Hello community, here is the log from the commit of package mkdud for openSUSE:Factory checked in at 2015-02-10 20:23:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mkdud (Old) and /work/SRC/openSUSE:Factory/.mkdud.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mkdud" Changes: -------- --- /work/SRC/openSUSE:Factory/mkdud/mkdud.changes 2015-01-27 09:09:21.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.mkdud.new/mkdud.changes 2015-02-10 20:23:09.000000000 +0100 @@ -1,0 +2,6 @@ +Mon Feb 9 14:16:09 CET 2015 - snw...@suse.com + +- support creating signed driver updates +- 1.14 + +------------------------------------------------------------------- Old: ---- mkdud-1.13.tar.xz New: ---- mkdud-1.14.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mkdud.spec ++++++ --- /var/tmp/diff_new_pack.4N8q8v/_old 2015-02-10 20:23:10.000000000 +0100 +++ /var/tmp/diff_new_pack.4N8q8v/_new 2015-02-10 20:23:10.000000000 +0100 @@ -19,10 +19,11 @@ Name: mkdud BuildRequires: xz +Requires: gpg2 Summary: Create driver update from rpms License: GPL-3.0+ Group: Hardware/Other -Version: 1.13 +Version: 1.14 Release: 0 Source: %{name}-%{version}.tar.xz Url: https://github.com/wfeldt/mkdud ++++++ mkdud-1.13.tar.xz -> mkdud-1.14.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mkdud-1.13/README new/mkdud-1.14/README --- old/mkdud-1.13/README 2015-01-26 16:35:56.000000000 +0100 +++ new/mkdud-1.14/README 2015-02-09 14:13:17.000000000 +0100 
@@ -120,3 +120,14 @@ boot medium to apply it (literally: 'cat my.dud >> initrd'). No need for a 'dud' boot option in this case. + +5. Signature +------------ + +When downloading a driver update the installer will verify the integrity of +the update by checking the (detached) signature. + +Note that for sle11 due to a limitation in the installer you can only sign +an uncompressed update. sle12/openSUSE 13.2 and later don't have this +limitation. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mkdud-1.13/VERSION new/mkdud-1.14/VERSION --- old/mkdud-1.13/VERSION 2015-01-26 16:35:56.000000000 +0100 +++ new/mkdud-1.14/VERSION 2015-02-09 14:13:17.000000000 +0100 @@ -1 +1 @@ -1.13 +1.14 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mkdud-1.13/changelog new/mkdud-1.14/changelog --- old/mkdud-1.13/changelog 2015-01-26 16:35:56.000000000 +0100 +++ new/mkdud-1.14/changelog 2015-02-09 14:13:17.000000000 +0100 @@ -1,4 +1,7 @@ -2015-01-26: 8bc57e17bc620def784a8130c98d349054c6823d-1.13 +2015-02-09: 1.14 + - support creating signed driver updates + +2015-01-26: 1.13 - fix git2log script 2015-01-26: 1.12 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mkdud-1.13/git2log new/mkdud-1.14/git2log --- old/mkdud-1.13/git2log 2015-01-26 16:35:56.000000000 +0100 +++ new/mkdud-1.14/git2log 2015-02-09 14:13:17.000000000 +0100 
@@ -64,10 +64,16 @@ @tags = get_branch_tags; die "no tags at all?\n" unless @tags; -if(!grep { /^$branch\-/ } @tags) { - $branch = get_parent_branch; - die "sorry, can't determine branch\n" unless $branch; +if($branch ne 'master') { + if(!grep { /^$branch\-/ } @tags) { + $branch = get_parent_branch; + die "sorry, can't determine branch\n" unless $branch; + @tags = get_branch_tags; + die "no tags at all?\n" unless @tags; + } +} +else { @tags = get_branch_tags; die "no tags at all?\n" unless @tags; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mkdud-1.13/mkdud new/mkdud-1.14/mkdud --- old/mkdud-1.13/mkdud 2015-01-26 16:35:56.000000000 +0100 +++ new/mkdud-1.14/mkdud 2015-02-09 14:13:17.000000000 +0100 @@ -111,7 +111,10 @@ sub show_single_dir; sub get_service_pack; sub set_format; +sub import_sign_key; +sub sign_file; +my %config; my $opt_create; my $opt_show; my @opt_dist; @@ -126,6 +129,8 @@ my @opt_config; my @opt_condition; my $opt_format; +my $opt_sign; +my $opt_sign_key; # global variables my $dud; @@ -136,6 +141,7 @@ my $use_all_archs = 0; my $format_archive = "cpio"; my $format_compr = "gz"; +my $sign_key_dir; # linuxrc versions in service packs my $servicepack; @@ -161,6 +167,8 @@ 'may-replace-yast' => \$opt_force, 'no-docs' => \$opt_no_docs, 'keep-docs' => sub { $opt_no_docs = 0 }, + 'sign' => \$opt_sign, + 'sign-key=s' => \$opt_sign_key, 'force' => \$opt_force, 'format=s' => \$opt_format, 'save-temp' => \$opt_save_temp, @@ -182,6 +190,21 @@ @opt_arch = map { /^i.86$/ ? "i386" : $_ } @opt_arch; +if(open my $f, "$ENV{HOME}/.mkdudrc") { + while(<$f>) { + next if /^\s*#/; + if(/^\s*(\S+?)\s*=\s*(.*?)\s*$/) { + my $key = $1; + my $val = $2; + $val =~ s/^\"|\"$//g; + $config{$key} = $val; + } + } + close $f; +} + +$opt_sign_key ||= $config{'sign-key'}; + my $tmp = Tmp::new($opt_save_temp); my $tmp_dud = $tmp->dir('dud'); @@ -193,6 +216,8 @@ set_format; +import_sign_key; + if($opt_create) { file_type $_ for (@ARGV); 
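Review bot: `$branch` is interpolated unescaped into the pattern `/^$branch\-/` inside the new `if($branch ne 'master')` block, so a branch name containing regex metacharacters (a `.` or `+`, say) can match the wrong tags or fail to compile. `if(!grep { /^\Q$branch\E\-/ } @tags) {` keeps the comparison literal. The new `else` branch also repeats the `get_branch_tags` call and its `die`, which already run immediately before the `if`. That looks redundant unless `get_branch_tags` depends on state that is not visible here, so a one-line comment stating the reason would help.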
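Review bot: The rc file in the `@@ -182` hunk is opened with two-argument `open` on a path built from `$ENV{HOME}`, so the open mode is derived from the string itself, and an unset `HOME` quietly turns the path into `/.mkdudrc`. `if(defined $ENV{HOME} && open(my $f, '<', "$ENV{HOME}/.mkdudrc")) {` closes both gaps. Because the `sign-key` entry read here selects the private key used for signing, a comment should state that the file is trusted as-is: every `key = value` line is stored in `%config` without validation, and `$opt_sign_key ||= $config{'sign-key'}` applies the rc value whenever `--sign-key` is absent or empty.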
@@ -291,12 +316,12 @@ Note: if you don't set the architecture and mkdud can't find a hint in SOURCES either, an update for all supported architectures is created. - -d, --dist DIST Either an openSUSE version (e.g. 13.1) or SLE version - (e.g. sles11). - Note that 'sle11' is a short hand for specifying both - 'sles11' and 'sled11'. + -d, --dist DIST Either an openSUSE version (e.g. 13.2) or SLE version + (e.g. sles12). + Note that 'sle12' is a short hand for specifying both + 'sles12' and 'sled12'. Note also that there are no separate names for service packs. - So 'sles11-sp1' is the same as 'sles11'. But see '--condition' + So 'sles12-sp1' is the same as 'sles12'. But see '--condition' below for a way to target specific service packs. Option can be repeated to specify several distribution targets. --condition SCRIPT Run SCRIPT and apply DUD only if SCRIPT has exit status 0. @@ -332,6 +357,16 @@ --format FORMAT Specify archive format for DUD. FORMAT=(cpio|tar)[.(gz|xz)]. Default FORMAT is cpio.gz (gzip compressed cpio archive). Note: don't change the default. See README. + --sign Sign the driver update. This creates a detached signature. + --sign-key KEY_FILE Use this key for signing. Alternatively, use the + 'sign-key' entry in ~/.mkdudrc. + +Configuration file: + + \$HOME/.mkdudrc + + sign-key=KEY_FILE + File name of the private signing key. The same as the 'sign-key' option. To create a driver update you need SOURCES. SOURCES can contain: 
@@ -377,28 +412,28 @@ mkdud --show foo.dud # create update for hello.rpm - mkdud --create foo.dud --dist 13.1 hello.rpm + mkdud --create foo.dud --dist 13.2 hello.rpm # create kernel update - mkdud --create foo.dud --dist 13.1 kernel-*.rpm + mkdud --create foo.dud --dist 13.2 kernel-*.rpm # create kernel update and replace tg3 module - mkdud --create foo.dud --dist 13.1 kernel-*.rpm tg3.ko + mkdud --create foo.dud --dist 13.2 kernel-*.rpm tg3.ko # create kernel update, replace tg3 module, add some docs and give the dud a nice name - mkdud --create foo.dud --dist 13.1 --name 'for granny' kernel-*.rpm tg3.ko README + mkdud --create foo.dud --dist 13.2 --name 'for granny' kernel-*.rpm tg3.ko README # update some YaST stuff - mkdud --create foo.dud --dist 13.1 BootCommon.y* + mkdud --create foo.dud --dist 13.2 BootCommon.y* # add directory tree below 'newstuff/' to installation system - mkdud --create foo.dud --dist 13.1 newstuff + mkdud --create foo.dud --dist 13.2 newstuff # extract driver updates from ISO (you need root permissions for that) mkdud --create foo.dud xxx.iso # create update for hello.rpm and join with foo1.dud and foo2.dud - mkdud --create foo.dud --dist sle11 foo1.dud foo2.dud hello.rpm + mkdud --create foo.dud --dist sle12 foo1.dud foo2.dud hello.rpm = = = = = = = = @@ -1219,6 +1254,12 @@ system "cd $tmp_src; $cmd_archive | $compr >$tmp_archive"; system "cp $tmp_archive $file_name"; + if($opt_sign) { + sign_file $tmp_archive; + system "cp ${tmp_archive}.asc ${file_name}.asc"; + print "created detached signature ${file_name}.asc\n"; + } + return $tmp_src; } 
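Review bot: The "created detached signature" message in the `@@ -1219` hunk is printed unconditionally: neither `sign_file` nor the following `cp` is checked, and `sign_file` returns silently when `$sign_key_dir` is unset, so a run can report a signature that was never written. The README says the installer verifies the update through this `.asc` file, so the block should stop when it is missing, e.g. `die "$file_name: signing failed\n" unless -s "${tmp_archive}.asc";` right after the `sign_file` call. The `cp` call should likewise end in `== 0 or die "$file_name.asc: copy failed\n";`. The enclosing sub starts outside this hunk.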
@@ -1771,3 +1812,60 @@
 } }
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+sub import_sign_key
+{
+ return if !$opt_sign;
+
+ die "no sign key specified\n" if !$opt_sign_key;
+
+ my $gpg_dir = $tmp->dir();
+
+ my $key = $opt_sign_key;
+ $key =~ s/^~/$ENV{HOME}/;
+ die "$key: no such key file\n" unless -f $key;
+
+ my $keyid;
+ my $date;
+ my $priv;
+ my $pub;
+
+ if(open my $p, "gpg -v -v $key 2>&1 |") {
+ while(<$p>) {
+ $priv = 1 if /BEGIN PGP PRIVATE KEY BLOCK/;
+ $pub = 1 if /BEGIN PGP PUBLIC KEY BLOCK/;
+ $keyid = $1 if !$keyid && /^:signature packet:.*keyid\s+([0-9a-zA-Z]+)/;
+ $date = $1, last if !$date && $keyid && /created\s+(\d+)/;
+ }
+ close $p;
+ }
+
+ if($priv && $date) {
+ $sign_key_dir = $gpg_dir;
+
+ system "gpg --homedir=$gpg_dir --import $key >/dev/null 2>&1";
+
+ print "using signing key, keyid = $keyid\n";
+ }
+ else {
+ if($pub) {
+ die "$key: signing key is not a private key\n";
+ }
+ else {
+ die "$key: signing key not usable\n";
+ }
+ }
+}
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+sub sign_file
+{
+ my $file = $_[0];
+
+ return if !$sign_key_dir;
+
+ system "gpg --homedir=$sign_key_dir --batch --yes --armor --detach-sign $file";
+}
+
-- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
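Review bot: `$key`, `$gpg_dir` and `$file` are interpolated into shell command strings in `import_sign_key` (the `open ... |` pipe and the `--import` call) and in `sign_file`, so a key or archive path containing spaces or shell metacharacters is split or interpreted by the shell. Passing the arguments as lists avoids the shell entirely. The exit status of `gpg --import` is discarded along with its output, so a failed import still prints "using signing key" and only surfaces later, and the `--detach-sign` call is unchecked in the same way. The imported private key is placed in `$tmp->dir()`; whether that directory is private to the user and removed when `--save-temp` is set is not visible in this hunk and is worth a comment.

```perl
  # … unchanged: option checks, $gpg_dir, ~ expansion, -f test, variable declarations …

  # fork without a shell; stderr is merged in the child to keep the
  # behaviour of the original "2>&1"
  my $pid = open my $p, "-|";
  die "can't run gpg: $!\n" unless defined $pid;
  if(!$pid) {
    open STDERR, ">&", \*STDOUT;
    exec "gpg", "-v", "-v", $key;
    exit 127;
  }
  # … unchanged: packet parsing loop, close $p …

  if($priv && $date) {
    $sign_key_dir = $gpg_dir;

    # output is no longer redirected by a shell; --quiet reduces it
    system("gpg", "--homedir=$gpg_dir", "--batch", "--quiet", "--import", $key) == 0
      or die "$key: key import failed\n";
  # … unchanged: keyid message, error branches …

  # in sign_file:
  system("gpg", "--homedir=$sign_key_dir", "--batch", "--yes", "--armor", "--detach-sign", $file) == 0
    or die "$file: signing failed\n";
```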