Remove errant result files and raise an error from %pesign

0001-Make-the-RHEL-pesign-macro-a-little-better.patch

@@ -0,0 +1,61 @@
+From 2933901ce69d3830e0dad983d20d5d17e8087c75 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 23 Jul 2013 16:58:32 -0400
+Subject: [PATCH 1/8] Make the RHEL %%pesign macro a little better.
+
+Use mktemp to avoid clobering anybody's local files, and document the
+arguments better.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 26f1dd7..8b123fa 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -12,21 +12,31 @@
+ %_pesign /usr/bin/pesign
+ %_pesign_client /usr/bin/pesign-client
+ 
+-%pesign(i:o:C:e:c:s)							\
++# -i <input filename>
++# -o <output filename>
++# -C <output cert filename>
++# -e <output sattr filename>
++# -c <input certificate filename>	# rhel only
++# -n <input certificate name>		# rhel only
++# -a <input ca cert filename>		# rhel only
++# -s 					# perform signing
++%pesign(i:o:C:e:c:n:a:s)						\
+   if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then		\
+     if [ -e /var/run/pesign/socket ]; then				\
+       %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
+                         -c "/CN=Fedora Secure Boot Signer"		\\\
+                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
+     elif [ -e /etc/rhel-release ]; then					\
+-      mkdir nss								\
+-      certutil -d nss -N						\
+-      certutil -A -n "ca" -t "CT,C," -i %{-c*}.crt -a -d nss		\
+-      certutil -A -n %{-c*} -t ",c," -i %{-c*}.crt -a -d nss		\
+-      %{_pesign} %{-i} -E sattrs.der --certdir nss			\
+-      rpm-sign --key "%{-c*}" --rsasign sattrs.der			\
+-      %{_pesign} -R sattrs.der.sig -I sattrs.der %{-i}			\\\
+-                 --certdir nss %{-c} %{-o}				\
++      nss=$(mktemp -p $PWD -d)						\
++      certutil -d ${nss} -N						\
++      certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss}		\
++      certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss}		\
++      sattrs=$(mktemp -p $PWD --suffix=.der)				\
++      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss}			\
++      rpm-sign --key "%{-n*}" --rsasign ${sattrs}			\
++      %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
++                 --certdir ${nss} -c signer %{-o}			\
++      rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
+     else								\
+       %{_pesign} %{__pesign_token} %{__pesign_cert}			\\\
+                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
+-- 
+1.8.3.1
+

0002-Apparently-we-want-documentation-in-a-non-versioned-.patch

@@ -1,8 +1,8 @@
 From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 5 Aug 2013 09:09:46 -0400
-Subject: [PATCH] Apparently we want documentation in a non-versioned directory
- these days.
+Subject: [PATCH 2/8] Apparently we want documentation in a non-versioned
+ directory these days.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch

@@ -0,0 +1,41 @@
+From c2d54b835ca3db92c9110a2596429710453c2a95 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 6 Aug 2013 12:32:43 -0400
+Subject: [PATCH 3/8] Make the RHEL bits for macros.pesign a bit cleaner.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 8b123fa..244f576 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -22,11 +22,7 @@
+ # -s 					# perform signing
+ %pesign(i:o:C:e:c:n:a:s)						\
+   if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then		\
+-    if [ -e /var/run/pesign/socket ]; then				\
+-      %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
+-                        -c "/CN=Fedora Secure Boot Signer"		\\\
+-                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
+-    elif [ -e /etc/rhel-release ]; then					\
++    if [ -e /etc/rhel-release ]; then					\
+       nss=$(mktemp -p $PWD -d)						\
+       certutil -d ${nss} -N						\
+       certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss}		\
+@@ -37,6 +33,10 @@
+       %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
+                  --certdir ${nss} -c signer %{-o}			\
+       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
++    elif [ -S /var/run/pesign/socket ]; then				\
++      %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
++                        -c "/CN=Fedora Secure Boot Signer"		\\\
++                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
+     else								\
+       %{_pesign} %{__pesign_token} %{__pesign_cert}			\\\
+                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
+-- 
+1.8.3.1
+

0004-Include-the-issuer-s-certificate-only-when-available.patch

@@ -0,0 +1,55 @@
+From 7c25ea77c81e63c88cf1fbeb2fc9baba94bce8b7 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Mon, 4 Mar 2013 16:25:08 +0800
+Subject: [PATCH 4/8] Include the issuer's certificate only when available
+
+When pesign generates a signature, it also includes the issuer's certificate.
+In SUSE build server, we only import the signer's certificate and pesign
+complaint the issuer's certificate was not found. Per Authenticode PE, the
+root certificate is typically not included in the certificate list, so I
+modified pesign a bit to include the issuer's certificate only when available.
+Please check the attached patch.
+
+Besides the issuer's certificate, I also found find_named_certificate() didn't
+handle the certificate list properly and it may cause segfault if "node->cert"
+is not valid. The patch also fixes this issue.
+---
+ src/cms_common.c  | 2 +-
+ src/signed_data.c | 8 ++------
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 6b44024..fc9796e 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -592,7 +592,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
+ 	 * in the database, we'll get back what is essentially a template
+ 	 * that's in NSS's cache waiting to be filled out.  We can't use that,
+ 	 * it'll just cause CERT_DupCertificate() to segfault. */
+-	if (!node || !node->cert || !node->cert->derCert.data
++	if (CERT_LIST_END(node) || !node->cert || !node->cert->derCert.data
+ 				 || !node->cert->derCert.len
+ 				 || !node->cert->derIssuer.data
+ 				 || !node->cert->derIssuer.len) {
+diff --git a/src/signed_data.c b/src/signed_data.c
+index 5425271..2f4b498 100644
+--- a/src/signed_data.c
++++ b/src/signed_data.c
+@@ -96,12 +96,8 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
+ 		CERTCertificate *signer = NULL;
+ 		int rc = find_named_certificate(cms, cms->cert->issuerName,
+ 						&signer);
+-		if (rc < 0) {
+-			PORT_ArenaRelease(cms->arena, mark);
+-			return -1;
+-		}
+-
+-		if (signer && signer->derCert.len && signer->derCert.data) {
++		if (rc == 0 && signer &&
++				signer->derCert.len && signer->derCert.data) {
+ 			if (signer->derCert.len != cms->cert->derCert.len ||
+ 					memcmp(signer->derCert.data,
+ 						cms->cert->derCert.data,
+-- 
+1.8.3.1
+

0005-Try-harder-to-figure-out-if-this-is-RHEL.patch

@@ -0,0 +1,26 @@
+From 39466ae9ed3ce5f78fc20c6e74eb0fb3aa93349e Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 6 Aug 2013 16:49:06 -0400
+Subject: [PATCH 5/8] Try harder to figure out if this is RHEL.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 244f576..f94553d 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -22,7 +22,7 @@
+ # -s 					# perform signing
+ %pesign(i:o:C:e:c:n:a:s)						\
+   if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then		\
+-    if [ -e /etc/rhel-release ]; then					\
++    if [ "0%{?rhel}" -ge "7" ]; then					\
+       nss=$(mktemp -p $PWD -d)						\
+       certutil -d ${nss} -N						\
+       certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss}		\
+-- 
+1.8.3.1
+

0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch

@@ -0,0 +1,28 @@
+From f8b19278775fe8a5c599b94fcae90b99a781a42b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 7 Aug 2013 09:06:33 -0400
+Subject: [PATCH 6/8] Don't use ASCII mode for RHEL certificate imports.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index f94553d..84e87a3 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -25,8 +25,8 @@
+     if [ "0%{?rhel}" -ge "7" ]; then					\
+       nss=$(mktemp -p $PWD -d)						\
+       certutil -d ${nss} -N						\
+-      certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss}		\
+-      certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss}		\
++      certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
++      certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
+       sattrs=$(mktemp -p $PWD --suffix=.der)				\
+       %{_pesign} %{-i} -E ${sattrs} --certdir ${nss}			\
+       rpm-sign --key "%{-n*}" --rsasign ${sattrs}			\
+-- 
+1.8.3.1
+

0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch

@@ -0,0 +1,30 @@
+From c7318444b811125f26828fd39e8a46de81cd5f86 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 7 Aug 2013 09:13:11 -0400
+Subject: [PATCH 7/8] Apparently if something goes wrong on the HSM, we wind up
+ with 0-size.
+
+Handle zero-sized output by erroring in the rpm macro.  Eventually we
+should make sure pesign is throwing an error there too.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 84e87a3..6b22826 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -47,5 +47,8 @@
+     elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then				\
+       touch %{-e*}							\
+     fi									\
++  fi									\
++  if [ ! -s %{-o} ]; then						\
++    exit 1								\
+   fi ;
+ 
+-- 
+1.8.3.1
+

0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch

@@ -0,0 +1,26 @@
+From 5b8950a8cddad1076fb631c4ef6999bfb4f977f8 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 7 Aug 2013 09:37:33 -0400
+Subject: [PATCH 8/8] Use --force when we've got a sattrs blob from mktemp()
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 6b22826..a0339fe 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -28,7 +28,7 @@
+       certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
+       certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
+       sattrs=$(mktemp -p $PWD --suffix=.der)				\
+-      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss}			\
++      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force		\
+       rpm-sign --key "%{-n*}" --rsasign ${sattrs}			\
+       %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
+                  --certdir ${nss} -c signer %{-o}			\
+-- 
+1.8.3.1
+

pesign.spec

@@ -1,7 +1,7 @@
 Summary: Signing utility for UEFI binaries
 Name: pesign
 Version: 0.106
-Release: 2%{?dist}
+Release: 4%{?dist}
 Group: Development/System
 License: GPLv2
 URL: https://github.com/vathpela/pesign
@@ -12,13 +12,24 @@ BuildRequires: nss-devel >= 3.13.6-1
 Requires: nspr nss nss-util popt rpm coolkey opensc
 Requires(pre): shadow-utils
 ExclusiveArch: i686 x86_64 ia64
+%if 0%{?rhel} >= 7
+BuildRequires: rh-signing-tools >= 1.20-2
+%endif
 
 # there is no tarball at github, of course.  To get this version do:
 # git clone https://github.com/vathpela/pesign.git
 # git checkout %%{version}
 Source0: pesign-%{version}.tar.bz2
 Source1: rh-test-certs.tar.bz2
-Patch0: 0001-Apparently-we-want-documentation-in-a-non-versioned-.patch
+Patch0001: 0001-Make-the-RHEL-pesign-macro-a-little-better.patch
+Patch0002: 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
+Patch0003: 0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
+Patch0004: 0004-Include-the-issuer-s-certificate-only-when-available.patch
+Patch0005: 0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
+Patch0006: 0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
+Patch0007: 0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
+Patch0008: 0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
+Patch0009: 0009-Remove-errant-results-from-signing.patch
 
 %description
 This package contains the pesign utility for signing UEFI binaries as
@@ -97,6 +108,12 @@ exit 0
 %endif
 
 %changelog
+* Sat Aug 10 2013 Peter Jones <pjones@redhat.com> - 0.106-4
+- Remove errant result files and raise an error from %%pesign 
+
+* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.106-3
+- Add code for signing in RHEL 7
+
 * Mon Aug 05 2013 Peter Jones <pjones@redhat.com> - 0.106-2
 - Fix for new %%doc rules.