Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pesign-obs-integration for 
openSUSE:Factory checked in at 2022-10-01 17:42:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign-obs-integration (Old)
 and      /work/SRC/openSUSE:Factory/.pesign-obs-integration.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pesign-obs-integration"

Sat Oct  1 17:42:31 2022 rev:50 rq:1006626 version:10.2+git20220504.8690743

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes
    2022-07-29 16:47:26.818577328 +0200
+++ 
/work/SRC/openSUSE:Factory/.pesign-obs-integration.new.2275/pesign-obs-integration.changes
  2022-10-01 17:42:33.725605192 +0200
@@ -1,0 +2,6 @@
+Wed Sep 28 06:36:56 UTC 2022 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Add verify-sig.patch to verify the signatures before attaching
+  them (bsc#1200108, bsc#1203679)
+
+-------------------------------------------------------------------

New:
----
  verify-sig.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pesign-obs-integration.spec ++++++
--- /var/tmp/diff_new_pack.iMlcRK/_old  2022-10-01 17:42:34.309606257 +0200
+++ /var/tmp/diff_new_pack.iMlcRK/_new  2022-10-01 17:42:34.313606265 +0200
@@ -29,6 +29,7 @@
 Patch1:         attr.patch
 Patch2:         lang.patch
 Patch3:         rpmlintrc.patch
+Patch4:         verify-sig.patch
 BuildRequires:  openssl
 Requires:       fipscheck
 Requires:       mozilla-nss-tools
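Review bot: this hunk only declares `Patch4: verify-sig.patch`; nothing in the visible diff applies it. Confirm that `%prep` either uses `%autosetup`/`%autopatch` or gains a matching `%patch4 -p1` line, otherwise the patch is packaged but never takes effect and the spec still builds silently without the new check.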

++++++ verify-sig.patch ++++++
From 3219b56af4f8f396b194ea81ab715831469260e5 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Wed, 28 Sep 2022 14:27:31 +0800
Subject: [PATCH] Verify the signatures before attaching them

Sometimes the build service may sign the target binaries with the wrong
key due to misconfiguration. Verify the signature first so that we can
detect the error early.

Ref: bsc#1200108, bsc#1203679

Signed-off-by: Gary Lin <g...@suse.com>
---
 pesign-repackage.spec.in | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index 7b3d2e5..0b59360 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -122,8 +122,17 @@ echo foofoofoo > "$nss_db/passwd"
 certutil -N -d "$nss_db" -f "$nss_db/passwd"
 certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
 
+# Extract the public key of the certificate
+openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
+
 sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
 for sig in "${sigs[@]}"; do
+       # Verify the signature with the public key of the certificate
+       ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$sig" 
2>&1 | grep -i error) || true
+       if [ -n "$ver_err" ]; then
+               echo "$sig signature can not be decrypted by $cert" >&2
+               exit 1
+       fi
        f=%buildroot/${sig%.sig}
        case "/$sig" in
        *.ko.sig|*.mod.sig)
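Review bot: `openssl rsautl` (the `ver_err=$(openssl rsautl -verify ...)` line in this hunk) is deprecated since OpenSSL 3.0 and handles RSA keys only, so the check fails outright on a toolchain that drops the legacy command or when the signing certificate carries an EC key; `openssl pkeyutl -verifyrecover -pubin -inkey "$cert.pub" -in "$sig"` is the maintained equivalent for RSA. Detecting failure by `grep -i error` on the combined stdout/stderr is also fragile, since a failure that prints a different message, or a localized one, passes the check; test the command's exit status instead, e.g. `if ! openssl pkeyutl -verifyrecover -pubin -inkey "$cert.pub" -in "$sig" >/dev/null 2>&1; then`. Finally, this only establishes that the blob decrypts under the certificate's key, not that the recovered digest matches the file being signed, so a wrong-key signing is caught but a signature over the wrong content is not; the error message on the `echo ... >&2` line states the weaker property correctly and should stay that way.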
@@ -182,6 +191,10 @@ for sig in "${sigs[@]}"; do
                echo "Warning: unhandled signature: $sig" >&2
        esac
 done
+
+# Remove the public key file
+rm "$cert.pub"
+
 popd
 /usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
        --directory=%buildroot "${rpms[@]}"
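Review bot: the cleanup `rm "$cert.pub"` added here is only reached when every signature verifies; the `exit 1` path in the loop above leaves the extracted public key behind. That is harmless in a throwaway build root, but if cleanup matters a `trap 'rm -f "$cert.pub"' EXIT` placed right after the `openssl x509 ... > "$cert.pub"` line covers both paths and also removes the need for this trailing block.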
-- 
2.35.3
