Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package pesign-obs-integration for
openSUSE:Factory checked in at 2024-02-22 20:56:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign-obs-integration (Old)
and /work/SRC/openSUSE:Factory/.pesign-obs-integration.new.1706 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign-obs-integration"
Thu Feb 22 20:56:13 2024 rev:54 rq:1147093 version:10.2+git20240216.1e15ef4
Changes:
--------
---
/work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes
2023-06-23 21:52:32.934599315 +0200
+++
/work/SRC/openSUSE:Factory/.pesign-obs-integration.new.1706/pesign-obs-integration.changes
2024-02-22 20:56:18.386331548 +0100
@@ -1,0 +2,11 @@
+Fri Feb 16 13:05:01 UTC 2024 - [email protected]
+
+- Update to version 10.2+git20240216.1e15ef4:
+ * Create changes file for reproducible build
+ * Add support for authenticated uefi variables
+ * Allow to dump the pkcs7 signed data as well
+ * Add -N option to add a NULL param to the digest algo definitions
+ * Add -C option to include certificates in the PKCS7 signature
+ * spec.in: fix rpmlint warnings
+
+-------------------------------------------------------------------
Old:
----
pesign-obs-integration-10.2+git20230612.4699910.obscpio
pesign-obs-integration-10.2+git20230612.4699910.tar.gz
New:
----
pesign-obs-integration-10.2+git20240216.1e15ef4.obscpio
pesign-obs-integration-10.2+git20240216.1e15ef4.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pesign-obs-integration.spec ++++++
--- /var/tmp/diff_new_pack.lRfCQg/_old 2024-02-22 20:56:19.054355894 +0100
+++ /var/tmp/diff_new_pack.lRfCQg/_new 2024-02-22 20:56:19.054355894 +0100
@@ -1,7 +1,7 @@
#
# spec file for package pesign-obs-integration
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
Name: pesign-obs-integration
-Version: 10.2+git20230612.4699910
+Version: 10.2+git20240216.1e15ef4
Release: 0
Summary: Macros and scripts to sign the kernel and bootloader
License: GPL-2.0-only
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.lRfCQg/_old 2024-02-22 20:56:19.090357206 +0100
+++ /var/tmp/diff_new_pack.lRfCQg/_new 2024-02-22 20:56:19.094357352 +0100
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
- <param
name="changesrevision">4699910cf20591bcf3d06e42189ad8cb1326ab08</param></service></servicedata>
+ <param
name="changesrevision">1e15ef4d77f9ba77ba21e06114068b3a04d1d5bf</param></service></servicedata>
(No newline at EOF)
++++++ pesign-obs-integration-10.2+git20230612.4699910.obscpio ->
pesign-obs-integration-10.2+git20240216.1e15ef4.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20230612.4699910/brp-99-pesign
new/pesign-obs-integration-10.2+git20240216.1e15ef4/brp-99-pesign
--- old/pesign-obs-integration-10.2+git20230612.4699910/brp-99-pesign
2023-06-12 07:16:32.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20240216.1e15ef4/brp-99-pesign
2024-02-16 12:10:58.000000000 +0100
@@ -122,6 +122,15 @@
}
" /usr/lib/rpm/pesign/pesign-repackage.spec.in >"$output/pesign-repackage.spec"
+date="$(LANG=C date --utc --date "@${SOURCE_DATE_EPOCH:-$(date +%s)}" '+%a %b
%d %H:%M:%S %Z %Y')"
+cat <<EOF >"$output/pesign-repackage.changes"
+-------------------------------------------------------------------
+$date - openSUSE <[email protected]>
+
+- automatically generated
+
+EOF
+
for rpmlintrc in $RPM_SOURCE_DIR/*rpmlintrc; do
if test -e "$rpmlintrc"; then
cp "$rpmlintrc" "$output/"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20230612.4699910/kernel-sign-file
new/pesign-obs-integration-10.2+git20240216.1e15ef4/kernel-sign-file
--- old/pesign-obs-integration-10.2+git20230612.4699910/kernel-sign-file
2023-06-12 07:16:32.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20240216.1e15ef4/kernel-sign-file
2024-02-16 12:10:58.000000000 +0100
@@ -13,7 +13,7 @@
use Getopt::Std;
my %opts;
-getopts('vkpds:i:', \%opts) or die $USAGE;
+getopts('vkpdNPs:i:C:', \%opts) or die $USAGE;
my $verbose = $opts{'v'};
my $signature_file = $opts{'s'};
my $use_keyid = $opts{'k'};
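Review bot: The new `N`, `P` and `C:` letters are added to the getopts string, but nothing in this hunk updates `$USAGE`, which is defined before the hunk and is the only text printed when parsing fails; if it still lists only the old switches, users have no way to discover `-N`, `-P` or `-C`. Add them there, e.g. `[-N] [-P] [-C certs.der]` next to the existing options, with one-line descriptions matching the comments on their variables (`-N`: NULL digest-algorithm parameter per RFC 4055, `-P`: dump SignedData to `<module>.p7sd`, `-C`: DER certificates to embed in the PKCS#7). The usage definition itself is outside the hunk, so I cannot confirm its current contents.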
@@ -21,6 +21,9 @@
my $save_sig = $opts{'p'};
$save_sig = 1 if $sign_only;
my $id_type_name = $opts{'i'};
+my $certs_file = $opts{'C'}; # certs to include in pkcs7 signature
(DER encoded)
+my $digest_algo_with_null = $opts{'N'}; # add NULL param to algo, like
openssl does (see RFC 4055)
+my $save_signed_data = $opts{'P'}; # dump pkcs7 signed data in .p7sd
die $USAGE if ($#ARGV > 4);
die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV <
2);
@@ -43,6 +46,7 @@
die "Can't read private key\n" if (!$signature_file && !-r $private_key);
die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
die "Can't read module\n" unless (-r $module);
+die "Can't read X.509 certs file\n" if ($certs_file && !-r $certs_file);
#
# Function to read the contents of a file into a variable.
@@ -455,10 +459,15 @@
$x509_certificate = '';
}
if ($x509_certificate) {
+ my $certs = '';
+ if ($certs_file) {
+ $certs = read_file($certs_file);
+ $certs = asn1_pack($CONT | $CONS | 0, $certs);
+ }
%certdata = parse_certificate($x509_certificate);
$signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
my $digest_algo = substr($prologue, 4, 2 + unpack('C',
substr($prologue, 5, 1)));
- my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE,
$digest_algo);
+ my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE,
$digest_algo, ($digest_algo_with_null ? asn1_pack($UNIV | $NULL) : ''));
my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET,
$digest_algo_seq);
my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3
: 1));
my $si_issuer = asn1_pack($certdata{issuer}->[0],
asn1_retrieve($certdata{issuer}->[1]));
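Review bot: The `-C` file is wrapped verbatim into the `[0] IMPLICIT` CertificateSet at `$certs = asn1_pack($CONT | $CONS | 0, $certs);` without any check that its contents are DER, so a PEM file, an empty file or trailing garbage yields a SignedData that is only rejected later by the consumer of the signature, not at signing time. Whether the positional certificate path may be PEM is not visible here, but pesign-repackage.spec.in passes the same `$cert` to both, so the DER expectation stated in the option's comment is worth enforcing. A minimal guard after `read_file` is `die "Certs file $certs_file is not a DER SEQUENCE\n" unless length($certs) && ord(substr($certs, 0, 1)) == ($UNIV | $CONS | $SEQUENCE);`, or run each element through `parse_certificate` if that helper tolerates a concatenation. The enclosing `if ($x509_certificate)` block continues past the hunk.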
@@ -473,9 +482,14 @@
my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3
: 1));
my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134,
72, 134, 247, 13, 1, 7, 1));
my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
- my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version,
$digest_algo_seq_set, $pkcs7_data_seq, $si_set);
+ my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version,
$digest_algo_seq_set, $pkcs7_data_seq, $certs, $si_set);
my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC",
42, 134, 72, 134, 247, 13, 1, 7, 2));
$signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data,
asn1_pack($CONT | $CONS | 0, $sid));
+ if ($save_signed_data) {
+ open(FD, ">$module.p7sd") || die "$module.p7sd";
+ binmode FD;
+ print FD $sid;
+ }
} else {
print "Certificate is empty, assuming pre-built PKCS#7 signature.\n" if
($verbose);
}
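Review bot: The `.p7sd` dump at `open(FD, ">$module.p7sd") || die "$module.p7sd";` is never closed, so a write error is silently lost and the data is only flushed when the global `FD` is reused or the script exits, and the die message omits `$!`. Since pesign-repackage.spec.in feeds this file straight into sign-efi-sig-list, a truncated dump would turn into a broken authenticated-variable payload rather than a build failure. Use a lexical handle with three-arg open and a checked close: `open(my $p7sd, '>', "$module.p7sd") or die "open $module.p7sd: $!\n";` … `close($p7sd) or die "close $module.p7sd: $!\n";`, writing via `print {$p7sd} $sid;`. The surrounding `if ($x509_certificate)` block starts before the hunk.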
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20230612.4699910/pesign-repackage.spec.in
new/pesign-obs-integration-10.2+git20240216.1e15ef4/pesign-repackage.spec.in
---
old/pesign-obs-integration-10.2+git20230612.4699910/pesign-repackage.spec.in
2023-06-12 07:16:32.000000000 +0200
+++
new/pesign-obs-integration-10.2+git20240216.1e15ef4/pesign-repackage.spec.in
2024-02-16 12:10:58.000000000 +0100
@@ -31,10 +31,11 @@
%endif
License: GPL-2.0
Group: Development/Tools/Other
-Summary: Spec file to rebuild RPMs with signatures
+Summary: Rebuild RPMs with signatures
+URL: https://github.com/opensuse/pesign-obs-integration
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
-Rebuilds RPMs with signatures
+Spec file to rebuild RPMs with signatures
%prep
%setup -c -T
@@ -84,7 +85,7 @@
rpms=("${rpms[@]}" "$rpm")
done
popd
-# Copy files other than the meta files and RPMs to %_topdir/OTHER
+# Copy files other than the meta files and RPMs to %%_topdir/OTHER
OTHER_FILES=`find %_sourcedir/ -maxdepth 1 -type f \
-not -regex '.*\.\(rpm\|spec\|rsasign\|sig\|crt\)' \
-not -regex '.*\rpmlintrc' \
@@ -146,6 +147,16 @@
*.ko.sig|*.mod.sig)
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f"
;;
+ *.auth.sig)
+ /usr/lib/rpm/pesign/kernel-sign-file -N -P -d -C "$cert" -i
pkcs7 -s "$sig" sha256 "$cert" "$f"
+ fbase="${f##*/}"
+ fbase="${fbase%.auth}"
+ fbase="${fbase%%-*}"
+ perl -0777 -npe 's/\A(?:[\040-\176]\0)+.{18}\0\0.{14}\0\0//s' <
"$f" > "$f.orig"
+ sign-efi-sig-list -i "$f.p7sd" "$fbase" "$f.orig" "$f.tmp"
+ mv "$f.tmp" "$f"
+ rm -f "$f.p7s" "$f.p7sd" "$f.orig"
+ ;;
/boot/* | *.efi.sig | */lib/modules/*/vmlinu[xz].sig |
*/lib/modules/*/[Ii]mage.sig | */lib/modules/*/z[Ii]mage.sig)
%ifarch %ix86 x86_64 aarch64 %arm riscv64
# PE style signature injection
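Review bot: The `*.auth.sig` branch rebuilds the authenticated variable without passing the timestamp the signature covers: the perl one-liner strips the name/GUID/attributes/EFI_TIME prefix (the `.{14}\0\0` run is the 16-byte EFI_TIME) into `$f.orig` and then discards it, and `sign-efi-sig-list` is invoked with no `-t`. If sign-efi-sig-list falls back to the current time when `-t` is absent, as I recall efitools does, the EFI_VARIABLE_AUTHENTICATION_2 header it writes carries a TimeStamp different from the signed one and firmware will reject the update as a signature mismatch. Consider extracting the timestamp from `$f` alongside the payload and passing it as `-t "YYYY-MM-DD HH:MM:SS"`, or confirming that the build stage pins a timestamp sign-efi-sig-list reproduces. None of the three commands' exit statuses are checked before `mv "$f.tmp" "$f"`, so a failure would leave an unsigned or half-built payload in place unless the spec runs under `set -e`, which is not visible here. The enclosing `case` continues past the hunk.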
++++++ pesign-obs-integration-10.2+git20230612.4699910.tar.gz ->
pesign-obs-integration-10.2+git20240216.1e15ef4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20230612.4699910/brp-99-pesign
new/pesign-obs-integration-10.2+git20240216.1e15ef4/brp-99-pesign
--- old/pesign-obs-integration-10.2+git20230612.4699910/brp-99-pesign
2023-06-12 07:16:32.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20240216.1e15ef4/brp-99-pesign
2024-02-16 12:10:58.000000000 +0100
@@ -122,6 +122,15 @@
}
" /usr/lib/rpm/pesign/pesign-repackage.spec.in >"$output/pesign-repackage.spec"
+date="$(LANG=C date --utc --date "@${SOURCE_DATE_EPOCH:-$(date +%s)}" '+%a %b
%d %H:%M:%S %Z %Y')"
+cat <<EOF >"$output/pesign-repackage.changes"
+-------------------------------------------------------------------
+$date - openSUSE <[email protected]>
+
+- automatically generated
+
+EOF
+
for rpmlintrc in $RPM_SOURCE_DIR/*rpmlintrc; do
if test -e "$rpmlintrc"; then
cp "$rpmlintrc" "$output/"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20230612.4699910/kernel-sign-file
new/pesign-obs-integration-10.2+git20240216.1e15ef4/kernel-sign-file
--- old/pesign-obs-integration-10.2+git20230612.4699910/kernel-sign-file
2023-06-12 07:16:32.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20240216.1e15ef4/kernel-sign-file
2024-02-16 12:10:58.000000000 +0100
@@ -13,7 +13,7 @@
use Getopt::Std;
my %opts;
-getopts('vkpds:i:', \%opts) or die $USAGE;
+getopts('vkpdNPs:i:C:', \%opts) or die $USAGE;
my $verbose = $opts{'v'};
my $signature_file = $opts{'s'};
my $use_keyid = $opts{'k'};
@@ -21,6 +21,9 @@
my $save_sig = $opts{'p'};
$save_sig = 1 if $sign_only;
my $id_type_name = $opts{'i'};
+my $certs_file = $opts{'C'}; # certs to include in pkcs7 signature
(DER encoded)
+my $digest_algo_with_null = $opts{'N'}; # add NULL param to algo, like
openssl does (see RFC 4055)
+my $save_signed_data = $opts{'P'}; # dump pkcs7 signed data in .p7sd
die $USAGE if ($#ARGV > 4);
die $USAGE if (!$signature_file && $#ARGV < 3 || $signature_file && $#ARGV <
2);
@@ -43,6 +46,7 @@
die "Can't read private key\n" if (!$signature_file && !-r $private_key);
die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
die "Can't read module\n" unless (-r $module);
+die "Can't read X.509 certs file\n" if ($certs_file && !-r $certs_file);
#
# Function to read the contents of a file into a variable.
@@ -455,10 +459,15 @@
$x509_certificate = '';
}
if ($x509_certificate) {
+ my $certs = '';
+ if ($certs_file) {
+ $certs = read_file($certs_file);
+ $certs = asn1_pack($CONT | $CONS | 0, $certs);
+ }
%certdata = parse_certificate($x509_certificate);
$signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
my $digest_algo = substr($prologue, 4, 2 + unpack('C',
substr($prologue, 5, 1)));
- my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE,
$digest_algo);
+ my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE,
$digest_algo, ($digest_algo_with_null ? asn1_pack($UNIV | $NULL) : ''));
my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET,
$digest_algo_seq);
my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3
: 1));
my $si_issuer = asn1_pack($certdata{issuer}->[0],
asn1_retrieve($certdata{issuer}->[1]));
@@ -473,9 +482,14 @@
my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3
: 1));
my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134,
72, 134, 247, 13, 1, 7, 1));
my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
- my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version,
$digest_algo_seq_set, $pkcs7_data_seq, $si_set);
+ my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version,
$digest_algo_seq_set, $pkcs7_data_seq, $certs, $si_set);
my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC",
42, 134, 72, 134, 247, 13, 1, 7, 2));
$signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data,
asn1_pack($CONT | $CONS | 0, $sid));
+ if ($save_signed_data) {
+ open(FD, ">$module.p7sd") || die "$module.p7sd";
+ binmode FD;
+ print FD $sid;
+ }
} else {
print "Certificate is empty, assuming pre-built PKCS#7 signature.\n" if
($verbose);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20230612.4699910/pesign-repackage.spec.in
new/pesign-obs-integration-10.2+git20240216.1e15ef4/pesign-repackage.spec.in
---
old/pesign-obs-integration-10.2+git20230612.4699910/pesign-repackage.spec.in
2023-06-12 07:16:32.000000000 +0200
+++
new/pesign-obs-integration-10.2+git20240216.1e15ef4/pesign-repackage.spec.in
2024-02-16 12:10:58.000000000 +0100
@@ -31,10 +31,11 @@
%endif
License: GPL-2.0
Group: Development/Tools/Other
-Summary: Spec file to rebuild RPMs with signatures
+Summary: Rebuild RPMs with signatures
+URL: https://github.com/opensuse/pesign-obs-integration
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
-Rebuilds RPMs with signatures
+Spec file to rebuild RPMs with signatures
%prep
%setup -c -T
@@ -84,7 +85,7 @@
rpms=("${rpms[@]}" "$rpm")
done
popd
-# Copy files other than the meta files and RPMs to %_topdir/OTHER
+# Copy files other than the meta files and RPMs to %%_topdir/OTHER
OTHER_FILES=`find %_sourcedir/ -maxdepth 1 -type f \
-not -regex '.*\.\(rpm\|spec\|rsasign\|sig\|crt\)' \
-not -regex '.*\rpmlintrc' \
@@ -146,6 +147,16 @@
*.ko.sig|*.mod.sig)
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f"
;;
+ *.auth.sig)
+ /usr/lib/rpm/pesign/kernel-sign-file -N -P -d -C "$cert" -i
pkcs7 -s "$sig" sha256 "$cert" "$f"
+ fbase="${f##*/}"
+ fbase="${fbase%.auth}"
+ fbase="${fbase%%-*}"
+ perl -0777 -npe 's/\A(?:[\040-\176]\0)+.{18}\0\0.{14}\0\0//s' <
"$f" > "$f.orig"
+ sign-efi-sig-list -i "$f.p7sd" "$fbase" "$f.orig" "$f.tmp"
+ mv "$f.tmp" "$f"
+ rm -f "$f.p7s" "$f.p7sd" "$f.orig"
+ ;;
/boot/* | *.efi.sig | */lib/modules/*/vmlinu[xz].sig |
*/lib/modules/*/[Ii]mage.sig | */lib/modules/*/z[Ii]mage.sig)
%ifarch %ix86 x86_64 aarch64 %arm riscv64
# PE style signature injection
++++++ pesign-obs-integration.obsinfo ++++++
--- /var/tmp/diff_new_pack.lRfCQg/_old 2024-02-22 20:56:19.246362892 +0100
+++ /var/tmp/diff_new_pack.lRfCQg/_new 2024-02-22 20:56:19.250363038 +0100
@@ -1,5 +1,5 @@
name: pesign-obs-integration
-version: 10.2+git20230612.4699910
-mtime: 1686546992
-commit: 4699910cf20591bcf3d06e42189ad8cb1326ab08
+version: 10.2+git20240216.1e15ef4
+mtime: 1708081858
+commit: 1e15ef4d77f9ba77ba21e06114068b3a04d1d5bf