Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pesign-obs-integration for 
openSUSE:Factory checked in at 2022-06-19 21:10:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign-obs-integration (Old)
 and      /work/SRC/openSUSE:Factory/.pesign-obs-integration.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pesign-obs-integration"

Sun Jun 19 21:10:37 2022 rev:47 rq:982941 version:10.2+git20220504.8690743

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes
    2022-01-25 17:35:43.326478156 +0100
+++ 
/work/SRC/openSUSE:Factory/.pesign-obs-integration.new.1548/pesign-obs-integration.changes
  2022-06-19 21:10:43.238113328 +0200
@@ -1,0 +2,20 @@
+Wed Jun 15 11:13:51 UTC 2022 - gm...@opensuse.org
+
+- Update to version 10.2+git20220504.8690743:
+  * Don't repackage aarch64_ilp32 *-64bit packages
+  * Use pesign for signing on riscv64
+  * Add padding to grub signature correctly (jsc#SLE-18271 bsc#1192764).
+  * kernel-sign-file: Support appending verbatim PKCS#7 signature.
+  * kernel-sign-file: Move x509 parsing into a function.
+  * Support ppc grub signing (jsc#SLE-18271 bsc#1192764).
+  * Handle packages with epochs as well
+  * Turn off rpm fatal warnings for noarch packages
+- Upstreamed patches:
+  * 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
+  * 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
+  * 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
+  * 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
+- Added patches:
+  * order.patch - support OrderWithRequires
+
+-------------------------------------------------------------------

Old:
----
  0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
  0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
  0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
  0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
  pesign-obs-integration-10.2+git20210804.ff18da1.obscpio

New:
----
  order.patch
  pesign-obs-integration-10.2+git20220504.8690743.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pesign-obs-integration.spec ++++++
--- /var/tmp/diff_new_pack.vbC7du/_old  2022-06-19 21:10:44.070114566 +0200
+++ /var/tmp/diff_new_pack.vbC7du/_new  2022-06-19 21:10:44.078114578 +0200
@@ -18,24 +18,21 @@
 
 
 Name:           pesign-obs-integration
-Version:        10.2+git20210804.ff18da1
+Version:        10.2+git20220504.8690743
 Release:        0
 Summary:        Macros and scripts to sign the kernel and bootloader
 License:        GPL-2.0-only
 Group:          Development/Tools/Other
 URL:            https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
 Source:         %{name}-%{version}.tar.gz
-Patch1:         0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
-Patch2:         0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
-Patch3:         0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
-Patch4:         0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
+Patch:          order.patch
 BuildRequires:  openssl
 Requires:       fipscheck
 Requires:       mozilla-nss-tools
 Requires:       openssl
 # suse-module-tools <= 15.0.10 contains modsign-verify
 Requires:       suse-module-tools >= 15.0.10
-%ifarch %{ix86} x86_64 ia64 aarch64 %{arm}
+%ifarch %{ix86} x86_64 ia64 aarch64 %{arm} riscv64
 Requires:       pesign
 %endif
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.vbC7du/_old  2022-06-19 21:10:44.118114636 +0200
+++ /var/tmp/diff_new_pack.vbC7du/_new  2022-06-19 21:10:44.122114643 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
-              <param 
name="changesrevision">ceb23130f31ccfc02049b944bd82167678186d27</param></service></servicedata>
+              <param 
name="changesrevision">8690743c1c82e6a37d50c522ba01b4f34c2cb795</param></service></servicedata>
 (No newline at EOF)
 

++++++ order.patch ++++++
>From 729accc5eeefbd6accfa3244ce5c5dbd868e6d63 Mon Sep 17 00:00:00 2001
From: Callum Farmer <gm...@opensuse.org>
Date: Thu, 21 Apr 2022 11:17:36 +0100
Subject: [PATCH] Support OrderWithRequires

---
 pesign-gen-repackage-spec | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
index ca493f6..8746a52 100755
--- a/pesign-gen-repackage-spec
+++ b/pesign-gen-repackage-spec
@@ -130,6 +130,7 @@ my %dep2tag = (
        enhances => "enhance",
        recommends => "recommend",
        supplements => "supplement",
+       orderwithrequires => "order",
 );
 
 # specfile scriptlet => rpm tag name

++++++ pesign-obs-integration-10.2+git20210804.ff18da1.obscpio -> 
pesign-obs-integration-10.2+git20220504.8690743.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20210804.ff18da1/brp-99-pesign 
new/pesign-obs-integration-10.2+git20220504.8690743/brp-99-pesign
--- old/pesign-obs-integration-10.2+git20210804.ff18da1/brp-99-pesign   
2021-08-04 14:33:30.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20220504.8690743/brp-99-pesign   
2022-05-04 23:07:02.000000000 +0200
@@ -58,6 +58,19 @@
        exit 0
 fi
 
+case "$BRP_PESIGN_GRUB_RESERVATION" in
+       '')
+               pesign_grub_reservation="0"
+               ;;
+       *[!0-9]*)
+               echo "$0: warning: non-numerc value 
'$BRP_PESIGN_GRUB_RESERVATION' of BRP_PESIGN_GRUB_RESERVATION" >&2
+               pesign_grub_reservation="0"
+               ;;
+       *)
+       pesign_grub_reservation="${BRP_PESIGN_GRUB_RESERVATION}"
+       ;;
+esac
+
 if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then
        pesign_repackage_compress="--compress xz"
 elif test "${BRP_PESIGN_COMPRESS_MODULE}" = "gzip"; then
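Review bot: The `*[!0-9]*` branch downgrades an invalid BRP_PESIGN_GRUB_RESERVATION to 0 with only a warning, so a mistyped reservation is not rejected here. Judging by the `*grub.elf.sig)` handling in pesign-repackage.spec.in later in this diff, it would surface only in the repackage job as a "cannot fit into reservation 0" error. Failing at this point keeps the cause next to the symptom: in that branch replace `pesign_grub_reservation="0"` with `exit 1` and word the message as an error. The message also misspells "non-numeric" as `non-numerc`, and the body of the `*)` branch is indented one level less than the other two. The digits-only check is what keeps the later `s:@PESIGN_GRUB_RESERVATION@:...:g` substitution well-formed, which deserves a comment such as `# digits only: the value is pasted into a sed expression and a spec template`.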
@@ -77,6 +90,7 @@
 fi
 sed "
        s:@NAME@:$RPM_PACKAGE_NAME:g
+       s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g
        s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
        /@CERT@/ {
                r $cert
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20210804.ff18da1/kernel-sign-file 
new/pesign-obs-integration-10.2+git20220504.8690743/kernel-sign-file
--- old/pesign-obs-integration-10.2+git20210804.ff18da1/kernel-sign-file        
2021-08-04 14:33:30.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20220504.8690743/kernel-sign-file        
2022-05-04 23:07:02.000000000 +0200
@@ -42,7 +42,6 @@
 
 die "Can't read private key\n" if (!$signature_file && !-r $private_key);
 die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
-die "Can't read X.509 certificate\n" unless (-r $x509);
 die "Can't read module\n" unless (-r $module);
 
 #
@@ -99,7 +98,6 @@
 # we're intending to use to sign the module.
 #
 ###############################################################################
-my $x509_certificate = read_file($x509);
 
 my $UNIV = 0 << 6;
 my $APPL = 1 << 6;
@@ -226,113 +224,119 @@
 # Roughly parse the X.509 certificate
 #
 ###############################################################################
-my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
+sub parse_certificate($)
+{
+    my ($x509_certificate) = @_;
+    my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
+    my %result;
+
+    my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
+    my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
+    my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
+    $result{serial_number} = asn1_extract($tbs->[1], $UNIV | $INTEGER);
+    my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+    $result{issuer} = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+    my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+    my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+    my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+    my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
+    my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
+    my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
+
+    $result{subject_key_id} = ();
+    my $authority_key_id = ();
+
+    #
+    # Parse the extension list
+    #
+    if ($extension_list->[0] != -1) {
+       my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | 
$SEQUENCE);
+
+       while ($extensions->[1]->[1] > 0) {
+           my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
+           my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
+           my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
+           my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
+
+           my $raw_oid = asn1_retrieve($x_oid->[1]);
+           next if (!exists($OIDs{$raw_oid}));
+           my $x_type = $OIDs{$raw_oid};
 
-my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
-my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
-my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
-my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER);
-my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
-my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
-my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
-
-my $subject_key_id = ();
-my $authority_key_id = ();
-
-#
-# Parse the extension list
-#
-if ($extension_list->[0] != -1) {
-    my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | 
$SEQUENCE);
-
-    while ($extensions->[1]->[1] > 0) {
-       my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
-       my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
-       my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
-       my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
+           my $raw_value = asn1_retrieve($x_val->[1]);
 
-       my $raw_oid = asn1_retrieve($x_oid->[1]);
-       next if (!exists($OIDs{$raw_oid}));
-       my $x_type = $OIDs{$raw_oid};
+           if ($x_type eq "subjectKeyIdentifier") {
+               my $vcursor = [ 0, length($raw_value), \$raw_value ];
+
+               $result{subject_key_id} = asn1_extract($vcursor, $UNIV | 
$OCTET_STRING);
+           }
+       }
+    }
+
+    
###############################################################################
+    #
+    # Determine what we're going to use as the signer's name.  In order of
+    # preference, take one of: commonName, organizationName or emailAddress.
+    #
+    
###############################################################################
+    my $org = "";
+    my $cn = "";
+    my $email = "";
+
+    while ($subject->[1]->[1] > 0) {
+       my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
+       my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
+       my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
+       my $n_val = asn1_extract($attr->[1], -1);
 
-       my $raw_value = asn1_retrieve($x_val->[1]);
+       my $raw_oid = asn1_retrieve($n_oid->[1]);
+       next if (!exists($OIDs{$raw_oid}));
+       my $n_type = $OIDs{$raw_oid};
 
-       if ($x_type eq "subjectKeyIdentifier") {
-           my $vcursor = [ 0, length($raw_value), \$raw_value ];
+       my $raw_value = asn1_retrieve($n_val->[1]);
 
-           $subject_key_id = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
+       if ($n_type eq "organizationName") {
+           $org = $raw_value;
+       } elsif ($n_type eq "commonName") {
+           $cn = $raw_value;
+       } elsif ($n_type eq "emailAddress") {
+           $email = $raw_value;
        }
     }
-}
 
-###############################################################################
-#
-# Determine what we're going to use as the signer's name.  In order of
-# preference, take one of: commonName, organizationName or emailAddress.
-#
-###############################################################################
-my $org = "";
-my $cn = "";
-my $email = "";
-
-while ($subject->[1]->[1] > 0) {
-    my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
-    my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
-    my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
-    my $n_val = asn1_extract($attr->[1], -1);
-
-    my $raw_oid = asn1_retrieve($n_oid->[1]);
-    next if (!exists($OIDs{$raw_oid}));
-    my $n_type = $OIDs{$raw_oid};
-
-    my $raw_value = asn1_retrieve($n_val->[1]);
-
-    if ($n_type eq "organizationName") {
-       $org = $raw_value;
-    } elsif ($n_type eq "commonName") {
-       $cn = $raw_value;
-    } elsif ($n_type eq "emailAddress") {
-       $email = $raw_value;
-    }
-}
+    $result{signers_name} = $email;
 
-my $signers_name = $email;
+    if ($org && $cn) {
+       # Don't use the organizationName if the commonName repeats it
+       if (length($org) <= length($cn) &&
+           substr($cn, 0, length($org)) eq $org) {
+           $result{signers_name} = $cn;
+           goto got_id_name;
+       }
 
-if ($org && $cn) {
-    # Don't use the organizationName if the commonName repeats it
-    if (length($org) <= length($cn) &&
-       substr($cn, 0, length($org)) eq $org) {
-       $signers_name = $cn;
-       goto got_id_name;
-    }
+       # Or a signifcant chunk of it
+       if (length($org) >= 7 &&
+           length($cn) >= 7 &&
+           substr($cn, 0, 7) eq substr($org, 0, 7)) {
+           $result{signers_name} = $cn;
+           goto got_id_name;
+       }
 
-    # Or a signifcant chunk of it
-    if (length($org) >= 7 &&
-       length($cn) >= 7 &&
-       substr($cn, 0, 7) eq substr($org, 0, 7)) {
-       $signers_name = $cn;
-       goto got_id_name;
+       $result{signers_name} = $org . ": " . $cn;
+    } elsif ($org) {
+       $result{signers_name} = $org;
+    } elsif ($cn) {
+       $result{signers_name} = $cn;
     }
 
-    $signers_name = $org . ": " . $cn;
-} elsif ($org) {
-    $signers_name = $org;
-} elsif ($cn) {
-    $signers_name = $cn;
-}
-
-got_id_name:
+    got_id_name:
 
-die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
-    if (!$subject_key_id);
+    die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier 
extension\n"
+    if (!$result{subject_key_id});
 
-my $key_identifier = asn1_retrieve($subject_key_id->[1]);
+    $result{key_identifier} = asn1_retrieve($result{subject_key_id}->[1]);
 
+    return %result;
+}
 ###############################################################################
 #
 # Create and attach the module signature
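Review bot: parse_certificate has no header comment describing what it returns, and the returned hash mixes two kinds of values. `serial_number`, `issuer` and `subject_key_id` hold asn1_extract results (the caller dereferences them with `->[0]` and `->[1]`), while `signers_name` and `key_identifier` are plain strings; a comment above the sub listing those five keys and their shapes would save callers from reading the body. The `die` at the end still reads the file-scoped `$x509` for its message although the function takes the certificate bytes as its argument, so passing the file name in or dropping it from the message would make the function self-contained. Two smaller points: the `($)` prototype changes parsing but does no argument validation, and `my $authority_key_id = ();` is never used in the visible body.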
@@ -430,30 +434,51 @@
                     "openssl rsautl -sign -inkey $private_key -keyform PEM");
 }
 
+my %certdata;
+my $signers_name;
+my $key_identifier;
+my $x509_certificate;
 if ($id_type == 1) {
+    die "Can't read X.509 certificate\n" unless (-r $x509);
+    $x509_certificate = read_file($x509);
+    %certdata = parse_certificate($x509_certificate);
     $signature = pack("n", length($signature)) . $signature,
+    $signers_name = $certdata{signers_name};
+    $key_identifier = $certdata{key_identifier};
 } elsif ($id_type == 2) {
     # create PKCS7 signature
-    $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
-    my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 
5, 1)));
-    my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
-    my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, 
$digest_algo_seq);
-    my $si_verstion = asn1_pack($UNIV | $INTEGER,  pack('C', $use_keyid ? 3 : 
1));
-    my $si_issuer = asn1_pack($issuer->[0], asn1_retrieve($issuer->[1]));
-    my $si_serial = asn1_pack($serial_number->[0], 
asn1_retrieve($serial_number->[1]));
-    my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, 
$si_serial);
-    my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($subject_key_id->[1]));
-    my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 
72, 134, 247, 13, 1, 1, 1));
-    my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, 
asn1_pack($UNIV | $NULL));
-    my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
-    my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, 
$signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
-    my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
-    my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 
1));
-    my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 
134, 247, 13, 1, 7, 1));
-    my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
-    my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, 
$digest_algo_seq_set, $pkcs7_data_seq, $si_set);
-    my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 
134, 72, 134, 247, 13, 1, 7, 2));
-    $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, 
asn1_pack($CONT | $CONS | 0, $sid));
+    if ($x509) {
+       die "Can't read X.509 certificate\n" unless (-r $x509);
+       $x509_certificate = read_file($x509);
+    } else {
+       print "No certificate specified, assuming pre-built PKCS#7 
signature.\n" if ($verbose);
+       $x509_certificate = '';
+    }
+    if ($x509_certificate) {
+       %certdata = parse_certificate($x509_certificate);
+       $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
+       my $digest_algo = substr($prologue, 4, 2 + unpack('C', 
substr($prologue, 5, 1)));
+       my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, 
$digest_algo);
+       my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, 
$digest_algo_seq);
+       my $si_verstion = asn1_pack($UNIV | $INTEGER,  pack('C', $use_keyid ? 3 
: 1));
+       my $si_issuer = asn1_pack($certdata{issuer}->[0], 
asn1_retrieve($certdata{issuer}->[1]));
+       my $si_serial = asn1_pack($certdata{serial_number}->[0], 
asn1_retrieve($certdata{serial_number}->[1]));
+       my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, 
$si_serial);
+       my $si_keyid = asn1_pack($CONT | 0, 
asn1_retrieve($certdata{subject_key_id}->[1]));
+       my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 
134, 72, 134, 247, 13, 1, 1, 1));
+       my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, 
$rsa_encryption, asn1_pack($UNIV | $NULL));
+       my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
+       my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, 
$signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
+       my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
+       my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 
: 1));
+       my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 
72, 134, 247, 13, 1, 7, 1));
+       my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
+       my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, 
$digest_algo_seq_set, $pkcs7_data_seq, $si_set);
+       my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 
42, 134, 72, 134, 247, 13, 1, 7, 2));
+       $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, 
asn1_pack($CONT | $CONS | 0, $sid));
+    } else {
+       print "Certificate is empty, assuming pre-built PKCS#7 signature.\n" if 
($verbose);
+    }
     # zero out unneeded entries
     $signers_name = '';
     $key_identifier = '';
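Review bot: In the `$id_type == 2` branch a readable but zero-length certificate file is treated the same as no certificate at all: `if ($x509_certificate)` is false, the "Certificate is empty, assuming pre-built PKCS#7 signature." message is printed only under `$verbose`, and `$signature` is appended without the PKCS#7 wrapping built in the other arm. If an empty file can result from a failed certificate extraction earlier in the build (not visible here), that silently yields a module whose signature will not verify instead of an error; consider `die "X.509 certificate $x509 is empty\n" if ($x509 && !length($x509_certificate));` right after the read_file call, leaving the verbatim path to the explicit empty-argument case. Separately, the unchanged line `$signature = pack("n", length($signature)) . $signature,` ends in a comma, so it now chains into the added `$signers_name` assignment through the comma operator; it works, but a `;` is what is meant. The if/elsif chain continues past the end of the hunk.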
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20210804.ff18da1/modsign-repackage 
new/pesign-obs-integration-10.2+git20220504.8690743/modsign-repackage
--- old/pesign-obs-integration-10.2+git20210804.ff18da1/modsign-repackage       
2021-08-04 14:33:30.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20220504.8690743/modsign-repackage       
2022-05-04 23:07:02.000000000 +0200
@@ -99,7 +99,7 @@
        # bitness => skip)
        case "$(rpm -qp --qf '%{name}/%{arch}' "$rpm")" in
        *-32bit/x86_64 | *-32bit/s390x | *-32bit/ppc64 | \
-       *-64bit/ppc | *-x86/ia64)
+       *-64bit/ppc | *-x86/ia64 | *-64bit/aarch64_ilp32)
                mkdir -p "$rpmdir/$(rpm -qp --qf '%{arch}')/"
                cp "$rpm" "$_"
                continue
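Review bot: The `mkdir -p` line in this branch calls `rpm -qp --qf '%{arch}'` without a package argument, unlike the `case` line above it, which passes `"$rpm"`; as written the substitution presumably yields an empty string, so the copied package lands directly in `$rpmdir/` rather than in its architecture subdirectory. The line is unchanged context, but the added `*-64bit/aarch64_ilp32` pattern routes more packages through it. If the per-arch directory is intended, the line would read `mkdir -p "$rpmdir/$(rpm -qp --qf '%{arch}' "$rpm")/"`. The enclosing loop and `case` extend beyond the hunk.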
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20210804.ff18da1/pesign-gen-repackage-spec 
new/pesign-obs-integration-10.2+git20220504.8690743/pesign-gen-repackage-spec
--- 
old/pesign-obs-integration-10.2+git20210804.ff18da1/pesign-gen-repackage-spec   
    2021-08-04 14:33:30.000000000 +0200
+++ 
new/pesign-obs-integration-10.2+git20220504.8690743/pesign-gen-repackage-spec   
    2022-05-04 23:07:02.000000000 +0200
@@ -154,7 +154,7 @@
 );
 
 # tags which are printed verbatim in the specfile
-my @simple_tags = qw(version release license group summary packager vendor
+my @simple_tags = qw(epoch version release license group summary packager 
vendor
                      url distribution);
 my @payload_tags = qw(payloadcompressor payloadflags);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20210804.ff18da1/pesign-obs-integration.spec 
new/pesign-obs-integration-10.2+git20220504.8690743/pesign-obs-integration.spec
--- 
old/pesign-obs-integration-10.2+git20210804.ff18da1/pesign-obs-integration.spec 
    2021-08-04 14:33:30.000000000 +0200
+++ 
new/pesign-obs-integration-10.2+git20220504.8690743/pesign-obs-integration.spec 
    2022-05-04 23:07:02.000000000 +0200
@@ -31,7 +31,7 @@
 Requires:       openssl
 # suse-module-tools <= 15.0.10 contains modsign-verify
 Requires:       suse-module-tools >= 15.0.10
-%ifarch %{ix86} x86_64 ia64 aarch64 %{arm}
+%ifarch %{ix86} x86_64 ia64 aarch64 %{arm} riscv64
 Requires:       pesign
 %endif
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pesign-obs-integration-10.2+git20210804.ff18da1/pesign-repackage.spec.in 
new/pesign-obs-integration-10.2+git20220504.8690743/pesign-repackage.spec.in
--- 
old/pesign-obs-integration-10.2+git20210804.ff18da1/pesign-repackage.spec.in    
    2021-08-04 14:33:30.000000000 +0200
+++ 
new/pesign-obs-integration-10.2+git20220504.8690743/pesign-repackage.spec.in    
    2022-05-04 23:07:02.000000000 +0200
@@ -67,7 +67,7 @@
        # bitness => skip)
        case "$(rpm -qp --qf '%%{name}/%%{arch}' "$rpm")" in
        *-32bit/x86_64 | *-32bit/s390x | *-32bit/ppc64 | \
-       *-64bit/ppc | *-x86/ia64)
+       *-64bit/ppc | *-x86/ia64 | *-64bit/aarch64_ilp32)
                mkdir -p "%_topdir/OTHER"
                cp "$rpm" "$_"
                continue
@@ -126,11 +126,11 @@
 for sig in "${sigs[@]}"; do
        f=%buildroot/${sig%.sig}
        case "/$sig" in
-       *.ko.sig)
+       *.ko.sig|*.mod.sig)
                /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 
"$cert" "$f"
                ;;
        /boot/* | *.efi.sig | */lib/modules/*/vmlinu[xz].sig | 
*/lib/modules/*/[Ii]mage.sig | */lib/modules/*/z[Ii]mage.sig)
-%ifarch %ix86 x86_64 aarch64 %arm
+%ifarch %ix86 x86_64 aarch64 %arm riscv64
                # PE style signature injection
                infile=${sig%.sig}
                cpio -i --to-stdout ${infile#./} 
<%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
@@ -157,6 +157,27 @@
        *stage3.bin.sig)
                /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 
"$cert" "$f"
                ;;
+       *grub.elf.sig)
+               sig_size="$(wc -c < "$sig")"
+               unsigned_grub_size="$(wc -c < "$f")"
+               /usr/lib/rpm/pesign/kernel-sign-file -vpd -i pkcs7 -s "$sig" 
sha256 "$cert" "$f"
+               sig_size="$(wc -c < "$f.p7s")"
+               footer_size=40
+               grub_size="$(wc -c < "$f")"
+               if ! [ $(expr "$sig_size" + "$footer_size") -le 
"@PESIGN_GRUB_RESERVATION@" ] ; then
+                       echo "size of '$f.p7s' ($sig_size) cannot fit into 
reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
+                       exit 1
+               fi
+               sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
+               truncate -s $sig_size "$f.p7s"
+               /usr/lib/rpm/pesign/kernel-sign-file -v -i pkcs7 -s "$f.p7s" 
sha256 "" "$f"
+               rm "$f.p7s"
+               grub_size="$(wc -c < "$f")"
+               if ! [ "$(expr "$unsigned_grub_size" + 
"@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
+                       echo "The size of unsigned grub ($unsigned_grub_size) + 
reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size 
($grub_size)"
+                       exit 1
+               fi
+               ;;
        *)
                echo "Warning: unhandled signature: $sig" >&2
        esac
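Review bot: `footer_size=40` in the `*grub.elf.sig)` branch is an unexplained constant on which both size checks depend. It is presumably the trailer kernel-sign-file appends after the signature (a 12-byte signature-info structure plus the 28-byte `~Module signature appended~\n` marker); a comment saying so, verified against kernel-sign-file, would let a reader check the arithmetic. The first `sig_size="$(wc -c < "$sig")"` and the first `grub_size="$(wc -c < "$f")"` are overwritten before they are read and can be dropped. Neither kernel-sign-file call has its exit status checked in the visible lines; unless the scriptlet runs under `set -e` (not visible here), a failed call is caught only indirectly by the following `wc` and size comparison, so `|| exit 1` on both calls would make the failure explicit. The `case` statement starts before the hunk.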
@@ -165,8 +186,9 @@
 /usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
        --directory=%buildroot "${rpms[@]}"
 rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \
-        --define "%%_builddir $PWD" \
-        --define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec
+       --define "%%_builddir $PWD" \
+       --define "%%_binaries_in_noarch_packages_terminate_build 0" \
+       --define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec
 
 # This is needed by the kernel packages. Ideally, we should not run _any_ brp
 # checks, because the RPMs passed them once already

++++++ pesign-obs-integration.obsinfo ++++++
--- /var/tmp/diff_new_pack.vbC7du/_old  2022-06-19 21:10:44.238114816 +0200
+++ /var/tmp/diff_new_pack.vbC7du/_new  2022-06-19 21:10:44.242114821 +0200
@@ -1,6 +1,5 @@
 name: pesign-obs-integration
-version: 10.2+git20210804.ff18da1
-mtime: 1628080410
-commit: ff18da1d43b41939a4cb0fc85f1d3713de0ed3c2
-
+version: 10.2+git20220504.8690743
+mtime: 1651698422
+commit: 8690743c1c82e6a37d50c522ba01b4f34c2cb795
 
