Compare commits
4 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
e0d1414ea1 | ||
|
8bee723b19 | ||
|
aaccfd9c53 | ||
|
3c8bdc13ed |
@ -1,71 +0,0 @@
|
||||
From ae2520e013caf4f5d0dae89623dc08925d6cd472 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Wed, 28 Oct 2015 15:58:07 -0400
|
||||
Subject: [PATCH] Fix one more -Wsign-compare problem I missed.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/daemon.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/daemon.c b/src/daemon.c
|
||||
index 02b7352..175c874 100644
|
||||
--- a/src/daemon.c
|
||||
+++ b/src/daemon.c
|
||||
@@ -194,7 +194,7 @@ malformed:
|
||||
return;
|
||||
}
|
||||
n -= sizeof(tn->size);
|
||||
- if (n < tn->size)
|
||||
+ if ((size_t)n < tn->size)
|
||||
goto malformed;
|
||||
n -= tn->size;
|
||||
|
||||
@@ -202,10 +202,10 @@ malformed:
|
||||
goto malformed;
|
||||
|
||||
pesignd_string *tp = pesignd_string_next(tn);
|
||||
- if (n < (long long)sizeof(tp->size))
|
||||
+ if ((size_t)n < sizeof(tp->size))
|
||||
goto malformed;
|
||||
n -= sizeof(tp->size);
|
||||
- if (n < tp->size)
|
||||
+ if ((size_t)n < tp->size)
|
||||
goto malformed;
|
||||
n -= tp->size;
|
||||
|
||||
@@ -298,7 +298,7 @@ malformed:
|
||||
return;
|
||||
}
|
||||
n -= sizeof(tn->size);
|
||||
- if (n < tn->size)
|
||||
+ if ((size_t)n < tn->size)
|
||||
goto malformed;
|
||||
n -= tn->size;
|
||||
|
||||
@@ -487,7 +487,7 @@ malformed:
|
||||
}
|
||||
|
||||
n -= sizeof(tn->size);
|
||||
- if (n < tn->size)
|
||||
+ if ((size_t)n < tn->size)
|
||||
goto malformed;
|
||||
n -= tn->size;
|
||||
|
||||
@@ -497,11 +497,11 @@ malformed:
|
||||
if (!ctx->cms->tokenname)
|
||||
goto oom;
|
||||
|
||||
- if (n < (long long)sizeof(tn->size))
|
||||
+ if ((size_t)n < sizeof(tn->size))
|
||||
goto malformed;
|
||||
pesignd_string *cn = pesignd_string_next(tn);
|
||||
n -= sizeof(cn->size);
|
||||
- if (n < cn->size)
|
||||
+ if ((size_t)n < cn->size)
|
||||
goto malformed;
|
||||
|
||||
ctx->cms->certname = PORT_ArenaStrdup(ctx->cms->arena,
|
||||
--
|
||||
2.5.0
|
||||
|
@ -0,0 +1,72 @@
|
||||
From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 21 Apr 2016 10:47:34 -0400
|
||||
Subject: [PATCH] cms: kill generate_integer(), it doesn't build on i686 and
|
||||
it's unused.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/cms_common.c | 34 ----------------------------------
|
||||
src/cms_common.h | 1 -
|
||||
2 files changed, 35 deletions(-)
|
||||
|
||||
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||
index b19bc62..6a4e6a7 100644
|
||||
--- a/src/cms_common.c
|
||||
+++ b/src/cms_common.c
|
||||
@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static SEC_ASN1Template IntegerTemplate[] = {
|
||||
- {.kind = SEC_ASN1_INTEGER,
|
||||
- .offset = 0,
|
||||
- .sub = NULL,
|
||||
- .size = sizeof(long),
|
||||
- },
|
||||
- { 0 },
|
||||
-};
|
||||
-
|
||||
-int
|
||||
-generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
|
||||
-{
|
||||
- void *ret;
|
||||
-
|
||||
- uint32_t u32;
|
||||
-
|
||||
- SECItem input = {
|
||||
- .data = (void *)&integer,
|
||||
- .len = sizeof(integer),
|
||||
- .type = siUnsignedInteger,
|
||||
- };
|
||||
-
|
||||
- if (integer < 0x100000000) {
|
||||
- u32 = integer & 0xffffffffUL;
|
||||
- input.data = (void *)&u32;
|
||||
- input.len = sizeof(u32);
|
||||
- }
|
||||
-
|
||||
- ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
|
||||
- if (ret == NULL)
|
||||
- cmsreterr(-1, cms, "could not encode data");
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
int
|
||||
generate_time(cms_context *cms, SECItem *encoded, time_t when)
|
||||
{
|
||||
diff --git a/src/cms_common.h b/src/cms_common.h
|
||||
index 7d77faf..c7d7268 100644
|
||||
--- a/src/cms_common.h
|
||||
+++ b/src/cms_common.h
|
||||
@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
|
||||
SECOidTag tag);
|
||||
extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
|
||||
extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
|
||||
-extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
|
||||
extern int generate_string(cms_context *cms, SECItem *der, char *str);
|
||||
extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
|
||||
extern int wrap_in_seq(cms_context *cms, SECItem *der,
|
||||
--
|
||||
2.5.5
|
||||
|
@ -1,63 +0,0 @@
|
||||
From 6796e5f7b0ab1eb08f92887ae0427cf5a4120e0b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Sun, 8 Nov 2015 14:42:29 -0500
|
||||
Subject: [PATCH 1/5] pesign: when nss fails to tell us -EPERM or -ENOENT,
|
||||
figure it out.
|
||||
|
||||
This should make -EPERM problems much easier for the user to diagnose.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign.c | 24 ++++++++++++++++++++----
|
||||
1 file changed, 20 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/pesign.c b/src/pesign.c
|
||||
index 1d72657..09b6a2b 100644
|
||||
--- a/src/pesign.c
|
||||
+++ b/src/pesign.c
|
||||
@@ -17,7 +17,9 @@
|
||||
* Author(s): Peter Jones <pjones@redhat.com>
|
||||
*/
|
||||
|
||||
+#include <err.h>
|
||||
#include <fcntl.h>
|
||||
+#include <glob.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@@ -576,14 +578,28 @@ main(int argc, char *argv[])
|
||||
|
||||
if (!daemon) {
|
||||
SECStatus status;
|
||||
- if (need_db)
|
||||
+ if (need_db) {
|
||||
status = NSS_Init(certdir);
|
||||
- else
|
||||
+ if (status != SECSuccess) {
|
||||
+ char *globpattern = NULL;
|
||||
+ rc = asprintf(&globpattern, "%s/cert*.db",
|
||||
+ certdir);
|
||||
+ if (rc > 0) {
|
||||
+ glob_t globbuf;
|
||||
+ memset(&globbuf, 0, sizeof(globbuf));
|
||||
+ rc = glob(globpattern, GLOB_ERR, NULL,
|
||||
+ &globbuf);
|
||||
+ if (rc != 0) {
|
||||
+ err(1, "Could not open NSS database (\"%s\")",
|
||||
+ PORT_ErrorToString(PORT_GetError()));
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ } else
|
||||
status = NSS_NoDB_Init(NULL);
|
||||
if (status != SECSuccess) {
|
||||
- fprintf(stderr, "Could not initialize nss: %s\n",
|
||||
+ errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
|
||||
PORT_ErrorToString(PORT_GetError()));
|
||||
- exit(1);
|
||||
}
|
||||
|
||||
status = register_oids(ctxp->cms_ctx);
|
||||
--
|
||||
2.5.0
|
||||
|
73
0002-Fix-command-line-parsing.patch
@ -0,0 +1,73 @@
|
||||
From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Cristau <jcristau@debian.org>
|
||||
Date: Thu, 9 Jun 2016 14:30:37 +0200
|
||||
Subject: [PATCH 2/2] Fix command line parsing
|
||||
|
||||
The gettext translation domain should be passed as .arg, not .descrip,
|
||||
otherwise popt won't process any of the command line options (it stops
|
||||
looping over the struct poptOption array when an entry has unset
|
||||
longName, shortName and arg).
|
||||
|
||||
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
||||
---
|
||||
src/client.c | 2 +-
|
||||
src/efikeygen.c | 2 +-
|
||||
src/efisiglist.c | 2 +-
|
||||
src/pesigcheck.c | 2 +-
|
||||
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/client.c b/src/client.c
|
||||
index 028419f..575c873 100644
|
||||
--- a/src/client.c
|
||||
+++ b/src/client.c
|
||||
@@ -555,7 +555,7 @@ main(int argc, char *argv[])
|
||||
|
||||
struct poptOption options[] = {
|
||||
{.argInfo = POPT_ARG_INTL_DOMAIN,
|
||||
- .descrip = "pesign" },
|
||||
+ .arg = "pesign" },
|
||||
{.longName = "token",
|
||||
.shortName = 't',
|
||||
.argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
|
||||
diff --git a/src/efikeygen.c b/src/efikeygen.c
|
||||
index 6278849..8a515a5 100644
|
||||
--- a/src/efikeygen.c
|
||||
+++ b/src/efikeygen.c
|
||||
@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
|
||||
poptContext optCon;
|
||||
struct poptOption options[] = {
|
||||
{.argInfo = POPT_ARG_INTL_DOMAIN,
|
||||
- .descrip = "pesign" },
|
||||
+ .arg = "pesign" },
|
||||
/* global nss-ish things */
|
||||
{.longName = "dbdir",
|
||||
.shortName = 'd',
|
||||
diff --git a/src/efisiglist.c b/src/efisiglist.c
|
||||
index cd3f1ae..40d6a93 100644
|
||||
--- a/src/efisiglist.c
|
||||
+++ b/src/efisiglist.c
|
||||
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
|
||||
|
||||
struct poptOption options[] = {
|
||||
{.argInfo = POPT_ARG_INTL_DOMAIN,
|
||||
- .descrip = "pesign" },
|
||||
+ .arg = "pesign" },
|
||||
{.longName = "infile",
|
||||
.shortName = 'i',
|
||||
.argInfo = POPT_ARG_STRING,
|
||||
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
|
||||
index 1328fe9..0d49c1a 100644
|
||||
--- a/src/pesigcheck.c
|
||||
+++ b/src/pesigcheck.c
|
||||
@@ -214,7 +214,7 @@ main(int argc, char *argv[])
|
||||
poptContext optCon;
|
||||
struct poptOption options[] = {
|
||||
{.argInfo = POPT_ARG_INTL_DOMAIN,
|
||||
- .descrip = "pesign" },
|
||||
+ .arg = "pesign" },
|
||||
{.longName = "dbfile",
|
||||
.shortName = 'D',
|
||||
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
|
||||
--
|
||||
2.9.2
|
||||
|
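Review bot: The four `POPT_ARG_INTL_DOMAIN` entries (src/client.c, src/efikeygen.c, src/efisiglist.c, src/pesigcheck.c) carry no comment explaining why the translation domain has to sit in `.arg`, so the mistake is easy to reintroduce the next time an option table is copied. Per the patch description, popt stops walking the `struct poptOption` array at an entry whose longName, shortName and arg are all unset, so every option after it was dropped; for a verification tool such as pesigcheck that presumably meant options went unprocessed without any diagnostic. I would put `/* must be .arg: popt treats an entry with no longName, shortName or arg as the end of the table */` above each entry, and add a smoke test that runs each binary with one known option and checks it is honoured. Each `options[]` initializer continues outside its hunk.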
@ -1,39 +0,0 @@
|
||||
From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 19 Nov 2015 11:36:59 -0500
|
||||
Subject: [PATCH 2/5] setfacl the nss DBs to our authorized users, not just the
|
||||
socket.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize-groups | 2 ++
|
||||
src/pesign-authorize-users | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||
index e3864ce..2236bea 100644
|
||||
--- a/src/pesign-authorize-groups
|
||||
+++ b/src/pesign-authorize-groups
|
||||
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
|
||||
for group in $(cat /etc/pesign/groups); do
|
||||
setfacl -m g:${group}:rx /var/run/pesign
|
||||
setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
+ setfacl -m g:${username}:rx /etc/pki/pesign
|
||||
+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||
index e500204..9c38a25 100644
|
||||
--- a/src/pesign-authorize-users
|
||||
+++ b/src/pesign-authorize-users
|
||||
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
|
||||
for username in $(cat /etc/pesign/users); do
|
||||
setfacl -m u:${username}:rx /var/run/pesign
|
||||
setfacl -m u:${username}:rw /var/run/pesign/socket
|
||||
+ setfacl -m u:${username}:rx /etc/pki/pesign
|
||||
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
done
|
||||
fi
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,54 +0,0 @@
|
||||
From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 20 Nov 2015 19:19:49 -0500
|
||||
Subject: [PATCH 3/5] Don't setfacl when the socket or dir aren't there.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize-groups | 10 ++++++----
|
||||
src/pesign-authorize-users | 10 ++++++----
|
||||
2 files changed, 12 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||
index 2236bea..2222809 100644
|
||||
--- a/src/pesign-authorize-groups
|
||||
+++ b/src/pesign-authorize-groups
|
||||
@@ -11,9 +11,11 @@
|
||||
|
||||
if [[ -r /etc/pesign/groups ]]; then
|
||||
for group in $(cat /etc/pesign/groups); do
|
||||
- setfacl -m g:${group}:rx /var/run/pesign
|
||||
- setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
- setfacl -m g:${username}:rx /etc/pki/pesign
|
||||
- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ if [ -d /var/run/pesign ]; then
|
||||
+ setfacl -m g:${group}:rx /var/run/pesign
|
||||
+ if [ -e /var/run/pesign/socket ]; then
|
||||
+ setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
+ fi
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||
index 9c38a25..22bddec 100644
|
||||
--- a/src/pesign-authorize-users
|
||||
+++ b/src/pesign-authorize-users
|
||||
@@ -11,9 +11,11 @@
|
||||
|
||||
if [[ -r /etc/pesign/users ]]; then
|
||||
for username in $(cat /etc/pesign/users); do
|
||||
- setfacl -m u:${username}:rx /var/run/pesign
|
||||
- setfacl -m u:${username}:rw /var/run/pesign/socket
|
||||
- setfacl -m u:${username}:rx /etc/pki/pesign
|
||||
- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ if [ -d /var/run/pesign ]; then
|
||||
+ setfacl -m g:${username}:rx /var/run/pesign
|
||||
+ if [ -e /var/run/pesign/socket ]; then
|
||||
+ setfacl -m g:${username}:rw /var/run/pesign/socket
|
||||
+ fi
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,51 +0,0 @@
|
||||
From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 20 Nov 2015 19:21:39 -0500
|
||||
Subject: [PATCH 4/5] setfacl the db as well
|
||||
|
||||
And also get all our "-m [ug]:${name}:$perm" arguments right.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize-groups | 4 ++++
|
||||
src/pesign-authorize-users | 8 ++++++--
|
||||
2 files changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||
index 2222809..13aefa6 100644
|
||||
--- a/src/pesign-authorize-groups
|
||||
+++ b/src/pesign-authorize-groups
|
||||
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
|
||||
setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
fi
|
||||
fi
|
||||
+ if [ -d /etc/pki/pesign ]; then
|
||||
+ setfacl -m g:${group}:rx /etc/pki/pesign
|
||||
+ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||
index 22bddec..a43ce44 100644
|
||||
--- a/src/pesign-authorize-users
|
||||
+++ b/src/pesign-authorize-users
|
||||
@@ -12,10 +12,14 @@
|
||||
if [[ -r /etc/pesign/users ]]; then
|
||||
for username in $(cat /etc/pesign/users); do
|
||||
if [ -d /var/run/pesign ]; then
|
||||
- setfacl -m g:${username}:rx /var/run/pesign
|
||||
+ setfacl -m u:${username}:rx /var/run/pesign
|
||||
if [ -e /var/run/pesign/socket ]; then
|
||||
- setfacl -m g:${username}:rw /var/run/pesign/socket
|
||||
+ setfacl -m u:${username}:rw /var/run/pesign/socket
|
||||
fi
|
||||
fi
|
||||
+ if [ -d /etc/pki/pesign ]; then
|
||||
+ setfacl -m u:${username}:rx /etc/pki/pesign
|
||||
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
--
|
||||
2.5.0
|
||||
|
@ -1,61 +0,0 @@
|
||||
From bfa02b50f9bbb60c3b04f159864aa4a87b0020e2 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 30 Nov 2015 15:34:35 -0500
|
||||
Subject: [PATCH 5/5] Do a better job of isolating pesign-rh-test-crap
|
||||
|
||||
---
|
||||
src/Makefile | 1 +
|
||||
src/macros.pesign | 10 ++++++++--
|
||||
2 files changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/Makefile b/src/Makefile
|
||||
index af3fd07..1822d3f 100644
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -65,6 +65,7 @@ install_sysvinit: pesign.sysvinit
|
||||
|
||||
install :
|
||||
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
||||
+ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
||||
$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
|
||||
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 39374ce..9644940 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -7,7 +7,7 @@
|
||||
# And magically get the right thing.
|
||||
|
||||
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
||||
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
|
||||
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||
|
||||
%_pesign /usr/bin/pesign
|
||||
%_pesign_client /usr/bin/pesign-client
|
||||
@@ -21,6 +21,10 @@
|
||||
# -a <input ca cert filename> # rhel only
|
||||
# -s # perform signing
|
||||
%pesign(i:o:C:e:c:n:a:s) \
|
||||
+ _pesign_nssdir=/etc/pki/pesign \
|
||||
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
|
||||
+ _pesign_nssdir=/etc/pki/pesign-rh-test \
|
||||
+ fi \
|
||||
if [ -x %{_pesign} ] && \\\
|
||||
[ "%{_target_cpu}" == "x86_64" -o \\\
|
||||
"%{_target_cpu}" == "aarch64" ]; then \
|
||||
@@ -39,9 +43,10 @@
|
||||
elif [ -S /var/run/pesign/socket ]; then \
|
||||
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||
-c "/CN=Fedora Secure Boot Signer" \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
else \
|
||||
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
||||
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
||||
+ --certdir ${_pesign_nssdir} \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
fi \
|
||||
else \
|
||||
--
|
||||
2.5.0
|
||||
|
62
pesign.spec
@ -2,42 +2,42 @@
|
||||
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Name: pesign
|
||||
Version: 0.111
|
||||
Release: 8%{?dist}
|
||||
Version: 0.112
|
||||
Release: 5%{?dist}
|
||||
Group: Development/System
|
||||
License: GPLv2
|
||||
URL: https://github.com/vathpela/pesign
|
||||
Obsoletes: pesign-rh-test-certs <= 0.111-7
|
||||
BuildRequires: git nspr nss nss-util popt-devel
|
||||
BuildRequires: coolkey opensc nss-tools
|
||||
BuildRequires: nss-tools
|
||||
BuildRequires: nspr-devel >= 4.9.2-1
|
||||
BuildRequires: nss-devel >= 3.13.6-1
|
||||
BuildRequires: efivar-devel >= 0.14-1
|
||||
BuildRequires: efivar-devel >= 26-1
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: tar xz
|
||||
Requires: nspr nss nss-util popt rpm coolkey opensc
|
||||
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||
BuildRequires: systemd
|
||||
%endif
|
||||
Requires: nspr nss nss-util popt rpm
|
||||
Requires(pre): shadow-utils
|
||||
ExclusiveArch: i686 x86_64 ia64 aarch64
|
||||
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 arm
|
||||
%if 0%{?rhel} >= 7
|
||||
BuildRequires: rh-signing-tools >= 1.20-2
|
||||
%endif
|
||||
|
||||
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
|
||||
Source1: certs.tar.xz
|
||||
Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
|
||||
Patch10001: 0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch
|
||||
Patch10002: 0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
|
||||
Patch10003: 0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
|
||||
Patch10004: 0004-setfacl-the-db-as-well.patch
|
||||
Patch10005: 0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch
|
||||
|
||||
Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
|
||||
Patch0002: 0002-Fix-command-line-parsing.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
well as other associated tools.
|
||||
|
||||
%prep
|
||||
%setup -q -a 0
|
||||
%setup -a 1 -D -c -n pesign-%{version}/
|
||||
%setup -q -T -b 0
|
||||
%setup -q -T -D -c -n pesign-%{version}/ -a 1
|
||||
git init
|
||||
git config user.email "pesign-owner@fedoraproject.org"
|
||||
git config user.name "Fedora Ninjas"
|
||||
@ -74,7 +74,10 @@ if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
|
||||
%{buildroot}%{macrosdir}
|
||||
rmdir %{buildroot}%{_sysconfdir}/rpm
|
||||
fi
|
||||
rm -f %{buildroot}/usr/usr/share/doc/pesign-0.111/COPYING
|
||||
rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
|
||||
|
||||
# and find-debuginfo.sh has some pretty awful deficencies too...
|
||||
cp -av libdpe/*.[ch] src/
|
||||
|
||||
%pre
|
||||
getent group pesign >/dev/null || groupadd -r pesign
|
||||
@ -86,19 +89,12 @@ exit 0
|
||||
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||
%post
|
||||
%systemd_post pesign.service
|
||||
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
||||
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
|
||||
#modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \
|
||||
# -libfile %%{_libdir}/pkcs11/libcoolkeypk11.so
|
||||
|
||||
%preun
|
||||
%systemd_preun pesign.service
|
||||
|
||||
%postun
|
||||
%systemd_postun_with_restart pesign.service
|
||||
%else
|
||||
%post
|
||||
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
||||
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
|
||||
%endif
|
||||
|
||||
%files
|
||||
@ -135,6 +131,26 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jan 06 2017 Peter Jones <pjones@redhat.com> - 0.112-5
|
||||
- Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy
|
||||
scripts.
|
||||
Related: rhbz#1349073
|
||||
|
||||
* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.112-4
|
||||
- Build as -4 to make bodhi happy.
|
||||
|
||||
* Fri Aug 12 2016 Adam Williamson <awilliam@redhat.com> - 0.112-3
|
||||
- backport fix for command line parsing from upstream master
|
||||
|
||||
* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.112-2
|
||||
- Build with newer efivar.
|
||||
|
||||
* Wed Apr 20 2016 Peter Jones <pjones@redhat.com> - 0.112-1
|
||||
- Update to 0.112
|
||||
- Also fix up some spec file woes:
|
||||
- dumb things in %%setup
|
||||
- find-debuginfo.sh not working right for some source files...
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.111-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
|
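Review bot: After `coolkey opensc` leaves `Requires:`/`BuildRequires:` and the `modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc` scriptlet lines go away (the `-86,19 +89,12` counts suggest they are removed, though the rendering does not mark sides), nothing in the spec itself says who registers the PKCS#11 module in the signing database. The reason is only in the changelog entry, so I would add a comment next to `Requires:` such as `# PKCS#11 modules (opensc, coolkey) are added to the NSS db by system deploy scripts, not by this package (rhbz#1349073)`. It is also worth confirming the upgrade path: a database that an earlier `%post` already modified presumably still lists the opensc module while the library is no longer pulled in as a dependency, and pesign should fail clearly rather than fall back silently if that module cannot be loaded.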