rpms/pesign
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

merge into: rpms:master
Branches Tags
rpms:master
rpms:f38-riscv64
rpms:f37-riscv64
rpms:f36
rpms:f37
rpms:main
rpms:rawhide
rpms:f35
rpms:f33
rpms:master-riscv64
rpms:f29
rpms:f30
rpms:f28
rpms:f25
rpms:f27
rpms:f26
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:el6
rpms:f19
rpms:f18
...
pull from: rpms:f24
Branches Tags
rpms:f38-riscv64
rpms:f37-riscv64
rpms:f36
rpms:f37
rpms:main
rpms:rawhide
rpms:f35
rpms:f33
rpms:master-riscv64
rpms:f29
rpms:f30
rpms:master
rpms:f28
rpms:f25
rpms:f27
rpms:f26
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:el6
rpms:f19
rpms:f18

4 Commits
master ... f24

Author SHA1 Message Date
Peter Jones
e0d1414ea1 Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy 
scripts.
  Related: rhbz#1349073

Signed-off-by: Peter Jones <pjones@redhat.com>
 2017-01-06 14:30:25 -05:00
Peter Jones
8bee723b19 Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy scripts. 
Related: rhbz#1349073

Signed-off-by: Peter Jones <pjones@redhat.com>
 2017-01-06 13:44:12 -05:00
Peter Jones
aaccfd9c53 Rebase to 0.112 from f25+ 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2016-09-28 14:49:57 -04:00
Peter Jones
3c8bdc13ed Rebuild for efivar-30-3 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2016-09-28 14:00:29 -04:00
10 changed files with 185 additions and 363 deletions
Show Stats Expand all files Collapse all files

71
0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
View File

@ -1,71 +0,0 @@
From ae2520e013caf4f5d0dae89623dc08925d6cd472 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 28 Oct 2015 15:58:07 -0400
Subject: [PATCH] Fix one more -Wsign-compare problem I missed.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/daemon.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/daemon.c b/src/daemon.c
index 02b7352..175c874 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -194,7 +194,7 @@ malformed:
return;
}
n -= sizeof(tn->size);
- if (n < tn->size)
+ if ((size_t)n < tn->size)
goto malformed;
n -= tn->size;
@@ -202,10 +202,10 @@ malformed:
goto malformed;
pesignd_string *tp = pesignd_string_next(tn);
- if (n < (long long)sizeof(tp->size))
+ if ((size_t)n < sizeof(tp->size))
goto malformed;
n -= sizeof(tp->size);
- if (n < tp->size)
+ if ((size_t)n < tp->size)
goto malformed;
n -= tp->size;
@@ -298,7 +298,7 @@ malformed:
return;
}
n -= sizeof(tn->size);
- if (n < tn->size)
+ if ((size_t)n < tn->size)
goto malformed;
n -= tn->size;
@@ -487,7 +487,7 @@ malformed:
}
n -= sizeof(tn->size);
- if (n < tn->size)
+ if ((size_t)n < tn->size)
goto malformed;
n -= tn->size;
@@ -497,11 +497,11 @@ malformed:
if (!ctx->cms->tokenname)
goto oom;
- if (n < (long long)sizeof(tn->size))
+ if ((size_t)n < sizeof(tn->size))
goto malformed;
pesignd_string *cn = pesignd_string_next(tn);
n -= sizeof(cn->size);
- if (n < cn->size)
+ if ((size_t)n < cn->size)
goto malformed;
ctx->cms->certname = PORT_ArenaStrdup(ctx->cms->arena,
--
2.5.0

72
0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch Normal file
View File

@ -0,0 +1,72 @@
From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 21 Apr 2016 10:47:34 -0400
Subject: [PATCH] cms: kill generate_integer(), it doesn't build on i686 and
it's unused.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/cms_common.c | 34 ----------------------------------
src/cms_common.h | 1 -
2 files changed, 35 deletions(-)
diff --git a/src/cms_common.c b/src/cms_common.c
index b19bc62..6a4e6a7 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
return 0;
}
-static SEC_ASN1Template IntegerTemplate[] = {
- {.kind = SEC_ASN1_INTEGER,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(long),
- },
- { 0 },
-};
-
-int
-generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
-{
- void *ret;
-
- uint32_t u32;
-
- SECItem input = {
- .data = (void *)&integer,
- .len = sizeof(integer),
- .type = siUnsignedInteger,
- };
-
- if (integer < 0x100000000) {
- u32 = integer & 0xffffffffUL;
- input.data = (void *)&u32;
- input.len = sizeof(u32);
- }
-
- ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
- if (ret == NULL)
- cmsreterr(-1, cms, "could not encode data");
- return 0;
-}
-
int
generate_time(cms_context *cms, SECItem *encoded, time_t when)
{
diff --git a/src/cms_common.h b/src/cms_common.h
index 7d77faf..c7d7268 100644
--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
SECOidTag tag);
extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
-extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
extern int generate_string(cms_context *cms, SECItem *der, char *str);
extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
extern int wrap_in_seq(cms_context *cms, SECItem *der,
--
2.5.5

63
0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch
View File

@ -1,63 +0,0 @@
From 6796e5f7b0ab1eb08f92887ae0427cf5a4120e0b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 8 Nov 2015 14:42:29 -0500
Subject: [PATCH 1/5] pesign: when nss fails to tell us -EPERM or -ENOENT,
figure it out.
This should make -EPERM problems much easier for the user to diagnose.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/pesign.c b/src/pesign.c
index 1d72657..09b6a2b 100644
--- a/src/pesign.c
+++ b/src/pesign.c
@@ -17,7 +17,9 @@
* Author(s): Peter Jones <pjones@redhat.com>
*/
+#include <err.h>
#include <fcntl.h>
+#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -576,14 +578,28 @@ main(int argc, char *argv[])
if (!daemon) {
SECStatus status;
- if (need_db)
+ if (need_db) {
status = NSS_Init(certdir);
- else
+ if (status != SECSuccess) {
+ char *globpattern = NULL;
+ rc = asprintf(&globpattern, "%s/cert*.db",
+ certdir);
+ if (rc > 0) {
+ glob_t globbuf;
+ memset(&globbuf, 0, sizeof(globbuf));
+ rc = glob(globpattern, GLOB_ERR, NULL,
+ &globbuf);
+ if (rc != 0) {
+ err(1, "Could not open NSS database (\"%s\")",
+ PORT_ErrorToString(PORT_GetError()));
+ }
+ }
+ }
+ } else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
- fprintf(stderr, "Could not initialize nss: %s\n",
+ errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
PORT_ErrorToString(PORT_GetError()));
- exit(1);
}
status = register_oids(ctxp->cms_ctx);
--
2.5.0

73
0002-Fix-command-line-parsing.patch Normal file
View File

@ -0,0 +1,73 @@
From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Thu, 9 Jun 2016 14:30:37 +0200
Subject: [PATCH 2/2] Fix command line parsing
The gettext translation domain should be passed as .arg, not .descrip,
otherwise popt won't process any of the command line options (it stops
looping over the struct poptOption array when an entry has unset
longName, shortName and arg).
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
src/client.c | 2 +-
src/efikeygen.c | 2 +-
src/efisiglist.c | 2 +-
src/pesigcheck.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/client.c b/src/client.c
index 028419f..575c873 100644
--- a/src/client.c
+++ b/src/client.c
@@ -555,7 +555,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "token",
.shortName = 't',
.argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
diff --git a/src/efikeygen.c b/src/efikeygen.c
index 6278849..8a515a5 100644
--- a/src/efikeygen.c
+++ b/src/efikeygen.c
@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
/* global nss-ish things */
{.longName = "dbdir",
.shortName = 'd',
diff --git a/src/efisiglist.c b/src/efisiglist.c
index cd3f1ae..40d6a93 100644
--- a/src/efisiglist.c
+++ b/src/efisiglist.c
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "infile",
.shortName = 'i',
.argInfo = POPT_ARG_STRING,
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
index 1328fe9..0d49c1a 100644
--- a/src/pesigcheck.c
+++ b/src/pesigcheck.c
@@ -214,7 +214,7 @@ main(int argc, char *argv[])
poptContext optCon;
struct poptOption options[] = {
{.argInfo = POPT_ARG_INTL_DOMAIN,
- .descrip = "pesign" },
+ .arg = "pesign" },
{.longName = "dbfile",
.shortName = 'D',
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
--
2.9.2

39
0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
View File

@ -1,39 +0,0 @@
From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 19 Nov 2015 11:36:59 -0500
Subject: [PATCH 2/5] setfacl the nss DBs to our authorized users, not just the
socket.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 2 ++
src/pesign-authorize-users | 2 ++
2 files changed, 4 insertions(+)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index e3864ce..2236bea 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
for group in $(cat /etc/pesign/groups); do
setfacl -m g:${group}:rx /var/run/pesign
setfacl -m g:${group}:rw /var/run/pesign/socket
+ setfacl -m g:${username}:rx /etc/pki/pesign
+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index e500204..9c38a25 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
setfacl -m u:${username}:rx /var/run/pesign
setfacl -m u:${username}:rw /var/run/pesign/socket
+ setfacl -m u:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
done
fi
--
2.5.0

54
0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
View File

@ -1,54 +0,0 @@
From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:19:49 -0500
Subject: [PATCH 3/5] Don't setfacl when the socket or dir aren't there.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 10 ++++++----
src/pesign-authorize-users | 10 ++++++----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 2236bea..2222809 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -11,9 +11,11 @@
if [[ -r /etc/pesign/groups ]]; then
for group in $(cat /etc/pesign/groups); do
- setfacl -m g:${group}:rx /var/run/pesign
- setfacl -m g:${group}:rw /var/run/pesign/socket
- setfacl -m g:${username}:rx /etc/pki/pesign
- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${group}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 9c38a25..22bddec 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -11,9 +11,11 @@
if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
- setfacl -m u:${username}:rx /var/run/pesign
- setfacl -m u:${username}:rw /var/run/pesign/socket
- setfacl -m u:${username}:rx /etc/pki/pesign
- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${username}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${username}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
--
2.5.0

51
0004-setfacl-the-db-as-well.patch
View File

@ -1,51 +0,0 @@
From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:21:39 -0500
Subject: [PATCH 4/5] setfacl the db as well
And also get all our "-m [ug]:${name}:$perm" arguments right.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 4 ++++
src/pesign-authorize-users | 8 ++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 2222809..13aefa6 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m g:${group}:rx /etc/pki/pesign
+ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 22bddec..a43ce44 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -12,10 +12,14 @@
if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
+ setfacl -m u:${username}:rx /var/run/pesign
if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
+ setfacl -m u:${username}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m u:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
--
2.5.0

61
0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch
View File

@ -1,61 +0,0 @@
From bfa02b50f9bbb60c3b04f159864aa4a87b0020e2 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 30 Nov 2015 15:34:35 -0500
Subject: [PATCH 5/5] Do a better job of isolating pesign-rh-test-crap
---
src/Makefile | 1 +
src/macros.pesign | 10 ++++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index af3fd07..1822d3f 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -65,6 +65,7 @@ install_sysvinit: pesign.sysvinit
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
+ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
diff --git a/src/macros.pesign b/src/macros.pesign
index 39374ce..9644940 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -7,7 +7,7 @@
# And magically get the right thing.
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -21,6 +21,10 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
+ _pesign_nssdir=/etc/pki/pesign \
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
+ _pesign_nssdir=/etc/pki/pesign-rh-test \
+ fi \
if [ -x %{_pesign} ] && \\\
[ "%{_target_cpu}" == "x86_64" -o \\\
"%{_target_cpu}" == "aarch64" ]; then \
@@ -39,9 +43,10 @@
elif [ -S /var/run/pesign/socket ]; then \
%{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
-c "/CN=Fedora Secure Boot Signer" \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
+ --certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
else \
--
2.5.0

62
pesign.spec
View File

@ -2,42 +2,42 @@
Summary: Signing utility for UEFI binaries
Name: pesign
Version: 0.111
Release: 8%{?dist}
Version: 0.112
Release: 5%{?dist}
Group: Development/System
License: GPLv2
URL: https://github.com/vathpela/pesign
Obsoletes: pesign-rh-test-certs <= 0.111-7
BuildRequires: git nspr nss nss-util popt-devel
BuildRequires: coolkey opensc nss-tools
BuildRequires: nss-tools
BuildRequires: nspr-devel >= 4.9.2-1
BuildRequires: nss-devel >= 3.13.6-1
BuildRequires: efivar-devel >= 0.14-1
BuildRequires: efivar-devel >= 26-1
BuildRequires: libuuid-devel
BuildRequires: tar xz
Requires: nspr nss nss-util popt rpm coolkey opensc
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
BuildRequires: systemd
%endif
Requires: nspr nss nss-util popt rpm
Requires(pre): shadow-utils
ExclusiveArch: i686 x86_64 ia64 aarch64
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 arm
%if 0%{?rhel} >= 7
BuildRequires: rh-signing-tools >= 1.20-2
%endif
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz
Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
Patch10001: 0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch
Patch10002: 0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
Patch10003: 0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
Patch10004: 0004-setfacl-the-db-as-well.patch
Patch10005: 0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch
Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
Patch0002: 0002-Fix-command-line-parsing.patch
%description
This package contains the pesign utility for signing UEFI binaries as
well as other associated tools.
%prep
%setup -q -a 0
%setup -a 1 -D -c -n pesign-%{version}/
%setup -q -T -b 0
%setup -q -T -D -c -n pesign-%{version}/ -a 1
git init
git config user.email "pesign-owner@fedoraproject.org"
git config user.name "Fedora Ninjas"
@ -74,7 +74,10 @@ if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
%{buildroot}%{macrosdir}
rmdir %{buildroot}%{_sysconfdir}/rpm
fi
rm -f %{buildroot}/usr/usr/share/doc/pesign-0.111/COPYING
rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
# and find-debuginfo.sh has some pretty awful deficencies too...
cp -av libdpe/*.[ch] src/
%pre
getent group pesign >/dev/null || groupadd -r pesign
@ -86,19 +89,12 @@ exit 0
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%post
%systemd_post pesign.service
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
#modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \
# -libfile %%{_libdir}/pkcs11/libcoolkeypk11.so
%preun
%systemd_preun pesign.service
%postun
%systemd_postun_with_restart pesign.service
%else
%post
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
%endif
%files
@ -135,6 +131,26 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%endif
%changelog
* Fri Jan 06 2017 Peter Jones <pjones@redhat.com> - 0.112-5
- Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy
scripts.
Related: rhbz#1349073
* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.112-4
- Build as -4 to make bodhi happy.
* Fri Aug 12 2016 Adam Williamson <awilliam@redhat.com> - 0.112-3
- backport fix for command line parsing from upstream master
* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.112-2
- Build with newer efivar.
* Wed Apr 20 2016 Peter Jones <pjones@redhat.com> - 0.112-1
- Update to 0.112
- Also fix up some spec file woes:
- dumb things in %%setup
- find-debuginfo.sh not working right for some source files...
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.111-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

2
sources
View File

@ -1,2 +1,2 @@
b2c6b74c2475a1442634d1386d888c24 pesign-0.111.tar.bz2
e377e0bc924287ee09356a239c5f51a8 certs.tar.xz
eae1d66e160be744ff310ad7592ae31e pesign-0.112.tar.bz2