From c2226db9c882eaa971e7cac10423647c5df8b4e7 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Dec 01 2015 20:37:28 +0000 Subject: Try a completely different thing for the test certs... Signed-off-by: Peter Jones --- diff --git a/0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch b/0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch deleted file mode 100644 index bf4cce3..0000000 --- a/0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 2ced112a031c65791f04d46ce73f6d64a17ad069 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 20 Nov 2015 19:19:49 -0500 -Subject: [PATCH 1/2] Don't setfacl when the socket or dir aren't there. - -Signed-off-by: Peter Jones ---- - src/pesign-authorize-groups | 8 ++++++-- - src/pesign-authorize-users | 8 ++++++-- - 2 files changed, 12 insertions(+), 4 deletions(-) - -diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups -index e3864ce..2222809 100644 ---- a/src/pesign-authorize-groups -+++ b/src/pesign-authorize-groups -@@ -11,7 +11,11 @@ - - if [[ -r /etc/pesign/groups ]]; then - for group in $(cat /etc/pesign/groups); do -- setfacl -m g:${group}:rx /var/run/pesign -- setfacl -m g:${group}:rw /var/run/pesign/socket -+ if [ -d /var/run/pesign ]; then -+ setfacl -m g:${group}:rx /var/run/pesign -+ if [ -e /var/run/pesign/socket ]; then -+ setfacl -m g:${group}:rw /var/run/pesign/socket -+ fi -+ fi - done - fi -diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users -index e500204..22bddec 100644 ---- a/src/pesign-authorize-users -+++ b/src/pesign-authorize-users -@@ -11,7 +11,11 @@ - - if [[ -r /etc/pesign/users ]]; then - for username in $(cat /etc/pesign/users); do -- setfacl -m u:${username}:rx /var/run/pesign -- setfacl -m u:${username}:rw /var/run/pesign/socket -+ if [ -d /var/run/pesign ]; then -+ setfacl -m g:${username}:rx /var/run/pesign -+ if [ -e /var/run/pesign/socket ]; then -+ setfacl -m g:${username}:rw /var/run/pesign/socket -+ fi -+ fi - done - fi --- -2.5.0 - diff --git a/0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch b/0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch new file mode 100644 index 0000000..0a6780a --- /dev/null +++ b/0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch @@ -0,0 +1,63 @@ +From 6796e5f7b0ab1eb08f92887ae0427cf5a4120e0b Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Sun, 8 Nov 2015 14:42:29 -0500 +Subject: [PATCH 1/5] pesign: when nss fails to tell us -EPERM or -ENOENT, + figure it out. + +This should make -EPERM problems much easier for the user to diagnose. + +Signed-off-by: Peter Jones +--- + src/pesign.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/src/pesign.c b/src/pesign.c +index 1d72657..09b6a2b 100644 +--- a/src/pesign.c ++++ b/src/pesign.c +@@ -17,7 +17,9 @@ + * Author(s): Peter Jones + */ + ++#include + #include ++#include + #include + #include + #include +@@ -576,14 +578,28 @@ main(int argc, char *argv[]) + + if (!daemon) { + SECStatus status; +- if (need_db) ++ if (need_db) { + status = NSS_Init(certdir); +- else ++ if (status != SECSuccess) { ++ char *globpattern = NULL; ++ rc = asprintf(&globpattern, "%s/cert*.db", ++ certdir); ++ if (rc > 0) { ++ glob_t globbuf; ++ memset(&globbuf, 0, sizeof(globbuf)); ++ rc = glob(globpattern, GLOB_ERR, NULL, ++ &globbuf); ++ if (rc != 0) { ++ err(1, "Could not open NSS database (\"%s\")", ++ PORT_ErrorToString(PORT_GetError())); ++ } ++ } ++ } ++ } else + status = NSS_NoDB_Init(NULL); + if (status != SECSuccess) { +- fprintf(stderr, "Could not initialize nss: %s\n", ++ errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n", + PORT_ErrorToString(PORT_GetError())); +- exit(1); + } + + status = register_oids(ctxp->cms_ctx); +-- +2.5.0 + diff --git a/0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch b/0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch deleted file mode 100644 index 28d43be..0000000 --- a/0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 20 Nov 2015 19:19:49 -0500 -Subject: [PATCH 2/3] Don't setfacl when the socket or dir aren't there. - -Signed-off-by: Peter Jones ---- - src/pesign-authorize-groups | 10 ++++++---- - src/pesign-authorize-users | 10 ++++++---- - 2 files changed, 12 insertions(+), 8 deletions(-) - -diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups -index 2236bea..2222809 100644 ---- a/src/pesign-authorize-groups -+++ b/src/pesign-authorize-groups -@@ -11,9 +11,11 @@ - - if [[ -r /etc/pesign/groups ]]; then - for group in $(cat /etc/pesign/groups); do -- setfacl -m g:${group}:rx /var/run/pesign -- setfacl -m g:${group}:rw /var/run/pesign/socket -- setfacl -m g:${username}:rx /etc/pki/pesign -- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db -+ if [ -d /var/run/pesign ]; then -+ setfacl -m g:${group}:rx /var/run/pesign -+ if [ -e /var/run/pesign/socket ]; then -+ setfacl -m g:${group}:rw /var/run/pesign/socket -+ fi -+ fi - done - fi -diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users -index 9c38a25..22bddec 100644 ---- a/src/pesign-authorize-users -+++ b/src/pesign-authorize-users -@@ -11,9 +11,11 @@ - - if [[ -r /etc/pesign/users ]]; then - for username in $(cat /etc/pesign/users); do -- setfacl -m u:${username}:rx /var/run/pesign -- setfacl -m u:${username}:rw /var/run/pesign/socket -- setfacl -m u:${username}:rx /etc/pki/pesign -- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db -+ if [ -d /var/run/pesign ]; then -+ setfacl -m g:${username}:rx /var/run/pesign -+ if [ -e /var/run/pesign/socket ]; then -+ setfacl -m g:${username}:rw /var/run/pesign/socket -+ fi -+ fi - done - fi --- -2.5.0 - diff --git a/0002-setfacl-the-db-as-well.patch b/0002-setfacl-the-db-as-well.patch deleted file mode 100644 index 55774de..0000000 --- a/0002-setfacl-the-db-as-well.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 4abf6bc506a31ae3e21ae736a44cea992c6ba6c1 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 20 Nov 2015 19:21:39 -0500 -Subject: [PATCH 2/2] setfacl the db as well - ---- - src/pesign-authorize-groups | 4 ++++ - src/pesign-authorize-users | 4 ++++ - 2 files changed, 8 insertions(+) - -diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups -index 2222809..e0f679d 100644 ---- a/src/pesign-authorize-groups -+++ b/src/pesign-authorize-groups -@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then - setfacl -m g:${group}:rw /var/run/pesign/socket - fi - fi -+ if [ -d /etc/pki/pesign ]; then -+ setfacl -m g:${group}:rx /etc/pki/pesign -+ setfacl -m u:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db -+ fi - done - fi -diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users -index 22bddec..997c8a3 100644 ---- a/src/pesign-authorize-users -+++ b/src/pesign-authorize-users -@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/users ]]; then - setfacl -m g:${username}:rw /var/run/pesign/socket - fi - fi -+ if [ -d /etc/pki/pesign ]; then -+ setfacl -m g:${username}:rx /etc/pki/pesign -+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db -+ fi - done - fi --- -2.5.0 - diff --git a/0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch b/0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch new file mode 100644 index 0000000..d578e5a --- /dev/null +++ b/0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch @@ -0,0 +1,39 @@ +From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 19 Nov 2015 11:36:59 -0500 +Subject: [PATCH 2/5] setfacl the nss DBs to our authorized users, not just the + socket. + +Signed-off-by: Peter Jones +--- + src/pesign-authorize-groups | 2 ++ + src/pesign-authorize-users | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index e3864ce..2236bea 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then + for group in $(cat /etc/pesign/groups); do + setfacl -m g:${group}:rx /var/run/pesign + setfacl -m g:${group}:rw /var/run/pesign/socket ++ setfacl -m g:${username}:rx /etc/pki/pesign ++ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db + done + fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index e500204..9c38a25 100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then + for username in $(cat /etc/pesign/users); do + setfacl -m u:${username}:rx /var/run/pesign + setfacl -m u:${username}:rw /var/run/pesign/socket ++ setfacl -m u:${username}:rx /etc/pki/pesign ++ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db + done + fi +-- +2.5.0 + diff --git a/0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch b/0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch new file mode 100644 index 0000000..8e77ffe --- /dev/null +++ b/0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch @@ -0,0 +1,54 @@ +From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 20 Nov 2015 19:19:49 -0500 +Subject: [PATCH 3/5] Don't setfacl when the socket or dir aren't there. + +Signed-off-by: Peter Jones +--- + src/pesign-authorize-groups | 10 ++++++---- + src/pesign-authorize-users | 10 ++++++---- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index 2236bea..2222809 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -11,9 +11,11 @@ + + if [[ -r /etc/pesign/groups ]]; then + for group in $(cat /etc/pesign/groups); do +- setfacl -m g:${group}:rx /var/run/pesign +- setfacl -m g:${group}:rw /var/run/pesign/socket +- setfacl -m g:${username}:rx /etc/pki/pesign +- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db ++ if [ -d /var/run/pesign ]; then ++ setfacl -m g:${group}:rx /var/run/pesign ++ if [ -e /var/run/pesign/socket ]; then ++ setfacl -m g:${group}:rw /var/run/pesign/socket ++ fi ++ fi + done + fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index 9c38a25..22bddec 100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -11,9 +11,11 @@ + + if [[ -r /etc/pesign/users ]]; then + for username in $(cat /etc/pesign/users); do +- setfacl -m u:${username}:rx /var/run/pesign +- setfacl -m u:${username}:rw /var/run/pesign/socket +- setfacl -m u:${username}:rx /etc/pki/pesign +- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db ++ if [ -d /var/run/pesign ]; then ++ setfacl -m g:${username}:rx /var/run/pesign ++ if [ -e /var/run/pesign/socket ]; then ++ setfacl -m g:${username}:rw /var/run/pesign/socket ++ fi ++ fi + done + fi +-- +2.5.0 + diff --git a/0003-setfacl-the-db-as-well.patch b/0003-setfacl-the-db-as-well.patch deleted file mode 100644 index baaf661..0000000 --- a/0003-setfacl-the-db-as-well.patch +++ /dev/null @@ -1,51 +0,0 @@ -From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 20 Nov 2015 19:21:39 -0500 -Subject: [PATCH 3/3] setfacl the db as well - -And also get all our "-m [ug]:${name}:$perm" arguments right. - -Signed-off-by: Peter Jones ---- - src/pesign-authorize-groups | 4 ++++ - src/pesign-authorize-users | 8 ++++++-- - 2 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups -index 2222809..13aefa6 100644 ---- a/src/pesign-authorize-groups -+++ b/src/pesign-authorize-groups -@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then - setfacl -m g:${group}:rw /var/run/pesign/socket - fi - fi -+ if [ -d /etc/pki/pesign ]; then -+ setfacl -m g:${group}:rx /etc/pki/pesign -+ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db -+ fi - done - fi -diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users -index 22bddec..a43ce44 100644 ---- a/src/pesign-authorize-users -+++ b/src/pesign-authorize-users -@@ -12,10 +12,14 @@ - if [[ -r /etc/pesign/users ]]; then - for username in $(cat /etc/pesign/users); do - if [ -d /var/run/pesign ]; then -- setfacl -m g:${username}:rx /var/run/pesign -+ setfacl -m u:${username}:rx /var/run/pesign - if [ -e /var/run/pesign/socket ]; then -- setfacl -m g:${username}:rw /var/run/pesign/socket -+ setfacl -m u:${username}:rw /var/run/pesign/socket - fi - fi -+ if [ -d /etc/pki/pesign ]; then -+ setfacl -m u:${username}:rx /etc/pki/pesign -+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db -+ fi - done - fi --- -2.5.0 - diff --git a/0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch b/0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch deleted file mode 100644 index 3b8a69b..0000000 --- a/0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch +++ /dev/null @@ -1,112 +0,0 @@ -From 54dd12c2653dc3aecdd73b9ffb2a85d92e39d858 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 30 Nov 2015 15:34:35 -0500 -Subject: [PATCH 4/4] Gripe about pesign-rh-test-certs not being installed - ---- - src/Makefile | 7 +++++-- - src/macros.pesign | 10 ++++++++-- - src/missing-stuff.txt | 11 +++++++++++ - src/pesign-authorize.service.in | 8 ++++++++ - 4 files changed, 32 insertions(+), 4 deletions(-) - create mode 100644 src/missing-stuff.txt - create mode 100644 src/pesign-authorize.service.in - -diff --git a/src/Makefile b/src/Makefile -index af3fd07..9e27ee6 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules - include $(TOPDIR)/Make.defaults - - BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign --SVCTARGETS=pesign.sysvinit pesign.service -+SVCTARGETS=pesign.sysvinit pesign.service pesign-authorize.service - TARGETS=$(BINTARGETS) $(SVCTARGETS) - - all : deps $(TARGETS) -@@ -53,11 +53,12 @@ clean : - @rm -rfv *.o *.a *.so $(TARGETS) - @rm -rfv .*.d - --install_systemd: pesign.service -+install_systemd: pesign.service pesign-authorize.service - $(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)tmpfiles.d/ - $(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)$(libdatadir)tmpfiles.d/pesign.conf - $(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)systemd/system/ - $(INSTALL) -m 644 pesign.service $(INSTALLROOT)$(libdatadir)systemd/system/ -+ $(INSTALL) -m 644 pesign-authorize.service $(INSTALLROOT)$(libdatadir)systemd/system/ - - install_sysvinit: pesign.sysvinit - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ -@@ -84,6 +85,8 @@ install : - $(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/ - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ -+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/share/doc/pesign/ -+ $(INSTALL) -m 644 missing-stuff.txt $(INSTALLROOT)/usr/share/doc/pesign/ - $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/ -diff --git a/src/macros.pesign b/src/macros.pesign -index 39374ce..3197ed7 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -7,7 +7,7 @@ - # And magically get the right thing. - - %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} --%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"} -+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} - - %_pesign /usr/bin/pesign - %_pesign_client /usr/bin/pesign-client -@@ -41,7 +41,13 @@ - -c "/CN=Fedora Secure Boot Signer" \\\ - %{-i} %{-o} %{-e} %{-s} %{-C} \ - else \ -- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\ -+ if ! certutil -d /etc/pki/pesign -L -n %{__pesign_cert} >/dev/null 2>&1 ; then \ \ -+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \ -+ cat /usr/share/doc/pesign/missing-stuff.txt 1>&2 \ -+ exit 1 \ -+ fi \ -+ fi \ -+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ - %{-i} %{-o} %{-e} %{-s} %{-C} \ - fi \ - else \ -diff --git a/src/missing-stuff.txt b/src/missing-stuff.txt -new file mode 100644 -index 0000000..55b68e3 ---- /dev/null -+++ b/src/missing-stuff.txt -@@ -0,0 +1,11 @@ -+ -+ -+You are attempting to sign the with the "Red Hat Test Certificate", -+which is not installed or cannot be accessed. If you mean to be signing -+with this key, ensure that the "pesign-rh-test-certs" package is -+installed and that your user name is listed in "/etc/pesign/users", and -+then run: -+ -+ systemctl restart pesign-authorize.service -+ -+ -diff --git a/src/pesign-authorize.service.in b/src/pesign-authorize.service.in -new file mode 100644 -index 0000000..ccb1d4f ---- /dev/null -+++ b/src/pesign-authorize.service.in -@@ -0,0 +1,8 @@ -+[Unit] -+Description=Pesign database authentication management service -+ -+[Service] -+PrivateTmp=true -+Type=oneshot -+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-users -+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-groups --- -2.5.0 - diff --git a/0004-setfacl-the-db-as-well.patch b/0004-setfacl-the-db-as-well.patch new file mode 100644 index 0000000..3daedcc --- /dev/null +++ b/0004-setfacl-the-db-as-well.patch @@ -0,0 +1,51 @@ +From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 20 Nov 2015 19:21:39 -0500 +Subject: [PATCH 4/5] setfacl the db as well + +And also get all our "-m [ug]:${name}:$perm" arguments right. + +Signed-off-by: Peter Jones +--- + src/pesign-authorize-groups | 4 ++++ + src/pesign-authorize-users | 8 ++++++-- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index 2222809..13aefa6 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then + setfacl -m g:${group}:rw /var/run/pesign/socket + fi + fi ++ if [ -d /etc/pki/pesign ]; then ++ setfacl -m g:${group}:rx /etc/pki/pesign ++ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db ++ fi + done + fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index 22bddec..a43ce44 100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -12,10 +12,14 @@ + if [[ -r /etc/pesign/users ]]; then + for username in $(cat /etc/pesign/users); do + if [ -d /var/run/pesign ]; then +- setfacl -m g:${username}:rx /var/run/pesign ++ setfacl -m u:${username}:rx /var/run/pesign + if [ -e /var/run/pesign/socket ]; then +- setfacl -m g:${username}:rw /var/run/pesign/socket ++ setfacl -m u:${username}:rw /var/run/pesign/socket + fi + fi ++ if [ -d /etc/pki/pesign ]; then ++ setfacl -m u:${username}:rx /etc/pki/pesign ++ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db ++ fi + done + fi +-- +2.5.0 + diff --git a/0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch b/0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch new file mode 100644 index 0000000..ee12c70 --- /dev/null +++ b/0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch @@ -0,0 +1,62 @@ +From bfa02b50f9bbb60c3b04f159864aa4a87b0020e2 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 30 Nov 2015 15:34:35 -0500 +Subject: [PATCH 5/5] Do a better job of isolating pesign-rh-test-crap + +--- + src/Makefile | 1 + + src/macros.pesign | 10 ++++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/Makefile b/src/Makefile +index af3fd07..1822d3f 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -65,6 +65,7 @@ install_sysvinit: pesign.sysvinit + + install : + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ ++ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ + $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) + $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) +diff --git a/src/macros.pesign b/src/macros.pesign +index 39374ce..9644940 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -7,7 +7,7 @@ + # And magically get the right thing. + + %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"} +-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"} ++%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"} + + %_pesign /usr/bin/pesign + %_pesign_client /usr/bin/pesign-client +@@ -21,6 +21,10 @@ + # -a # rhel only + # -s # perform signing + %pesign(i:o:C:e:c:n:a:s) \ ++ _pesign_nssdir=/etc/pki/pesign \ ++ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \ ++ _pesign_nssdir=/etc/pki/pesign-rh-test \ ++ fi \ + if [ -x %{_pesign} ] && \\\ + [ "%{_target_cpu}" == "x86_64" -o \\\ + "%{_target_cpu}" == "aarch64" ]; then \ +@@ -39,9 +43,11 @@ + elif [ -S /var/run/pesign/socket ]; then \ + %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\ + -c "/CN=Fedora Secure Boot Signer" \\\ ++ --certdir ${_pesign_nssdir} \\\ + %{-i} %{-o} %{-e} %{-s} %{-C} \ + else \ +- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\ ++ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\ ++ --certdir ${_pesign_nssdir} \\\ + %{-i} %{-o} %{-e} %{-s} %{-C} \ + fi \ + else \ +-- +2.5.0 + diff --git a/pesign.spec b/pesign.spec index 5912e5b..3502d2d 100644 --- a/pesign.spec +++ b/pesign.spec @@ -6,8 +6,8 @@ Version: 0.111 Release: 5%{?dist} Group: Development/System License: GPLv2 -Recommends: pesign-rh-test-certs URL: https://github.com/vathpela/pesign +Obsoletes: rh-test-certs <= 0.111-5 BuildRequires: git nspr nss nss-util popt-devel BuildRequires: coolkey opensc nss-tools BuildRequires: nspr-devel >= 4.9.2-1 @@ -25,24 +25,16 @@ BuildRequires: rh-signing-tools >= 1.20-2 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 Source1: certs.tar.xz Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch -Patch10001: 0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch -Patch10002: 0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch -Patch10003: 0003-setfacl-the-db-as-well.patch -Patch10004: 0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch +Patch10001: 0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch +Patch10002: 0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch +Patch10003: 0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch +Patch10004: 0004-setfacl-the-db-as-well.patch +Patch10005: 0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch %description This package contains the pesign utility for signing UEFI binaries as well as other associated tools. -%package rh-test-certs -Summary: Test keys for pesign -Group: Development/System -License: GPLv2 -Requires: pesign = %{version}-%{release} - -%description rh-test-certs -This package contains test keys for use with pesign - %prep %setup -q -a 0 %setup -a 1 -D -c -n pesign-%{version}/ @@ -72,7 +64,9 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \ rm -rf %{buildroot}/boot %{buildroot}/usr/include rm -rf %{buildroot}%{_libdir}/libdpe* mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/ +mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/ cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/ +cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/ if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then mkdir -p %{buildroot}%{macrosdir} @@ -89,24 +83,6 @@ getent passwd pesign >/dev/null || \ -c "Group for the pesign signing daemon" pesign exit 0 -%post rh-test-certs -certutil --merge -d %{_sysconfdir}/pki/pesign/ --source-dir %{_sysconfdir}/pki/pesign/rh-test-certs/ -if getent passwd mockbuild >/dev/null ; then - if ! grep -q mockbuild %{_sysconfdir}/pesign/users ; then - echo mockbuild >> %{_sysconfdir}/pesign/users - %{_libexecdir}/pesign/pesign-authorize-users - fi -fi - -%preun rh-test-certs -if [ "$1" -eq 0 ]; then - if certutil -d %{_sysconfdir}/pki/pesign -L -n "Red Hat Test Certificate" >/dev/null 2>&1 ; then - certutil -d %{_sysconfdir}/pki/pesign -F -n "Red Hat Test Certificate" >/dev/null 2>&1 || : - certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test Certificate" >/dev/null 2>&1 || : - certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test CA" >/dev/null 2>&1 || : - fi -fi - %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %post %systemd_post pesign.service @@ -114,7 +90,6 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \ -libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null #modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \ # -libfile %%{_libdir}/pkcs11/libcoolkeypk11.so - %preun %systemd_preun pesign.service @@ -138,14 +113,16 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \ %{_bindir}/pesign %{_bindir}/pesign-client %dir %{_libexecdir}/pesign/ -%exclude %{_sysconfdir}/pki/pesign/rh-test-certs/ +%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/ +%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/* +%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/ +%attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/* %{_libexecdir}/pesign/pesign-authorize-users %{_libexecdir}/pesign/pesign-authorize-groups %config(noreplace)/%{_sysconfdir}/pesign/users %config(noreplace)/%{_sysconfdir}/pesign/groups %{_sysconfdir}/popt.d/pesign.popt %{macrosdir}/macros.pesign -%{_docdir}/pesign/missing-stuff.txt %{_mandir}/man*/* %dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/* @@ -155,13 +132,8 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \ %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %{_tmpfilesdir}/pesign.conf %{_unitdir}/pesign.service -%{_unitdir}/pesign-authorize.service %endif -%files rh-test-certs -%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/ -%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/* - %changelog * Mon Nov 30 2015 Peter Jones - 0.111-5 - setfacl even harder. diff --git a/sources b/sources index 91d5153..60f95c5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -37bb2a79934feda0327e0fb4d9e5b08e certs.tar.xz b2c6b74c2475a1442634d1386d888c24 pesign-0.111.tar.bz2 +e377e0bc924287ee09356a239c5f51a8 certs.tar.xz