Hello community, here is the log from the commit of package mokutil for openSUSE:Factory checked in at 2020-09-21 16:59:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mokutil (Old) and /work/SRC/openSUSE:Factory/.mokutil.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mokutil" Mon Sep 21 16:59:42 2020 rev:25 rq:835084 version:0.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/mokutil/mokutil.changes 2020-08-15 21:15:15.263448365 +0200 +++ /work/SRC/openSUSE:Factory/.mokutil.new.4249/mokutil.changes 2020-09-21 16:59:52.166730381 +0200 @@ -1,0 +2,10 @@ +Wed Sep 16 09:06:02 UTC 2020 - Gary Ching-Pang Lin <[email protected]> + +- Add mokutil-bsc1173115-add-ca-and-keyring-checks.patch to add + options for CA and kernel keyring checks (bsc#1173115) + + Add new BuildRequires: keyutils-devel + + Add mokutil-remove-libkeyutils-check.patch to disable the + version check of libkeyutils +- Refresh mokutil-support-revoke-builtin-cert.patch + +------------------------------------------------------------------- New: ---- mokutil-bsc1173115-add-ca-and-keyring-checks.patch mokutil-remove-libkeyutils-check.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mokutil.spec ++++++ --- /var/tmp/diff_new_pack.OQScQ2/_old 2020-09-21 16:59:55.378733268 +0200 +++ /var/tmp/diff_new_pack.OQScQ2/_new 2020-09-21 16:59:55.382733272 +0200 
@@ -27,10 +27,15 @@ Source1: modhash # PATCH-FIX-UPSTREAM mokutil-remove-shebang-from-bash-completion-file.patch [email protected] -- Remove shebang from bash-completion/mokutil Patch1: mokutil-remove-shebang-from-bash-completion-file.patch +# PATCH-FIX-UPSTREAM mokutil-bsc1173115-add-ca-and-keyring-checks.patch bsc#1173115 [email protected] -- Add options for CA and kernel keyring checks +Patch2: mokutil-bsc1173115-add-ca-and-keyring-checks.patch +# PATCH-FIX-SUSE mokutil-remove-libkeyutils-check.patch [email protected] -- Disable the check of libkeyutils version +Patch3: mokutil-remove-libkeyutils-check.patch Patch100: mokutil-support-revoke-builtin-cert.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: efivar-devel >= 0.12 +BuildRequires: keyutils-devel >= 1.5.0 BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: pkg-config Requires: openssl @@ -50,6 +55,8 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch100 -p1 %build ++++++ mokutil-bsc1173115-add-ca-and-keyring-checks.patch ++++++ ++++ 1159 lines (skipped) ++++++ mokutil-remove-libkeyutils-check.patch ++++++ >From 87eb098c85dcae328924e91bb84e8e68ea15fd15 Mon Sep 17 00:00:00 2001 From: Gary Lin <[email protected]> Date: Wed, 16 Sep 2020 17:02:56 +0800 Subject: [PATCH] Remove libkeyutils pkgconfig check keyutils didn't provide pkgconfig in 1.5.* Signed-off-by: Gary Lin <[email protected]> --- configure.ac | 1 - src/Makefile.am | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index b0b0376..d74fd21 100644 --- a/configure.ac +++ b/configure.ac @@ -85,7 +85,6 @@ AC_CHECK_FUNCS([memset]) PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) -PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5]) AC_ARG_WITH([bash-completion-dir], AS_HELP_STRING([--with-bash-completion-dir[=PATH]], diff --git a/src/Makefile.am b/src/Makefile.am index f616b90..664b80a 100644 --- a/src/Makefile.am 
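Review bot: Removing `PKG_CHECK_MODULES(LIBKEYUTILS, [libkeyutils >= 1.5])` in the configure.ac hunk leaves configure with no probe for libkeyutils at all, while the src/Makefile.am hunk of the same patch hard-codes `-lkeyutils`. A missing or too-old library now surfaces only as a compile or link error, and the 1.5 floor is enforced solely by the spec's `BuildRequires: keyutils-devel >= 1.5.0`, so a build outside this spec gets no version guarantee. The kernel keyring check added by the other new patch presumably depends on this library, so a probe that does not need pkg-config would keep the failure at configure time: `AC_CHECK_HEADER([keyutils.h], [], [AC_MSG_ERROR([keyutils.h not found])])` and `AC_CHECK_LIB([keyutils], [keyctl_search], [], [AC_MSG_ERROR([libkeyutils not found])])`. The patch that calls into libkeyutils is skipped on this page, so the symbol in `AC_CHECK_LIB` should be swapped for one mokutil actually uses.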
+++ b/src/Makefile.am @@ -2,12 +2,11 @@ bin_PROGRAMS = mokutil mokutil_CFLAGS = $(OPENSSL_CFLAGS) \ $(EFIVAR_CFLAGS) \ - $(LIBKEYUTILS_CFLAGS) \ $(WARNINGFLAGS_C) mokutil_LDADD = $(OPENSSL_LIBS) \ $(EFIVAR_LIBS) \ - $(LIBKEYUTILS_LIBS) \ + -lkeyutils \ -lcrypt mokutil_SOURCES = signature.h \ -- 2.28.0 ++++++ mokutil-support-revoke-builtin-cert.patch ++++++ --- /var/tmp/diff_new_pack.OQScQ2/_old 2020-09-21 16:59:55.426733312 +0200 +++ /var/tmp/diff_new_pack.OQScQ2/_new 2020-09-21 16:59:55.426733312 +0200 @@ -1,4 +1,4 @@ -From 93ded288224a18f336f9e3654a33a48bcb748b11 Mon Sep 17 00:00:00 2001 +From df2a6b1cc6e1763e1ed1b8e59b012ae8dc048a81 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Fri, 21 Feb 2014 17:56:55 +0800 Subject: [PATCH 1/4] Add the option to revoke the built-in certificate @@ -13,10 +13,10 @@ 1 file changed, 82 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c -index e2d567d..1ada2a0 100644 +index 02ed21f..d95a2eb 100644 --- a/src/mokutil.c +++ b/src/mokutil.c -@@ -84,6 +84,7 @@ +@@ -86,6 +86,7 @@ #define DELETE_HASH (1 << 22) #define VERBOSITY (1 << 23) #define TIMEOUT (1 << 24) @@ -24,7 +24,7 @@ #define DEFAULT_CRYPT_METHOD SHA512_BASED #define DEFAULT_SALT_SIZE SHA512_SALT_MAX -@@ -176,6 +177,7 @@ print_help () +@@ -180,6 +181,7 @@ print_help () printf (" --db\t\t\t\t\tList the keys in db\n"); printf (" --dbx\t\t\t\t\tList the keys in dbx\n"); printf (" --timeout <-1,0..0x7fff>\t\tSet the timeout for MOK prompt\n"); @@ -32,7 +32,7 @@ printf ("\n"); printf ("Supplimentary Options:\n"); printf (" --hash-file <hash file>\t\tUse the specific password hash\n"); -@@ -2103,6 +2105,79 @@ set_verbosity (uint8_t verbosity) +@@ -2397,6 +2399,79 @@ set_verbosity (uint8_t verbosity) return 0; } 
@@ -112,24 +112,24 @@ static inline int list_db (DBName db_name) { -@@ -2182,6 +2257,7 @@ main (int argc, char *argv[]) - {"db", no_argument, 0, 0 }, - {"dbx", no_argument, 0, 0 }, +@@ -2480,6 +2555,7 @@ main (int argc, char *argv[]) {"timeout", required_argument, 0, 0 }, + {"ca-check", no_argument, 0, 0 }, + {"ignore-keyring", no_argument, 0, 0 }, + {"revoke-cert", no_argument, 0, 0 }, {0, 0, 0, 0} }; -@@ -2268,6 +2344,8 @@ main (int argc, char *argv[]) - } else if (strcmp (option, "timeout") == 0) { - command |= TIMEOUT; - timeout = strdup (optarg); +@@ -2570,6 +2646,8 @@ main (int argc, char *argv[]) + force_ca_check = 1; + } else if (strcmp (option, "ignore-keyring") == 0) { + check_keyring = 0; + } else if (strcmp (option, "revoke-cert") == 0) { + command |= REVOKE_CERT; } break; -@@ -2537,6 +2615,10 @@ main (int argc, char *argv[]) +@@ -2839,6 +2917,10 @@ main (int argc, char *argv[]) case TIMEOUT: ret = set_timeout (timeout); break; @@ -141,10 +141,10 @@ print_help (); break; -- -2.27.0 +2.28.0 -From 17f9850edce4dd40f96107c97d3d720406bf9f09 Mon Sep 17 00:00:00 2001 +From 819accd580465aa21da7bed081790c6c9e889702 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Tue, 4 Nov 2014 14:50:36 +0800 Subject: [PATCH 2/4] Use the efivar functions to access UEFI variables @@ -157,10 +157,10 @@ 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c -index 1ada2a0..dcf55dc 100644 +index d95a2eb..8be0b77 100644 --- a/src/mokutil.c +++ b/src/mokutil.c -@@ -2108,28 +2108,35 @@ set_verbosity (uint8_t verbosity) +@@ -2402,28 +2402,35 @@ set_verbosity (uint8_t verbosity) static int revoke_builtin_cert (void) { @@ -205,7 +205,7 @@ memset (&pw_crypt, 0, sizeof(pw_crypt_t)); memset (auth, 0, SHA256_DIGEST_LENGTH); -@@ -2152,20 +2159,18 @@ revoke_builtin_cert (void) +@@ -2446,20 +2453,18 @@ revoke_builtin_cert (void) } if (!use_simple_hash) { 
@@ -236,10 +236,10 @@ goto error; } -- -2.27.0 +2.28.0 -From 1ab85ee4d98a5436c4612b8f893c3c73f113a6e0 Mon Sep 17 00:00:00 2001 +From 2627cdff19e6e998180690151c9cc6533fff6cc1 Mon Sep 17 00:00:00 2001 From: Gary Lin <[email protected]> Date: Wed, 13 Jul 2016 14:58:15 +0800 Subject: [PATCH 3/4] Use efi_set_variable from efivar 0.24 @@ -250,10 +250,10 @@ 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/mokutil.c b/src/mokutil.c -index dcf55dc..0160c06 100644 +index 8be0b77..f27bba0 100644 --- a/src/mokutil.c +++ b/src/mokutil.c -@@ -2170,7 +2170,8 @@ revoke_builtin_cert (void) +@@ -2464,7 +2464,8 @@ revoke_builtin_cert (void) | EFI_VARIABLE_RUNTIME_ACCESS; if (efi_set_variable (efi_guid_shim, "ClearVerify", @@ -264,10 +264,10 @@ goto error; } -- -2.27.0 +2.28.0 -From ca9db2e9aa89a945651787b23046a6213af4144d Mon Sep 17 00:00:00 2001 +From acbf5198afdec419f4ae17dc140cd093906e0a00 Mon Sep 17 00:00:00 2001 From: Gary Lin <[email protected]> Date: Fri, 14 Aug 2020 14:57:23 +0800 Subject: [PATCH 4/4] man: add "--revoke-cert" @@ -282,7 +282,7 @@ 1 file changed, 5 insertions(+) diff --git a/man/mokutil.1 b/man/mokutil.1 -index 25fe8b4..bf27a52 100644 +index cbea367..1c18d7a 100644 --- a/man/mokutil.1 +++ b/man/mokutil.1 @@ -73,6 +73,8 @@ mokutil \- utility to manipulate machine owner keys @@ -294,13 +294,13 @@ .SH DESCRIPTION \fBmokutil\fR is a tool to import or delete the machines owner keys -@@ -173,3 +175,6 @@ List the keys in the secure boot signature store (db) - \fB--dbx\fR - List the keys in the secure boot blacklist signature store (dbx) +@@ -180,3 +182,6 @@ databases. + \fB--ignore-keyring\fR + Ignore the kernel builtin trusted keys keyring check when enrolling a key into MokList .TP +\fB--revoke-cert\fR +Revoke the agreement of using the built-in certificate in shim (openSUSE Specfic) +.TP -- -2.27.0 +2.28.0
