[pesign] Remove errant result files and raise an error from %pesign
Peter Jones
pjones at fedoraproject.org
Sat Aug 10 14:31:21 UTC 2013
commit 7d6ce00fe5845cf38742948ffa08b8b209da5334
Author: Peter Jones <pjones at redhat.com>
Date: Sat Aug 10 10:30:26 2013 -0400
Remove errant result files and raise an error from %pesign
...ake-the-RHEL-pesign-macro-a-little-better.patch | 61 ++++++++++++++++++++
...we-want-documentation-in-a-non-versioned-.patch | 4 +-
...RHEL-bits-for-macros.pesign-a-bit-cleaner.patch | 41 +++++++++++++
...-issuer-s-certificate-only-when-available.patch | 55 ++++++++++++++++++
...-Try-harder-to-figure-out-if-this-is-RHEL.patch | 26 ++++++++
...e-ASCII-mode-for-RHEL-certificate-imports.patch | 28 +++++++++
...if-something-goes-wrong-on-the-HSM-we-win.patch | 30 ++++++++++
...-when-we-ve-got-a-sattrs-blob-from-mktemp.patch | 26 ++++++++
pesign.spec | 21 ++++++-
9 files changed, 288 insertions(+), 4 deletions(-)
---
diff --git a/0001-Make-the-RHEL-pesign-macro-a-little-better.patch b/0001-Make-the-RHEL-pesign-macro-a-little-better.patch
new file mode 100644
index 0000000..e3b0d0a
--- /dev/null
+++ b/0001-Make-the-RHEL-pesign-macro-a-little-better.patch
@@ -0,0 +1,61 @@
+From 2933901ce69d3830e0dad983d20d5d17e8087c75 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Tue, 23 Jul 2013 16:58:32 -0400
+Subject: [PATCH 1/8] Make the RHEL %%pesign macro a little better.
+
+Use mktemp to avoid clobering anybody's local files, and document the
+arguments better.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/macros.pesign | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 26f1dd7..8b123fa 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -12,21 +12,31 @@
+ %_pesign /usr/bin/pesign
+ %_pesign_client /usr/bin/pesign-client
+
+-%pesign(i:o:C:e:c:s) \
++# -i <input filename>
++# -o <output filename>
++# -C <output cert filename>
++# -e <output sattr filename>
++# -c <input certificate filename> # rhel only
++# -n <input certificate name> # rhel only
++# -a <input ca cert filename> # rhel only
++# -s # perform signing
++%pesign(i:o:C:e:c:n:a:s) \
+ if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
+ if [ -e /var/run/pesign/socket ]; then \
+ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
+ -c "/CN=Fedora Secure Boot Signer" \\\
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
+ elif [ -e /etc/rhel-release ]; then \
+- mkdir nss \
+- certutil -d nss -N \
+- certutil -A -n "ca" -t "CT,C," -i %{-c*}.crt -a -d nss \
+- certutil -A -n %{-c*} -t ",c," -i %{-c*}.crt -a -d nss \
+- %{_pesign} %{-i} -E sattrs.der --certdir nss \
+- rpm-sign --key "%{-c*}" --rsasign sattrs.der \
+- %{_pesign} -R sattrs.der.sig -I sattrs.der %{-i} \\\
+- --certdir nss %{-c} %{-o} \
++ nss=$(mktemp -p $PWD -d) \
++ certutil -d ${nss} -N \
++ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
++ certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
++ sattrs=$(mktemp -p $PWD --suffix=.der) \
++ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
++ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
++ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
++ --certdir ${nss} -c signer %{-o} \
++ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+ else \
+ %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
+--
+1.8.3.1
+
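Review bot: The RHEL branch of `%pesign` uses `%{-a*}`, `%{-c*}` and `%{-n*}` without checking that those options were passed, so a call that omits `-a` expands the CA import to `certutil -A -n "ca" -t "CT,C," -i -a -d ${nss}` and certutil gets the wrong arguments instead of a clear error. A guard at the top of that branch, for example `[ -n "%{-a*}" -a -n "%{-c*}" -a -n "%{-n*}" ] || exit 1`, would fail before any NSS database is created. The new shell expansions are also unquoted; `nss="$(mktemp -p "$PWD" -d)"` and `rm -rf -- "${sattrs}" "${sattrs}.sig" "${nss}"` keep a build directory containing spaces from splitting the paths. The same lines are carried as context through patches 3, 5, 6 and 8 of this series. The macro body continues past the end of this hunk.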
diff --git a/0001-Apparently-we-want-documentation-in-a-non-versioned-.patch b/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
similarity index 90%
rename from 0001-Apparently-we-want-documentation-in-a-non-versioned-.patch
rename to 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
index 5f91738..0ee623b 100644
--- a/0001-Apparently-we-want-documentation-in-a-non-versioned-.patch
+++ b/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
@@ -1,8 +1,8 @@
From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones at redhat.com>
Date: Mon, 5 Aug 2013 09:09:46 -0400
-Subject: [PATCH] Apparently we want documentation in a non-versioned directory
- these days.
+Subject: [PATCH 2/8] Apparently we want documentation in a non-versioned
+ directory these days.
Signed-off-by: Peter Jones <pjones at redhat.com>
---
diff --git a/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch b/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
new file mode 100644
index 0000000..d2ad484
--- /dev/null
+++ b/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
@@ -0,0 +1,41 @@
+From c2d54b835ca3db92c9110a2596429710453c2a95 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Tue, 6 Aug 2013 12:32:43 -0400
+Subject: [PATCH 3/8] Make the RHEL bits for macros.pesign a bit cleaner.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/macros.pesign | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 8b123fa..244f576 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -22,11 +22,7 @@
+ # -s # perform signing
+ %pesign(i:o:C:e:c:n:a:s) \
+ if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
+- if [ -e /var/run/pesign/socket ]; then \
+- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
+- -c "/CN=Fedora Secure Boot Signer" \\\
+- %{-i} %{-o} %{-e} %{-s} %{-C} \
+- elif [ -e /etc/rhel-release ]; then \
++ if [ -e /etc/rhel-release ]; then \
+ nss=$(mktemp -p $PWD -d) \
+ certutil -d ${nss} -N \
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
+@@ -37,6 +33,10 @@
+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
+ --certdir ${nss} -c signer %{-o} \
+ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
++ elif [ -S /var/run/pesign/socket ]; then \
++ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
++ -c "/CN=Fedora Secure Boot Signer" \\\
++ %{-i} %{-o} %{-e} %{-s} %{-C} \
+ else \
+ %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
+--
+1.8.3.1
+
diff --git a/0004-Include-the-issuer-s-certificate-only-when-available.patch b/0004-Include-the-issuer-s-certificate-only-when-available.patch
new file mode 100644
index 0000000..8620609
--- /dev/null
+++ b/0004-Include-the-issuer-s-certificate-only-when-available.patch
@@ -0,0 +1,55 @@
+From 7c25ea77c81e63c88cf1fbeb2fc9baba94bce8b7 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin at suse.com>
+Date: Mon, 4 Mar 2013 16:25:08 +0800
+Subject: [PATCH 4/8] Include the issuer's certificate only when available
+
+When pesign generates a signature, it also includes the issuer's certificate.
+In SUSE build server, we only import the signer's certificate and pesign
+complaint the issuer's certificate was not found. Per Authenticode PE, the
+root certificate is typically not included in the certificate list, so I
+modified pesign a bit to include the issuer's certificate only when available.
+Please check the attached patch.
+
+Besides the issuer's certificate, I also found find_named_certificate() didn't
+handle the certificate list properly and it may cause segfault if "node->cert"
+is not valid. The patch also fixes this issue.
+---
+ src/cms_common.c | 2 +-
+ src/signed_data.c | 8 ++------
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 6b44024..fc9796e 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -592,7 +592,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
+ * in the database, we'll get back what is essentially a template
+ * that's in NSS's cache waiting to be filled out. We can't use that,
+ * it'll just cause CERT_DupCertificate() to segfault. */
+- if (!node || !node->cert || !node->cert->derCert.data
++ if (CERT_LIST_END(node) || !node->cert || !node->cert->derCert.data
+ || !node->cert->derCert.len
+ || !node->cert->derIssuer.data
+ || !node->cert->derIssuer.len) {
+diff --git a/src/signed_data.c b/src/signed_data.c
+index 5425271..2f4b498 100644
+--- a/src/signed_data.c
++++ b/src/signed_data.c
+@@ -96,12 +96,8 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
+ CERTCertificate *signer = NULL;
+ int rc = find_named_certificate(cms, cms->cert->issuerName,
+ &signer);
+- if (rc < 0) {
+- PORT_ArenaRelease(cms->arena, mark);
+- return -1;
+- }
+-
+- if (signer && signer->derCert.len && signer->derCert.data) {
++ if (rc == 0 && signer &&
++ signer->derCert.len && signer->derCert.data) {
+ if (signer->derCert.len != cms->cert->derCert.len ||
+ memcmp(signer->derCert.data,
+ cms->cert->derCert.data,
+--
+1.8.3.1
+
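Review bot: In `generate_certificate_list` the new condition `rc == 0 && signer && ...` treats every failure of `find_named_certificate` the same as "issuer not in the database", so a genuine lookup error now silently produces a signature without the issuer certificate. If the callee can distinguish the two cases, keep the `PORT_ArenaRelease(cms->arena, mark); return -1;` path for real errors and skip only on not-found. Otherwise a comment above the call such as `/* issuer cert is optional: Authenticode lists usually omit the root */` would record why `rc` is deliberately ignored. Both functions start and end outside the hunks shown.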
diff --git a/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch b/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
new file mode 100644
index 0000000..53ed7d6
--- /dev/null
+++ b/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
@@ -0,0 +1,26 @@
+From 39466ae9ed3ce5f78fc20c6e74eb0fb3aa93349e Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Tue, 6 Aug 2013 16:49:06 -0400
+Subject: [PATCH 5/8] Try harder to figure out if this is RHEL.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 244f576..f94553d 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -22,7 +22,7 @@
+ # -s # perform signing
+ %pesign(i:o:C:e:c:n:a:s) \
+ if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
+- if [ -e /etc/rhel-release ]; then \
++ if [ "0%{?rhel}" -ge "7" ]; then \
+ nss=$(mktemp -p $PWD -d) \
+ certutil -d ${nss} -N \
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
+--
+1.8.3.1
+
diff --git a/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch b/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
new file mode 100644
index 0000000..578a4ec
--- /dev/null
+++ b/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
@@ -0,0 +1,28 @@
+From f8b19278775fe8a5c599b94fcae90b99a781a42b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Wed, 7 Aug 2013 09:06:33 -0400
+Subject: [PATCH 6/8] Don't use ASCII mode for RHEL certificate imports.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/macros.pesign | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index f94553d..84e87a3 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -25,8 +25,8 @@
+ if [ "0%{?rhel}" -ge "7" ]; then \
+ nss=$(mktemp -p $PWD -d) \
+ certutil -d ${nss} -N \
+- certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
+- certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
++ certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
++ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
+ sattrs=$(mktemp -p $PWD --suffix=.der) \
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
+ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
+--
+1.8.3.1
+
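Review bot: With `-a` dropped from both `certutil -A` calls, the files passed to `-c` and `-a` of `%pesign` are, as I understand certutil, read as binary DER, but the option comments above the macro still say only `<input certificate filename>` and `<input ca cert filename>`. Suggest `# -c <input certificate filename (DER)> # rhel only` and the same for `-a`, so that a PEM file is not handed to the macro by mistake. The comment block sits outside this hunk.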
diff --git a/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch b/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
new file mode 100644
index 0000000..69a5e92
--- /dev/null
+++ b/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
@@ -0,0 +1,30 @@
+From c7318444b811125f26828fd39e8a46de81cd5f86 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Wed, 7 Aug 2013 09:13:11 -0400
+Subject: [PATCH 7/8] Apparently if something goes wrong on the HSM, we wind up
+ with 0-size.
+
+Handle zero-sized output by erroring in the rpm macro. Eventually we
+should make sure pesign is throwing an error there too.
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/macros.pesign | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 84e87a3..6b22826 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -47,5 +47,8 @@
+ elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
+ touch %{-e*} \
+ fi \
++ fi \
++ if [ ! -s %{-o} ]; then \
++ exit 1 \
+ fi ;
+
+--
+1.8.3.1
+
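Review bot: The new guard `if [ ! -s %{-o} ]` uses `%{-o}`, which rpm expands to the flag together with its argument (`-o <file>`), whereas the context line just above tests the bare arguments with `%{-i*}` and `%{-e*}`. As far as I can tell the test therefore becomes `[ ! -s -o <file> ]`, which the shell evaluates as a string OR rather than a file-size check, so a zero-size output from a failed HSM signing would not be caught. `if [ -n "%{-o*}" -a ! -s "%{-o*}" ]; then \` checks the file itself and skips the check when no `-o` was given. The macro starts outside this hunk.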
diff --git a/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch b/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
new file mode 100644
index 0000000..dc4a40c
--- /dev/null
+++ b/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
@@ -0,0 +1,26 @@
+From 5b8950a8cddad1076fb631c4ef6999bfb4f977f8 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Wed, 7 Aug 2013 09:37:33 -0400
+Subject: [PATCH 8/8] Use --force when we've got a sattrs blob from mktemp()
+
+Signed-off-by: Peter Jones <pjones at redhat.com>
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 6b22826..a0339fe 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -28,7 +28,7 @@
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
+ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
+ sattrs=$(mktemp -p $PWD --suffix=.der) \
+- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
++ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
+ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
+ --certdir ${nss} -c signer %{-o} \
+--
+1.8.3.1
+
diff --git a/pesign.spec b/pesign.spec
index 350678c..9d34782 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -1,7 +1,7 @@
Summary: Signing utility for UEFI binaries
Name: pesign
Version: 0.106
-Release: 2%{?dist}
+Release: 4%{?dist}
Group: Development/System
License: GPLv2
URL: https://github.com/vathpela/pesign
@@ -12,13 +12,24 @@ BuildRequires: nss-devel >= 3.13.6-1
Requires: nspr nss nss-util popt rpm coolkey opensc
Requires(pre): shadow-utils
ExclusiveArch: i686 x86_64 ia64
+%if 0%{?rhel} >= 7
+BuildRequires: rh-signing-tools >= 1.20-2
+%endif
# there is no tarball at github, of course. To get this version do:
# git clone https://github.com/vathpela/pesign.git
# git checkout %%{version}
Source0: pesign-%{version}.tar.bz2
Source1: rh-test-certs.tar.bz2
-Patch0: 0001-Apparently-we-want-documentation-in-a-non-versioned-.patch
+Patch0001: 0001-Make-the-RHEL-pesign-macro-a-little-better.patch
+Patch0002: 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
+Patch0003: 0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
+Patch0004: 0004-Include-the-issuer-s-certificate-only-when-available.patch
+Patch0005: 0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
+Patch0006: 0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
+Patch0007: 0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
+Patch0008: 0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
+Patch0009: 0009-Remove-errant-results-from-signing.patch
%description
This package contains the pesign utility for signing UEFI binaries as
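Review bot: `Patch0009: 0009-Remove-errant-results-from-signing.patch` is added to the spec, but the diffstat of this commit lists only patches 0001 to 0008 and `pesign.spec`, so unless that file is already in the repository the build will stop on a missing source. The patch file should be added in the same commit. `%prep` is not visible here, so it is also worth confirming that each new `PatchNNNN` entry is actually applied there.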
@@ -97,6 +108,12 @@ exit 0
%endif
%changelog
+* Sat Aug 10 2013 Peter Jones <pjones at redhat.com> - 0.106-4
+- Remove errant result files and raise an error from %%pesign
+
+* Tue Aug 06 2013 Peter Jones <pjones at redhat.com> - 0.106-3
+- Add code for signing in RHEL 7
+
* Mon Aug 05 2013 Peter Jones <pjones at redhat.com> - 0.106-2
- Fix for new %%doc rules.