From 7d6ce00fe5845cf38742948ffa08b8b209da5334 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Aug 10 2013 14:30:26 +0000
Subject: Remove errant result files and raise an error from %pesign
---
diff --git a/0001-Apparently-we-want-documentation-in-a-non-versioned-.patch b/0001-Apparently-we-want-documentation-in-a-non-versioned-.patch
deleted file mode 100644
index 5f91738..0000000
--- a/0001-Apparently-we-want-documentation-in-a-non-versioned-.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Mon, 5 Aug 2013 09:09:46 -0400
-Subject: [PATCH] Apparently we want documentation in a non-versioned directory
- these days.
-
-Signed-off-by: Peter Jones
----
- Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index c2395f2..02e01d5 100644
---- a/Makefile
-+++ b/Makefile
-@@ -16,8 +16,8 @@ clean :
-
- install :
- @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
-- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
-- $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
-+ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
-+ $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
-
- install_systemd:
- @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
---
-1.8.3.1
-
diff --git a/0001-Make-the-RHEL-pesign-macro-a-little-better.patch b/0001-Make-the-RHEL-pesign-macro-a-little-better.patch
new file mode 100644
index 0000000..e3b0d0a
--- /dev/null
+++ b/0001-Make-the-RHEL-pesign-macro-a-little-better.patch
@@ -0,0 +1,61 @@
+From 2933901ce69d3830e0dad983d20d5d17e8087c75 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 23 Jul 2013 16:58:32 -0400
+Subject: [PATCH 1/8] Make the RHEL %%pesign macro a little better.
+
+Use mktemp to avoid clobering anybody's local files, and document the
+arguments better.
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 26f1dd7..8b123fa 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -12,21 +12,31 @@
+ %_pesign /usr/bin/pesign
+ %_pesign_client /usr/bin/pesign-client
+
+-%pesign(i:o:C:e:c:s) \
++# -i
++# -o
++# -C
++# -e
++# -c # rhel only
++# -n # rhel only
++# -a # rhel only
++# -s # perform signing
++%pesign(i:o:C:e:c:n:a:s) \
+ if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
+ if [ -e /var/run/pesign/socket ]; then \
+ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
+ -c "/CN=Fedora Secure Boot Signer" \\\
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
+ elif [ -e /etc/rhel-release ]; then \
+- mkdir nss \
+- certutil -d nss -N \
+- certutil -A -n "ca" -t "CT,C," -i %{-c*}.crt -a -d nss \
+- certutil -A -n %{-c*} -t ",c," -i %{-c*}.crt -a -d nss \
+- %{_pesign} %{-i} -E sattrs.der --certdir nss \
+- rpm-sign --key "%{-c*}" --rsasign sattrs.der \
+- %{_pesign} -R sattrs.der.sig -I sattrs.der %{-i} \\\
+- --certdir nss %{-c} %{-o} \
++ nss=$(mktemp -p $PWD -d) \
++ certutil -d ${nss} -N \
++ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
++ certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
++ sattrs=$(mktemp -p $PWD --suffix=.der) \
++ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
++ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
++ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
++ --certdir ${nss} -c signer %{-o} \
++ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+ else \
+ %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
+--
+1.8.3.1
+
diff --git a/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch b/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
new file mode 100644
index 0000000..0ee623b
--- /dev/null
+++ b/0002-Apparently-we-want-documentation-in-a-non-versioned-.patch
@@ -0,0 +1,29 @@
+From 1079f81298d461583851578ad6afb4a130b675e0 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Mon, 5 Aug 2013 09:09:46 -0400
+Subject: [PATCH 2/8] Apparently we want documentation in a non-versioned
+ directory these days.
+
+Signed-off-by: Peter Jones
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index c2395f2..02e01d5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -16,8 +16,8 @@ clean :
+
+ install :
+ @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
+- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
+- $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign-$(VERSION)/
++ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
++ $(INSTALL) -m 644 COPYING $(INSTALLROOT)$(PREFIX)$(DOCDIR)/pesign/
+
+ install_systemd:
+ @for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
+--
+1.8.3.1
+
diff --git a/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch b/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
new file mode 100644
index 0000000..d2ad484
--- /dev/null
+++ b/0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch
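Review bot: In 0001-Make-the-RHEL-pesign-macro-a-little-better.patch, the new RHEL branch of `%pesign` expands `$PWD`, `${nss}` and `${sattrs}` unquoted and never checks that either `mktemp` call succeeded, so a build directory containing whitespace or a failed `mktemp` hands `certutil`, `pesign` and the final `rm -rf` a different argument list than intended. Quoting and checking would close that, e.g. `nss=$(mktemp -p "$PWD" -d) || exit 1 \` and `rm -rf "${sattrs}" "${sattrs}.sig" "${nss}" \`. The cleanup line is also only reached when every earlier step succeeds; if the scriptlet aborts on the first failing command (presumably the case under rpmbuild, to be confirmed), the temporary NSS database and the attribute blob stay behind in the build directory, which a `trap` on exit would avoid. The same unquoted lines recur as context in patches 0003, 0005, 0006 and 0008, and the macro body continues outside the hunk.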
@@ -0,0 +1,41 @@
+From c2d54b835ca3db92c9110a2596429710453c2a95 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 6 Aug 2013 12:32:43 -0400
+Subject: [PATCH 3/8] Make the RHEL bits for macros.pesign a bit cleaner.
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 8b123fa..244f576 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -22,11 +22,7 @@
+ # -s # perform signing
+ %pesign(i:o:C:e:c:n:a:s) \
+ if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
+- if [ -e /var/run/pesign/socket ]; then \
+- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
+- -c "/CN=Fedora Secure Boot Signer" \\\
+- %{-i} %{-o} %{-e} %{-s} %{-C} \
+- elif [ -e /etc/rhel-release ]; then \
++ if [ -e /etc/rhel-release ]; then \
+ nss=$(mktemp -p $PWD -d) \
+ certutil -d ${nss} -N \
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
+@@ -37,6 +33,10 @@
+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
+ --certdir ${nss} -c signer %{-o} \
+ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
++ elif [ -S /var/run/pesign/socket ]; then \
++ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
++ -c "/CN=Fedora Secure Boot Signer" \\\
++ %{-i} %{-o} %{-e} %{-s} %{-C} \
+ else \
+ %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ %{-i} %{-o} %{-e} %{-s} %{-C} \
+--
+1.8.3.1
+
diff --git a/0004-Include-the-issuer-s-certificate-only-when-available.patch b/0004-Include-the-issuer-s-certificate-only-when-available.patch
new file mode 100644
index 0000000..8620609
--- /dev/null
+++ b/0004-Include-the-issuer-s-certificate-only-when-available.patch
@@ -0,0 +1,55 @@
+From 7c25ea77c81e63c88cf1fbeb2fc9baba94bce8b7 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Mon, 4 Mar 2013 16:25:08 +0800
+Subject: [PATCH 4/8] Include the issuer's certificate only when available
+
+When pesign generates a signature, it also includes the issuer's certificate.
+In SUSE build server, we only import the signer's certificate and pesign
+complaint the issuer's certificate was not found. Per Authenticode PE, the
+root certificate is typically not included in the certificate list, so I
+modified pesign a bit to include the issuer's certificate only when available.
+Please check the attached patch.
+
+Besides the issuer's certificate, I also found find_named_certificate() didn't
+handle the certificate list properly and it may cause segfault if "node->cert"
+is not valid. The patch also fixes this issue.
+---
+ src/cms_common.c | 2 +-
+ src/signed_data.c | 8 ++------
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 6b44024..fc9796e 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -592,7 +592,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
+ * in the database, we'll get back what is essentially a template
+ * that's in NSS's cache waiting to be filled out. We can't use that,
+ * it'll just cause CERT_DupCertificate() to segfault. */
+- if (!node || !node->cert || !node->cert->derCert.data
++ if (CERT_LIST_END(node) || !node->cert || !node->cert->derCert.data
+ || !node->cert->derCert.len
+ || !node->cert->derIssuer.data
+ || !node->cert->derIssuer.len) {
+diff --git a/src/signed_data.c b/src/signed_data.c
+index 5425271..2f4b498 100644
+--- a/src/signed_data.c
++++ b/src/signed_data.c
+@@ -96,12 +96,8 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
+ CERTCertificate *signer = NULL;
+ int rc = find_named_certificate(cms, cms->cert->issuerName,
+ &signer);
+- if (rc < 0) {
+- PORT_ArenaRelease(cms->arena, mark);
+- return -1;
+- }
+-
+- if (signer && signer->derCert.len && signer->derCert.data) {
++ if (rc == 0 && signer &&
++ signer->derCert.len && signer->derCert.data) {
+ if (signer->derCert.len != cms->cert->derCert.len ||
+ memcmp(signer->derCert.data,
+ cms->cert->derCert.data,
+--
+1.8.3.1
+
diff --git a/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch b/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
new file mode 100644
index 0000000..53ed7d6
--- /dev/null
+++ b/0005-Try-harder-to-figure-out-if-this-is-RHEL.patch
@@ -0,0 +1,26 @@
+From 39466ae9ed3ce5f78fc20c6e74eb0fb3aa93349e Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 6 Aug 2013 16:49:06 -0400
+Subject: [PATCH 5/8] Try harder to figure out if this is RHEL.
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 244f576..f94553d 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -22,7 +22,7 @@
+ # -s # perform signing
+ %pesign(i:o:C:e:c:n:a:s) \
+ if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
+- if [ -e /etc/rhel-release ]; then \
++ if [ "0%{?rhel}" -ge "7" ]; then \
+ nss=$(mktemp -p $PWD -d) \
+ certutil -d ${nss} -N \
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
+--
+1.8.3.1
+
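Review bot: In the src/signed_data.c hunk of patch 0004, `generate_certificate_list()` now treats every non-zero return from `find_named_certificate()` as "issuer not available" and silently builds the list without the issuer certificate. The helper's return codes are not visible here, but if it can also fail for reasons other than a missing certificate (token or database errors), those failures become indistinguishable from the expected case and the signature is produced with a shorter chain and no diagnostic. Consider keeping the `return -1` path for hard errors, or at least recording the decision above the `if (rc == 0 && signer &&` line with a comment such as `/* issuer lookup is best-effort: the root is typically not in the Authenticode certificate list */`. Both functions start and end outside the hunks.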
diff --git a/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch b/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
new file mode 100644
index 0000000..578a4ec
--- /dev/null
+++ b/0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch
@@ -0,0 +1,28 @@
+From f8b19278775fe8a5c599b94fcae90b99a781a42b Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 7 Aug 2013 09:06:33 -0400
+Subject: [PATCH 6/8] Don't use ASCII mode for RHEL certificate imports.
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index f94553d..84e87a3 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -25,8 +25,8 @@
+ if [ "0%{?rhel}" -ge "7" ]; then \
+ nss=$(mktemp -p $PWD -d) \
+ certutil -d ${nss} -N \
+- certutil -A -n "ca" -t "CT,C," -i %{-a*} -a -d ${nss} \
+- certutil -A -n "signer" -t ",c," -i %{-c*} -a -d ${nss} \
++ certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
++ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
+ sattrs=$(mktemp -p $PWD --suffix=.der) \
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
+ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
+--
+1.8.3.1
+
diff --git a/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch b/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
new file mode 100644
index 0000000..69a5e92
--- /dev/null
+++ b/0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch
@@ -0,0 +1,30 @@
+From c7318444b811125f26828fd39e8a46de81cd5f86 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 7 Aug 2013 09:13:11 -0400
+Subject: [PATCH 7/8] Apparently if something goes wrong on the HSM, we wind up
+ with 0-size.
+
+Handle zero-sized output by erroring in the rpm macro. Eventually we
+should make sure pesign is throwing an error there too.
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 84e87a3..6b22826 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -47,5 +47,8 @@
+ elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
+ touch %{-e*} \
+ fi \
++ fi \
++ if [ ! -s %{-o} ]; then \
++ exit 1 \
+ fi ;
+
+--
+1.8.3.1
+
diff --git a/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch b/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
new file mode 100644
index 0000000..dc4a40c
--- /dev/null
+++ b/0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch
@@ -0,0 +1,26 @@
+From 5b8950a8cddad1076fb631c4ef6999bfb4f977f8 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 7 Aug 2013 09:37:33 -0400
+Subject: [PATCH 8/8] Use --force when we've got a sattrs blob from mktemp()
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 6b22826..a0339fe 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -28,7 +28,7 @@
+ certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
+ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
+ sattrs=$(mktemp -p $PWD --suffix=.der) \
+- %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} \
++ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
+ rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
+ --certdir ${nss} -c signer %{-o} \
+--
+1.8.3.1
+
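Review bot: In patch 0007 the added guard `if [ ! -s %{-o} ]; then` tests the wrong words: elsewhere in this macro `%{-o}` is handed to pesign as the option together with its argument, while the bare argument is written with the star form (`%{-e*}`, `%{-i*}`). The test therefore expands to something like `[ ! -s -o FILE ]`, which most shells evaluate as two non-empty strings joined by `-o` rather than as a size check on the output file, so a zero-sized result from a failed HSM operation would not reach `exit 1`. Testing the argument itself, and only when `-o` was given, would match the stated intent: `if [ -n "%{-o*}" -a ! -s "%{-o*}" ]; then \`. The rest of the macro body lies outside the hunk.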
diff --git a/pesign.spec b/pesign.spec index 350678c..9d34782 100644 --- a/pesign.spec +++ b/pesign.spec @@ -1,7 +1,7 @@ Summary: Signing utility for UEFI binaries Name: pesign Version: 0.106 -Release: 2%{?dist} +Release: 4%{?dist} Group: Development/System License: GPLv2 URL: https://github.com/vathpela/pesign @@ -12,13 +12,24 @@ BuildRequires: nss-devel >= 3.13.6-1 Requires: nspr nss nss-util popt rpm coolkey opensc Requires(pre): shadow-utils ExclusiveArch: i686 x86_64 ia64 +%if 0%{?rhel} >= 7 +BuildRequires: rh-signing-tools >= 1.20-2 +%endif # there is no tarball at github, of course. To get this version do: # git clone https://github.com/vathpela/pesign.git # git checkout %%{version} Source0: pesign-%{version}.tar.bz2 Source1: rh-test-certs.tar.bz2 -Patch0: 0001-Apparently-we-want-documentation-in-a-non-versioned-.patch +Patch0001: 0001-Make-the-RHEL-pesign-macro-a-little-better.patch +Patch0002: 0002-Apparently-we-want-documentation-in-a-non-versioned-.patch +Patch0003: 0003-Make-the-RHEL-bits-for-macros.pesign-a-bit-cleaner.patch +Patch0004: 0004-Include-the-issuer-s-certificate-only-when-available.patch +Patch0005: 0005-Try-harder-to-figure-out-if-this-is-RHEL.patch +Patch0006: 0006-Don-t-use-ASCII-mode-for-RHEL-certificate-imports.patch +Patch0007: 0007-Apparently-if-something-goes-wrong-on-the-HSM-we-win.patch +Patch0008: 0008-Use-force-when-we-ve-got-a-sattrs-blob-from-mktemp.patch +Patch0009: 0009-Remove-errant-results-from-signing.patch %description This package contains the pesign utility for signing UEFI binaries as @@ -97,6 +108,12 @@ exit 0 %endif %changelog +* Sat Aug 10 2013 Peter Jones - 0.106-4 +- Remove errant result files and raise an error from %%pesign + +* Tue Aug 06 2013 Peter Jones - 0.106-3 +- Add code for signing in RHEL 7 + * Mon Aug 05 2013 Peter Jones - 0.106-2 - Fix for new %%doc rules.