Hello community, here is the log from the commit of package pesign.3096 for openSUSE:12.3:Update checked in at 2015-01-21 14:19:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/pesign.3096 (Old) and /work/SRC/openSUSE:12.3:Update/.pesign.3096.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign.3096" Changes: -------- New Changes file: --- /dev/null 2014-12-25 22:38:16.200041506 +0100 +++ /work/SRC/openSUSE:12.3:Update/.pesign.3096.new/pesign.changes 2015-01-21 14:19:25.000000000 +0100 
@@ -0,0 +1,283 @@ +------------------------------------------------------------------- +Tue Jul 1 06:46:13 UTC 2014 - [email protected] + +- Update pesign-enable-supplementary-programs.patch to fix write + loop + +------------------------------------------------------------------- +Thu Jun 12 02:47:55 UTC 2014 - [email protected] + +- Add pesign-enable-supplementary-programs.patch to fix and enable + the supplementary programs: pesigcheck, authvar, efisiglist + +------------------------------------------------------------------- +Wed Apr 16 07:12:05 UTC 2014 - [email protected] + +- Add pesign-run.patch: Use /run instead of /var/run (bnc#873857). + +------------------------------------------------------------------- +Fri Jan 31 08:49:12 UTC 2014 - [email protected] + +- mark dir in /var/run as %ghost + +------------------------------------------------------------------- +Thu Nov 7 09:17:04 UTC 2013 - [email protected] + +- Add pesign-no-db.patch to allow some commands to proceed without + a NSS database. 
+ +------------------------------------------------------------------- +Thu Oct 24 03:14:05 UTC 2013 - [email protected] + +- Revert the dowload Url since it's not valid + +------------------------------------------------------------------- +Tue Oct 22 11:18:39 UTC 2013 - [email protected] + +- Update to version 0.109 +- Remove sysvinit related old stuff +- Remove redundant %clean section +- Add use-standard-pid-location.patch + Use the good location to stock pidfile +- Use download Url as source +- Rebase pesign-suse-build.patch to upstream changes as it has been + partially merged on upstream +- Remove pesign-allow-no-issuer-cert.patch; fixed on upstream + +------------------------------------------------------------------- +Thu Jul 18 06:54:19 UTC 2013 - [email protected] + +- Add pesign-allow-no-issuer-cert.patch to avoid crash when the + issuer's certificate is not available + +------------------------------------------------------------------- +Tue Jul 9 04:44:44 UTC 2013 - [email protected] + +- Update to 0.106 +- Add pesign-clear-padding-bits.patch to clear the padding bits +- Rebase patches: + + pesign-suse-build.patch + + pesign-fix-build-errors.patch + + pesign-privkey_unneeded.diff +- Drop upstreamed patches + + pesign-client-initialize-action.patch + + pesign-bnc808594-align-signatures.patch + + pesign-upstream-fixes.patch + + pesign-fix-export-attributes.patch + + pesign-no-set-image-size.patch + + pesign-client-read-pin-file.patch + + pesign-local-database.patch + + pesign-bnc801653-teardown-segfault.patch + + pesign-bnc805166-fix-signature-list.patch + +------------------------------------------------------------------- +Tue Mar 26 06:21:15 UTC 2013 - [email protected] + +- Add pesign-bnc808594-align-signatures.patch to align signatures + (bnc#808594, bnc#811325) + +------------------------------------------------------------------- +Fri Mar 1 03:04:35 UTC 2013 - [email protected] + +- Update pesign-bnc805166-fix-signature-list.patch to avoid the + 
potential crash when inserting a signature (bnc#805166) +- Add pwdutils to PreReq + +------------------------------------------------------------------- +Mon Feb 25 07:35:59 UTC 2013 - [email protected] + +- Update pesign-bnc805166-fix-signature-list.patch to skip the + unneeded private key request. (bnc#805166c#17) + +------------------------------------------------------------------- +Sat Feb 23 04:47:48 UTC 2013 - [email protected] + +- Modified pesign-bnc805166-fix-signature-list.patch, block out the + source code for find/attach Issuer certificate + (bnc#805166 comment#13) + +------------------------------------------------------------------- +Fri Feb 22 08:44:43 UTC 2013 - [email protected] + +- Add pesign-bnc805166-fix-signature-list.patch to fix the broken + signature list when inserting signature into a signed EFI binary + (bnc#805166) + +------------------------------------------------------------------- +Tue Feb 12 15:32:11 CET 2013 - [email protected] + +- do not try to recalculate the image size, it is included in the + hash and therefore must not change. + +------------------------------------------------------------------- +Wed Feb 6 10:44:48 UTC 2013 - [email protected] + +- Merge patches for FATE#314552 + + pesign-fix-export-attributes.patch: fix crash when exporting + the signed attributes + + pesign-privkey_unneeded.diff: Don't check the private key when + importing the raw signature +- Add pesign-bnc801653-teardown-segfault.patch to fix crash when + freeing digests (bnc801653) +- Drop pesign-digestdata.diff which is no longer needed. 
+ +------------------------------------------------------------------- +Mon Jan 21 10:17:28 UTC 2013 - [email protected] + +- Add pesign-digestdata.diff to generate digestdata (FATE#314552) + +------------------------------------------------------------------- +Wed Dec 12 13:18:40 UTC 2012 - [email protected] + +- Don't call sysv RPM post/pre macros when building for systemd +- Ship rcpesign for systemd, link to /sbin/service +- Update pesign-suse-build.patch to allow change systemd unit + install directory. +- Don't hardcode systemd unit directory, since it changed in + Factory. + +------------------------------------------------------------------- +Tue Dec 11 07:10:04 UTC 2012 - [email protected] + +- Add Requires: pwdutils + +------------------------------------------------------------------- +Wed Nov 28 07:42:09 UTC 2012 - [email protected] + +- Add pesign-local-database.patch to support the local certificate + database +- Amend the spec file to build on openSUSE:Factory + +------------------------------------------------------------------- +Thu Nov 8 06:32:32 UTC 2012 - [email protected] + +- Version bump to 0.99 (FATE#314484) + + Add documentation for --daemonize and --nofork + + Make popt aliases work + + Add documentation for pesign-client + + Add --pinfd and --pinfile to the client +- Update pesign-suse-build.patch and pesign-fix-build-errors.patch +- Add pesign-upstream-fixes.patch to backport fixes from git head + and add sysvinit script +- Add pesign-client-initialize-action.patch to initialize client + action to avoid undetermined flags. 
+- Add pesign-client-read-pin-file.patch to fix pin file reading + +------------------------------------------------------------------- +Mon Oct 15 09:33:19 UTC 2012 - [email protected] + +- Version bump to 0.98 + + close the socket immediately on invalid input + + Slightly better error messages + + Log an error if digest initialization fails + + Add systemd bits for pesignd + + Add actual signing code to the daemon + + Add input and output setup for sign functionality in the daemon + + Audit allocation of CERTCertificateList/PK11SlotList and + friends + + Fix memory leaks +- Refresh pesign-suse-build.patch and pesign-fix-build-errors.patch + +------------------------------------------------------------------- +Mon Aug 13 06:50:35 UTC 2012 - [email protected] + +- Version bump to 0.9 + + Add NSS "token" support for smartcards. + + Allocate space for the section header variable +- Refresh pesign-fix-build-errors.patch to fix the warning +- Drop upstreamed pesign-allocate-shdr.patch + +------------------------------------------------------------------- +Fri Aug 10 10:12:53 UTC 2012 - [email protected] + +- Add pesign-allocate-shdr.patch to allocate space for the section + header variable + +------------------------------------------------------------------- +Thu Aug 9 03:53:45 UTC 2012 - [email protected] ++++ 86 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.pesign.3096.new/pesign.changes New: ---- pesign-0.109.tar.gz pesign-clear-padding-bits.patch pesign-enable-supplementary-programs.patch pesign-fix-build-errors.patch pesign-no-db.patch pesign-privkey_unneeded.diff pesign-run.patch pesign-suse-build.patch pesign.changes pesign.spec use-standard-pid-location.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pesign.spec ++++++ # # spec file for package pesign # # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. 
# # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: pesign Version: 0.109 Release: 0 Summary: Signing tool for PE-COFF binaries License: GPL-2.0 Group: Productivity/Security Url: https://github.com/vathpela/pesign Source: %{name}-%{version}.tar.gz # PATCH-FIX-SUSE pesign-suse-build.patch [email protected] -- Adjust Makefile for the build service Patch1: pesign-suse-build.patch # PATCH-FIX-UPSTREAM pesign-fix-build-errors.patch [email protected] -- Fix gcc warnings Patch2: pesign-fix-build-errors.patch # PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff [email protected] -- Don't check the private key when importing the raw signature Patch3: pesign-privkey_unneeded.diff # PATCH-FIX-UPSTREAM pesign-clear-padding-bits.patch [email protected] -- Clear the allocated space before inserting the certificate list Patch4: pesign-clear-padding-bits.patch # PATCH-FIX-SUSE use-standard-pid-location.patch [email protected] --Use standard /run instead of /var/run for pidfile Patch6: use-standard-pid-location.patch # PATCH-FIX-UPSTREAM pesign-no-db.patch [email protected] -- Allow some commands to proceed without a NSS database Patch7: pesign-no-db.patch # PATCH-FIX-SUSE pesign-run.patch [email protected] - Use /run instead of /var/run Patch8: pesign-run.patch # PATCH-FIX-UPSTREAM pesign-enable-supplementary-programs.patch [email protected] -- Fix and enable the supplementary programs Patch9: 
pesign-enable-supplementary-programs.patch BuildRequires: mozilla-nss-devel BuildRequires: pkg-config BuildRequires: popt-devel BuildRequires: pkgconfig(systemd) %{?systemd_requires} PreReq: pwdutils ExclusiveArch: ia64 %ix86 x86_64 %description Signing tool for PE-COFF binaries, hopefully at least vaguely compliant with the PE and Authenticode specifications. Authors: -------- Peter Jones <[email protected]> %prep %setup -q %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %build make OPTFLAGS="$RPM_OPT_FLAGS" %install make INSTALLROOT=%{buildroot} PREFIX=/usr DOCDIR=/share/doc/packages install mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/pesign mkdir -p $RPM_BUILD_ROOT%{_sbindir} make INSTALLROOT=%{buildroot} UNITDIR=%{_unitdir} install_systemd # there's some stuff that's not really meant to be shipped yet rm -rf %{buildroot}/boot %{buildroot}/usr/include rm -rf %{buildroot}%{_libdir}/libdpe* %pre getent group pesign >/dev/null || groupadd -r pesign getent passwd pesign >/dev/null || useradd -r -g pesign -d /var/lib/pesign -s /bin/false -c "PE-COFF signing daemon" pesign %service_add_pre pesign.service %preun %service_del_preun pesign.service %post %service_add_post pesign.service systemd-tmpfiles --create /usr/lib/tmpfiles.d/pesign.conf %postun %service_del_preun pesign.service %files %defattr(-,root,root) %doc COPYING %{_bindir}/pesign %{_bindir}/pesign-client %{_bindir}/efikeygen %{_bindir}/pesigcheck %{_bindir}/efisiglist %{_bindir}/authvar %dir %{_sysconfdir}/popt.d %config %{_sysconfdir}/popt.d/pesign.popt %{_sysconfdir}/pki/ %config %{_sysconfdir}/rpm/macros.pesign %{_mandir}/man?/* /var/lib/pesign %{_unitdir}/pesign.service /usr/lib/tmpfiles.d/pesign.conf %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign %ghost %dir %attr(0770,pesign,pesign) /run/%{name} %dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name} %changelog ++++++ pesign-clear-padding-bits.patch ++++++ 
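Review bot: `%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign` makes the directory that holds the signing certificate/key database world-listable and group-writable, while the upstream Makefile (visible in the pesign-run.patch hunk) installs it with mode 700; the daemon runs as pesign, so `%dir %attr(0700,pesign,pesign) %{_sysconfdir}/pki/pesign` (0750 at most, if a builder group must read it) is enough, and the files underneath keep whatever mode `make install` gave them because `%defattr(-,root,root)` preserves build-root modes. The same directory is also swept up by the recursive `%{_sysconfdir}/pki/` entry, and `/var/lib/pesign` is listed both bare and as `%dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name}`; rpmbuild warns on files listed twice and the effective attributes become ambiguous, so keep only the explicit `%dir %attr(...)` lines. `%postun` calls `%service_del_preun pesign.service` where `%service_del_postun pesign.service` is expected, so the post-removal/upgrade handling of the unit never runs. Whether `%{_sysconfdir}/pki` itself is already owned by another package on this target is not visible here.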
>From edd9cc0e677b35498e974d9a4137feac5bd4b323 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Tue, 26 Mar 2013 18:30:58 +0800 Subject: [PATCH] Clear the space for the certificate list Make sure the aligned bytes are '\0' Signed-off-by: Gary Ching-Pang Lin <[email protected]> --- src/wincert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wincert.c b/src/wincert.c index 942fa26..5e23b04 100644 --- a/src/wincert.c +++ b/src/wincert.c @@ -37,7 +37,7 @@ generate_cert_list(SECItem **signatures, int num_signatures, cl_size += ALIGNMENT_PADDING(cl_size, 8); } - uint8_t *data = malloc(cl_size); + uint8_t *data = calloc(1, cl_size); if (!data) return -1; -- 1.8.1.4 ++++++ pesign-enable-supplementary-programs.patch ++++++ ++++ 4776 lines (skipped) ++++++ pesign-fix-build-errors.patch ++++++ >From 4e03c90bb48e6f9c9d9c9aed491fbcc5be684e7b Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Tue, 9 Jul 2013 12:17:31 +0800 Subject: [PATCH] Fix build errors --- src/daemon.c | 36 +++++++++++++++++++++++++++++------- src/efikeygen.c | 3 ++- src/password.c | 3 ++- src/pesign.c | 10 ++++++++-- 4 files changed, 41 insertions(+), 11 deletions(-) diff --git a/src/daemon.c b/src/daemon.c index b2801b9..832a0ea 100644 --- a/src/daemon.c +++ b/src/daemon.c @@ -432,7 +432,11 @@ malformed: if (rc < 0) { err_attached: pe_end(outpe); - ftruncate(outfd, 0); + if (ftruncate(outfd, 0) != 0) { + ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, + "pesignd: could not truncate output " + "file: %m"); + } goto finish; } ssize_t sigspace = calculate_signature_space(ctx->cms, outpe); 
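Review bot: The wincert.c hunk switches to calloc() without saying why, and the reason is security-relevant: the ALIGNMENT_PADDING bytes added to cl_size are part of the certificate table that is written into the output image, so with malloc() they carried stale heap contents of the signing process into a file that is then distributed. Suggest `/* calloc: the alignment padding is written out verbatim, so it must not carry stale heap data */` above the allocation, and the same sentence in the commit message body. The rest of generate_cert_list, where data is filled and emitted, is outside the hunk, so whether every non-padding byte is overwritten cannot be confirmed from here.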
@@ -450,21 +454,34 @@ err_attached: ctx->cms->num_signatures, outpe); pe_end(outpe); } else { - ftruncate(outfd, 0); + if (ftruncate(outfd, 0) != 0) { + ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, + "pesignd: could not truncate output " + "file: %m"); + } rc = generate_digest(ctx->cms, inpe, 1); if (rc < 0) { err_detached: - ftruncate(outfd, 0); + if (ftruncate(outfd, 0) != 0) { + ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, + "pesignd: could not truncate output " + "file: %m"); + } goto finish; } rc = generate_signature(ctx->cms); if (rc < 0) goto err_detached; rc = export_signature(ctx->cms, outfd, 0); - if (rc >= 0) - ftruncate(outfd, rc); - else if (rc < 0) + if (rc >= 0) { + if (ftruncate(outfd, rc) != 0) { + ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR, + "pesignd: could not truncate output " + "file: %m"); + } + } else if (rc < 0) { goto err_detached; + } } finish: @@ -996,7 +1013,12 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork) exit(1); } - chdir(homedir ? homedir : "/"); + if (chdir(homedir ? homedir : "/") != 0) { + ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_ERR, + "pesignd: could not change working directory " + "for pesign: %m"); + exit(1); + } if (getuid() == 0) { /* process is running as root, drop privileges */ diff --git a/src/efikeygen.c b/src/efikeygen.c index ac27acc..8c3e814 100644 --- a/src/efikeygen.c +++ b/src/efikeygen.c @@ -330,10 +330,11 @@ populate_extensions(cms_context *cms, CERTCertificate *cert, { CERTAttribute *attr = NULL; SECOidData *oid; + int i; oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST); - for (int i; crq->attributes[i]; i++) { + for (i = 0; crq->attributes[i]; i++) { attr = crq->attributes[i]; if (attr->attrType.len != oid->oid.len) continue; diff --git a/src/password.c b/src/password.c index 43186df..9a9c911 100644 --- a/src/password.c +++ b/src/password.c 
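Review bot: In the detached-signature success path, `if (rc >= 0) { if (ftruncate(outfd, rc) != 0) { …log… } }` only logs when the truncate fails and leaves rc at the exported byte count, so the client is told the export succeeded while the output file may still hold stale bytes past the new signature; the old unchecked call had the same effect, and this change merely silences the compiler warning. Make the failure an error: after the log call add `rc = -1;` and `goto err_detached;` (err_detached truncates to zero and falls through to finish), and the trailing `else if (rc < 0)` can become a plain `else`. The ftruncate failures in the earlier error paths of this hunk are fine to log only, since those paths already jump to finish. The enclosing function starts and ends outside the hunk.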
@@ -76,7 +76,8 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt, echoOff(infd); } - fgets ( phrase, sizeof(phrase), input); + if (fgets(phrase, sizeof(phrase), input) == NULL) + phrase[0] = '\0'; if (isTTY) { fprintf(output, "\n"); diff --git a/src/pesign.c b/src/pesign.c index 890ebfc..fe77c9d 100644 --- a/src/pesign.c +++ b/src/pesign.c @@ -164,9 +164,15 @@ open_output(pesign_context *ctx) addr = pe_rawfile(ctx->inpe, &size); - ftruncate(ctx->outfd, size); + if (ftruncate(ctx->outfd, size) != 0) { + fprintf(stderr, "pesign: could not truncate output file: %m\n"); + exit(1); + } lseek(ctx->outfd, 0, SEEK_SET); - write(ctx->outfd, addr, size); + if (write(ctx->outfd, addr, size) != size) { + fprintf(stderr, "pesign: could not write output file: %m\n"); + exit(1); + } Pe_Cmd cmd = ctx->outfd == STDOUT_FILENO ? PE_C_RDWR : PE_C_RDWR_MMAP; ctx->outpe = pe_begin(ctx->outfd, cmd, NULL); -- 1.8.1.4 ++++++ pesign-no-db.patch ++++++ >From b55ecad4b6ec280d7d17caa5e02c20a7391b8a05 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Thu, 7 Nov 2013 16:58:04 +0800 Subject: [PATCH] Allow some commands to proceed without a NSS db The NSS db is not necessary to calculate the hash, to show the signature or to export the signed attributes. Signed-off-by: Gary Ching-Pang Lin <[email protected]> --- src/pesign.c | 91 +++++++++++++++++++++++++++++++++++------------------------- 1 file changed, 53 insertions(+), 38 deletions(-) diff --git a/src/pesign.c b/src/pesign.c index c7313a6..0cd47a8 100644 --- a/src/pesign.c +++ b/src/pesign.c @@ -405,6 +405,7 @@ main(int argc, char *argv[]) int daemon = 0; int fork = 1; int padding = 0; + int need_db = 0; char *digest_name = "sha256"; char *tokenname = "NSS Certificate DB"; 
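Review bot: Turning a NULL from fgets() into an empty passphrase (`phrase[0] = '\0'`) makes EOF on the PIN source — an empty or prematurely closed --pinfile, or a closed stdin — indistinguishable from a user deliberately entering nothing, and that zero-length PIN is then presented to the token. If callers of SEC_GetPassword treat a NULL return as failure, as the NSS secutil routine this looks derived from does, `if (fgets(phrase, sizeof(phrase), input) == NULL) return NULL;` is the safer change, restoring terminal echo first if the normal path does so. The remainder of the function, including what it returns and how echo is restored, is outside the hunk, so this is hedged.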
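Review bot: `if (write(ctx->outfd, addr, size) != size)` treats a short write as fatal instead of retrying, yet the line just below selects PE_C_RDWR precisely because outfd may be STDOUT_FILENO, where a pipe gives partial writes for an image-sized buffer, and EINTR is not handled either. The new ftruncate() check has a related effect: ftruncate() fails on a pipe, so a stdout-to-pipe run now exits where it used to continue — if that mode is meant to work, the check should tolerate that errno rather than exit. A write loop is sketched below; it assumes addr is byte-addressable and size is an unsigned count (neither type is visible in the hunk), needs errno from <errno.h> if not already included, and the changelog mentions a similar write-loop fix in the supplementary-programs patch that is not shown here.
```c
	/* … unchanged: ftruncate check … */
	lseek(ctx->outfd, 0, SEEK_SET);
	size_t done = 0;
	while (done < size) {
		ssize_t n = write(ctx->outfd, (const char *)addr + done,
				  size - done);
		if (n < 0 && errno == EINTR)
			continue;
		if (n <= 0) {
			fprintf(stderr, "pesign: could not write output file: %m\n");
			exit(1);
		}
		done += (size_t)n;
	}
	/* … unchanged: pe_begin() of the output … */
```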
@@ -526,8 +527,59 @@ main(int argc, char *argv[]) } } + int action = 0; + if (daemon) + action |= DAEMONIZE; + + if (ctxp->rawsig) { + action |= IMPORT_RAW_SIGNATURE; + need_db = 1; + } + + if (ctxp->insattrs) + action |= IMPORT_SATTRS; + + if (ctxp->outsattrs) + action |= EXPORT_SATTRS; + + if (ctxp->insig) + action |= IMPORT_SIGNATURE; + + if (ctxp->outkey) { + action |= EXPORT_PUBKEY; + need_db = 1; + } + + if (ctxp->outcert) { + action |= EXPORT_CERT; + need_db = 1; + } + + if (ctxp->outsig) + action |= EXPORT_SIGNATURE; + + if (remove != 0) + action |= REMOVE_SIGNATURE; + + if (list != 0) + action |= LIST_SIGNATURES; + + if (ctxp->sign) { + action |= GENERATE_SIGNATURE; + if (!(action & EXPORT_SIGNATURE)) + action |= IMPORT_SIGNATURE; + need_db = 1; + } + + if (ctxp->hash) + action |= GENERATE_DIGEST|PRINT_DIGEST; + if (!daemon) { - SECStatus status = NSS_Init(certdir); + SECStatus status; + if (need_db) + status = NSS_Init(certdir); + else + status = NSS_NoDB_Init(NULL); if (status != SECSuccess) { fprintf(stderr, "Could not initialize nss: %s\n", PORT_ErrorToString(PORT_GetError())); @@ -571,42 +623,8 @@ main(int argc, char *argv[]) if (certname) free(certname); - int action = 0; - if (daemon) - action |= DAEMONIZE; - - if (ctxp->rawsig) - action |= IMPORT_RAW_SIGNATURE; - - if (ctxp->insattrs) - action |= IMPORT_SATTRS; - - if (ctxp->outsattrs) - action |= EXPORT_SATTRS; - - if (ctxp->insig) - action |= IMPORT_SIGNATURE; - - if (ctxp->outkey) - action |= EXPORT_PUBKEY; - - if (ctxp->outcert) - action |= EXPORT_CERT; - - if (ctxp->outsig) - action |= EXPORT_SIGNATURE; - - if (remove != 0) - action |= REMOVE_SIGNATURE; - - if (list != 0) - action |= LIST_SIGNATURES; if (ctxp->sign) { - action |= GENERATE_SIGNATURE; - if (!(action & EXPORT_SIGNATURE)) - action |= IMPORT_SIGNATURE; - if (!ctxp->cms_ctx->certname) { fprintf(stderr, "pesign: signing requested but no " "certificate nickname provided\n"); 
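Review bot: `int need_db = 0;` carries the security-relevant distinction introduced by this change — which actions open the NSS certificate/key database and which now run under NSS_NoDB_Init() — but has no comment, and the scattered `need_db = 1` assignments in the action mapping are the only record of it. Suggest `int need_db = 0; /* set when the action must read certs or keys from the NSS database (sign, export key/cert, import raw signature); everything else runs with NSS_NoDB_Init() */`. The hash, list, signature import/export and signed-attribute cases presumably read only the input PE, which matches the commit message, but whether LIST_SIGNATURES needs a trust store to print anything is not visible here. main() extends well beyond the hunk.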
@@ -614,9 +632,6 @@ main(int argc, char *argv[]) } } - if (ctxp->hash) - action |= GENERATE_DIGEST|PRINT_DIGEST; - ssize_t sigspace = 0; switch (action) { -- 1.8.1.4 ++++++ pesign-privkey_unneeded.diff ++++++ --- src/cms_common.c | 12 ++++++++++-- src/cms_common.h | 1 + src/pesign.c | 1 + 3 files changed, 12 insertions(+), 2 deletions(-) --- a/src/cms_common.c +++ b/src/cms_common.c @@ -272,6 +272,7 @@ struct cbdata { CERTCertificate *cert; PK11SlotListElement *psle; secuPWData *pwdata; + int privkey_unneeded; }; static SECStatus @@ -283,6 +284,12 @@ is_valid_cert(CERTCertificate *cert, voi void *pwdata = cbdata->pwdata; SECKEYPrivateKey *privkey = NULL; + + if (cbdata->privkey_unneeded) { + cbdata->cert = cert; + return SECSuccess; + } + privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata); if (privkey != NULL) { cbdata->cert = cert; @@ -413,7 +420,7 @@ find_certificate(cms_context *cms, int n } SECStatus status; - if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { + if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); if (status != SECSuccess) { PK11_DestroySlotListElement(slots, &psle); @@ -442,6 +449,7 @@ find_certificate(cms_context *cms, int n .cert = NULL, .psle = psle, .pwdata = pwdata, + .privkey_unneeded = cms->privkey_unneeded, }; if (needs_private_key) { @@ -562,7 +570,7 @@ find_named_certificate(cms_context *cms, } SECStatus status; - if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { + if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); if (status != SECSuccess) { PK11_DestroySlotListElement(slots, &psle); --- a/src/cms_common.h +++ b/src/cms_common.h 
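Review bot: The early return added to is_valid_cert() makes the callback accept the first certificate it is offered whenever `privkey_unneeded` is set, with no check beyond whatever filtering the caller already applied, and neither the new field in struct cbdata nor the one in cms_context says that this is meant only for importing an externally produced raw signature, where the certificate supplies an identity rather than a key. Suggest `int privkey_unneeded; /* select the cert without requiring its private key (raw-signature import); must never be set when signing */` on both fields. The -562 hunk also skips PK11_Authenticate() in find_named_certificate(), but nothing in the diff propagates privkey_unneeded into that function's callback data, so if it filters through is_valid_cert() too, the private-key lookup still runs there, now against a slot that was never logged in — worth confirming against the unpatched parts of the file. If several certificates share a nickname, the first one traversed wins here; whether that matters depends on the traversal order of the caller, which is outside the hunk.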
@@ -63,6 +63,7 @@ typedef int (*cms_common_logger)(struct typedef struct cms_context { PRArenaPool *arena; void *privkey; + int privkey_unneeded; char *tokenname; char *certname; --- a/src/pesign.c +++ b/src/pesign.c @@ -626,6 +626,7 @@ main(int argc, char *argv[]) */ case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS: check_inputs(ctxp); + ctxp->cms_ctx->privkey_unneeded = 1; rc = find_certificate(ctxp->cms_ctx, 0); if (rc < 0) { fprintf(stderr, "pesign: Could not find " ++++++ pesign-run.patch ++++++ Index: pesign-0.109/src/Makefile =================================================================== --- pesign-0.109.orig/src/Makefile +++ pesign-0.109/src/Makefile @@ -79,7 +79,7 @@ install_sysvinit: install : $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ - $(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/ + $(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/bin/ $(INSTALL) -m 755 pesign $(INSTALLROOT)$(PREFIX)/bin/ $(INSTALL) -m 755 client $(INSTALLROOT)$(PREFIX)/bin/pesign-client Index: pesign-0.109/src/daemon.h =================================================================== --- pesign-0.109.orig/src/daemon.h +++ pesign-0.109/src/daemon.h @@ -47,7 +47,7 @@ typedef enum { } pesignd_cmd; #define PESIGND_VERSION 0xa3cf41cb -#define SOCKPATH "/var/run/pesign/socket" -#define PIDFILE "/var/run/pesign.pid" +#define SOCKPATH "/run/pesign/socket" +#define PIDFILE "/run/pesign.pid" #endif /* DAEMON_H */ Index: pesign-0.109/src/macros.pesign =================================================================== --- pesign-0.109.orig/src/macros.pesign +++ pesign-0.109/src/macros.pesign 
@@ -34,7 +34,7 @@ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ --certdir ${nss} -c signer %{-o} \ rm -rf ${sattrs} ${sattrs}.sig ${nss} \ - elif [ -S /var/run/pesign/socket ]; then \ + elif [ -S /run/pesign/socket ]; then \ %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\ -c "/CN=Fedora Secure Boot Signer" \\\ %{-i} %{-o} %{-e} %{-s} %{-C} \ Index: pesign-0.109/src/pesign.sysvinit =================================================================== --- pesign-0.109.orig/src/pesign.sysvinit +++ pesign-0.109/src/pesign.sysvinit @@ -4,7 +4,7 @@ # # chkconfig: - 50 50 # processname: /usr/bin/pesign -# pidfile: /var/run/pesign.pid +# pidfile: /run/pesign.pid ### BEGIN INIT INFO # Provides: pesign # Should-Start: $remote_fs @@ -19,7 +19,7 @@ [ -f /usr/bin/pesign ] || exit 1 -PESIGN_PIDFILE=/var/run/pesign.pid +PESIGN_PIDFILE=/run/pesign.pid RETVAL=0 start(){ @@ -28,15 +28,15 @@ start(){ RETVAL=$? echo touch /var/lock/subsys/pesign - setfacl -m u:kojibuilder:x /var/run/pesign - setfacl -m u:kojibuilder:rw /var/run/pesign/socket - setfacl -m g:kojibuilder:x /var/run/pesign - setfacl -m g:kojibuilder:rw /var/run/pesign/socket + setfacl -m u:kojibuilder:x /run/pesign + setfacl -m u:kojibuilder:rw /run/pesign/socket + setfacl -m g:kojibuilder:x /run/pesign + setfacl -m g:kojibuilder:rw /run/pesign/socket } stop(){ echo -n "Stopping pesign: " - killproc -p /var/run/pesign.pid pesignd + killproc -p /run/pesign.pid pesignd RETVAL=$? echo rm -f /var/lock/subsys/pesign Index: pesign-0.109/src/tmpfiles.conf =================================================================== --- pesign-0.109.orig/src/tmpfiles.conf +++ pesign-0.109/src/tmpfiles.conf 
@@ -1 +1 @@ -D /var/run/pesign 0770 pesign pesign - +D /run/pesign 0770 pesign pesign - ++++++ pesign-suse-build.patch ++++++ --- Make.defaults | 5 +++-- Make.rules | 4 ++-- Makefile | 4 ++-- src/Makefile | 9 +++++---- src/pesign.sysvinit | 12 ++++++++---- util/Makefile | 6 +++--- 6 files changed, 23 insertions(+), 17 deletions(-) --- a/Make.defaults +++ b/Make.defaults @@ -5,7 +5,8 @@ HOSTARCH = $(shell uname -m | sed s,i[ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,) INCDIR = -I$(TOPDIR)/include CPPFLAGS = -DCONFIG_$(ARCH) -CFLAGS = $(ARCH3264) -g -O0 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE +OPTFLAGS = -O0 -g +CFLAGS = $(ARCH3264) $(OPTFLAGS) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE ASFLAGS = $(ARCH3264) LDFLAGS = -nostdlib CCLDFLAGS = -shared @@ -22,7 +23,7 @@ OBJCOPY = $(bindir)objcopy ifeq ($(ARCH),ia64) CFLAGS += -mfixed-range=f32-f127 - LIBDIR = $(PREFIX)/lib64 + LIBDIR = $(PREFIX)/lib endif ifeq ($(ARCH), ia32) --- a/Make.rules +++ b/Make.rules @@ -2,10 +2,10 @@ $(AR) -cvqs $@ $^ % : %.o - $(CC) $(CCLDFLAGS) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-l --libs-only-other $(pklib))) -lpthread + $(CC) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(CCLDFLAGS) $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-l --libs-only-other $(pklib))) -lpthread %.so : - $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@ + $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $^ $(CCLDFLAGS) -o $@ %.o: %.c $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ --- a/util/Makefile +++ b/util/Makefile 
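Review bot: The rewritten `% : %.o` link line in Make.rules still runs `$(shell pkg-config …)` once per PKLIBS entry every time the recipe is expanded, forking pkg-config for each binary linked; moving `$(CCLDFLAGS)` after the objects so the libraries follow them is the right change and is not the issue. Hoist the lookup into a simply-expanded variable next to where PKLIBS is assigned, e.g. `PKLDLIBS := $(shell pkg-config --libs-only-l --libs-only-other $(PKLIBS))`, and use `$(PKLDLIBS)` in the recipe; pkg-config accepts several packages in one call. The Make.defaults split of `OPTFLAGS` from the mandatory `-fpic`/`-fshort-wchar` flags is the right shape, since the spec overrides only OPTFLAGS. Where PKLIBS is assigned is not shown in this diff, so the file for the new variable is a guess.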
@@ -4,7 +4,7 @@ TOPDIR = $(SRCDIR)/.. include $(TOPDIR)/Make.defaults FORMAT=efi-app-$(HOSTARCH) -LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) +LDFLAGS = -nostdlib -T $(LIBDIR)/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name) CCLDFLAGS = CFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration @@ -17,8 +17,8 @@ clean : @rm -rfv *.o *.a *.so $(TARGETS) install : - $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/ - $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/ + $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/ + $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/ .PHONY: all clean install --- a/src/pesign.sysvinit +++ b/src/pesign.sysvinit @@ -6,21 +6,25 @@ # processname: /usr/bin/pesign # pidfile: /var/run/pesign.pid ### BEGIN INIT INFO -# Provides: pesign -# Default-Start: +# Provides: pesign +# Should-Start: $remote_fs +# Should-Stop: $remote_fs +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 5 # Default-Stop: # Short-Description: The pesign PE signing daemon # Description: The pesign PE signing daemon ### END INIT INFO -. /etc/init.d/functions [ -f /usr/bin/pesign ] || exit 1 +PESIGN_PIDFILE=/var/run/pesign.pid RETVAL=0 start(){ echo -n "Starting pesign: " - daemon /usr/bin/pesign --daemonize + startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize RETVAL=$? echo touch /var/lock/subsys/pesign ++++++ use-standard-pid-location.patch ++++++ --- a/src/pesign.service +++ b/src/pesign.service 
@@ -4,5 +4,5 @@ [Service] PrivateTmp=true Type=forking -PIDFile=/var/run/pesign.pid +PIDFile=/run/pesign.pid ExecStart=/usr/bin/pesign --daemonize -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
