commit pesign-obs-integration for openSUSE:Factory

Hello community, here is the log from the commit of package pesign-obs-integration for openSUSE:Factory checked in at 2014-05-02 09:51:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign-obs-integration (Old) and /work/SRC/openSUSE:Factory/.pesign-obs-integration.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign-obs-integration"
Changes:
--------
--- /work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes 2014-04-05 16:50:17.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.pesign-obs-integration.new/pesign-obs-integration.changes 2014-05-02 09:51:46.000000000 +0200
@@ -1,0 +2,27 @@
+Thu Apr 24 09:25:18 UTC 2014 - mmarek@suse.cz
+
+- Fix matching /boot and /lib/firmware in pesign-repackage.spec
+
+-------------------------------------------------------------------
+Wed Apr 23 22:28:05 UTC 2014 - mmarek@suse.com
+
+- Do not store the buildroot in the .*.hmac file.
+
+-------------------------------------------------------------------
+Wed Apr 23 21:48:04 UTC 2014 - mmarek@suse.com
+
+- Regenerate the HMAC checksum when signing and EFI binary with
+ a checksum (fate#316930, bnc#856310).
+
+-------------------------------------------------------------------
+Wed Apr 23 21:38:42 UTC 2014 - mmarek@suse.com
+
+- Update README.
+
+-------------------------------------------------------------------
+Wed Apr 23 19:49:09 UTC 2014 - mmarek@suse.cz
+
+- Add /usr/lib/rpm/pesign/gen-hmac tool to generate a hmac checksum
+ for a given file (fate#316930, bnc#856310).
+
+-------------------------------------------------------------------
New:
----
gen-hmac
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pesign-obs-integration.spec ++++++
--- /var/tmp/diff_new_pack.bLCwl1/_old 2014-05-02 09:51:47.000000000 +0200
+++ /var/tmp/diff_new_pack.bLCwl1/_new 2014-05-02 09:51:47.000000000 +0200
@@ -38,6 +38,7 @@ Source6: README Source7: kernel-sign-file Source8: modsign-repackage +Source9: gen-hmac BuildRoot: %{_tmppath}/%{name}-%{version}-build %description
@@ -54,7 +55,7 @@ mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign cd %_sourcedir -install pesign-gen-repackage-spec kernel-sign-file %buildroot/usr/lib/rpm/pesign +install pesign-gen-repackage-spec kernel-sign-file gen-hmac %buildroot/usr/lib/rpm/pesign install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm/pesign mkdir -p %buildroot/usr/bin ++++++ README ++++++ --- /var/tmp/diff_new_pack.bLCwl1/_old 2014-05-02 09:51:47.000000000 +0200 +++ /var/tmp/diff_new_pack.bLCwl1/_new 2014-05-02 09:51:47.000000000 +0200 @@ -1,9 +1,6 @@ Signing kernel modules and EFI binaries in the Open Build Service ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Note: Not everything that is described here is actually implemented. Even -those parts that are implemented can change slightly. - Packages that need to sign files during build should add the following lines to the specfile 
@@ -18,10 +15,15 @@ in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a pesign-repackage.spec file there. When the first rpmbuild finishes, the buildservice sends the cpio archive to the signing server, which returns -a rsasigned.cio archive with RSA signatures of the sha256 hashes. +a rsasigned.cpio archive with RSA signatures of the sha256 hashes. The pesign-repackage.spec takes the original RPMs, unpacks them and -appends the signatures to the files (TODO: only implemented for firmware -files). It then uses the pesign-gen-repackage-spec script to generate -another specfile, which builds new RPMs with signed files. +appends the signatures to the files. It then uses the +pesign-gen-repackage-spec script to generate another specfile, which +builds new RPMs with signed files. The supported file types are: + +/lib/firmware/* - Detached signature in $file.sig +*.ko - Signature appended to the module +efi binaries - Signature embedded in a header. If a HMAC checksum named + .$file.hmac exists, it is regenerated ++++++ gen-hmac ++++++ #!/usr/bin/perl use strict; use warnings; use Getopt::Long; my $USAGE = "Usage: $0 [-r <build root>] <file>\n"; my $buildroot = ""; GetOptions("r|root=s" => \$buildroot) or die $USAGE; if (scalar(@ARGV) != 1) { die $USAGE; } if ($buildroot) { $buildroot .= "/"; } my $fn = shift @ARGV; my $out = `sha512hmac "$buildroot$fn"`; if ($?) { exit 1; } my @t = split(" ", $out); my $hmac = $t[0]; (my $hmacfn = "$buildroot$fn") =~ s|([^/]*)$|.$1.hmac|; open(my $fd, '>', $hmacfn) or die "$0: Cannot open $hmacfn: $!\n"; print $fd "$hmac $fn\n"; close($fd); exit 0; ++++++ pesign-repackage.spec.in ++++++ --- /var/tmp/diff_new_pack.bLCwl1/_old 2014-05-02 09:51:47.000000000 +0200 +++ /var/tmp/diff_new_pack.bLCwl1/_new 2014-05-02 09:51:47.000000000 +0200 
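Review bot: In the new gen-hmac script the file name reaches a shell, because `sha512hmac "$buildroot$fn"` runs through backticks with the path interpolated into the command string, so shell metacharacters in a name are parsed by the shell instead of being passed to sha512hmac as one argument. The paths come from the package payload being re-signed, so the list form of a piped `open` is the safer way to invoke the tool. The script also uses `$t[0]` without checking that sha512hmac printed anything. `close($fd)` on the write handle is unchecked, so a failed or short write would leave a bad .hmac file while the script still exits 0.

```perl
my $fn = shift @ARGV;
# List-form pipe open: the path is handed over as a single argument, no shell.
open(my $ph, '-|', 'sha512hmac', "$buildroot$fn")
    or die "$0: Cannot run sha512hmac: $!\n";
my $out = do { local $/; <$ph> };
close($ph) or exit 1;    # non-zero exit from sha512hmac, as before
my ($hmac) = split(" ", $out);
defined $hmac or die "$0: sha512hmac produced no output for $fn\n";
# … unchanged: $hmacfn derivation and open of the output file …
print $fd "$hmac $fn\n";
close($fd) or die "$0: Cannot write $hmacfn: $!\n";
```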
@@ -102,17 +102,17 @@ certutil -N -d "$nss_db" -f "$nss_db/passwd" certutil -A -d "$nss_db" -n cert -t CT,CT,CT -i "$cert" -sigs=($(find -type f -name '*.sig')) +sigs=($(find -type f -name '*.sig' -printf '%%P\n')) for sig in "${sigs[@]}"; do f=%buildroot/${sig%.sig} - case "$sig" in + case "/$sig" in *.ko.sig) /usr/lib/rpm/pesign/kernel-sign-file -s "$sig" sha256 "$cert" "$f" ;; - ./lib/firmware/*.sig) + /lib/firmware/*.sig) /usr/lib/rpm/pesign/kernel-sign-file -f -s "$sig" sha256 "$cert" "$f" ;; - ./boot/* | *.efi.sig) + /boot/* | *.efi.sig) infile=${sig%.sig} cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs test -s ${infile}.sattrs || exit 1 @@ -125,6 +125,11 @@ echo "hash mismatch error: $ohash $nhash" exit 1 fi + # Regenerate the HMAC if it exists + hmac="${f%%/*}/.${f##*/}.hmac" + if test -e "$hmac"; then + /usr/lib/rpm/pesign/gen-hmac -r %buildroot "/${sig%.sig}" + fi ;; *) echo "Warning: unhandled signature: $sig" >&2 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
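Review bot: The rewritten `sigs=($(find ... -printf '%%P\n'))` line still fills the array through an unquoted command substitution, so a path containing whitespace or glob characters is split or expanded before the loop sees it. The `case "/$sig"` match and the `${sig%.sig}` derivations would then work on fragments of the name. Since these names come from the unpacked package payload, `mapfile -t sigs < <(find -type f -name '*.sig' -printf '%%P\n')` would keep each path as one element (names with embedded newlines aside). The context line `cpio -i --to-stdout ${infile#./}` is unquoted too, and its `#./` strip looks like a no-op now that `%P` already drops the leading `./`.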
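Review bot: The added `gen-hmac` call in the second hunk does not check its exit status, unlike the neighbouring steps (`test -s ${infile}.sattrs || exit 1` and the hash-mismatch `exit 1`). If this scriptlet does not run under `sh -e`, a failed regeneration would leave the old `.hmac` beside a binary whose contents changed when the signature was embedded, and the mismatch would only show up when the checksum is verified later. I would write `/usr/lib/rpm/pesign/gen-hmac -r %buildroot "/${sig%.sig}" || exit 1`. The enclosing `case` arm starts before this hunk, so whether `-e` is in effect is not visible here.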
root@hilbert.suse.de