[pesign] Automatically select daemon as signer when using rpm macros.
Peter Jones
pjones at fedoraproject.org
Thu Oct 18 19:25:39 UTC 2012
commit 9e2491cafb3f212fc42a8754603091f683cbb6e2
Author: Peter Jones <pjones at redhat.com>
Date: Thu Oct 18 15:18:31 2012 -0400
Automatically select daemon as signer when using rpm macros.
Signed-off-by: Peter Jones <pjones at redhat.com>
..._TraverseCertsForNicknameInSlot-after-all.patch | 2 +-
0002-Remove-an-unused-field.patch | 2 +-
...rtificate-list-we-make-once-we-re-done-us.patch | 2 +-
...e-actually-look-up-the-certificate-when-n.patch | 2 +-
...eck-for-allocations-on-tokenname-certname.patch | 2 +-
...-Update-valgrind.supp-for-newer-codepaths.patch | 2 +-
...the-pid-string-once-we-re-done-writing-it.patch | 2 +-
...n-t-complain-about-unlocking-a-key-and-ke.patch | 2 +-
0009-Only-try-to-register-OIDs-once.patch | 2 +-
0010-Check-for-NSS_Shutdown-failure.patch | 2 +-
...troy-stdin-stdout-stderr-if-we-don-t-fork.patch | 2 +-
0012-valgrind-Add-SECMOD_LoadModule-codepath.patch | 2 +-
...-Don-t-set-up-digests-in-cms_context_init.patch | 2 +-
...-register_oids-where-we-re-doing-NSS_Init.patch | 2 +-
...-shutdown-actually-close-the-NSS-database.patch | 2 +-
...bunch-of-error-messages-to-be-vaguely-con.patch | 2 +-
0017-Use-PORT_ArenaStrdup-where-appropriate.patch | 2 +-
0018-Minor-whitespace-fixes.patch | 2 +-
...-sure-inpe-is-initialized-before-all-erro.patch | 2 +-
...sign_context-rather-than-having-it-on-the.patch | 2 +-
...initialize-nss-only-if-we-re-not-a-daemon.patch | 2 +-
0022-Handle-errors-on-pesign_context_init.patch | 2 +-
...checking-to-make-sure-we-don-t-emit-unini.patch | 2 +-
...e-free-the-token-cert-we-get-from-the-com.patch | 2 +-
...-shut-down-nss-in-pesign.c-if-we-re-not-t.patch | 2 +-
...Rework-setup_digests-and-teardown_digests.patch | 2 +-
...t-need-Environment-NSS_STRICT_NOFORK-DISA.patch | 2 +-
0028-Fix-errors-found-by-coverity.patch | 2 +-
0029-Don-t-keep-the-DEPS-list-twice.patch | 2 +-
0030-Don-t-build-util-right-now.patch | 2 +-
...l_systemd-and-install_sysvinit-separate-t.patch | 2 +-
0032-Get-rid-of-an-unnecessary-allocation.patch | 2 +-
0033-Allow-use-of-e-from-rpm-macro.patch | 29 ++++++
...-use-e-like-pesign-does-rather-than-detac.patch | 81 +++++++++++++++++
...n-by-systemd-to-remove-socket-and-pidfile.patch | 93 ++++++++++++++++++++
...cros-use-the-default-fedora-signer-if-the.patch | 42 +++++++++
pesign.spec | 9 ++-
37 files changed, 285 insertions(+), 33 deletions(-)
---
diff --git a/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch b/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
index bc81098..8c3ae67 100644
--- a/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
+++ b/0001-Use-PK11_TraverseCertsForNicknameInSlot-after-all.patch
@@ -1,7 +1,7 @@
From 406a08cc45a2d0761294002d946ee3381a4706ee Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 09:53:07 -0400
-Subject: [PATCH 01/32] Use PK11_TraverseCertsForNicknameInSlot after all.
+Subject: [PATCH 01/36] Use PK11_TraverseCertsForNicknameInSlot after all.
As of 76bc13c it doesn't appear to be leaky any more, and it does a
better job of disinguishing between certificates with the same nickname
diff --git a/0002-Remove-an-unused-field.patch b/0002-Remove-an-unused-field.patch
index 4fa419d..3d9daa5 100644
--- a/0002-Remove-an-unused-field.patch
+++ b/0002-Remove-an-unused-field.patch
@@ -1,7 +1,7 @@
From e4aa0a2755d7b00e31760a7f90561b0566445fa4 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 09:54:10 -0400
-Subject: [PATCH 02/32] Remove an unused field.
+Subject: [PATCH 02/36] Remove an unused field.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch b/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
index c569564..ad1cf6e 100644
--- a/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
+++ b/0003-Free-the-certificate-list-we-make-once-we-re-done-us.patch
@@ -1,7 +1,7 @@
From df5afd0e6d92f31a804f5f1631b6fae3b8ef4d8b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 09:54:37 -0400
-Subject: [PATCH 03/32] Free the certificate list we make once we're done
+Subject: [PATCH 03/36] Free the certificate list we make once we're done
using it.
Signed-off-by: Peter Jones <pjones at redhat.com>
diff --git a/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch b/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
index 6726174..b79d680 100644
--- a/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
+++ b/0004-Make-sure-we-actually-look-up-the-certificate-when-n.patch
@@ -1,7 +1,7 @@
From c13cc0b03dcae9a743cc49aaa62c3923a3e7d8f9 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 09:55:02 -0400
-Subject: [PATCH 04/32] Make sure we actually look up the certificate when not
+Subject: [PATCH 04/36] Make sure we actually look up the certificate when not
in daemon mode.
Signed-off-by: Peter Jones <pjones at redhat.com>
diff --git a/0005-Fix-check-for-allocations-on-tokenname-certname.patch b/0005-Fix-check-for-allocations-on-tokenname-certname.patch
index bbb7841..94d7a74 100644
--- a/0005-Fix-check-for-allocations-on-tokenname-certname.patch
+++ b/0005-Fix-check-for-allocations-on-tokenname-certname.patch
@@ -1,7 +1,7 @@
From 844138e07535a8aa2be80496378c9929acaa1687 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 10:35:41 -0400
-Subject: [PATCH 05/32] Fix check for allocations on tokenname,certname.
+Subject: [PATCH 05/36] Fix check for allocations on tokenname,certname.
If we didn't have anything to start with, we won't have anything when
we're done...
diff --git a/0006-Update-valgrind.supp-for-newer-codepaths.patch b/0006-Update-valgrind.supp-for-newer-codepaths.patch
index b08a1cb..91cbf56 100644
--- a/0006-Update-valgrind.supp-for-newer-codepaths.patch
+++ b/0006-Update-valgrind.supp-for-newer-codepaths.patch
@@ -1,7 +1,7 @@
From 682233d107460b49071017b4d88c0430373dbd35 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 10:55:25 -0400
-Subject: [PATCH 06/32] Update valgrind.supp for newer codepaths.
+Subject: [PATCH 06/36] Update valgrind.supp for newer codepaths.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0007-Free-the-pid-string-once-we-re-done-writing-it.patch b/0007-Free-the-pid-string-once-we-re-done-writing-it.patch
index af232ff..811a72d 100644
--- a/0007-Free-the-pid-string-once-we-re-done-writing-it.patch
+++ b/0007-Free-the-pid-string-once-we-re-done-writing-it.patch
@@ -1,7 +1,7 @@
From 81bf0e36a82a3d746a01aee50d8ee460dc794b19 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 10:57:20 -0400
-Subject: [PATCH 07/32] Free the pid string once we're done writing it.
+Subject: [PATCH 07/36] Free the pid string once we're done writing it.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch b/0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch
index cf3f17d..2a468c0 100644
--- a/0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch
+++ b/0008-valgrind-Don-t-complain-about-unlocking-a-key-and-ke.patch
@@ -1,7 +1,7 @@
From 50c50c8fbebab3d8b5efff35dc1a7ca4b44d6b19 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 11:08:30 -0400
-Subject: [PATCH 08/32] [valgrind] Don't complain about unlocking a key and
+Subject: [PATCH 08/36] [valgrind] Don't complain about unlocking a key and
keeping the handle.
Signed-off-by: Peter Jones <pjones at redhat.com>
diff --git a/0009-Only-try-to-register-OIDs-once.patch b/0009-Only-try-to-register-OIDs-once.patch
index 64672e5..cd23784 100644
--- a/0009-Only-try-to-register-OIDs-once.patch
+++ b/0009-Only-try-to-register-OIDs-once.patch
@@ -1,7 +1,7 @@
From b71f1d2e8f7ad6853e5e68134a66baf9dea2471b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 11:26:04 -0400
-Subject: [PATCH 09/32] Only try to register OIDs once.
+Subject: [PATCH 09/36] Only try to register OIDs once.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0010-Check-for-NSS_Shutdown-failure.patch b/0010-Check-for-NSS_Shutdown-failure.patch
index fe281c2..ad14586 100644
--- a/0010-Check-for-NSS_Shutdown-failure.patch
+++ b/0010-Check-for-NSS_Shutdown-failure.patch
@@ -1,7 +1,7 @@
From f966137c17f74fc3e343dfb6e04300a9d179de03 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 12:05:29 -0400
-Subject: [PATCH 10/32] Check for NSS_Shutdown() failure.
+Subject: [PATCH 10/36] Check for NSS_Shutdown() failure.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch b/0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch
index 5d6580a..01123d6 100644
--- a/0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch
+++ b/0011-Don-t-destroy-stdin-stdout-stderr-if-we-don-t-fork.patch
@@ -1,7 +1,7 @@
From 0dddfd5e738232403220b0d18888f94fa0032a59 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 12:17:39 -0400
-Subject: [PATCH 11/32] Don't destroy stdin/stdout/stderr if we don't fork.
+Subject: [PATCH 11/36] Don't destroy stdin/stdout/stderr if we don't fork.
I like being able to read my error messages.
diff --git a/0012-valgrind-Add-SECMOD_LoadModule-codepath.patch b/0012-valgrind-Add-SECMOD_LoadModule-codepath.patch
index c5e6980..05294af 100644
--- a/0012-valgrind-Add-SECMOD_LoadModule-codepath.patch
+++ b/0012-valgrind-Add-SECMOD_LoadModule-codepath.patch
@@ -1,7 +1,7 @@
From 19c8e797d092e17f2882d249d5446728a76db050 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 14:29:30 -0400
-Subject: [PATCH 12/32] [valgrind] Add SECMOD_LoadModule codepath.
+Subject: [PATCH 12/36] [valgrind] Add SECMOD_LoadModule codepath.
This is called once when we initialize the database.
diff --git a/0013-Don-t-set-up-digests-in-cms_context_init.patch b/0013-Don-t-set-up-digests-in-cms_context_init.patch
index c9906cc..a878f7c 100644
--- a/0013-Don-t-set-up-digests-in-cms_context_init.patch
+++ b/0013-Don-t-set-up-digests-in-cms_context_init.patch
@@ -1,7 +1,7 @@
From 186b6d5d39a1feeaa5f9493d28dc4f53015d551d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 14:33:35 -0400
-Subject: [PATCH 13/32] Don't set up digests in cms_context_init.
+Subject: [PATCH 13/36] Don't set up digests in cms_context_init.
Move digest setup out of cms_context_init, so we can avoid leaking the
reference to the digests by not having them in ctx->backup_cms in the
diff --git a/0014-Do-register_oids-where-we-re-doing-NSS_Init.patch b/0014-Do-register_oids-where-we-re-doing-NSS_Init.patch
index 1417138..dd10d17 100644
--- a/0014-Do-register_oids-where-we-re-doing-NSS_Init.patch
+++ b/0014-Do-register_oids-where-we-re-doing-NSS_Init.patch
@@ -1,7 +1,7 @@
From e1f8d4e38f4ad08fb407691a3f59edc19a1f15e2 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 14:41:18 -0400
-Subject: [PATCH 14/32] Do register_oids() where we're doing NSS_Init()
+Subject: [PATCH 14/36] Do register_oids() where we're doing NSS_Init()
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch b/0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch
index 68f23c1..c191a24 100644
--- a/0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch
+++ b/0015-Make-daemon-shutdown-actually-close-the-NSS-database.patch
@@ -1,7 +1,7 @@
From 092e3f81233655849156b0948a53f3b5f51b8c97 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 14:43:58 -0400
-Subject: [PATCH 15/32] Make daemon shutdown actually close the NSS databases
+Subject: [PATCH 15/36] Make daemon shutdown actually close the NSS databases
and whatnot.
Signed-off-by: Peter Jones <pjones at redhat.com>
diff --git a/0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch b/0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch
index 8a8ad8e..f579b5e 100644
--- a/0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch
+++ b/0016-Reformat-a-bunch-of-error-messages-to-be-vaguely-con.patch
@@ -1,7 +1,7 @@
From b6ff405da1bf4627a40fc104457a539788c9f470 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 15:18:08 -0400
-Subject: [PATCH 16/32] Reformat a bunch of error messages to be vaguely
+Subject: [PATCH 16/36] Reformat a bunch of error messages to be vaguely
consistent.
Signed-off-by: Peter Jones <pjones at redhat.com>
diff --git a/0017-Use-PORT_ArenaStrdup-where-appropriate.patch b/0017-Use-PORT_ArenaStrdup-where-appropriate.patch
index 3a2ea8d..5c8a0b0 100644
--- a/0017-Use-PORT_ArenaStrdup-where-appropriate.patch
+++ b/0017-Use-PORT_ArenaStrdup-where-appropriate.patch
@@ -1,7 +1,7 @@
From 8ffe6943f04d42314f81eb8b5e3350d4ccc41895 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 15:26:23 -0400
-Subject: [PATCH 17/32] Use PORT_ArenaStrdup() where appropriate.
+Subject: [PATCH 17/36] Use PORT_ArenaStrdup() where appropriate.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0018-Minor-whitespace-fixes.patch b/0018-Minor-whitespace-fixes.patch
index 24c7168..40152ac 100644
--- a/0018-Minor-whitespace-fixes.patch
+++ b/0018-Minor-whitespace-fixes.patch
@@ -1,7 +1,7 @@
From c196b462ad5267e8ed20c0b855b9921268b22a7b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 15:26:47 -0400
-Subject: [PATCH 18/32] Minor whitespace fixes.
+Subject: [PATCH 18/36] Minor whitespace fixes.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch b/0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch
index 3468f15..5358713 100644
--- a/0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch
+++ b/0019-daemon-Make-sure-inpe-is-initialized-before-all-erro.patch
@@ -1,7 +1,7 @@
From 7a8c50f620c7484af9d750f484df8a6837e6b2a5 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 15:27:03 -0400
-Subject: [PATCH 19/32] [daemon] Make sure inpe is initialized before all
+Subject: [PATCH 19/36] [daemon] Make sure inpe is initialized before all
error handling.
find_certificate() and set_up_inpe() errors wind up being at the same
diff --git a/0020-Allocate-pesign_context-rather-than-having-it-on-the.patch b/0020-Allocate-pesign_context-rather-than-having-it-on-the.patch
index c908d4d..562c7f4 100644
--- a/0020-Allocate-pesign_context-rather-than-having-it-on-the.patch
+++ b/0020-Allocate-pesign_context-rather-than-having-it-on-the.patch
@@ -1,7 +1,7 @@
From 66d3353e6d24c9e69ce71735c5aa4741717a6d68 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 15:31:15 -0400
-Subject: [PATCH 20/32] Allocate pesign_context rather than having it on the
+Subject: [PATCH 20/36] Allocate pesign_context rather than having it on the
stack.
This way it won't try to re-initialize cms_context when it's cleaned up.
diff --git a/0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch b/0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch
index f97587a..5e1e8a3 100644
--- a/0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch
+++ b/0021-pesign-initialize-nss-only-if-we-re-not-a-daemon.patch
@@ -1,7 +1,7 @@
From 444a514e1a7c9a27953f914cf416d559ef5be083 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 15:32:57 -0400
-Subject: [PATCH 21/32] [pesign] initialize nss only if we're not a daemon.
+Subject: [PATCH 21/36] [pesign] initialize nss only if we're not a daemon.
If it's a deamon, NSS_Init, register_oids, and setup_digests will be
done in the daemon code, not in the normal tool code.
diff --git a/0022-Handle-errors-on-pesign_context_init.patch b/0022-Handle-errors-on-pesign_context_init.patch
index f2b8567..f8da7e6 100644
--- a/0022-Handle-errors-on-pesign_context_init.patch
+++ b/0022-Handle-errors-on-pesign_context_init.patch
@@ -1,7 +1,7 @@
From a1ce809e199c7fbbd6f5c0e75f27a4234fcbd2bc Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 15:34:00 -0400
-Subject: [PATCH 22/32] Handle errors on pesign_context_init()
+Subject: [PATCH 22/36] Handle errors on pesign_context_init()
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch b/0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch
index 27ce938..9e812e3 100644
--- a/0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch
+++ b/0023-Add-sanity-checking-to-make-sure-we-don-t-emit-unini.patch
@@ -1,7 +1,7 @@
From 4ed91a1bb65769401c0fd6c1c5b2a3c64c0c1266 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 16:35:43 -0400
-Subject: [PATCH 23/32] Add sanity checking to make sure we don't emit
+Subject: [PATCH 23/36] Add sanity checking to make sure we don't emit
uninitialized hashes.
Signed-off-by: Peter Jones <pjones at redhat.com>
diff --git a/0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch b/0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch
index dad0dac..7260ea5 100644
--- a/0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch
+++ b/0024-Make-sure-we-free-the-token-cert-we-get-from-the-com.patch
@@ -1,7 +1,7 @@
From d8ead122f34375a496d280bcc803f730542ca78d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 17:47:49 -0400
-Subject: [PATCH 24/32] Make sure we free the token/cert we get from the
+Subject: [PATCH 24/36] Make sure we free the token/cert we get from the
command line.
This probably needs some further examination, but valgrind likes what's
diff --git a/0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch b/0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch
index 8b45177..77f1de4 100644
--- a/0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch
+++ b/0025-pesign-Only-shut-down-nss-in-pesign.c-if-we-re-not-t.patch
@@ -1,7 +1,7 @@
From 2030d382b49a1b957de829a67f74d9cc127c55ee Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 17:48:44 -0400
-Subject: [PATCH 25/32] [pesign] Only shut down nss in pesign.c if we're not
+Subject: [PATCH 25/36] [pesign] Only shut down nss in pesign.c if we're not
the daemon.
The daemon does its own init and shutdown.
diff --git a/0026-Rework-setup_digests-and-teardown_digests.patch b/0026-Rework-setup_digests-and-teardown_digests.patch
index 6753aa3..e75ceba 100644
--- a/0026-Rework-setup_digests-and-teardown_digests.patch
+++ b/0026-Rework-setup_digests-and-teardown_digests.patch
@@ -1,7 +1,7 @@
From 4efe979d6b781e064fe1afa946753ead9e3bbb9d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 17:49:17 -0400
-Subject: [PATCH 26/32] Rework setup_digests() and teardown_digests()
+Subject: [PATCH 26/36] Rework setup_digests() and teardown_digests()
This fixes the problem I was seeing with empty content_info digests, and
makes the code a /little/ bit cleaner in some ways.
diff --git a/0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch b/0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch
index 44cd173..231214d 100644
--- a/0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch
+++ b/0027-We-shouldn-t-need-Environment-NSS_STRICT_NOFORK-DISA.patch
@@ -1,7 +1,7 @@
From 15cd554d35c5ea8d31671b346dffd84e27e7c6ec Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 17:52:57 -0400
-Subject: [PATCH 27/32] We shouldn't need
+Subject: [PATCH 27/36] We shouldn't need
Environment=NSS_STRICT_NOFORK=DISABLED any more.
Since NSS_Init is called from the daemon now, we should get past its
diff --git a/0028-Fix-errors-found-by-coverity.patch b/0028-Fix-errors-found-by-coverity.patch
index f7bdc00..e3c87c5 100644
--- a/0028-Fix-errors-found-by-coverity.patch
+++ b/0028-Fix-errors-found-by-coverity.patch
@@ -1,7 +1,7 @@
From 1b94dd90f5a1c65df16ffe3b0619ce5dc0ca1f06 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Wed, 17 Oct 2012 19:59:49 -0400
-Subject: [PATCH 28/32] Fix errors found by coverity.
+Subject: [PATCH 28/36] Fix errors found by coverity.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0029-Don-t-keep-the-DEPS-list-twice.patch b/0029-Don-t-keep-the-DEPS-list-twice.patch
index 4d5887f..cc15c07 100644
--- a/0029-Don-t-keep-the-DEPS-list-twice.patch
+++ b/0029-Don-t-keep-the-DEPS-list-twice.patch
@@ -1,7 +1,7 @@
From 95c0fe1d512fcdf3b397359fb0f54dc44e5947c2 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Thu, 18 Oct 2012 09:12:25 -0400
-Subject: [PATCH 29/32] Don't keep the DEPS list twice.
+Subject: [PATCH 29/36] Don't keep the DEPS list twice.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0030-Don-t-build-util-right-now.patch b/0030-Don-t-build-util-right-now.patch
index bcc916b..869c12a 100644
--- a/0030-Don-t-build-util-right-now.patch
+++ b/0030-Don-t-build-util-right-now.patch
@@ -1,7 +1,7 @@
From 44aad110fd3f0a12e1817d95047f882c4d8b0fce Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Thu, 18 Oct 2012 11:36:10 -0400
-Subject: [PATCH 30/32] Don't build util/ right now.
+Subject: [PATCH 30/36] Don't build util/ right now.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0031-Make-install_systemd-and-install_sysvinit-separate-t.patch b/0031-Make-install_systemd-and-install_sysvinit-separate-t.patch
index 270a2c8..4fc2145 100644
--- a/0031-Make-install_systemd-and-install_sysvinit-separate-t.patch
+++ b/0031-Make-install_systemd-and-install_sysvinit-separate-t.patch
@@ -1,7 +1,7 @@
From 4c13f6d393db0aa5ff5b327cb5e842ee21522236 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Thu, 18 Oct 2012 13:09:58 -0400
-Subject: [PATCH 31/32] Make "install_systemd" and "install_sysvinit" separate
+Subject: [PATCH 31/36] Make "install_systemd" and "install_sysvinit" separate
targets
Signed-off-by: Peter Jones <pjones at redhat.com>
diff --git a/0032-Get-rid-of-an-unnecessary-allocation.patch b/0032-Get-rid-of-an-unnecessary-allocation.patch
index 8d2b006..2f0fef3 100644
--- a/0032-Get-rid-of-an-unnecessary-allocation.patch
+++ b/0032-Get-rid-of-an-unnecessary-allocation.patch
@@ -1,7 +1,7 @@
From df1b69e304f2a7eb82e2f94e50f07099afbf4578 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Thu, 18 Oct 2012 13:10:28 -0400
-Subject: [PATCH 32/32] Get rid of an unnecessary allocation.
+Subject: [PATCH 32/36] Get rid of an unnecessary allocation.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0033-Allow-use-of-e-from-rpm-macro.patch b/0033-Allow-use-of-e-from-rpm-macro.patch
new file mode 100644
index 0000000..1e7686f
--- /dev/null
+++ b/0033-Allow-use-of-e-from-rpm-macro.patch
@@ -0,0 +1,29 @@
+From 24a63eab7ddbe2be3ab6b25b04602d8e3fe5d775 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Thu, 18 Oct 2012 14:28:36 -0400
+Subject: [PATCH 33/36] Allow use of -e from rpm macro.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/macros.pesign | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 703edbb..7706050 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -11,9 +11,9 @@
+
+ %_pesign /usr/bin/pesign
+
+-%pesign(i:o:C:s) \
++%pesign(i:o:C:e:s) \
+ if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
+- %{_pesign} %{__pesign_token} %{__pesign_cert} %{-i} %{-o} %{-s} \
++ %{_pesign} %{__pesign_token} %{__pesign_cert} %{-i} %{-o} %{-e} %{-s} \
+ else \
+ if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
+ mv %{-i*} %{-o*} \
+--
+1.7.12.1
+
diff --git a/0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch b/0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch
new file mode 100644
index 0000000..189c2f2
--- /dev/null
+++ b/0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch
@@ -0,0 +1,81 @@
+From e5c632516a2a31f3e184d0ca9d8ac5ceba1f9015 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Thu, 18 Oct 2012 14:55:07 -0400
+Subject: [PATCH 34/36] Make client use -e like pesign does, rather than
+ --detached.
+
+This way we can use the same macros for them.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/client.c | 22 ++++++++++++++++++++--
+ src/pesign-client.1 | 3 ++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index df1c8f2..5e5399d 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -434,6 +434,7 @@ main(int argc, char *argv[])
+ int action;
+ char *infile = NULL;
+ char *outfile = NULL;
++ char *exportfile = NULL;
+ int attached = 1;
+ int pinfd = -1;
+ char *pinfile = NULL;
+@@ -456,8 +457,9 @@ main(int argc, char *argv[])
+ &infile, 0, "input filename", "<infile>" },
+ {"outfile", 'o', POPT_ARG_STRING,
+ &outfile, 0, "output filename", "<outfile>" },
+- {"detached", 'd', POPT_ARG_VAL, &attached, 0,
+- "create detached signature", NULL },
++ {"export", 'e', POPT_ARG_STRING,
++ &exportfile, 0, "create detached signature",
++ "<outfile>" },
+ {"pinfd", 'f', POPT_ARG_INT, &pinfd, -1,
+ "read file descriptor for pin information",
+ "<file descriptor>" },
+@@ -494,6 +496,22 @@ main(int argc, char *argv[])
+ exit(1);
+ }
+
++ if (!outfile && !exportfile) {
++ fprintf(stderr, "pesign-client: neither --outfile nor --export "
++ "specified\n");
++ exit(1);
++ }
++
++ if (outfile && exportfile) {
++ fprintf(stderr, "pesign-client: both --outfile and --export "
++ "specified\n");
++ exit(1);
++ }
++ if (exportfile) {
++ outfile = exportfile;
++ attached = 0;
++ }
++
+ poptFreeContext(optCon);
+
+ int sd = connect_to_server();
+diff --git a/src/pesign-client.1 b/src/pesign-client.1
+index 686383e..1ccfbb3 100644
+--- a/src/pesign-client.1
++++ b/src/pesign-client.1
+@@ -5,10 +5,11 @@ pesign-client \- command line tool for signing UEFI applications
+ .SH SYNOPSIS
+ \fBpesign\fR [--in=\fIinfile\fR | -i \fIinfile\fR]
+ [--out=\fIoutfile\fR | -o \fIoutfile\fR]
++ [--export=\fIexportfile\fR | -e \fIexportfile\fR]
+ [--token=\fItoken\fR | -t \fItoken\fR]
+ [--certificate=\fInickname\fR | -c \fInickname\fR]
+ [--unlock | -u] [--kill | -k] [--sign | -s]
+- [--detached | -d] [--pinfd=\fIpinfd\fR | -f \fIpinfd\fR]
++ [--pinfd=\fIpinfd\fR | -f \fIpinfd\fR]
+ [--pinfile=\fIpinfile\fR | -F \fIpinfile\fR]
+
+ .SH DESCRIPTION
+--
+1.7.12.1
+
diff --git a/0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch b/0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch
new file mode 100644
index 0000000..dd4e125
--- /dev/null
+++ b/0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch
@@ -0,0 +1,93 @@
+From f1a2f097cfb290951702251703abcd34ca0bf9e6 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Thu, 18 Oct 2012 15:13:11 -0400
+Subject: [PATCH 35/36] Fix shutdown by systemd to remove socket and pidfile.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/daemon.c | 33 +++++++++++++++------------------
+ src/daemon.h | 1 +
+ 2 files changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index 7ad036c..974a559 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -116,15 +116,6 @@ send_response(context *ctx, cms_context *cms, struct pollfd *pollfd, int rc)
+ static void
+ handle_kill_daemon(context *ctx, struct pollfd *pollfd, socklen_t size)
+ {
+- if (ctx->sd >= 0) {
+- close(ctx->sd);
+- unlink(SOCKPATH);
+- }
+- xfree(ctx->errstr);
+-
+- ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
+- "pesignd exiting (pid %d)", getpid());
+-
+ should_exit = 1;
+ }
+
+@@ -602,11 +593,17 @@ handle_event(context *ctx, struct pollfd *pollfd)
+ static void
+ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
+ {
++ unlink(SOCKPATH);
++ unlink(PIDFILE);
++
++ ctx->backup_cms->log(ctx->backup_cms, ctx->priority|LOG_NOTICE,
++ "pesignd exiting (pid %d)", getpid());
++
++ xfree(ctx->errstr);
++
+ for (int i = 0; i < nsockets; i++)
+ close(pollfds[i].fd);
+ free(pollfds);
+-
+- xfree(ctx->errstr);
+ }
+
+ static int
+@@ -843,7 +840,7 @@ daemon_logger(cms_context *cms, int priority, char *fmt, ...)
+ static void
+ write_pid_file(int pid)
+ {
+- int fd = open("/var/run/pesign.pid", O_WRONLY|O_CREAT|O_TRUNC, 0644);
++ int fd = open(PIDFILE, O_WRONLY|O_CREAT|O_TRUNC, 0644);
+ if (fd < 0) {
+ err:
+ fprintf(stderr, "couldn't open pidfile: %m\n");
+@@ -963,12 +960,12 @@ daemonize(cms_context *cms_ctx, int do_fork)
+ setsid();
+
+ if (do_fork) {
+- signal(SIGTTOU, SIG_IGN);
+- signal(SIGTTIN, SIG_IGN);
+- signal(SIGTSTP, SIG_IGN);
+- signal(SIGQUIT, quit_handler);
+- signal(SIGINT, quit_handler);
+- signal(SIGTERM, quit_handler);
++ struct sigaction sa = {
++ .sa_handler = quit_handler,
++ };
++ sigaction(SIGQUIT, &sa, NULL);
++ sigaction(SIGINT, &sa, NULL);
++ sigaction(SIGTERM, &sa, NULL);
+ }
+
+ char *homedir = NULL;
+diff --git a/src/daemon.h b/src/daemon.h
+index 56cef17..5485e60 100644
+--- a/src/daemon.h
++++ b/src/daemon.h
+@@ -48,5 +48,6 @@ typedef enum {
+
+ #define PESIGND_VERSION 0xa3cf41cb
+ #define SOCKPATH "/var/run/pesign/socket"
++#define PIDFILE "/var/run/pesign.pid"
+
+ #endif /* DAEMON_H */
+--
+1.7.12.1
+
diff --git a/0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch b/0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch
new file mode 100644
index 0000000..1b5a9b9
--- /dev/null
+++ b/0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch
@@ -0,0 +1,42 @@
+From 22308fbfb540b5215efb9ce96a4dfdce08ef9165 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Thu, 18 Oct 2012 15:16:05 -0400
+Subject: [PATCH 36/36] Make the macros use the default (fedora) signer if
+ there's a daemon running.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/macros.pesign | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 7706050..fb9d21e 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -10,13 +10,22 @@
+ %__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
+
+ %_pesign /usr/bin/pesign
++%_pesign_client /usr/bin/pesign-client
+
+ %pesign(i:o:C:e:s) \
+ if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
+- %{_pesign} %{__pesign_token} %{__pesign_cert} %{-i} %{-o} %{-e} %{-s} \
++ if [ -e /var/run/pesign/socket ]; then \
++ %{_pesign_client} -t "OpenSC Card (Fedora Signing CA)" \\\
++ -c "/CN=Fedora Secure Boot Signer" \\\
++ %{-i} %{-o} %{-e} %{-s} \
++ else \
++ %{_pesign} %{__pesign_token} %{__pesign_cert} %{-i} %{-o} %{-e} %{-s} \
++ fi \
+ else \
+ if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
+ mv %{-i*} %{-o*} \
++ elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
++ touch %{-e*} \
+ fi \
+ fi ;
+
+--
+1.7.12.1
+
diff --git a/pesign.spec b/pesign.spec
index 97ff460..12b8e51 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -1,7 +1,7 @@
Summary: Signing utility for UEFI binaries
Name: pesign
Version: 0.99
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Development/System
License: GPLv2
URL: https://github.com/vathpela/pesign
@@ -49,6 +49,10 @@ Patch29: 0029-Don-t-keep-the-DEPS-list-twice.patch
Patch30: 0030-Don-t-build-util-right-now.patch
Patch31: 0031-Make-install_systemd-and-install_sysvinit-separate-t.patch
Patch32: 0032-Get-rid-of-an-unnecessary-allocation.patch
+Patch33: 0033-Allow-use-of-e-from-rpm-macro.patch
+Patch34: 0034-Make-client-use-e-like-pesign-does-rather-than-detac.patch
+Patch35: 0035-Fix-shutdown-by-systemd-to-remove-socket-and-pidfile.patch
+Patch36: 0036-Make-the-macros-use-the-default-fedora-signer-if-the.patch
%description
This package contains the pesign utility for signing UEFI binaries as
@@ -113,6 +117,9 @@ exit 0
%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
%changelog
+* Thu Oct 18 2012 Peter Jones <pjones at redhat.com> - 0.99-6
+- Automatically select daemon as signer when using rpm macros.
+
* Thu Oct 18 2012 Peter Jones <pjones at redhat.com> - 0.99-5
- Make it work on the -el6 branch as well.
More information about the scm-commits
mailing list