Initial version

2020-07-15 11:37:25 +02:00 · 2020-07-15 11:37:25 +02:00 · 795e3b1989
commit 795e3b1989
parent 617d8b0873
9 changed files with 322 additions and 0 deletions
--- a/Add-support-for-digest-lists.patch
+++ b/Add-support-for-digest-lists.patch
@ -0,0 +1,58 @@
 From 9caa3773a41c531c21b4a696a6928ed953f18b7f Mon Sep 17 00:00:00 2001
 From: Roberto Sassu <roberto.sassu@huawei.com>
 Date: Sat, 27 Jun 2020 13:38:07 +0200
 Subject: [PATCH] Add support for digest lists
 ---
 pesign-gen-repackage-spec |  7 +++++++
 pesign-repackage.spec.in  | 11 +++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
 diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
 index 96f07b5..682c5c1 100755
 --- a/pesign-gen-repackage-spec
 +++ b/pesign-gen-repackage-spec
@@ -432,6 +432,13 @@ sub print_files {
 		if (-e "$path.sig") {
 			print SPEC "$attrs " . quote($f->{name}) . ".sig\n";
 		}
 +
 +		my $digest_list_sig = $f->{name};
 +		$digest_list_sig =~ s/digest_lists/digest_lists.sig/;
 +
 +		if (-e "$directory/$digest_list_sig.sig") {
 +			print SPEC "$attrs " . quote($digest_list_sig) . ".sig\n";
 +		}
 	}
 }
 diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
 index 76732b5..141f990 100644
 --- a/pesign-repackage.spec.in
 +++ b/pesign-repackage.spec.in
@@ -119,13 +119,20 @@ fi
 mkdir nss-db
 nss_db=$PWD/nss-db
 echo foofoofoo > "$nss_db/passwd"
 -certutil -N -d "$nss_db" -f "$nss_db/passwd"
 -certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
 +
 +if test "$(wc -l <cert.crt)" -gt 1; then
 +	certutil -N -d "$nss_db" -f "$nss_db/passwd"
 +	certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
 +fi
 sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
 for sig in "${sigs[@]}"; do
 	f=%buildroot/${sig%.sig}
 	case "/$sig" in
 +	*/etc/ima/digest_lists/*)
 +		mkdir -p %buildroot/etc/ima/digest_lists.sig
 +		cp $sig %buildroot/etc/ima/digest_lists.sig
 +		;;
 	*.ko.sig)
 		/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
 		;;
 -- 
 2.27.GIT
--- a/Apply-correct-mask-in-pesign-gen-repackage-spec.patch
+++ b/Apply-correct-mask-in-pesign-gen-repackage-spec.patch
@ -0,0 +1,25 @@
 From fa21260c3b525ac2db3027c06adcdd282de2bd98 Mon Sep 17 00:00:00 2001
 From: Roberto Sassu <roberto.sassu@huawei.com>
 Date: Tue, 14 Jul 2020 12:38:42 +0200
 Subject: [PATCH 1/3] Apply correct mask in pesign-gen-repackage-spec
 ---
 pesign-gen-repackage-spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
 index fa0935e..e554c5d 100755
 --- a/pesign-gen-repackage-spec
 +++ b/pesign-gen-repackage-spec
@@ -376,7 +376,7 @@ sub print_files {
 			$attrs .= "\%dir ";
 			utime($f->{mtime}, $f->{mtime}, $path);
 		}
 -		$attrs .= sprintf('%%attr(%04o, %s, %s) ', ($f->{mode} & 0777),
 +		$attrs .= sprintf('%%attr(%04o, %s, %s) ', ($f->{mode} & oct(7777)),
 			$f->{owner}, $f->{group});
 		if ($f->{flags} & $filetypes{config}) {
 			$attrs .= "%config ";
 -- 
 2.27.GIT
--- a/Disable-building-debug-packages.patch
+++ b/Disable-building-debug-packages.patch
@ -0,0 +1,24 @@
 From c93cc80bd005f04eec1c933b23d3ba263cf21461 Mon Sep 17 00:00:00 2001
 From: Roberto Sassu <roberto.sassu@huawei.com>
 Date: Sat, 27 Jun 2020 13:56:09 +0200
 Subject: [PATCH] Disable building debug packages
 ---
 pesign-repackage.spec.in | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
 index fe00f0a..90ae17c 100644
 --- a/pesign-repackage.spec.in
 +++ b/pesign-repackage.spec.in
@@ -21,6 +21,7 @@
 # Do not generate any debug packages from the repackage specfile
 %undefine _build_create_debug
 +%global debug_package %{nil}
 Name:           pesign-repackage
 Version:        1.0
 -- 
 2.27.GIT
--- a/Don-t-set-files-variable-in-brp-99-pesign.patch
+++ b/Don-t-set-files-variable-in-brp-99-pesign.patch
@ -0,0 +1,25 @@
 From 6deabd288aa9daffe09b555dd3deff69f0081dcf Mon Sep 17 00:00:00 2001
 From: Roberto Sassu <roberto.sassu@huawei.com>
 Date: Tue, 14 Jul 2020 14:46:40 +0200
 Subject: [PATCH] Don't set files variable in brp-99-pesign
 ---
 brp-99-pesign | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/brp-99-pesign b/brp-99-pesign
 index c2492b3..c991d83 100644
 --- a/brp-99-pesign
 +++ b/brp-99-pesign
@@ -22,7 +22,7 @@
 set -e
 -files="*.ko"
 +#files="*.ko"
 if test -n "${BRP_PESIGN_FILES+x}"; then
 	files=${BRP_PESIGN_FILES}
 fi
 -- 
 2.27.GIT
--- a/Require-nss-util-for-building-in-pesign-repackage.sp.patch
+++ b/Require-nss-util-for-building-in-pesign-repackage.sp.patch
@ -0,0 +1,28 @@
 From f1afdd8f47351449b85da91ae690fb0d06bc3431 Mon Sep 17 00:00:00 2001
 From: Roberto Sassu <roberto.sassu@huawei.com>
 Date: Tue, 14 Jul 2020 14:49:12 +0200
 Subject: [PATCH] Require nss-util for building in pesign-repackage.spec.in
 ---
 pesign-repackage.spec.in | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
 index 141f990..3758329 100644
 --- a/pesign-repackage.spec.in
 +++ b/pesign-repackage.spec.in
@@ -25,7 +25,11 @@
 Name:           pesign-repackage
 Version:        1.0
 Release:        1
 +%if 0%{?suse_version}
 BuildRequires:  openssl mozilla-nss-tools
 +%else
 +BuildRequires:  openssl nss-util
 +%endif
 %ifarch %ix86 x86_64 ia64
 BuildRequires:  pesign
 %endif
 -- 
 2.27.GIT
--- a/Skip-processing-of-ghost-files-as-they-are-not-extra.patch
+++ b/Skip-processing-of-ghost-files-as-they-are-not-extra.patch
@ -0,0 +1,46 @@
 From bbebbe1e51ff38601bb9e14e323327d21dedb048 Mon Sep 17 00:00:00 2001
 From: Roberto Sassu <roberto.sassu@huawei.com>
 Date: Tue, 14 Jul 2020 12:39:44 +0200
 Subject: [PATCH 2/3] Skip processing of ghost files as they are not extracted
 from RPMs
 ---
 pesign-gen-repackage-spec | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
 diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
 index e554c5d..96f07b5 100755
 --- a/pesign-gen-repackage-spec
 +++ b/pesign-gen-repackage-spec
@@ -392,17 +392,17 @@ sub print_files {
 		}
 		if ($f->{flags} & $filetypes{ghost}) {
 			$attrs .= "%ghost ";
 -			if (S_ISREG($f->{mode})) {
 -				open(my $fh, '>', $path) or die "$path: $!\n";
 -				if ($f->{size} > 0) {
 -					sysseek($fh, $f->{size} - 1, SEEK_SET);
 -					syswrite($fh, ' ', 1);
 -				}
 -				close($fh);
 -				utime($f->{mtime}, $f->{mtime}, $path);
 -			} elsif (S_ISLNK($f->{mode})) {
 -				symlink($f->{target}, $path);
 -			}
 +#			if (S_ISREG($f->{mode})) {
 +#				open(my $fh, '>', $path) or die "$path: $!\n";
 +#				if ($f->{size} > 0) {
 +#					sysseek($fh, $f->{size} - 1, SEEK_SET);
 +#					syswrite($fh, ' ', 1);
 +#				}
 +#				close($fh);
 +#				utime($f->{mtime}, $f->{mtime}, $path);
 +#			} elsif (S_ISLNK($f->{mode})) {
 +#				symlink($f->{target}, $path);
 +#			}
 		}
 		# mtime of symlinks is also not preserved by cpio
 		if (S_ISLNK($f->{mode})) {
 -- 
 2.27.GIT
--- a/Undefine-__brp_digest_list-in-pesign-repackage.spec..patch
+++ b/Undefine-__brp_digest_list-in-pesign-repackage.spec..patch
@ -0,0 +1,26 @@
 From b9006b66251441a10e1714e697cb45c2fb49a410 Mon Sep 17 00:00:00 2001
 From: Roberto Sassu <roberto.sassu@huawei.com>
 Date: Tue, 14 Jul 2020 17:11:10 +0200
 Subject: [PATCH] Undefine __brp_digest_list in pesign-repackage.spec.in
 ---
 pesign-repackage.spec.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
 index 90ae17c..034f56c 100644
 --- a/pesign-repackage.spec.in
 +++ b/pesign-repackage.spec.in
@@ -174,7 +174,8 @@ popd
 	--directory=%buildroot "${rpms[@]}"
 rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \
 	 --define "%%_builddir $PWD" \
 -	 --define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec
 +	 --define "%_suse_insert_debug_package %%{nil}" \
 +	 --undefine "%%__brp_digest_list" -bb repackage.spec
 # This is needed by the kernel packages. Ideally, we should not run _any_ brp
 # checks, because the RPMs passed them once already
 -- 
 2.27.GIT
--- a/pesign-obs-integration.spec
+++ b/pesign-obs-integration.spec
@ -0,0 +1,90 @@
 #
 # spec file for package pesign-obs-integration
 #
 # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
 # case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 # needssslcertforbuild
 %global debug_package %{nil}
 Name:           pesign-obs-integration
 Summary:        Macros and scripts to sign the kernel and bootloader
 License:        GPL-2.0-only
 Group:          Development/Tools/Other
 Version:        10.1
 Release:        0
 Requires:       fipscheck
 %if 0%{?suse_version}
 Requires:       mozilla-nss-tools
 %else
 Requires:       nss-util
 %endif
 Requires:       openssl
 %ifarch %ix86 x86_64 ia64 aarch64 %arm
 Requires:       pesign
 %endif
 BuildRequires:  openssl
 Url:            http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
 Source:         %{name}_%{version}.tar.gz
 Patch0:         Require-nss-util-for-building-in-pesign-repackage.sp.patch
 Patch1:         Apply-correct-mask-in-pesign-gen-repackage-spec.patch
 Patch2:         Skip-processing-of-ghost-files-as-they-are-not-extra.patch
 Patch3:         Add-support-for-digest-lists.patch
 Patch4:         Don-t-set-files-variable-in-brp-99-pesign.patch
 Patch5:         Disable-building-debug-packages.patch
 Patch6:         Undefine-__brp_digest_list-in-pesign-repackage.spec..patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version}
 # suse-module-tools <= 15.0.10 contains modsign-verify
 Requires:       suse-module-tools >= 15.0.10
 %endif
 %description
 This package provides scripts and rpm macros to automate signing of the
 boot loader, kernel and kernel modules in the openSUSE Buildservice.
 %prep
 %autosetup -n %{name} -p1
 %build
 %install
 mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign
 install pesign-gen-repackage-spec kernel-sign-file gen-hmac %buildroot/usr/lib/rpm/pesign
 install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d
 # brp-99-compress-vmlinux has nothing to do with signing. It is packaged in
 # pesign-obs-integration because this package is already used by the kernel
 # build
 install brp-99-compress-vmlinux %buildroot/usr/lib/rpm/brp-suse.d
 install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm/pesign
 mkdir -p %buildroot/usr/bin
 install modsign-repackage %buildroot/usr/bin/
 install -pm 755 modsign-verify %buildroot/usr/bin/
 if test -e _projectcert.crt; then
 	openssl x509 -inform PEM -in _projectcert.crt \
 		-outform DER -out %buildroot/usr/lib/rpm/pesign/pesign-cert.x509
 else
 	echo "No buildservice project certificate available"
 fi
 %files
 %defattr(-,root,root)
 %license COPYING
 %doc README
 /usr/bin/modsign-repackage
 /usr/bin/modsign-verify
 /usr/lib/rpm/*
 %changelog
--- a/pesign-obs-integration_10.1.tar.gz
+++ b/pesign-obs-integration_10.1.tar.gz