Initial adoption for MSVSphere infrastructure

i9 changed/i9/pesign-test-app-5-28.inferit
Eugene Zamriy 2 years ago
parent 811c132ddf
commit 9ba98f3268
Signed by: ezamriy
GPG Key ID: 7EBF95C7DCFA496C

@ -0,0 +1 @@
0db174239a2532a9485b6b5623ab3cb2 SOURCES/pesign-test-app-5.tar.bz2

@ -1,7 +1,7 @@
Summary: Simple pesign test target
Name: pesign-test-app
Version: 5
Release: 28%{?dist}
Release: 28%{?dist}.inferit
License: GPLv2
URL: https://github.com/vathpela/pesign-test-app
BuildRequires: make
@ -19,7 +19,7 @@ ExclusiveArch: x86_64
# debuginfo is useless
%global debug_package %{nil}
%global __pesign_client_token "OpenSC Card (Fedora Signer)"
%global __pesign_client_token "NSS Certificate DB"
# there is no tarball at github, of course. To get this version do:
# git clone https://github.com/vathpela/pesign-test-app.git
@ -41,27 +41,16 @@ deployments of new pesign versions into build infrastructure have succeeded.
make LIBDIR=%{_libdir} DATADIR=%{_datadir} CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_OPT_LDFLAGS"
cp %{name}.efi %{name}-unsigned.efi
id
ls -ld /var/run/pesign || :
getfacl /var/run/pesign || :
ls -l /var/run/pesign/socket || :
getfacl /var/run/pesign/socket || :
ls -ld /run/pesign || :
getfacl /run/pesign || :
ls -l /run/pesign/socket || :
getfacl /run/pesign/socket || :
%define pe_signing_cert grub2-signer
if ! true ; then
cp %{name}-unsigned.efi bzImage.signed
%pesign -s -i bzImage.signed -o bzImage.signed -a redhatsecurebootca5.cer -c redhatsecureboot501.cer -n redhatsecureboot501
%pesign -s -i bzImage.signed -o bzImage.signed -a redhatsecurebootca1.cer -c redhatsecureboot301.cer -n redhatsecureboot301
mv bzImage.signed %{name}-signed.efi
else
cp %{name}-unsigned.efi %{name}-unsigned.0.efi
%pesign -s -i %{name}-unsigned.0.efi -o %{name}.tmp.efi -a redhatsecurebootca5.cer -c redhatsecureboot501.cer -n redhatsecureboot501
%define pe_signing_cert fwupd-signer
%pesign -s -i %{name}.tmp.efi -o %{name}-signed.efi -a redhatsecurebootca1.cer -c redhatsecureboot301.cer -n redhatsecureboot301
fi
ls -ld /etc/pki/pesign || :
getfacl /etc/pki/pesign || :
ls -l /etc/pki/pesign || :
getfacl /etc/pki/pesign/* || :
%define pe_signing_cert MSVSphere Secure Boot Signing
cp %{name}-unsigned.efi %{name}-unsigned.0.efi
%pesign -s -i %{name}-unsigned.0.efi -o %{name}-signed.efi -a spheresecurebootca.cer -c spheresecureboot001.cer -n spheresecureboot001
%install
rm -rf %{buildroot}
@ -71,15 +60,13 @@ make LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} DATADIR=%{_datadir} \
mv %{name}-signed.efi %{buildroot}/%{_datadir}/%{name}-%{version}/
%check
ls -la /var/run/pesign || :
%ifarch %{efi}
# for display in the build log
for x in %{buildroot}/%{_datadir}/%{name}-%{version}/%{name}-signed.* ; do
pesign -l -i "${x}"
# to test the actual output
pesign -l -i "${x}" | grep -c -q "^Signing time: $(date +%%a\ %%b\ %%d,\ %%Y)$"
pesign -l -i "${x}" | grep -c -q '^The signer.s common name is Fedora Secure Boot Signer$' ||
pesign -l -i "${x}" | grep -c -q '^The signer.s common name is fwupd-signer$'
pesign -l -i "${x}" | grep -c -q '^The signer.s common name is MSVSphere Secure Boot Signing$'
done
%endif
@ -90,6 +77,9 @@ done
%{_datadir}/%{name}-%{version}/%{name}-signed*.efi
%changelog
* Mon Mar 27 2023 Eugene Zamriy <ezamriy@msvsphere.ru> - 5-28.inferit
- Initial adoption for MSVSphere infrastructure
* Wed Feb 01 2023 Robbie Harwood <rharwood@redhat.com> - 5.28
- Rise and sign

@ -1 +0,0 @@
0db174239a2532a9485b6b5623ab3cb2 pesign-test-app-5.tar.bz2
Loading…
Cancel
Save