Remove errant result files and raise an error from %pesign
This commit is contained in:
parent
2915fd2186
commit
7d6ce00fe5
61
0001-Make-the-RHEL-pesign-macro-a-little-better.patch
Normal file
61
0001-Make-the-RHEL-pesign-macro-a-little-better.patch
Normal file
@ -0,0 +1,61 @@
|
||||
From 2933901ce69d3830e0dad983d20d5d17e8087c75 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 23 Jul 2013 16:58:32 -0400
|
||||
Subject: [PATCH 1/8] Make the RHEL %%pesign macro a little better.
|
||||
|
||||
Use mktemp to avoid clobering anybody's local files, and document the
|
||||
arguments better.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 28 +++++++++++++++++++---------
|
||||
1 file changed, 19 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 26f1dd7..8b123fa 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -12,21 +12,31 @@
|
||||
%_pesign /usr/bin/pesign
|
||||
%_pesign_client /usr/bin/pesign-client
|
||||
|
||||
-%pesign(i:o:C:e:c:s) \
|
||||
+# -i <input filename>
|
||||
+# -o <output filename>
|
||||
+# -C <output cert filename>
|
||||
+# -e <output sattr filename>
|
||||
+# -c <input certificate filename> # rhel only
|
||||
+# -n <input certificate name> # rhel only
|
||||
+# -a <input ca cert filename> # rhel only
|
||||
+# -s # perform signing
|
||||
+%pesign(i:o:C:e:c:n:a:s) \
|
||||
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
|
||||
if [ -e /var/run/pesign/socket ]; then \
|
||||
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||
-c "/CN=Fedora Secure Boot Signer" \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
elif [ -e /etc/rhel-release ]; then \
|
||||
- mkdir nss \
|
||||
- certutil -d nss -N \
|
||||
- certutil -A -n "ca" -t "CT,C," -i %{-c*}.crt -a -d nss \
|
||||
- certutil -A -n %{-c*} -t ",c," -i %{-c*}.crt -a -d nss \
|
||||
- %{_pesign} %{-i} -E sattrs.der --certdir nss \
|
||||
- rpm-sign --key "%{-c*}" --rsasign sattrs.der \
|
||||
- %{_pesign} -R sattrs.der.sig -I sattrs.der %{-i} \\\
|
||||
- --certdir nss %{-c} %{-o} \
|
||||
+ nss=$(mktemp -p $PWD -d) \
|
||||
+ certutil -d ${nss} -N \
|
||||
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||
+ certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
|
||||
+ sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
|
||||
+ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
|
||||
+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||
+ --certdir ${nss} -c signer %{-o} \
|
||||
+ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||
else \
|
||||
%{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 5 Aug 2013 09:09:46 -0400
|
||||
Subject: [PATCH] Apparently we want documentation in a non-versioned directory
|
||||
these days.
|
||||
Subject: [PATCH 2/8] Apparently we want documentation in a non-versioned
|
||||
directory these days.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
@ -0,0 +1,41 @@
|
||||
From c2d54b835ca3db92c9110a2596429710453c2a95 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 6 Aug 2013 12:32:43 -0400
|
||||
Subject: [PATCH 3/8] Make the RHEL bits for macros.pesign a bit cleaner.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 8b123fa..244f576 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -22,11 +22,7 @@
|
||||
# -s # perform signing
|
||||
%pesign(i:o:C:e:c:n:a:s) \
|
||||
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
|
||||
- if [ -e /var/run/pesign/socket ]; then \
|
||||
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||
- -c "/CN=Fedora Secure Boot Signer" \\\
|
||||
- %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
- elif [ -e /etc/rhel-release ]; then \
|
||||
+ if [ -e /etc/rhel-release ]; then \
|
||||
nss=$(mktemp -p $PWD -d) \
|
||||
certutil -d ${nss} -N \
|
||||
certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||
@@ -37,6 +33,10 @@
|
||||
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||
--certdir ${nss} -c signer %{-o} \
|
||||
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||
+ elif [ -S /var/run/pesign/socket ]; then \
|
||||
+ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||
+ -c "/CN=Fedora Secure Boot Signer" \\\
|
||||
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
else \
|
||||
%{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -0,0 +1,55 @@
|
||||
From 7c25ea77c81e63c88cf1fbeb2fc9baba94bce8b7 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
||||
Date: Mon, 4 Mar 2013 16:25:08 +0800
|
||||
Subject: [PATCH 4/8] Include the issuer's certificate only when available
|
||||
|
||||
When pesign generates a signature, it also includes the issuer's certificate.
|
||||
In SUSE build server, we only import the signer's certificate and pesign
|
||||
complaint the issuer's certificate was not found. Per Authenticode PE, the
|
||||
root certificate is typically not included in the certificate list, so I
|
||||
modified pesign a bit to include the issuer's certificate only when available.
|
||||
Please check the attached patch.
|
||||
|
||||
Besides the issuer's certificate, I also found find_named_certificate() didn't
|
||||
handle the certificate list properly and it may cause segfault if "node->cert"
|
||||
is not valid. The patch also fixes this issue.
|
||||
---
|
||||
src/cms_common.c | 2 +-
|
||||
src/signed_data.c | 8 ++------
|
||||
2 files changed, 3 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index 6b44024..fc9796e 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -592,7 +592,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
|
||||
* in the database, we'll get back what is essentially a template
|
||||
* that's in NSS's cache waiting to be filled out. We can't use that,
|
||||
* it'll just cause CERT_DupCertificate() to segfault. */
|
||||
- if (!node || !node->cert || !node->cert->derCert.data
|
||||
+ if (CERT_LIST_END(node) || !node->cert || !node->cert->derCert.data
|
||||
|| !node->cert->derCert.len
|
||||
|| !node->cert->derIssuer.data
|
||||
|| !node->cert->derIssuer.len) {
|
||||
diff --git a/src/signed_data.c b/src/signed_data.c
|
||||
index 5425271..2f4b498 100644
|
||||
--- a/src/signed_data.c
|
||||
+++ b/src/signed_data.c
|
||||
@@ -96,12 +96,8 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
|
||||
CERTCertificate *signer = NULL;
|
||||
int rc = find_named_certificate(cms, cms->cert->issuerName,
|
||||
&signer);
|
||||
- if (rc < 0) {
|
||||
- PORT_ArenaRelease(cms->arena, mark);
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
- if (signer && signer->derCert.len && signer->derCert.data) {
|
||||
+ if (rc == 0 && signer &&
|
||||
+ signer->derCert.len && signer->derCert.data) {
|
||||
if (signer->derCert.len != cms->cert->derCert.len ||
|
||||
memcmp(signer->derCert.data,
|
||||
cms->cert->derCert.data,
|
||||
--
|
||||
1.8.3.1
|
||||
|
26
0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
Normal file
26
0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
Normal file
@ -0,0 +1,26 @@
|
||||
From 39466ae9ed3ce5f78fc20c6e74eb0fb3aa93349e Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Tue, 6 Aug 2013 16:49:06 -0400
|
||||
Subject: [PATCH 5/8] Try harder to figure out if this is RHEL.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 244f576..f94553d 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -22,7 +22,7 @@
|
||||
# -s # perform signing
|
||||
%pesign(i:o:C:e:c:n:a:s) \
|
||||
if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
|
||||
- if [ -e /etc/rhel-release ]; then \
|
||||
+ if [ "0%{?rhel}" -ge "7" ]; then \
|
||||
nss=$(mktemp -p $PWD -d) \
|
||||
certutil -d ${nss} -N \
|
||||
certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
28
0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
Normal file
28
0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From f8b19278775fe8a5c599b94fcae90b99a781a42b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 7 Aug 2013 09:06:33 -0400
|
||||
Subject: [PATCH 6/8] Don't use ASCII mode for RHEL certificate imports.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index f94553d..84e87a3 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -25,8 +25,8 @@
|
||||
if [ "0%{?rhel}" -ge "7" ]; then \
|
||||
nss=$(mktemp -p $PWD -d) \
|
||||
certutil -d ${nss} -N \
|
||||
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
|
||||
- certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
|
||||
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
||||
+ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
||||
sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||
%{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
|
||||
rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -0,0 +1,30 @@
|
||||
From c7318444b811125f26828fd39e8a46de81cd5f86 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 7 Aug 2013 09:13:11 -0400
|
||||
Subject: [PATCH 7/8] Apparently if something goes wrong on the HSM, we wind up
|
||||
with 0-size.
|
||||
|
||||
Handle zero-sized output by erroring in the rpm macro. Eventually we
|
||||
should make sure pesign is throwing an error there too.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 84e87a3..6b22826 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -47,5 +47,8 @@
|
||||
elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
|
||||
touch %{-e*} \
|
||||
fi \
|
||||
+ fi \
|
||||
+ if [ ! -s %{-o} ]; then \
|
||||
+ exit 1 \
|
||||
fi ;
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -0,0 +1,26 @@
|
||||
From 5b8950a8cddad1076fb631c4ef6999bfb4f977f8 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 7 Aug 2013 09:37:33 -0400
|
||||
Subject: [PATCH 8/8] Use --force when we've got a sattrs blob from mktemp()
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/macros.pesign | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 6b22826..a0339fe 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -28,7 +28,7 @@
|
||||
certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
|
||||
certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
|
||||
sattrs=$(mktemp -p $PWD --suffix=.der) \
|
||||
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
|
||||
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
|
||||
rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
|
||||
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||
--certdir ${nss} -c signer %{-o} \
|
||||
--
|
||||
1.8.3.1
|
||||
|
21
pesign.spec
21
pesign.spec
@ -1,7 +1,7 @@
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Name: pesign
|
||||
Version: 0.106
|
||||
Release: 2%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Group: Development/System
|
||||
License: GPLv2
|
||||
URL: https://github.com/vathpela/pesign
|
||||
@ -12,13 +12,24 @@ BuildRequires: nss-devel >= 3.13.6-1
|
||||
Requires: nspr nss nss-util popt rpm coolkey opensc
|
||||
Requires(pre): shadow-utils
|
||||
ExclusiveArch: i686 x86_64 ia64
|
||||
%if 0%{?rhel} >= 7
|
||||
BuildRequires: rh-signing-tools >= 1.20-2
|
||||
%endif
|
||||
|
||||
# there is no tarball at github, of course. To get this version do:
|
||||
# git clone https://github.com/vathpela/pesign.git
|
||||
# git checkout %%{version}
|
||||
Source0: pesign-%{version}.tar.bz2
|
||||
Source1: rh-test-certs.tar.bz2
|
||||
Patch0: 0001-Apparently-we-want-documentation-in-a-non-versioned-.patch
|
||||
Patch0001: 0001-Make-the-RHEL-pesign-macro-a-little-better.patch
|
||||
Patch0002: 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
|
||||
Patch0003: 0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
|
||||
Patch0004: 0004-Include-the-issuer-s-certificate-only-when-available.patch
|
||||
Patch0005: 0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
|
||||
Patch0006: 0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
|
||||
Patch0007: 0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
|
||||
Patch0008: 0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
|
||||
Patch0009: 0009-Remove-errant-results-from-signing.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
@ -97,6 +108,12 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Aug 10 2013 Peter Jones <pjones@redhat.com> - 0.106-4
|
||||
- Remove errant result files and raise an error from %%pesign
|
||||
|
||||
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.106-3
|
||||
- Add code for signing in RHEL 7
|
||||
|
||||
* Mon Aug 05 2013 Peter Jones <pjones@redhat.com> - 0.106-2
|
||||
- Fix for new %%doc rules.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user