
From 22658f290fcf66213ca6237e37ae97bba39a8a0b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 6 Jul 2020 13:54:35 -0400
Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 1 +
src/macros.pesign | 73 +++++------------
src/pesign-rpmbuild-helper | 163 +++++++++++++++++++++++++++++++++++++
3 files changed, 184 insertions(+), 53 deletions(-)
create mode 100644 src/pesign-rpmbuild-helper
diff --git a/src/Makefile b/src/Makefile
index 74327ba13f3..c9e9cc6cd1b 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -94,6 +94,7 @@ install :
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
diff --git a/src/macros.pesign b/src/macros.pesign
index 5a6da1c6809..e3a0de9c2f4 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -6,10 +6,10 @@
# %pesign -s -i shim.orig -o shim.efi
# And magically get the right thing.
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
@@ -24,54 +24,21 @@
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
- _pesign_nssdir=/etc/pki/pesign \
- if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
- _pesign_nssdir=/etc/pki/pesign-rh-test \
- fi \
- if [ -x %{_pesign} ] && \\\
- [ "%{_target_cpu}" == "x86_64" -o \\\
- "%{_target_cpu}" == "aarch64" ]; then \
- if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
- nss=$(mktemp -p $PWD -d) \
- echo > ${nss}/pwfile \
- certutil -N -d ${nss} -f ${nss}/pwfile \
- certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
- certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
- sattrs=$(mktemp -p $PWD --suffix=.der) \
- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
- rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
- %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
- --certdir ${nss} -c signer %{-o} \
- rm -rf ${sattrs} ${sattrs}.sig ${nss} \
- elif [ "$(id -un)" == "kojibuilder" -a \\\
- grep -q ID=fedora /etc/os-release -a \\\
- ! -S /run/pesign/socket ]; then \
- echo "No socket even though this is kojibuilder" 1>&2 \
- ls -ld /run/pesign 1>&2 \
- ls -l /run/pesign/socket 1>&2 \
- getfacl /run/pesign 1>&2 \
- getfacl /run/pesign/socket 1>&2 \
- exit 1 \
- elif [ -S /run/pesign/socket ]; then \
- %{_pesign_client} -t %{__pesign_client_token} \\\
- -c %{__pesign_client_cert} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- else \
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
- --certdir ${_pesign_nssdir} \\\
- %{-i} %{-o} %{-e} %{-s} %{-C} \
- fi \
- else \
- if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
- mv %{-i*} %{-o*} \
- elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
- touch %{-e*} \
- fi \
- fi \
- if [ ! -s %{-o} ]; then \
- if [ -e "%{-o*}" ]; then \
- rm -f %{-o*} \
- fi \
- exit 1 \
- fi ;
-
+ %{_libexecdir}/pesign/pesign-rpmbuild-helper \\\
+ "%{_target_cpu}" \\\
+ "%{_pesign}" \\\
+ "%{_pesign_client}" \\\
+ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
+ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
+ %{?__pesign_token:%{__pesign_token}} \\\
+ %{?-n:--cert "\"%{-n*}\""}%{?!-n:--cert "\"%{__pesign_cert}\""} \\\
+ %{?_rhel:--rhelver "%{_rhel}"} \\\
+ %{?-a:--cafile "%{-a*}"} \\\
+ %{?-c:--certfile "%{-c*}"} \\\
+ %{?-C:--certout "%{-C*}"} \\\
+ %{?-e:--sattrout "%{-e*}"} \\\
+ %{?-i:--in "%{-i*}"} \\\
+ %{?-o:--out "%{-o*}"} \\\
+ %{?-s:--sign} \\\
+ ; \
+%{nil}
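Review bot: The RHEL branch is now keyed on `%{?_rhel:--rhelver "%{_rhel}"}`, while the removed body tested `"0%{?rhel}" -ge "7"`; unless `_rhel` is defined in the build environment, the helper's `rhelver` keeps its default of 0 and the rpm-sign path is never taken, so this likely wants `%{?rhel:--rhelver "%{rhel}"}`. The `--cert "\"%{__pesign_cert}\""` form also looks suspect: `%__pesign_cert` already expands to a double-quoted string (the `"Red Hat Test Certificate"` default above), so the shell appears to receive `"\""Red Hat Test Certificate"\""`, which splits into several words and would misalign the helper's two-arguments-per-option parser; in the `-n` case the value keeps literal quotes, which would defeat the helper's comparison against `Red Hat Test Certificate`. Passing `--cert "%{__pesign_cert}"` / `--cert "%{-n*}"` without the escaped quotes seems to be what was intended, worth confirming against an actual expansion.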
diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
new file mode 100644
index 00000000000..f3d66320bcc
--- /dev/null
+++ b/src/pesign-rpmbuild-helper
@@ -0,0 +1,164 @@
+#!/bin/sh
+
+set -eu
+set -x
+
+main() {
+ local target_cpu="${1}" && shift
+ local bin="${1}" && shift
+ local client="${1}" && shift
+
+ local cafile="" || :
+ local certfile="" || :
+
+ local certout=() || :
+ local sattrout=() || :
+ local input=() || :
+ local output=() || :
+ local client_token=() || :
+ local client_cert=() || :
+ local token=() || :
+ local cert=() || :
+ local rhelver=0 || :
+ local sign="" || :
+
+ local username="$(id -un)"
+
+ while [[ $# -ge 2 ]] ; do
+ case " ${1} " in
+ " --cafile ")
+ cafile="${2}"
+ ;;
+ " --certfile ")
+ certfile="${2}"
+ ;;
+ " --certout ")
+ certout[0]=-C
+ certout[1]="${2}"
+ ;;
+ " --sattrout ")
+ sattrout[0]=-e
+ sattrout[1]="${2}"
+ ;;
+ " --client-token ")
+ client_token[0]=-t
+ client_token[1]="${2}"
+ ;;
+ " --client-cert ")
+ client_cert[0]=-c
+ client_cert[1]="${2}"
+ ;;
+ " --token ")
+ token[0]=-t
+ token="${2}"
+ ;;
+ " --cert ")
+ cert[0]=-c
+ cert[1]="${2}"
+ ;;
+ " --certname ")
+ cert[0]=-c
+ cert[1]="${2}"
+ ;;
+ " --in ")
+ input[0]=-i
+ input[1]="${2}"
+ ;;
+ " --out ")
+ output[0]=-o
+ output[1]="${2}"
+ ;;
+ " --rhelver ")
+ rhelver="${2}"
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+ shift
+ done
+ if [ $# -ge 1 -a "${1}" = --sign ] ; then
+ sign=-s
+ shift
+ fi
+
+ local nssdir=/etc/pki/pesign
+ if [ "${#cert[@]}" -eq 2 ] &&
+ [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then
+ nssdir=/etc/pki/pesign-rh-test
+ fi
+
+ if [ -x "${bin}" ] &&
+ [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then
+ if [ -n "${input[*]}" -a -n "${output[*]}" ] ; then
+ mv -v "${input[1]}" "${output[1]}"
+ elif [ -n "${input[*]}" -a -n "${sattrout[*]}" ] ; then
+ touch "${sattrout[1]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [ ! -s "${output[1]}" ] ; then
+ if [ -e "${output[1]}" ] ; then
+ rm -f "${output[1]}"
+ fi
+ exit 1
+ fi
+ return 0
+ fi
+
+ local socket="" || :
+ if grep -q ID=fedora /etc/os-release && [ "${rhelver}" -lt 7 ] &&
+ [ "${username}" = "kojibuilder" -o "${username}" = "mockbuild" ] ; then
+ if [ -S /run/pesign/socket ] ; then
+ socket=/run/pesign/socket
+ elif [ -S /var/run/pesign/socket ]; then
+ socket=/var/run/pesign/socket
+ else
+ echo "Warning: no pesign socket even though user is ${username}" 1>&2
+ echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+ ls -ld /run/pesign 1>&2 ||:
+ ls -l /run/pesign/socket 1>&2 ||:
+ getfacl /run/pesign 1>&2 || :
+ getfacl /run/pesign/socket 1>&2 ||:
+ ls -ld /var/run/pesign 1>&2 ||:
+ ls -l /var/run/pesign/socket 1>&2 ||:
+ getfacl /var/run/pesign 1>&2 || :
+ getfacl /var/run/pesign/socket 1>&2 || :
+ fi
+ fi
+
+ if [ "${rhelver}" -ge 7 ] ; then
+ nssdir=$(mktemp -p $PWD -d)
+ echo > ${nssdir}/pwfile
+ certutil -N -d ${nssdir} -f ${nssdir}/pwfile
+ certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${cafile}" -d ${nssdir}
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
+ sattrs="$(mktemp -p $PWD --suffix=.der)"
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+ "${input[@]}" --force
+ rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}"
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+ --certdir "${nssdir}" -c signer \
+ "${input[@]}" "${output[@]}"
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+ elif [ -n "${socket}" ] ; then
+ "${client}" "${client_token[@]}" "${client_cert[@]}" \
+ "${sattrout[@]}" "${certout[@]}" \
+ ${sign} "${input[@]}" "${output[@]}"
+ else
+ "${bin}" --certdir "${nssdir}" "${token[@]}" \
+ "${cert[@]}" ${sign} "${sattrout[@]}" \
+ "${certout[@]}" "${input[@]}" "${output[@]}"
+ fi
+
+ # if there's a 0-sized output file, delete it and error out
+ if [ "${#output[@]}" -eq 2 ] && ! [ -s "${output[1]}" ] ; then
+ if [ -e "${output[1]}" ] ; then
+ rm -f "${output[1]}"
+ fi
+ exit 1
+ fi
+}
+
+main "${@}"
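Review bot: In the `--token` case, `token="${2}"` assigns a scalar, which overwrites element 0 of the array, so `"${token[@]}"` in the final pesign call expands to the token name alone without the `-t` flag; it should read `token[1]="${2}"` like the sibling cases. The script declares `#!/bin/sh` but relies on `local`, arrays and `[[ ]]`, which only works where sh is bash; `#!/bin/bash` would make that dependency explicit. The copy-instead-of-sign branch now requires `-x "${bin}"`, so a missing pesign binary on a non-x86_64/aarch64 target falls through to the signing calls rather than the copy path the old macro took; if that is unintended, `if ! [ -x "${bin}" ] || { [ "${target_cpu}" != "x86_64" ] && [ "${target_cpu}" != "aarch64" ]; } ; then` restores it. The certutil trust flags also changed from `CT,C,` / `,c,` to `CTu,CTu,CTu` for both the CA and signer entries, which grants broader trust than before; worth confirming that was deliberate rather than carried over by mistake.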
--
2.26.2