Hello community,
here is the log from the commit of package pesign-obs-integration for openSUSE:Factory checked in at 2014-05-02 09:51:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign-obs-integration (Old)
and /work/SRC/openSUSE:Factory/.pesign-obs-integration.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign-obs-integration"
Changes:
--------
---
/work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes
2014-04-05 16:50:17.000000000 +0200
+++
/work/SRC/openSUSE:Factory/.pesign-obs-integration.new/pesign-obs-integration.changes
2014-05-02 09:51:46.000000000 +0200
@@ -1,0 +2,27 @@
+Thu Apr 24 09:25:18 UTC 2014 - [email protected]
+
+- Fix matching /boot and /lib/firmware in pesign-repackage.spec
+
+-------------------------------------------------------------------
+Wed Apr 23 22:28:05 UTC 2014 - [email protected]
+
+- Do not store the buildroot in the .*.hmac file.
+
+-------------------------------------------------------------------
+Wed Apr 23 21:48:04 UTC 2014 - [email protected]
+
+- Regenerate the HMAC checksum when signing and EFI binary with
+ a checksum (fate#316930, bnc#856310).
+
+-------------------------------------------------------------------
+Wed Apr 23 21:38:42 UTC 2014 - [email protected]
+
+- Update README.
+
+-------------------------------------------------------------------
+Wed Apr 23 19:49:09 UTC 2014 - [email protected]
+
+- Add /usr/lib/rpm/pesign/gen-hmac tool to generate a hmac checksum
+ for a given file (fate#316930, bnc#856310).
+
+-------------------------------------------------------------------
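Review bot: two wording slips in the changelog entries: the 21:48:04 entry should read "signing an EFI binary", not "signing and EFI binary", and the 19:49:09 entry should say "an HMAC checksum" rather than "a hmac checksum".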
New:
----
gen-hmac
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pesign-obs-integration.spec ++++++
--- /var/tmp/diff_new_pack.bLCwl1/_old 2014-05-02 09:51:47.000000000 +0200
+++ /var/tmp/diff_new_pack.bLCwl1/_new 2014-05-02 09:51:47.000000000 +0200
@@ -38,6 +38,7 @@
Source6: README
Source7: kernel-sign-file
Source8: modsign-repackage
+Source9: gen-hmac
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -54,7 +55,7 @@
mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign
cd %_sourcedir
-install pesign-gen-repackage-spec kernel-sign-file
%buildroot/usr/lib/rpm/pesign
+install pesign-gen-repackage-spec kernel-sign-file gen-hmac
%buildroot/usr/lib/rpm/pesign
install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d
install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm/pesign
mkdir -p %buildroot/usr/bin
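Review bot: gen-hmac is installed here as an executable, but it is a Perl script that runs sha512hmac at repackage time, so the package needs a Requires on hmaccalc (and perl) if the spec does not already carry one; this hunk only adds the file to the install list.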
++++++ README ++++++
--- /var/tmp/diff_new_pack.bLCwl1/_old 2014-05-02 09:51:47.000000000 +0200
+++ /var/tmp/diff_new_pack.bLCwl1/_new 2014-05-02 09:51:47.000000000 +0200
@@ -1,9 +1,6 @@
Signing kernel modules and EFI binaries in the Open Build Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Note: Not everything that is described here is actually implemented. Even
-those parts that are implemented can change slightly.
-
Packages that need to sign files during build should add the following lines
to the specfile
@@ -18,10 +15,15 @@
in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
pesign-repackage.spec file there. When the first rpmbuild finishes, the
buildservice sends the cpio archive to the signing server, which returns
-a rsasigned.cio archive with RSA signatures of the sha256 hashes.
+a rsasigned.cpio archive with RSA signatures of the sha256 hashes.
The pesign-repackage.spec takes the original RPMs, unpacks them and
-appends the signatures to the files (TODO: only implemented for firmware
-files). It then uses the pesign-gen-repackage-spec script to generate
-another specfile, which builds new RPMs with signed files.
+appends the signatures to the files. It then uses the
+pesign-gen-repackage-spec script to generate another specfile, which
+builds new RPMs with signed files. The supported file types are:
+
+/lib/firmware/* - Detached signature in $file.sig
+*.ko - Signature appended to the module
+efi binaries - Signature embedded in a header. If a HMAC checksum named
+ .$file.hmac exists, it is regenerated
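Review bot: the new file-type list says "efi binaries", but the repackage spec handles `/boot/*` as well as `*.efi.sig`, so state that anything under /boot is treated as an EFI binary. It would also help to say why the HMAC is regenerated: embedding the signature changes the binary's contents, so a checksum computed before signing no longer matches.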
++++++ gen-hmac ++++++
#!/usr/bin/perl
# gen-hmac: write a .<file>.hmac checksum next to <file>, in the format
# produced by sha512hmac (hmaccalc). The recorded path is the install
# path (<file>), not the build root prefix, so the checksum line stays
# valid once the RPM is installed on the target system.
use strict;
use warnings;
use Getopt::Long;

my $USAGE = "Usage: $0 [-r <build root>] <file>\n";
my $buildroot = "";
GetOptions("r|root=s" => \$buildroot) or die $USAGE;
if (scalar(@ARGV) != 1) {
    die $USAGE;
}
if ($buildroot) {
    $buildroot .= "/";
}
my $fn = shift @ARGV;

# Run sha512hmac on the file inside the build root. The list form of open
# passes the path as a single argument without going through a shell, so
# file names containing shell metacharacters are handled safely.
open(my $ph, '-|', 'sha512hmac', "$buildroot$fn")
    or die "$0: Cannot run sha512hmac: $!\n";
my $out = do { local $/; <$ph> };
close($ph);
if ($?) {
    exit 1;
}
# sha512hmac prints "<hex digest>  <path>"; keep only the digest.
my @t = split(" ", $out // "");
my $hmac = $t[0];
die "$0: No checksum in sha512hmac output for $buildroot$fn\n"
    unless defined $hmac;
# /path/to/file -> /path/to/.file.hmac
(my $hmacfn = "$buildroot$fn") =~ s|([^/]*)$|.$1.hmac|;
open(my $fd, '>', $hmacfn) or die "$0: Cannot open $hmacfn: $!\n";
# Record the path without the build root prefix.
print $fd "$hmac $fn\n";
close($fd);
exit 0;
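The following is an added example, not part of this commit or of the pesign-obs-integration package: a Python equivalent of gen-hmac together with the verification step that consumes the `.<file>.hmac` line it writes. It shows the two properties the changelog entries above care about, that the recorded path must not contain the build root and that a checksum generated before the binary changes (for instance by embedding a signature) no longer verifies. The key constant is an assumption: sha512hmac uses a fixed built-in key that this page does not state, so a labelled placeholder stands in for it, and the `full_path`, `hmac_path`, `gen_hmac`, `verify_hmac` and `demo` names are this example's own.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption, not from the page: hmaccalc's sha512hmac uses a fixed built-in
# key. The page does not state it, so a labelled placeholder is used here;
# substitute the real key to interoperate with files written by sha512hmac.
HMAC_KEY = b"PLACEHOLDER-SHA512HMAC-KEY"


def full_path(fn, buildroot=""):
    """Join a build root and an absolute install path, as gen-hmac does."""
    if not buildroot:
        return fn
    return buildroot.rstrip("/") + "/" + fn.lstrip("/")


def hmac_path(path):
    """/dir/file -> /dir/.file.hmac, the rewrite gen-hmac does with a regex."""
    directory, base = os.path.split(path)
    return os.path.join(directory, "." + base + ".hmac")


def file_hmac_sha512(path, key=HMAC_KEY):
    """Hex HMAC-SHA512 of the file contents, streamed in 64 KiB chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha512)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def gen_hmac(fn, buildroot="", key=HMAC_KEY):
    """Write .<file>.hmac beside fn inside buildroot, recording only fn.

    The recorded path deliberately omits the build root, so the checksum line
    is still correct once the RPM is installed on the target system."""
    target = full_path(fn, buildroot)
    out = hmac_path(target)
    with open(out, "w") as fh:
        fh.write(file_hmac_sha512(target, key) + " " + fn + "\n")
    return out


def verify_hmac(fn, buildroot="", key=HMAC_KEY):
    """Check a file against its .hmac line; return (ok, reason).

    Fails if the checksum file is missing or malformed, if the recorded path
    is not the install path (e.g. a build root leaked in), or if the digest
    does not match the current contents (e.g. the binary was re-signed
    without regenerating the checksum)."""
    target = full_path(fn, buildroot)
    try:
        with open(hmac_path(target)) as fh:
            line = fh.readline().rstrip("\n")
    except FileNotFoundError:
        return False, "checksum file missing"
    parts = line.split(" ", 1)
    if len(parts) != 2:
        return False, "malformed checksum line"
    stored, recorded = parts
    if recorded != fn:
        return False, "recorded path %r is not %r" % (recorded, fn)
    if not hmac.compare_digest(stored, file_hmac_sha512(target, key)):
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Constructed scenario in a temporary build root.

    Returns (buildroot_leaked, ok_before_change, ok_after_change)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "boot"))
    binary = os.path.join(root, "boot", "vmlinuz")
    with open(binary, "wb") as fh:
        fh.write(b"constructed stand-in for an EFI binary\n")
    hmac_file = gen_hmac("/boot/vmlinuz", root)
    with open(hmac_file) as fh:
        leaked = root in fh.read()
    ok_before, _ = verify_hmac("/boot/vmlinuz", root)
    # Embedding a signature changes the bytes; simulate that by appending.
    with open(binary, "ab") as fh:
        fh.write(b"constructed signature bytes\n")
    ok_after, _ = verify_hmac("/boot/vmlinuz", root)
    return leaked, ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

`verify_hmac` compares digests with `hmac.compare_digest` rather than `==`, and it rejects a checksum line whose recorded path differs from the install path, which is exactly the case the "Do not store the buildroot in the .*.hmac file" change prevents at generation time.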
++++++ pesign-repackage.spec.in ++++++
--- /var/tmp/diff_new_pack.bLCwl1/_old 2014-05-02 09:51:47.000000000 +0200
+++ /var/tmp/diff_new_pack.bLCwl1/_new 2014-05-02 09:51:47.000000000 +0200
@@ -102,17 +102,17 @@
certutil -N -d "$nss_db" -f "$nss_db/passwd"
certutil -A -d "$nss_db" -n cert -t CT,CT,CT -i "$cert"
-sigs=($(find -type f -name '*.sig'))
+sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
for sig in "${sigs[@]}"; do
f=%buildroot/${sig%.sig}
- case "$sig" in
+ case "/$sig" in
*.ko.sig)
/usr/lib/rpm/pesign/kernel-sign-file -s "$sig" sha256 "$cert"
"$f"
;;
- ./lib/firmware/*.sig)
+ /lib/firmware/*.sig)
/usr/lib/rpm/pesign/kernel-sign-file -f -s "$sig" sha256
"$cert" "$f"
;;
- ./boot/* | *.efi.sig)
+ /boot/* | *.efi.sig)
infile=${sig%.sig}
cpio -i --to-stdout ${infile#./}
<%_sourcedir/@[email protected] > ${infile}.sattrs
test -s ${infile}.sattrs || exit 1
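Review bot: with `-printf '%%P\n'` the paths returned by find no longer start with `./`, so `${infile#./}` on the cpio line is now a no-op and can be simplified to `$infile`. The unquoted `$(find ...)` array assignment still word-splits on whitespace in file names, which predates this change; `find ... -print0` read with `while IFS= read -r -d '' sig` would fix that while the lookup is being reworked.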
@@ -125,6 +125,11 @@
echo "hash mismatch error: $ohash $nhash"
exit 1
fi
+ # Regenerate the HMAC if it exists
+ hmac="${f%%/*}/.${f##*/}.hmac"
+ if test -e "$hmac"; then
+ /usr/lib/rpm/pesign/gen-hmac -r %buildroot
"/${sig%.sig}"
+ fi
;;
*)
echo "Warning: unhandled signature: $sig" >&2
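Review bot: the gen-hmac call does not check its exit status; gen-hmac exits 1 when sha512hmac fails, but the repackage continues and ships a signed binary with a stale .hmac. Append `|| exit 1`, as the `test -s ... || exit 1` line earlier in this case branch does. A short comment that `%%` in `${f%%/*}` is rpm's escape for a literal `%` (the same convention as `-printf '%%P\n'` above), so the shell runs the shortest-match `${f%/*}` and not the longest-match operator, would also save the next reader a double take.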