process PGP certs before kernel building

(cherry picked from commit 1c7c020a6c7c67b4d9da14b95d250cc8dbb482d4)
2023-09-14 15:42:01 +08:00 · 2023-09-14 15:42:01 +08:00 · 4ccf4d20a7
commit 4ccf4d20a7
parent bb4f19c457
4 changed files with 94 additions and 3 deletions
--- a/50
+++ b/50
@ -0,0 +1,50 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGOROkcBDAC2S6JpeU5YFzMDp5zqpWoTQmDaVnNh4dsbCEJp+Z6p2v7Y7NmM
+iGzDYvScsa0nhM15SVJsrWYFkJB1rX+ESy7RRb1qGS5FznobzgUbhmMhpE0U/5+u
+hTcvjk7wpFn04+FHugvIZ5gjP0G48gYkJoOtKKtMYA5Uvl/w0uRI6++Vme6m4W/K
+Y2igg/JmRXSHhJHLQFICtQSZWw0kvWr6EUhmnFayzB6teKwJivJzJKHBTOgiSq5h
+Q4BEcOJz0jmF4xOvpXIBB2mIb191DSXm9kadyRBZMDfw1Nqgmhhw40BRlt4hsV8k
+yKymCFqm9M48NwY99/8Cfms4IXfD9XiF7nVj8+e5CcXeEGFWatZD2nCHTAkyah2L
+Ukqe372pnQyCBvDIwkxTha/LWIVXU3eIMbSOz2dLht55yb+TNhOgK1b4xjhq6RWz
+BpGjReU8RDtghVZkelt+mBZA8HPR81DoUuAm4vQuaxKecl44FdhzeUkCVDyA6ubh
+kY5LQQBwIR7X+68AEQEAAbQkb3BlbmV1bGVyIDxvcGVuZXVsZXJAY29tcGFzcy1j
+aS5jb20+iQHNBBMBCAA3FiEEiqFr+fLKUkQBDcqWO0d8YLZ1YAsFAmOROkcCGwMF
+CwkIBwIGFQoJCAsCAxYCAQIeAQIXgAAKCRA7R3xgtnVgCzyEC/9L7TMRYC6xK2Dn
+BetWLGBYag2YQmIIPUqZLFmq7RDiyAeVgFfk3TQj7AQryp3Cg63pxGH3YEOmU2B+
+6s9advYUzEokd9DpiZoOKnNRK7EXb1aDw1Ujgd9xH4FgTNiUUxnkrb5Rlf3U5uSI
+moqTwHuagBm9JP3xDllFFyo++w/23pQpoFMza4DiGrfVRor/oqfkmuKnimxg2naU
+iAD4kO25O9Css9cgKrKNN06iuLPW0txqV9t2WfUsP28Lj+QE0yFaxlCokVbD0PSy
+L1GKZszWMN+95NuEwrD8VeEzOrji7MqTjpWmzq70O4tyzyEHlCXizhQo/6HrDVPF
+2npcCFYkxd53LmfW0MuRdEETf7hbIC0+ViD7mX55i3Z3x4MWb2X2zPl+r8yHiQsZ
+Y/wm2sPWZb7jBm8up3c+xIoJZv5yoEX7JMFtiwpEMYJhyNKhgeQ4M3hi3v4q6rIL
+QoCyujyENpr/opHL0EXFkUVvA3AUh+DR8cUiAo7X1pmJjKuRdEW5AY0EY5E6ygEM
+AMj+qR7eLSdfDkcuPkSYqvzVcaYHpBwKn6ax9QTtR6UfONbg5CGQOU90RGH8xBix
+bHf3VvIqt00x9dRW36mwLR/+CP/FJyqchC6Wh2k0SEJ5HR4frsWmOOHcT7wK150D
+uTsyuWF4DidtvWtV1sgMZQcg66iFsPbdyTGaIolXij+4tv2TJgo9468MI0gFOY+0
+2B6vluyB9k9nKNwEzH1cQCcDXa1r3P0f8iMNoojvSHZPKF9uAtUrnWULd3At+Nui
+AI3H6rc7MEp/mVGnGWbNEfpHcwHqafRuJsdQgYu0AYNPyh+NT82n+clNSh0RoYGI
+YLmPX+QBIIlsgcK3P8AZWjISKWtBRo5IJQWeB2BkMNrAKWpKUKn+nsWVaG4TZ8c+
+2oqpuO+6ol4lFhk0G7cVqW09OOQ/UNopEiXHbJvpAqzSKbuzmK+kLB67pp4/wS+w
+Os09t1o/m9qynMCCGmisNvVrWWmEiG/KaeFcQzzs9jVr9piGeGcxva70PbJew1hz
+qwARAQABiQNsBBgBCAAgFiEEiqFr+fLKUkQBDcqWO0d8YLZ1YAsFAmOROsoCGwIB
+wAkQO0d8YLZ1YAvA9CAEGQEIAB0WIQSBLhvcto+bdWqkjO8Af7dH+ze8bwUCY5E6
+ygAKCRAAf7dH+ze8b57HC/4sHZk0yhBlwMWdu0vQGE+e8W1FTkL6uF2TTsTAVmAX
+aIT3PrZJGiCfuqvdaYzArpEjWg6mk63esVs3//iGqsfQBKA6KhJgy4/daSKDnUlv
+RbzJXWFi2gd2FBvGZUvRb/otdA34UvdhHr5q5A6DqPsKu++lj6rqMdDI1RFPr70T
+N2Hd7xGevIWo620N/Hv884dkZ1QiJJ7d+BLavvLWwYy/l/c7NkwdMwFfqS1KMmLU
+Nw5opyBi57I9lhYQTqexa6Fvs5lSvtK+C6YRI6PDn+7tRyqYYQdDANeNzUkn5rBV
+ZGo5FuHlkyk0oKWX0kkYGLwaTV1BdTraeoYYywAJ59PC73pzCe4yBiQmDi6hsZ6D
+DJtrngrGwrYhq87cjBAhK94FpgPSN8CK2XiLcMjmOi8KmVnjb0F6jKH6G0sadNi5
+wm13Ec9XyrcggJUXmGBHQirHTyM3rkyI3C6xC2ZPbl6YxFyTbPruVJuFw2Cfivnk
+b0nMdbfgyoNpOr+BiPqasGzwOgwAogZCFEHPamnOov/Wk/iodTYpR3rV4IAJWBxy
+KLxZYZSf41cgTEZvOKIE2vP8jPnm/ag3T+qTEAsBSf1Y6w1ohLbifF4APq9WmJ8g
+kFuexEyHJUeivojUX2j1V+qDwLJU4EjRsAaLC5dkTf5nF04nwbdnF+qiBsG0bsVK
+V7sdKpbOEfFDQKe66bQ2n2t7jTVjOuS7sLRUx7bGLIEzj8mxhRNmxbXf/gb/Q0bw
+r9T5WxkQnTI6ZwH8t/dYDhMvwpWPCkPqwvY/JAzY3J++AE9oGVdBOu+q9xIkWX7w
+cy5VeGx2n/SLa+aNFXFi9FxyPHAozRnIM9ET8NuhEBncSgvlY1yjURmay8l0zCin
+TOmyCewwVi8TVz9wdrqrHAoItamu+y5mQgU4jinbxWBytzaQ6gmZUsoKHMNOYpOQ
+sg4mugUPR5Gv0xNn+1nZcVyL7nSGlxp7C0ujMVlBugKVR4091KizlHjfVrtuwRHG
+RvdQJiP2pHXAQpBJduIgGAQsGDCk
+=WmUf
+-----END PGP PUBLIC KEY BLOCK-----
--- a/kernel.spec
+++ b/kernel.spec
@ -25,7 +25,7 @@
 %global upstream_sublevel   0
 %global devel_release       8
 %global maintenance_release .0.0
-%global pkg_release         .16
+%global pkg_release         .17

 %define with_debuginfo 1
 # Do not recompute the build-id of vmlinux in find-debuginfo.sh
@ -64,7 +64,10 @@ Source0: kernel.tar.gz
 Source10: sign-modules
 Source11: x509.genkey
 Source12: extra_certificates
-Source13: pubring.gpg
+# openEuler RPM PGP certificates:
+# 1. openeuler <openeuler@compass-ci.com>
+Source13: RPM-GPG-KEY-openEuler-compass-ci
+Source14: process_pgp_certs.sh

 %if 0%{?with_kabichk}
 Source18: check-kabi
@ -285,7 +288,11 @@ tar -xjf %{SOURCE9998}
 mv kernel linux-%{KernelVer}
 cd linux-%{KernelVer}

-cp %{SOURCE13} certs
+# process PGP certs
+cp %{SOURCE13} .
+cp %{SOURCE14} .
+sh %{SOURCE14}
+cp pubring.gpg certs

 %if 0%{?with_patch}
 cp %{SOURCE9000} .
@ -925,6 +932,9 @@ fi
 %endif

 %changelog
+* Sat Sep 16 2023 luhuaxin <luhuaxin1@huawei.com> - 6.4.0-8.0.0.17
+- Process PGP certs before kernel building
+
 * Wed Sep 13 2023 Wei Li <liwei391@huawei.com> - 6.4.0-8.0.0.16
 - ima: Add IMA digest lists extension
 - mm: gmem: create gm_as when dont have device avoid mmap failed
--- a/process_pgp_certs.sh
+++ b/process_pgp_certs.sh
@ -0,0 +1,31 @@
+#!/bin/bash
+
+# from: https://repo.openeuler.org/${openEuler_version}/source/RPM-GPG-KEY-openEuler
+# sha256: 006e79d37c10e74c24df6d07c4efc4176515cec009daa5ed493b06f5b6ef39c1
+CERT="RPM-GPG-KEY-openEuler-compass-ci"
+# process result for kernel building
+CERT_OUT="pubring.gpg"
+
+# base64 decode with removing prefix and suffix
+for cert in $CERT; do
+	cat $cert | head -n -2 | tail -n +2 | base64 -d > $cert.gpg
+done
+
+# Now EBS use subkey to sign, but kernel can only parse main key. So we need to
+# extract subkey information and wrap to a main key format.
+
+# The PGP data can be parsered with https://cirw.in/gpg-decoder/
+
+# Extra User ID Packet
+# start: 400; length: 38
+dd if=$CERT.gpg of=$CERT.userid.gpg skip=400 bs=1c count=38
+# Extra Public-Subkey Packet
+# start: 902 + 1(wrap cipherTypeByte); length: 400 - 1
+# cipherTypeByte: 0x99 = 10 0110(wrap to a main key) 01
+echo -en "\x99" > $CERT.subkey.gpg
+dd if=$CERT.gpg of=$CERT.subkey.gpg skip=903 bs=1c count=399 seek=1
+
+# merge all cert information
+cat $CERT.subkey.gpg $CERT.userid.gpg > $CERT_OUT
+# cleanup
+rm -f RPM-GPG-KEY-openEuler-*
--- a/pubring.gpg
+++ b/pubring.gpg