Update to 0.112
- Also fix up some spec file woes: - dumb things in %setup - find-debuginfo.sh not working right for some source files... Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones
parent
3fceb7af7d
commit
ecaa79e058
|
|
@ -1,71 +0,0 @@
|
|||
From ae2520e013caf4f5d0dae89623dc08925d6cd472 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 28 Oct 2015 15:58:07 -0400
|
||||
Subject: [PATCH] Fix one more -Wsign-compare problem I missed.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/daemon.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/daemon.c b/src/daemon.c
|
||||
index 02b7352..175c874 100644
|
||||
--- a/src/daemon.c
|
||||
+++ b/src/daemon.c
|
||||
@@ -194,7 +194,7 @@ malformed:
|
||||
return;
|
||||
}
|
||||
n -= sizeof(tn->size);
|
||||
- if (n < tn->size)
|
||||
+ if ((size_t)n < tn->size)
|
||||
goto malformed;
|
||||
n -= tn->size;
|
||||
|
||||
@@ -202,10 +202,10 @@ malformed:
|
||||
goto malformed;
|
||||
|
||||
pesignd_string *tp = pesignd_string_next(tn);
|
||||
- if (n < (long long)sizeof(tp->size))
|
||||
+ if ((size_t)n < sizeof(tp->size))
|
||||
goto malformed;
|
||||
n -= sizeof(tp->size);
|
||||
- if (n < tp->size)
|
||||
+ if ((size_t)n < tp->size)
|
||||
goto malformed;
|
||||
n -= tp->size;
|
||||
|
||||
@@ -298,7 +298,7 @@ malformed:
|
||||
return;
|
||||
}
|
||||
n -= sizeof(tn->size);
|
||||
- if (n < tn->size)
|
||||
+ if ((size_t)n < tn->size)
|
||||
goto malformed;
|
||||
n -= tn->size;
|
||||
|
||||
@@ -487,7 +487,7 @@ malformed:
|
||||
}
|
||||
|
||||
n -= sizeof(tn->size);
|
||||
- if (n < tn->size)
|
||||
+ if ((size_t)n < tn->size)
|
||||
goto malformed;
|
||||
n -= tn->size;
|
||||
|
||||
@@ -497,11 +497,11 @@ malformed:
|
||||
if (!ctx->cms->tokenname)
|
||||
goto oom;
|
||||
|
||||
- if (n < (long long)sizeof(tn->size))
|
||||
+ if ((size_t)n < sizeof(tn->size))
|
||||
goto malformed;
|
||||
pesignd_string *cn = pesignd_string_next(tn);
|
||||
n -= sizeof(cn->size);
|
||||
- if (n < cn->size)
|
||||
+ if ((size_t)n < cn->size)
|
||||
goto malformed;
|
||||
|
||||
ctx->cms->certname = PORT_ArenaStrdup(ctx->cms->arena,
|
||||
--
|
||||
2.5.0
|
||||
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
From 6796e5f7b0ab1eb08f92887ae0427cf5a4120e0b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sun, 8 Nov 2015 14:42:29 -0500
|
||||
Subject: [PATCH 1/5] pesign: when nss fails to tell us -EPERM or -ENOENT,
|
||||
figure it out.
|
||||
|
||||
This should make -EPERM problems much easier for the user to diagnose.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign.c | 24 ++++++++++++++++++++----
|
||||
1 file changed, 20 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/pesign.c b/src/pesign.c
|
||||
index 1d72657..09b6a2b 100644
|
||||
--- a/src/pesign.c
|
||||
+++ b/src/pesign.c
|
||||
@@ -17,7 +17,9 @@
|
||||
* Author(s): Peter Jones <pjones@redhat.com>
|
||||
*/
|
||||
|
||||
+#include <err.h>
|
||||
#include <fcntl.h>
|
||||
+#include <glob.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@@ -576,14 +578,28 @@ main(int argc, char *argv[])
|
||||
|
||||
if (!daemon) {
|
||||
SECStatus status;
|
||||
- if (need_db)
|
||||
+ if (need_db) {
|
||||
status = NSS_Init(certdir);
|
||||
- else
|
||||
+ if (status != SECSuccess) {
|
||||
+ char *globpattern = NULL;
|
||||
+ rc = asprintf(&globpattern, "%s/cert*.db",
|
||||
+ certdir);
|
||||
+ if (rc > 0) {
|
||||
+ glob_t globbuf;
|
||||
+ memset(&globbuf, 0, sizeof(globbuf));
|
||||
+ rc = glob(globpattern, GLOB_ERR, NULL,
|
||||
+ &globbuf);
|
||||
+ if (rc != 0) {
|
||||
+ err(1, "Could not open NSS database (\"%s\")",
|
||||
+ PORT_ErrorToString(PORT_GetError()));
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ } else
|
||||
status = NSS_NoDB_Init(NULL);
|
||||
if (status != SECSuccess) {
|
||||
- fprintf(stderr, "Could not initialize nss: %s\n",
|
||||
+ errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
|
||||
PORT_ErrorToString(PORT_GetError()));
|
||||
- exit(1);
|
||||
}
|
||||
|
||||
status = register_oids(ctxp->cms_ctx);
|
||||
--
|
||||
2.5.0
|
||||
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 19 Nov 2015 11:36:59 -0500
|
||||
Subject: [PATCH 2/5] setfacl the nss DBs to our authorized users, not just the
|
||||
socket.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize-groups | 2 ++
|
||||
src/pesign-authorize-users | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||
index e3864ce..2236bea 100644
|
||||
--- a/src/pesign-authorize-groups
|
||||
+++ b/src/pesign-authorize-groups
|
||||
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
|
||||
for group in $(cat /etc/pesign/groups); do
|
||||
setfacl -m g:${group}:rx /var/run/pesign
|
||||
setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
+ setfacl -m g:${username}:rx /etc/pki/pesign
|
||||
+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||
index e500204..9c38a25 100644
|
||||
--- a/src/pesign-authorize-users
|
||||
+++ b/src/pesign-authorize-users
|
||||
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
|
||||
for username in $(cat /etc/pesign/users); do
|
||||
setfacl -m u:${username}:rx /var/run/pesign
|
||||
setfacl -m u:${username}:rw /var/run/pesign/socket
|
||||
+ setfacl -m u:${username}:rx /etc/pki/pesign
|
||||
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
done
|
||||
fi
|
||||
--
|
||||
2.5.0
|
||||
|
||||
|
|
@ -1,54 +0,0 @@
|
|||
From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 20 Nov 2015 19:19:49 -0500
|
||||
Subject: [PATCH 3/5] Don't setfacl when the socket or dir aren't there.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize-groups | 10 ++++++----
|
||||
src/pesign-authorize-users | 10 ++++++----
|
||||
2 files changed, 12 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||
index 2236bea..2222809 100644
|
||||
--- a/src/pesign-authorize-groups
|
||||
+++ b/src/pesign-authorize-groups
|
||||
@@ -11,9 +11,11 @@
|
||||
|
||||
if [[ -r /etc/pesign/groups ]]; then
|
||||
for group in $(cat /etc/pesign/groups); do
|
||||
- setfacl -m g:${group}:rx /var/run/pesign
|
||||
- setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
- setfacl -m g:${username}:rx /etc/pki/pesign
|
||||
- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ if [ -d /var/run/pesign ]; then
|
||||
+ setfacl -m g:${group}:rx /var/run/pesign
|
||||
+ if [ -e /var/run/pesign/socket ]; then
|
||||
+ setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
+ fi
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||
index 9c38a25..22bddec 100644
|
||||
--- a/src/pesign-authorize-users
|
||||
+++ b/src/pesign-authorize-users
|
||||
@@ -11,9 +11,11 @@
|
||||
|
||||
if [[ -r /etc/pesign/users ]]; then
|
||||
for username in $(cat /etc/pesign/users); do
|
||||
- setfacl -m u:${username}:rx /var/run/pesign
|
||||
- setfacl -m u:${username}:rw /var/run/pesign/socket
|
||||
- setfacl -m u:${username}:rx /etc/pki/pesign
|
||||
- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ if [ -d /var/run/pesign ]; then
|
||||
+ setfacl -m g:${username}:rx /var/run/pesign
|
||||
+ if [ -e /var/run/pesign/socket ]; then
|
||||
+ setfacl -m g:${username}:rw /var/run/pesign/socket
|
||||
+ fi
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
--
|
||||
2.5.0
|
||||
|
||||
|
|
@ -1,51 +0,0 @@
|
|||
From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 20 Nov 2015 19:21:39 -0500
|
||||
Subject: [PATCH 4/5] setfacl the db as well
|
||||
|
||||
And also get all our "-m [ug]:${name}:$perm" arguments right.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize-groups | 4 ++++
|
||||
src/pesign-authorize-users | 8 ++++++--
|
||||
2 files changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||
index 2222809..13aefa6 100644
|
||||
--- a/src/pesign-authorize-groups
|
||||
+++ b/src/pesign-authorize-groups
|
||||
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
|
||||
setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
fi
|
||||
fi
|
||||
+ if [ -d /etc/pki/pesign ]; then
|
||||
+ setfacl -m g:${group}:rx /etc/pki/pesign
|
||||
+ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||
index 22bddec..a43ce44 100644
|
||||
--- a/src/pesign-authorize-users
|
||||
+++ b/src/pesign-authorize-users
|
||||
@@ -12,10 +12,14 @@
|
||||
if [[ -r /etc/pesign/users ]]; then
|
||||
for username in $(cat /etc/pesign/users); do
|
||||
if [ -d /var/run/pesign ]; then
|
||||
- setfacl -m g:${username}:rx /var/run/pesign
|
||||
+ setfacl -m u:${username}:rx /var/run/pesign
|
||||
if [ -e /var/run/pesign/socket ]; then
|
||||
- setfacl -m g:${username}:rw /var/run/pesign/socket
|
||||
+ setfacl -m u:${username}:rw /var/run/pesign/socket
|
||||
fi
|
||||
fi
|
||||
+ if [ -d /etc/pki/pesign ]; then
|
||||
+ setfacl -m u:${username}:rx /etc/pki/pesign
|
||||
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
--
|
||||
2.5.0
|
||||
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
From bfa02b50f9bbb60c3b04f159864aa4a87b0020e2 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 30 Nov 2015 15:34:35 -0500
|
||||
Subject: [PATCH 5/5] Do a better job of isolating pesign-rh-test-crap
|
||||
|
||||
---
|
||||
src/Makefile | 1 +
|
||||
src/macros.pesign | 10 ++++++++--
|
||||
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/Makefile b/src/Makefile
|
||||
index af3fd07..1822d3f 100644
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -65,6 +65,7 @@ install_sysvinit: pesign.sysvinit
|
||||
|
||||
install :
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
||||
+ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
||||
$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
|
||||
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 39374ce..9644940 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -7,7 +7,7 @@
|
||||
# And magically get the right thing.
|
||||
|
||||
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
||||
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
|
||||
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||
|
||||
%_pesign /usr/bin/pesign
|
||||
%_pesign_client /usr/bin/pesign-client
|
||||
@@ -21,6 +21,10 @@
|
||||
# -a <input ca cert filename> # rhel only
|
||||
# -s # perform signing
|
||||
%pesign(i:o:C:e:c:n:a:s) \
|
||||
+ _pesign_nssdir=/etc/pki/pesign \
|
||||
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
|
||||
+ _pesign_nssdir=/etc/pki/pesign-rh-test \
|
||||
+ fi \
|
||||
if [ -x %{_pesign} ] && \\\
|
||||
[ "%{_target_cpu}" == "x86_64" -o \\\
|
||||
"%{_target_cpu}" == "aarch64" ]; then \
|
||||
@@ -39,9 +43,10 @@
|
||||
elif [ -S /var/run/pesign/socket ]; then \
|
||||
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||
-c "/CN=Fedora Secure Boot Signer" \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
else \
|
||||
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
||||
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
||||
+ --certdir ${_pesign_nssdir} \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
fi \
|
||||
else \
|
||||
--
|
||||
2.5.0
|
||||
|
||||
27
pesign.spec
27
pesign.spec
|
|
@ -2,8 +2,8 @@
|
|||
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Name: pesign
|
||||
Version: 0.111
|
||||
Release: 8%{?dist}
|
||||
Version: 0.112
|
||||
Release: 1%{?dist}
|
||||
Group: Development/System
|
||||
License: GPLv2
|
||||
URL: https://github.com/vathpela/pesign
|
||||
|
|
@ -17,27 +17,21 @@ BuildRequires: libuuid-devel
|
|||
BuildRequires: tar xz
|
||||
Requires: nspr nss nss-util popt rpm coolkey opensc
|
||||
Requires(pre): shadow-utils
|
||||
ExclusiveArch: i686 x86_64 ia64 aarch64
|
||||
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 arm
|
||||
%if 0%{?rhel} >= 7
|
||||
BuildRequires: rh-signing-tools >= 1.20-2
|
||||
%endif
|
||||
|
||||
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
|
||||
Source1: certs.tar.xz
|
||||
Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
|
||||
Patch10001: 0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch
|
||||
Patch10002: 0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
|
||||
Patch10003: 0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
|
||||
Patch10004: 0004-setfacl-the-db-as-well.patch
|
||||
Patch10005: 0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
well as other associated tools.
|
||||
|
||||
%prep
|
||||
%setup -q -a 0
|
||||
%setup -a 1 -D -c -n pesign-%{version}/
|
||||
%setup -q -T -b 0
|
||||
%setup -q -T -D -c -n pesign-%{version}/ -a 1
|
||||
git init
|
||||
git config user.email "pesign-owner@fedoraproject.org"
|
||||
git config user.name "Fedora Ninjas"
|
||||
|
|
@ -74,7 +68,10 @@ if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
|
|||
%{buildroot}%{macrosdir}
|
||||
rmdir %{buildroot}%{_sysconfdir}/rpm
|
||||
fi
|
||||
rm -f %{buildroot}/usr/usr/share/doc/pesign-0.111/COPYING
|
||||
rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
|
||||
|
||||
# and find-debuginfo.sh has some pretty awful deficencies too...
|
||||
cp -av libdpe/*.[ch] src/
|
||||
|
||||
%pre
|
||||
getent group pesign >/dev/null || groupadd -r pesign
|
||||
|
|
@ -135,6 +132,12 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Apr 20 2016 Peter Jones <pjones@redhat.com> - 0.112-1
|
||||
- Update to 0.112
|
||||
- Also fix up some spec file woes:
|
||||
- dumb things in %%setup
|
||||
- find-debuginfo.sh not working right for some source files...
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.111-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue