diff --git a/0001-Make-the-RHEL-pesign-macro-a-little-better.patch b/0001-Make-the-RHEL-pesign-macro-a-little-better.patch
deleted file mode 100644
index 39b72ca..0000000
--- a/0001-Make-the-RHEL-pesign-macro-a-little-better.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 2933901ce69d3830e0dad983d20d5d17e8087c75 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Tue, 23 Jul 2013 16:58:32 -0400
-Subject: [PATCH 1/9] Make the RHEL %%pesign macro a little better.
-
-Use mktemp to avoid clobering anybody's local files, and document the
-arguments better.
-
-Signed-off-by: Peter Jones
----
- src/macros.pesign | 28 +++++++++++++++++++---------
- 1 file changed, 19 insertions(+), 9 deletions(-)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 26f1dd7..8b123fa 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -12,21 +12,31 @@
- %_pesign /usr/bin/pesign
- %_pesign_client /usr/bin/pesign-client
- 
--%pesign(i:o:C:e:c:s) \
-+# -i
-+# -o
-+# -C
-+# -e
-+# -c # rhel only
-+# -n # rhel only
-+# -a # rhel only
-+# -s # perform signing
-+%pesign(i:o:C:e:c:n:a:s) \
- if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
- if [ -e /var/run/pesign/socket ]; then \
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
- -c "/CN=Fedora Secure Boot Signer" \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- elif [ -e /etc/rhel-release ]; then \
-- mkdir nss \
-- certutil -d nss -N \
-- certutil -A -n "ca" -t "CT,C," -i %{-c*}.crt -a -d nss \
-- certutil -A -n %{-c*} -t ",c," -i %{-c*}.crt -a -d nss \
-- %{_pesign} %{-i} -E sattrs.der --certdir nss \
-- rpm-sign --key "%{-c*}" --rsasign sattrs.der \
-- %{_pesign} -R sattrs.der.sig -I sattrs.der %{-i} \\\
-- --certdir nss %{-c} %{-o} \
-+ nss=$(mktemp -p $PWD -d) \
-+ certutil -d ${nss} -N \
-+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
-+ certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
-+ sattrs=$(mktemp -p $PWD --suffix=.der) \
-+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
-+ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
-+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
-+ --certdir ${nss} -c signer %{-o} \
-+ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
- else \
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
- %{-i} %{-o} %{-e}
%{-s} %{-C} \
---
-1.8.3.1
-
diff --git a/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch b/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
deleted file mode 100644
index 7239090..0000000
--- a/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Mon, 5 Aug 2013 09:09:46 -0400
-Subject: [PATCH 2/9] Apparently we want documentation in a non-versioned
- directory these days.
-
-Signed-off-by: Peter Jones
----
- Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index c2395f2..02e01d5 100644
---- a/Makefile
-+++ b/Makefile
-@@ -16,8 +16,8 @@ clean :
- 
- install :
- @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
-- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
-- $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
-+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
-+ $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
- 
- install_systemd:
- @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
---
-1.8.3.1
-
diff --git a/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch b/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
deleted file mode 100644
index 31b59fa..0000000
--- a/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From c2d54b835ca3db92c9110a2596429710453c2a95 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Tue, 6 Aug 2013 12:32:43 -0400
-Subject: [PATCH 3/9] Make the RHEL bits for macros.pesign a bit cleaner.
-
-Signed-off-by: Peter Jones
----
- src/macros.pesign | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 8b123fa..244f576 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -22,11 +22,7 @@
- # -s # perform signing
- %pesign(i:o:C:e:c:n:a:s) \
- if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
-- if [ -e /var/run/pesign/socket ]; then \
-- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
-- -c "/CN=Fedora Secure Boot Signer" \\\
-- %{-i} %{-o} %{-e} %{-s} %{-C} \
-- elif [ -e /etc/rhel-release ]; then \
-+ if [ -e /etc/rhel-release ]; then \
- nss=$(mktemp -p $PWD -d) \
- certutil -d ${nss} -N \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
-@@ -37,6 +33,10 @@
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
- --certdir ${nss} -c signer %{-o} \
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
-+ elif [ -S /var/run/pesign/socket ]; then \
-+ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
-+ -c "/CN=Fedora Secure Boot Signer" \\\
-+ %{-i} %{-o} %{-e} %{-s} %{-C} \
- else \
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
---
-1.8.3.1
-
diff --git a/0004-Include-the-issuer-s-certificate-only-when-available.patch b/0004-Include-the-issuer-s-certificate-only-when-available.patch
deleted file mode 100644
index 3dacd8b..0000000
--- a/0004-Include-the-issuer-s-certificate-only-when-available.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 7c25ea77c81e63c88cf1fbeb2fc9baba94bce8b7 Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin
-Date: Mon, 4 Mar 2013 16:25:08 +0800
-Subject: [PATCH 4/9] Include the issuer's certificate only when available
-
-When pesign generates a signature, it also includes the issuer's certificate.
-In SUSE build server, we only import the signer's certificate and pesign
-complaint the issuer's certificate was not found. Per Authenticode PE, the
-root certificate is typically not included in the certificate list, so I
-modified pesign a bit to include the issuer's certificate only when available.
-Please check the attached patch.
-
-Besides the issuer's certificate, I also found find_named_certificate() didn't
-handle the certificate list properly and it may cause segfault if "node->cert"
-is not valid. The patch also fixes this issue.
----
- src/cms_common.c | 2 +-
- src/signed_data.c | 8 ++------
- 2 files changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 6b44024..fc9796e 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -592,7 +592,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
- * in the database, we'll get back what is essentially a template
- * that's in NSS's cache waiting to be filled out. We can't use that,
- * it'll just cause CERT_DupCertificate() to segfault.
*/
-- if (!node || !node->cert || !node->cert->derCert.data
-+ if (CERT_LIST_END(node) || !node->cert || !node->cert->derCert.data
- || !node->cert->derCert.len
- || !node->cert->derIssuer.data
- || !node->cert->derIssuer.len) {
-diff --git a/src/signed_data.c b/src/signed_data.c
-index 5425271..2f4b498 100644
---- a/src/signed_data.c
-+++ b/src/signed_data.c
-@@ -96,12 +96,8 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
- CERTCertificate *signer = NULL;
- int rc = find_named_certificate(cms, cms->cert->issuerName,
- &signer);
-- if (rc < 0) {
-- PORT_ArenaRelease(cms->arena, mark);
-- return -1;
-- }
--
-- if (signer && signer->derCert.len && signer->derCert.data) {
-+ if (rc == 0 && signer &&
-+ signer->derCert.len && signer->derCert.data) {
- if (signer->derCert.len != cms->cert->derCert.len ||
- memcmp(signer->derCert.data,
- cms->cert->derCert.data,
---
-1.8.3.1
-
diff --git a/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch b/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
deleted file mode 100644
index 52d03df..0000000
--- a/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 39466ae9ed3ce5f78fc20c6e74eb0fb3aa93349e Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Tue, 6 Aug 2013 16:49:06 -0400
-Subject: [PATCH 5/9] Try harder to figure out if this is RHEL.
-
-Signed-off-by: Peter Jones
----
- src/macros.pesign | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 244f576..f94553d 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -22,7 +22,7 @@
- # -s # perform signing
- %pesign(i:o:C:e:c:n:a:s) \
- if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
-- if [ -e /etc/rhel-release ]; then \
-+ if [ "0%{?rhel}" -ge "7" ]; then \
- nss=$(mktemp -p $PWD -d) \
- certutil -d ${nss} -N \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
---
-1.8.3.1
-
diff --git a/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch b/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
deleted file mode 100644
index 79541be..0000000
--- a/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From f8b19278775fe8a5c599b94fcae90b99a781a42b Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 7 Aug 2013 09:06:33 -0400
-Subject: [PATCH 6/9] Don't use ASCII mode for RHEL certificate imports.
-
-Signed-off-by: Peter Jones
----
- src/macros.pesign | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index f94553d..84e87a3 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -25,8 +25,8 @@
- if [ "0%{?rhel}" -ge "7" ]; then \
- nss=$(mktemp -p $PWD -d) \
- certutil -d ${nss} -N \
-- certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
-- certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
-+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
-+ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
- sattrs=$(mktemp -p $PWD --suffix=.der) \
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
- rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
---
-1.8.3.1
-
diff --git a/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch b/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
deleted file mode 100644
index 7a0dcef..0000000
--- a/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From c7318444b811125f26828fd39e8a46de81cd5f86 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 7 Aug 2013 09:13:11 -0400
-Subject: [PATCH 7/9] Apparently if something goes wrong on the HSM, we wind up
- with 0-size.
-
-Handle zero-sized output by erroring in the rpm macro. Eventually we
-should make sure pesign is throwing an error there too.
-
-Signed-off-by: Peter Jones
----
- src/macros.pesign | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 84e87a3..6b22826 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -47,5 +47,8 @@
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
- touch %{-e*} \
- fi \
-+ fi \
-+ if [ ! -s %{-o} ]; then \
-+ exit 1 \
- fi ;
- 
---
-1.8.3.1
-
diff --git a/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch b/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
deleted file mode 100644
index 7a2fc37..0000000
--- a/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 5b8950a8cddad1076fb631c4ef6999bfb4f977f8 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 7 Aug 2013 09:37:33 -0400
-Subject: [PATCH 8/9] Use --force when we've got a sattrs blob from mktemp()
-
-Signed-off-by: Peter Jones
----
- src/macros.pesign | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 6b22826..a0339fe 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -28,7 +28,7 @@
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
- sattrs=$(mktemp -p $PWD --suffix=.der) \
-- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
-+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
- rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
- --certdir ${nss} -c signer %{-o} \
---
-1.8.3.1
-
diff --git a/0009-Remove-errant-results-from-signing.patch b/0009-Remove-errant-results-from-signing.patch
deleted file mode 100644
index 6d50863..0000000
--- a/0009-Remove-errant-results-from-signing.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From a8f70c0745fcc5b0e522bd3a6ed5871b0eea9397 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Sat, 10 Aug 2013 10:28:49 -0400
-Subject: [PATCH 9/9] Remove errant results from signing.
-
----
- src/macros.pesign | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index a0339fe..8bf47c1 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -49,6 +49,9 @@
- fi \
- fi \
- if [ ! -s %{-o} ]; then \
-+ if [ -e "%{-o*}" ]; then \
-+ rm -f %{-o*} \
-+ fi \
- exit 1 \
- fi ;
- 
---
-1.8.3.1
-
diff --git a/pesign.spec b/pesign.spec
index 9d34782..2dc8770 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -1,7 +1,7 @@
 Summary: Signing utility for UEFI binaries
 Name: pesign
-Version: 0.106
-Release: 4%{?dist}
+Version: 0.107
+Release: 1%{?dist}
 Group: Development/System
 License: GPLv2
 URL: https://github.com/vathpela/pesign
@@ -21,15 +21,6 @@ BuildRequires: rh-signing-tools >= 1.20-2
 # git checkout %%{version}
 Source0: pesign-%{version}.tar.bz2
 Source1: rh-test-certs.tar.bz2
-Patch0001: 0001-Make-the-RHEL-pesign-macro-a-little-better.patch
-Patch0002: 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
-Patch0003: 0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
-Patch0004: 0004-Include-the-issuer-s-certificate-only-when-available.patch
-Patch0005: 0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
-Patch0006: 0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
-Patch0007: 0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
-Patch0008: 0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
-Patch0009: 0009-Remove-errant-results-from-signing.patch
 %description
 This package contains the pesign utility for signing UEFI binaries as
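Review bot: The bump to 0.107-1 and the removal of Patch0001 through Patch0009 in the second pesign.spec hunk come with no %changelog hunk, so nothing in the diff records why the nine patches are gone or that the new upstream tarball carries them. Several of the dropped patches are not cosmetic: 0004 adds the CERT_LIST_END check in find_named_certificate that its author describes as avoiding a segfault on an invalid node->cert, and 0007/0009 make the %pesign macro exit non-zero and remove the output file when the HSM yields a zero-size result, presumably so an empty or unsigned binary cannot end up in the package. Before merging, confirm each of those changes is present in pesign-0.107.tar.bz2 and add a changelog entry along the lines of `* <date> <packager> - 0.107-1` followed by `- Update to 0.107; drop patches merged upstream` (placeholders to fill in). The spec's %changelog section itself lies outside this hunk.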
diff --git a/sources b/sources
index 2d465cc..89b75ee 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 328db7cb27847cb610b7cf8f9c470455 rh-test-certs.tar.bz2
-dbe4d91dc9677275fe32c9238c1ea881 pesign-0.106.tar.bz2
+0f0cd4bdf207a33841cab2b22dcbb5e2 pesign-0.107.tar.bz2