From 54dd12c2653dc3aecdd73b9ffb2a85d92e39d858 Mon Sep 17 00:00:00 2001
|
|
From: Peter Jones <pjones@redhat.com>
|
|
Date: Mon, 30 Nov 2015 15:34:35 -0500
|
|
Subject: [PATCH 4/4] Gripe about pesign-rh-test-certs not being installed
|
|
|
|
---
|
|
src/Makefile | 7 +++++--
|
|
src/macros.pesign | 10 ++++++++--
|
|
src/missing-stuff.txt | 11 +++++++++++
|
|
src/pesign-authorize.service.in | 8 ++++++++
|
|
4 files changed, 32 insertions(+), 4 deletions(-)
|
|
create mode 100644 src/missing-stuff.txt
|
|
create mode 100644 src/pesign-authorize.service.in
|
|
|
|
diff --git a/src/Makefile b/src/Makefile
|
|
index af3fd07..9e27ee6 100644
|
|
--- a/src/Makefile
|
|
+++ b/src/Makefile
|
|
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
|
|
include $(TOPDIR)/Make.defaults
|
|
|
|
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
|
|
-SVCTARGETS=pesign.sysvinit pesign.service
|
|
+SVCTARGETS=pesign.sysvinit pesign.service pesign-authorize.service
|
|
TARGETS=$(BINTARGETS) $(SVCTARGETS)
|
|
|
|
all : deps $(TARGETS)
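Review bot: No rule that generates `pesign-authorize.service` from the new `pesign-authorize.service.in` appears in this patch, although adding it to `SVCTARGETS` makes `all` (and `install_systemd` in the next hunk) depend on it. If the existing generation step is an explicit rule for `pesign.service` rather than a `%.service : %.service.in` pattern, the build would stop with no rule to make the target and `@@LIBEXECDIR@@` would never be substituted. That rule is outside the hunk, so it should be confirmed. A comment next to the list such as `# *.service files are generated from the matching *.service.in` would make the dependency visible.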
|
|
@@ -53,11 +53,12 @@ clean :
|
|
@rm -rfv *.o *.a *.so $(TARGETS)
|
|
@rm -rfv .*.d
|
|
|
|
-install_systemd: pesign.service
|
|
+install_systemd: pesign.service pesign-authorize.service
|
|
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)tmpfiles.d/
|
|
$(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)$(libdatadir)tmpfiles.d/pesign.conf
|
|
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)systemd/system/
|
|
$(INSTALL) -m 644 pesign.service $(INSTALLROOT)$(libdatadir)systemd/system/
|
|
+ $(INSTALL) -m 644 pesign-authorize.service $(INSTALLROOT)$(libdatadir)systemd/system/
|
|
|
|
install_sysvinit: pesign.sysvinit
|
|
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
|
|
@@ -84,6 +85,8 @@ install :
|
|
$(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/
|
|
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
|
|
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
|
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/share/doc/pesign/
|
|
+ $(INSTALL) -m 644 missing-stuff.txt $(INSTALLROOT)/usr/share/doc/pesign/
|
|
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
|
$(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
|
|
$(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
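Review bot: `missing-stuff.txt` is read while packages are being built (the `cat /usr/share/doc/pesign/missing-stuff.txt` added to `macros.pesign`), yet the two added lines install it under a hard-coded `/usr/share/doc/pesign/`. Files in the documentation directory are commonly omitted on installs that exclude docs, in which case the intended explanation would be replaced by a bare `cat` error. The literal path also bypasses the directory variables that the neighbouring `$(mandir)` and `$(libexecdir)` lines use. Consider a data directory expressed through a variable, or at minimum a comment such as `# read by the signing macro in macros.pesign; keep both paths in sync`. The `install` recipe starts and ends outside this hunk.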
|
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
|
index 39374ce..3197ed7 100644
|
|
--- a/src/macros.pesign
|
|
+++ b/src/macros.pesign
|
|
@@ -7,7 +7,7 @@
|
|
# And magically get the right thing.
|
|
|
|
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
|
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
|
|
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
|
|
|
%_pesign /usr/bin/pesign
|
|
%_pesign_client /usr/bin/pesign-client
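Review bot: With `-c` dropped from its expansion, `%__pesign_cert` changes meaning from "option plus argument" to "quoted nickname only", and nothing near the definition records that. Only one call site is adjusted in this patch (the `-c %{__pesign_cert}` in the following hunk). Any other use in this file, or in spec files that expand the macro directly, would now pass the nickname as a bare positional argument; those are not visible here and should be checked. A comment such as `# expands to the quoted certificate nickname only; callers must supply -c` would document the new contract.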
|
|
@@ -41,7 +41,13 @@
|
|
-c "/CN=Fedora Secure Boot Signer" \\\
|
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
|
else \
|
|
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
|
+ if ! certutil -d /etc/pki/pesign -L -n %{__pesign_cert} >/dev/null 2>&1 ; then \ \
|
|
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
|
|
+ cat /usr/share/doc/pesign/missing-stuff.txt 1>&2 \
|
|
+ exit 1 \
|
|
+ fi \
|
|
+ fi \
|
|
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
|
fi \
|
|
else \
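Review bot: The `then \ \` that ends the added `certutil` line carries a second backslash that no other added line has, which looks like a typo. Depending on how the continuation is consumed, it may leave an escaped space after `then` in the generated script, so the line should probably end in a single `\`: `if ! certutil -d /etc/pki/pesign -L -n %{__pesign_cert} >/dev/null 2>&1 ; then \`. The check also aborts only when the nickname is the default test certificate, so a missing custom `pe_signing_cert` still falls through to `pesign` and fails there with its own error; if that is intended, a one-line comment saying so would help. The macro body starts and ends outside this hunk.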
|
|
diff --git a/src/missing-stuff.txt b/src/missing-stuff.txt
|
|
new file mode 100644
|
|
index 0000000..55b68e3
|
|
--- /dev/null
|
|
+++ b/src/missing-stuff.txt
|
|
@@ -0,0 +1,11 @@
|
|
+
|
|
+
|
|
+You are attempting to sign the with the "Red Hat Test Certificate",
|
|
+which is not installed or cannot be accessed. If you mean to be signing
|
|
+with this key, ensure that the "pesign-rh-test-certs" package is
|
|
+installed and that your user name is listed in "/etc/pesign/users", and
|
|
+then run:
|
|
+
|
|
+ systemctl restart pesign-authorize.service
|
|
+
|
|
+
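Review bot: The first sentence of the message reads "sign the with the", which has a stray or missing word; `You are attempting to sign with the "Red Hat Test Certificate",` reads correctly. The remedy it describes (listing the user in `/etc/pesign/users` and restarting `pesign-authorize.service`) presumably requires administrator rights. The text would be clearer if it said so, since it is printed to whoever runs the build.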
|
|
diff --git a/src/pesign-authorize.service.in b/src/pesign-authorize.service.in
|
|
new file mode 100644
|
|
index 0000000..ccb1d4f
|
|
--- /dev/null
|
|
+++ b/src/pesign-authorize.service.in
|
|
@@ -0,0 +1,8 @@
|
|
+[Unit]
|
|
+Description=Pesign database authentication management service
|
|
+
|
|
+[Service]
|
|
+PrivateTmp=true
|
|
+Type=oneshot
|
|
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-users
|
|
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
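Review bot: The unit has no `[Install]` section and no ordering against `pesign.service`, so nothing shown here makes it run at boot or before the signing daemon starts. As written it runs only when started by hand, which is what `missing-stuff.txt` instructs. If the authorization scripts are meant to run whenever the daemon comes up, that needs something like `Before=pesign.service` together with a `WantedBy=` line or a `Wants=` from `pesign.service`, none of which is in this patch. Both `ExecStart=` scripts presumably run as root and change who may access the signing database, so a `Documentation=` entry or a comment naming the paths they modify would help anyone later tightening the sandbox beyond `PrivateTmp=true`.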
|
|
--
|
|
2.5.0
|
|
|