Date: Monday, May 18, 2020 @ 21:00:25 Author: dvzrv Revision: 629723 upgpkg: pesign 113-1: Upgrading to 113.
Removing custom Red Hat/Fedora upstream certificate databases, as they are of pre-sql format and cannot be converted. Adding a custom patch to be able to execute pesign as a non-root user. Adding a custom systemd service for automatic database generation and for running pesign as an unprivileged system user. Adding tmpfiles integration for /etc/pki/pesign. Removing all Red Hat/Fedora-specific system integration and relying on the custom service instead. Updating maintainer info. Updating url and switching to the correct license (GPL3). Added: pesign/trunk/pesign-113-remove_root_check.patch pesign/trunk/pesign-create-db.service pesign/trunk/pesign.service pesign/trunk/pesign.tmpfiles Modified: pesign/trunk/PKGBUILD pesign/trunk/pesign.sysusers ------------------------------------+ PKGBUILD | 86 +++++++++++++++++++++++------------ pesign-113-remove_root_check.patch | 29 +++++++++++ pesign-create-db.service | 33 +++++++++++++ pesign.service | 37 +++++++++++++++ pesign.sysusers | 2 pesign.tmpfiles | 2 6 files changed, 160 insertions(+), 29 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2020-05-18 21:00:15 UTC (rev 629722) +++ PKGBUILD 2020-05-18 21:00:25 UTC (rev 629723) 
@@ -1,39 +1,69 @@
-# Maintainer: Bruno Pagani <[email protected]>
+# Maintainer: David Runge <[email protected]>
+# Contributor: Bruno Pagani <[email protected]>
 # Contributor: Mirco Tischler <mt-ml at gmx dot de>
 pkgname=pesign
-pkgver=0.112
-pkgrel=2
-pkgdesc="Tools for manipulating signed PE-COFF binaries"
-arch=(x86_64)
-url="https://github.com/rhinstaller/pesign"
-license=(GPL2)
-depends=(efivar nss libutil-linux)
-source=("${url}/releases/download/${pkgver}/${pkgname}-${pkgver}.tar.bz2"
+pkgver=113
+pkgrel=1
+pkgdesc="Linux tools for signed PE-COFF binaries"
+arch=('x86_64')
+url="https://github.com/rhboot/pesign"
+license=('GPL3')
+depends=('glibc' 'efivar' 'libutil-linux' 'nspr' 'nss' 'popt')
+source=("${pkgname}-${pkgver}.tar.gz::https://github.com/rhboot/${pkgname}/archive/${pkgver}.tar.gz"
+ "${pkgname}-113-remove_root_check.patch"
+ "${pkgname}-113-nss3.44.patch::https://github.com/rhboot/pesign/commit/b535d1ac5cbcdf18a97d97a92581e38080d9e521.patch"
+ "${pkgname}-113-assignment.patch::https://github.com/rhboot/pesign/commit/c555fd74c009242c3864576bd5f17a1f8f4fdffd.patch"
 "${pkgname}.sysusers"
- 'https://src.fedoraproject.org/lookaside/pkgs/pesign/certs.tar.xz/e377e0bc924287ee09356a239c5f51a8/certs.tar.xz') # No HTTP because custom CA
-sha256sums=('99fa1240311a802fa381eebba8d52b7106690322ac00395bf9fc149dc2cb363e'
- '3e016f959cbd223ecd0103ffb5186e3013bc3152dff722f1c7d67a628e68704a'
- 'e0fc5b78dd6e236f87042734b880cdb2859c46817fd7c7f934b8487e0e1c001d')
+ "${pkgname}.tmpfiles"
+ "${pkgname}.service"
+ "${pkgname}-create-db.service")
+sha512sums=('e71dc90c2ab8085d1b000c0d2cf9cb00ddaed1ea1393db75c2d19a96f1b1c188a26b76850533ba97ec254a3b48db6b07a69b597c329ac891e64422780a358c24'
+ '8541fed1dbdea3b5b36731c2982789db457db2d1c6d62cd8461a7ad10e3f26dc16aef62eb991ac2b6504f741442229195e9e2804b770e859f48c475c0467e457'
+ '03c871d9f03727a98709372d696d38a59d554d9dac487656135f2f043f1eb36515e6988b67a2d0f4d00535771839e934e4f2826959e76221334170837b577d2a'
+ 'cfa001265bfda5428ef72134d05ec16bee679a3906832aab4100f2c567f22e62d089b8cd475b9707926485c30958e70ba48c4035e118c480d008114fb6876c62'
+ '46c9958170924632fdf8fdf7b07eac5b35fc2a9292c84e346d9fc69cbedbfb762fc911c5c5dbf6e8391fa38a4f747b891dd295f14b47f594814572a07fcbc44c'
+ '2dca9a1aba9485afe6f07b7a3d9ee1dd0cd7640264f7584e739cab126b501ac1962a3b37509744a2b77abc613c75222801daf2e4fd97dd5211d19fbb7bd9ec33'
+ '5e4eb101b01fd688ca915051e25978e6b7a27ad2588c6b04ed52c179a00c04c1298080f9c2c0ae982cd0d861c649e5e6c244e54cb4962ca39c1d2264d1ec12df'
+ '14a161ec3a883d5c17581a6743a9b5e67e1617228966c4972933a055618f157aafefe8b0f648cb07251f0076384dd19be605acc6b1d31e7dec67749a682f505c')
+prepare() {
+ cd "${pkgname}-${pkgver}"
+ # -Werror, not even once
+ sed -e 's/\-Werror//g' -i Make.defaults
+ # remove root check
+ patch -Np1 -i "../${pkgname}-113-remove_root_check.patch"
+ # fix assignment
+ patch -Np1 -i "../${pkgname}-113-assignment.patch"
+ # fix issues with nss >=3.44
+ patch -Np1 -i "../${pkgname}-113-nss3.44.patch"
+}
+
 build() {
- cd ${pkgname}-${pkgver}
- make
+ cd "${pkgname}-${pkgver}"
+ make
 }
 package() {
- cd ${pkgname}-${pkgver}
+ cd "${pkgname}-${pkgver}"
+ make DESTDIR="${pkgdir}" \
+ libdir=/usr/lib \
+ libexecdir=/usr/lib \
+ install
+ # removing a lot of stuff that we don't need
+ rm -rfv "${pkgdir}/var"
+ rm -rfv "${pkgdir}/etc/rpm"
+ rm -rfv "${pkgdir}/etc/pesign"
+ rm -rfv "${pkgdir}/etc/pki"
+ rm -rfv "${pkgdir}/usr/lib/"
- make libdir=/usr/lib libexecdir=/usr/lib DESTDIR="${pkgdir}" install install_systemd
- rm -rf "${pkgdir}"/var
- rm -rf "${pkgdir}"/etc/rpm
-
- install -Dm644 "${srcdir}"/${pkgname}.sysusers "${pkgdir}"/usr/lib/sysusers.d/${pkgname}.conf
-
- # No reason those shouldn’t be readable
- install -dm0755 "${pkgdir}"/etc/pki/pesign{,-rh-test}
-
- # Install RedHat test certificates
- install -Dm644 "${srcdir}"/etc/pki/pesign/{cert8,key3,secmod}.db -t "${pkgdir}"/etc/pki/pesign/
- install -Dm644 "${srcdir}"/etc/pki/pesign-rh-test/{cert8,key3,secmod}.db -t "${pkgdir}"/etc/pki/pesign-rh-test/
+ install -vDm 644 "../${pkgname}.sysusers" \
+ "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
+ install -vDm 644 "../${pkgname}.tmpfiles" \
+ "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
+ # install custom service, that can run as separate user
+ # https://github.com/rhboot/pesign/issues/57
+ install -vDm 644 ../*.service \
+ -t "${pkgdir}/usr/lib/systemd/system/"
+ install -vdm 755 "${pkgdir}/etc/pki/pesign"
 }
Added: pesign-113-remove_root_check.patch
===================================================================
--- pesign-113-remove_root_check.patch (rev 0)
+++ pesign-113-remove_root_check.patch 2020-05-18 21:00:25 UTC (rev 629723)
@@ -0,0 +1,29 @@
+diff -ruN a/src/daemon.c b/src/daemon.c
+--- a/src/daemon.c 2019-05-10 20:53:51.000000000 +0200
++++ b/src/daemon.c 2020-04-26 13:34:02.064214277 +0200
+@@ -1159,11 +1159,6 @@
+ ctx.backup_cms->log_priv = &ctx;
+ ctx.sd = -1;
+
+- if (getuid() != 0) {
+- fprintf(stderr, "pesignd must be started as root");
+- exit(1);
+- }
+-
+ check_socket(&ctx);
+
+ openlog("pesignd", LOG_PID, LOG_DAEMON);
+diff -ruN a/src/daemon.h b/src/daemon.h
+--- a/src/daemon.h 2019-05-10 20:53:51.000000000 +0200
++++ b/src/daemon.h 2020-04-26 13:51:56.580675620 +0200
+@@ -49,8 +49,8 @@
+ } pesignd_cmd;
+
+ #define PESIGND_VERSION 0x2a9edaf0
+-#define SOCKPATH "/var/run/pesign/socket"
+-#define PIDFILE "/var/run/pesign.pid"
++#define SOCKPATH "/run/pesign/socket"
++#define PIDFILE "/run/pesign/pesign.pid"
+
+ static inline uint32_t UNUSED
+ pesignd_string_size(char *buffer)
Added: pesign-create-db.service
===================================================================
--- pesign-create-db.service (rev 0)
+++ pesign-create-db.service 2020-05-18 21:00:25 UTC (rev 629723)
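Review bot: `rm -rfv "${pkgdir}/usr/lib/"` in package() deletes everything the preceding `make install` placed under libdir and libexecdir (both set to /usr/lib), not only the Red Hat/Fedora helpers the commit message targets; if a future upstream release starts installing a shared library or another payload there, it will be stripped silently and the package will still build. Removing the specific subdirectories the install log shows instead (e.g. `rm -rfv "${pkgdir}/usr/lib/<upstream-subdir>"`, with the placeholder taken from the actual install output) keeps the cleanup deliberate and makes an upstream layout change fail loudly. On the same note, `install -vDm 644 ../*.service` installs whatever `*.service` files happen to be in `$srcdir`; the two units are known, so `install -vDm 644 "../${pkgname}.service" "../${pkgname}-create-db.service" -t "${pkgdir}/usr/lib/systemd/system/"` is more explicit.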
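Review bot: The patch file has no description header, so nothing in the package explains why the `getuid() != 0` guard in daemon.c is dropped or why SOCKPATH and PIDFILE move to /run/pesign; a reader has to correlate it with the service files by hand. A few lines above the first `diff -ruN` stating that pesignd is run as the unprivileged `pesign` user by pesign.service, that /run/pesign is provided by that unit's `RuntimeDirectory=pesign`, and pointing at the upstream issue the PKGBUILD already cites (https://github.com/rhboot/pesign/issues/57) would make the patch self-explanatory and easier to rebase. The removed check is the only root assumption visible in this hunk; main() continues outside it, so any other privileged operation the daemon performs after this point (ownership or mode changes on the socket, for instance) now runs as the service user and should be verified rather than assumed to succeed.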
@@ -0,0 +1,33 @@
+[Unit]
+Description=Pesign database generation
+Documentation=man:certutil(1)
+ConditionPathExists=|!/etc/pki/pesign/cert9.db
+ConditionPathExists=|!/etc/pki/pesign/key4.db
+ConditionPathExists=|!/etc/pki/pesign/pkcs11.txt
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+User=pesign
+Group=pesign
+ExecStart=/usr/bin/certutil -N -d sql:/etc/pki/pesign --empty-password
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+ReadWritePaths=/etc/pki/pesign
Added: pesign.service
===================================================================
--- pesign.service (rev 0)
+++ pesign.service 2020-05-18 21:00:25 UTC (rev 629723)
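Review bot: Nothing in the [Service] section bounds the mode of the files that `certutil -N` creates, and the `z /etc/pki/pesign/* 0600 pesign pesign -` rule in pesign.tmpfiles (also in this commit) only takes effect when systemd-tmpfiles runs — at boot or from the package hook — both of which happen before this oneshot unit first executes, so the freshly written key4.db keeps whatever mode certutil gives it until the next tmpfiles pass (whether certutil already restricts it cannot be verified from here). Adding `UMask=0077` to this unit closes that window independently of the tmpfiles rule. The `--empty-password` choice also deserves a comment so the next maintainer does not "fix" it: `# Empty DB password by design: pesignd must open the key store unattended; access control is the 0600 pesign:pesign mode enforced by pesign.tmpfiles.`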
@@ -0,0 +1,37 @@
+[Unit]
+Description=Pesign signing daemon
+Documentation=man:pesign(1)
+Wants=pesign-create-db.service
+After=pesign-create-db.service
+
+[Service]
+User=pesign
+Group=pesign
+PIDFile=/run/pesign/pesign.pid
+ExecStart=/usr/bin/pesign --daemonize --nofork
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+ReadWritePaths=/run/pesign
+RuntimeDirectory=pesign
+StateDirectory=pesign
+LogsDirectory=pesign
+
+[Install]
+WantedBy=multi-user.target
Modified: pesign.sysusers
===================================================================
--- pesign.sysusers 2020-05-18 21:00:15 UTC (rev 629722)
+++ pesign.sysusers 2020-05-18 21:00:25 UTC (rev 629723)
@@ -1 +1 @@
-u pesign 312 "pesign signing daemon"
+u pesign - "pesign signing daemon" -
Added: pesign.tmpfiles
===================================================================
--- pesign.tmpfiles (rev 0)
+++ pesign.tmpfiles 2020-05-18 21:00:25 UTC (rev 629723)
@@ -0,0 +1,2 @@
+d /etc/pki/pesign 0755 pesign pesign -
+z /etc/pki/pesign/* 0600 pesign pesign -
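Review bot: `RestrictAddressFamilies=` is missing from an otherwise thorough sandbox in [Service]; the daemon's only listener is the Unix socket at /run/pesign/socket (the patched SOCKPATH in this commit), so `RestrictAddressFamilies=AF_UNIX` would deny it any network socket without affecting function. `StateDirectory=pesign` and `LogsDirectory=pesign` create /var/lib/pesign and /var/log/pesign, yet nothing in this commit points the daemon at either path — its paths are /run/pesign and /etc/pki/pesign, and the patch shows it logging through `openlog("pesignd", LOG_PID, LOG_DAEMON)` — so if they are indeed unused they should be dropped rather than widen the writable set. `PIDFile=` is documented for `Type=forking`; with `--nofork` under the default Type=simple, systemd already tracks the main PID, so the directive is either dead (if the daemon does not write the file in this mode) or redundant, and can go.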
