Hello community,
here is the log from the commit of package pesign-obs-integration for
openSUSE:Factory checked in at 2017-11-14 12:37:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign-obs-integration (Old)
and /work/SRC/openSUSE:Factory/.pesign-obs-integration.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign-obs-integration"
Tue Nov 14 12:37:18 2017 rev:25 rq:539775 version:10.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes
2017-10-05 11:48:14.461617363 +0200
+++
/work/SRC/openSUSE:Factory/.pesign-obs-integration.new/pesign-obs-integration.changes
2017-11-14 12:37:23.678459305 +0100
@@ -1,0 +2,7 @@
+Wed Nov 8 04:35:57 UTC 2017 - [email protected]
+
+- Modified modsign-repackage, using certificate to try to decrypt
+ the signature of kernel module. It can be used to verify the
+ integrity of signature.
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ modsign-repackage ++++++
--- /var/tmp/diff_new_pack.DPbJs7/_old 2017-11-14 12:37:24.426431971 +0100
+++ /var/tmp/diff_new_pack.DPbJs7/_new 2017-11-14 12:37:24.426431971 +0100
@@ -117,6 +117,9 @@
done
set -e
echo "Signing kernel modules..."
+if test ! -e "$cert.pub"; then
+ openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
+fi
for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do
if test -n "$key"; then
/usr/lib/rpm/pesign/kernel-sign-file \
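Review bot: A `$cert.pub` that already exists is trusted as-is by the `test ! -e` guard, so a stale or truncated file beside the certificate would be used for every signature check without being tied to `$cert`. The script can leave such a file itself: the redirect creates it before `openssl x509` runs, and both a failure there (under `set -e`) and the `exit 1` paths in the next hunk leave before `rm "$cert.pub"` is reached. The final `rm` may also delete a file this script did not create. Always deriving the key into a private temporary file avoids all three: `pubkey=$(mktemp)`, `trap 'rm -f "$pubkey"' EXIT`, `openssl x509 -in "$cert" -inform DER -pubkey -noout > "$pubkey"`, with `"$pubkey"` passed to `-inkey` in the loop.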
@@ -127,11 +130,17 @@
echo "$module.sig not found in $sig_dir" >&2
exit 1
fi
+ ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in
"$raw_sig" 2>&1 | grep -i error)
+ if [ -n "$ver_err" ]; then
+ echo "$raw_sig signature can not be decrypted by $cert"
>&2
+ exit 1
+ fi
/usr/lib/rpm/pesign/kernel-sign-file \
-i pkcs7 -s "$raw_sig" sha256 "$cert"
"$buildroot/$module"
fi
done
+rm "$cert.pub"
# Add the certificate
mkdir -p "$buildroot/etc/uefi/certs"
h=$(openssl x509 -inform DER -fingerprint -noout -in "$cert")
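Review bot: The `ver_err=$(... | grep -i error)` assignment takes grep's exit status, which is 1 when no error text is found, so if the `set -e` issued before the loop is still in effect the script would stop here for every signature that verifies. Matching the word "error" is also fragile, because `2>&1` mixes the diagnostics with the recovered signature bytes on stdout. Testing the command's own exit status in a condition avoids both: `if ! openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$raw_sig" >/dev/null 2>&1; then`. A comment above the check should say that, as far as the hunk shows, it only confirms the signature was produced with the key in `$cert` and does not compare the recovered digest with the module's contents. The loop and the branch this check sits in begin outside the hunk.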