Package: sbsigntool
Version: 0.6-3
Severity: normal
Tags: patch
Here's the diff for version 0.6-3.1, which fixed the two open bugs
and some other minor issues I found along the way.
I tested building the new version on arm64 on armhf. It failed on
armhf, but this appears to be a toolchain issue: the linker reported
various symbols in libc as undefined, but only when linking sbkeysync
and not any of the other programs. This build failure won't prevent
propagation to testing, and I assume that it will be resolved later
by an update to the toolchain.
The test suite assumes an x86 multilib compiler, so I stopped it
running on anything but amd64, i386 and kfreebsd-amd64. I did some
basic manual tests of sbsign, sbattach and sbverify on arm64 and
armhf, successfully.
Ben.
---
diff -Nru sbsigntool-0.6/debian/changelog sbsigntool-0.6/debian/changelog
--- sbsigntool-0.6/debian/changelog 2016-04-20 09:34:30.000000000 +0200
+++ sbsigntool-0.6/debian/changelog 2016-06-26 23:39:15.000000000 +0200
@@ -1,3 +1,14 @@
+sbsigntool (0.6-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload with approval of maintainer
+ * Limit build-dependency on gcc-multilib to the architectures where it
+ is available, and disable tests where it is not
+ * Enable building on arm64 and armhf (Closes: #821144)
+ * Update OpenSSL API usage to support OpenSSL 1.1 (Closes: #828539)
+ * Remove incorrect Vcs-Bzr field
+
+ -- Ben Hutchings <b...@decadent.org.uk> Sun, 26 Jun 2016 23:39:15 +0200
+
sbsigntool (0.6-3) unstable; urgency=medium
* Add sbsign_check_write_return.patch: check return when writing
diff -Nru sbsigntool-0.6/debian/control sbsigntool-0.6/debian/control
--- sbsigntool-0.6/debian/control 2016-04-19 08:06:55.000000000 +0200
+++ sbsigntool-0.6/debian/control 2016-06-26 22:45:44.000000000 +0200
@@ -4,7 +4,7 @@
Maintainer: Pierre Chifflier <pol...@debian.org>
Build-Depends: debhelper (>= 9.0.0),
dh-autoreconf,
- gcc-multilib,
+ gcc-multilib [amd64 i386 kfreebsd-amd64],
binutils-dev,
libssl-dev,
openssl,
@@ -14,13 +14,11 @@
help2man,
gnu-efi
Standards-Version: 3.9.7
-Vcs-Bzr: lp:ubuntu/sbsigntool
Package: sbsigntool
-Architecture: any-amd64 any-i386
+Architecture: any-amd64 any-i386 arm64 armhf
Depends: ${shlibs:Depends}, ${misc:Depends}
Multi-Arch: foreign
Description: Tools to manipulate signatures on UEFI binaries and drivers
This package installs tools which can cryptographically sign EFI binaries and
drivers.
- Currently it can only sign x86_64 EFI binaries and drivers.
diff -Nru sbsigntool-0.6/debian/patches/fix-efi-arch-detection.patch
sbsigntool-0.6/debian/patches/fix-efi-arch-detection.patch
--- sbsigntool-0.6/debian/patches/fix-efi-arch-detection.patch 1970-01-01
02:00:00.000000000 +0200
+++ sbsigntool-0.6/debian/patches/fix-efi-arch-detection.patch 2016-06-26
22:59:28.000000000 +0200
@@ -0,0 +1,19 @@
+Author: Ben Hutchings <b...@decadent.org.uk>
+Date: Sun, 26 Jun 2016 22:56:18 +0200
+Description: Fix EFI architecture detection
+ Currently we use 'uname -m', which tells us the build architecture.
+ In a cross-building environment or compat environment, this is not the
+ same as the host architecture. Use AC_CANONICAL_HOST instead.
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -64,7 +64,8 @@ PKG_CHECK_MODULES(uuid, uuid,
+ AC_MSG_ERROR([libuuid (from the uuid package) is required]))
+
+ dnl gnu-efi headers require extra include dirs
+-EFI_ARCH=$(uname -m)
++AC_CANONICAL_HOST
++EFI_ARCH=$host_cpu
+ case $EFI_ARCH in
+ i*86)
+ EFI_ARCH="ia32"
diff -Nru sbsigntool-0.6/debian/patches/series
sbsigntool-0.6/debian/patches/series
--- sbsigntool-0.6/debian/patches/series 2016-04-18 22:56:08.000000000
+0200
+++ sbsigntool-0.6/debian/patches/series 2016-06-26 22:55:38.000000000
+0200
@@ -11,3 +11,5 @@
0001-Support-openssl-1.0.2b-and-above.patch
sbverify_clear_out_cert_content.patch
sbsign_check_write_return.patch
+update-openssl-api-usage-to-support-openssl-1.1.patch
+fix-efi-arch-detection.patch
diff -Nru
sbsigntool-0.6/debian/patches/update-openssl-api-usage-to-support-openssl-1.1.patch
sbsigntool-0.6/debian/patches/update-openssl-api-usage-to-support-openssl-1.1.patch
---
sbsigntool-0.6/debian/patches/update-openssl-api-usage-to-support-openssl-1.1.patch
1970-01-01 02:00:00.000000000 +0200
+++
sbsigntool-0.6/debian/patches/update-openssl-api-usage-to-support-openssl-1.1.patch
2016-06-26 22:20:59.000000000 +0200
@@ -0,0 +1,143 @@
+Author: Ben Hutchings <b...@decadent.org.uk>
+Date: Sun, 26 Jun 2016 22:04:29 +0200
+Description: Update OpenSSL API usage to support OpenSSL 1.1
+ Most structure definitions in OpenSSL are now opaque and we must call
+ the appropriate accessor functions to get information from them.
+ Not all the accessors are available in older versions, so define the
+ missing accessors as macros.
+ .
+ The X509_retrieve_match() function is no longer usable, as we cannot
+ initialise an X509_OBJECT ourselves. Instead, iterate over the
+ certificate store and use X509_OBJECT_get_type and X509_cmp to
+ compare certificates.
+
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -55,6 +55,14 @@
+ #include <openssl/pem.h>
+ #include <openssl/x509v3.h>
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
++#define X509_OBJECT_get_type(obj) ((obj)->type)
++#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
++#define X509_STORE_get0_objects(certs) ((certs)->objs)
++#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
++#endif
++
+ static const char *toolname = "sbverify";
+ static const int cert_name_len = 160;
+
+@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *
+
+ for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
+ cert = sk_X509_value(p7->d.sign->cert, i);
+- X509_NAME_oneline(cert->cert_info->subject,
++ X509_NAME_oneline(X509_get_subject_name(cert),
+ subject_name, cert_name_len);
+- X509_NAME_oneline(cert->cert_info->issuer,
++ X509_NAME_oneline(X509_get_issuer_name(cert),
+ issuer_name, cert_name_len);
+
+ printf(" - subject: %s\n", subject_name);
+@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *
+ static void print_certificate_store_certs(X509_STORE *certs)
+ {
+ char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
++ STACK_OF(X509_OBJECT) *objs;
+ X509_OBJECT *obj;
++ X509 *cert;
+ int i;
+
+ printf("certificate store:\n");
+
+- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
+- obj = sk_X509_OBJECT_value(certs->objs, i);
++ objs = X509_STORE_get0_objects(certs);
++
++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++ obj = sk_X509_OBJECT_value(objs, i);
+
+- if (obj->type != X509_LU_X509)
++ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
+ continue;
+
+- X509_NAME_oneline(obj->data.x509->cert_info->subject,
++ cert = X509_OBJECT_get0_X509(obj);
++
++ X509_NAME_oneline(X509_get_subject_name(cert),
+ subject_name, cert_name_len);
+- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
++ X509_NAME_oneline(X509_get_issuer_name(cert),
+ issuer_name, cert_name_len);
+
+ printf(" - subject: %s\n", subject_name);
+@@ -182,12 +196,21 @@ static int load_detached_signature_data(
+
+ static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
+ {
+- X509_OBJECT obj;
++ STACK_OF(X509_OBJECT) *objs;
++ X509_OBJECT *obj;
++ int i;
++
++ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
+
+- obj.type = X509_LU_X509;
+- obj.data.x509 = cert;
++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++ obj = sk_X509_OBJECT_value(objs, i);
+
+- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
++ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
++ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
++ return 1;
++ }
++
++ return 0;
+ }
+
+ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+@@ -195,8 +218,9 @@ static int x509_verify_cb(int status, X5
+ int err = X509_STORE_CTX_get_error(ctx);
+
+ /* also accept code-signing keys */
+- if (err == X509_V_ERR_INVALID_PURPOSE
+- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
++ if (err == X509_V_ERR_INVALID_PURPOSE &&
++
X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
++ == XKU_CODE_SIGN)
+ status = 1;
+
+ /* all certs given with the --cert argument are trusted */
+@@ -204,7 +228,7 @@ static int x509_verify_cb(int status, X5
+ err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
+ err == X509_V_ERR_CERT_UNTRUSTED) {
+
+- if (cert_in_store(ctx->current_cert, ctx))
++ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
+ status = 1;
+ }
+ /* UEFI doesn't care about expired signatures, so we shouldn't either.
*/
+--- a/src/sbkeysync.c
++++ b/src/sbkeysync.c
+@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *ke
+ return -1;
+
+ /* we use the X509 serial number as the key ID */
+- if (!x509->cert_info || !x509->cert_info->serialNumber)
++ serial = X509_get_serialNumber(x509);
++ if (!serial)
+ goto out;
+
+- serial = x509->cert_info->serialNumber;
+-
+ key->id_len = ASN1_STRING_length(serial);
+ key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+
+ key->description = talloc_array(key, char, description_len);
+- X509_NAME_oneline(x509->cert_info->subject,
++ X509_NAME_oneline(X509_get_subject_name(x509),
+ key->description, description_len);
+
+ rc = 0;
diff -Nru sbsigntool-0.6/debian/rules sbsigntool-0.6/debian/rules
--- sbsigntool-0.6/debian/rules 2016-03-08 09:01:25.000000000 +0200
+++ sbsigntool-0.6/debian/rules 2016-06-26 20:54:52.000000000 +0200
@@ -1,8 +1,17 @@
#!/usr/bin/make -f
# -*- makefile -*-
+include /usr/share/dpkg/architecture.mk
+
# Uncomment this to turn on verbose mode.
export DH_VERBOSE=1
%:
dh $@ --with autoreconf
+
+# Upstream tests are specific to x86, and require gcc-multilib which
+# is only available on some x86 architectures
+override_dh_auto_test:
+ifneq ($(filter amd64 i386 kfreebsd-amd64,$(DEB_HOST_ARCH)),)
+ dh_auto_test
+endif
-- System Information:
Debian Release: stretch/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sbsigntool depends on:
ii libc6 2.22-11
ii libssl1.0.2 1.0.2h-1
ii libuuid1 2.28-5
sbsigntool recommends no packages.
sbsigntool suggests no packages.
-- no debconf information
