#2 bump upstream to version 2.5.3
Closed 2 months ago by msuchy. Opened 3 months ago by squarebracket.

bump upstream to version 2.5.3
Chuck Wilson • 3 months ago  

@@ -9,23 +9,29 @@ 

   2 files changed, 3 insertions(+), 3 deletions(-)

  

  diff --git a/signd b/signd

- index 4f03bba..5b07c91 100755

+ index 9478a7b..b6615b5 100755

  --- a/signd

  +++ b/signd

- @@ -731,9 +731,9 @@ if ($cmd eq 'sign' || $cmd eq 'privsign') {

-        $argv[2] = substr($argv[2], 0, -10)."0000000000";

+ @@ -820,7 +820,7 @@ sub cmd_privsign {

+        $classtime = $1;

+        $args[0] = substr($args[0], 0, -10)."0000000000";

       }

-      if (@keyargs) {

- -      ($status, $lout, $lerr) = rungpg('/dev/null', ["$tmpdir/privkey.$$", "$tmpdir/pubkey.$$"], $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", @keyargs, "-sbo", "-", $argv[2]);

- +      ($status, $lout, $lerr) = rungpg('/dev/null', ["$tmpdir/privkey.$$", "$tmpdir/pubkey.$$"], $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", @keyargs, "-sbo", "-", $argv[2]);

-      } else {

- -      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $argv[2]);

- +      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $argv[2]);

+ -    ($status, $lout, $lerr) = rungpg('/dev/null', undef, $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-sbo", "-", $args[0]);

+ +    ($status, $lout, $lerr) = rungpg('/dev/null', undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-sbo", "-", $args[0]);

+      $lout = patchclasstime($lout, $classtime) if $classtime && !$status;

+      shift @args;

+      push @out, $lout;

+ @@ -846,7 +846,7 @@ sub cmd_sign {

+        $classtime = $1;

+        $args[0] = substr($args[0], 0, -10)."0000000000";

       }

+ -    ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--files-are-digests", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $args[0]);

+ +    ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $args[0]);

       $lout = patchclasstime($lout, $classtime) if $classtime && !$status;

-      splice(@argv, 2, 1);

+      shift @args;

+      push @out, $lout;

  diff --git a/signd.8 b/signd.8

- index f5c3215..23ca2d0 100644

+ index 2ba6bf9..0b95068 100644

  --- a/signd.8

  +++ b/signd.8

  @@ -14,7 +14,7 @@ to another signd. The -f option makes signd fork on startup.

@@ -36,7 +42,7 @@ 

  +"--file-is-digest" option to work correctly.

   

   .SH SECURITY

-  signd allows only connections from reserved ports and ip

+  Unless the allow-unprivileged-ports option is set to true in

  -- 

- 2.17.1

+ 2.21.0

  

@@ -50,45 +50,45 @@ 

   1 file changed, 4 insertions(+), 4 deletions(-)

  

  diff --git a/signd b/signd

- index 5b07c91..6db2940 100755

+ index b6615b5..2564a87 100755

  --- a/signd

  +++ b/signd

- @@ -575,7 +575,7 @@ if (! -d $tmpdir) {

+ @@ -702,7 +702,7 @@ sub cmd_keygen {

   

-  if ($cmd eq 'pubkey') {

-    die("pubkey: one argument expected\n") if @argv != 2;

- -  my $pubkey = rungpg_fatal('/dev/null', undef, $gpg, '--export', '-a', $user);

- +  my $pubkey = rungpg_fatal('/dev/null', undef, $gpg, '--export', '-a', "<$user>");

-    if (!$oldproto) {

-      $pubkey = pack('nn', 1, length($pubkey)).$pubkey;

-    }

- @@ -621,7 +621,7 @@ if ($cmd eq 'keygen') {

-    $keyid = $keyid[0];

-  

-    # add user sig to pubkey

- -  rungpg_fatal("$phrases/$user", ["$tmpdir/pubkey.$$", "$tmpdir/privkey.$$"], $gpg, '--batch', '--no-secmem-warning', "--keyring=$tmpdir/pubkey.$$", "--passphrase-fd=0", "-u", $user, '--yes', '--trustdb-name', "$tmpdir/trustdb.$$", '--default-cert-level', '3', '--edit-key', $keyid, 'sign', 'save');

- +  rungpg_fatal("$phrases/$user", ["$tmpdir/pubkey.$$", "$tmpdir/privkey.$$"], $gpg, '--batch', '--no-secmem-warning', "--keyring=$tmpdir/pubkey.$$", "--passphrase-fd=0", "-u", "<$user>", '--yes', '--trustdb-name', "$tmpdir/trustdb.$$", '--default-cert-level', '3', '--edit-key', $keyid, 'sign', 'save');

-    unlink("$tmpdir/pubkey.$$~");

-    unlink("$tmpdir/trustdb.$$");

-  

- @@ -630,7 +630,7 @@ if ($cmd eq 'keygen') {

-    unlink("$tmpdir/pubkey.$$");

+    rungpg_fatal("$phrases/$user", $tdir, $gpg, '--batch', '--no-secmem-warning',

+          "--passphrase-fd=0", "--yes",

+ -        "-u", $user,

+ +        "-u", "<$user>",

+          '--default-cert-level', '3',

+          "--keyring", $pubring,

+          '--edit-key', $keyid,

+ @@ -722,7 +722,7 @@ sub cmd_keygen {

+    close(F) || die("privkey close error\n");

   

-    # encrypt privkey

- -  my $privkey = rungpg_fatal('/dev/null', ["$tmpdir/privkey.$$"], $gpg, '--batch', '--encrypt', '--no-verbose', '--no-secmem-warning', '--trust-model', 'always', '-o-', '-r', "$user", "$tmpdir/privkey.$$");

- +  my $privkey = rungpg_fatal('/dev/null', ["$tmpdir/privkey.$$"], $gpg, '--batch', '--encrypt', '--no-verbose', '--no-secmem-warning', '--trust-model', 'always', '-o-', '-r', "<$user>", "$tmpdir/privkey.$$");

-    unlink("$tmpdir/privkey.$$");

+    $ENV{GNUPGHOME} = $org_gnupghome;

+ -  my $privkey = rungpg_fatal('/dev/null', $tdir, $gpg, '--batch', '--encrypt', '--no-verbose', '--no-secmem-warning', '--trust-model', 'always', '-o-', '-r', "$user", "$tdir/privkey");

+ +  my $privkey = rungpg_fatal('/dev/null', $tdir, $gpg, '--batch', '--encrypt', '--no-verbose', '--no-secmem-warning', '--trust-model', 'always', '-o-', '-r', "<$user>", "$tdir/privkey");

+    remove_tree($tdir);

   

     # send back

- @@ -733,7 +733,7 @@ if ($cmd eq 'sign' || $cmd eq 'privsign') {

-      if (@keyargs) {

-        ($status, $lout, $lerr) = rungpg('/dev/null', ["$tmpdir/privkey.$$", "$tmpdir/pubkey.$$"], $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--allow-non-selfsigned-uid", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", @keyargs, "-sbo", "-", $argv[2]);

-      } else {

- -      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $argv[2]);

- +      ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", "<$user>", "-sbo", "-", $argv[2]);

+ @@ -783,7 +783,7 @@ EOL

+  sub cmd_pubkey {

+    my ($cmd, $user, $hashalgo, @args) = @_;

+    die("pubkey: one argument expected\n") if @args;

+ -  my $pubkey = rungpg_fatal('/dev/null', undef, $gpg, '--export', '-a', $user);

+ +  my $pubkey = rungpg_fatal('/dev/null', undef, $gpg, '--export', '-a', "<$user>");

+    return (0, '', $pubkey);

+  }

+  

+ @@ -846,7 +846,7 @@ sub cmd_sign {

+        $classtime = $1;

+        $args[0] = substr($args[0], 0, -10)."0000000000";

       }

+ -    ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", $user, "-sbo", "-", $args[0]);

+ +    ($status, $lout, $lerr) = rungpg("$phrases/$user", undef, $gpg, "--batch", "--force-v3-sigs", "--file-is-digest", "--digest-algo=$hashalgo", "--no-verbose", "--no-armor", "--no-secmem-warning", "--ignore-time-conflict", "--passphrase-fd=0", "-u", "<$user>", "-sbo", "-", $args[0]);

       $lout = patchclasstime($lout, $classtime) if $classtime && !$status;

-      splice(@argv, 2, 1);

+      shift @args;

+      push @out, $lout;

  -- 

- 2.17.1

+ 2.21.0

  

file modified
+10 -5

@@ -1,16 +1,16 @@ 

  # http://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#PIE

  %global _hardened_build 1

- %global commit 65f9cab3937822234e214e4ed5442db73f640f0c

+ %global commit c3d59841ac2457435c80b2f38e396512de37ae6d

  %global shortcommit %(c=%{commit}; echo ${c:0:7})

- %global snapdate 20180614

+ %global snapdate 20190629

  %global snapshotrel .%{snapdate}git%{shortcommit}

  

  Name:             obs-signd

  Summary:          The OBS sign daemon

  License:          GPLv2

  Url:              https://github.com/openSUSE/obs-sign

- Version:          2.4.2

- Release:          6%{?snapshotrel}%{?dist}

+ Version:          2.5.3

+ Release:          1%{?snapshotrel}%{?dist}

  Source0:          https://github.com/openSUSE/obs-sign/archive/%{commit}/obs-sign-%{shortcommit}.tar.gz

  # We renamed the option in gnupg2 to 'file-is-digest'

  Patch0:           0001-Rename-option-files-are-digests-to-file-is-digest.patch

@@ -36,7 +36,7 @@ 

  %autosetup -n obs-sign-%{commit}

  

  %build

- gcc %{optflags} -fPIC -pie -o sign sign.c

+ gcc %{optflags} -fPIC -pie -o sign appimage.c base64.c clearsign.c hash.c pgp.c rpm.c sign.c sock.c x509.c

  

  %install

  mkdir -p %{buildroot}%{_sbindir} %{buildroot}%{_sysconfdir}

@@ -83,6 +83,11 @@ 

  %doc %{_mandir}/man*/*

  

  %changelog

+ * Sat Jun 29 2019 Chuck Wilson <chuck.wilson+github@gmail.com> - 2.5.3-1.20190629gitc3d5984

+ - Update upstream to version 2.5.3

+ - Rebase patches

+ - Add files to gcc command (source is spread across several files now)

+ 

  * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.2-6.20180614git65f9cab

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

  
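Review bot: The rewritten gcc line in the %build hunk passes `%{optflags}` but no linker flags, so with `%global _hardened_build 1` at the top of the spec the compile-side hardening is applied while the link-side part (the hardened-ld specs and, as far as I recall, `-z relro -z now` that redhat-rpm-config supplies through `%{build_ldflags}`) is not. The previous one-file command had the same gap, but this commit is already rewriting the line, so it is the natural place to close it. Proposed: `gcc %{optflags} %{?build_ldflags} -fPIC -pie -o sign appimage.c base64.c clearsign.c hash.c pgp.c rpm.c sign.c sock.c x509.c`. The explicit `-fPIC -pie` then becomes redundant with the hardened specs but is harmless to keep.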

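--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (obs-sign-65f9cab.tar.gz) = 11af12f6e3823b8261bc9aed773d1a04fc6e1f688096c292e2a506e3c1c50fda29aa55a6d20043862486d10ef9ea3a8a2faf072b25de180f7abf84edd7c0b23c
-SHA512 (0001-Rename-option-files-are-digests-to-file-is-digest.patch) = 78ed45a6462574690115ec75f07c330cbbbd777c0f7a680bd5740716e0253f5aaf9dda8a99730693a47b7d994427190cb18cfc751429a8575358a001ece26dd5
-SHA512 (0002-fixes-user-id-matching-to-provide-unique-results.patch) = 73df840e51c6bfc955200b5a733f70db7f27e4235b28f3f5a1135aea542b54adf7fd0d3324a44082511d8f42e2e466bf6d11c9d778e69904dcf35608d9949ed9
+SHA512 (obs-sign-c3d5984.tar.gz) = c5740ed98ceef2f7edae94c5c47729f55990e04b53686a7e40f3d277ae6ba97ec522460d5683e880d302e607deb0addd36d1c00b98b45b6cdb099703107be637
+SHA512 (0001-Rename-option-files-are-digests-to-file-is-digest.patch) = 727f8cfc5af6da4a9b20468ec813f72bd0e8328491f3277b2a4a12f67113590f5d4de2db23cd6eea74c209f9b12d41e23bdd6a90413a90bb24c3d94664219475
+SHA512 (0002-fixes-user-id-matching-to-provide-unique-results.patch) = 2c3e44223d031d1cf3020937bc63ca0a80860cc39569df94e96ae37f7ff99b7de270b4833353691bfd8470701a1243704115359e36f711b7ab4484c56d8501ab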

This PR is to rebase to upstream version 2.5.3. I have rebased the Fedora-specific patches, changed the particulars of the spec file, and updated the hashes in the sources file.

Note that since the last upstream version packaged here, upstream has split sign.c into several files, so the %build command had to be changed to include all of the source files.

The changes from upstream include support for running in a containerized environment, where IPs are not generally known beforehand and unprivileged ports are often used.

Did you take a look at #1?

Pull-Request has been closed by msuchy

2 months ago