Hello community, here is the log from the commit of package pesign for openSUSE:Factory checked in at 2019-05-14 13:13:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pesign (Old) and /work/SRC/openSUSE:Factory/.pesign.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign" Tue May 14 13:13:42 2019 rev:31 rq:702581 version:113 Changes: -------- --- /work/SRC/openSUSE:Factory/pesign/pesign.changes 2019-05-10 09:20:35.240583180 +0200 +++ /work/SRC/openSUSE:Factory/.pesign.new.5148/pesign.changes 2019-05-14 13:13:43.920850486 +0200 @@ -1,0 +2,24 @@ +Mon May 13 03:57:30 UTC 2019 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to 113 + + Get rid of the 0.Y versioning + + Make --padding the default + + Add kmod signing (drake) + + efisiglist format fixes + + enforce the use of --kernel or --module in efikeygen + + RPM macro updates + + Move the license to GPLv3+ + + Use sql-type NSS database by default + + Various documentation improvements. + + Improve /etc/pki/pesign authorization scripts + + Various pesigcheck improvements +- Refresh patches + + pesign-suse-build.patch + + pesign-privkey_unneeded.diff + + pesign-fix-authvar-write-loop.patch +- Drop upstreamed patches + + pesign-fix-argument-list.patch + + pesign-bsc1087742-fix-efisiglist.patch +- Drop pesign-fix-build-errors.patch since those warnings are gone + +------------------------------------------------------------------- @@ -4 +28 @@ -- Enable build on %arm as we can sign kernel on %arm +- Enable build on %arm as we can sign kernel on %arm (boo#1134670) Old: ---- pesign-0.112.tar.bz2 pesign-bsc1087742-fix-efisiglist.patch pesign-fix-argument-list.patch pesign-fix-build-errors.patch New: ---- pesign-113.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pesign.spec ++++++ --- /var/tmp/diff_new_pack.jCR3r5/_old 2019-05-14 13:13:44.468851862 +0200 +++ /var/tmp/diff_new_pack.jCR3r5/_new 2019-05-14 13:13:44.472851872 +0200 
@@ -17,27 +17,21 @@ Name: pesign -Version: 0.112 +Version: 113 Release: 0 Summary: Signing tool for PE-COFF binaries -License: GPL-2.0-only +License: GPL-3.0-or-later Group: Productivity/Security Url: https://github.com/rhinstaller/pesign Source: https://github.com/rhinstaller/pesign/releases/download/%{version}/%{name}-%{version}.tar.bz2 # PATCH-FIX-SUSE pesign-suse-build.patch g...@suse.com -- Adjust Makefile for the build service Patch1: pesign-suse-build.patch -# PATCH-FIX-UPSTREAM pesign-fix-build-errors.patch g...@suse.com -- Fix gcc warnings -Patch2: pesign-fix-build-errors.patch # PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff g...@suse.com -- Don't check the private key when importing the raw signature -Patch3: pesign-privkey_unneeded.diff +Patch2: pesign-privkey_unneeded.diff # PATCH-FIX-SUSE pesign-run.patch a...@suse.com - Use /run instead of /var/run -Patch5: pesign-run.patch +Patch3: pesign-run.patch # PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch g...@suse.com -- Fix the write loop in authvar -Patch6: pesign-fix-authvar-write-loop.patch -# PATCH-FIX-UPSTREAM pesign-fix-argument-list.patch g...@suse.com -- Fix the argument list parsing -Patch7: pesign-fix-argument-list.patch -# PATCH-FIX-UPSTREAM bsc#1087742 pesign-bsc1087742-fix-efisiglist.patch g...@suse.com -- Fix efi signature list generation -Patch8: pesign-bsc1087742-fix-efisiglist.patch +Patch4: pesign-fix-authvar-write-loop.patch BuildRequires: efivar-devel BuildRequires: libuuid-devel BuildRequires: mozilla-nss-devel @@ -57,10 +51,7 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 +%patch4 -p1 %build make %{?_smp_mflags} CFLAGS="$RPM_OPT_FLAGS" @@ -96,7 +87,7 @@ %files %defattr(-,root,root) -%doc COPYING +%license COPYING %{_bindir}/pesign %{_bindir}/pesign-client %{_bindir}/efikeygen 
@@ -115,7 +106,7 @@ %{_unitdir}/pesign.service %{_libexecdir}/tmpfiles.d/pesign.conf %dir %{_libexecdir}/pesign -%{_libexecdir}/pesign/pesign-authorize-* +%{_libexecdir}/pesign/pesign-authorize %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign %ghost %dir %attr(0770,pesign,pesign) /run/%{name} %dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name} ++++++ pesign-0.112.tar.bz2 -> pesign-113.tar.bz2 ++++++ ++++ 7030 lines of diff (skipped) ++++++ pesign-fix-authvar-write-loop.patch ++++++ --- /var/tmp/diff_new_pack.jCR3r5/_old 2019-05-14 13:13:44.664852354 +0200 +++ /var/tmp/diff_new_pack.jCR3r5/_new 2019-05-14 13:13:44.664852354 +0200 @@ -1,4 +1,4 @@ -From e3aee739b92c4124fc1207fb06a7dd1cd89d03ae Mon Sep 17 00:00:00 2001 +From b3c58e3b9237f90e865723837a9389fcb25f6945 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Tue, 1 Jul 2014 14:43:35 +0800 Subject: [PATCH] authvar: fix the write loop @@ -13,18 +13,18 @@ 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/authvar_context.c b/src/authvar_context.c -index c988e96..675967c 100644 +index 7a753fc..c51c666 100644 --- a/src/authvar_context.c +++ b/src/authvar_context.c -@@ -18,6 +18,7 @@ - */ +@@ -20,6 +20,7 @@ + #include "fix_coverity.h" #include <unistd.h> +#include <stddef.h> #include <sys/mman.h> #include <prerror.h> -@@ -133,11 +134,7 @@ generate_descriptor(authvar_context *ctx) +@@ -135,11 +136,7 @@ generate_descriptor(authvar_context *ctx) if (rc < 0) cmsreterr(-1, ctx->cms_ctx, "could not create signed data"); @@ -37,7 +37,7 @@ authinfo = calloc(offset + sd_der.len, 1); if (!authinfo) cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo"); -@@ -160,6 +157,7 @@ write_authvar(authvar_context *ctx) +@@ -162,6 +159,7 @@ write_authvar(authvar_context *ctx) void *buffer, *ptr; size_t buf_len, des_len, remain; ssize_t wlen; 
@@ -45,7 +45,7 @@ if (!ctx->authinfo) cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar"); -@@ -187,17 +185,17 @@ write_authvar(authvar_context *ctx) +@@ -189,19 +187,19 @@ write_authvar(authvar_context *ctx) if (ctx->value_size > 0) memcpy(ptr, ctx->value, ctx->value_size); @@ -60,13 +60,15 @@ do { - wlen = write(ctx->exportfd, buffer, remain); + wlen = write(ctx->exportfd, buffer + offset, remain); - if (wlen < 0) + if (wlen < 0) { + free(buffer); cmsreterr(-1, ctx->cms_ctx, "failed to write authvar"); + } remain -= wlen; + offset += wlen; } while (remain > 0); - return 0; + free(buffer); -- -1.8.4.5 +2.21.0 ++++++ pesign-privkey_unneeded.diff ++++++ --- /var/tmp/diff_new_pack.jCR3r5/_old 2019-05-14 13:13:44.672852374 +0200 +++ /var/tmp/diff_new_pack.jCR3r5/_new 2019-05-14 13:13:44.672852374 +0200 @@ -4,11 +4,11 @@ src/pesign.c | 1 + 3 files changed, 12 insertions(+), 2 deletions(-) -Index: pesign-0.111/src/cms_common.c +Index: pesign-113/src/cms_common.c =================================================================== ---- pesign-0.111.orig/src/cms_common.c -+++ pesign-0.111/src/cms_common.c -@@ -280,6 +280,7 @@ struct cbdata { +--- pesign-113.orig/src/cms_common.c ++++ pesign-113/src/cms_common.c +@@ -282,6 +282,7 @@ struct cbdata { CERTCertificate *cert; PK11SlotListElement *psle; secuPWData *pwdata; @@ -16,7 +16,7 @@ }; static SECStatus -@@ -291,6 +292,12 @@ is_valid_cert(CERTCertificate *cert, voi +@@ -293,6 +294,12 @@ is_valid_cert(CERTCertificate *cert, voi void *pwdata = cbdata->pwdata; SECKEYPrivateKey *privkey = NULL; @@ -29,7 +29,7 @@ privkey = PK11_FindPrivateKeyFromCert(slot, cert, pwdata); if (privkey != NULL) { cbdata->cert = cert; -@@ -421,7 +428,7 @@ find_certificate(cms_context *cms, int n +@@ -423,7 +430,7 @@ find_certificate(cms_context *cms, int n } SECStatus status; 
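Review bot: In the refreshed `write_authvar()` loop every negative return from `write()` is still fatal, so a write interrupted by a signal frees the buffer and aborts the export instead of retrying, and the loop makes no progress if `write()` ever returns 0. Consider `if (wlen < 0 && errno == EINTR) continue;` ahead of the error branch (with `<errno.h>` included), and treat a zero return as an error. `buffer` is declared `void *` in the context of the earlier hunk, so `buffer + offset` relies on the GNU void-pointer arithmetic extension; `(char *)buffer + offset` is portable. The function body extends beyond the lines shown in this hunk.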
@@ -38,7 +38,7 @@ status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); if (status != SECSuccess) { PK11_DestroySlotListElement(slots, &psle); -@@ -450,6 +457,7 @@ find_certificate(cms_context *cms, int n +@@ -452,6 +459,7 @@ find_certificate(cms_context *cms, int n .cert = NULL, .psle = psle, .pwdata = pwdata, @@ -46,7 +46,7 @@ }; if (needs_private_key) { -@@ -570,7 +578,7 @@ find_named_certificate(cms_context *cms, +@@ -572,7 +580,7 @@ find_named_certificate(cms_context *cms, } SECStatus status; @@ -55,11 +55,11 @@ status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); if (status != SECSuccess) { PK11_DestroySlotListElement(slots, &psle); -Index: pesign-0.111/src/cms_common.h +Index: pesign-113/src/cms_common.h =================================================================== ---- pesign-0.111.orig/src/cms_common.h -+++ pesign-0.111/src/cms_common.h -@@ -63,6 +63,7 @@ typedef int (*cms_common_logger)(struct +--- pesign-113.orig/src/cms_common.h ++++ pesign-113/src/cms_common.h +@@ -62,6 +62,7 @@ typedef int (*cms_common_logger)(struct typedef struct cms_context { PRArenaPool *arena; void *privkey; @@ -67,11 +67,11 @@ char *tokenname; char *certname; -Index: pesign-0.111/src/pesign.c +Index: pesign-113/src/file_pe.c =================================================================== ---- pesign-0.111.orig/src/pesign.c -+++ pesign-0.111/src/pesign.c -@@ -651,6 +651,7 @@ main(int argc, char *argv[]) +--- pesign-113.orig/src/file_pe.c ++++ pesign-113/src/file_pe.c +@@ -354,6 +354,7 @@ pe_handle_action(pesign_context *ctxp, i */ case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS: check_inputs(ctxp); ++++++ pesign-run.patch ++++++ --- /var/tmp/diff_new_pack.jCR3r5/_old 2019-05-14 13:13:44.688852414 +0200 +++ /var/tmp/diff_new_pack.jCR3r5/_new 2019-05-14 13:13:44.688852414 +0200 
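Review bot: The patch header is stale after this refresh: the diffstat kept as context in the `@@ -4,11 +4,11 @@` hunk still lists `src/pesign.c | 1 +`, while the last section now applies to `src/file_pe.c` inside `pe_handle_action()`, so the header should be regenerated. Since the flag this patch adds appears to live in `struct cms_context` and to relax the private-key check during certificate lookup, a comment on the field would help, for example `/* set only for IMPORT_RAW_SIGNATURE|IMPORT_SATTRS; skips the private-key check in certificate lookup */`. The line that sets the flag is not visible in this hunk, so it is worth confirming that it cannot stay set for a later signing action on the same context.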
@@ -6,11 +6,11 @@ src/tmpfiles.conf | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) -Index: pesign-0.112/src/Makefile +Index: pesign-113/src/Makefile =================================================================== ---- pesign-0.112.orig/src/Makefile -+++ pesign-0.112/src/Makefile -@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit +--- pesign-113.orig/src/Makefile ++++ pesign-113/src/Makefile +@@ -73,7 +73,7 @@ install_sysvinit: pesign.sysvinit install : $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ @@ -19,11 +19,11 @@ $(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir) $(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir) $(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir) -Index: pesign-0.112/src/daemon.h +Index: pesign-113/src/daemon.h =================================================================== ---- pesign-0.112.orig/src/daemon.h -+++ pesign-0.112/src/daemon.h -@@ -49,7 +49,7 @@ typedef enum { +--- pesign-113.orig/src/daemon.h ++++ pesign-113/src/daemon.h +@@ -49,8 +49,8 @@ typedef enum { } pesignd_cmd; #define PESIGND_VERSION 0x2a9edaf0 
@@ -32,31 +32,32 @@ +#define SOCKPATH "/run/pesign/socket" +#define PIDFILE "/run/pesign.pid" - #endif /* DAEMON_H */ -Index: pesign-0.112/src/macros.pesign -=================================================================== ---- pesign-0.112.orig/src/macros.pesign -+++ pesign-0.112/src/macros.pesign -@@ -40,7 +40,7 @@ - %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\ - --certdir ${nss} -c signer %{-o} \ - rm -rf ${sattrs} ${sattrs}.sig ${nss} \ + static inline uint32_t UNUSED + pesignd_string_size(char *buffer) +Index: pesign-113/src/macros.pesign +=================================================================== +--- pesign-113.orig/src/macros.pesign ++++ pesign-113/src/macros.pesign +@@ -52,7 +52,7 @@ + getfacl /var/run/pesign 1>&2 \ + getfacl /var/run/pesign/socket 1>&2 \ + exit 1 \ - elif [ -S /var/run/pesign/socket ]; then \ + elif [ -S /run/pesign/socket ]; then \ - %{_pesign_client} -t "OpenSC Card (Fedora Signer)" \\\ - -c "/CN=Fedora Secure Boot Signer" \\\ + %{_pesign_client} -t %{__pesign_client_token} \\\ + -c %{__pesign_client_cert} \\\ %{-i} %{-o} %{-e} %{-s} %{-C} \ -Index: pesign-0.112/src/tmpfiles.conf +Index: pesign-113/src/tmpfiles.conf =================================================================== ---- pesign-0.112.orig/src/tmpfiles.conf -+++ pesign-0.112/src/tmpfiles.conf +--- pesign-113.orig/src/tmpfiles.conf ++++ pesign-113/src/tmpfiles.conf @@ -1 +1 @@ -D /var/run/pesign 0770 pesign pesign - +D /run/pesign 0770 pesign pesign - -Index: pesign-0.112/src/pesign.sysvinit.in +Index: pesign-113/src/pesign.sysvinit.in =================================================================== ---- pesign-0.112.orig/src/pesign.sysvinit.in -+++ pesign-0.112/src/pesign.sysvinit.in +--- pesign-113.orig/src/pesign.sysvinit.in ++++ pesign-113/src/pesign.sysvinit.in @@ -4,7 +4,7 @@ # # chkconfig: - 50 50 
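Review bot: The refreshed macros.pesign hunk converts only the `[ -S /run/pesign/socket ]` test, while the diagnostic branch just above it still runs `getfacl /var/run/pesign` and `getfacl /var/run/pesign/socket`, so the error output inspects a different path from the one the macro tests. The same leftover appears to exist in the sysvinit `start()` context shown in pesign-suse-build.patch, which still does `mkdir /var/run/pesign` followed by `chown` and `chmod 0770`. Where /var/run is a symlink to /run this is harmless, but the patch should convert these lines too, e.g. `getfacl /run/pesign 1>&2 \` and `getfacl /run/pesign/socket 1>&2 \`. The macro body is only partly visible in this hunk.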
@@ -66,54 +67,28 @@ ### BEGIN INIT INFO # Provides: pesign # Should-Start: $remote_fs -Index: pesign-0.112/src/pesign.service.in +Index: pesign-113/src/pesign.service.in =================================================================== ---- pesign-0.112.orig/src/pesign.service.in -+++ pesign-0.112/src/pesign.service.in -@@ -4,7 +4,7 @@ Description=Pesign signing daemon +--- pesign-113.orig/src/pesign.service.in ++++ pesign-113/src/pesign.service.in +@@ -4,6 +4,6 @@ Description=Pesign signing daemon [Service] PrivateTmp=true Type=forking -PIDFile=/var/run/pesign.pid +PIDFile=/run/pesign.pid ExecStart=/usr/bin/pesign --daemonize - ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users - ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups -Index: pesign-0.112/src/pesign-authorize-groups -=================================================================== ---- pesign-0.112.orig/src/pesign-authorize-groups -+++ pesign-0.112/src/pesign-authorize-groups -@@ -12,10 +12,10 @@ set -e - - if [ -r /etc/pesign/groups ]; then - for group in $(cat /etc/pesign/groups); do -- if [ -d /var/run/pesign ]; then -- setfacl -m g:${group}:rx /var/run/pesign -- if [ -e /var/run/pesign/socket ]; then -- setfacl -m g:${group}:rw /var/run/pesign/socket -+ if [ -d /run/pesign ]; then -+ setfacl -m g:${group}:rx /run/pesign -+ if [ -e /run/pesign/socket ]; then -+ setfacl -m g:${group}:rw /run/pesign/socket - fi - fi - for x in /etc/pki/pesign* ; do -Index: pesign-0.112/src/pesign-authorize-users -=================================================================== ---- pesign-0.112.orig/src/pesign-authorize-users -+++ pesign-0.112/src/pesign-authorize-users -@@ -12,10 +12,10 @@ set -e + ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize +Index: pesign-113/src/pesign-authorize +=================================================================== +--- pesign-113.orig/src/pesign-authorize ++++ pesign-113/src/pesign-authorize +@@ -47,7 +47,7 @@ update_subdir() { + done + } - if [ -r 
/etc/pesign/users ]; then - for username in $(cat /etc/pesign/users); do -- if [ -d /var/run/pesign ]; then -- setfacl -m g:${username}:rx /var/run/pesign -- if [ -e /var/run/pesign/socket ]; then -- setfacl -m g:${username}:rw /var/run/pesign/socket -+ if [ -d /run/pesign ]; then -+ setfacl -m g:${username}:rx /run/pesign -+ if [ -e /run/pesign/socket ]; then -+ setfacl -m g:${username}:rw /run/pesign/socket - fi - fi - for x in /etc/pki/pesign* ; do +-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do ++for x in /run/pesign/ /etc/pki/pesign*/ ; do + if [ -d "${x}" ]; then + update_subdir "${x}" + else ++++++ pesign-suse-build.patch ++++++ --- /var/tmp/diff_new_pack.jCR3r5/_old 2019-05-14 13:13:44.700852445 +0200 +++ /var/tmp/diff_new_pack.jCR3r5/_new 2019-05-14 13:13:44.704852455 +0200 @@ -1,7 +1,7 @@ -Index: pesign-0.112/util/Makefile +Index: pesign-113/util/Makefile =================================================================== ---- pesign-0.112.orig/util/Makefile -+++ pesign-0.112/util/Makefile +--- pesign-113.orig/util/Makefile ++++ pesign-113/util/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules include $(TOPDIR)/Make.defaults @@ -22,11 +22,11 @@ install_systemd: -Index: pesign-0.112/src/pesign.sysvinit.in +Index: pesign-113/src/pesign.sysvinit.in =================================================================== ---- pesign-0.112.orig/src/pesign.sysvinit.in -+++ pesign-0.112/src/pesign.sysvinit.in -@@ -6,21 +6,24 @@ +--- pesign-113.orig/src/pesign.sysvinit.in ++++ pesign-113/src/pesign.sysvinit.in +@@ -6,16 +6,19 @@ # processname: /usr/bin/pesign # pidfile: /var/run/pesign.pid ### BEGIN INIT INFO 
@@ -50,13 +50,16 @@ RETVAL=0 start(){ - echo -n "Starting pesign: " +@@ -23,7 +26,7 @@ start(){ + mkdir /var/run/pesign 2>/dev/null && + chown pesign:pesign /var/run/pesign && + chmod 0770 /var/run/pesign - daemon /usr/bin/pesign --daemonize + startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize RETVAL=$? echo touch /var/lock/subsys/pesign -@@ -30,7 +33,7 @@ start(){ +@@ -32,7 +35,7 @@ start(){ stop(){ echo -n "Stopping pesign: " @@ -65,24 +68,24 @@ RETVAL=$? echo rm -f /var/lock/subsys/pesign -Index: pesign-0.112/Make.defaults +Index: pesign-113/Make.defaults =================================================================== ---- pesign-0.112.orig/Make.defaults -+++ pesign-0.112/Make.defaults -@@ -57,7 +57,7 @@ efi_cflags = $(cflags) - ASFLAGS = $(ARCH3264) - CPPFLAGS ?= +--- pesign-113.orig/Make.defaults ++++ pesign-113/Make.defaults +@@ -61,7 +61,7 @@ CPPFLAGS ?= + RANLIBFLAGS := $(if $(filter $(CC),gcc),-D) + ARFLAGS := $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs) -LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) +LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) ifeq ($(ARCH),ia64) efi_cflags += -mfixed-range=f32-f127 -Index: pesign-0.112/Makefile +Index: pesign-113/Makefile =================================================================== ---- pesign-0.112.orig/Makefile -+++ pesign-0.112/Makefile -@@ -9,7 +9,6 @@ SUBDIRS := include libdpe src +--- pesign-113.orig/Makefile ++++ pesign-113/Makefile +@@ -11,7 +11,6 @@ SUBDIRS := include libdpe src install : $(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/