: pesign-rh-test-certs
URL: https://github.com/vathpela/pesign URL: https://github.com/vathpela/pesign
Obsoletes: rh-test-certs <= 0.111-5
BuildRequires: git nspr nss nss-util popt-devel BuildRequires: git nspr nss nss-util popt-devel
BuildRequires: coolkey opensc nss-tools BuildRequires: coolkey opensc nss-tools
BuildRequires: nspr-devel >= 4.9.2-1 BuildRequires: nspr-devel >= 4.9.2-1
@ -25,24 +25,16 @@ BuildRequires: rh-signing-tools >= 1.20-2
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz Source1: certs.tar.xz
Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
Patch10001: 0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch Patch10001: 0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch
Patch10002: 0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch Patch10002: 0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
Patch10003: 0003-setfacl-the-db-as-well.patch Patch10003: 0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
Patch10004: 0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch Patch10004: 0004-setfacl-the-db-as-well.patch
Patch10005: 0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch
%description %description
This package contains the pesign utility for signing UEFI binaries as This package contains the pesign utility for signing UEFI binaries as
well as other associated tools. well as other associated tools.
%package rh-test-certs
Summary: Test keys for pesign
Group: Development/System
License: GPLv2
Requires: pesign = %{version}-%{release}
%description rh-test-certs
This package contains test keys for use with pesign
%prep %prep
%setup -q -a 0 %setup -q -a 0
%setup -a 1 -D -c -n pesign-%{version}/ %setup -a 1 -D -c -n pesign-%{version}/
@ -72,7 +64,9 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
rm -rf %{buildroot}/boot %{buildroot}/usr/include rm -rf %{buildroot}/boot %{buildroot}/usr/include
rm -rf %{buildroot}%{_libdir}/libdpe* rm -rf %{buildroot}%{_libdir}/libdpe*
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/ mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/ cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
mkdir -p %{buildroot}%{macrosdir} mkdir -p %{buildroot}%{macrosdir}
@ -89,24 +83,6 @@ getent passwd pesign >/dev/null || \
-c "Group for the pesign signing daemon" pesign -c "Group for the pesign signing daemon" pesign
exit 0 exit 0
%post rh-test-certs
certutil --merge -d %{_sysconfdir}/pki/pesign/ --source-dir %{_sysconfdir}/pki/pesign/rh-test-certs/
if getent passwd mockbuild >/dev/null ; then
if ! grep -q mockbuild %{_sysconfdir}/pesign/users ; then
echo mockbuild >> %{_sysconfdir}/pesign/users
%{_libexecdir}/pesign/pesign-authorize-users
fi
fi
%preun rh-test-certs
if [ "$1" -eq 0 ]; then
if certutil -d %{_sysconfdir}/pki/pesign -L -n "Red Hat Test Certificate" >/dev/null 2>&1 ; then
certutil -d %{_sysconfdir}/pki/pesign -F -n "Red Hat Test Certificate" >/dev/null 2>&1 || :
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test Certificate" >/dev/null 2>&1 || :
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test CA" >/dev/null 2>&1 || :
fi
fi
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%post %post
%systemd_post pesign.service %systemd_post pesign.service
@ -114,7 +90,6 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null -libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
#modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \ #modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \
# -libfile %%{_libdir}/pkcs11/libcoolkeypk11.so # -libfile %%{_libdir}/pkcs11/libcoolkeypk11.so
%preun %preun
%systemd_preun pesign.service %systemd_preun pesign.service
@ -138,14 +113,16 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%{_bindir}/pesign %{_bindir}/pesign
%{_bindir}/pesign-client %{_bindir}/pesign-client
%dir %{_libexecdir}/pesign/ %dir %{_libexecdir}/pesign/
%exclude %{_sysconfdir}/pki/pesign/rh-test-certs/ %dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize-users %{_libexecdir}/pesign/pesign-authorize-users
%{_libexecdir}/pesign/pesign-authorize-groups %{_libexecdir}/pesign/pesign-authorize-groups
%config(noreplace)/%{_sysconfdir}/pesign/users %config(noreplace)/%{_sysconfdir}/pesign/users
%config(noreplace)/%{_sysconfdir}/pesign/groups %config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt %{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign %{macrosdir}/macros.pesign
%{_docdir}/pesign/missing-stuff.txt
%{_mandir}/man*/* %{_mandir}/man*/*
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign %dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/* %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
@ -155,13 +132,8 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%{_tmpfilesdir}/pesign.conf %{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service %{_unitdir}/pesign.service
%{_unitdir}/pesign-authorize.service
%endif %endif
%files rh-test-certs
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/*
%changelog %changelog
* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5 * Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
- setfacl even harder. - setfacl even harder.

2
sources
View File

@ -1,2 +1,2 @@
37bb2a79934feda0327e0fb4d9e5b08e certs.tar.xz
b2c6b74c2475a1442634d1386d888c24 pesign-0.111.tar.bz2 b2c6b74c2475a1442634d1386d888c24 pesign-0.111.tar.bz2
e377e0bc924287ee09356a239c5f51a8 certs.tar.xz