pesign-obs-integration/Add-support-for-digest-lists.patch

From 9caa3773a41c531c21b4a696a6928ed953f18b7f Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Sat, 27 Jun 2020 13:38:07 +0200
Subject: [PATCH] Add support for digest lists

---
 pesign-gen-repackage-spec |  7 +++++++
 pesign-repackage.spec.in  | 11 +++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
index 96f07b5..682c5c1 100755
--- a/pesign-gen-repackage-spec
+++ b/pesign-gen-repackage-spec
@@ -432,6 +432,13 @@ sub print_files {
 		if (-e "$path.sig") {
 			print SPEC "$attrs " . quote($f->{name}) . ".sig\n";
 		}
+
+		my $digest_list_sig = $f->{name};
+		$digest_list_sig =~ s/digest_lists/digest_lists.sig/;
+
+		if (-e "$directory/$digest_list_sig.sig") {
+			print SPEC "$attrs " . quote($digest_list_sig) . ".sig\n";
+		}
 	}
 }
 
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index 76732b5..141f990 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -119,13 +119,20 @@ fi
 mkdir nss-db
 nss_db=$PWD/nss-db
 echo foofoofoo > "$nss_db/passwd"
-certutil -N -d "$nss_db" -f "$nss_db/passwd"
-certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
+
+if test "$(wc -l <cert.crt)" -gt 1; then
+	certutil -N -d "$nss_db" -f "$nss_db/passwd"
+	certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
+fi
 
 sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
 for sig in "${sigs[@]}"; do
 	f=%buildroot/${sig%.sig}
 	case "/$sig" in
+	*/etc/ima/digest_lists/*)
+		mkdir -p %buildroot/etc/ima/digest_lists.sig
+		cp $sig %buildroot/etc/ima/digest_lists.sig
+		;;
 	*.ko.sig)
 		/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
 		;;
-- 
2.27.GIT
Initial version 2020-07-15 11:37:25 +02:00			`From 9caa3773a41c531c21b4a696a6928ed953f18b7f Mon Sep 17 00:00:00 2001`
			`From: Roberto Sassu <roberto.sassu@huawei.com>`
			`Date: Sat, 27 Jun 2020 13:38:07 +0200`
			`Subject: [PATCH] Add support for digest lists`

			`---`
			`pesign-gen-repackage-spec \| 7 +++++++`
			`pesign-repackage.spec.in \| 11 +++++++++--`
			`2 files changed, 16 insertions(+), 2 deletions(-)`

			`diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec`
			`index 96f07b5..682c5c1 100755`
			`--- a/pesign-gen-repackage-spec`
			`+++ b/pesign-gen-repackage-spec`
			`@@ -432,6 +432,13 @@ sub print_files {`
			`if (-e "$path.sig") {`
			`print SPEC "$attrs " . quote($f->{name}) . ".sig\n";`
			`}`
			`+`
			`+ my $digest_list_sig = $f->{name};`
			`+ $digest_list_sig =~ s/digest_lists/digest_lists.sig/;`
			`+`
			`+ if (-e "$directory/$digest_list_sig.sig") {`
			`+ print SPEC "$attrs " . quote($digest_list_sig) . ".sig\n";`
			`+ }`
			`}`
			`}`

			`diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in`
			`index 76732b5..141f990 100644`
			`--- a/pesign-repackage.spec.in`
			`+++ b/pesign-repackage.spec.in`
			`@@ -119,13 +119,20 @@ fi`
			`mkdir nss-db`
			`nss_db=$PWD/nss-db`
			`echo foofoofoo > "$nss_db/passwd"`
			`-certutil -N -d "$nss_db" -f "$nss_db/passwd"`
			`-certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"`
			`+`
			`+if test "$(wc -l <cert.crt)" -gt 1; then`
			`+ certutil -N -d "$nss_db" -f "$nss_db/passwd"`
			`+ certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"`
			`+fi`

			`sigs=($(find -type f -name '*.sig' -printf '%%P\n'))`
			`for sig in "${sigs[@]}"; do`
			`f=%buildroot/${sig%.sig}`
			`case "/$sig" in`
			`+ /etc/ima/digest_lists/)`
			`+ mkdir -p %buildroot/etc/ima/digest_lists.sig`
			`+ cp $sig %buildroot/etc/ima/digest_lists.sig`
			`+ ;;`
			`*.ko.sig)`
			`/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"`
			`;;`
			`--`
			`2.27.GIT`