From 4ccf4d20a7530a8e54a7f4d1e0f11c2a2efe3750 Mon Sep 17 00:00:00 2001
From: Huaxin Lu
Date: Thu, 14 Sep 2023 15:42:01 +0800
Subject: [PATCH] process PGP certs before kernel building
(cherry picked from commit 1c7c020a6c7c67b4d9da14b95d250cc8dbb482d4)
---
RPM-GPG-KEY-openEuler-compass-ci | 50 +++++++++++++++++++++++++++++++
kernel.spec | 16 ++++++++--
process_pgp_certs.sh | 31 +++++++++++++++++++
pubring.gpg | Bin 1518 -> 0 bytes
4 files changed, 94 insertions(+), 3 deletions(-)
create mode 100644 RPM-GPG-KEY-openEuler-compass-ci
create mode 100644 process_pgp_certs.sh
delete mode 100644 pubring.gpg
diff --git a/RPM-GPG-KEY-openEuler-compass-ci b/RPM-GPG-KEY-openEuler-compass-ci
new file mode 100644
index 0000000..efabcea
--- /dev/null
+++ b/RPM-GPG-KEY-openEuler-compass-ci
@@ -0,0 +1,50 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGOROkcBDAC2S6JpeU5YFzMDp5zqpWoTQmDaVnNh4dsbCEJp+Z6p2v7Y7NmM
+iGzDYvScsa0nhM15SVJsrWYFkJB1rX+ESy7RRb1qGS5FznobzgUbhmMhpE0U/5+u
+hTcvjk7wpFn04+FHugvIZ5gjP0G48gYkJoOtKKtMYA5Uvl/w0uRI6++Vme6m4W/K
+Y2igg/JmRXSHhJHLQFICtQSZWw0kvWr6EUhmnFayzB6teKwJivJzJKHBTOgiSq5h
+Q4BEcOJz0jmF4xOvpXIBB2mIb191DSXm9kadyRBZMDfw1Nqgmhhw40BRlt4hsV8k
+yKymCFqm9M48NwY99/8Cfms4IXfD9XiF7nVj8+e5CcXeEGFWatZD2nCHTAkyah2L
+Ukqe372pnQyCBvDIwkxTha/LWIVXU3eIMbSOz2dLht55yb+TNhOgK1b4xjhq6RWz
+BpGjReU8RDtghVZkelt+mBZA8HPR81DoUuAm4vQuaxKecl44FdhzeUkCVDyA6ubh
+kY5LQQBwIR7X+68AEQEAAbQkb3BlbmV1bGVyIDxvcGVuZXVsZXJAY29tcGFzcy1j
+aS5jb20+iQHNBBMBCAA3FiEEiqFr+fLKUkQBDcqWO0d8YLZ1YAsFAmOROkcCGwMF
+CwkIBwIGFQoJCAsCAxYCAQIeAQIXgAAKCRA7R3xgtnVgCzyEC/9L7TMRYC6xK2Dn
+BetWLGBYag2YQmIIPUqZLFmq7RDiyAeVgFfk3TQj7AQryp3Cg63pxGH3YEOmU2B+
+6s9advYUzEokd9DpiZoOKnNRK7EXb1aDw1Ujgd9xH4FgTNiUUxnkrb5Rlf3U5uSI
+moqTwHuagBm9JP3xDllFFyo++w/23pQpoFMza4DiGrfVRor/oqfkmuKnimxg2naU
+iAD4kO25O9Css9cgKrKNN06iuLPW0txqV9t2WfUsP28Lj+QE0yFaxlCokVbD0PSy
+L1GKZszWMN+95NuEwrD8VeEzOrji7MqTjpWmzq70O4tyzyEHlCXizhQo/6HrDVPF
+2npcCFYkxd53LmfW0MuRdEETf7hbIC0+ViD7mX55i3Z3x4MWb2X2zPl+r8yHiQsZ
+Y/wm2sPWZb7jBm8up3c+xIoJZv5yoEX7JMFtiwpEMYJhyNKhgeQ4M3hi3v4q6rIL
+QoCyujyENpr/opHL0EXFkUVvA3AUh+DR8cUiAo7X1pmJjKuRdEW5AY0EY5E6ygEM
+AMj+qR7eLSdfDkcuPkSYqvzVcaYHpBwKn6ax9QTtR6UfONbg5CGQOU90RGH8xBix
+bHf3VvIqt00x9dRW36mwLR/+CP/FJyqchC6Wh2k0SEJ5HR4frsWmOOHcT7wK150D
+uTsyuWF4DidtvWtV1sgMZQcg66iFsPbdyTGaIolXij+4tv2TJgo9468MI0gFOY+0
+2B6vluyB9k9nKNwEzH1cQCcDXa1r3P0f8iMNoojvSHZPKF9uAtUrnWULd3At+Nui
+AI3H6rc7MEp/mVGnGWbNEfpHcwHqafRuJsdQgYu0AYNPyh+NT82n+clNSh0RoYGI
+YLmPX+QBIIlsgcK3P8AZWjISKWtBRo5IJQWeB2BkMNrAKWpKUKn+nsWVaG4TZ8c+
+2oqpuO+6ol4lFhk0G7cVqW09OOQ/UNopEiXHbJvpAqzSKbuzmK+kLB67pp4/wS+w
+Os09t1o/m9qynMCCGmisNvVrWWmEiG/KaeFcQzzs9jVr9piGeGcxva70PbJew1hz
+qwARAQABiQNsBBgBCAAgFiEEiqFr+fLKUkQBDcqWO0d8YLZ1YAsFAmOROsoCGwIB
+wAkQO0d8YLZ1YAvA9CAEGQEIAB0WIQSBLhvcto+bdWqkjO8Af7dH+ze8bwUCY5E6
+ygAKCRAAf7dH+ze8b57HC/4sHZk0yhBlwMWdu0vQGE+e8W1FTkL6uF2TTsTAVmAX
+aIT3PrZJGiCfuqvdaYzArpEjWg6mk63esVs3//iGqsfQBKA6KhJgy4/daSKDnUlv
+RbzJXWFi2gd2FBvGZUvRb/otdA34UvdhHr5q5A6DqPsKu++lj6rqMdDI1RFPr70T
+N2Hd7xGevIWo620N/Hv884dkZ1QiJJ7d+BLavvLWwYy/l/c7NkwdMwFfqS1KMmLU
+Nw5opyBi57I9lhYQTqexa6Fvs5lSvtK+C6YRI6PDn+7tRyqYYQdDANeNzUkn5rBV
+ZGo5FuHlkyk0oKWX0kkYGLwaTV1BdTraeoYYywAJ59PC73pzCe4yBiQmDi6hsZ6D
+DJtrngrGwrYhq87cjBAhK94FpgPSN8CK2XiLcMjmOi8KmVnjb0F6jKH6G0sadNi5
+wm13Ec9XyrcggJUXmGBHQirHTyM3rkyI3C6xC2ZPbl6YxFyTbPruVJuFw2Cfivnk
+b0nMdbfgyoNpOr+BiPqasGzwOgwAogZCFEHPamnOov/Wk/iodTYpR3rV4IAJWBxy
+KLxZYZSf41cgTEZvOKIE2vP8jPnm/ag3T+qTEAsBSf1Y6w1ohLbifF4APq9WmJ8g
+kFuexEyHJUeivojUX2j1V+qDwLJU4EjRsAaLC5dkTf5nF04nwbdnF+qiBsG0bsVK
+V7sdKpbOEfFDQKe66bQ2n2t7jTVjOuS7sLRUx7bGLIEzj8mxhRNmxbXf/gb/Q0bw
+r9T5WxkQnTI6ZwH8t/dYDhMvwpWPCkPqwvY/JAzY3J++AE9oGVdBOu+q9xIkWX7w
+cy5VeGx2n/SLa+aNFXFi9FxyPHAozRnIM9ET8NuhEBncSgvlY1yjURmay8l0zCin
+TOmyCewwVi8TVz9wdrqrHAoItamu+y5mQgU4jinbxWBytzaQ6gmZUsoKHMNOYpOQ
+sg4mugUPR5Gv0xNn+1nZcVyL7nSGlxp7C0ujMVlBugKVR4091KizlHjfVrtuwRHG
+RvdQJiP2pHXAQpBJduIgGAQsGDCk
+=WmUf
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/kernel.spec b/kernel.spec
index 3c31826..fe04f0f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -25,7 +25,7 @@ %global upstream_sublevel 0 %global devel_release 8 %global maintenance_release .0.0 -%global pkg_release .16 +%global pkg_release .17 %define with_debuginfo 1 # Do not recompute the build-id of vmlinux in find-debuginfo.sh
@@ -64,7 +64,10 @@ Source0: kernel.tar.gz Source10: sign-modules Source11: x509.genkey Source12: extra_certificates -Source13: pubring.gpg +# openEuler RPM PGP certificates: +# 1. openeuler +Source13: RPM-GPG-KEY-openEuler-compass-ci +Source14: process_pgp_certs.sh %if 0%{?with_kabichk} Source18: check-kabi
@@ -285,7 +288,11 @@ tar -xjf %{SOURCE9998} mv kernel linux-%{KernelVer} cd linux-%{KernelVer} -cp %{SOURCE13} certs +# process PGP certs +cp %{SOURCE13} . +cp %{SOURCE14} . +sh %{SOURCE14} +cp pubring.gpg certs %if 0%{?with_patch} cp %{SOURCE9000} .
@@ -925,6 +932,9 @@ fi %endif %changelog +* Sat Sep 16 2023 luhuaxin - 6.4.0-8.0.0.17 +- Process PGP certs before kernel building + * Wed Sep 13 2023 Wei Li - 6.4.0-8.0.0.16 - ima: Add IMA digest lists extension - mm: gmem: create gm_as when dont have device avoid mmap failed
diff --git a/process_pgp_certs.sh b/process_pgp_certs.sh
new file mode 100644
index 0000000..59a6075
--- /dev/null
+++ b/process_pgp_certs.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# from: https://repo.openeuler.org/${openEuler_version}/source/RPM-GPG-KEY-openEuler
+# sha256: 006e79d37c10e74c24df6d07c4efc4176515cec009daa5ed493b06f5b6ef39c1
+CERT="RPM-GPG-KEY-openEuler-compass-ci"
+# process result for kernel building
+CERT_OUT="pubring.gpg"
+
+# base64 decode with removing prefix and suffix
+for cert in $CERT; do
+ cat $cert | head -n -2 | tail -n +2 | base64 -d > $cert.gpg
+done
+
+# Now EBS use subkey to sign, but kernel can only parse main key. So we need to
+# extract subkey information and wrap to a main key format.
+
+# The PGP data can be parsered with https://cirw.in/gpg-decoder/
+
+# Extra User ID Packet
+# start: 400; length: 38
+dd if=$CERT.gpg of=$CERT.userid.gpg skip=400 bs=1c count=38
+# Extra Public-Subkey Packet
+# start: 902 + 1(wrap cipherTypeByte); length: 400 - 1
+# cipherTypeByte: 0x99 = 10 0110(wrap to a main key) 01
+echo -en "\x99" > $CERT.subkey.gpg
+dd if=$CERT.gpg of=$CERT.subkey.gpg skip=903 bs=1c count=399 seek=1
+
+# merge all cert information
+cat $CERT.subkey.gpg $CERT.userid.gpg > $CERT_OUT
+# cleanup
+rm -f RPM-GPG-KEY-openEuler-*
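Review bot: `sh %{SOURCE14}` runs the helper under whatever `sh` resolves to, although the script declares `#!/bin/bash` and relies on `echo -en "\x99"`; on a build host where `sh` is not bash that echo would write different bytes and the packet header at the start of `pubring.gpg` would be wrong. I would call it as `bash %{SOURCE14}`. The preceding `cp %{SOURCE14} .` also looks unnecessary, since the script is executed from its source path and the copy appears to stay in the kernel tree (the script's cleanup only removes `RPM-GPG-KEY-openEuler-*`). The %prep section continues outside this hunk.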
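Review bot: The header comment records a sha256 for the certificate but nothing in process_pgp_certs.sh checks it, and the two `dd` calls cut the User ID and subkey packets out at fixed byte offsets (400 and 903) that are only right for this exact key file. Because the output is copied into the kernel's `certs` directory as `pubring.gpg`, a changed or truncated input should fail the build instead of producing a different or malformed key; as written there is no `set -e`, so a failing `base64 -d` or a short `dd` read is hidden behind the final `rm -f`, which returns 0. I would enable strict mode, verify the checksum before decoding (assuming the recorded hash is that of the shipped file), check the extracted sizes, and write the tag byte with `printf '\231'` rather than `echo -en`. Expansions such as `$cert`, `$CERT.gpg` and `$CERT_OUT` should also be quoted.

```shell
#!/bin/bash
set -euo pipefail

CERT="RPM-GPG-KEY-openEuler-compass-ci"
# assumes the sha256 from the header comment is that of $CERT; confirm before merging
CERT_SHA256="006e79d37c10e74c24df6d07c4efc4176515cec009daa5ed493b06f5b6ef39c1"
printf '%s  %s\n' "$CERT_SHA256" "$CERT" | sha256sum -c -
# … unchanged: CERT_OUT, base64 decode loop, User ID dd …
printf '\231' > "$CERT.subkey.gpg"   # 0x99 in octal, no reliance on echo -e
dd if="$CERT.gpg" of="$CERT.subkey.gpg" skip=903 bs=1c count=399 seek=1
# a short input makes dd copy fewer bytes without failing, so check the sizes
[[ "$(wc -c < "$CERT.userid.gpg")" -eq 38 ]]
[[ "$(wc -c < "$CERT.subkey.gpg")" -eq 400 ]]
# … unchanged: merge into $CERT_OUT, cleanup …
```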
diff --git a/pubring.gpg b/pubring.gpg deleted file mode 100644 index c8d4dbc9e276670a515fabf6cb2b7ec7f760d4fe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1518 zcmV=~MJE)s##34@(UV>Z2Gj%f+EA04MNLfWUu~qx@lk zW06xsK_*d(CC86_l7PpDr_XPX)8se&2B*5q{ZO~f{rKZiKfVsk!;0Zs%H0SEv%79j)@>U6A~^o>TwoS?qd zR|a0PUVml<0$r_J&jK4S1q%rX2Lc8a3JC}c0t6NU0|5da0Rk6*0162Z)mH{yvR;2? zKS>AxzLJbDJAiC{>V-EVicu-8eHLf?Ko8RyxFwTy<9>`Qig<|AGJa;~Uf~MQd8dzO z`8&@qMYal#oMJO^JzbRkUGX-2Nlb<;%g@LA%kQV43P|G}`dbQWL>J!r9BBNbvhhbh?Yvwp=zc?)cSa z!diZSs4Notx&z)Ps7`U<(2bVr!VcU)&b)s-Uup-}89I4VLSzBADIi9u1g)EHaE?B}oDQ3sR5xV+K35lTucO|PBLg3LR9ny;l0 z8v7_jA55!>Ta4M&)3XA|;F1Y78NDfz=0RjR5EJy-bnU+2UNvvHe06F~4B!1WAzD)3 zYvEtctAS~?W++HSV*pW7L+I_hVU5T2^=k<}|#7ZnzRJ0Ha4t)rJ3&lx}xMQoY0sK%XbxRr+*8SV-^3r%2duJ zrBPngnQ-}x|H`h$TC0c>_ZCl&@>-{ixSKeR?vF!KKt5!uth}z~>B~HLPKA8qQ8J1( zOK#HA*4$sNg>aQu8h1N}ac^pL-g8`bZcrC2ay${ZC1Rp+(_fs+wIXo;tRgm*(VkOj zJ5K3MgyE=gi2*hQ7y$?XAQmA666$oUo%D@H#+;zO)mH{yvR;2?1p-~ITh9U;3;+rV z5Y<-(Ub0?)W;$^P|3!D$6-RxV?YvHEnVLz`7Nw6c&E3q{mS7^@WzOw}1Xu68?6{7^ z8g{$}e-a@V;Ky0zpqh59?xq@6j%ya%y?9ReWT8cISY7)8C_{7?zzDQkYNy~N|`sLvr1PenkEQ%)-P zV)=cyJw?P1)~#dqj4~{7_)Ju@+KFnQO;PL4pZAATg5i?dML|!q(M#OlG&uX#s;FY( z!^c8`+rx`bJkK|$OuqZMSVhi}L|DjnXU-i#>l?*{H#2ckfbM2ZtYIURvC17~n&0EA}ImjD0&