Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pesign-obs-integration for 
openSUSE:Factory checked in at 2023-06-13 16:08:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign-obs-integration (Old)
 and      /work/SRC/openSUSE:Factory/.pesign-obs-integration.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pesign-obs-integration"

Tue Jun 13 16:08:52 2023 rev:52 rq:1092483 version:10.2+git20230612.4699910

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes
    2023-01-30 17:11:50.520738748 +0100
+++ 
/work/SRC/openSUSE:Factory/.pesign-obs-integration.new.15902/pesign-obs-integration.changes
 2023-06-13 16:09:02.914722075 +0200
@@ -1,0 +2,23 @@
+Mon Jun 12 05:20:28 UTC 2023 - [email protected]
+
+- Update to version 10.2+git20230612.4699910:
+  * pesign-gen-repackage-spec: support filetriggers and transfiletriggers
+  * Add support for dependency generators
+  * pesign-gen-repackage-spec: fix the filename issue in the scripts of 
generated ueficert package
+  * Verfiy the signatures before attaching them
+  * Don't copy rpmlintrc to OTHER
+  * Fix %attr issues
+  * Support %lang
+  * Support OrderWithRequires
+  * pesign-repackage.spec.in: Add description for footer_size
+- Removed the following patches becuase they are merged to
+  10.2+git20230612.4699910:
+         Patch:          order.patch
+         Patch1:         attr.patch
+         Patch2:         lang.patch
+         Patch3:         rpmlintrc.patch
+         Patch4:         verify-sig.patch
+         Patch5:         dependency-generators.patch
+- Use README.md instead of README in pesign-obs-integration.spec. 
+
+-------------------------------------------------------------------
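Review bot: two typos in the changelog entry: "Verfiy the signatures" should read "Verify the signatures", and "becuase they are merged" should read "because they are merged". Also, "Fix %attr issues" undersells a permission-relevant change: the %attr mask in pesign-gen-repackage-spec goes from 0777 to 07777, so setuid/setgid/sticky bits are now preserved in the repackaged signed RPMs; say so explicitly, since reviewers of signed packages should know that file permission bits changed.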

Old:
----
  attr.patch
  dependency-generators.patch
  lang.patch
  order.patch
  pesign-obs-integration-10.2+git20220504.8690743.obscpio
  rpmlintrc.patch
  verify-sig.patch

New:
----
  pesign-obs-integration-10.2+git20230612.4699910.obscpio
  pesign-obs-integration-10.2+git20230612.4699910.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pesign-obs-integration.spec ++++++
--- /var/tmp/diff_new_pack.jbspO8/_old  2023-06-13 16:09:03.814727384 +0200
+++ /var/tmp/diff_new_pack.jbspO8/_new  2023-06-13 16:09:03.818727408 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package pesign-obs-integration
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,19 +18,13 @@
 
 
 Name:           pesign-obs-integration
-Version:        10.2+git20220504.8690743
+Version:        10.2+git20230612.4699910
 Release:        0
 Summary:        Macros and scripts to sign the kernel and bootloader
 License:        GPL-2.0-only
 Group:          Development/Tools/Other
 URL:            https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
 Source:         %{name}-%{version}.tar.gz
-Patch:          order.patch
-Patch1:         attr.patch
-Patch2:         lang.patch
-Patch3:         rpmlintrc.patch
-Patch4:         verify-sig.patch
-Patch5:         dependency-generators.patch
 BuildRequires:  openssl
 Requires:       fipscheck
 Requires:       mozilla-nss-tools

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.jbspO8/_old  2023-06-13 16:09:03.862727667 +0200
+++ /var/tmp/diff_new_pack.jbspO8/_new  2023-06-13 16:09:03.866727692 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
-              <param 
name="changesrevision">8690743c1c82e6a37d50c522ba01b4f34c2cb795</param></service></servicedata>
+              <param 
name="changesrevision">4699910cf20591bcf3d06e42189ad8cb1326ab08</param></service></servicedata>
 (No newline at EOF)
 

++++++ pesign-obs-integration-10.2+git20220504.8690743.obscpio -> 
pesign-obs-integration-10.2+git20230612.4699910.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20220504.8690743/README 
new/pesign-obs-integration-10.2+git20230612.4699910/README
--- old/pesign-obs-integration-10.2+git20220504.8690743/README  2022-05-04 
23:07:02.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20230612.4699910/README  1970-01-01 
01:00:00.000000000 +0100
@@ -1,45 +0,0 @@
-Signing kernel modules and EFI binaries in the Open Build Service
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-RPM packages that need to sign files during build should add the following 
lines
-to the specfile
-
-# needssslcertforbuild
-export BRP_PESIGN_FILES='pattern...'
-BuildRequires: pesign-obs-integration
-
-Debian packages need to add the following line to the Source stanza in the
-debian/control file, which will add "Obs: needssslcertforbuild" to the 
generated
-.dsc file:
-
-XS-Obs: needssslcertforbuild
-
-The "# needssslcertforbuild" comment tells the buildservice to store the
-signing certificate in %_sourcedir/_projectcert.crt. At the end of the
-install phase, the brp-99-pesign script computes hashes of all
-files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored
-in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
-pesign-repackage.spec file there. When the first rpmbuild finishes, the
-buildservice sends the cpio archive to the signing server, which returns
-a rsasigned.cpio archive with RSA signatures of the sha256 hashes.
-
-The pesign-repackage.spec takes the original RPMs, unpacks them and
-appends the signatures to the files. It then uses the
-pesign-gen-repackage-spec script to generate another specfile, which
-builds new RPMs with signed files. The supported file types are:
-
-*.ko            - Signature appended to the module
-efi binaries    - Signature embedded in a header. If a HMAC checksum named
-                  .$file.hmac exists, it is regenerated
-
-Debian packages can use the dh-signobs debhelper to automate signing and
-repacking. Build-depend on dh-signobs and add --with signobs to the dh line
-in debian/rules to use the fully automated helper.
-Consult the dh_signobs manpage for more information.
-
-When BRP_PESIGN_COMPRESS_MODULE is passed, the script tries to compress the
-kernel modules at the repackaging phase. Currently xz, gzip and zstd format is 
supported.
-For enable the compression feature, put the following along with
-BRP_PESIGN_FILES setup:
-
-export BRP_PESIGN_COMPRESS_MODULE="xz"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20220504.8690743/README.md 
new/pesign-obs-integration-10.2+git20230612.4699910/README.md
--- old/pesign-obs-integration-10.2+git20220504.8690743/README.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/pesign-obs-integration-10.2+git20230612.4699910/README.md       
2023-06-12 07:16:32.000000000 +0200
@@ -0,0 +1,71 @@
+ # Signing kernel modules and EFI binaries in the Open Build Service
+
+RPM packages that need to sign files during build should add the following 
lines
+to the specfile
+
+```
+# needssslcertforbuild
+export BRP_PESIGN_FILES='pattern...'
+BuildRequires: pesign-obs-integration
+```
+
+Debian packages need to add the following line to the Source stanza in the
+debian/control file, which will add "Obs: needssslcertforbuild" to the 
generated
+.dsc file:
+
+```XS-Obs: needssslcertforbuild```
+
+The "# needssslcertforbuild" comment tells the buildservice to store the
+signing certificate in %_sourcedir/_projectcert.crt. At the end of the
+install phase, the brp-99-pesign script computes hashes of all
+files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored
+in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
+pesign-repackage.spec file there. When the first rpmbuild finishes, the
+buildservice sends the cpio archive to the signing server, which returns
+a rsasigned.cpio archive with RSA signatures of the sha256 hashes.
+
+The pesign-repackage.spec takes the original RPMs, unpacks them and
+appends the signatures to the files. It then uses the
+pesign-gen-repackage-spec script to generate another specfile, which
+builds new RPMs with signed files. The supported file types are:
+
+- *.ko
+  - Signature appended to the module
+- efi binaries
+  - Signature embedded in a header. If a HMAC checksum named
+    .$file.hmac exists, it is regenerated
+
+Debian packages can use the dh-signobs debhelper to automate signing and
+repacking. Build-depend on dh-signobs and add --with signobs to the dh line
+in debian/rules to use the fully automated helper.
+Consult the dh_signobs manpage for more information.
+
+## Options
+
+### Kernel Module Compression
+When BRP_PESIGN_COMPRESS_MODULE is passed, the script tries to compress the
+kernel modules at the repackaging phase. Currently xz, gzip and zstd format is 
supported.
+For enable the compression feature, put the following along with
+BRP_PESIGN_FILES setup:
+
+```export BRP_PESIGN_COMPRESS_MODULE="xz"```
+
+### Dependency Generation
+If you need macros within the pesign-repackage specfile to adjust [dependency 
generation](https://rpm-software-management.github.io/rpm/manual/dependency_generators.html)
+, then place these in a source file called pesign-spec-macros, this will 
subseqently be loaded.
+
+Example of pesign-spec-macros:
+
+```%__kmp_supplements %_sourcedir/my-find-supplements 
%_sourcedir/pci_ids-%{version}```
+
+To save creating duplicate copies of macros, load this file from your existing 
spec file by using the following:
+
+```%{load:%{_sourcedir}/pesign-spec-macros}```
+
+If you need some source files such as dependency generation scripts then place 
the names of these source files in a source file called pesign-copy-sources.
+
+Example of pesign-copy-sources:
+```
+my-find-supplements
+pci_ids-%{version}
+```
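Review bot: several documentation issues in the new README.md. The heading on the first line has a leading space before "#". The one-line fragments ```XS-Obs: needssslcertforbuild```, ```export BRP_PESIGN_COMPRESS_MODULE="xz"``` and ```%{load:%{_sourcedir}/pesign-spec-macros}``` render as inline code rather than fenced blocks, and the pesign-spec-macros example is split across two lines inside such a fence; put the opening and closing ``` on their own lines as the other blocks do. Wording: "subseqently" -> "subsequently"; "Currently xz, gzip and zstd format is supported" -> "formats are supported"; "For enable the compression feature" -> "To enable the compression feature"; and the comma starting the line after the dependency-generation link belongs at the end of the previous line. Missing information: brp-99-pesign rewrites %{name} and %{version} in both pesign-spec-macros and pesign-copy-sources before using them, and the names in pesign-copy-sources are resolved relative to the package source directory; neither fact can be learned from the "Dependency Generation" section.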
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20220504.8690743/brp-99-pesign 
new/pesign-obs-integration-10.2+git20230612.4699910/brp-99-pesign
--- old/pesign-obs-integration-10.2+git20220504.8690743/brp-99-pesign   
2022-05-04 23:07:02.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20230612.4699910/brp-99-pesign   
2023-06-12 07:16:32.000000000 +0200
@@ -88,10 +88,34 @@
        echo "No buildservice signing certificate"
        cert=/dev/null
 fi
+
+if test -e $RPM_SOURCE_DIR/pesign-spec-macros; then
+       sed "
+               s:%{name}:$RPM_PACKAGE_NAME:g
+               s:%{version}:$RPM_PACKAGE_VERSION:g
+       " $RPM_SOURCE_DIR/pesign-spec-macros > $output/pesign-spec-macros
+       spec_macros="--macros pesign-spec-macros"
+fi
+if test -e $RPM_SOURCE_DIR/pesign-copy-sources; then
+       sed "
+               s:%{name}:$RPM_PACKAGE_NAME:g
+               s:%{version}:$RPM_PACKAGE_VERSION:g
+       " $RPM_SOURCE_DIR/pesign-copy-sources > $output/pesign-copy-sources
+       while read -r line; do
+               if [ -n "${line}" ]; then
+                       
source_files="${source_files}${RPM_SOURCE_DIR}/${line}\n"
+               fi
+       done < $output/pesign-copy-sources
+       echo -e "$source_files" | head -c -1 | cpio -o > 
$output/source_files.cpio
+       rm $output/pesign-copy-sources
+fi
+
+
 sed "
        s:@NAME@:$RPM_PACKAGE_NAME:g
        s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g
        s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
+       s:@PESIGN_LOAD_SPEC_MACROS@:$spec_macros:g
        /@CERT@/ {
                r $cert
                d
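Review bot: the pesign-copy-sources block has no error handling. If a listed file does not exist, cpio -o only warns and the loop carries on, so the missing dependency-generator script is noticed only later, during repackaging, with a less useful error. Test that "${RPM_SOURCE_DIR}/${line}" exists before appending it and fail the build otherwise, and check the exit status of the `echo -e ... | cpio -o` pipeline. Two smaller points: use `while IFS= read -r line` so leading/trailing whitespace in names survives, and quote $output and $RPM_SOURCE_DIR in the `test -e` and redirections. Note also that the archive members are stored with absolute names (${RPM_SOURCE_DIR}/...), which has to match how pesign-repackage.spec.in extracts them.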
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20220504.8690743/pesign-gen-repackage-spec 
new/pesign-obs-integration-10.2+git20230612.4699910/pesign-gen-repackage-spec
--- 
old/pesign-obs-integration-10.2+git20220504.8690743/pesign-gen-repackage-spec   
    2022-05-04 23:07:02.000000000 +0200
+++ 
new/pesign-obs-integration-10.2+git20230612.4699910/pesign-gen-repackage-spec   
    2023-06-12 07:16:32.000000000 +0200
@@ -33,6 +33,7 @@
 my $cert_subpackage;
 my $kmp_basename;
 my $compress = "";
+my $macros_file = "";
 my @rpms;
 
 $ENV{LC_ALL} = "en_US.UTF-8";
@@ -43,6 +44,7 @@
        "output|o=s" => \$output,
        "cert-subpackage|c=s" => \$cert_subpackage,
        "compress|C=s" => \$compress,
+       "macros|M=s" => \$macros_file,
 ) or die $USAGE;
 @rpms = @ARGV;
 if (!@rpms) {
@@ -130,6 +132,7 @@
        enhances => "enhance",
        recommends => "recommend",
        supplements => "supplement",
+       orderwithrequires => "order",
 );
 
 # specfile scriptlet => rpm tag name
@@ -153,6 +156,12 @@
        zstd  => "zstdio",
 );
 
+my %sense2tag = (
+       0x10000 => 'triggerin',
+       0x20000 => 'triggerun',
+       0x40000 => 'triggerpostun',
+);
+
 # tags which are printed verbatim in the specfile
 my @simple_tags = qw(epoch version release license group summary packager 
vendor
                      url distribution);
@@ -166,7 +175,7 @@
                $res{$tag} = query_single($rpm, $tag);
        }
        my @files;
-       my @list = query_array($rpm, qw(filenames fileflags filemodes 
fileusername filegroupname filesizes filemtimes filelinktos fileverifyflags));
+       my @list = query_array($rpm, qw(filenames fileflags filemodes 
fileusername filegroupname filesizes filemtimes filelinktos fileverifyflags 
filelangs));
        for my $file (@list) {
                my $new = {
                                name   => $file->[0],
@@ -178,6 +187,7 @@
                                mtime  => $file->[6],
                                target => $file->[7],
                                verify => $file->[8],
+                               lang   => $file->[9],
                };
                push(@files, $new);
                if ($new->{name} =~ /\.ko$/ && S_ISREG($new->{mode})) {
@@ -224,6 +234,58 @@
                                script => $triggerscripts[$i],
                });
        }
+
+       my @filetriggerprogs = query_array($rpm, qw(filetriggerscriptprog 
filetriggerscriptflags filetriggerpriorities));
+       my @filetriggerscripts = query_multiline_array($rpm, 
"filetriggerscripts");
+       my @filetriggers = query_array($rpm, qw(filetriggerindex 
filetriggername filetriggerversion filetriggerflags));
+       if (scalar(@filetriggerprogs) != scalar(@filetriggerscripts)) {
+               die "# of %%{filetriggerscriptprog} tags (" . 
scalar(@filetriggerprogs) .
+               ") != # of %%{filetriggerscripts} tags (" . 
scalar(@filetriggerscripts)
+               . ")";
+       }
+       my @filetriggeridx;
+       for (my $i = 0; $i < scalar(@filetriggers); $i++) {
+               push @{$filetriggeridx[$filetriggers[$i]->[0]]}, $i;
+       }
+       for (my $i = 0; $i < scalar(@filetriggerprogs); $i++) {
+               my @idx = @{$filetriggeridx[$i] || []};
+               $res{filetriggers} ||= [];
+               push(@{$res{filetriggers}}, {
+                               name =>   [ map {$filetriggers[$_]->[1]} @idx ],
+                               interp => $filetriggerprogs[$i]->[0],
+                               scriptflags => $filetriggerprogs[$i]->[1],
+                               version =>  [ map {$filetriggers[$_]->[2]} @idx 
],
+                               sense =>  [ map {$filetriggers[$_]->[3]} @idx ],
+                               priority =>  $filetriggerprogs[$i]->[2],
+                               script => $filetriggerscripts[$i],
+               });
+       }
+
+       my @transfiletriggerprogs = query_array($rpm, 
qw(transfiletriggerscriptprog transfiletriggerscriptflags 
transfiletriggerpriorities));
+       my @transfiletriggerscripts = query_multiline_array($rpm, 
"transfiletriggerscripts");
+       my @transfiletriggers = query_array($rpm, qw(transfiletriggerindex 
transfiletriggername transfiletriggerversion transfiletriggerflags));
+       if (scalar(@transfiletriggerprogs) != scalar(@transfiletriggerscripts)) 
{
+               die "# of %%{transfiletriggerscriptprog} tags (" . 
scalar(@transfiletriggerprogs) .
+               ") != # of %%{transfiletriggerscripts} tags (" . 
scalar(@transfiletriggerscripts)
+               . ")";
+       }
+       my @transfiletriggeridx;
+       for (my $i = 0; $i < scalar(@transfiletriggers); $i++) {
+               push @{$transfiletriggeridx[$transfiletriggers[$i]->[0]]}, $i;
+       }
+       for (my $i = 0; $i < scalar(@transfiletriggerprogs); $i++) {
+               my @idx = @{$transfiletriggeridx[$i] || []};
+               $res{transfiletriggers} ||= [];
+               push(@{$res{transfiletriggers}}, {
+                               name =>   [ map {$transfiletriggers[$_]->[1]} 
@idx ],
+                               interp => $transfiletriggerprogs[$i]->[0],
+                               scriptflags => $transfiletriggerprogs[$i]->[1],
+                               version =>  [ map {$transfiletriggers[$_]->[2]} 
@idx ],
+                               sense =>  [ map {$transfiletriggers[$_]->[3]} 
@idx ],
+                               priority =>  $transfiletriggerprogs[$i]->[2],
+                               script => $transfiletriggerscripts[$i],
+               });
+       }
        open(my $fh, '-|', "rpm", "-qp", "--changelog", $rpm) or die "rpm: 
$!\n";
        {
                local $/ = undef;
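Review bot: the file-trigger and transfile-trigger blocks are verbatim copies that differ only in the tag prefix (filetrigger* vs transfiletrigger*) and the result key; factor them into one helper taking the prefix, so the two cannot drift apart. Also, `die` takes a plain string, not a printf format, so the doubled %% in "# of %%{filetriggerscriptprog} tags" is printed literally as two percent signs; use a single % (or sprintf) in these messages.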
@@ -270,6 +332,7 @@
        print SPEC "\%define _binary_payload $payloadstr\n";
 
        if ($is_main) {
+               print SPEC "\%{load:\%_sourcedir/$macros_file}\n" if 
$macros_file ne "";
                print SPEC "Name: $p->{name}\n";
                print SPEC "Buildroot: $directory\n";
                if ($p->{nosource}) {
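Review bot: $macros_file is interpolated unquoted into the generated spec, so a value containing whitespace or "}" would yield a malformed %{load:...} line. Today brp-99-pesign always passes the fixed name pesign-spec-macros, so this is acceptable, but a comment stating that assumption (or a sanity check on the option value after GetOptions) would prevent surprises if --macros is ever used directly.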
@@ -309,6 +372,26 @@
                print SPEC " -- $trigger->{conds}\n";
                $i++;
        }
+       for my $trigger (@{$p->{filetriggers}}) {
+               my $sense = $trigger->{'sense'}->[0];
+               die("unsupported sense $sense\n") unless $sense2tag{$sense};
+               print SPEC "\%file$sense2tag{$sense}";
+               print SPEC " -P $trigger->{'priority'}" if 
$trigger->{'priority'} && $trigger->{'priority'} ne '(none)';
+               print SPEC " -p $trigger->{interp} -n $p->{name}";
+               print_script("trigger$i-$p->{name}", $trigger);
+               print SPEC " -- ".join(' ', @{$trigger->{'name'}})."\n";
+               $i++;
+       }
+       for my $trigger (@{$p->{transfiletriggers}}) {
+               my $sense = $trigger->{'sense'}->[0];
+               die("unsupported sense $sense\n") unless $sense2tag{$sense};
+               print SPEC "\%transfile$sense2tag{$sense}";
+               print SPEC " -P $trigger->{'priority'}" if 
$trigger->{'priority'} && $trigger->{'priority'} ne '(none)';
+               print SPEC " -p $trigger->{interp} -n $p->{name}";
+               print_script("trigger$i-$p->{name}", $trigger);
+               print SPEC " -- ".join(' ', @{$trigger->{'name'}})."\n";
+               $i++;
+       }
        if ($p->{files}) {
                print SPEC "\%files -n $p->{name}\n";
                print_files($p->{files});
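Review bot: the %sense2tag lookup keys on the complete flags value, so any additional bit set in filetriggerflags/transfiletriggerflags makes the generator die with "unsupported sense" and aborts repackaging of the whole package. Only the three trigger bits listed in %sense2tag are meaningful here, so mask the value before the lookup, and include $p->{name} in the die message so the failing package can be identified from the build log. Second point: the trigger prefixes are joined with a single space on the "-- " line; rpm separates prefixes by whitespace, so a prefix containing a space cannot be round-tripped and should be rejected with an explicit error rather than silently emitted as two prefixes.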
@@ -416,8 +499,6 @@
                        $attrs .= "\%dir ";
                        utime($f->{mtime}, $f->{mtime}, $path);
                }
-               $attrs .= sprintf('%%attr(%04o, %s, %s) ', ($f->{mode} & 0777),
-                       $f->{owner}, $f->{group});
                if ($f->{flags} & $filetypes{config}) {
                        $attrs .= "%config ";
                        my @cfg_attrs;
@@ -448,6 +529,10 @@
                                symlink($f->{target}, $path);
                        }
                }
+               unless (S_ISLNK($f->{mode})) {
+                       $attrs .= sprintf('%%attr(%04o, %s, %s) ', ($f->{mode} 
& 07777),
+                               $f->{owner}, $f->{group});
+               }
                # mtime of symlinks is also not preserved by cpio
                if (S_ISLNK($f->{mode})) {
                        # perl core does not provide lutimes()/utimensat()
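Review bot: good fix on the mode mask. The previous `& 0777` dropped setuid/setgid/sticky bits, so a signed repackaged RPM could ship a helper without the setuid bit its unsigned build had, silently changing behaviour; `& 07777` preserves them. Skipping symlinks is fine since their mode is always 0777 on Linux. The %attr now appears after the %config/%dir handling instead of before it; order within a %files line is not significant to rpm, but please state in the changelog that permission bits above 0777 are now preserved.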
@@ -462,7 +547,9 @@
                if ($verify_attrs) {
                        $attrs .= "%verify(not $verify_attrs) ";
                }
-
+               if ($f->{lang} ne "") {
+                       $attrs .= sprintf('%%lang(%s) ', $f->{lang});
+               }
                if ($compress ne "" &&
                    $f->{name} =~ /\.ko$/ && S_ISREG($f->{mode})) {
                        chmod($f->{mode}, $path);
@@ -556,7 +643,8 @@
                                print STDERR "warning: Ignoring 
$directory/$certdir/$cert (no .crt suffix)\n";
                                next;
                        }
-                       $certs .= " $certdir/$cert";
+                       $cert =~ s{\.[^.]+$}{};
+                       $certs .= " $cert";
                }
        }
        if (!$certs) {
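Review bot: `$cert =~ s{\.[^.]+$}{}` strips whatever trailing extension is present, while the check just above only admits names ending in ".crt"; `s{\.crt$}{}` states the intent directly and cannot remove anything else. Also, $certs no longer carries the $certdir prefix, and the consumer of $certs is not in this hunk; confirm that every place that uses it was updated to prepend the directory, since that is the "filename issue in the scripts of generated ueficert package" the changelog refers to.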
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20220504.8690743/pesign-repackage.spec.in 
new/pesign-obs-integration-10.2+git20230612.4699910/pesign-repackage.spec.in
--- 
old/pesign-obs-integration-10.2+git20220504.8690743/pesign-repackage.spec.in    
    2022-05-04 23:07:02.000000000 +0200
+++ 
new/pesign-obs-integration-10.2+git20230612.4699910/pesign-repackage.spec.in    
    2023-06-12 07:16:32.000000000 +0200
@@ -87,10 +87,13 @@
 # Copy files other than the meta files and RPMs to %_topdir/OTHER
 OTHER_FILES=`find %_sourcedir/ -maxdepth 1 -type f \
        -not -regex '.*\.\(rpm\|spec\|rsasign\|sig\|crt\)' \
+       -not -regex '.*\rpmlintrc' \
        -not -name "_buildenv" \
        -not -name "_statistics" \
        -not -name "logfile" \
        -not -name "meta" \
+       -not -name "pesign-spec-macros" \
+       -not -name "source_files.cpio" \
        -print`
 for file in $OTHER_FILES; do
        if test -e "$file"; then
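Review bot: the new pattern '.*\rpmlintrc' contains a stray backslash. Inside single quotes it reaches find unchanged, and in find's default emacs regex syntax `\r` is just a literal "r", so the expression works only by accident and reads as if it matched a carriage return. Write `-not -regex '.*rpmlintrc'` or, consistent with the surrounding lines, `-not -name '*rpmlintrc'`.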
@@ -98,6 +101,11 @@
                cp "$file" "$_"
        fi
 done
+if test -e %_sourcedir/source_files.cpio; then
+       pushd %_sourcedir
+       cpio -i < source_files.cpio
+       popd
+fi
 mkdir rsasigned
 pushd rsasigned
 cpio -idm <%_sourcedir/@[email protected]
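Review bot: the archive was written by brp-99-pesign with absolute member names (${RPM_SOURCE_DIR}/<file>), yet this hunk does `pushd %_sourcedir` and `cpio -i` as if the members were relative. Whether cpio -i recreates the absolute path or strips the leading slash depends on the cpio version and options, so make the two sides agree explicitly: either create the archive from relative names (cd into $RPM_SOURCE_DIR before cpio -o) or extract with `--no-absolute-filenames`. Check cpio's exit status as well; a failed extraction here silently leaves the dependency-generator scripts missing.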
@@ -122,8 +130,17 @@
 certutil -N -d "$nss_db" -f "$nss_db/passwd"
 certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
 
+# Extract the public key of the certificate
+openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
+
 sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
 for sig in "${sigs[@]}"; do
+       # Verify the signature with the public key of the certificate
+       ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$sig" 
2>&1 | grep -i error) || true
+       if [ -n "$ver_err" ]; then
+               echo "$sig signature can not be decrypted by $cert" >&2
+               exit 1
+       fi
        f=%buildroot/${sig%.sig}
        case "/$sig" in
        *.ko.sig|*.mod.sig)
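Review bot: the check should use the exit status of openssl rather than grepping merged stdout/stderr for "error": `2>&1` feeds the recovered signature payload on stdout into grep as well, and a stderr line that does not contain the word "error" is missed. `openssl rsautl` is also deprecated since OpenSSL 3.0 in favour of `openssl pkeyutl`, and prints a deprecation warning to stderr on such systems. Be precise in the comment about what this verifies: `rsautl -verify` only confirms that the .sig decrypts to a correctly padded block under the project certificate's key, i.e. "signed by the expected key"; it does not compare the recovered digest with the sha256 of the file the signature is attached to, so the binding to the file content still rests on kernel-sign-file/pesign below. Finally, `-inform DER` hard-codes the certificate encoding; if $cert can be PEM, the x509 step needs to handle both.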
@@ -162,7 +179,7 @@
                unsigned_grub_size="$(wc -c < "$f")"
                /usr/lib/rpm/pesign/kernel-sign-file -vpd -i pkcs7 -s "$sig" 
sha256 "$cert" "$f"
                sig_size="$(wc -c < "$f.p7s")"
-               footer_size=40
+               footer_size=40 # 12 bytes signature info structure, 28 bytes 
signature magic string
                grub_size="$(wc -c < "$f")"
                if ! [ $(expr "$sig_size" + "$footer_size") -le 
"@PESIGN_GRUB_RESERVATION@" ] ; then
                        echo "size of '$f.p7s' ($sig_size) cannot fit into 
reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
@@ -182,8 +199,12 @@
                echo "Warning: unhandled signature: $sig" >&2
        esac
 done
+
+# Remove the public key file
+rm "$cert.pub"
+
 popd
-/usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
+/usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ 
@PESIGN_LOAD_SPEC_MACROS@ \
        --directory=%buildroot "${rpms[@]}"
 rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \
        --define "%%_builddir $PWD" \
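Review bot: `rm "$cert.pub"` is reached only on the success path; the `exit 1` inside the signature loop leaves the derived public key next to $cert in %_sourcedir. Harmless, since it is a public key, but untidy: write it to a mktemp file and remove it with a trap, or remove it before exiting.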

++++++ pesign-obs-integration.obsinfo ++++++
--- /var/tmp/diff_new_pack.jbspO8/_old  2023-06-13 16:09:03.998728470 +0200
+++ /var/tmp/diff_new_pack.jbspO8/_new  2023-06-13 16:09:04.002728493 +0200
@@ -1,5 +1,5 @@
 name: pesign-obs-integration
-version: 10.2+git20220504.8690743
-mtime: 1651698422
-commit: 8690743c1c82e6a37d50c522ba01b4f34c2cb795
+version: 10.2+git20230612.4699910
+mtime: 1686546992
+commit: 4699910cf20591bcf3d06e42189ad8cb1326ab08
 
