|
|
|
@ -1,7 +1,7 @@
|
|
|
|
|
Summary: Simple pesign test target
|
|
|
|
|
Name: pesign-test-app
|
|
|
|
|
Version: 5
|
|
|
|
|
Release: 28%{?dist}.inferit
|
|
|
|
|
Release: 28%{?dist}
|
|
|
|
|
License: GPLv2
|
|
|
|
|
URL: https://github.com/vathpela/pesign-test-app
|
|
|
|
|
BuildRequires: make
|
|
|
|
@ -19,7 +19,7 @@ ExclusiveArch: x86_64
|
|
|
|
|
# debuginfo is useless
|
|
|
|
|
%global debug_package %{nil}
|
|
|
|
|
|
|
|
|
|
%global __pesign_client_token "NSS Certificate DB"
|
|
|
|
|
%global __pesign_client_token "OpenSC Card (Fedora Signer)"
|
|
|
|
|
|
|
|
|
|
# there is no tarball at github, of course. To get this version do:
|
|
|
|
|
# git clone https://github.com/vathpela/pesign-test-app.git
|
|
|
|
@ -41,16 +41,27 @@ deployments of new pesign versions into build infrastructure have succeeded.
|
|
|
|
|
make LIBDIR=%{_libdir} DATADIR=%{_datadir} CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_OPT_LDFLAGS"
|
|
|
|
|
cp %{name}.efi %{name}-unsigned.efi
|
|
|
|
|
id
|
|
|
|
|
ls -ld /etc/pki/pesign || :
|
|
|
|
|
getfacl /etc/pki/pesign || :
|
|
|
|
|
ls -l /etc/pki/pesign || :
|
|
|
|
|
getfacl /etc/pki/pesign/* || :
|
|
|
|
|
|
|
|
|
|
%define pe_signing_cert MSVSphere Secure Boot Signing
|
|
|
|
|
|
|
|
|
|
cp %{name}-unsigned.efi %{name}-unsigned.0.efi
|
|
|
|
|
%pesign -s -i %{name}-unsigned.0.efi -o %{name}-signed.efi -a spheresecurebootca.cer -c spheresecureboot001.cer -n spheresecureboot001
|
|
|
|
|
|
|
|
|
|
ls -ld /var/run/pesign || :
|
|
|
|
|
getfacl /var/run/pesign || :
|
|
|
|
|
ls -l /var/run/pesign/socket || :
|
|
|
|
|
getfacl /var/run/pesign/socket || :
|
|
|
|
|
ls -ld /run/pesign || :
|
|
|
|
|
getfacl /run/pesign || :
|
|
|
|
|
ls -l /run/pesign/socket || :
|
|
|
|
|
getfacl /run/pesign/socket || :
|
|
|
|
|
|
|
|
|
|
%define pe_signing_cert grub2-signer
|
|
|
|
|
if ! true ; then
|
|
|
|
|
cp %{name}-unsigned.efi bzImage.signed
|
|
|
|
|
%pesign -s -i bzImage.signed -o bzImage.signed -a redhatsecurebootca5.cer -c redhatsecureboot501.cer -n redhatsecureboot501
|
|
|
|
|
%pesign -s -i bzImage.signed -o bzImage.signed -a redhatsecurebootca1.cer -c redhatsecureboot301.cer -n redhatsecureboot301
|
|
|
|
|
mv bzImage.signed %{name}-signed.efi
|
|
|
|
|
else
|
|
|
|
|
cp %{name}-unsigned.efi %{name}-unsigned.0.efi
|
|
|
|
|
%pesign -s -i %{name}-unsigned.0.efi -o %{name}.tmp.efi -a redhatsecurebootca5.cer -c redhatsecureboot501.cer -n redhatsecureboot501
|
|
|
|
|
%define pe_signing_cert fwupd-signer
|
|
|
|
|
%pesign -s -i %{name}.tmp.efi -o %{name}-signed.efi -a redhatsecurebootca1.cer -c redhatsecureboot301.cer -n redhatsecureboot301
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
%install
|
|
|
|
|
rm -rf %{buildroot}
|
|
|
|
@ -60,13 +71,15 @@ make LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} DATADIR=%{_datadir} \
|
|
|
|
|
mv %{name}-signed.efi %{buildroot}/%{_datadir}/%{name}-%{version}/
|
|
|
|
|
|
|
|
|
|
%check
|
|
|
|
|
ls -la /var/run/pesign || :
|
|
|
|
|
%ifarch %{efi}
|
|
|
|
|
# for display in the build log
|
|
|
|
|
for x in %{buildroot}/%{_datadir}/%{name}-%{version}/%{name}-signed.* ; do
|
|
|
|
|
pesign -l -i "${x}"
|
|
|
|
|
# to test the actual output
|
|
|
|
|
pesign -l -i "${x}" | grep -c -q "^Signing time: $(date +%%a\ %%b\ %%d,\ %%Y)$"
|
|
|
|
|
pesign -l -i "${x}" | grep -c -q '^The signer.s common name is MSVSphere Secure Boot Signing$'
|
|
|
|
|
pesign -l -i "${x}" | grep -c -q '^The signer.s common name is Fedora Secure Boot Signer$' ||
|
|
|
|
|
pesign -l -i "${x}" | grep -c -q '^The signer.s common name is fwupd-signer$'
|
|
|
|
|
done
|
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
@ -77,9 +90,6 @@ done
|
|
|
|
|
%{_datadir}/%{name}-%{version}/%{name}-signed*.efi
|
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
|
|
* Mon Mar 27 2023 Eugene Zamriy <ezamriy@msvsphere.ru> - 5-28.inferit
|
|
|
|
|
- Initial adoption for MSVSphere infrastructure
|
|
|
|
|
|
|
|
|
|
* Wed Feb 01 2023 Robbie Harwood <rharwood@redhat.com> - 5.28
|
|
|
|
|
- Rise and sign
|
|
|
|
|
|
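Review bot: The `%check` loop in the `@ -60,13 +71,15 @` hunk accepts a text match on the signer's common name in `pesign -l` output as the whole verification, but a common name is only a string inside the certificate. The grep does not show that the signature chains to the CA certificate that the `-a ...ca.cer` argument of `%pesign` appears to name. The +/- markers are lost on this page, so this applies to whichever of the `MSVSphere Secure Boot Signing` or `Fedora Secure Boot Signer` / `fwupd-signer` lines is on the new side. I would add a comment above the loop such as `# CN match only identifies the signing cert by name; chain validation against the shipped CA is not covered by this check`, and reduce `grep -c -q` to `grep -q`, since `-q` already suppresses the count. The `Signing time` line compares against `$(date ...)` evaluated at check time, so it presumably fails when a build crosses midnight or when `date` runs under a locale or timezone different from the one pesign prints in; that assumption deserves a one-line comment as well.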