From 38e8425bf80f012c095921af7fc344c4a6dc930f Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Mon, 6 Jul 2020 16:43:27 -0400
Subject: [PATCH] another test build
Signed-off-by: Peter Jones
---
...-run-and-var-run-for-the-socket-path.patch | 86 ++++++++
...ros.pesign-to-pesign-rpmbuild-helper.patch | 77 ++++---
...-run-and-var-run-for-the-socket-path.patch | 193 ------------------
pesign.spec | 6 +-
4 files changed, 132 insertions(+), 230 deletions(-)
create mode 100644 0006-client-try-run-and-var-run-for-the-socket-path.patch
rename 0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch => 0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch (84%)
delete mode 100644 0007-client-try-run-and-var-run-for-the-socket-path.patch
diff --git a/0006-client-try-run-and-var-run-for-the-socket-path.patch b/0006-client-try-run-and-var-run-for-the-socket-path.patch
new file mode 100644
index 0000000..337faab
--- /dev/null
+++ b/0006-client-try-run-and-var-run-for-the-socket-path.patch
@@ -0,0 +1,86 @@
+From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Mon, 6 Jul 2020 16:13:09 -0400
+Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
+
+Signed-off-by: Peter Jones
+---
+ src/client.c | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index 2119ef33bf8..a38383415d5 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
+ }
+
+ static int
+-connect_to_server(void)
++connect_to_server_helper(const char * const sockpath)
+ {
+- int rc = access(SOCKPATH, R_OK);
++ int rc = access(sockpath, R_OK);
+ if (rc != 0) {
+- fprintf(stderr, "pesign-client: could not connect to server: "
+- "%m\n");
+- exit(1);
++ warn("could not access socket \"%s\"", sockpath);
++ return rc;
+ }
+
+ struct sockaddr_un addr_un = {
+ .sun_family = AF_UNIX,
+- .sun_path = SOCKPATH,
+ };
++ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
++ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
+
+ int sd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (sd < 0) {
+- fprintf(stderr, "pesign-client: could not open socket: %m\n");
+- exit(1);
++ warn("could not open socket \"%s\"", sockpath);
++ return sd;
+ }
+
+ socklen_t len = strlen(addr_un.sun_path) +
+@@ -74,14 +74,32 @@ connect_to_server(void)
+
+ rc = connect(sd, (struct sockaddr *)&addr_un, len);
+ if (rc < 0) {
+- fprintf(stderr, "pesign-client: could not connect to daemon: "
+- "%m\n");
+- exit(1);
++ warn("could not connect to daemon");
++ return sd;
+ }
+
+ return sd;
+ }
+
++static int
++connect_to_server(void)
++{
++ int rc, i;
++ const char * const sockets[] = {
++ "/run/pesign/socket",
++ "/var/run/pesign/socket",
++ NULL
++ };
++
++ for (i = 0; sockets[i] != NULL; i++) {
++ rc = connect_to_server_helper(sockets[i]);
++ if (rc >= 0)
++ return rc;
++ }
++
++ exit(1);
++}
++
+ static int32_t
+
check_response(int sd, char **srvmsg); + +-- +2.26.2 + diff --git a/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch similarity index 84% rename from 0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch rename to 0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch index d948caa..020d468 100644 --- a/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch +++ b/0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch @@ -1,15 +1,15 @@ -From 8499f7b340e4f6fbb5701db21fbabc25b8883c54 Mon Sep 17 00:00:00 2001 +From 22658f290fcf66213ca6237e37ae97bba39a8a0b Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 6 Jul 2020 13:54:35 -0400 -Subject: [PATCH 6/7] Move most of macros.pesign to pesign-rpmbuild-helper +Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper Signed-off-by: Peter Jones --- src/Makefile | 1 + - src/macros.pesign | 73 +++++------------- - src/pesign-rpmbuild-helper | 153 +++++++++++++++++++++++++++++++++++++ - 3 files changed, 174 insertions(+), 53 deletions(-) - create mode 100755 src/pesign-rpmbuild-helper + src/macros.pesign | 73 +++++------------ + src/pesign-rpmbuild-helper | 163 +++++++++++++++++++++++++++++++++++++ + 3 files changed, 184 insertions(+), 53 deletions(-) + create mode 100644 src/pesign-rpmbuild-helper diff --git a/src/Makefile b/src/Makefile index 74327ba13f3..c9e9cc6cd1b 100644 @@ -102,7 +102,7 @@ index 5a6da1c6809..e3a0de9c2f4 100644 + %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\ + %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\ + %{?__pesign_token:%{__pesign_token}} \\\ -+ %{?-n:--cert "%{-n*}"}%{?!-n:--cert "%{__pesign_cert}"} \\\ ++ %{?-n:--cert "\"%{-n*}\""}%{?!-n:--cert "\"%{__pesign_cert}\""} \\\ + %{?_rhel:--rhelver "%{_rhel}"} \\\ + %{?-a:--cafile "%{-a*}"} \\\ + %{?-c:--certfile "%{-c*}"} \\\ 
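Review bot: In connect_to_server_helper the connect() failure branch ends with `return sd;`, and sd is a valid descriptor at that point, so the `rc >= 0` test in the new connect_to_server treats a failed connect as success. The caller then gets an unconnected socket, and /var/run/pesign/socket is never tried when /run/pesign/socket exists but nothing is listening on it. Closing the descriptor and returning the error, `close(sd); return rc;`, lets the loop move on to the next path and reach `exit(1)` when both fail, and it also avoids leaking the descriptor.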
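Review bot: The new `--cert "\"%{-n*}\""` and `--cert "\"%{__pesign_cert}\""` forms wrap the certificate name in escaped quotes, unlike the neighbouring `--rhelver "%{_rhel}"` and `--cafile "%{-a*}"` arguments. If this macro line reaches the shell as written, the helper receives the name with literal quote characters, and its `"${cert[1]}" == "Red Hat Test Certificate"` comparison, which selects the NSS directory, would presumably no longer match. Plain quoting, `--cert "%{-n*}"`, keeps the name as a single argument without changing its value. The macro definition starts outside this hunk, so confirm how the line is evaluated before relying on either form.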
@@ -114,14 +114,15 @@ index 5a6da1c6809..e3a0de9c2f4 100644 + ; \ +%{nil} diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper -new file mode 100755 -index 00000000000..fd385d1625d +new file mode 100644 +index 00000000000..f3d66320bcc --- /dev/null +++ b/src/pesign-rpmbuild-helper -@@ -0,0 +1,153 @@ +@@ -0,0 +1,162 @@ +#!/bin/sh + +set -eu ++set -x + +main() { + local target_cpu="${1}" && shift @@ -130,7 +131,6 @@ index 00000000000..fd385d1625d + + local cafile="" || : + local certfile="" || : -+ local certname="" || : + + local certout=() || : + local sattrout=() || : @@ -153,32 +153,41 @@ index 00000000000..fd385d1625d + " --certfile ") + certfile="${2}" + ;; -+ " --certname ") -+ certname="${2}" -+ ;; + " --certout ") -+ certout=(-C "${2}") ++ certout[0]=-C ++ certout[1]="${2}" + ;; + " --sattrout ") -+ sattrout=(-e "${2}") ++ sattrout[0]=-e ++ sattrout[1]="${2}" + ;; + " --client-token ") -+ client_token=(-t "${2}") ++ client_token[0]=-t ++ client_token[1]="${2}" + ;; + " --client-cert ") -+ client_cert=(-c "${2}") ++ client_cert[0]=-c ++ client_cert[1]="${2}" + ;; + " --token ") -+ token=(-t "${2}") ++ token[0]=-t ++ token="${2}" + ;; + " --cert ") -+ cert=(-c "${2}") ++ cert[0]=-c ++ cert[1]="${2}" ++ ;; ++ " --certname ") ++ cert[0]=-c ++ cert[1]="${2}" + ;; + " --in ") -+ input=(-i "${2}") ++ input[0]=-i ++ input[1]="${2}" + ;; + " --out ") -+ output=(-o "${2}") ++ output[0]=-o ++ output[1]="${2}" + ;; + " --rhelver ") + rhelver="${2}" @@ -196,8 +205,8 @@ index 00000000000..fd385d1625d + fi + + local nssdir=/etc/pki/pesign -+ if [ "${certname}" == "Red Hat Test Certificate" ] || -+ [ "${#cert[@]}" -eq 2 -a "${cert[1]}" == "Red Hat Test Certificate" ] ; then ++ if [ "${#cert[@]}" -eq 2 ] && ++ [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then + nssdir=/etc/pki/pesign-rh-test + fi + 
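Review bot: The added `set -x` at the top of pesign-rpmbuild-helper traces every command with its expanded arguments, so token names, certificate names and temporary file paths are written to the build log of every package that calls the signing macro. It reads like a debugging aid for this test build; I would remove the line, or enable tracing only when an opt-in environment variable is set. The same hunk changes the file mode from 100755 to 100644, so the helper will only be runnable if the install step sets the mode explicitly, which is not visible here.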
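Review bot: In the `--token` branch the second assignment is `token="${2}"`, which in bash writes element 0 and so overwrites the `-t` stored by `token[0]=-t` on the line before. The array then holds only the token name, and the later `"${token[@]}"` expansion hands it to pesign without its `-t` flag, where it would be read as a stray positional argument. Every other branch in this hunk assigns index 1; this one should read `token[1]="${2}"`. The case statement begins and ends outside the hunk.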
@@ -246,24 +255,24 @@ index 00000000000..fd385d1625d + certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir} + sattrs="$(mktemp -p $PWD --suffix=.der)" + "${bin}" -E "${sattrs}" --certdir "${nssdir}" \ -+ ${input[@]} --force -+ rpm-sign --key "${certname}" --rsadgstsign "${sattrs}" ++ "${input[@]}" --force ++ rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}" + "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \ + --certdir "${nssdir}" -c signer \ -+ ${input[@]} ${output[@]} ++ "${input[@]}" "${output[@]}" + rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" + elif [ -n "${socket}" ] ; then -+ "${client}" ${client_token[@]} ${client_cert[@]} \ -+ ${sattrout[@]} ${certout[@]} \ -+ ${sign} ${input[@]} ${output[@]} ++ "${client}" "${client_token[@]}" "${client_cert[@]}" \ ++ "${sattrout[@]}" "${certout[@]}" \ ++ ${sign} "${input[@]}" "${output[@]}" + else -+ "${bin}" --certdir "${nssdir}" ${token[@]} ${cert[@]} \ -+ ${sign} ${sattrout[@]} ${certout[@]} \ -+ ${input[@]} ${output[@]} ++ "${bin}" --certdir "${nssdir}" "${token[@]}" \ ++ "${cert[@]}" ${sign} "${sattrout[@]}" \ ++ "${certout[@]}" "${input[@]}" "${output[@]}" + fi + + # if there's a 0-sized output file, delete it and error out -+ if [ ! -s "${output[1]}" ] ; then ++ if [ "${#output[@]}" -eq 2 ] && ! [ -s "${output[1]}" ] ; then + if [ -e "${output[1]}" ] ; then + rm -f "${output[1]}" + fi diff --git a/0007-client-try-run-and-var-run-for-the-socket-path.patch b/0007-client-try-run-and-var-run-for-the-socket-path.patch deleted file mode 100644 index e9e89e5..0000000 --- a/0007-client-try-run-and-var-run-for-the-socket-path.patch +++ /dev/null 
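Review bot: `rpm-sign --key "${cert[1]}"` reads the second element of cert without checking that one was supplied, while the nssdir test and the zero-size output test in this same patch guard with `"${#cert[@]}" -eq 2` and `"${#output[@]}" -eq 2`. With `set -eu` in effect, an invocation that reaches this branch without --cert or --certname stops on an unbound-variable error, and the temporary `${sattrs}` file and `${nssdir}` created just above are left behind because the `rm -rf` is never reached. A guard before the call, such as `[ "${#cert[@]}" -eq 2 ] || { echo "no certificate name given" >&2; exit 1; }`, makes the failure explicit. The branch starts outside the hunk, so whether an earlier check already covers this cannot be seen here.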
@@ -1,193 +0,0 @@ -From c98b16d890a1e4651b3683853acb69fedd5a10dd Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 6 Jul 2020 16:13:09 -0400 -Subject: [PATCH 7/7] client: try /run and /var/run for the socket path. - -Signed-off-by: Peter Jones ---- - src/client.c | 40 ++++++++++++++++++++-------- - src/pesign-rpmbuild-helper | 54 ++++++++++++++++++++++---------------- - 2 files changed, 61 insertions(+), 33 deletions(-) - -diff --git a/src/client.c b/src/client.c -index a4f1d1dbbe7..0082be1f597 100644 ---- a/src/client.c -+++ b/src/client.c -@@ -61,24 +61,24 @@ print_flag_name(FILE *f, int flag) - } - - static int --connect_to_server(void) -+connect_to_server_helper(const char * const sockpath) - { -- int rc = access(SOCKPATH, R_OK); -+ int rc = access(sockpath, R_OK); - if (rc != 0) { -- fprintf(stderr, "pesign-client: could not connect to server: " -- "%m\n"); -- exit(1); -+ warn("could not access socket \"%s\"", sockpath); -+ return rc; - } - - struct sockaddr_un addr_un = { - .sun_family = AF_UNIX, -- .sun_path = SOCKPATH, - }; -+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path)); -+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0'; - - int sd = socket(AF_UNIX, SOCK_STREAM, 0); - if (sd < 0) { -- fprintf(stderr, "pesign-client: could not open socket: %m\n"); -- exit(1); -+ warn("could not open socket \"%s\"", sockpath); -+ return sd; - } - - socklen_t len = strlen(addr_un.sun_path) + -@@ -86,14 +86,32 @@ connect_to_server(void) - - rc = connect(sd, (struct sockaddr *)&addr_un, len); - if (rc < 0) { -- fprintf(stderr, "pesign-client: could not connect to daemon: " -- "%m\n"); -- exit(1); -+ warn("could not connect to daemon"); -+ return sd; - } - - return sd; - } - -+static int -+connect_to_server(void) -+{ -+ int rc, i; -+ const char * const sockets[] = { -+ "/run/pesign/socket", -+ "/var/run/pesign/socket", -+ NULL -+ }; -+ -+ for (i = 0; sockets[i] != NULL; i++) { -+ rc = connect_to_server_helper(sockets[i]); -+ if (rc >= 0) -+ return rc; 
-+ } -+ -+ exit(1); -+} -+ - static int32_t - check_response(int sd, char **srvmsg); - -diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper -index fd385d1625d..68b53ddf022 100755 ---- a/src/pesign-rpmbuild-helper -+++ b/src/pesign-rpmbuild-helper -@@ -1,6 +1,7 @@ - #!/bin/sh - - set -eu -+set -x - - main() { - local target_cpu="${1}" && shift -@@ -32,32 +33,41 @@ main() { - " --certfile ") - certfile="${2}" - ;; -- " --certname ") -- certname="${2}" -- ;; - " --certout ") -- certout=(-C "${2}") -+ certout[0]=-C -+ certout[1]="${2}" - ;; - " --sattrout ") -- sattrout=(-e "${2}") -+ sattrout[0]=-e -+ sattrout[1]="${2}" - ;; - " --client-token ") -- client_token=(-t "${2}") -+ client_token[0]=-t -+ client_token[1]="${2}" - ;; - " --client-cert ") -- client_cert=(-c "${2}") -+ client_cert[0]=-c -+ client_cert[1]="${2}" - ;; - " --token ") -- token=(-t "${2}") -+ token[0]=-t -+ token="${2}" - ;; - " --cert ") -- cert=(-c "${2}") -+ cert[0]=-c -+ cert[1]="${2}" -+ ;; -+ " --certname ") -+ cert[0]=-c -+ cert[1]="${2}" - ;; - " --in ") -- input=(-i "${2}") -+ input[0]=-i -+ input[1]="${2}" - ;; - " --out ") -- output=(-o "${2}") -+ output[0]=-o -+ output[1]="${2}" - ;; - " --rhelver ") - rhelver="${2}" -@@ -75,8 +85,8 @@ main() { - fi - - local nssdir=/etc/pki/pesign -- if [ "${certname}" == "Red Hat Test Certificate" ] || -- [ "${#cert[@]}" -eq 2 -a "${cert[1]}" == "Red Hat Test Certificate" ] ; then -+ if [ "${#cert[@]}" -eq 2 ] && -+ [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then - nssdir=/etc/pki/pesign-rh-test - fi - -@@ -125,20 +135,20 @@ main() { - certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir} - sattrs="$(mktemp -p $PWD --suffix=.der)" - "${bin}" -E "${sattrs}" --certdir "${nssdir}" \ -- ${input[@]} --force -- rpm-sign --key "${certname}" --rsadgstsign "${sattrs}" -+ "${input[@]}" --force -+ rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}" - "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \ - --certdir "${nssdir}" -c 
signer \ -- ${input[@]} ${output[@]} -+ "${input[@]}" "${output[@]}" - rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" - elif [ -n "${socket}" ] ; then -- "${client}" ${client_token[@]} ${client_cert[@]} \ -- ${sattrout[@]} ${certout[@]} \ -- ${sign} ${input[@]} ${output[@]} -+ "${client}" "${client_token[@]}" "${client_cert[@]}" \ -+ "${sattrout[@]}" "${certout[@]}" \ -+ ${sign} "${input[@]}" "${output[@]}" - else -- "${bin}" --certdir "${nssdir}" ${token[@]} ${cert[@]} \ -- ${sign} ${sattrout[@]} ${certout[@]} \ -- ${input[@]} ${output[@]} -+ "${bin}" --certdir "${nssdir}" "${token[@]}" \ -+ "${cert[@]}" ${sign} "${sattrout[@]}" \ -+ "${certout[@]}" "${input[@]}" "${output[@]}" - fi - - # if there's a 0-sized output file, delete it and error out --- -2.26.2 - diff --git a/pesign.spec b/pesign.spec index 40bff5d..fa2ac3c 100644 --- a/pesign.spec +++ b/pesign.spec @@ -3,7 +3,7 @@ Name: pesign Summary: Signing utility for UEFI binaries Version: 113 -Release: 5~3%{?dist} +Release: 5~5%{?dist} License: GPLv2 URL: https://github.com/vathpela/pesign @@ -46,8 +46,8 @@ Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch Patch0004: 0004-Rename-var-run-to-run.patch Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch -Patch0006: 0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch -Patch0007: 0007-client-try-run-and-var-run-for-the-socket-path.patch +Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch +Patch0007: 0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch %description This package contains the pesign utility for signing UEFI binaries as