!122 add support for EBS sign

From: @HuaxinLuGitee Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
2023-01-16 02:41:17 +00:00 · 2023-01-16 02:41:17 +00:00 · c068c88fee
commit c068c88fee
parent bfd4d81189 f1576a29d1
2 changed files with 88 additions and 1 deletions
--- a/Feature-support-EBS-sign-for-IMA-digest-list.patch
+++ b/Feature-support-EBS-sign-for-IMA-digest-list.patch
@ -0,0 +1,82 @@
+From 0449160c84daff8c557dee47a970e4f4837ff81d Mon Sep 17 00:00:00 2001
+From: Huaxin Lu <luhuaxin1@huawei.com>
+Date: Mon, 12 Dec 2022 00:16:01 +0800
+Subject: [PATCH] support EBS sign for IMA digest list
+
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+---
+ brp-digest-list | 16 ++++++++++++++++
+ brp-ebs-sign    | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+)
+ create mode 100644 brp-ebs-sign
+
+diff --git a/brp-digest-list b/brp-digest-list
+index e698b7a..9ec50a2 100644
+--- a/brp-digest-list
+++ b/brp-digest-list
+@@ -84,6 +84,22 @@ if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
+ 	chmod 644 $f
+ 	echo $f
+ 
+	# do EBS sign
+	export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}')
+	export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
+	if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
+		[ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
+		for f in $(ls $DIGEST_LIST_DIR); do
+			sh /usr/lib/rpm/brp-ebs-sign $DIGEST_LIST_DIR/$f &> /dev/null
+			[ -f $DIGEST_LIST_DIR/$f.sig ] || exit 0
+			chmod 644 $DIGEST_LIST_DIR/$f.sig
+			mv $DIGEST_LIST_DIR/$f.sig $DIGEST_LIST_DIR.sig/$f.sig
+			echo $DIGEST_LIST_DIR.sig/$f.sig
+		done
+		exit 0
+	fi
+
+	# do OBS sign
+ 	[ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
+ 
+ 	export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
+diff --git a/brp-ebs-sign b/brp-ebs-sign
+new file mode 100644
+index 0000000..662a9f7
+--- /dev/null
+++ b/brp-ebs-sign
+@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# config
+PUBLISHER_ADDR="http://${PUBLISHER_HOST}:${PUBLISHER_PORT}/sign-files"
+POST_KEY_BASE64="encoded_file_content"
+POST_KEY_MD5="file_md5"
+REQ_KEY_BASE64="signed_file_content"
+REQ_KEY_MD5="signed_file_md5"
+
+# function definition
+get_json_value(){
+	echo "$1" | awk -F "[{,:}]" '{for(i=1;i<NF;i++){if($i~"'$2'"){print $(i+1)}}}' | sed 's/\"//g'
+}
+
+file="$1"
+file_base64="$(base64 -w0 $file)"
+file_md5="$(md5sum $file | awk '{printf $1}')"
+json="{\"$POST_KEY_BASE64\":\"$file_base64\", \"$POST_KEY_MD5\":\"$file_md5\"}"
+
+req="$(curl -X POST "$PUBLISHER_ADDR" -H 'Content-Type: application/json' -d "$json")"
+[ $? -eq 0 ] || { echo "Fail to post sign service, REQ="; echo "req"; exit 1; }
+
+sig_base64=$(get_json_value "$req" "$REQ_KEY_BASE64")
+[ $? -eq 0 ] || { echo "Fail to parser $REQ_KEY_BASE64"; exit 1; }
+echo -e "$sig_base64" | base64 -d > $file.sig
+[ $? -eq 0 ] || { echo "Fail to decode value of $key"; exit 1; }
+
+sig_md5=$(get_json_value "$req" "$REQ_KEY_MD5")
+[ $? -eq 0 ] || { echo "Fail to parser $REQ_KEY_MD5"; exit 1; }
+md5sum $file.sig | grep "$sig_md5"
+[ $? -eq 0 ] || { echo "Fail to check md5 of $file.sig"; exit 1; }
+
+echo "Sign $file ok!"
+exit 0
+-- 
+2.33.0
+
--- a/openEuler-rpm-config.spec
+++ b/openEuler-rpm-config.spec
@ -3,7 +3,7 @@

 Name:		%{vendor}-rpm-config
 Version:	30
-Release:	34
+Release:	35
 License:	GPL+
 Summary:	specific rpm configuration files
 URL:		https://gitee.com/openeuler/openEuler-rpm-config
@ -27,6 +27,7 @@ Patch13:	add-loongarch64-support-for-config.guess-and-config.sub.patch
 Patch14:        backport-kmp-feature.patch
 Patch15:	0001-add-loongarch64-for-golang_arches.patch
 Patch16:	fix-config-error-for-loongarch64.patch
+Patch17:	Feature-support-EBS-sign-for-IMA-digest-list.patch

 Provides: python-rpm-macros = %{?epoch:%{epoch}:}%{version}-%{release}
 Provides: python2-rpm-macros = %{?epoch:%{epoch}:}%{version}-%{release}
@ -67,6 +68,7 @@ Requires: qt5-srpm-macros

 Requires: rpm >= 4.11.0
 Requires: zip
+Requires: curl
 #Requires: (annobin if gcc)

 # for brp-mangle-shebangs
@ -133,6 +135,9 @@ sed -i "s/__vendor/%{vendor}/g" `grep "__vendor" -rl %{buildroot}%{_rpmconfigdir
 %{rpmvdir}/find-requires.ksyms

 %changelog
+* Sat Jan 14 2023 luhuaxin <luhuaxin1@huawei.com> - 30-35
+- support EBS sign
+
 * Wed Dec 14 2022 huajingyun <huajingyun@loongson.cn> - 30-34
 - fix config error for loongarch64