commit
206ac56ac1
@ -0,0 +1,2 @@
|
|||||||
|
SOURCES/certs.tar.xz
|
||||||
|
SOURCES/pesign-0.112.tar.bz2
|
@ -0,0 +1,2 @@
|
|||||||
|
53d9b43ef6eadb4512ce9738b5a6efbb40477983 SOURCES/certs.tar.xz
|
||||||
|
7cba5cfddabc425d0a927edfdd6865cc92f00c7b SOURCES/pesign-0.112.tar.bz2
|
@ -0,0 +1,69 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Thu, 21 Apr 2016 10:47:34 -0400
|
||||||
|
Subject: [PATCH] cms: kill generate_integer(), it doesn't build on i686 and
|
||||||
|
it's unused.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/cms_common.c | 34 ----------------------------------
|
||||||
|
src/cms_common.h | 1 -
|
||||||
|
2 files changed, 35 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||||
|
index b19bc62..6a4e6a7 100644
|
||||||
|
--- a/src/cms_common.c
|
||||||
|
+++ b/src/cms_common.c
|
||||||
|
@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static SEC_ASN1Template IntegerTemplate[] = {
|
||||||
|
- {.kind = SEC_ASN1_INTEGER,
|
||||||
|
- .offset = 0,
|
||||||
|
- .sub = NULL,
|
||||||
|
- .size = sizeof(long),
|
||||||
|
- },
|
||||||
|
- { 0 },
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-int
|
||||||
|
-generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
|
||||||
|
-{
|
||||||
|
- void *ret;
|
||||||
|
-
|
||||||
|
- uint32_t u32;
|
||||||
|
-
|
||||||
|
- SECItem input = {
|
||||||
|
- .data = (void *)&integer,
|
||||||
|
- .len = sizeof(integer),
|
||||||
|
- .type = siUnsignedInteger,
|
||||||
|
- };
|
||||||
|
-
|
||||||
|
- if (integer < 0x100000000) {
|
||||||
|
- u32 = integer & 0xffffffffUL;
|
||||||
|
- input.data = (void *)&u32;
|
||||||
|
- input.len = sizeof(u32);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
|
||||||
|
- if (ret == NULL)
|
||||||
|
- cmsreterr(-1, cms, "could not encode data");
|
||||||
|
- return 0;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
int
|
||||||
|
generate_time(cms_context *cms, SECItem *encoded, time_t when)
|
||||||
|
{
|
||||||
|
diff --git a/src/cms_common.h b/src/cms_common.h
|
||||||
|
index 7d77faf..c7d7268 100644
|
||||||
|
--- a/src/cms_common.h
|
||||||
|
+++ b/src/cms_common.h
|
||||||
|
@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
|
||||||
|
SECOidTag tag);
|
||||||
|
extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
|
||||||
|
extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
|
||||||
|
-extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
|
||||||
|
extern int generate_string(cms_context *cms, SECItem *der, char *str);
|
||||||
|
extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
|
||||||
|
extern int wrap_in_seq(cms_context *cms, SECItem *der,
|
@ -0,0 +1,70 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Cristau <jcristau@debian.org>
|
||||||
|
Date: Thu, 9 Jun 2016 14:30:37 +0200
|
||||||
|
Subject: [PATCH] Fix command line parsing
|
||||||
|
|
||||||
|
The gettext translation domain should be passed as .arg, not .descrip,
|
||||||
|
otherwise popt won't process any of the command line options (it stops
|
||||||
|
looping over the struct poptOption array when an entry has unset
|
||||||
|
longName, shortName and arg).
|
||||||
|
|
||||||
|
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
||||||
|
---
|
||||||
|
src/client.c | 2 +-
|
||||||
|
src/efikeygen.c | 2 +-
|
||||||
|
src/efisiglist.c | 2 +-
|
||||||
|
src/pesigcheck.c | 2 +-
|
||||||
|
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/client.c b/src/client.c
|
||||||
|
index 028419f..575c873 100644
|
||||||
|
--- a/src/client.c
|
||||||
|
+++ b/src/client.c
|
||||||
|
@@ -555,7 +555,7 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
|
struct poptOption options[] = {
|
||||||
|
{.argInfo = POPT_ARG_INTL_DOMAIN,
|
||||||
|
- .descrip = "pesign" },
|
||||||
|
+ .arg = "pesign" },
|
||||||
|
{.longName = "token",
|
||||||
|
.shortName = 't',
|
||||||
|
.argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
|
||||||
|
diff --git a/src/efikeygen.c b/src/efikeygen.c
|
||||||
|
index 6278849..8a515a5 100644
|
||||||
|
--- a/src/efikeygen.c
|
||||||
|
+++ b/src/efikeygen.c
|
||||||
|
@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
|
||||||
|
poptContext optCon;
|
||||||
|
struct poptOption options[] = {
|
||||||
|
{.argInfo = POPT_ARG_INTL_DOMAIN,
|
||||||
|
- .descrip = "pesign" },
|
||||||
|
+ .arg = "pesign" },
|
||||||
|
/* global nss-ish things */
|
||||||
|
{.longName = "dbdir",
|
||||||
|
.shortName = 'd',
|
||||||
|
diff --git a/src/efisiglist.c b/src/efisiglist.c
|
||||||
|
index cd3f1ae..40d6a93 100644
|
||||||
|
--- a/src/efisiglist.c
|
||||||
|
+++ b/src/efisiglist.c
|
||||||
|
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
|
struct poptOption options[] = {
|
||||||
|
{.argInfo = POPT_ARG_INTL_DOMAIN,
|
||||||
|
- .descrip = "pesign" },
|
||||||
|
+ .arg = "pesign" },
|
||||||
|
{.longName = "infile",
|
||||||
|
.shortName = 'i',
|
||||||
|
.argInfo = POPT_ARG_STRING,
|
||||||
|
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
|
||||||
|
index 1328fe9..0d49c1a 100644
|
||||||
|
--- a/src/pesigcheck.c
|
||||||
|
+++ b/src/pesigcheck.c
|
||||||
|
@@ -214,7 +214,7 @@ main(int argc, char *argv[])
|
||||||
|
poptContext optCon;
|
||||||
|
struct poptOption options[] = {
|
||||||
|
{.argInfo = POPT_ARG_INTL_DOMAIN,
|
||||||
|
- .descrip = "pesign" },
|
||||||
|
+ .arg = "pesign" },
|
||||||
|
{.longName = "dbfile",
|
||||||
|
.shortName = 'D',
|
||||||
|
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
|
@ -0,0 +1,23 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Wed, 10 Aug 2016 17:12:39 -0400
|
||||||
|
Subject: [PATCH] gcc: don't error on stuff in includes.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
Make.defaults | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/Make.defaults b/Make.defaults
|
||||||
|
index c97b452..3511080 100644
|
||||||
|
--- a/Make.defaults
|
||||||
|
+++ b/Make.defaults
|
||||||
|
@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
|
||||||
|
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
|
||||||
|
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
|
||||||
|
CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
|
||||||
|
- -Wall -Werror -Wextra
|
||||||
|
+ -Wall -Werror -Wextra -Wno-error=cpp
|
||||||
|
AS := $(CROSS_COMPILE)as
|
||||||
|
AR := $(CROSS_COMPILE)gcc-ar
|
||||||
|
RANLIB := $(CROSS_COMPILE)gcc-ranlib
|
@ -0,0 +1,36 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 18 Apr 2017 19:00:34 -0400
|
||||||
|
Subject: [PATCH] Fix "certficate" argument name.
|
||||||
|
|
||||||
|
This fixes our typoed argument name by making the incorrectly spelled
|
||||||
|
version be a popt alias, and fixing the real implementation to be
|
||||||
|
spelled right in pesign.c .
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/pesign.c | 2 +-
|
||||||
|
src/pesign.popt | 1 +
|
||||||
|
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/pesign.c b/src/pesign.c
|
||||||
|
index af374b6..279a17a 100644
|
||||||
|
--- a/src/pesign.c
|
||||||
|
+++ b/src/pesign.c
|
||||||
|
@@ -438,7 +438,7 @@ main(int argc, char *argv[])
|
||||||
|
.arg = &ctxp->outfile,
|
||||||
|
.descrip = "specify output file",
|
||||||
|
.argDescrip = "<outfile>" },
|
||||||
|
- {.longName = "certficate",
|
||||||
|
+ {.longName = "certificate",
|
||||||
|
.shortName = 'c',
|
||||||
|
.argInfo = POPT_ARG_STRING,
|
||||||
|
.arg = &certname,
|
||||||
|
diff --git a/src/pesign.popt b/src/pesign.popt
|
||||||
|
index 7b3385d..5a97748 100644
|
||||||
|
--- a/src/pesign.popt
|
||||||
|
+++ b/src/pesign.popt
|
||||||
|
@@ -1,2 +1,3 @@
|
||||||
|
pesign alias --cert --certificate
|
||||||
|
+pesign alias --certficate --certificate
|
||||||
|
pesign alias --daemon --daemonize
|
@ -0,0 +1,23 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Cristau <jcristau@debian.org>
|
||||||
|
Date: Mon, 27 Jun 2016 15:38:38 +0200
|
||||||
|
Subject: [PATCH] Fix description of --ascii-armor option in manpage
|
||||||
|
|
||||||
|
The --ascii option does not exist.
|
||||||
|
---
|
||||||
|
src/pesign.1 | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/pesign.1 b/src/pesign.1
|
||||||
|
index 47d1aec..29ae060 100644
|
||||||
|
--- a/src/pesign.1
|
||||||
|
+++ b/src/pesign.1
|
||||||
|
@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR
|
||||||
|
Export the certificate specified by \-\-certificate to \fIoutcert\fR
|
||||||
|
|
||||||
|
.TP
|
||||||
|
-\fB-\-ascii\fR
|
||||||
|
+\fB-\-ascii\-armor\fR
|
||||||
|
Use ascii armoring on exported certificates.
|
||||||
|
|
||||||
|
.TP
|
@ -0,0 +1,19 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 18 Apr 2017 19:05:40 -0400
|
||||||
|
Subject: [PATCH] Make --ascii work, since we documented it.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/pesign.popt | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/pesign.popt b/src/pesign.popt
|
||||||
|
index 5a97748..5ae0c5c 100644
|
||||||
|
--- a/src/pesign.popt
|
||||||
|
+++ b/src/pesign.popt
|
||||||
|
@@ -1,3 +1,4 @@
|
||||||
|
pesign alias --cert --certificate
|
||||||
|
pesign alias --certficate --certificate
|
||||||
|
pesign alias --daemon --daemonize
|
||||||
|
+pesign alias --ascii --ascii-armor
|
@ -0,0 +1,29 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pat Riehecky <riehecky@fnal.gov>
|
||||||
|
Date: Mon, 7 Nov 2016 11:37:08 -0600
|
||||||
|
Subject: [PATCH] Switch pesign client to also accept token/cert macros rather
|
||||||
|
than use hard coded values
|
||||||
|
|
||||||
|
---
|
||||||
|
src/macros.pesign | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index 18e5b5e..69280e9 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -41,11 +41,11 @@
|
||||||
|
--certdir ${nss} -c signer %{-o} \
|
||||||
|
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||||
|
elif [ -S /var/run/pesign/socket ]; then \
|
||||||
|
- %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\
|
||||||
|
- -c "/CN=Fedora Secure Boot Signer" \\\
|
||||||
|
+ %{_pesign_client} -t %{__pesign_token} \\\
|
||||||
|
+ -c %{__pesign_cert} \\\
|
||||||
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
else \
|
||||||
|
- %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
||||||
|
+ %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
|
||||||
|
--certdir ${_pesign_nssdir} \\\
|
||||||
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
fi \
|
@ -0,0 +1,22 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: David Michael <david.michael@coreos.com>
|
||||||
|
Date: Thu, 16 Feb 2017 15:08:30 -0800
|
||||||
|
Subject: [PATCH] pesigcheck: Verify with the cert as an object signer
|
||||||
|
|
||||||
|
---
|
||||||
|
src/certdb.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/certdb.c b/src/certdb.c
|
||||||
|
index 2a08042..b7c99bb 100644
|
||||||
|
--- a/src/certdb.c
|
||||||
|
+++ b/src/certdb.c
|
||||||
|
@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
||||||
|
}
|
||||||
|
/* Verify the signature */
|
||||||
|
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
|
||||||
|
- certUsageSSLServer,
|
||||||
|
+ certUsageObjectSigner,
|
||||||
|
digest, HASH_AlgSHA256,
|
||||||
|
PR_FALSE, atTime);
|
||||||
|
if (!result) {
|
@ -0,0 +1,44 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Mon, 24 Apr 2017 15:18:10 -0400
|
||||||
|
Subject: [PATCH] pesigcheck: make --certfile actually work
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/pesigcheck.c | 9 +++++++--
|
||||||
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
|
||||||
|
index 0d49c1a..d7be542 100644
|
||||||
|
--- a/src/pesigcheck.c
|
||||||
|
+++ b/src/pesigcheck.c
|
||||||
|
@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx)
|
||||||
|
cert_iter iter;
|
||||||
|
|
||||||
|
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
|
||||||
|
-
|
||||||
|
+
|
||||||
|
if (check_db_hash(DBX, ctx) == FOUND)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
@@ -225,6 +225,11 @@ main(int argc, char *argv[])
|
||||||
|
.argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
|
||||||
|
.arg = (void *)callback,
|
||||||
|
.descrip = (void *)ctxp },
|
||||||
|
+ {.longName = "certfile",
|
||||||
|
+ .shortName = 'c',
|
||||||
|
+ .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
|
||||||
|
+ .arg = (void *)callback,
|
||||||
|
+ .descrip = (void *)ctxp },
|
||||||
|
{.longName = "in",
|
||||||
|
.shortName = 'i',
|
||||||
|
.argInfo = POPT_ARG_STRING,
|
||||||
|
@@ -258,7 +263,7 @@ main(int argc, char *argv[])
|
||||||
|
.shortName = 'c',
|
||||||
|
.argInfo = POPT_ARG_STRING,
|
||||||
|
.arg = &certfile,
|
||||||
|
- .descrip = "the certificate (in DER form) for verification ",
|
||||||
|
+ .descrip = "import certfile (in DER encoding) for allowed certificate",
|
||||||
|
.argDescrip = "<certfile>" },
|
||||||
|
POPT_AUTOALIAS
|
||||||
|
POPT_AUTOHELP
|
@ -0,0 +1,24 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 25 Apr 2017 16:15:07 -0400
|
||||||
|
Subject: [PATCH] signerInfos: make sure err is always initialized
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/signed_data.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/signed_data.c b/src/signed_data.c
|
||||||
|
index 721db90..9e0af23 100644
|
||||||
|
--- a/src/signed_data.c
|
||||||
|
+++ b/src/signed_data.c
|
||||||
|
@@ -132,7 +132,8 @@ int
|
||||||
|
generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type)
|
||||||
|
{
|
||||||
|
SpcSignerInfo **signerInfo_list;
|
||||||
|
- int err, rc;
|
||||||
|
+ int err = 0;
|
||||||
|
+ int rc;
|
||||||
|
|
||||||
|
if (!signerInfo_list_p)
|
||||||
|
return -1;
|
@ -0,0 +1,23 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 25 Apr 2017 16:23:36 -0400
|
||||||
|
Subject: [PATCH] pesign: make "pesign -h" tell you the file name.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/pesign.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/pesign.c b/src/pesign.c
|
||||||
|
index 279a17a..5879cfc 100644
|
||||||
|
--- a/src/pesign.c
|
||||||
|
+++ b/src/pesign.c
|
||||||
|
@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx)
|
||||||
|
if (!ctx)
|
||||||
|
return;
|
||||||
|
|
||||||
|
- printf("hash: ");
|
||||||
|
+ printf("%s ", pctx->infile);
|
||||||
|
int j = ctx->selected_digest;
|
||||||
|
for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
|
||||||
|
printf("%02x",
|
@ -0,0 +1,101 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Wed, 10 May 2017 10:49:57 -0400
|
||||||
|
Subject: [PATCH] Add coverity build scripts
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
|
||||||
|
Make.defaults | 2 ++
|
||||||
|
Make.rules | 4 ++++
|
||||||
|
Makefile | 1 +
|
||||||
|
.gitignore | 1 +
|
||||||
|
5 files changed, 45 insertions(+)
|
||||||
|
create mode 100644 Make.coverity
|
||||||
|
|
||||||
|
diff --git a/Make.coverity b/Make.coverity
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..b80b091
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/Make.coverity
|
||||||
|
@@ -0,0 +1,37 @@
|
||||||
|
+include $(TOPDIR)/Make.version
|
||||||
|
+include $(TOPDIR)/Make.rules
|
||||||
|
+include $(TOPDIR)/Make.defaults
|
||||||
|
+
|
||||||
|
+COV_EMAIL=$(call get-config,coverity.email)
|
||||||
|
+COV_TOKEN=$(call get-config,coverity.token)
|
||||||
|
+COV_URL=$(call get-config,coverity.url)
|
||||||
|
+COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2
|
||||||
|
+
|
||||||
|
+cov-int : clean
|
||||||
|
+ cov-build --dir cov-int make all
|
||||||
|
+
|
||||||
|
+cov-clean :
|
||||||
|
+ @rm -vf $(NAME)-coverity-*.tar.*
|
||||||
|
+ @if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi
|
||||||
|
+
|
||||||
|
+cov-file : | $(COV_FILE)
|
||||||
|
+
|
||||||
|
+$(COV_FILE) : cov-int
|
||||||
|
+ tar caf $@ cov-int
|
||||||
|
+
|
||||||
|
+cov-upload :
|
||||||
|
+ @if [[ -n "$(COV_URL)" ]] && \
|
||||||
|
+ [[ -n "$(COV_TOKEN)" ]] && \
|
||||||
|
+ [[ -n "$(COV_EMAIL)" ]] ; \
|
||||||
|
+ then \
|
||||||
|
+ echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
|
||||||
|
+ curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
|
||||||
|
+ else \
|
||||||
|
+ echo Coverity output is in $(COV_FILE) ; \
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+coverity : cov-file cov-upload
|
||||||
|
+
|
||||||
|
+clean : | cov-clean
|
||||||
|
+
|
||||||
|
+.PHONY : coverity cov-upload cov-clean cov-file
|
||||||
|
diff --git a/Make.defaults b/Make.defaults
|
||||||
|
index 3511080..39b78f0 100644
|
||||||
|
--- a/Make.defaults
|
||||||
|
+++ b/Make.defaults
|
||||||
|
@@ -1,3 +1,5 @@
|
||||||
|
+NAME = pesign
|
||||||
|
+COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master)
|
||||||
|
prefix ?= /usr/
|
||||||
|
prefix := $(abspath $(prefix))/
|
||||||
|
libdir ?= $(prefix)lib64/
|
||||||
|
diff --git a/Make.rules b/Make.rules
|
||||||
|
index af5ecfe..5e3c83d 100644
|
||||||
|
--- a/Make.rules
|
||||||
|
+++ b/Make.rules
|
||||||
|
@@ -79,3 +79,7 @@ endef
|
||||||
|
|
||||||
|
$(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% :
|
||||||
|
$(MAKE) -C $(TOPDIR)/libdpe $(notdir $@)
|
||||||
|
+
|
||||||
|
+define get-config =
|
||||||
|
+$(shell git config --local --get "$(NAME).$(1)")
|
||||||
|
+endef
|
||||||
|
diff --git a/Makefile b/Makefile
|
||||||
|
index db8eb7e..ca1a359 100644
|
||||||
|
--- a/Makefile
|
||||||
|
+++ b/Makefile
|
||||||
|
@@ -4,6 +4,7 @@ TOPDIR = $(realpath .)
|
||||||
|
include $(TOPDIR)/Make.version
|
||||||
|
include $(TOPDIR)/Make.rules
|
||||||
|
include $(TOPDIR)/Make.defaults
|
||||||
|
+include $(TOPDIR)/Make.coverity
|
||||||
|
|
||||||
|
SUBDIRS := include libdpe src
|
||||||
|
|
||||||
|
diff --git a/.gitignore b/.gitignore
|
||||||
|
index 1635ba2..847e172 100644
|
||||||
|
--- a/.gitignore
|
||||||
|
+++ b/.gitignore
|
||||||
|
@@ -12,3 +12,4 @@
|
||||||
|
*.tar.*
|
||||||
|
*.rpm
|
||||||
|
core.*
|
||||||
|
+cov-int
|
@ -0,0 +1,22 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Sat, 8 Jul 2017 16:31:18 -0400
|
||||||
|
Subject: [PATCH] Document implicit fallthrough.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/authvar.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/authvar.c b/src/authvar.c
|
||||||
|
index ad659ca..03e0c47 100644
|
||||||
|
--- a/src/authvar.c
|
||||||
|
+++ b/src/authvar.c
|
||||||
|
@@ -511,6 +511,7 @@ main(int argc, char *argv[])
|
||||||
|
case IMPORT|SET:
|
||||||
|
case IMPORT|SIGN|SET:
|
||||||
|
fprintf(stderr, "authvar: not implemented\n");
|
||||||
|
+ /* fallthrough. */
|
||||||
|
case IMPORT|SIGN|EXPORT:
|
||||||
|
default:
|
||||||
|
fprintf(stderr, "authvar: invalid flags: ");
|
@ -0,0 +1,47 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Mon, 16 May 2016 15:25:53 -0400
|
||||||
|
Subject: [PATCH] Actually setfacl /each/ directory of our key storage.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/pesign-authorize-groups | 6 +++---
|
||||||
|
src/pesign-authorize-users | 6 +++---
|
||||||
|
2 files changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||||
|
index a4f895e..cf51fb6 100644
|
||||||
|
--- a/src/pesign-authorize-groups
|
||||||
|
+++ b/src/pesign-authorize-groups
|
||||||
|
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
|
||||||
|
setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
- for x in /etc/pki/pesign* ; do
|
||||||
|
+ for x in /etc/pki/pesign*/ ; do
|
||||||
|
if [ -d ${x} ]; then
|
||||||
|
- setfacl -m g:${group}:rx /etc/pki/pesign
|
||||||
|
- for y in ${x}/{cert8,key3,secmod}.db ; do
|
||||||
|
+ setfacl -m g:${group}:rx ${x}
|
||||||
|
+ for y in ${x}{cert8,key3,secmod}.db ; do
|
||||||
|
setfacl -m g:${group}:rw ${y}
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||||
|
index 8b9a885..940138e 100644
|
||||||
|
--- a/src/pesign-authorize-users
|
||||||
|
+++ b/src/pesign-authorize-users
|
||||||
|
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
|
||||||
|
setfacl -m g:${username}:rw /var/run/pesign/socket
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
- for x in /etc/pki/pesign* ; do
|
||||||
|
+ for x in /etc/pki/pesign*/ ; do
|
||||||
|
if [ -d ${x} ]; then
|
||||||
|
- setfacl -m g:${username}:rx /etc/pki/pesign
|
||||||
|
- for y in ${x}/{cert8,key3,secmod}.db ; do
|
||||||
|
+ setfacl -m g:${username}:rx ${x}
|
||||||
|
+ for y in ${x}{cert8,key3,secmod}.db ; do
|
||||||
|
setfacl -m g:${username}:rw ${y}
|
||||||
|
done
|
||||||
|
fi
|
@ -0,0 +1,56 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Mon, 22 Aug 2016 13:31:38 -0400
|
||||||
|
Subject: [PATCH] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
|
||||||
|
indices.
|
||||||
|
|
||||||
|
That was all kinds of wrong.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/oid.c | 10 +++++++---
|
||||||
|
src/oid.h | 1 +
|
||||||
|
2 files changed, 8 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/oid.c b/src/oid.c
|
||||||
|
index 9d8154f..7037e1e 100644
|
||||||
|
--- a/src/oid.c
|
||||||
|
+++ b/src/oid.c
|
||||||
|
@@ -33,6 +33,7 @@ static uint8_t oiddata[] = {
|
||||||
|
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
|
||||||
|
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15,
|
||||||
|
0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01,
|
||||||
|
+ 0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
|
||||||
|
};
|
||||||
|
|
||||||
|
#define OID(num, desc_s, oidtype, length, value) \
|
||||||
|
@@ -53,11 +54,14 @@ static struct {
|
||||||
|
OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10,
|
||||||
|
&oiddata[10]),
|
||||||
|
OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10,
|
||||||
|
- &oiddata[30]),
|
||||||
|
+ &oiddata[20]),
|
||||||
|
OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID,
|
||||||
|
- 10, &oiddata[40]),
|
||||||
|
+ 10, &oiddata[30]),
|
||||||
|
OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version",
|
||||||
|
- siAsciiString, 9, &oiddata[50]),
|
||||||
|
+ siAsciiString, 9, &oiddata[40]),
|
||||||
|
+ OID(SHIM_EKU_MODULE_SIGNING_ONLY,
|
||||||
|
+ "Certificate is used for kernel modules only", siDEROID, 10,
|
||||||
|
+ &oiddata[49]),
|
||||||
|
{ .oid = END_OID_LIST }
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/src/oid.h b/src/oid.h
|
||||||
|
index 599f49d..0e00781 100644
|
||||||
|
--- a/src/oid.h
|
||||||
|
+++ b/src/oid.h
|
||||||
|
@@ -25,6 +25,7 @@ typedef enum {
|
||||||
|
SPC_PE_IMAGE_DATA_OBJID, /* 1.3.6.1.4.1.311.2.1.15 */
|
||||||
|
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, /* 1.3.6.1.4.1.311.2.1.21 */
|
||||||
|
szOID_CERTSRV_CA_VERSION, /* 1.3.6.1.4.1.311.21.1 */
|
||||||
|
+ SHIM_EKU_MODULE_SIGNING_ONLY, /* 1.3.6.1.4.1.2312.16.1.2 */
|
||||||
|
END_OID_LIST
|
||||||
|
} ms_oid_t;
|
||||||
|
|
@ -0,0 +1,195 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Mon, 22 Aug 2016 13:43:56 -0400
|
||||||
|
Subject: [PATCH] efikeygen: add --modsign
|
||||||
|
|
||||||
|
---
|
||||||
|
src/cms_common.c | 29 +++++++++++++++++++++++++++
|
||||||
|
src/efikeygen.c | 61 ++++++++++++++++++++++++++++++++++++++++++++------------
|
||||||
|
src/cms_common.h | 1 +
|
||||||
|
3 files changed, 78 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/cms_common.c b/src/cms_common.c
|
||||||
|
index 6a4e6a7..2df2cfe 100644
|
||||||
|
--- a/src/cms_common.c
|
||||||
|
+++ b/src/cms_common.c
|
||||||
|
@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static SEC_ASN1Template EKUOidSequence[] = {
|
||||||
|
+ {
|
||||||
|
+ .kind = SEC_ASN1_OBJECT_ID,
|
||||||
|
+ .offset = 0,
|
||||||
|
+ .sub = &SEC_AnyTemplate,
|
||||||
|
+ .size = sizeof (SECItem),
|
||||||
|
+ },
|
||||||
|
+ { 0 }
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)
|
||||||
|
+{
|
||||||
|
+ void *rv;
|
||||||
|
+ SECOidData *oid_data;
|
||||||
|
+
|
||||||
|
+ oid_data = SECOID_FindOIDByTag(oid_tag);
|
||||||
|
+ if (!oid_data)
|
||||||
|
+ cmsreterr(-1, cms, "could not encode eku oid data");
|
||||||
|
+
|
||||||
|
+ rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,
|
||||||
|
+ EKUOidSequence);
|
||||||
|
+ if (rv == NULL)
|
||||||
|
+ cmsreterr(-1, cms, "could not encode eku oid data");
|
||||||
|
+
|
||||||
|
+ encoded->type = siBuffer;
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int
|
||||||
|
generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
|
||||||
|
{
|
||||||
|
diff --git a/src/efikeygen.c b/src/efikeygen.c
|
||||||
|
index 8a515a5..9390578 100644
|
||||||
|
--- a/src/efikeygen.c
|
||||||
|
+++ b/src/efikeygen.c
|
||||||
|
@@ -49,6 +49,7 @@
|
||||||
|
#include <libdpe/libdpe.h>
|
||||||
|
|
||||||
|
#include "cms_common.h"
|
||||||
|
+#include "oid.h"
|
||||||
|
#include "util.h"
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-add_extended_key_usage(cms_context *cms, void *extHandle)
|
||||||
|
+add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
|
||||||
|
{
|
||||||
|
- SECItem value = {
|
||||||
|
- .data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"
|
||||||
|
- "\x05\x05\x07\x03\x03",
|
||||||
|
- .len = 12,
|
||||||
|
- .type = siBuffer
|
||||||
|
- };
|
||||||
|
-
|
||||||
|
-
|
||||||
|
+ SECItem values[2];
|
||||||
|
+ SECItem wrapped = { 0 };
|
||||||
|
SECStatus status;
|
||||||
|
+ SECOidTag tag;
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ if (modsign_only < 1 || modsign_only > 2)
|
||||||
|
+ cmsreterr(-1, cms, "could not encode extended key usage");
|
||||||
|
+
|
||||||
|
+ rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
|
||||||
|
+ if (rc < 0)
|
||||||
|
+ cmsreterr(-1, cms, "could not encode extended key usage");
|
||||||
|
+
|
||||||
|
+ tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);
|
||||||
|
+ printf("tag: %d\n", tag);
|
||||||
|
+ rc = make_eku_oid(cms, &values[1], tag);
|
||||||
|
+ if (rc < 0)
|
||||||
|
+ cmsreterr(-1, cms, "could not encode extended key usage");
|
||||||
|
+
|
||||||
|
+ rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
|
||||||
|
+ if (rc < 0)
|
||||||
|
+ cmsreterr(-1, cms, "could not encode extended key usage");
|
||||||
|
+
|
||||||
|
|
||||||
|
status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
|
||||||
|
- &value, PR_FALSE, PR_TRUE);
|
||||||
|
+ &wrapped, PR_FALSE, PR_TRUE);
|
||||||
|
if (status != SECSuccess)
|
||||||
|
cmsreterr(-1, cms, "could not encode extended key usage");
|
||||||
|
|
||||||
|
@@ -294,7 +309,7 @@ static int
|
||||||
|
add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
|
||||||
|
int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
|
||||||
|
SECKEYPublicKey *spubkey,
|
||||||
|
- char *url)
|
||||||
|
+ char *url, int modsign_only)
|
||||||
|
{
|
||||||
|
void *mark = PORT_ArenaMark(cms->arena);
|
||||||
|
|
||||||
|
@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
|
||||||
|
if (rc < 0)
|
||||||
|
cmsreterr(-1, cms, "could not generate certificate extensions");
|
||||||
|
|
||||||
|
- rc = add_extended_key_usage(cms, extHandle);
|
||||||
|
+ rc = add_extended_key_usage(cms, modsign_only, extHandle);
|
||||||
|
if (rc < 0)
|
||||||
|
cmsreterr(-1, cms, "could not generate certificate extensions");
|
||||||
|
|
||||||
|
@@ -469,6 +484,7 @@ int main(int argc, char *argv[])
|
||||||
|
{
|
||||||
|
int is_ca = 0;
|
||||||
|
int is_self_signed = -1;
|
||||||
|
+ int modsign_only = 0;
|
||||||
|
char *tokenname = "NSS Certificate DB";
|
||||||
|
char *signer = NULL;
|
||||||
|
char *nickname = NULL;
|
||||||
|
@@ -522,6 +538,18 @@ int main(int argc, char *argv[])
|
||||||
|
.descrip = "Generate a self-signed certificate" },
|
||||||
|
|
||||||
|
/* stuff about the generated key */
|
||||||
|
+ {.longName = "kernel",
|
||||||
|
+ .shortName = 'k',
|
||||||
|
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
|
||||||
|
+ .arg = &modsign_only,
|
||||||
|
+ .val = 1,
|
||||||
|
+ .descrip = "Generate a kernel-signing certificate" },
|
||||||
|
+ {.longName = "module",
|
||||||
|
+ .shortName = 'm',
|
||||||
|
+ .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
|
||||||
|
+ .arg = &modsign_only,
|
||||||
|
+ .val = 2,
|
||||||
|
+ .descrip = "Generate a module-signing certificate" },
|
||||||
|
{.longName = "nickname",
|
||||||
|
.shortName = 'n',
|
||||||
|
.argInfo = POPT_ARG_STRING,
|
||||||
|
@@ -628,6 +656,9 @@ int main(int argc, char *argv[])
|
||||||
|
liberr(1, "could not allocate cms context");
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (modsign_only < 1 || modsign_only > 2)
|
||||||
|
+ errx(1, "either --kernel or --module must be used");
|
||||||
|
+
|
||||||
|
SECStatus status = NSS_InitReadWrite(dbdir);
|
||||||
|
if (status != SECSuccess)
|
||||||
|
nsserr(1, "could not initialize NSS");
|
||||||
|
@@ -639,6 +670,10 @@ int main(int argc, char *argv[])
|
||||||
|
SECKEYPublicKey *pubkey = NULL;
|
||||||
|
SECKEYPrivateKey *privkey = NULL;
|
||||||
|
|
||||||
|
+ status = register_oids(cms);
|
||||||
|
+ if (status != SECSuccess)
|
||||||
|
+ nsserr(1, "Could not register OIDs");
|
||||||
|
+
|
||||||
|
PK11SlotInfo *slot = NULL;
|
||||||
|
if (pubfile) {
|
||||||
|
rc = get_pubkey_from_file(pubfile, &pubkey);
|
||||||
|
@@ -713,7 +748,7 @@ int main(int argc, char *argv[])
|
||||||
|
crq = CERT_CreateCertificateRequest(name, spki, &attributes);
|
||||||
|
|
||||||
|
rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
|
||||||
|
- spubkey, url);
|
||||||
|
+ spubkey, url, modsign_only);
|
||||||
|
if (rc < 0)
|
||||||
|
exit(1);
|
||||||
|
|
||||||
|
diff --git a/src/cms_common.h b/src/cms_common.h
|
||||||
|
index c7d7268..7a31273 100644
|
||||||
|
--- a/src/cms_common.h
|
||||||
|
+++ b/src/cms_common.h
|
||||||
|
@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
|
||||||
|
SECItem *items, int num_items);
|
||||||
|
extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
|
||||||
|
SECItem *original);
|
||||||
|
+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
|
||||||
|
extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
|
||||||
|
time_t end);
|
||||||
|
extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
|
@ -0,0 +1,118 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 25 Apr 2017 16:25:02 -0400
|
||||||
|
Subject: [PATCH] check_cert_db(): try even harder to pick a reasonable
|
||||||
|
validation time.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
|
||||||
|
1 file changed, 66 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/certdb.c b/src/certdb.c
|
||||||
|
index b7c99bb..1a4baf1 100644
|
||||||
|
--- a/src/certdb.c
|
||||||
|
+++ b/src/certdb.c
|
||||||
|
@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
|
||||||
|
return check_db(which, ctx, check_hash, NULL, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static PRTime
|
||||||
|
-determine_reasonable_time(CERTCertificate *cert)
|
||||||
|
+static void
|
||||||
|
+find_cert_times(SEC_PKCS7ContentInfo *cinfo,
|
||||||
|
+ PRTime *notBefore, PRTime *notAfter)
|
||||||
|
{
|
||||||
|
- PRTime notBefore, notAfter;
|
||||||
|
- CERT_GetCertTimes(cert, ¬Before, ¬After);
|
||||||
|
- return notBefore;
|
||||||
|
+ CERTCertDBHandle *defaultdb, *certdb;
|
||||||
|
+ SEC_PKCS7SignedData *sdp;
|
||||||
|
+ CERTCertificate **certs = NULL;
|
||||||
|
+ SECItem **rawcerts;
|
||||||
|
+ int i, certcount;
|
||||||
|
+ SECStatus rv;
|
||||||
|
+
|
||||||
|
+ if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
|
||||||
|
+err:
|
||||||
|
+ *notBefore = 0;
|
||||||
|
+ *notAfter = 0x7fffffffffffffff;
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ sdp = cinfo->content.signedData;
|
||||||
|
+ rawcerts = sdp->rawCerts;
|
||||||
|
+
|
||||||
|
+ defaultdb = CERT_GetDefaultCertDB();
|
||||||
|
+
|
||||||
|
+ certdb = defaultdb;
|
||||||
|
+ if (certdb == NULL)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ certcount = 0;
|
||||||
|
+ if (rawcerts != NULL) {
|
||||||
|
+ for (; rawcerts[certcount] != NULL; certcount++)
|
||||||
|
+ ;
|
||||||
|
+ }
|
||||||
|
+ rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
|
||||||
|
+ rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
|
||||||
|
+ if (rv != SECSuccess)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < certcount; i++) {
|
||||||
|
+ PRTime nb = 0, na = 0x7fffffffffff;
|
||||||
|
+ CERT_GetCertTimes(certs[i], &nb, &na);
|
||||||
|
+ if (*notBefore < nb)
|
||||||
|
+ *notBefore = nb;
|
||||||
|
+ if (*notAfter > na)
|
||||||
|
+ *notAfter = na;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ CERT_DestroyCertArray(certs, certcount);
|
||||||
|
}
|
||||||
|
|
||||||
|
static db_status
|
||||||
|
@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
||||||
|
PRBool result;
|
||||||
|
SECStatus rv;
|
||||||
|
db_status status = NOT_FOUND;
|
||||||
|
+ PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
|
||||||
|
+ PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
|
||||||
|
|
||||||
|
efi_guid_t efi_x509 = efi_guid_x509_cert;
|
||||||
|
|
||||||
|
@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
||||||
|
}
|
||||||
|
cert->timeOK = PR_TRUE;
|
||||||
|
|
||||||
|
+ find_cert_times(cinfo, ¬Before, ¬After);
|
||||||
|
+ if (earlyNow < notBefore)
|
||||||
|
+ earlyNow = notBefore;
|
||||||
|
+ if (lateNow > notAfter)
|
||||||
|
+ lateNow = notAfter;
|
||||||
|
+
|
||||||
|
SECItem *eTime;
|
||||||
|
PRTime atTime;
|
||||||
|
// atTime = determine_reasonable_time(cert);
|
||||||
|
eTime = SEC_PKCS7GetSigningTime(cinfo);
|
||||||
|
if (eTime != NULL) {
|
||||||
|
- if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
|
||||||
|
- atTime = determine_reasonable_time(cert);
|
||||||
|
- } else {
|
||||||
|
- atTime = determine_reasonable_time(cert);
|
||||||
|
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
|
||||||
|
+ if (earlyNow < atTime)
|
||||||
|
+ earlyNow = atTime;
|
||||||
|
+ if (lateNow > atTime)
|
||||||
|
+ lateNow = atTime;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (lateNow < earlyNow)
|
||||||
|
+ printf("Impossible time constraints: %ld <= %ld\n",
|
||||||
|
+ earlyNow / 1000000, lateNow / 1000000);
|
||||||
|
+ atTime = earlyNow / 2 + lateNow / 2;
|
||||||
|
+
|
||||||
|
/* Verify the signature */
|
||||||
|
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
|
||||||
|
certUsageObjectSigner,
|
@ -0,0 +1,134 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 25 Apr 2017 16:58:50 -0400
|
||||||
|
Subject: [PATCH] show which db we're checking
|
||||||
|
|
||||||
|
---
|
||||||
|
src/certdb.c | 35 ++++++++++++++++++++++++++++++++++-
|
||||||
|
src/pesigcheck_context.c | 2 ++
|
||||||
|
src/pesigcheck_context.h | 1 +
|
||||||
|
3 files changed, 37 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/certdb.c b/src/certdb.c
|
||||||
|
index 1a4baf1..673e074 100644
|
||||||
|
--- a/src/certdb.c
|
||||||
|
+++ b/src/certdb.c
|
||||||
|
@@ -18,6 +18,7 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <fcntl.h>
|
||||||
|
+#include <libgen.h>
|
||||||
|
#include <sys/mman.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
db->type = type;
|
||||||
|
-
|
||||||
|
db->fd = open(dbfile, O_RDONLY);
|
||||||
|
if (db->fd < 0) {
|
||||||
|
save_errno(free(db));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ char *path = strdup(dbfile);
|
||||||
|
+ if (!path) {
|
||||||
|
+ save_errno(close(db->fd);
|
||||||
|
+ free(db));
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ db->path = basename(path);
|
||||||
|
+ db->path = strdup(db->path);
|
||||||
|
+ free(path);
|
||||||
|
+ if (!db->path) {
|
||||||
|
+ save_errno(close(db->fd);
|
||||||
|
+ free(db));
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
struct stat sb;
|
||||||
|
int rc = fstat(db->fd, &sb);
|
||||||
|
if (rc < 0) {
|
||||||
|
save_errno(close(db->fd);
|
||||||
|
+ free(db->path);
|
||||||
|
free(db));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
|
||||||
|
rc = read_file(db->fd, (char **)&db->map, &sz);
|
||||||
|
if (rc < 0) {
|
||||||
|
save_errno(close(db->fd);
|
||||||
|
+ free(db->path);
|
||||||
|
free(db));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename)
|
||||||
|
#define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
|
||||||
|
#define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
|
||||||
|
#define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
|
||||||
|
+#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"
|
||||||
|
|
||||||
|
void
|
||||||
|
init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
|
||||||
|
@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
|
||||||
|
"database \"%s\": %m\n", DBX_PATH);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR);
|
||||||
|
+ if (rc < 0 && errno != ENOENT) {
|
||||||
|
+ fprintf(stderr, "pesigcheck: Could not add key database "
|
||||||
|
+ "\"%s\": %m\n", MOKX_PATH);
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ctx->dbx == NULL) {
|
||||||
|
+ fprintf(stderr, "pesigcheck: warning: "
|
||||||
|
+ "No key recovation database available\n");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
|
||||||
|
@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
|
||||||
|
sig.type = siBuffer;
|
||||||
|
|
||||||
|
while (dbl) {
|
||||||
|
+ printf("Searching %s %s\n", which == DB ? "db" : "dbx",
|
||||||
|
+ dbl->path);
|
||||||
|
EFI_SIGNATURE_LIST *certlist;
|
||||||
|
EFI_SIGNATURE_DATA *cert;
|
||||||
|
size_t dbsize = dbl->datalen;
|
||||||
|
diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c
|
||||||
|
index b934cbe..5a355b1 100644
|
||||||
|
--- a/src/pesigcheck_context.c
|
||||||
|
+++ b/src/pesigcheck_context.c
|
||||||
|
@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
|
||||||
|
munmap(db->map, db->size);
|
||||||
|
close(db->fd);
|
||||||
|
ctx->db = db->next;
|
||||||
|
+ free(db->path);
|
||||||
|
free(db);
|
||||||
|
}
|
||||||
|
while (ctx->dbx) {
|
||||||
|
@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
|
||||||
|
if (db->type == DB_CERT)
|
||||||
|
free(db->data);
|
||||||
|
munmap(db->map, db->size);
|
||||||
|
+ free(db->path);
|
||||||
|
close(db->fd);
|
||||||
|
ctx->dbx = db->next;
|
||||||
|
free(db);
|
||||||
|
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
|
||||||
|
index 1b916e3..7b5cc89 100644
|
||||||
|
--- a/src/pesigcheck_context.h
|
||||||
|
+++ b/src/pesigcheck_context.h
|
||||||
|
@@ -34,6 +34,7 @@ typedef enum {
|
||||||
|
|
||||||
|
struct dblist {
|
||||||
|
db_f_type type;
|
||||||
|
+ char *path;
|
||||||
|
int fd;
|
||||||
|
struct dblist *next;
|
||||||
|
size_t size;
|
@ -0,0 +1,93 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 25 Apr 2017 17:00:46 -0400
|
||||||
|
Subject: [PATCH] more about the time
|
||||||
|
|
||||||
|
---
|
||||||
|
src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
|
||||||
|
1 file changed, 33 insertions(+), 26 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/certdb.c b/src/certdb.c
|
||||||
|
index 673e074..1078a8a 100644
|
||||||
|
--- a/src/certdb.c
|
||||||
|
+++ b/src/certdb.c
|
||||||
|
@@ -345,14 +345,46 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
||||||
|
PRBool result;
|
||||||
|
SECStatus rv;
|
||||||
|
db_status status = NOT_FOUND;
|
||||||
|
+ PRTime atTime = PR_Now();
|
||||||
|
+ SECItem *eTime;
|
||||||
|
PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
|
||||||
|
- PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
|
||||||
|
+ PRTime notBefore, notAfter;
|
||||||
|
|
||||||
|
efi_guid_t efi_x509 = efi_guid_x509_cert;
|
||||||
|
|
||||||
|
if (memcmp(sigtype, &efi_x509, sizeof(efi_guid_t)) != 0)
|
||||||
|
return NOT_FOUND;
|
||||||
|
|
||||||
|
+ cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
|
||||||
|
+ NULL, NULL);
|
||||||
|
+ if (!cinfo)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
+ notBefore = earlyNow;
|
||||||
|
+ notAfter = lateNow;
|
||||||
|
+ find_cert_times(cinfo, ¬Before, ¬After);
|
||||||
|
+ if (earlyNow < notBefore)
|
||||||
|
+ earlyNow = notBefore;
|
||||||
|
+ if (lateNow > notAfter)
|
||||||
|
+ lateNow = notAfter;
|
||||||
|
+
|
||||||
|
+ // atTime = determine_reasonable_time(cert);
|
||||||
|
+ eTime = SEC_PKCS7GetSigningTime(cinfo);
|
||||||
|
+ if (eTime != NULL) {
|
||||||
|
+ if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
|
||||||
|
+ if (earlyNow < atTime)
|
||||||
|
+ earlyNow = atTime;
|
||||||
|
+ if (lateNow > atTime)
|
||||||
|
+ lateNow = atTime;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (lateNow < earlyNow)
|
||||||
|
+ printf("Signature has impossible time constraint: %ld <= %ld\n",
|
||||||
|
+ earlyNow / 1000000, lateNow / 1000000);
|
||||||
|
+ atTime = earlyNow / 2 + lateNow / 2;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
|
||||||
|
NULL, NULL);
|
||||||
|
if (!cinfo)
|
||||||
|
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
||||||
|
PORT_ErrorToString(PORT_GetError()));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- cert->timeOK = PR_TRUE;
|
||||||
|
-
|
||||||
|
- find_cert_times(cinfo, ¬Before, ¬After);
|
||||||
|
- if (earlyNow < notBefore)
|
||||||
|
- earlyNow = notBefore;
|
||||||
|
- if (lateNow > notAfter)
|
||||||
|
- lateNow = notAfter;
|
||||||
|
-
|
||||||
|
- SECItem *eTime;
|
||||||
|
- PRTime atTime;
|
||||||
|
- // atTime = determine_reasonable_time(cert);
|
||||||
|
- eTime = SEC_PKCS7GetSigningTime(cinfo);
|
||||||
|
- if (eTime != NULL) {
|
||||||
|
- if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
|
||||||
|
- if (earlyNow < atTime)
|
||||||
|
- earlyNow = atTime;
|
||||||
|
- if (lateNow > atTime)
|
||||||
|
- lateNow = atTime;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (lateNow < earlyNow)
|
||||||
|
- printf("Impossible time constraints: %ld <= %ld\n",
|
||||||
|
- earlyNow / 1000000, lateNow / 1000000);
|
||||||
|
- atTime = earlyNow / 2 + lateNow / 2;
|
||||||
|
|
||||||
|
/* Verify the signature */
|
||||||
|
result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
|
@ -0,0 +1,416 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 25 Apr 2017 17:01:13 -0400
|
||||||
|
Subject: [PATCH] try to say why something fails
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/certdb.c | 15 ++-
|
||||||
|
src/pesigcheck.c | 244 ++++++++++++++++++++++++++++++++++++++++++-----
|
||||||
|
src/certdb.h | 2 +-
|
||||||
|
src/pesigcheck_context.h | 1 +
|
||||||
|
4 files changed, 233 insertions(+), 29 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/certdb.c b/src/certdb.c
|
||||||
|
index 1078a8a..fae80af 100644
|
||||||
|
--- a/src/certdb.c
|
||||||
|
+++ b/src/certdb.c
|
||||||
|
@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
|
||||||
|
|
||||||
|
static db_status
|
||||||
|
check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
|
||||||
|
- void *data, ssize_t datalen)
|
||||||
|
+ void *data, ssize_t datalen, SECItem *match)
|
||||||
|
{
|
||||||
|
SECItem pkcs7sig, sig;
|
||||||
|
dblist *dbl = which == DB ? ctx->db : ctx->dbx;
|
||||||
|
@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
|
||||||
|
found = check(ctx, &sig,
|
||||||
|
&certlist->SignatureType,
|
||||||
|
&pkcs7sig);
|
||||||
|
- if (found == FOUND)
|
||||||
|
+ if (found == FOUND) {
|
||||||
|
+ if (match)
|
||||||
|
+ memcpy(match, &sig,
|
||||||
|
+ sizeof(sig));
|
||||||
|
return FOUND;
|
||||||
|
+ }
|
||||||
|
cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
|
||||||
|
certlist->SignatureSize);
|
||||||
|
}
|
||||||
|
@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
||||||
|
db_status
|
||||||
|
check_db_hash(db_specifier which, pesigcheck_context *ctx)
|
||||||
|
{
|
||||||
|
- return check_db(which, ctx, check_hash, NULL, 0);
|
||||||
|
+ return check_db(which, ctx, check_hash, NULL, 0, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
@@ -459,7 +463,8 @@ out:
|
||||||
|
}
|
||||||
|
|
||||||
|
db_status
|
||||||
|
-check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
|
||||||
|
+check_db_cert(db_specifier which, pesigcheck_context *ctx,
|
||||||
|
+ void *data, ssize_t datalen, SECItem *match)
|
||||||
|
{
|
||||||
|
- return check_db(which, ctx, check_cert, data, datalen);
|
||||||
|
+ return check_db(which, ctx, check_cert, data, datalen, match);
|
||||||
|
}
|
||||||
|
diff --git a/src/pesigcheck.c b/src/pesigcheck.c
|
||||||
|
index d7be542..c8e1086 100644
|
||||||
|
--- a/src/pesigcheck.c
|
||||||
|
+++ b/src/pesigcheck.c
|
||||||
|
@@ -17,7 +17,9 @@
|
||||||
|
* Author(s): Peter Jones <pjones@redhat.com>
|
||||||
|
*/
|
||||||
|
|
||||||
|
+#include <err.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
+#include <stdbool.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
-cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
|
||||||
|
+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
|
||||||
|
+ SECItem *digest_out)
|
||||||
|
{
|
||||||
|
SECItem sig, *pe_digest, *content;
|
||||||
|
uint8_t *digest;
|
||||||
|
@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
|
||||||
|
pe_digest = ctx->cms_ctx->digests[0].pe_digest;
|
||||||
|
content = cinfo->content.signedData->contentInfo.content.data;
|
||||||
|
digest = content->data + content->len - pe_digest->len;
|
||||||
|
+ if (digest_out) {
|
||||||
|
+ digest_out->data = malloc(pe_digest->len);
|
||||||
|
+ digest_out->len = pe_digest->len;
|
||||||
|
+ digest_out->type = pe_digest->type;
|
||||||
|
+ memcpy(digest_out->data, digest, pe_digest->len);
|
||||||
|
+ }
|
||||||
|
if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
@@ -120,22 +129,149 @@ out:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+struct reason {
|
||||||
|
+ enum {
|
||||||
|
+ WHITELISTED = 0,
|
||||||
|
+ INVALID = 1,
|
||||||
|
+ BLACKLISTED = 2,
|
||||||
|
+ NO_WHITELIST = 3,
|
||||||
|
+ } reason;
|
||||||
|
+ enum {
|
||||||
|
+ NONE = 0,
|
||||||
|
+ DIGEST = 1,
|
||||||
|
+ SIGNATURE = 2,
|
||||||
|
+ } type;
|
||||||
|
+ union {
|
||||||
|
+ struct {
|
||||||
|
+ SECItem digest;
|
||||||
|
+ };
|
||||||
|
+ struct {
|
||||||
|
+ SECItem sig;
|
||||||
|
+ SECItem db_cert;
|
||||||
|
+ };
|
||||||
|
+ };
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+print_digest(SECItem *digest)
|
||||||
|
+{
|
||||||
|
+ char buf[digest->len * 2 + 2];
|
||||||
|
+
|
||||||
|
+ for (unsigned int i = 0; i < digest->len; i++)
|
||||||
|
+ snprintf(buf + i * 2, digest->len * 2, "%02x",
|
||||||
|
+ digest->data[i]);
|
||||||
|
+ buf[digest->len * 2] = '\0';
|
||||||
|
+ printf("%s\n", buf);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+print_certificate(SECItem *cert)
|
||||||
|
+{
|
||||||
|
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
|
||||||
|
+ printf("cert: %p\n", cert);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+print_signatures(SECItem *database_cert, SECItem *signature)
|
||||||
|
+{
|
||||||
|
+ printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
|
||||||
|
+ print_certificate(database_cert);
|
||||||
|
+ print_certificate(signature);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+print_reason(struct reason *reason)
|
||||||
|
+{
|
||||||
|
+ switch (reason->reason) {
|
||||||
|
+ case WHITELISTED:
|
||||||
|
+ printf("Whitelist entry: ");
|
||||||
|
+ if (reason->type == DIGEST)
|
||||||
|
+ print_digest(&reason->digest);
|
||||||
|
+ else if (reason->type == SIGNATURE)
|
||||||
|
+ print_signatures(&reason->sig, &reason->db_cert);
|
||||||
|
+ else
|
||||||
|
+ errx(1, "Unknown data type %d\n", reason->type);
|
||||||
|
+ break;
|
||||||
|
+ case INVALID:
|
||||||
|
+ if (reason->type == DIGEST) {
|
||||||
|
+ printf("Invalid digest: ");
|
||||||
|
+ print_digest(&reason->digest);
|
||||||
|
+ } else if (reason->type == SIGNATURE) {
|
||||||
|
+ printf("Invalid signature: ");
|
||||||
|
+ print_signatures(&reason->sig, &reason->db_cert);
|
||||||
|
+ } else {
|
||||||
|
+ errx(1, "Unknown data type %d\n", reason->type);
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case BLACKLISTED:
|
||||||
|
+ if (reason->type == DIGEST) {
|
||||||
|
+ printf("Invalid digest: ");
|
||||||
|
+ print_digest(&reason->digest);
|
||||||
|
+ } else if (reason->type == SIGNATURE) {
|
||||||
|
+ printf("Invalid signature: ");
|
||||||
|
+ print_signatures(&reason->sig, &reason->db_cert);
|
||||||
|
+ } else {
|
||||||
|
+ errx(1, "Unknown data type %d\n", reason->type);
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case NO_WHITELIST:
|
||||||
|
+ if (reason->type == NONE)
|
||||||
|
+ printf("No matching whitelist entry.\n");
|
||||||
|
+ else
|
||||||
|
+ errx(1, "Invalid data type %d\n", reason->type);
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ errx(1, "Unknown reason type %d\n", reason->reason);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+get_digest(pesigcheck_context *ctx, SECItem *digest)
|
||||||
|
+{
|
||||||
|
+ struct cms_context *cms = ctx->cms_ctx;
|
||||||
|
+ struct digest *cms_digest = &cms->digests[cms->selected_digest];
|
||||||
|
+
|
||||||
|
+ memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
-check_signature(pesigcheck_context *ctx)
|
||||||
|
+check_signature(pesigcheck_context *ctx, int *nreasons,
|
||||||
|
+ struct reason **reasons)
|
||||||
|
{
|
||||||
|
- int has_valid_cert = 0;
|
||||||
|
- int has_invalid_cert = 0;
|
||||||
|
+ bool has_valid_cert = false;
|
||||||
|
+ bool is_invalid = false;
|
||||||
|
+ struct reason *reasonps = NULL, *reason;
|
||||||
|
+ int num_reasons = 16;
|
||||||
|
+ int nreason = 0;
|
||||||
|
int rc = 0;
|
||||||
|
+ int ret = -1;
|
||||||
|
|
||||||
|
cert_iter iter;
|
||||||
|
|
||||||
|
+ reasonps = calloc(sizeof(struct reason), 512);
|
||||||
|
+ if (!reasonps)
|
||||||
|
+ err(1, "check_signature");
|
||||||
|
+
|
||||||
|
generate_digest(ctx->cms_ctx, ctx->inpe, 1);
|
||||||
|
|
||||||
|
- if (check_db_hash(DBX, ctx) == FOUND)
|
||||||
|
- return -1;
|
||||||
|
+ if (check_db_hash(DBX, ctx) == FOUND) {
|
||||||
|
+ reason = &reasonps[nreason];
|
||||||
|
+ reason->reason = BLACKLISTED;
|
||||||
|
+ reason->type = DIGEST;
|
||||||
|
+ get_digest(ctx, &reason->digest);
|
||||||
|
+ reason += 1;
|
||||||
|
+ is_invalid = true;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (check_db_hash(DB, ctx) == FOUND)
|
||||||
|
- has_valid_cert = 1;
|
||||||
|
+ if (check_db_hash(DB, ctx) == FOUND) {
|
||||||
|
+ reason = &reasonps[nreason];
|
||||||
|
+ reason->reason = WHITELISTED;
|
||||||
|
+ reason->type = DIGEST;
|
||||||
|
+ get_digest(ctx, &reason->digest);
|
||||||
|
+ nreason += 1;
|
||||||
|
+ has_valid_cert = true;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
rc = cert_iter_init(&iter, ctx->inpe);
|
||||||
|
if (rc < 0)
|
||||||
|
@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
|
||||||
|
ssize_t datalen;
|
||||||
|
|
||||||
|
while (1) {
|
||||||
|
+ /*
|
||||||
|
+ * Make sure we always have enough for this iteration of the
|
||||||
|
+ * loop, plus one "NO_WHITELIST" entry at the end.
|
||||||
|
+ */
|
||||||
|
+ if (nreason >= num_reasons - 4) {
|
||||||
|
+ struct reason *new_reasons;
|
||||||
|
+
|
||||||
|
+ num_reasons += 16;
|
||||||
|
+
|
||||||
|
+ new_reasons = calloc(sizeof(struct reason), num_reasons);
|
||||||
|
+ if (!new_reasons)
|
||||||
|
+ err(1, "check_signature");
|
||||||
|
+ reasonps = new_reasons;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rc = next_cert(&iter, &data, &datalen);
|
||||||
|
if (rc <= 0)
|
||||||
|
break;
|
||||||
|
|
||||||
|
- if (cert_matches_digest(ctx, data, datalen) < 0) {
|
||||||
|
- has_invalid_cert = 1;
|
||||||
|
- break;
|
||||||
|
+ reason = &reasonps[nreason];
|
||||||
|
+ if (cert_matches_digest(ctx, data, datalen,
|
||||||
|
+ &reason->digest) < 0) {
|
||||||
|
+ reason->reason = INVALID;
|
||||||
|
+ reason->type = DIGEST;
|
||||||
|
+ nreason += 1;
|
||||||
|
+ is_invalid = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
|
||||||
|
- has_invalid_cert = 1;
|
||||||
|
- break;
|
||||||
|
+ reason = &reasonps[nreason];
|
||||||
|
+ if (check_db_cert(DBX, ctx, data, datalen,
|
||||||
|
+ &reason->db_cert) == FOUND) {
|
||||||
|
+ reason->reason = INVALID;
|
||||||
|
+ reason->type = SIGNATURE;
|
||||||
|
+ reason->sig.data = data;
|
||||||
|
+ reason->sig.len = datalen;
|
||||||
|
+ reason->type = siBuffer;
|
||||||
|
+ nreason += 1;
|
||||||
|
+ is_invalid = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (check_db_cert(DB, ctx, data, datalen) == FOUND)
|
||||||
|
- has_valid_cert = 1;
|
||||||
|
+ reason = &reasonps[nreason];
|
||||||
|
+ if (check_db_cert(DB, ctx, data, datalen,
|
||||||
|
+ &reason->db_cert) == FOUND) {
|
||||||
|
+ reason->reason = WHITELISTED;
|
||||||
|
+ reason->type = SIGNATURE;
|
||||||
|
+ reason->sig.data = data;
|
||||||
|
+ reason->sig.len = datalen;
|
||||||
|
+ reason->type = siBuffer;
|
||||||
|
+ nreason += 1;
|
||||||
|
+ has_valid_cert = true;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
err:
|
||||||
|
- if (has_invalid_cert)
|
||||||
|
- return -1;
|
||||||
|
+ if (has_valid_cert != true) {
|
||||||
|
+ if (is_invalid != true) {
|
||||||
|
+ reason = &reasonps[nreason];
|
||||||
|
+ reason->reason = NO_WHITELIST;
|
||||||
|
+ reason->type = NONE;
|
||||||
|
+ nreason += 1;
|
||||||
|
+ }
|
||||||
|
+ is_invalid = true;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (has_valid_cert)
|
||||||
|
- return 0;
|
||||||
|
+ if (is_invalid == false)
|
||||||
|
+ ret = 0;
|
||||||
|
|
||||||
|
- return -1;
|
||||||
|
+ if (nreasons && reasons) {
|
||||||
|
+ *nreasons = nreason;
|
||||||
|
+ *reasons = reasonps;
|
||||||
|
+ } else {
|
||||||
|
+ free(reasonps);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -204,6 +389,9 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
|
pesigcheck_context ctx, *ctxp = &ctx;
|
||||||
|
|
||||||
|
+ struct reason *reasons = NULL;
|
||||||
|
+ int nreasons = 0;
|
||||||
|
+
|
||||||
|
char *dbfile = NULL;
|
||||||
|
char *dbxfile = NULL;
|
||||||
|
char *certfile = NULL;
|
||||||
|
@@ -242,6 +430,12 @@ main(int argc, char *argv[])
|
||||||
|
.arg = &ctx.quiet,
|
||||||
|
.val = 1,
|
||||||
|
.descrip = "return only; no text output." },
|
||||||
|
+ {.longName = "verbose",
|
||||||
|
+ .shortName = 'v',
|
||||||
|
+ .argInfo = POPT_BIT_SET,
|
||||||
|
+ .arg = &ctx.verbose,
|
||||||
|
+ .val = 1,
|
||||||
|
+ .descrip = "print reasons for success and failure." },
|
||||||
|
{.longName = "no-system-db",
|
||||||
|
.shortName = 'n',
|
||||||
|
.argInfo = POPT_ARG_INT,
|
||||||
|
@@ -308,12 +502,16 @@ main(int argc, char *argv[])
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = check_signature(ctxp);
|
||||||
|
+ rc = check_signature(ctxp, &nreasons, &reasons);
|
||||||
|
|
||||||
|
- close_input(ctxp);
|
||||||
|
+ if (!ctx.quiet && ctx.verbose) {
|
||||||
|
+ for (int i = 0; i < nreasons; i++)
|
||||||
|
+ print_reason(&reasons[i]);
|
||||||
|
+ }
|
||||||
|
if (!ctx.quiet)
|
||||||
|
printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
|
||||||
|
rc >= 0 ? "valid" : "invalid");
|
||||||
|
+ close_input(ctxp);
|
||||||
|
pesigcheck_context_fini(&ctx);
|
||||||
|
|
||||||
|
NSS_Shutdown();
|
||||||
|
diff --git a/src/certdb.h b/src/certdb.h
|
||||||
|
index ccf3c87..8402299 100644
|
||||||
|
--- a/src/certdb.h
|
||||||
|
+++ b/src/certdb.h
|
||||||
|
@@ -43,7 +43,7 @@ typedef struct {
|
||||||
|
|
||||||
|
extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
|
||||||
|
extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
|
||||||
|
- void *data, ssize_t datalen);
|
||||||
|
+ void *data, ssize_t datalen, SECItem *match);
|
||||||
|
|
||||||
|
extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
|
||||||
|
extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
|
||||||
|
diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
|
||||||
|
index 7b5cc89..aec415e 100644
|
||||||
|
--- a/src/pesigcheck_context.h
|
||||||
|
+++ b/src/pesigcheck_context.h
|
||||||
|
@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
|
||||||
|
Pe *inpe;
|
||||||
|
|
||||||
|
int quiet;
|
||||||
|
+ int verbose;
|
||||||
|
|
||||||
|
hashlist *hashes;
|
||||||
|
|
@ -0,0 +1,31 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Cristau <jcristau@debian.org>
|
||||||
|
Date: Sat, 6 May 2017 22:45:34 +0200
|
||||||
|
Subject: [PATCH] Fix race condition in SEC_GetPassword
|
||||||
|
|
||||||
|
A side effect of echoOff is to discard unread input, so if we print the
|
||||||
|
prompt before echoOff, the user (or process) at the other end might
|
||||||
|
react to it by writing the password in between those steps, which is
|
||||||
|
then discarded. This bit me when trying to drive pesign with an expect
|
||||||
|
script.
|
||||||
|
|
||||||
|
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
||||||
|
---
|
||||||
|
src/password.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/password.c b/src/password.c
|
||||||
|
index cd1c07e..d4eae0d 100644
|
||||||
|
--- a/src/password.c
|
||||||
|
+++ b/src/password.c
|
||||||
|
@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
|
||||||
|
for (;;) {
|
||||||
|
/* Prompt for password */
|
||||||
|
if (isTTY) {
|
||||||
|
+ echoOff(infd);
|
||||||
|
fprintf(output, "%s", prompt);
|
||||||
|
fflush (output);
|
||||||
|
- echoOff(infd);
|
||||||
|
}
|
||||||
|
|
||||||
|
fgets ( phrase, sizeof(phrase), input);
|
@ -0,0 +1,24 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: David Michael <david.michael@coreos.com>
|
||||||
|
Date: Tue, 13 Jun 2017 13:20:16 -0700
|
||||||
|
Subject: [PATCH] sysvinit: Create the socket directory at runtime
|
||||||
|
|
||||||
|
This better supports non-systemd configurations with tmpfs on /run.
|
||||||
|
---
|
||||||
|
src/pesign.sysvinit.in | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
|
||||||
|
index d8fffca..dc508d8 100644
|
||||||
|
--- a/src/pesign.sysvinit.in
|
||||||
|
+++ b/src/pesign.sysvinit.in
|
||||||
|
@@ -20,6 +20,9 @@ RETVAL=0
|
||||||
|
|
||||||
|
start(){
|
||||||
|
echo -n "Starting pesign: "
|
||||||
|
+ mkdir /var/run/pesign 2>/dev/null &&
|
||||||
|
+ chown pesign:pesign /var/run/pesign &&
|
||||||
|
+ chmod 0770 /var/run/pesign
|
||||||
|
daemon /usr/bin/pesign --daemonize
|
||||||
|
RETVAL=$?
|
||||||
|
echo
|
@ -0,0 +1,214 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 8 Aug 2017 15:44:44 -0400
|
||||||
|
Subject: [PATCH] Better authorization scripts. Again.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/Makefile | 12 ++++++----
|
||||||
|
src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
src/pesign-authorize-groups | 30 ------------------------
|
||||||
|
src/pesign-authorize-users | 30 ------------------------
|
||||||
|
src/pesign.service.in | 3 +--
|
||||||
|
src/pesign.sysvinit.in | 3 +--
|
||||||
|
6 files changed, 65 insertions(+), 69 deletions(-)
|
||||||
|
create mode 100755 src/pesign-authorize
|
||||||
|
delete mode 100644 src/pesign-authorize-groups
|
||||||
|
delete mode 100644 src/pesign-authorize-users
|
||||||
|
|
||||||
|
diff --git a/src/Makefile b/src/Makefile
|
||||||
|
index 654b792..84ad130 100644
|
||||||
|
--- a/src/Makefile
|
||||||
|
+++ b/src/Makefile
|
||||||
|
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
|
||||||
|
|
||||||
|
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
|
||||||
|
SVCTARGETS=pesign.sysvinit pesign.service
|
||||||
|
-TARGETS=$(BINTARGETS) $(SVCTARGETS)
|
||||||
|
+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
|
||||||
|
|
||||||
|
all : deps $(TARGETS)
|
||||||
|
|
||||||
|
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
|
||||||
|
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
|
||||||
|
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
|
||||||
|
|
||||||
|
+pesign-users pesign-groups :
|
||||||
|
+ echo pesign > $@
|
||||||
|
+
|
||||||
|
install :
|
||||||
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
||||||
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
||||||
|
@@ -88,10 +91,9 @@ install :
|
||||||
|
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
|
||||||
|
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
||||||
|
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
||||||
|
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
|
||||||
|
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
|
||||||
|
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
||||||
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
||||||
|
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
|
||||||
|
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
|
||||||
|
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
|
||||||
|
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
|
||||||
|
|
||||||
|
.PHONY: all deps clean install
|
||||||
|
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
||||||
|
new file mode 100755
|
||||||
|
index 0000000..a496f60
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/pesign-authorize
|
||||||
|
@@ -0,0 +1,56 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+set -e
|
||||||
|
+set -u
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
||||||
|
+# acls for specific users is useful
|
||||||
|
+#
|
||||||
|
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+# License: GPLv2
|
||||||
|
+declare -a fileusers=()
|
||||||
|
+declare -a dirusers=()
|
||||||
|
+for user in $(cat /etc/pesign/users); do
|
||||||
|
+ dirusers[${#dirusers[@]}]=-m
|
||||||
|
+ dirusers[${#dirusers[@]}]="u:$user:rwx"
|
||||||
|
+ fileusers[${#fileusers[@]}]=-m
|
||||||
|
+ fileusers[${#fileusers[@]}]="u:$user:rw"
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
+declare -a filegroups=()
|
||||||
|
+declare -a dirgroups=()
|
||||||
|
+for group in $(cat /etc/pesign/groups); do
|
||||||
|
+ dirgroups[${#dirgroups[@]}]=-m
|
||||||
|
+ dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
||||||
|
+ filegroups[${#filegroups[@]}]=-m
|
||||||
|
+ filegroups[${#filegroups[@]}]="g:$group:rw"
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
+update_subdir() {
|
||||||
|
+ subdir=$1 && shift
|
||||||
|
+
|
||||||
|
+ setfacl -bk "${subdir}"
|
||||||
|
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
||||||
|
+ for x in "${subdir}"* ; do
|
||||||
|
+ if [ -d "${x}" ]; then
|
||||||
|
+ setfacl -bk ${x}
|
||||||
|
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
||||||
|
+ update_subdir "${x}/"
|
||||||
|
+ elif [ -e "${x}" ]; then
|
||||||
|
+ setfacl -bk ${x}
|
||||||
|
+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
||||||
|
+ else
|
||||||
|
+ :;
|
||||||
|
+ fi
|
||||||
|
+ done
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
|
||||||
|
+ if [ -d "${x}" ]; then
|
||||||
|
+ update_subdir "${x}"
|
||||||
|
+ else
|
||||||
|
+ :;
|
||||||
|
+ fi
|
||||||
|
+done
|
||||||
|
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||||
|
deleted file mode 100644
|
||||||
|
index cf51fb6..0000000
|
||||||
|
--- a/src/pesign-authorize-groups
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1,30 +0,0 @@
|
||||||
|
-#!/bin/bash
|
||||||
|
-set -e
|
||||||
|
-
|
||||||
|
-#
|
||||||
|
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
||||||
|
-# acls for specific groups is useful
|
||||||
|
-#
|
||||||
|
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
||||||
|
-#
|
||||||
|
-
|
||||||
|
-# License: GPLv2
|
||||||
|
-
|
||||||
|
-if [ -r /etc/pesign/groups ]; then
|
||||||
|
- for group in $(cat /etc/pesign/groups); do
|
||||||
|
- if [ -d /var/run/pesign ]; then
|
||||||
|
- setfacl -m g:${group}:rx /var/run/pesign
|
||||||
|
- if [ -e /var/run/pesign/socket ]; then
|
||||||
|
- setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||||
|
- fi
|
||||||
|
- fi
|
||||||
|
- for x in /etc/pki/pesign*/ ; do
|
||||||
|
- if [ -d ${x} ]; then
|
||||||
|
- setfacl -m g:${group}:rx ${x}
|
||||||
|
- for y in ${x}{cert8,key3,secmod}.db ; do
|
||||||
|
- setfacl -m g:${group}:rw ${y}
|
||||||
|
- done
|
||||||
|
- fi
|
||||||
|
- done
|
||||||
|
- done
|
||||||
|
-fi
|
||||||
|
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||||
|
deleted file mode 100644
|
||||||
|
index 940138e..0000000
|
||||||
|
--- a/src/pesign-authorize-users
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1,30 +0,0 @@
|
||||||
|
-#!/bin/bash
|
||||||
|
-set -e
|
||||||
|
-
|
||||||
|
-#
|
||||||
|
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
||||||
|
-# acls for specific users is useful
|
||||||
|
-#
|
||||||
|
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
||||||
|
-#
|
||||||
|
-
|
||||||
|
-# License: GPLv2
|
||||||
|
-
|
||||||
|
-if [ -r /etc/pesign/users ]; then
|
||||||
|
- for username in $(cat /etc/pesign/users); do
|
||||||
|
- if [ -d /var/run/pesign ]; then
|
||||||
|
- setfacl -m g:${username}:rx /var/run/pesign
|
||||||
|
- if [ -e /var/run/pesign/socket ]; then
|
||||||
|
- setfacl -m g:${username}:rw /var/run/pesign/socket
|
||||||
|
- fi
|
||||||
|
- fi
|
||||||
|
- for x in /etc/pki/pesign*/ ; do
|
||||||
|
- if [ -d ${x} ]; then
|
||||||
|
- setfacl -m g:${username}:rx ${x}
|
||||||
|
- for y in ${x}{cert8,key3,secmod}.db ; do
|
||||||
|
- setfacl -m g:${username}:rw ${y}
|
||||||
|
- done
|
||||||
|
- fi
|
||||||
|
- done
|
||||||
|
- done
|
||||||
|
-fi
|
||||||
|
diff --git a/src/pesign.service.in b/src/pesign.service.in
|
||||||
|
index aaa408e..c75a000 100644
|
||||||
|
--- a/src/pesign.service.in
|
||||||
|
+++ b/src/pesign.service.in
|
||||||
|
@@ -6,5 +6,4 @@ PrivateTmp=true
|
||||||
|
Type=forking
|
||||||
|
PIDFile=/var/run/pesign.pid
|
||||||
|
ExecStart=/usr/bin/pesign --daemonize
|
||||||
|
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
|
||||||
|
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
|
||||||
|
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
||||||
|
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
|
||||||
|
index dc508d8..b0e0f84 100644
|
||||||
|
--- a/src/pesign.sysvinit.in
|
||||||
|
+++ b/src/pesign.sysvinit.in
|
||||||
|
@@ -27,8 +27,7 @@ start(){
|
||||||
|
RETVAL=$?
|
||||||
|
echo
|
||||||
|
touch /var/lock/subsys/pesign
|
||||||
|
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
|
||||||
|
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
|
||||||
|
+ @@LIBEXECDIR@@/pesign/pesign-authorize
|
||||||
|
}
|
||||||
|
|
||||||
|
stop(){
|
@ -0,0 +1,91 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 8 Aug 2017 17:28:19 -0400
|
||||||
|
Subject: [PATCH] Make the daemon also try to give better errors on -EPERM etc.
|
||||||
|
|
||||||
|
Basically 6796e5f but also for the daemon. This also tries to fix them
|
||||||
|
up to save errno better, for more accurate reporting.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/daemon.c | 27 +++++++++++++++++++++++++--
|
||||||
|
src/pesign.c | 8 ++++++--
|
||||||
|
2 files changed, 31 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/daemon.c b/src/daemon.c
|
||||||
|
index 7f694b2..942d576 100644
|
||||||
|
--- a/src/daemon.c
|
||||||
|
+++ b/src/daemon.c
|
||||||
|
@@ -19,6 +19,7 @@
|
||||||
|
|
||||||
|
#include <errno.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
+#include <glob.h>
|
||||||
|
#include <poll.h>
|
||||||
|
#include <pwd.h>
|
||||||
|
#include <signal.h>
|
||||||
|
@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
|
||||||
|
"pesignd starting (pid %d)", ctx.pid);
|
||||||
|
|
||||||
|
SECStatus status = NSS_Init(certdir);
|
||||||
|
+ int error = errno;
|
||||||
|
if (status != SECSuccess) {
|
||||||
|
+ char *globpattern = NULL;
|
||||||
|
+ rc = asprintf(&globpattern, "%s/cert*.db",
|
||||||
|
+ certdir);
|
||||||
|
+ if (rc > 0) {
|
||||||
|
+ glob_t globbuf;
|
||||||
|
+ memset(&globbuf, 0, sizeof(globbuf));
|
||||||
|
+ rc = glob(globpattern, GLOB_ERR, NULL,
|
||||||
|
+ &globbuf);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ errno = error;
|
||||||
|
+ ctx.backup_cms->log(ctx.backup_cms,
|
||||||
|
+ ctx.priority|LOG_NOTICE,
|
||||||
|
+ "Could not open NSS database (\"%s\"): %m",
|
||||||
|
+ PORT_ErrorToString(PORT_GetError()));
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (status != SECSuccess) {
|
||||||
|
+ errno = error;
|
||||||
|
ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
|
||||||
|
- "Could not initialize nss: %s\n",
|
||||||
|
- PORT_ErrorToString(PORT_GetError()));
|
||||||
|
+ "Could not initialize nss.\n"
|
||||||
|
+ "NSS says \"%s\" errno says \"%m\"\n",
|
||||||
|
+ PORT_ErrorToString(PORT_GetError()));
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/pesign.c b/src/pesign.c
|
||||||
|
index 5879cfc..6ceda34 100644
|
||||||
|
--- a/src/pesign.c
|
||||||
|
+++ b/src/pesign.c
|
||||||
|
@@ -660,10 +660,12 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
|
if (!daemon) {
|
||||||
|
SECStatus status;
|
||||||
|
+ int error;
|
||||||
|
if (need_db) {
|
||||||
|
status = NSS_Init(certdir);
|
||||||
|
if (status != SECSuccess) {
|
||||||
|
char *globpattern = NULL;
|
||||||
|
+ error = errno;
|
||||||
|
rc = asprintf(&globpattern, "%s/cert*.db",
|
||||||
|
certdir);
|
||||||
|
if (rc > 0) {
|
||||||
|
@@ -680,8 +682,10 @@ main(int argc, char *argv[])
|
||||||
|
} else
|
||||||
|
status = NSS_NoDB_Init(NULL);
|
||||||
|
if (status != SECSuccess) {
|
||||||
|
- errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
|
||||||
|
- PORT_ErrorToString(PORT_GetError()));
|
||||||
|
+ errno = error;
|
||||||
|
+ errx(1, "Could not initialize nss.\n"
|
||||||
|
+ "NSS says \"%s\" errno says \"%m\"\n",
|
||||||
|
+ PORT_ErrorToString(PORT_GetError()));
|
||||||
|
}
|
||||||
|
|
||||||
|
status = register_oids(ctxp->cms_ctx);
|
@ -0,0 +1,28 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Wed, 9 Aug 2017 17:40:33 -0400
|
||||||
|
Subject: [PATCH] certdb: fix PRTime printfs for i686
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/certdb.c | 5 ++---
|
||||||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/certdb.c b/src/certdb.c
|
||||||
|
index fae80af..29c9502 100644
|
||||||
|
--- a/src/certdb.c
|
||||||
|
+++ b/src/certdb.c
|
||||||
|
@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (lateNow < earlyNow)
|
||||||
|
- printf("Signature has impossible time constraint: %ld <= %ld\n",
|
||||||
|
- earlyNow / 1000000, lateNow / 1000000);
|
||||||
|
+ printf("Signature has impossible time constraint: %lld <= %lld\n",
|
||||||
|
+ earlyNow / 1000000LL, lateNow / 1000000LL);
|
||||||
|
atTime = earlyNow / 2 + lateNow / 2;
|
||||||
|
|
||||||
|
-
|
||||||
|
cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
|
||||||
|
NULL, NULL);
|
||||||
|
if (!cinfo)
|
@ -0,0 +1,38 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Thu, 10 Aug 2017 10:02:38 -0400
|
||||||
|
Subject: [PATCH] Clean up gcc command lines a little
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
Make.defaults | 9 ++++-----
|
||||||
|
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Make.defaults b/Make.defaults
|
||||||
|
index 39b78f0..b6c0381 100644
|
||||||
|
--- a/Make.defaults
|
||||||
|
+++ b/Make.defaults
|
||||||
|
@@ -20,8 +20,7 @@ CROSS_COMPILE ?= $(bindir)
|
||||||
|
PKG_CONFIG = $(CROSS_COMPILE)pkg-config
|
||||||
|
CC := $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
|
||||||
|
CCLD := $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
|
||||||
|
-CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
|
||||||
|
- -Wall -Werror -Wextra -Wno-error=cpp
|
||||||
|
+CFLAGS ?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp
|
||||||
|
AS := $(CROSS_COMPILE)as
|
||||||
|
AR := $(CROSS_COMPILE)gcc-ar
|
||||||
|
RANLIB := $(CROSS_COMPILE)gcc-ranlib
|
||||||
|
@@ -36,10 +35,10 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
|
||||||
|
|
||||||
|
SOFLAGS = -shared
|
||||||
|
clang_cflags =
|
||||||
|
-gcc_cflags = -Wmaybe-uninitialized
|
||||||
|
+gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches
|
||||||
|
cflags = $(CFLAGS) $(ARCH3264) \
|
||||||
|
- -Wall -Werror -Wno-cpp -Wsign-compare -Wno-unused-result \
|
||||||
|
- -Wno-unused-function\
|
||||||
|
+ -Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \
|
||||||
|
+ -Wno-unused-function -Wsign-compare \
|
||||||
|
-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
|
||||||
|
-fno-merge-constants -fkeep-inline-functions \
|
||||||
|
-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
|
@ -0,0 +1,51 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Thu, 10 Aug 2017 10:03:37 -0400
|
||||||
|
Subject: [PATCH] Make pesign-{users,groups} static in the repo.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/Makefile | 5 +----
|
||||||
|
src/pesign-groups | 1 +
|
||||||
|
src/pesign-users | 1 +
|
||||||
|
3 files changed, 3 insertions(+), 4 deletions(-)
|
||||||
|
create mode 100644 src/pesign-groups
|
||||||
|
create mode 100644 src/pesign-users
|
||||||
|
|
||||||
|
diff --git a/src/Makefile b/src/Makefile
|
||||||
|
index 84ad130..7d68fa1 100644
|
||||||
|
--- a/src/Makefile
|
||||||
|
+++ b/src/Makefile
|
||||||
|
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
|
||||||
|
|
||||||
|
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
|
||||||
|
SVCTARGETS=pesign.sysvinit pesign.service
|
||||||
|
-TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
|
||||||
|
+TARGETS=$(BINTARGETS) $(SVCTARGETS)
|
||||||
|
|
||||||
|
all : deps $(TARGETS)
|
||||||
|
|
||||||
|
@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit
|
||||||
|
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
|
||||||
|
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
|
||||||
|
|
||||||
|
-pesign-users pesign-groups :
|
||||||
|
- echo pesign > $@
|
||||||
|
-
|
||||||
|
install :
|
||||||
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
||||||
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
||||||
|
diff --git a/src/pesign-groups b/src/pesign-groups
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..7f57cc5
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/pesign-groups
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+pesign
|
||||||
|
diff --git a/src/pesign-users b/src/pesign-users
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..7f57cc5
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/pesign-users
|
||||||
|
@@ -0,0 +1 @@
|
||||||
|
+pesign
|
@ -0,0 +1,40 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Wed, 9 Aug 2017 17:31:31 -0400
|
||||||
|
Subject: [PATCH] rpm: Make the client signer use the fedora values unless
|
||||||
|
overridden
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
src/macros.pesign | 9 ++++++---
|
||||||
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index 69280e9..22a3ee6 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -9,6 +9,9 @@
|
||||||
|
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
||||||
|
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||||
|
|
||||||
|
+%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}}
|
||||||
|
+%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}}
|
||||||
|
+
|
||||||
|
%_pesign /usr/bin/pesign
|
||||||
|
%_pesign_client /usr/bin/pesign-client
|
||||||
|
|
||||||
|
@@ -41,11 +44,11 @@
|
||||||
|
--certdir ${nss} -c signer %{-o} \
|
||||||
|
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||||
|
elif [ -S /var/run/pesign/socket ]; then \
|
||||||
|
- %{_pesign_client} -t %{__pesign_token} \\\
|
||||||
|
- -c %{__pesign_cert} \\\
|
||||||
|
+ %{_pesign_client} -t %{__pesign_client_token} \\\
|
||||||
|
+ -c %{__pesign_client_cert} \\\
|
||||||
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
else \
|
||||||
|
- %{_pesign} -t %{__pesign_token} -c %{__pesign_cert} \\\
|
||||||
|
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
||||||
|
--certdir ${_pesign_nssdir} \\\
|
||||||
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
fi \
|
@ -0,0 +1,36 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Mon, 14 Aug 2017 11:37:43 -0400
|
||||||
|
Subject: [PATCH] Make macros.pesign error in kojibuilder if we don't have
|
||||||
|
perms on the socket
|
||||||
|
|
||||||
|
---
|
||||||
|
src/macros.pesign | 15 +++++++++++++++
|
||||||
|
1 file changed, 15 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index 22a3ee6..dfdac02 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -43,6 +43,21 @@
|
||||||
|
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
|
||||||
|
--certdir ${nss} -c signer %{-o} \
|
||||||
|
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
|
||||||
|
+ elif [ "%{vendor}" == "Fedora Project" -a \\\
|
||||||
|
+ "$(id -un)" == "mockbuild" -a \\\
|
||||||
|
+ "$(uname -m)" == "x86_64" ] && \\\
|
||||||
|
+ grep -q ID=fedora /etc/os-release && \\\
|
||||||
|
+ [[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
|
||||||
|
+ ! [ -S /var/run/pesign/socket ]; then \
|
||||||
|
+ echo "No socket even though this is %{_buildhost}" \
|
||||||
|
+ ls -ld /var/run/pesign || : \
|
||||||
|
+ getfacl /var/run/pesign || : \
|
||||||
|
+ ls -l /var/run/pesign/socket || : \
|
||||||
|
+ getfacl /var/run/pesign/socket || : \
|
||||||
|
+ echo =========== env ============== \
|
||||||
|
+ set \
|
||||||
|
+ echo =========== env ============== \
|
||||||
|
+ exit 1 \
|
||||||
|
elif [ -S /var/run/pesign/socket ]; then \
|
||||||
|
%{_pesign_client} -t %{__pesign_client_token} \\\
|
||||||
|
-c %{__pesign_client_cert} \\\
|
@ -0,0 +1,148 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Date: Mon, 8 Nov 2021 17:58:09 -0500
|
||||||
|
Subject: [PATCH] Replace /var/run with /run
|
||||||
|
|
||||||
|
This change is in violation of the FHS and is forced by systemd being
|
||||||
|
obnoxious and logging warnings about it as if it's some kind of problem.
|
||||||
|
|
||||||
|
This commit is a subset of the work in
|
||||||
|
02d473fbfd782863a0dcef7e44822d1e7e56a4b3,
|
||||||
|
f97d3b04a2eafb42272ede24e1353dd0a7f4347c,
|
||||||
|
5f9058677e7241cc88b4e8620654bbaa08a4bce4, and
|
||||||
|
cffa10d9b5eec9a9def3533b181a32b64fc29913 (all by pjones) because they
|
||||||
|
don't backport well.
|
||||||
|
|
||||||
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
---
|
||||||
|
src/daemon.h | 4 ++--
|
||||||
|
src/Makefile | 2 +-
|
||||||
|
src/macros.pesign | 12 ++++++------
|
||||||
|
src/pesign-authorize | 2 +-
|
||||||
|
src/pesign.service.in | 2 +-
|
||||||
|
src/pesign.sysvinit.in | 10 +++++-----
|
||||||
|
src/tmpfiles.conf | 2 +-
|
||||||
|
7 files changed, 17 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/daemon.h b/src/daemon.h
|
||||||
|
index d97eab9..db42c16 100644
|
||||||
|
--- a/src/daemon.h
|
||||||
|
+++ b/src/daemon.h
|
||||||
|
@@ -49,7 +49,7 @@ typedef enum {
|
||||||
|
} pesignd_cmd;
|
||||||
|
|
||||||
|
#define PESIGND_VERSION 0x2a9edaf0
|
||||||
|
-#define SOCKPATH "/var/run/pesign/socket"
|
||||||
|
-#define PIDFILE "/var/run/pesign.pid"
|
||||||
|
+#define SOCKPATH "/run/pesign/socket"
|
||||||
|
+#define PIDFILE "/run/pesign.pid"
|
||||||
|
|
||||||
|
#endif /* DAEMON_H */
|
||||||
|
diff --git a/src/Makefile b/src/Makefile
|
||||||
|
index 7d68fa1..a11e2b4 100644
|
||||||
|
--- a/src/Makefile
|
||||||
|
+++ b/src/Makefile
|
||||||
|
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
|
||||||
|
install :
|
||||||
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
||||||
|
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
||||||
|
- $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
|
||||||
|
+ $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
|
||||||
|
$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
|
||||||
|
$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
|
||||||
|
$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
|
||||||
|
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||||
|
index dfdac02..f135c29 100644
|
||||||
|
--- a/src/macros.pesign
|
||||||
|
+++ b/src/macros.pesign
|
||||||
|
@@ -48,17 +48,17 @@
|
||||||
|
"$(uname -m)" == "x86_64" ] && \\\
|
||||||
|
grep -q ID=fedora /etc/os-release && \\\
|
||||||
|
[[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
|
||||||
|
- ! [ -S /var/run/pesign/socket ]; then \
|
||||||
|
+ ! [ -S /run/pesign/socket ]; then \
|
||||||
|
echo "No socket even though this is %{_buildhost}" \
|
||||||
|
- ls -ld /var/run/pesign || : \
|
||||||
|
- getfacl /var/run/pesign || : \
|
||||||
|
- ls -l /var/run/pesign/socket || : \
|
||||||
|
- getfacl /var/run/pesign/socket || : \
|
||||||
|
+ ls -ld /run/pesign || : \
|
||||||
|
+ getfacl /run/pesign || : \
|
||||||
|
+ ls -l /run/pesign/socket || : \
|
||||||
|
+ getfacl /run/pesign/socket || : \
|
||||||
|
echo =========== env ============== \
|
||||||
|
set \
|
||||||
|
echo =========== env ============== \
|
||||||
|
exit 1 \
|
||||||
|
- elif [ -S /var/run/pesign/socket ]; then \
|
||||||
|
+ elif [ -S /run/pesign/socket ]; then \
|
||||||
|
%{_pesign_client} -t %{__pesign_client_token} \\\
|
||||||
|
-c %{__pesign_client_cert} \\\
|
||||||
|
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||||
|
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
||||||
|
index a496f60..83a30cd 100755
|
||||||
|
--- a/src/pesign-authorize
|
||||||
|
+++ b/src/pesign-authorize
|
||||||
|
@@ -47,7 +47,7 @@ update_subdir() {
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
|
||||||
|
+for x in /run/pesign/ /etc/pki/pesign*/ ; do
|
||||||
|
if [ -d "${x}" ]; then
|
||||||
|
update_subdir "${x}"
|
||||||
|
else
|
||||||
|
diff --git a/src/pesign.service.in b/src/pesign.service.in
|
||||||
|
index c75a000..4ac2199 100644
|
||||||
|
--- a/src/pesign.service.in
|
||||||
|
+++ b/src/pesign.service.in
|
||||||
|
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
|
||||||
|
[Service]
|
||||||
|
PrivateTmp=true
|
||||||
|
Type=forking
|
||||||
|
-PIDFile=/var/run/pesign.pid
|
||||||
|
+PIDFile=/run/pesign.pid
|
||||||
|
ExecStart=/usr/bin/pesign --daemonize
|
||||||
|
ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
||||||
|
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
|
||||||
|
index b0e0f84..bf8edec 100644
|
||||||
|
--- a/src/pesign.sysvinit.in
|
||||||
|
+++ b/src/pesign.sysvinit.in
|
||||||
|
@@ -4,7 +4,7 @@
|
||||||
|
#
|
||||||
|
# chkconfig: - 50 50
|
||||||
|
# processname: /usr/bin/pesign
|
||||||
|
-# pidfile: /var/run/pesign.pid
|
||||||
|
+# pidfile: /run/pesign.pid
|
||||||
|
### BEGIN INIT INFO
|
||||||
|
# Provides: pesign
|
||||||
|
# Default-Start:
|
||||||
|
@@ -20,9 +20,9 @@ RETVAL=0
|
||||||
|
|
||||||
|
start(){
|
||||||
|
echo -n "Starting pesign: "
|
||||||
|
- mkdir /var/run/pesign 2>/dev/null &&
|
||||||
|
- chown pesign:pesign /var/run/pesign &&
|
||||||
|
- chmod 0770 /var/run/pesign
|
||||||
|
+ mkdir /run/pesign 2>/dev/null &&
|
||||||
|
+ chown pesign:pesign /run/pesign &&
|
||||||
|
+ chmod 0770 /run/pesign
|
||||||
|
daemon /usr/bin/pesign --daemonize
|
||||||
|
RETVAL=$?
|
||||||
|
echo
|
||||||
|
@@ -32,7 +32,7 @@ start(){
|
||||||
|
|
||||||
|
stop(){
|
||||||
|
echo -n "Stopping pesign: "
|
||||||
|
- killproc -p /var/run/pesign.pid pesignd
|
||||||
|
+ killproc -p /run/pesign.pid pesignd
|
||||||
|
RETVAL=$?
|
||||||
|
echo
|
||||||
|
rm -f /var/lock/subsys/pesign
|
||||||
|
diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
|
||||||
|
index c1cf355..3375ad5 100644
|
||||||
|
--- a/src/tmpfiles.conf
|
||||||
|
+++ b/src/tmpfiles.conf
|
||||||
|
@@ -1 +1 @@
|
||||||
|
-D /var/run/pesign 0770 pesign pesign -
|
||||||
|
+D /run/pesign 0770 pesign pesign -
|
@ -0,0 +1,43 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 14 May 2019 11:28:38 -0400
|
||||||
|
Subject: [PATCH] efikeygen: Fix the build with nss 3.44
|
||||||
|
|
||||||
|
NSS 3.44 adds some certificate types, which changes a type and makes
|
||||||
|
some encoding stuff weird. As a result, we get:
|
||||||
|
|
||||||
|
gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
|
||||||
|
In file included from /usr/local/include/nss/nss/cert.h:22,
|
||||||
|
from efikeygen.c:39:
|
||||||
|
efikeygen.c: In function 'add_cert_type':
|
||||||
|
/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
|
||||||
|
(NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
|
||||||
|
^
|
||||||
|
efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
|
||||||
|
unsigned char type = NS_CERT_TYPE_APP;
|
||||||
|
^~~~~~~~~~~~~~~~
|
||||||
|
cc1: all warnings being treated as errors
|
||||||
|
|
||||||
|
This is fixed by just making it an int.
|
||||||
|
|
||||||
|
Fixes github issue #48.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
(cherry picked from commit b535d1ac5cbcdf18a97d97a92581e38080d9e521)
|
||||||
|
---
|
||||||
|
src/efikeygen.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/efikeygen.c b/src/efikeygen.c
|
||||||
|
index 9390578..089e6a7 100644
|
||||||
|
--- a/src/efikeygen.c
|
||||||
|
+++ b/src/efikeygen.c
|
||||||
|
@@ -206,7 +206,7 @@ static int
|
||||||
|
add_cert_type(cms_context *cms, void *extHandle, int is_ca)
|
||||||
|
{
|
||||||
|
SECItem bitStringValue;
|
||||||
|
- unsigned char type = NS_CERT_TYPE_APP;
|
||||||
|
+ int type = NS_CERT_TYPE_APP;
|
||||||
|
|
||||||
|
if (is_ca)
|
||||||
|
type |= NS_CERT_TYPE_SSL_CA |
|
@ -0,0 +1,82 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
Date: Wed, 18 Jan 2023 14:00:22 -0500
|
||||||
|
Subject: [PATCH] Use normal file permissions instead of ACLs
|
||||||
|
|
||||||
|
Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
|
||||||
|
|
||||||
|
pesign-authorize is now deprecated and will be removed in a future
|
||||||
|
release.
|
||||||
|
|
||||||
|
Resolves: CVE-2022-3560
|
||||||
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||||
|
(cherry picked from commit 21d0c7afe0c0c23eee72a5e144995f0acb73b763)
|
||||||
|
---
|
||||||
|
src/pesign-authorize | 53 +++++-----------------------------------------------
|
||||||
|
1 file changed, 5 insertions(+), 48 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
||||||
|
index 83a30cd..b4e89e0 100755
|
||||||
|
--- a/src/pesign-authorize
|
||||||
|
+++ b/src/pesign-authorize
|
||||||
|
@@ -2,55 +2,12 @@
|
||||||
|
set -e
|
||||||
|
set -u
|
||||||
|
|
||||||
|
-#
|
||||||
|
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
||||||
|
-# acls for specific users is useful
|
||||||
|
-#
|
||||||
|
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
||||||
|
-#
|
||||||
|
-
|
||||||
|
# License: GPLv2
|
||||||
|
-declare -a fileusers=()
|
||||||
|
-declare -a dirusers=()
|
||||||
|
-for user in $(cat /etc/pesign/users); do
|
||||||
|
- dirusers[${#dirusers[@]}]=-m
|
||||||
|
- dirusers[${#dirusers[@]}]="u:$user:rwx"
|
||||||
|
- fileusers[${#fileusers[@]}]=-m
|
||||||
|
- fileusers[${#fileusers[@]}]="u:$user:rw"
|
||||||
|
-done
|
||||||
|
-
|
||||||
|
-declare -a filegroups=()
|
||||||
|
-declare -a dirgroups=()
|
||||||
|
-for group in $(cat /etc/pesign/groups); do
|
||||||
|
- dirgroups[${#dirgroups[@]}]=-m
|
||||||
|
- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
||||||
|
- filegroups[${#filegroups[@]}]=-m
|
||||||
|
- filegroups[${#filegroups[@]}]="g:$group:rw"
|
||||||
|
-done
|
||||||
|
-
|
||||||
|
-update_subdir() {
|
||||||
|
- subdir=$1 && shift
|
||||||
|
|
||||||
|
- setfacl -bk "${subdir}"
|
||||||
|
- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
||||||
|
- for x in "${subdir}"* ; do
|
||||||
|
- if [ -d "${x}" ]; then
|
||||||
|
- setfacl -bk ${x}
|
||||||
|
- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
||||||
|
- update_subdir "${x}/"
|
||||||
|
- elif [ -e "${x}" ]; then
|
||||||
|
- setfacl -bk ${x}
|
||||||
|
- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
||||||
|
- else
|
||||||
|
- :;
|
||||||
|
- fi
|
||||||
|
- done
|
||||||
|
-}
|
||||||
|
+# This script is deprecated and will be removed in a future release.
|
||||||
|
|
||||||
|
-for x in /run/pesign/ /etc/pki/pesign*/ ; do
|
||||||
|
- if [ -d "${x}" ]; then
|
||||||
|
- update_subdir "${x}"
|
||||||
|
- else
|
||||||
|
- :;
|
||||||
|
- fi
|
||||||
|
+sleep 3
|
||||||
|
+for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
|
||||||
|
+ chown -R pesign:pesign "${x}" || true
|
||||||
|
+ chmod -R ug+rwX "${x}" || true
|
||||||
|
done
|
@ -0,0 +1,32 @@
|
|||||||
|
Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
|
||||||
|
Patch0002: 0002-Fix-command-line-parsing.patch
|
||||||
|
Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
|
||||||
|
Patch0004: 0004-Fix-certficate-argument-name.patch
|
||||||
|
Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
|
||||||
|
Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
|
||||||
|
Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
|
||||||
|
Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
|
||||||
|
Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
|
||||||
|
Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
|
||||||
|
Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
|
||||||
|
Patch0012: 0012-Add-coverity-build-scripts.patch
|
||||||
|
Patch0013: 0013-Document-implicit-fallthrough.patch
|
||||||
|
Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
|
||||||
|
Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
|
||||||
|
Patch0016: 0016-efikeygen-add-modsign.patch
|
||||||
|
Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
|
||||||
|
Patch0018: 0018-show-which-db-we-re-checking.patch
|
||||||
|
Patch0019: 0019-more-about-the-time.patch
|
||||||
|
Patch0020: 0020-try-to-say-why-something-fails.patch
|
||||||
|
Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
|
||||||
|
Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
|
||||||
|
Patch0023: 0023-Better-authorization-scripts.-Again.patch
|
||||||
|
Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
|
||||||
|
Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
|
||||||
|
Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
|
||||||
|
Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
|
||||||
|
Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
|
||||||
|
Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
|
||||||
|
Patch0030: 0030-Replace-var-run-with-run.patch
|
||||||
|
Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
|
||||||
|
Patch0032: 0032-Use-normal-file-permissions-instead-of-ACLs.patch
|
@ -0,0 +1,91 @@
|
|||||||
|
#!/usr/bin/python3
|
||||||
|
#
|
||||||
|
# Copyright 2017 Peter Jones <Peter Jones@random>
|
||||||
|
#
|
||||||
|
# Distributed under terms of the GPLv3 license.
|
||||||
|
|
||||||
|
"""
|
||||||
|
mock plugin to make sure pesign and mockbuild users have the right uid and
|
||||||
|
gid.
|
||||||
|
"""
|
||||||
|
|
||||||
|
from mockbuild.trace_decorator import getLog, traceLog
|
||||||
|
import mockbuild.util
|
||||||
|
|
||||||
|
requires_api_version = "1.1"
|
||||||
|
|
||||||
|
@traceLog()
|
||||||
|
def init(plugins, conf, buildroot):
|
||||||
|
""" hello """
|
||||||
|
Pesign(plugins, conf, buildroot)
|
||||||
|
|
||||||
|
def getuid(name):
|
||||||
|
""" get a uid for a user name """
|
||||||
|
output = mockbuild.util.do(["getent", "passwd", "%s" % (name,)],
|
||||||
|
returnOutput=1, printOutput=True)
|
||||||
|
output = output.split(':')
|
||||||
|
return output[2], output[3]
|
||||||
|
|
||||||
|
def getgid(name):
|
||||||
|
""" get a gid for a group name """
|
||||||
|
output = mockbuild.util.do(["getent", "group", "%s" % (name,)],
|
||||||
|
returnOutput=1, printOutput=True)
|
||||||
|
return output.split(':')[2]
|
||||||
|
|
||||||
|
def newgroup(name, gid, rootdir):
|
||||||
|
""" create a group with a gid """
|
||||||
|
getLog().info("creating group %s with gid %s" % (name, gid))
|
||||||
|
mockbuild.util.do(["groupadd",
|
||||||
|
"-g", "%s" % (gid,),
|
||||||
|
"-R", "%s" % (rootdir,),
|
||||||
|
"%s" % (name,),
|
||||||
|
])
|
||||||
|
|
||||||
|
def newuser(name, uid, gid, rootdir):
|
||||||
|
""" create a user with a uid """
|
||||||
|
getLog().info("creating user %s with uid %s" % (name, uid))
|
||||||
|
mockbuild.util.do(["useradd",
|
||||||
|
"-u", "%s" % (uid,),
|
||||||
|
"-g", "%s" % (gid,),
|
||||||
|
"-R", "%s" % (rootdir,),
|
||||||
|
"%s" % (name,)])
|
||||||
|
|
||||||
|
class Pesign(object):
|
||||||
|
""" Creates some stuff in our mock root """
|
||||||
|
# pylint: disable=too-few-public-methods
|
||||||
|
@traceLog()
|
||||||
|
def __init__(self, plugins, conf, buildroot):
|
||||||
|
""" Effectively we're doing:
|
||||||
|
getent group pesign >/dev/null || groupadd -r pesign
|
||||||
|
getent passwd pesign >/dev/null || \
|
||||||
|
useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
|
||||||
|
-c "Group for the pesign signing daemon" pesign
|
||||||
|
"""
|
||||||
|
|
||||||
|
self.buildroot = buildroot
|
||||||
|
self.pesign_opts = conf
|
||||||
|
self.config = buildroot.config
|
||||||
|
self.state = buildroot.state
|
||||||
|
self.users = {}
|
||||||
|
self.groups = {}
|
||||||
|
plugins.add_hook("postinit", self._pesignPostInitHook)
|
||||||
|
|
||||||
|
@traceLog()
|
||||||
|
def _pesignPostInitHook(self):
|
||||||
|
""" find our uid and gid lists """
|
||||||
|
for user in self.pesign_opts['users']:
|
||||||
|
uid, gid = getuid(user)
|
||||||
|
self.users[user] = [user, uid, gid]
|
||||||
|
for group in self.pesign_opts['groups']:
|
||||||
|
gid = getgid(group)
|
||||||
|
self.groups[group] = [group, gid]
|
||||||
|
|
||||||
|
# create our users
|
||||||
|
rootdir = self.buildroot.make_chroot_path()
|
||||||
|
for name, gid in self.groups.values():
|
||||||
|
newgroup(name, gid, rootdir)
|
||||||
|
for name, uid, gid in self.users.values():
|
||||||
|
newuser(name, uid, gid, rootdir)
|
||||||
|
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# vim:fenc=utf-8:tw=75
|
@ -0,0 +1,408 @@
|
|||||||
|
%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
|
||||||
|
|
||||||
|
Name: pesign
|
||||||
|
Summary: Signing utility for UEFI binaries
|
||||||
|
Version: 0.112
|
||||||
|
Release: 27%{?dist}
|
||||||
|
License: GPLv2
|
||||||
|
URL: https://github.com/vathpela/pesign
|
||||||
|
|
||||||
|
Obsoletes: pesign-rh-test-certs <= 0.111-7
|
||||||
|
BuildRequires: git nspr nss nss-util popt-devel
|
||||||
|
BuildRequires: nss-tools
|
||||||
|
BuildRequires: nspr-devel >= 4.9.2-1
|
||||||
|
BuildRequires: nss-devel >= 3.13.6-1
|
||||||
|
BuildRequires: efivar-devel >= 31-1
|
||||||
|
BuildRequires: libuuid-devel
|
||||||
|
BuildRequires: tar xz
|
||||||
|
BuildRequires: python3-rpm-macros python3
|
||||||
|
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||||
|
BuildRequires: systemd
|
||||||
|
%endif
|
||||||
|
Requires: nspr nss nss-util nss-tools popt rpm
|
||||||
|
Requires(pre): shadow-utils
|
||||||
|
ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm}
|
||||||
|
%if 0%{?rhel} == 7
|
||||||
|
BuildRequires: rh-signing-tools >= 1.20-2
|
||||||
|
%endif
|
||||||
|
|
||||||
|
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
|
||||||
|
Source1: certs.tar.xz
|
||||||
|
Source2: pesign.py
|
||||||
|
Source3: pesign.patches
|
||||||
|
|
||||||
|
%include %{SOURCE3}
|
||||||
|
|
||||||
|
%description
|
||||||
|
This package contains the pesign utility for signing UEFI binaries as
|
||||||
|
well as other associated tools.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%setup -q -T -b 0
|
||||||
|
%setup -q -T -D -c -n pesign-%{version}/ -a 1
|
||||||
|
git init
|
||||||
|
git config user.email "pesign-owner@fedoraproject.org"
|
||||||
|
git config user.name "Fedora Ninjas"
|
||||||
|
git add .
|
||||||
|
git commit -a -q -m "%{version} baseline."
|
||||||
|
git am %{patches} </dev/null
|
||||||
|
git config --unset user.email
|
||||||
|
git config --unset user.name
|
||||||
|
|
||||||
|
%build
|
||||||
|
make PREFIX=%{_prefix} LIBDIR=%{_libdir}
|
||||||
|
|
||||||
|
%install
|
||||||
|
mkdir -p %{buildroot}/%{_libdir}
|
||||||
|
make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
|
||||||
|
install
|
||||||
|
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||||
|
make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
|
||||||
|
install_systemd
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# there's some stuff that's not really meant to be shipped yet
|
||||||
|
rm -rf %{buildroot}/boot %{buildroot}/usr/include
|
||||||
|
rm -rf %{buildroot}%{_libdir}/libdpe*
|
||||||
|
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/
|
||||||
|
mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
|
||||||
|
cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
|
||||||
|
cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
|
||||||
|
|
||||||
|
if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
|
||||||
|
mkdir -p %{buildroot}%{macrosdir}
|
||||||
|
mv %{buildroot}%{_sysconfdir}/rpm/macros.pesign \
|
||||||
|
%{buildroot}%{macrosdir}
|
||||||
|
rmdir %{buildroot}%{_sysconfdir}/rpm
|
||||||
|
fi
|
||||||
|
rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
|
||||||
|
|
||||||
|
# and find-debuginfo.sh has some pretty awful deficencies too...
|
||||||
|
cp -av libdpe/*.[ch] src/
|
||||||
|
|
||||||
|
install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
|
||||||
|
install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
|
||||||
|
|
||||||
|
%pre
|
||||||
|
getent group pesign >/dev/null || groupadd -r pesign
|
||||||
|
getent passwd pesign >/dev/null || \
|
||||||
|
useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
|
||||||
|
-c "Group for the pesign signing daemon" pesign
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||||
|
%post
|
||||||
|
%systemd_post pesign.service
|
||||||
|
|
||||||
|
#%%posttrans
|
||||||
|
#%%{_libexecdir}/pesign/pesign-authorize
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%systemd_preun pesign.service
|
||||||
|
|
||||||
|
%postun
|
||||||
|
%systemd_postun_with_restart pesign.service
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%files
|
||||||
|
%{!?_licensedir:%global license %%doc}
|
||||||
|
%license COPYING
|
||||||
|
%doc README TODO
|
||||||
|
%{_bindir}/authvar
|
||||||
|
%{_bindir}/efikeygen
|
||||||
|
%{_bindir}/efisiglist
|
||||||
|
%{_bindir}/pesigcheck
|
||||||
|
%{_bindir}/pesign
|
||||||
|
%{_bindir}/pesign-client
|
||||||
|
%dir %{_libexecdir}/pesign/
|
||||||
|
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
|
||||||
|
%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
|
||||||
|
%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
|
||||||
|
%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
|
||||||
|
%{_libexecdir}/pesign/pesign-authorize
|
||||||
|
%config(noreplace)/%{_sysconfdir}/pesign/users
|
||||||
|
%config(noreplace)/%{_sysconfdir}/pesign/groups
|
||||||
|
%{_sysconfdir}/popt.d/pesign.popt
|
||||||
|
%{macrosdir}/macros.pesign
|
||||||
|
%{_mandir}/man*/*
|
||||||
|
%dir %attr(0770, pesign, pesign) /%{_rundir}/%{name}
|
||||||
|
%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
|
||||||
|
%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
|
||||||
|
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||||
|
%{_tmpfilesdir}/pesign.conf
|
||||||
|
%{_unitdir}/pesign.service
|
||||||
|
%endif
|
||||||
|
%{python3_sitelib}/mockbuild/plugins/*/pesign.*
|
||||||
|
%{python3_sitelib}/mockbuild/plugins/pesign.*
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Wed Jan 18 2023 Robbie Harwood <rharwood@redhat.com> - 0.112-27
|
||||||
|
- Deprecate pesign-authorize and drop ACL
|
||||||
|
- Resolves: CVE-2022-3560
|
||||||
|
|
||||||
|
* Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
|
||||||
|
- Perform the /var/run to /run "migration" stupidity
|
||||||
|
- Resolves: rhbz#1801976
|
||||||
|
|
||||||
|
* Mon Oct 01 2018 Peter Jones <pjones@redhat.com> - 0.112-25
|
||||||
|
- Preserve .py timestamp during install so .pyc/.pyo files have the same
|
||||||
|
timestamp on all arches, preventing rpmdiff from complaining.
|
||||||
|
Related: rhbz#1625388
|
||||||
|
|
||||||
|
* Fri Sep 28 2018 Peter Jones <pjones@redhat.com> - 0.112-24
|
||||||
|
- Require nss-tools at runtime so the rpm signing macros will have it
|
||||||
|
Resolves: rhbz#1625388
|
||||||
|
|
||||||
|
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.112-23
|
||||||
|
- Rebuild for platform-python
|
||||||
|
|
||||||
|
* Mon Jan 22 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.112-22
|
||||||
|
- Minor spec cleanups, fix arm conditional
|
||||||
|
|
||||||
|
* Fri Oct 06 2017 Troy Dawson <tdawson@redhat.com> - 0.112-21
|
||||||
|
- Cleanup spec file conditionals
|
||||||
|
|
||||||
|
* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-20
|
||||||
|
- Maybe fewer typoes would be better.
|
||||||
|
|
||||||
|
* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-19
|
||||||
|
- Update to match f26's build so new kernel builds will work.
|
||||||
|
|
||||||
|
* Thu Aug 10 2017 Peter Jones <pjones@redhat.com> - 0.112-10
|
||||||
|
- Try to fix the db problem nirik is seeing trying to upgrade the builders.
|
||||||
|
|
||||||
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-9
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-8
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 0.112-7
|
||||||
|
- Rebuild for efivar-31-1.fc26
|
||||||
|
Related: rhbz#1468841
|
||||||
|
|
||||||
|
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jan 06 2017 Peter Jones <pjones@redhat.com> - 0.112-5
|
||||||
|
- Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy
|
||||||
|
scripts.
|
||||||
|
Related: rhbz#1349073
|
||||||
|
|
||||||
|
* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.112-4
|
||||||
|
- Build as -4 to make bodhi happy.
|
||||||
|
|
||||||
|
* Fri Aug 12 2016 Adam Williamson <awilliam@redhat.com> - 0.112-3
|
||||||
|
- backport fix for command line parsing from upstream master
|
||||||
|
|
||||||
|
* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.112-2
|
||||||
|
- Build with newer efivar.
|
||||||
|
|
||||||
|
* Wed Apr 20 2016 Peter Jones <pjones@redhat.com> - 0.112-1
|
||||||
|
- Update to 0.112
|
||||||
|
- Also fix up some spec file woes:
|
||||||
|
- dumb things in %%setup
|
||||||
|
- find-debuginfo.sh not working right for some source files...
|
||||||
|
|
||||||
|
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.111-8
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Dec 10 2015 Peter Jones <pjones@redhat.com> - 0.111-7
|
||||||
|
- Obsolete pesign-rh-test-certs, it was in -1's update.
|
||||||
|
Resolves: rhbz#1283475
|
||||||
|
|
||||||
|
* Wed Dec 02 2015 Peter Jones <pjones@redhat.com> - 0.111-6
|
||||||
|
- *Don't* use --certdir if we're using the socket.
|
||||||
|
Related: rhbz#1283475
|
||||||
|
Related: rhbz#1284063
|
||||||
|
Related: rhbz#1284561
|
||||||
|
|
||||||
|
* Tue Dec 01 2015 Peter Jones <pjones@redhat.com> - 0.111-5
|
||||||
|
- Actually do a better job of choosing which cert to use when, so people will
|
||||||
|
stop seeing any of this problem. (Thanks for the thought, jforbes.)
|
||||||
|
Resolves: rhbz#1283475
|
||||||
|
Resolves: rhbz#1284063
|
||||||
|
Resolves: rhbz#1284561
|
||||||
|
|
||||||
|
* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
|
||||||
|
- setfacl even harder.
|
||||||
|
Related: rhbz#1283475
|
||||||
|
Related: rhbz#1284063
|
||||||
|
Related: rhbz#1284561
|
||||||
|
|
||||||
|
* Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3
|
||||||
|
- Better ACL setting code.
|
||||||
|
Related: rhbz#1283475
|
||||||
|
|
||||||
|
* Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
|
||||||
|
- Allow the mockbuild user to read the nss database if the account exists.
|
||||||
|
|
||||||
|
* Wed Oct 28 2015 Peter Jones <pjones@redhat.com> - 0.111-1
|
||||||
|
- Rebase to 0.111
|
||||||
|
- Split test certs out into a "Recommends" subpackage.
|
||||||
|
|
||||||
|
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.110-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Mar 4 2015 Ville Skyttä <ville.skytta@iki.fi> - 0.110-2
|
||||||
|
- Install macros in %%{_rpmconfigdir}/macros.d where available (#1074281)
|
||||||
|
|
||||||
|
* Fri Oct 24 2014 Peter Jones <pjones@redhat.com> - 0.110-1
|
||||||
|
- Update to pesign-0.110
|
||||||
|
|
||||||
|
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.108-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.108-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu May 29 2014 Peter Jones <pjones@redhat.com> - 0.108-2
|
||||||
|
- Fix a networking problem nirik observed when reinstalling builders.
|
||||||
|
|
||||||
|
* Sat Aug 10 2013 Peter Jones <pjones@redhat.com> - 0.108-1
|
||||||
|
- Remove errant result files and raise an error from %%pesign
|
||||||
|
|
||||||
|
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.106-3
|
||||||
|
- Add code for signing in RHEL 7
|
||||||
|
|
||||||
|
* Mon Aug 05 2013 Peter Jones <pjones@redhat.com> - 0.106-2
|
||||||
|
- Fix for new %%doc rules.
|
||||||
|
|
||||||
|
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.106-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue May 21 2013 Peter Jones <pjones@redhat.com> - 0.106-1
|
||||||
|
- Update to 0.106
|
||||||
|
- Hopefully fix the segfault dgilmore was seeing.
|
||||||
|
|
||||||
|
* Mon May 20 2013 Peter Jones <pjones@redhat.com> - 0.105-1
|
||||||
|
- Various bug fixes.
|
||||||
|
|
||||||
|
* Wed May 15 2013 Peter Jones <pjones@redhat.com> - 0.104-1
|
||||||
|
- Make sure alignment is correct on signature list entries
|
||||||
|
Resolves: rhbz#963361
|
||||||
|
- Make sure section alignment is correct if we have to extend the file
|
||||||
|
|
||||||
|
* Wed Feb 06 2013 Peter Jones <pjones@redhat.com> - 0.103-2
|
||||||
|
- Conditionalize systemd bits so they don't show up in RHEL 6 builds
|
||||||
|
|
||||||
|
* Tue Feb 05 2013 Peter Jones <pjones@redhat.com> - 0.103-1
|
||||||
|
- One more compiler problem. Let's expect a few more, shall we?
|
||||||
|
|
||||||
|
* Tue Feb 05 2013 Peter Jones <pjones@redhat.com> - 0.102-1
|
||||||
|
- Don't use --std=gnu11 because we have to work on RHEL 6 builders.
|
||||||
|
|
||||||
|
* Mon Feb 04 2013 Peter Jones <pjones@redhat.com> - 0.101-1
|
||||||
|
- Update to 0.101 to fix more "pesign -E" issues.
|
||||||
|
|
||||||
|
* Fri Nov 30 2012 Peter Jones <pjones@redhat.com> - 0.100-1
|
||||||
|
- Fix insertion of signatures from a file.
|
||||||
|
|
||||||
|
* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.99-9
|
||||||
|
- Add a patch needed for new shim builds
|
||||||
|
|
||||||
|
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-8
|
||||||
|
- Get the Fedora signing token name right.
|
||||||
|
|
||||||
|
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com>
|
||||||
|
- Add coolkey and opensc modules to pki database during %%install.
|
||||||
|
|
||||||
|
* Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-7
|
||||||
|
- setfacl u:kojibuilder:rw /var/run/pesign/socket
|
||||||
|
- Fix command line checking in client
|
||||||
|
- Add client stdin pin reading.
|
||||||
|
|
||||||
|
* Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-6
|
||||||
|
- Automatically select daemon as signer when using rpm macros.
|
||||||
|
|
||||||
|
* Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-5
|
||||||
|
- Make it work on the -el6 branch as well.
|
||||||
|
|
||||||
|
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-4
|
||||||
|
- Fix some more bugs found by valgrind and coverity.
|
||||||
|
- Don't build utils/ ; we're not using them and they're not ready anyway.
|
||||||
|
|
||||||
|
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-3
|
||||||
|
- Fix daemon startup bug from 0.99-2
|
||||||
|
|
||||||
|
* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-2
|
||||||
|
- Fix various bugs from 0.99-1
|
||||||
|
- Don't make the database unreadable just yet.
|
||||||
|
|
||||||
|
* Mon Oct 15 2012 Peter Jones <pjones@redhat.com> - 0.99-1
|
||||||
|
- Update to 0.99
|
||||||
|
- Add documentation for client/server mode.
|
||||||
|
- Add --pinfd and --pinfile to server mode.
|
||||||
|
|
||||||
|
* Fri Oct 12 2012 Peter Jones <pjones@redhat.com> - 0.98-1
|
||||||
|
- Update to 0.98
|
||||||
|
- Add client/server mode.
|
||||||
|
|
||||||
|
* Mon Oct 01 2012 Peter Jones <pjones@redhat.com> - 0.10-5
|
||||||
|
- Fix missing section address fixup.
|
||||||
|
|
||||||
|
* Wed Aug 15 2012 Peter Jones <pjones@redhat.com> - 0.10-4
|
||||||
|
- Make macros.pesign even better (and make it work right for i686 packages)
|
||||||
|
|
||||||
|
* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.10-3
|
||||||
|
- Only sign things on x86_64; all else ignore gracefully.
|
||||||
|
|
||||||
|
* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.10-2
|
||||||
|
- Make macros.pesign more reliable
|
||||||
|
|
||||||
|
* Mon Aug 13 2012 Peter Jones <pjones@redhat.com> - 0.10-1
|
||||||
|
- Update to 0.10
|
||||||
|
- Include rpm macros to support easy custom signing of signed packages.
|
||||||
|
|
||||||
|
* Fri Aug 10 2012 Peter Jones <pjones@redhat.com> - 0.9-1
|
||||||
|
- Update to 0.9
|
||||||
|
- Bug fix from Gary Ching-Pang Lin
|
||||||
|
- Support NSS Token selection for use with smart cards.
|
||||||
|
|
||||||
|
* Wed Aug 08 2012 Peter Jones <pjones@redhat.com> - 0.8-1
|
||||||
|
- Update to 0.8
|
||||||
|
- Don't open the db read-write
|
||||||
|
- Fix permissions on keystore (everybody can sign with test keys)
|
||||||
|
|
||||||
|
* Wed Aug 08 2012 Peter Jones <pjones@redhat.com> - 0.7-2
|
||||||
|
- Include test keys.
|
||||||
|
|
||||||
|
* Mon Jul 30 2012 Peter Jones <pjones@redhat.com> - 0.7-1
|
||||||
|
- Update to 0.7
|
||||||
|
- Better fix for MS compatibility.
|
||||||
|
|
||||||
|
* Mon Jul 30 2012 Peter Jones <pjones@redhat.com> - 0.6-1
|
||||||
|
- Update to 0.6
|
||||||
|
- Bug-for-bug compatibility with signtool.exe .
|
||||||
|
|
||||||
|
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.5-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 11 2012 Peter Jones <pjones@redhat.com> - 0.5-1
|
||||||
|
- Rebase to 0.5
|
||||||
|
- Do more rigorous bounds checking when hashing a new binary.
|
||||||
|
|
||||||
|
* Tue Jul 10 2012 Peter Jones <pjones@redhat.com> - 0.3-2
|
||||||
|
- Rebase to 0.4
|
||||||
|
|
||||||
|
* Fri Jun 22 2012 Peter Jones <pjones@redhat.com> - 0.3-2
|
||||||
|
- Move man page to a more reasonable place.
|
||||||
|
|
||||||
|
* Fri Jun 22 2012 Peter Jones <pjones@redhat.com> - 0.3-1
|
||||||
|
- Update to upstream's 0.3 .
|
||||||
|
|
||||||
|
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-4
|
||||||
|
- Do not build with smp flags.
|
||||||
|
|
||||||
|
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-3
|
||||||
|
- Make it build on i686, though it's unclear it'll ever be necessary.
|
||||||
|
|
||||||
|
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-2
|
||||||
|
- Fix compile problem with f18's compiler.
|
||||||
|
|
||||||
|
* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-1
|
||||||
|
- Fix some rpmlint complaints nirik pointed out
|
||||||
|
- Add popt-devel build dep
|
||||||
|
|
||||||
|
* Fri Jun 15 2012 Peter Jones <pjones@redhat.com> - 0.1-1
|
||||||
|
- First version of SRPM.
|
Loading…
Reference in new issue