.pesign-test-app.metadata

@@ -1 +0,0 @@
-0db174239a2532a9485b6b5623ab3cb2  SOURCES/pesign-test-app-5.tar.bz2

pesign-test-app.spec

@@ -1,7 +1,7 @@
 Summary: Simple pesign test target
 Name: pesign-test-app
 Version: 5
-Release: 28%{?dist}.inferit
+Release: 28%{?dist}
 License: GPLv2
 URL: https://github.com/vathpela/pesign-test-app
 BuildRequires: make
@@ -19,7 +19,7 @@ ExclusiveArch: x86_64
 # debuginfo is useless
 %global debug_package %{nil}
 
-%global __pesign_client_token "NSS Certificate DB"
+%global __pesign_client_token "OpenSC Card (Fedora Signer)"
 
 # there is no tarball at github, of course.  To get this version do:
 # git clone https://github.com/vathpela/pesign-test-app.git
@@ -41,16 +41,27 @@ deployments of new pesign versions into build infrastructure have succeeded.
 make LIBDIR=%{_libdir} DATADIR=%{_datadir} CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_OPT_LDFLAGS"
 cp %{name}.efi %{name}-unsigned.efi
 id
-ls -ld /etc/pki/pesign || :
+ls -ld /var/run/pesign || :
-getfacl /etc/pki/pesign || :
+getfacl /var/run/pesign || :
-ls -l /etc/pki/pesign || :
+ls -l /var/run/pesign/socket || :
-getfacl /etc/pki/pesign/* || :
+getfacl /var/run/pesign/socket || :
-
+ls -ld /run/pesign || :
-%define pe_signing_cert MSVSphere Secure Boot Signing
+getfacl /run/pesign || :
-
+ls -l /run/pesign/socket || :
-cp %{name}-unsigned.efi %{name}-unsigned.0.efi
+getfacl /run/pesign/socket || :
-%pesign -s -i %{name}-unsigned.0.efi -o %{name}-signed.efi -a spheresecurebootca.cer -c spheresecureboot001.cer -n spheresecureboot001
+
-
+%define pe_signing_cert grub2-signer
+if ! true ; then
+	cp %{name}-unsigned.efi bzImage.signed
+	%pesign -s -i bzImage.signed -o bzImage.signed -a redhatsecurebootca5.cer -c redhatsecureboot501.cer -n redhatsecureboot501
+	%pesign -s -i bzImage.signed -o bzImage.signed -a redhatsecurebootca1.cer -c redhatsecureboot301.cer -n redhatsecureboot301
+	mv bzImage.signed %{name}-signed.efi
+else
+	cp %{name}-unsigned.efi %{name}-unsigned.0.efi
+	%pesign -s -i %{name}-unsigned.0.efi -o %{name}.tmp.efi -a redhatsecurebootca5.cer -c redhatsecureboot501.cer -n redhatsecureboot501
+	%define pe_signing_cert fwupd-signer
+	%pesign -s -i %{name}.tmp.efi -o %{name}-signed.efi -a redhatsecurebootca1.cer -c redhatsecureboot301.cer -n redhatsecureboot301
+fi
 
 %install
 rm -rf %{buildroot}
@@ -60,13 +71,15 @@ make LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} DATADIR=%{_datadir} \
 mv %{name}-signed.efi %{buildroot}/%{_datadir}/%{name}-%{version}/
 
 %check
+ls -la /var/run/pesign || :
 %ifarch %{efi}
 # for display in the build log
 for x in %{buildroot}/%{_datadir}/%{name}-%{version}/%{name}-signed.* ; do
 	pesign -l -i "${x}"
 	# to test the actual output
 	pesign -l -i "${x}" | grep -c -q "^Signing time: $(date +%%a\ %%b\ %%d,\ %%Y)$"
-	pesign -l -i "${x}" | grep -c -q '^The signer.s common name is MSVSphere Secure Boot Signing$'
+	pesign -l -i "${x}" | grep -c -q '^The signer.s common name is Fedora Secure Boot Signer$' ||
+	pesign -l -i "${x}" | grep -c -q '^The signer.s common name is fwupd-signer$'
 done
 %endif
 
@@ -77,9 +90,6 @@ done
 %{_datadir}/%{name}-%{version}/%{name}-signed*.efi
 
 %changelog
-* Mon Mar 27 2023 Eugene Zamriy <ezamriy@msvsphere.ru> - 5-28.inferit
-- Initial adoption for MSVSphere infrastructure
-
 * Wed Feb 01 2023 Robbie Harwood <rharwood@redhat.com> - 5.28
 - Rise and sign
 

sources

@@ -0,0 +1 @@
+0db174239a2532a9485b6b5623ab3cb2  pesign-test-app-5.tar.bz2