rpms/pesign
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

another test build

Browse Source 
Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones 2020-07-06 16:43:27 -04:00
parent 15d1a5085d
commit 38e8425bf8
4 changed files with 132 additions and 230 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
0006-client-try-run-and-var-run-for-the-socket-path.patch Normal file
View File

@ -0,0 +1,86 @@
From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 16:13:09 -0400
Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 40 +++++++++++++++++++++++++++++-----------
1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/src/client.c b/src/client.c
index 2119ef33bf8..a38383415d5 100644
--- a/src/client.c
+++ b/src/client.c
@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
}
static int
-connect_to_server(void)
+connect_to_server_helper(const char * const sockpath)
{
- int rc = access(SOCKPATH, R_OK);
+ int rc = access(sockpath, R_OK);
if (rc != 0) {
- fprintf(stderr, "pesign-client: could not connect to server: "
- "%m\n");
- exit(1);
+ warn("could not access socket \"%s\"", sockpath);
+ return rc;
}
struct sockaddr_un addr_un = {
.sun_family = AF_UNIX,
- .sun_path = SOCKPATH,
};
+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
int sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd < 0) {
- fprintf(stderr, "pesign-client: could not open socket: %m\n");
- exit(1);
+ warn("could not open socket \"%s\"", sockpath);
+ return sd;
}
socklen_t len = strlen(addr_un.sun_path) +
@@ -74,14 +74,32 @@ connect_to_server(void)
rc = connect(sd, (struct sockaddr *)&addr_un, len);
if (rc < 0) {
- fprintf(stderr, "pesign-client: could not connect to daemon: "
- "%m\n");
- exit(1);
+ warn("could not connect to daemon");
+ return sd;
}
return sd;
}
+static int
+connect_to_server(void)
+{
+ int rc, i;
+ const char * const sockets[] = {
+ "/run/pesign/socket",
+ "/var/run/pesign/socket",
+ NULL
+ };
+
+ for (i = 0; sockets[i] != NULL; i++) {
+ rc = connect_to_server_helper(sockets[i]);
+ if (rc >= 0)
+ return rc;
+ }
+
+ exit(1);
+}
+
static int32_t
check_response(int sd, char **srvmsg);
--
2.26.2

77
0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch → 0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
View File

@ -1,15 +1,15 @@
From 8499f7b340e4f6fbb5701db21fbabc25b8883c54 Mon Sep 17 00:00:00 2001 From 22658f290fcf66213ca6237e37ae97bba39a8a0b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com> From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 13:54:35 -0400 Date: Mon, 6 Jul 2020 13:54:35 -0400
Subject: [PATCH 6/7] Move most of macros.pesign to pesign-rpmbuild-helper Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Peter Jones <pjones@redhat.com>
--- ---
src/Makefile | 1 + src/Makefile | 1 +
src/macros.pesign | 73 +++++------------- src/macros.pesign | 73 +++++------------
src/pesign-rpmbuild-helper | 153 +++++++++++++++++++++++++++++++++++++ src/pesign-rpmbuild-helper | 163 +++++++++++++++++++++++++++++++++++++
3 files changed, 174 insertions(+), 53 deletions(-) 3 files changed, 184 insertions(+), 53 deletions(-)
create mode 100755 src/pesign-rpmbuild-helper create mode 100644 src/pesign-rpmbuild-helper
diff --git a/src/Makefile b/src/Makefile diff --git a/src/Makefile b/src/Makefile
index 74327ba13f3..c9e9cc6cd1b 100644 index 74327ba13f3..c9e9cc6cd1b 100644
@ -102,7 +102,7 @@ index 5a6da1c6809..e3a0de9c2f4 100644
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\ + %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\ + %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
+ %{?__pesign_token:%{__pesign_token}} \\\ + %{?__pesign_token:%{__pesign_token}} \\\
+ %{?-n:--cert "%{-n*}"}%{?!-n:--cert "%{__pesign_cert}"} \\\ + %{?-n:--cert "\"%{-n*}\""}%{?!-n:--cert "\"%{__pesign_cert}\""} \\\
+ %{?_rhel:--rhelver "%{_rhel}"} \\\ + %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?-a:--cafile "%{-a*}"} \\\ + %{?-a:--cafile "%{-a*}"} \\\
+ %{?-c:--certfile "%{-c*}"} \\\ + %{?-c:--certfile "%{-c*}"} \\\
@ -114,14 +114,15 @@ index 5a6da1c6809..e3a0de9c2f4 100644
+ ; \ + ; \
+%{nil} +%{nil}
diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
new file mode 100755 new file mode 100644
index 00000000000..fd385d1625d index 00000000000..f3d66320bcc
--- /dev/null --- /dev/null
+++ b/src/pesign-rpmbuild-helper +++ b/src/pesign-rpmbuild-helper
@@ -0,0 +1,153 @@ @@ -0,0 +1,162 @@
+#!/bin/sh +#!/bin/sh
+ +
+set -eu +set -eu
+set -x
+ +
+main() { +main() {
+ local target_cpu="${1}" && shift + local target_cpu="${1}" && shift
@ -130,7 +131,6 @@ index 00000000000..fd385d1625d
+ +
+ local cafile="" || : + local cafile="" || :
+ local certfile="" || : + local certfile="" || :
+ local certname="" || :
+ +
+ local certout=() || : + local certout=() || :
+ local sattrout=() || : + local sattrout=() || :
@ -153,32 +153,41 @@ index 00000000000..fd385d1625d
+ " --certfile ") + " --certfile ")
+ certfile="${2}" + certfile="${2}"
+ ;; + ;;
+ " --certname ")
+ certname="${2}"
+ ;;
+ " --certout ") + " --certout ")
+ certout=(-C "${2}") + certout[0]=-C
+ certout[1]="${2}"
+ ;; + ;;
+ " --sattrout ") + " --sattrout ")
+ sattrout=(-e "${2}") + sattrout[0]=-e
+ sattrout[1]="${2}"
+ ;; + ;;
+ " --client-token ") + " --client-token ")
+ client_token=(-t "${2}") + client_token[0]=-t
+ client_token[1]="${2}"
+ ;; + ;;
+ " --client-cert ") + " --client-cert ")
+ client_cert=(-c "${2}") + client_cert[0]=-c
+ client_cert[1]="${2}"
+ ;; + ;;
+ " --token ") + " --token ")
+ token=(-t "${2}") + token[0]=-t
+ token="${2}"
+ ;; + ;;
+ " --cert ") + " --cert ")
+ cert=(-c "${2}") + cert[0]=-c
+ cert[1]="${2}"
+ ;;
+ " --certname ")
+ cert[0]=-c
+ cert[1]="${2}"
+ ;; + ;;
+ " --in ") + " --in ")
+ input=(-i "${2}") + input[0]=-i
+ input[1]="${2}"
+ ;; + ;;
+ " --out ") + " --out ")
+ output=(-o "${2}") + output[0]=-o
+ output[1]="${2}"
+ ;; + ;;
+ " --rhelver ") + " --rhelver ")
+ rhelver="${2}" + rhelver="${2}"
@ -196,8 +205,8 @@ index 00000000000..fd385d1625d
+ fi + fi
+ +
+ local nssdir=/etc/pki/pesign + local nssdir=/etc/pki/pesign
+ if [ "${certname}" == "Red Hat Test Certificate" ] || + if [ "${#cert[@]}" -eq 2 ] &&
+ [ "${#cert[@]}" -eq 2 -a "${cert[1]}" == "Red Hat Test Certificate" ] ; then + [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then
+ nssdir=/etc/pki/pesign-rh-test + nssdir=/etc/pki/pesign-rh-test
+ fi + fi
+ +
@ -246,24 +255,24 @@ index 00000000000..fd385d1625d
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir} + certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
+ sattrs="$(mktemp -p $PWD --suffix=.der)" + sattrs="$(mktemp -p $PWD --suffix=.der)"
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \ + "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+ ${input[@]} --force + "${input[@]}" --force
+ rpm-sign --key "${certname}" --rsadgstsign "${sattrs}" + rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}"
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \ + "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+ --certdir "${nssdir}" -c signer \ + --certdir "${nssdir}" -c signer \
+ ${input[@]} ${output[@]} + "${input[@]}" "${output[@]}"
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}" + rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+ elif [ -n "${socket}" ] ; then + elif [ -n "${socket}" ] ; then
+ "${client}" ${client_token[@]} ${client_cert[@]} \ + "${client}" "${client_token[@]}" "${client_cert[@]}" \
+ ${sattrout[@]} ${certout[@]} \ + "${sattrout[@]}" "${certout[@]}" \
+ ${sign} ${input[@]} ${output[@]} + ${sign} "${input[@]}" "${output[@]}"
+ else + else
+ "${bin}" --certdir "${nssdir}" ${token[@]} ${cert[@]} \ + "${bin}" --certdir "${nssdir}" "${token[@]}" \
+ ${sign} ${sattrout[@]} ${certout[@]} \ + "${cert[@]}" ${sign} "${sattrout[@]}" \
+ ${input[@]} ${output[@]} + "${certout[@]}" "${input[@]}" "${output[@]}"
+ fi + fi
+ +
+ # if there's a 0-sized output file, delete it and error out + # if there's a 0-sized output file, delete it and error out
+ if [ ! -s "${output[1]}" ] ; then + if [ "${#output[@]}" -eq 2 ] && ! [ -s "${output[1]}" ] ; then
+ if [ -e "${output[1]}" ] ; then + if [ -e "${output[1]}" ] ; then
+ rm -f "${output[1]}" + rm -f "${output[1]}"
+ fi + fi

193
0007-client-try-run-and-var-run-for-the-socket-path.patch
View File

@ -1,193 +0,0 @@
From c98b16d890a1e4651b3683853acb69fedd5a10dd Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 16:13:09 -0400
Subject: [PATCH 7/7] client: try /run and /var/run for the socket path.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/client.c | 40 ++++++++++++++++++++--------
src/pesign-rpmbuild-helper | 54 ++++++++++++++++++++++----------------
2 files changed, 61 insertions(+), 33 deletions(-)
diff --git a/src/client.c b/src/client.c
index a4f1d1dbbe7..0082be1f597 100644
--- a/src/client.c
+++ b/src/client.c
@@ -61,24 +61,24 @@ print_flag_name(FILE *f, int flag)
}
static int
-connect_to_server(void)
+connect_to_server_helper(const char * const sockpath)
{
- int rc = access(SOCKPATH, R_OK);
+ int rc = access(sockpath, R_OK);
if (rc != 0) {
- fprintf(stderr, "pesign-client: could not connect to server: "
- "%m\n");
- exit(1);
+ warn("could not access socket \"%s\"", sockpath);
+ return rc;
}
struct sockaddr_un addr_un = {
.sun_family = AF_UNIX,
- .sun_path = SOCKPATH,
};
+ strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
+ addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
int sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd < 0) {
- fprintf(stderr, "pesign-client: could not open socket: %m\n");
- exit(1);
+ warn("could not open socket \"%s\"", sockpath);
+ return sd;
}
socklen_t len = strlen(addr_un.sun_path) +
@@ -86,14 +86,32 @@ connect_to_server(void)
rc = connect(sd, (struct sockaddr *)&addr_un, len);
if (rc < 0) {
- fprintf(stderr, "pesign-client: could not connect to daemon: "
- "%m\n");
- exit(1);
+ warn("could not connect to daemon");
+ return sd;
}
return sd;
}
+static int
+connect_to_server(void)
+{
+ int rc, i;
+ const char * const sockets[] = {
+ "/run/pesign/socket",
+ "/var/run/pesign/socket",
+ NULL
+ };
+
+ for (i = 0; sockets[i] != NULL; i++) {
+ rc = connect_to_server_helper(sockets[i]);
+ if (rc >= 0)
+ return rc;
+ }
+
+ exit(1);
+}
+
static int32_t
check_response(int sd, char **srvmsg);
diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
index fd385d1625d..68b53ddf022 100755
--- a/src/pesign-rpmbuild-helper
+++ b/src/pesign-rpmbuild-helper
@@ -1,6 +1,7 @@
#!/bin/sh
set -eu
+set -x
main() {
local target_cpu="${1}" && shift
@@ -32,32 +33,41 @@ main() {
" --certfile ")
certfile="${2}"
;;
- " --certname ")
- certname="${2}"
- ;;
" --certout ")
- certout=(-C "${2}")
+ certout[0]=-C
+ certout[1]="${2}"
;;
" --sattrout ")
- sattrout=(-e "${2}")
+ sattrout[0]=-e
+ sattrout[1]="${2}"
;;
" --client-token ")
- client_token=(-t "${2}")
+ client_token[0]=-t
+ client_token[1]="${2}"
;;
" --client-cert ")
- client_cert=(-c "${2}")
+ client_cert[0]=-c
+ client_cert[1]="${2}"
;;
" --token ")
- token=(-t "${2}")
+ token[0]=-t
+ token="${2}"
;;
" --cert ")
- cert=(-c "${2}")
+ cert[0]=-c
+ cert[1]="${2}"
+ ;;
+ " --certname ")
+ cert[0]=-c
+ cert[1]="${2}"
;;
" --in ")
- input=(-i "${2}")
+ input[0]=-i
+ input[1]="${2}"
;;
" --out ")
- output=(-o "${2}")
+ output[0]=-o
+ output[1]="${2}"
;;
" --rhelver ")
rhelver="${2}"
@@ -75,8 +85,8 @@ main() {
fi
local nssdir=/etc/pki/pesign
- if [ "${certname}" == "Red Hat Test Certificate" ] ||
- [ "${#cert[@]}" -eq 2 -a "${cert[1]}" == "Red Hat Test Certificate" ] ; then
+ if [ "${#cert[@]}" -eq 2 ] &&
+ [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then
nssdir=/etc/pki/pesign-rh-test
fi
@@ -125,20 +135,20 @@ main() {
certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
sattrs="$(mktemp -p $PWD --suffix=.der)"
"${bin}" -E "${sattrs}" --certdir "${nssdir}" \
- ${input[@]} --force
- rpm-sign --key "${certname}" --rsadgstsign "${sattrs}"
+ "${input[@]}" --force
+ rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}"
"${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
--certdir "${nssdir}" -c signer \
- ${input[@]} ${output[@]}
+ "${input[@]}" "${output[@]}"
rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
elif [ -n "${socket}" ] ; then
- "${client}" ${client_token[@]} ${client_cert[@]} \
- ${sattrout[@]} ${certout[@]} \
- ${sign} ${input[@]} ${output[@]}
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
+ "${sattrout[@]}" "${certout[@]}" \
+ ${sign} "${input[@]}" "${output[@]}"
else
- "${bin}" --certdir "${nssdir}" ${token[@]} ${cert[@]} \
- ${sign} ${sattrout[@]} ${certout[@]} \
- ${input[@]} ${output[@]}
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
+ "${certout[@]}" "${input[@]}" "${output[@]}"
fi
# if there's a 0-sized output file, delete it and error out
--
2.26.2

6
pesign.spec
View File

@ -3,7 +3,7 @@
Name: pesign Name: pesign
Summary: Signing utility for UEFI binaries Summary: Signing utility for UEFI binaries
Version: 113 Version: 113
Release: 5~3%{?dist} Release: 5~5%{?dist}
License: GPLv2 License: GPLv2
URL: https://github.com/vathpela/pesign URL: https://github.com/vathpela/pesign
@ -46,8 +46,8 @@ Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
Patch0004: 0004-Rename-var-run-to-run.patch Patch0004: 0004-Rename-var-run-to-run.patch
Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
Patch0006: 0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
Patch0007: 0007-client-try-run-and-var-run-for-the-socket-path.patch Patch0007: 0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
%description %description
This package contains the pesign utility for signing UEFI binaries as This package contains the pesign utility for signing UEFI binaries as