Peter Jones
0da9ef3c65 Obsolete pesign-rh-test-certs
Signed-off-by: Peter Jones <pjones@redhat.com>
2015-12-10 15:11:31 -05:00
Peter Jones
54662220c6 *Don't* use --certdir if we're using the socket.
Related: rhbz#1283475
  Related: rhbz#1284063
  Related: rhbz#1284561

Signed-off-by: Peter Jones <pjones@redhat.com>
2015-12-02 13:53:30 -05:00
Peter Jones
b475194e38 Actually do a better job of choosing which cert to use when, so people will
stop seeing any of this problem.  (Thanks for the thought, jforbes.)
  Resolves: rhbz#1283475
  Resolves: rhbz#1284063
  Resolves: rhbz#1284561

Signed-off-by: Peter Jones <pjones@redhat.com>
2015-12-01 15:37:28 -05:00
Peter Jones
c2226db9c8 Try a completely different thing for the test certs...
Signed-off-by: Peter Jones <pjones@redhat.com>
2015-12-01 15:37:28 -05:00
Peter Jones
78c38032d7 Setfacl even harder.
Resolves: rhbz#1284561
  Resolves: rhbz#1283475

Signed-off-by: Peter Jones <pjones@redhat.com>
2015-12-01 14:59:11 -05:00
Peter Jones
2ad806160d Better ACL setting code.
Signed-off-by: Peter Jones <pjones@redhat.com>
2015-11-20 19:26:17 -05:00
Peter Jones
78fe18a501 Allow the mockbuild user to read the nss database if the account exists.
Signed-off-by: Peter Jones <pjones@redhat.com>
2015-11-19 13:37:20 -05:00
Peter Jones
e53252edeb Rebase to 0.111
- Split test certs out into a "Recommends" subpackage.

Signed-off-by: Peter Jones <pjones@redhat.com>
2015-10-28 16:07:14 -04:00
Peter Jones
4c49c8a31a Rebase to 0.111
- Split test certs out into a "Recommends" subpackage.

Signed-off-by: Peter Jones <pjones@redhat.com>
2015-10-28 15:42:00 -04:00
11 changed files with 419 additions and 133 deletions

.gitignore vendored

@ -2,3 +2,6 @@
clog clog
/rh-test-certs.tar.bz2 /rh-test-certs.tar.bz2
*.rpm *.rpm
/certs.tar.xz
.build*.log
/pesign-*/


@ -0,0 +1,71 @@
From ae2520e013caf4f5d0dae89623dc08925d6cd472 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 28 Oct 2015 15:58:07 -0400
Subject: [PATCH] Fix one more -Wsign-compare problem I missed.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 02b7352..175c874 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -194,7 +194,7 @@ malformed:
return;
}
n -= sizeof(tn->size);
- if (n < tn->size)
+ if ((size_t)n < tn->size)
goto malformed;
n -= tn->size;
@@ -202,10 +202,10 @@ malformed:
goto malformed;
pesignd_string *tp = pesignd_string_next(tn);
- if (n < (long long)sizeof(tp->size))
+ if ((size_t)n < sizeof(tp->size))
goto malformed;
n -= sizeof(tp->size);
- if (n < tp->size)
+ if ((size_t)n < tp->size)
goto malformed;
n -= tp->size;
@@ -298,7 +298,7 @@ malformed:
return;
}
n -= sizeof(tn->size);
- if (n < tn->size)
+ if ((size_t)n < tn->size)
goto malformed;
n -= tn->size;
@@ -487,7 +487,7 @@ malformed:
}
n -= sizeof(tn->size);
- if (n < tn->size)
+ if ((size_t)n < tn->size)
goto malformed;
n -= tn->size;
@@ -497,11 +497,11 @@ malformed:
if (!ctx->cms->tokenname)
goto oom;
- if (n < (long long)sizeof(tn->size))
+ if ((size_t)n < sizeof(tn->size))
goto malformed;
pesignd_string *cn = pesignd_string_next(tn);
n -= sizeof(cn->size);
- if (n < cn->size)
+ if ((size_t)n < cn->size)
goto malformed;
ctx->cms->certname = PORT_ArenaStrdup(ctx->cms->arena,
--
2.5.0
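Review bot: Replacing `n < tn->size` with `(size_t)n < tn->size` (and the same for the `tp` and `cn` checks in the later hunks) silences -Wsign-compare by converting the signed operand, which inverts the outcome when `n` is negative: a negative value (the removed casts suggest `n` is a signed `long long`) becomes a huge `size_t`, the comparison is false, and `goto malformed` is skipped for a message that is in fact too short. The removed `(long long)sizeof(...)` casts kept the comparison signed and so did not have this hole. Whether `n` can be negative at these points depends on how it is derived before the first hunk, which the patch does not show; if it can, `if (n < 0 || (size_t)n < tn->size) goto malformed;` keeps the warning fix without weakening the length validation. The enclosing functions start and end outside every hunk here.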


@ -1,75 +0,0 @@
From fd52dc1631d46cdf4eac9053be7e2e7a19977df2 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 24 Oct 2014 16:26:26 -0400
Subject: [PATCH 1/2] Make "make install_systemd" and "make install_sysvinit"
not error.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
include/Makefile | 4 ++++
include/libdpe/Makefile | 4 ++++
libdpe/Makefile | 4 ++++
util/Makefile | 4 ++++
4 files changed, 16 insertions(+)
diff --git a/include/Makefile b/include/Makefile
index 4314287..2b1f0ff 100644
--- a/include/Makefile
+++ b/include/Makefile
@@ -16,6 +16,10 @@ clean :
install :
@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
+install_systemd:
+
+install_sysvinit:
+
.PHONY: all $(SUBDIRS) clean install
include $(TOPDIR)/Make.rules
diff --git a/include/libdpe/Makefile b/include/libdpe/Makefile
index f8a1e2c..f94001e 100644
--- a/include/libdpe/Makefile
+++ b/include/libdpe/Makefile
@@ -13,4 +13,8 @@ install:
$(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/include/libdpe/
$(INSTALL) -m 644 *.h $(INSTALLROOT)$(PREFIX)/include/libdpe/
+install_systemd:
+
+install_sysvinit:
+
include $(TOPDIR)/Make.rules
diff --git a/libdpe/Makefile b/libdpe/Makefile
index a8b0c26..b94379c 100644
--- a/libdpe/Makefile
+++ b/libdpe/Makefile
@@ -37,6 +37,10 @@ install :
$(INSTALL) -m 755 $$x $(INSTALLROOT)$(LIBDIR) ; \
done
+install_systemd:
+
+install_sysvinit:
+
.PHONY: all clean install
include $(TOPDIR)/Make.rules
diff --git a/util/Makefile b/util/Makefile
index ff11cb8..2f71b73 100644
--- a/util/Makefile
+++ b/util/Makefile
@@ -20,6 +20,10 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/
$(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/
+install_systemd:
+
+install_sysvinit:
+
.PHONY: all clean install
include $(TOPDIR)/Make.efirules
--
1.9.3


@ -0,0 +1,63 @@
From 6796e5f7b0ab1eb08f92887ae0427cf5a4120e0b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 8 Nov 2015 14:42:29 -0500
Subject: [PATCH 1/5] pesign: when nss fails to tell us -EPERM or -ENOENT,
figure it out.
This should make -EPERM problems much easier for the user to diagnose.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/pesign.c b/src/pesign.c
index 1d72657..09b6a2b 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -17,7 +17,9 @@
* Author(s): Peter Jones <pjones@redhat.com>
*/
+#include <err.h>
#include <fcntl.h>
+#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -576,14 +578,28 @@ main(int argc, char *argv[])
if (!daemon) {
SECStatus status;
- if (need_db)
+ if (need_db) {
status = NSS_Init(certdir);
- else
+ if (status != SECSuccess) {
+ char *globpattern = NULL;
+ rc = asprintf(&globpattern, "%s/cert*.db",
+ certdir);
+ if (rc > 0) {
+ glob_t globbuf;
+ memset(&globbuf, 0, sizeof(globbuf));
+ rc = glob(globpattern, GLOB_ERR, NULL,
+ &globbuf);
+ if (rc != 0) {
+ err(1, "Could not open NSS database (\"%s\")",
+ PORT_ErrorToString(PORT_GetError()));
+ }
+ }
+ }
+ } else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
- fprintf(stderr, "Could not initialize nss: %s\n",
+ errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
PORT_ErrorToString(PORT_GetError()));
- exit(1);
}
status = register_oids(ctxp->cms_ctx);
--
2.5.0
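Review bot: `err(1, ...)` in the new `if (rc != 0)` branch appends `strerror(errno)`, but `glob()` does not set `errno` for `GLOB_NOMATCH`, so the text after the NSS error may describe an earlier, unrelated failure; `errx`, or a message chosen from `rc` (`GLOB_NOMATCH` vs `GLOB_ABORTED`), would be more accurate. The same applies to the `%m` in the `errx` below it: by the time it runs, `asprintf()` and `glob()` have had a chance to overwrite whatever `errno` `NSS_Init()` left, so the "errno says" part may not describe the NSS failure. That `errx` format also ends with `"\n"`, which `errx` adds itself, so the message is followed by an empty line. `globpattern` and `globbuf` are not released on the path where `glob()` succeeds, harmless only because the process exits right after. `main()` starts and ends outside the hunk.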


@ -1,39 +0,0 @@
From 5a293fb24da9ee68f43bf94f08b07569d3556ce1 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 24 Oct 2014 16:29:19 -0400
Subject: [PATCH 2/2] Install authvar and efisiglist
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index 4c86a2a..007505c 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -76,17 +76,19 @@ install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/bin/
+ $(INSTALL) -m 755 authvar $(INSTALLROOT)$(PREFIX)/bin/
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(PREFIX)/bin/
$(INSTALL) -m 755 client $(INSTALLROOT)$(PREFIX)/bin/pesign-client
$(INSTALL) -m 755 efikeygen $(INSTALLROOT)$(PREFIX)/bin/
- #$(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(PREFIX)/bin/
+ $(INSTALL) -m 755 efisiglist $(INSTALLROOT)$(PREFIX)/bin/
+ $(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(PREFIX)/bin/
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/popt.d/
$(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/
$(INSTALL) -d -m 755 $(INSTALLROOT)/usr/share/man/man1/
$(INSTALL) -m 644 pesign.1 $(INSTALLROOT)/usr/share/man/man1/
$(INSTALL) -m 644 pesign-client.1 $(INSTALLROOT)/usr/share/man/man1/
$(INSTALL) -m 644 efikeygen.1 $(INSTALLROOT)/usr/share/man/man1/
- #$(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)/usr/share/man/man1/
+ $(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)/usr/share/man/man1/
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
--
1.9.3


@ -0,0 +1,39 @@
From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 19 Nov 2015 11:36:59 -0500
Subject: [PATCH 2/5] setfacl the nss DBs to our authorized users, not just the
socket.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 2 ++
src/pesign-authorize-users | 2 ++
2 files changed, 4 insertions(+)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index e3864ce..2236bea 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
for group in $(cat /etc/pesign/groups); do
setfacl -m g:${group}:rx /var/run/pesign
setfacl -m g:${group}:rw /var/run/pesign/socket
+ setfacl -m g:${username}:rx /etc/pki/pesign
+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index e500204..9c38a25 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
setfacl -m u:${username}:rx /var/run/pesign
setfacl -m u:${username}:rw /var/run/pesign/socket
+ setfacl -m u:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
done
fi
--
2.5.0


@ -0,0 +1,54 @@
From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:19:49 -0500
Subject: [PATCH 3/5] Don't setfacl when the socket or dir aren't there.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 10 ++++++----
src/pesign-authorize-users | 10 ++++++----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 2236bea..2222809 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -11,9 +11,11 @@
if [[ -r /etc/pesign/groups ]]; then
for group in $(cat /etc/pesign/groups); do
- setfacl -m g:${group}:rx /var/run/pesign
- setfacl -m g:${group}:rw /var/run/pesign/socket
- setfacl -m g:${username}:rx /etc/pki/pesign
- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${group}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 9c38a25..22bddec 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -11,9 +11,11 @@
if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
- setfacl -m u:${username}:rx /var/run/pesign
- setfacl -m u:${username}:rw /var/run/pesign/socket
- setfacl -m u:${username}:rx /etc/pki/pesign
- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${username}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${username}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
--
2.5.0


@ -0,0 +1,51 @@
From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:21:39 -0500
Subject: [PATCH 4/5] setfacl the db as well
And also get all our "-m [ug]:${name}:$perm" arguments right.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 4 ++++
src/pesign-authorize-users | 8 ++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 2222809..13aefa6 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m g:${group}:rx /etc/pki/pesign
+ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 22bddec..a43ce44 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -12,10 +12,14 @@
if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
+ setfacl -m u:${username}:rx /var/run/pesign
if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
+ setfacl -m u:${username}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m u:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
--
2.5.0
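Review bot: The new `if [ -d /etc/pki/pesign ]` block guards the directory but not the three files it then hands to `setfacl` through the brace expansion `{cert8,key3,secmod}.db`, so on a host where one of them is absent (an NSS install using the `cert9.db`/`key4.db` layout, for example) `setfacl` reports an error for that path on every run, which is exactly what the previous patch in this series avoided for the socket; the same shape appears in the 0002 patch, which 0003 removes again. Looping over the files with an `-e` test, in both scripts, keeps the socket and database branches consistent. This also grants `r` on `key3.db` itself, i.e. the listed users can read the private-key database directly rather than only talk to the daemon socket; if that is the intent for `/etc/pesign/users` and `/etc/pesign/groups`, a comment in the scripts saying so would save the next maintainer the question. The `for group` loop header is outside the groups hunk.
```shell
    if [ -d /etc/pki/pesign ]; then
        setfacl -m u:${username}:rx /etc/pki/pesign
        for db in /etc/pki/pesign/{cert8,key3,secmod}.db; do
            if [ -e "$db" ]; then
                setfacl -m u:${username}:r "$db"
            fi
        done
    fi
```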


@ -0,0 +1,61 @@
From bfa02b50f9bbb60c3b04f159864aa4a87b0020e2 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 30 Nov 2015 15:34:35 -0500
Subject: [PATCH 5/5] Do a better job of isolating pesign-rh-test-crap
---
src/Makefile | 1 +
src/macros.pesign | 10 ++++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index af3fd07..1822d3f 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -65,6 +65,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
+ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
diff --git a/src/macros.pesign b/src/macros.pesign
index 39374ce..9644940 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -7,7 +7,7 @@
# And magically get the right thing.
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -21,6 +21,10 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
+ _pesign_nssdir=/etc/pki/pesign \
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
+ _pesign_nssdir=/etc/pki/pesign-rh-test \
+ fi \
if [ -x %{_pesign} ] && \\\
[ "%{_target_cpu}" == "x86_64" -o \\\
"%{_target_cpu}" == "aarch64" ]; then \
@@ -39,9 +43,10 @@
elif [ -S /var/run/pesign/socket ]; then \
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
-c "/CN=Fedora Secure Boot Signer" \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+ --certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
else \
--
2.5.0
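Review bot: The literal `"Red Hat Test Certificate"` now appears twice in macros.pesign, in the `%__pesign_cert` default and in the new `[ %{__pesign_cert} = "Red Hat Test Certificate" ]` test that selects `_pesign_nssdir`; a rename in one place silently turns the other into a comparison that never matches, and the build would then look for the test certificate in the production `/etc/pki/pesign` database. Defining the name once in its own macro and referencing it at both sites keeps the two in step. A comment above the test, such as `# the test cert lives in its own NSS db under /etc/pki/pesign-rh-test; everything else uses /etc/pki/pesign`, would make the purpose of the directory switch explicit. The `src/Makefile` hunk installs `/etc/pki/pesign-rh-test/` with mode 700, which the spec's `%files` in this compare re-sets to 0775 for the RPM, but a plain `make install` is left with a directory the pesign users cannot enter. The `%pesign` macro body continues outside the hunk.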


@ -2,17 +2,19 @@
Summary: Signing utility for UEFI binaries Summary: Signing utility for UEFI binaries
Name: pesign Name: pesign
Version: 0.110 Version: 0.111
Release: 3%{?dist} Release: 7%{?dist}
Group: Development/System Group: Development/System
License: GPLv2 License: GPLv2
URL: https://github.com/vathpela/pesign URL: https://github.com/vathpela/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: git nspr nss nss-util popt-devel BuildRequires: git nspr nss nss-util popt-devel
BuildRequires: coolkey opensc nss-tools BuildRequires: coolkey opensc nss-tools
BuildRequires: nspr-devel >= 4.9.2-1 BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1 BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 0.14-1 BuildRequires: efivar-devel >= 0.14-1
BuildRequires: libuuid-devel BuildRequires: libuuid-devel
BuildRequires: tar xz
Requires: nspr nss nss-util popt rpm coolkey opensc Requires: nspr nss nss-util popt rpm coolkey opensc
Requires(pre): shadow-utils Requires(pre): shadow-utils
ExclusiveArch: i686 x86_64 ia64 aarch64 ExclusiveArch: i686 x86_64 ia64 aarch64
@ -21,16 +23,21 @@ BuildRequires: rh-signing-tools >= 1.20-2
%endif %endif
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: rh-test-certs.tar.bz2 Source1: certs.tar.xz
Patch0001: 0001-Make-make-install_systemd-and-make-install_sysvinit-.patch Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
Patch0002: 0002-Install-authvar-and-efisiglist.patch Patch10001: 0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch
Patch10002: 0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
Patch10003: 0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
Patch10004: 0004-setfacl-the-db-as-well.patch
Patch10005: 0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch
%description %description
This package contains the pesign utility for signing UEFI binaries as This package contains the pesign utility for signing UEFI binaries as
well as other associated tools. well as other associated tools.
%prep %prep
%setup -q -a 1 %setup -q -a 0
%setup -a 1 -D -c -n pesign-%{version}/
git init git init
git config user.email "pesign-owner@fedoraproject.org" git config user.email "pesign-owner@fedoraproject.org"
git config user.name "Fedora Ninjas" git config user.name "Fedora Ninjas"
@ -56,12 +63,10 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
# there's some stuff that's not really meant to be shipped yet # there's some stuff that's not really meant to be shipped yet
rm -rf %{buildroot}/boot %{buildroot}/usr/include rm -rf %{buildroot}/boot %{buildroot}/usr/include
rm -rf %{buildroot}%{_libdir}/libdpe* rm -rf %{buildroot}%{_libdir}/libdpe*
mv rh-test-certs/etc/pki/pesign/* %{buildroot}/etc/pki/pesign/ mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
#modutil -force -dbdir %{buildroot}/etc/pki/pesign -add coolkey \ cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
# -libfile %{_libdir}/pkcs11/libcoolkeypk11.so cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
modutil -force -dbdir %{buildroot}/etc/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so
if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
mkdir -p %{buildroot}%{macrosdir} mkdir -p %{buildroot}%{macrosdir}
@ -69,6 +74,7 @@ if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
%{buildroot}%{macrosdir} %{buildroot}%{macrosdir}
rmdir %{buildroot}%{_sysconfdir}/rpm rmdir %{buildroot}%{_sysconfdir}/rpm
fi fi
rm -f %{buildroot}/usr/usr/share/doc/pesign-0.111/COPYING
%pre %pre
getent group pesign >/dev/null || groupadd -r pesign getent group pesign >/dev/null || groupadd -r pesign
@ -80,37 +86,89 @@ exit 0
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%post %post
%systemd_post pesign.service %systemd_post pesign.service
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
#modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \
# -libfile %%{_libdir}/pkcs11/libcoolkeypk11.so
%preun %preun
%systemd_preun pesign.service %systemd_preun pesign.service
%postun %postun
%systemd_postun_with_restart pesign.service %systemd_postun_with_restart pesign.service
%else
%post
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
%endif %endif
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc README TODO COPYING %{!?_licensedir:%global license %%doc}
%license COPYING
%doc README TODO
%{_bindir}/authvar %{_bindir}/authvar
%{_bindir}/efikeygen %{_bindir}/efikeygen
%{_bindir}/efisiglist %{_bindir}/efisiglist
%{_bindir}/pesigcheck %{_bindir}/pesigcheck
%{_bindir}/pesign %{_bindir}/pesign
%{_bindir}/pesign-client %{_bindir}/pesign-client
%dir %{_libexecdir}/pesign/
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
%attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
%{_libexecdir}/pesign/pesign-authorize-users
%{_libexecdir}/pesign/pesign-authorize-groups
%config(noreplace)/%{_sysconfdir}/pesign/users
%config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt %{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign %{macrosdir}/macros.pesign
%{_mandir}/man*/* %{_mandir}/man*/*
%dir %attr(0775,pesign,pesign) /etc/pki/pesign %dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign
%attr(0664,pesign,pesign) /etc/pki/pesign/* %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name} %dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%{_prefix}/lib/tmpfiles.d/pesign.conf %{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service %{_unitdir}/pesign.service
%endif %endif
%changelog %changelog
* Thu Dec 10 2015 Peter Jones <pjones@redhat.com> - 0.111-7
- Obsolete pesign-rh-test-certs, it was in -1's update.
Resolves: rhbz#1283475
* Wed Dec 02 2015 Peter Jones <pjones@redhat.com> - 0.111-6
- *Don't* use --certdir if we're using the socket.
Related: rhbz#1283475
Related: rhbz#1284063
Related: rhbz#1284561
* Tue Dec 01 2015 Peter Jones <pjones@redhat.com> - 0.111-5
- Actually do a better job of choosing which cert to use when, so people will
stop seeing any of this problem. (Thanks for the thought, jforbes.)
Resolves: rhbz#1283475
Resolves: rhbz#1284063
Resolves: rhbz#1284561
* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
- setfacl even harder.
Related: rhbz#1283475
Related: rhbz#1284063
Related: rhbz#1284561
* Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3
- Better ACL setting code.
Related: rhbz#1283475
* Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
- Allow the mockbuild user to read the nss database if the account exists.
* Wed Oct 28 2015 Peter Jones <pjones@redhat.com> - 0.111-1
- Rebase to 0.111
- Split test certs out into a "Recommends" subpackage.
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.110-3 * Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.110-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
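Review bot: `%files` now lists `%{_sysconfdir}/pki/pesign/` and `%{_sysconfdir}/pki/pesign/*` twice, once in the new block after `%dir %{_libexecdir}/pesign/` and again in the rewritten `%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign` pair further down; rpmbuild accepts this with a "File listed twice" warning, but one of the pairs should go. The changelog also carries two `0.111-5` entries (Dec 01 and Nov 30) while no `-4` exists, which rpmlint flags as incoherent-version-in-changelog; the Nov 30 entry is presumably `0.111-4`. `rm -f %{buildroot}/usr/usr/share/doc/pesign-0.111/COPYING` hard-codes the version; `pesign-%{version}` keeps it from silently becoming a no-op on the next rebase. The `modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc` invocation is now repeated in both branches of the `%if`; placing it once, outside the conditional, avoids the copy.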


@ -1,2 +1,2 @@
328db7cb27847cb610b7cf8f9c470455 rh-test-certs.tar.bz2 b2c6b74c2475a1442634d1386d888c24 pesign-0.111.tar.bz2
a136d0b4fcbcb96b08e743368c31f83c pesign-0.110.tar.bz2 e377e0bc924287ee09356a239c5f51a8 certs.tar.xz