forked from openSUSE/pesign-obs-integration
-
Notifications
You must be signed in to change notification settings - Fork 0
/
modsign-repackage
executable file
·172 lines (165 loc) · 4.71 KB
/
modsign-repackage
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
#!/bin/bash
# Script to sign kernel modules and create new RPM packages with these
# modules. Uses pesign-gen-repackage-spec for the repackaging.
#
# Copyright (c) 2013 SUSE Linux Products GmbH, Nuernberg, Germany.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
USAGE="$0 --key <private key> --certificate <x509 cert> rpm ..."
options=`getopt -o hk:c:s: --long help,key:,certificate:,signatures: -- "$@"`
if test $? -ne 0; then
echo "$USAGE" >&2
exit 1
fi
eval set -- "$options"
key=
cert=
sig_dir=
while :; do
case "$1" in
-k|--key)
key=$2
shift 2
;;
-c|--certificate)
cert=$2
shift 2
;;
-s|--signatures)
sig_dir=$2
shift 2
;;
-h|--help)
echo "$USAGE"
exit
;;
--)
shift
break
esac
done
err=
if test -n "$key" -a -n "$sig_dir"; then
err="Cannot use both --key and --signatures"
elif test -z "$key" -a -z "$sig_dir"; then
err="Please specify either --key or --signatures"
elif test -z "$cert"; then
err="Please specify --certificate"
elif test "$#" -eq 0; then
err="No packages specified"
fi
if test -n "$err"; then
echo "$0: $err" >&2
echo "$USAGE" >&2
exit 1
fi
workdir="$PWD/rpm-files.$$"
buildroot="$workdir/buildroot"
rpmdir=RPMS
srpmdir=SRPMS
disturl=
rpms=()
rm -rf "$workdir"
mkdir "$workdir" || exit
mkdir -p "$rpmdir" "$srpmdir" || exit
mkdir "$buildroot"
echo "Unpacking original RPMs..."
for rpm; do
# XXX: Use a common script in pesign-repackage.spec.in and here
case "$rpm" in
*.src.rpm | *.nosrc.rpm)
cp "$rpm" "$srpmdir/"
continue
;;
# Do not repackage debuginfo packages (bnc#806637)
*-debuginfo-*.rpm | *-debugsource-*.rpm)
dir="$rpmdir/$(rpm -qp --qf '%{arch}' "$rpm")"
mkdir -p "$dir"
cp "$rpm" "$dir"
continue
;;
esac
# do not repackage baselibs packages
# FIXME: needs more generic test (if architecture has different
# bitness => skip)
case "$(rpm -qp --qf '%{name}/%{arch}' "$rpm")" in
*-32bit/x86_64 | *-32bit/s390x | *-32bit/ppc64 | \
*-64bit/ppc | *-x86/ia64 | *-64bit/aarch64_ilp32)
mkdir -p "$rpmdir/$(rpm -qp --qf '%{arch}')/"
cp "$rpm" "$_"
continue
esac
rpm2cpio "$rpm" | (cd "$buildroot"; cpio -idm --quiet) || exit
d=$(rpm -qp --qf '%{disturl}' "$rpm")
if test -z "$disturl"; then
disturl=$d
fi
if test "$disturl" != "$d"; then
echo "Error: packages have different disturl: $d vs $disturl"
exit 1
fi
rpms=("${rpms[@]}" "$rpm")
done
set -e
echo "Signing kernel modules..."
if test ! -e "$cert.pub"; then
openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
fi
for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do
if test -n "$key"; then
/usr/lib/rpm/pesign/kernel-sign-file \
-i pkcs7 sha256 "$key" "$cert" "$buildroot/$module"
else
raw_sig="$sig_dir/$module.sig"
if test ! -e "$raw_sig"; then
echo "$module.sig not found in $sig_dir" >&2
exit 1
fi
ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$raw_sig" 2>&1 | grep -i error)
if [ -n "$ver_err" ]; then
echo "$raw_sig signature can not be decrypted by $cert" >&2
exit 1
fi
/usr/lib/rpm/pesign/kernel-sign-file \
-i pkcs7 -s "$raw_sig" sha256 "$cert" "$buildroot/$module"
fi
done
rm "$cert.pub"
# Add the certificate
mkdir -p "$buildroot/etc/uefi/certs"
h=$(openssl x509 -inform DER -fingerprint -noout -in "$cert")
filename=/etc/uefi/certs/$(echo "$h" | \
sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt
cp "$cert" "$buildroot/$filename"
echo "Generating new specfile..."
if ! test -e /usr/lib/rpm/kernel-cert-subpackage; then
echo "/usr/lib/rpm/kernel-cert-subpackage missing" >&2
echo "please install the kernel-source package" >&2
exit 1
fi
/usr/lib/rpm/pesign/pesign-gen-repackage-spec \
--cert-subpackage=/usr/lib/rpm/kernel-cert-subpackage \
--directory="$buildroot" --output="$workdir" "${rpms[@]}"
echo "Running rpmbuild..."
rpmbuild --define "buildroot $buildroot" --define "disturl $disturl" \
--define "_builddir $workdir" \
--define "_suse_insert_debug_package %{nil}" \
--define "_rpmdir $rpmdir" \
-bb "$workdir/repackage.spec" >"$workdir/log" 2>&1
grep 'RPMS/.*\.rpm$' "$workdir/log"
echo "Cleaning up $workdir..."
rm -r "$workdir"
echo "Done."
exit 0