Hello community,

here is the log from the commit of package sbsigntools for openSUSE:Factory 
checked in at 2021-04-29 22:46:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sbsigntools (Old)
 and      /work/SRC/openSUSE:Factory/.sbsigntools.new.1947 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sbsigntools"

Thu Apr 29 22:46:29 2021 rev:2 rq:889228 version:0.9.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/sbsigntools/sbsigntools.changes  2020-06-11 
14:48:43.574091435 +0200
+++ /work/SRC/openSUSE:Factory/.sbsigntools.new.1947/sbsigntools.changes        
2021-04-29 22:53:03.393986340 +0200
@@ -1,0 +2,12 @@
+Wed Apr 28 16:11:39 UTC 2021 - r...@fthiessen.de
+
+- Update to version 0.9.4:
+  * docs: add man page for sbkeysync
+  * Fix errors on 32 bit
+  * sbverify: refer to unused function
+  * sbvarsign: remove unused global variable
+  * Fix some openssl 1.1.0 deprecated functions
+  * sbverify: fix verification with intermediate certificates
+  * sbsign: allow for adding intermediate certificates
+
+-------------------------------------------------------------------

Old:
----
  sbsigntools-0.9.3.tar.gz

New:
----
  sbsigntools-0.9.4.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sbsigntools.spec ++++++
--- /var/tmp/diff_new_pack.9ozyqV/_old  2021-04-29 22:53:03.869984221 +0200
+++ /var/tmp/diff_new_pack.9ozyqV/_new  2021-04-29 22:53:03.873984202 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package sbsigntools
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 Name:           sbsigntools
 Summary:        Canonical EFI binary signing tools
 License:        GPL-3.0-only
-Version:        0.9.3
+Version:        0.9.4
 Release:        0
 URL:            
http://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
 Source:         %{name}-%{version}.tar.gz
@@ -56,7 +56,6 @@
 %make_install
 
 %files 
-%defattr(-,root,root,-)
 %license COPYING
 %{_bindir}/*
 %{_mandir}/man1/*

++++++ _service ++++++
--- /var/tmp/diff_new_pack.9ozyqV/_old  2021-04-29 22:53:03.909984042 +0200
+++ /var/tmp/diff_new_pack.9ozyqV/_new  2021-04-29 22:53:03.909984042 +0200
@@ -2,8 +2,8 @@
   <service name="tar_scm" mode="disabled">
     <param name="scm">git</param>
     <param 
name="url">git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git</param>
-    <param name="revision">refs/tags/v0.9.3</param>
-    <param name="version">0.9.3</param>
+    <param name="revision">refs/tags/v0.9.4</param>
+    <param name="version">0.9.4</param>
     <param name="submodules">enable</param>
     <param name="changesgenerate">enable</param>
   </service>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.9ozyqV/_old  2021-04-29 22:53:03.925983971 +0200
+++ /var/tmp/diff_new_pack.9ozyqV/_new  2021-04-29 22:53:03.929983953 +0200
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git</param>
-              <param 
name="changesrevision">fe88da5f66241d959b7aeca7502d401ad88df410</param></service></servicedata>
\ No newline at end of file
+              <param 
name="changesrevision">d52f7bbb73401aab8a1d59e8d0d686ad9641035e</param></service></servicedata>
\ No newline at end of file

++++++ sbsigntools-0.9.3.tar.gz -> sbsigntools-0.9.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/configure.ac 
new/sbsigntools-0.9.4/configure.ac
--- old/sbsigntools-0.9.3/configure.ac  2020-01-09 18:33:38.000000000 +0100
+++ new/sbsigntools-0.9.4/configure.ac  2020-06-12 01:32:13.000000000 +0200
@@ -1,4 +1,4 @@
-AC_INIT([sbsigntool], [0.9.3], [james.bottom...@hansenpartnership.com])
+AC_INIT([sbsigntool], [0.9.4], [james.bottom...@hansenpartnership.com])
 
 AM_INIT_AUTOMAKE()
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/docs/Makefile.am 
new/sbsigntools-0.9.4/docs/Makefile.am
--- old/sbsigntools-0.9.3/docs/Makefile.am      2020-01-09 18:33:38.000000000 
+0100
+++ new/sbsigntools-0.9.4/docs/Makefile.am      2020-06-12 01:32:13.000000000 
+0200
@@ -1,8 +1,9 @@
 
-man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1
+man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 \
+               sbkeysync.1
 
 EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
-               sbvarsign.1.in sbsiglist.1.in
+               sbvarsign.1.in sbsiglist.1.in sbkeysync.1.in
 CLEANFILES = $(man1_MANS)
 
 $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/docs/sbkeysync.1.in 
new/sbsigntools-0.9.4/docs/sbkeysync.1.in
--- old/sbsigntools-0.9.3/docs/sbkeysync.1.in   1970-01-01 01:00:00.000000000 
+0100
+++ new/sbsigntools-0.9.4/docs/sbkeysync.1.in   2020-06-12 01:32:13.000000000 
+0200
@@ -0,0 +1,2 @@
+[name]
+sbkeysync - UEFI secure boot key synchronization tool
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/src/Makefile.am 
new/sbsigntools-0.9.4/src/Makefile.am
--- old/sbsigntools-0.9.3/src/Makefile.am       2020-01-09 18:33:38.000000000 
+0100
+++ new/sbsigntools-0.9.4/src/Makefile.am       2020-06-12 01:32:13.000000000 
+0200
@@ -7,7 +7,7 @@
 common_SOURCES = idc.c idc.h image.c image.h fileio.c fileio.h \
        efivars.h $(coff_headers)
 common_LDADD = ../lib/ccan/libccan.a $(libcrypto_LIBS)
-common_CFLAGS = -I$(top_srcdir)/lib/ccan/
+common_CFLAGS = -I$(top_srcdir)/lib/ccan/ -Werror
 
 sbsign_SOURCES = sbsign.c $(common_SOURCES)
 sbsign_LDADD = $(common_LDADD)
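Review bot: `-Werror` is hard-coded into `common_CFLAGS`, so any warning a newer compiler or OpenSSL header introduces becomes a build failure for everyone building the tarball, not just the developer. This release itself still calls `ERR_load_crypto_strings`, `OpenSSL_add_all_digests` and `ERR_load_BIO_strings`, which OpenSSL 3.0 marks deprecated, so against that header the default deprecation warning alone would stop the build. Make it opt-in instead: keep `common_CFLAGS = -I$(top_srcdir)/lib/ccan/` and add the flag from configure behind an option (for example an `--enable-werror` that appends to `AM_CFLAGS`), or leave it to `CFLAGS=-Werror` at configure time.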
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/src/idc.c 
new/sbsigntools-0.9.4/src/idc.c
--- old/sbsigntools-0.9.3/src/idc.c     2020-01-09 18:33:38.000000000 +0100
+++ new/sbsigntools-0.9.4/src/idc.c     2020-06-12 01:32:13.000000000 +0200
@@ -238,7 +238,11 @@
 
        /* extract the idc from the signed PKCS7 'other' data */
        str = p7->d.sign->contents->d.other->value.asn1_string;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        idcbuf = buf = ASN1_STRING_data(str);
+#else
+       idcbuf = buf = ASN1_STRING_get0_data(str);
+#endif
        idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
 
        /* If we were passed a BIO, write the idc data, minus type and length,
@@ -289,7 +293,11 @@
        }
 
        /* check hash against the one we calculated from the image */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        buf = ASN1_STRING_data(str);
+#else
+       buf = ASN1_STRING_get0_data(str);
+#endif
        if (memcmp(buf, sha, sizeof(sha))) {
                fprintf(stderr, "Hash doesn't match image\n");
                fprintf(stderr, " got:       %s\n", sha256_str(buf));
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/src/sbattach.c 
new/sbsigntools-0.9.4/src/sbattach.c
--- old/sbsigntools-0.9.3/src/sbattach.c        2020-01-09 18:33:38.000000000 
+0100
+++ new/sbsigntools-0.9.4/src/sbattach.c        2020-06-12 01:32:13.000000000 
+0200
@@ -233,7 +233,11 @@
 
        ERR_load_crypto_strings();
        OpenSSL_add_all_digests();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        OPENSSL_config(NULL);
+#else
+       OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
        /* here we may get highly unlikely failures or we'll get a
         * complaint about FIPS signatures (usually becuase the FIPS
         * module isn't present).  In either case ignore the errors
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/src/sbkeysync.c 
new/sbsigntools-0.9.4/src/sbkeysync.c
--- old/sbsigntools-0.9.3/src/sbkeysync.c       2020-01-09 18:33:38.000000000 
+0100
+++ new/sbsigntools-0.9.4/src/sbkeysync.c       2020-06-12 01:32:13.000000000 
+0200
@@ -54,9 +54,11 @@
 #include "fileio.h"
 #include "efivars.h"
 
+static struct statfs statfstype;
+
 #define EFIVARS_MOUNTPOINT     "/sys/firmware/efi/efivars"
-#define PSTORE_FSTYPE          0x6165676C
-#define EFIVARS_FSTYPE         0xde5e81e4
+#define PSTORE_FSTYPE          ((typeof(statfstype.f_type))0x6165676C)
+#define EFIVARS_FSTYPE         ((typeof(statfstype.f_type))0xde5e81e4)
 
 #define EFI_IMAGE_SECURITY_DATABASE_GUID \
        { 0xd719b2cb, 0x3d3a, 0x4596, \
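Review bot: The casts on `PSTORE_FSTYPE` and `EFIVARS_FSTYPE` carry no comment, and `statfstype` exists only to feed `typeof`, which a reader will take for an unused global. The changelog entry "Fix errors on 32 bit" suggests `f_type` is a narrower and/or signed type on some 32-bit targets, so an unsuffixed `0xde5e81e4` is compared in the wrong type — if that is the reason, state it: `/* f_type's type varies by arch (signed on some 32-bit ABIs); cast the magic so the comparison happens in f_type's own type */`. The storage object can be avoided with `typeof(((struct statfs *)0)->f_type)`, which makes the intent visible without defining a symbol.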
@@ -208,7 +210,11 @@
                goto out;
 
        key->id_len = ASN1_STRING_length(serial);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+#else
+       key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), 
key->id_len);
+#endif
 
        key->description = talloc_array(key, char, description_len);
        X509_NAME_oneline(X509_get_subject_name(x509),
@@ -930,7 +936,11 @@
        ERR_load_crypto_strings();
        OpenSSL_add_all_digests();
        OpenSSL_add_all_ciphers();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        OPENSSL_config(NULL);
+#else
+       OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
        /* here we may get highly unlikely failures or we'll get a
         * complaint about FIPS signatures (usually becuase the FIPS
         * module isn't present).  In either case ignore the errors
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/src/sbsign.c 
new/sbsigntools-0.9.4/src/sbsign.c
--- old/sbsigntools-0.9.3/src/sbsign.c  2020-01-09 18:33:38.000000000 +0100
+++ new/sbsigntools-0.9.4/src/sbsign.c  2020-06-12 01:32:13.000000000 +0200
@@ -49,6 +49,8 @@
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
+#include <openssl/bio.h>
+#include <openssl/x509.h>
 
 #include <ccan/talloc/talloc.h>
 
@@ -75,6 +77,7 @@
        { "help", no_argument, NULL, 'h' },
        { "version", no_argument, NULL, 'V' },
        { "engine", required_argument, NULL, 'e'},
+       { "addcert", required_argument, NULL, 'a'},
        { NULL, 0, NULL, 0 },
 };
 
@@ -88,6 +91,7 @@
                "\t--key <keyfile>    signing key (PEM-encoded RSA "
                                                "private key)\n"
                "\t--cert <certfile>  certificate (x509 certificate)\n"
+               "\t--addcert <addcertfile> additional intermediate certificates 
in a file\n"
                "\t--detached         write a detached signature, instead of\n"
                "\t                    a signed binary\n"
                "\t--output <file>    write signed data to <file>\n"
@@ -112,9 +116,43 @@
                        ctx->infilename, extension);
 }
 
+static int add_intermediate_certs(PKCS7 *p7, const char *filename)
+{
+       STACK_OF(X509_INFO) *certs;
+       X509_INFO *cert;
+       BIO *bio = NULL;
+       int i;
+
+       bio = BIO_new(BIO_s_file());
+       if (!bio || BIO_read_filename(bio, filename) <=0) {
+               fprintf(stderr,
+                       "error in reading intermediate certificates file\n");
+               ERR_print_errors_fp(stderr);
+               return -1;
+       }
+
+       certs = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
+       if (!certs) {
+               fprintf(stderr,
+                       "error in parsing intermediate certificates file\n");
+               ERR_print_errors_fp(stderr);
+               return -1;
+       }
+
+       for (i = 0; i < sk_X509_INFO_num(certs); i++) {
+               cert = sk_X509_INFO_value(certs, i);
+               PKCS7_add_certificate(p7, cert->x509);
+       }
+
+       sk_X509_INFO_pop_free(certs, X509_INFO_free);
+       BIO_free_all(bio);
+
+       return 0;
+}
+
 int main(int argc, char **argv)
 {
-       const char *keyfilename, *certfilename, *engine;
+       const char *keyfilename, *certfilename, *addcertfilename, *engine;
        struct sign_context *ctx;
        uint8_t *buf, *tmp;
        int rc, c, sigsize;
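Review bot: `add_intermediate_certs` leaks `bio` on both error paths — when `BIO_read_filename` fails the BIO returned by `BIO_new` is never freed, and when `PEM_X509_INFO_read_bio` returns NULL the function returns before `BIO_free_all`. The loop also hands `cert->x509` to `PKCS7_add_certificate` unconditionally, yet `PEM_X509_INFO_read_bio` yields one `X509_INFO` per PEM object and a non-certificate object (a key or CRL in the same file) leaves `x509` NULL, so such a file would be passed through to OpenSSL as a NULL certificate; the return value of `PKCS7_add_certificate` is not checked either, so a failed push would still report success and produce a signature without the intermediate. The usage line in the earlier hunk should also say the file is PEM, since that is the only format this parser reads. A single cleanup path covers all of it:
```c
static int add_intermediate_certs(PKCS7 *p7, const char *filename)
{
	STACK_OF(X509_INFO) *certs = NULL;
	X509_INFO *cert;
	BIO *bio = NULL;
	int i, rc = -1;

	bio = BIO_new(BIO_s_file());
	if (!bio || BIO_read_filename(bio, filename) <= 0) {
		/* … unchanged: "error in reading" message … */
		goto out;
	}

	certs = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
	if (!certs) {
		/* … unchanged: "error in parsing" message … */
		goto out;
	}

	for (i = 0; i < sk_X509_INFO_num(certs); i++) {
		cert = sk_X509_INFO_value(certs, i);
		/* PEM objects that are not certificates (keys, CRLs) carry no x509 */
		if (!cert->x509)
			continue;
		if (!PKCS7_add_certificate(p7, cert->x509)) {
			fprintf(stderr, "error adding intermediate certificate\n");
			ERR_print_errors_fp(stderr);
			goto out;
		}
	}
	rc = 0;

out:
	/* both accept NULL, so the error paths share this cleanup */
	sk_X509_INFO_pop_free(certs, X509_INFO_free);
	BIO_free_all(bio);
	return rc;
}
```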
@@ -124,11 +162,12 @@
 
        keyfilename = NULL;
        certfilename = NULL;
+       addcertfilename = NULL;
        engine = NULL;
 
        for (;;) {
                int idx;
-               c = getopt_long(argc, argv, "o:c:k:dvVhe:", options, &idx);
+               c = getopt_long(argc, argv, "o:c:k:dvVhe:a:", options, &idx);
                if (c == -1)
                        break;
 
@@ -157,6 +196,9 @@
                case 'e':
                        engine = optarg;
                        break;
+               case 'a':
+                       addcertfilename = optarg;
+                       break;
                }
        }
 
@@ -189,9 +231,14 @@
        talloc_steal(ctx, ctx->image);
 
        ERR_load_crypto_strings();
+       ERR_load_BIO_strings();
        OpenSSL_add_all_digests();
        OpenSSL_add_all_ciphers();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        OPENSSL_config(NULL);
+#else
+       OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
        /* here we may get highly unlikely failures or we'll get a
         * complaint about FIPS signatures (usually becuase the FIPS
         * module isn't present).  In either case ignore the errors
@@ -228,6 +275,9 @@
        if (rc)
                return EXIT_FAILURE;
 
+       if (addcertfilename && add_intermediate_certs(p7, addcertfilename))
+               return EXIT_FAILURE;
+
        sigsize = i2d_PKCS7(p7, NULL);
        tmp = buf = talloc_array(ctx->image, uint8_t, sigsize);
        i2d_PKCS7(p7, &tmp);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/src/sbvarsign.c 
new/sbsigntools-0.9.4/src/sbvarsign.c
--- old/sbsigntools-0.9.3/src/sbvarsign.c       2020-01-09 18:33:38.000000000 
+0100
+++ new/sbsigntools-0.9.4/src/sbvarsign.c       2020-06-12 01:32:13.000000000 
+0200
@@ -105,7 +105,6 @@
 static uint32_t attr_invalid = 0xffffffffu;
 static const char *attr_prefix = "EFI_VARIABLE_";
 
-static const EFI_GUID default_guid = EFI_GLOBAL_VARIABLE;
 static const EFI_GUID cert_pkcs7_guid = EFI_CERT_TYPE_PKCS7_GUID;
 
 static void set_default_outfilename(struct varsign_context *ctx)
@@ -333,7 +332,7 @@
                printf("Wrote signed data:\n");
                if (include_attrs) {
                        i = sizeof(ctx->var_attrs);
-                       printf("  [%04zx:%04zx] attrs\n", 0l, i);
+                       printf("  [%04lx:%04zx] attrs\n", 0l, i);
                }
 
                printf("  [%04zx:%04x] authentication descriptor\n",
@@ -513,7 +512,11 @@
        OpenSSL_add_all_digests();
        OpenSSL_add_all_ciphers();
        ERR_load_crypto_strings();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        OPENSSL_config(NULL);
+#else
+       OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
        /* here we may get highly unlikely failures or we'll get a
         * complaint about FIPS signatures (usually becuase the FIPS
         * module isn't present).  In either case ignore the errors
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/src/sbverify.c 
new/sbsigntools-0.9.4/src/sbverify.c
--- old/sbsigntools-0.9.3/src/sbverify.c        2020-01-09 18:33:38.000000000 
+0100
+++ new/sbsigntools-0.9.4/src/sbverify.c        2020-06-12 01:32:13.000000000 
+0200
@@ -210,8 +210,7 @@
                        == XKU_CODE_SIGN)
                status = 1;
 
-       else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
-                err == X509_V_ERR_CERT_UNTRUSTED ||
+       else if (err == X509_V_ERR_CERT_UNTRUSTED ||
                 err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
                 err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
                /* all certs given with the --cert argument are trusted */
@@ -221,6 +220,7 @@
        } else if (err == X509_V_ERR_CERT_HAS_EXPIRED ||
                   err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
                   err == X509_V_ERR_CERT_NOT_YET_VALID ||
+                  err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
                   err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)
                /* UEFI explicitly allows expired certificates */
                status = 1;
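Review bot: `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` now sits under the comment `/* UEFI explicitly allows expired certificates */`, which no longer describes the branch — that error is about a chain that cannot be completed from the store, not validity dates, and it was moved here from the `--cert`-trusted branch in the preceding hunk. What distinguishes the two branches is in the first branch's body, which lies between the hunks and is not visible here, so the reason this error must be accepted from this branch and not the other should be written next to it, e.g. `/* chain could not be completed from the store: accept the callback but, unlike above, leave the error set */` — only if that is in fact what the first branch does. For a verification tool an unconditional `status = 1` on a chain-building error is the line a later reader will question, and the negative cases added in tests/sign-verify.sh (`--cert "$cacert" ... && exit 1`) are what pin the intended behaviour down, so pointing to them from the comment is worth the extra line.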
@@ -239,7 +239,7 @@
        uint8_t *sig_buf;
        size_t sig_size;
        struct idc *idc;
-       bool verbose;
+       int verbose;
        BIO *idcbio;
        PKCS7 *p7;
        int sig_count = 0;
@@ -247,12 +247,16 @@
        status = VERIFY_FAIL;
        certs = X509_STORE_new();
        list = 0;
-       verbose = false;
+       verbose = 0;
        detached_sig_filename = NULL;
 
        OpenSSL_add_all_digests();
        ERR_load_crypto_strings();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        OPENSSL_config(NULL);
+#else
+       OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
+#endif
        /* here we may get highly unlikely failures or we'll get a
         * complaint about FIPS signatures (usually becuase the FIPS
         * module isn't present).  In either case ignore the errors
@@ -278,7 +282,7 @@
                        list = 1;
                        break;
                case 'v':
-                       verbose = true;
+                       verbose++;
                        break;
                case 'V':
                        version();
@@ -333,7 +337,8 @@
 
                if (verbose || list) {
                        print_signature_info(p7);
-                       //print_certificate_store_certs(certs);
+                       if (verbose > 1)
+                               print_certificate_store_certs(certs);
                }
 
                if (list)
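Review bot: `-v` is now a counter and a second `-v` enables `print_certificate_store_certs`, but nothing in this diff touches sbverify's usage text, so the second level is undocumented unless the help already says so. Add it to the option's help line (for example `verbose output; give twice to also list the certificate store`) and a one-line comment at the new test: `/* -v -v: also dump the trusted store */`.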
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/tests/Makefile.am 
new/sbsigntools-0.9.4/tests/Makefile.am
--- old/sbsigntools-0.9.3/tests/Makefile.am     2020-01-09 18:33:38.000000000 
+0100
+++ new/sbsigntools-0.9.4/tests/Makefile.am     2020-06-12 01:32:13.000000000 
+0200
@@ -3,6 +3,10 @@
 
 test_key = private-key.rsa
 test_cert = public-cert.pem
+ca_key = ca-key.ec
+ca_cert = ca-cert.pem
+int_key = int-key.ec
+int_cert = int-cert.pem
 test_arches = $(EFI_ARCH)
 
 check_PROGRAMS = test.pecoff
@@ -31,11 +35,25 @@
 
 AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
 
-$(test_key): Makefile
+%.rsa: Makefile
        openssl genrsa -out $@ 2048
 
-$(test_cert): $(test_key) Makefile
-       openssl req -x509 -sha256 -subj '/' -new -key $< -out $@
+%.ec: Makefile
+       openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 
-out $@
+
+$(ca_cert): $(ca_key) Makefile
+       openssl req -x509 -days 1 -sha256 -subj '/CN=CA Key/' -new -key $< -out 
$@
+
+$(int_cert): $(int_key) $(ca_cert) Makefile
+       openssl req -new -subj '/CN=Intermediate Certificate/' -key $< -out 
tmp.req
+       echo -e "[ca]\nbasicConstraints = critical, CA:true\n" > ca.cnf
+       openssl x509 -req -sha256 -CA $(ca_cert) -CAkey $(ca_key) -in tmp.req 
-set_serial 1 -days 1 -extfile ca.cnf -extensions ca -out $@
+       -rm -f tmp.req ca.cnf
+
+$(test_cert): $(test_key) $(int_cert) Makefile
+       openssl req -new -subj '/CN=Signer Certificate/' -key $< -out tmp.req
+       openssl x509 -req -sha256 -CA $(int_cert) -CAkey $(int_key) -in tmp.req 
-set_serial 1 -days 1 -out $@
+       -rm -f tmp.req
 
 TESTS = sign-verify.sh \
        sign-verify-detached.sh \
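Review bot: `echo -e` in the `$(int_cert)` recipe is not portable: automake runs recipes under `$(SHELL)`, normally /bin/sh, and on shells such as dash `echo` has no `-e` flag and prints it literally, so ca.cnf starts with `-e [ca]` and `openssl x509 ... -extensions ca` cannot find the section. Use `printf '[ca]\nbasicConstraints = critical, CA:true\n' > ca.cnf` instead. The `-` prefix on `-rm -f tmp.req ca.cnf` is redundant because `rm -f` already does not fail on a missing file, and the two recipes share the fixed names `tmp.req` and `ca.cnf` — serialized today only because `$(test_cert)` depends on `$(int_cert)`; deriving them from `$@` (`$@.req`) keeps that safe under `-j` if another certificate is added later.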
@@ -65,4 +83,5 @@
 SH_LOG_COMPILER = $(srcdir)/test-wrapper.sh
 
 EXTRA_DIST = test.S $(TESTS) $(check_SCRIPTS)
-CLEANFILES = $(test_key) $(test_cert)
+CLEANFILES = $(test_key) $(test_cert) $(int_key) $(int_cert) $(ca_key) \
+       $(ca_cert)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/tests/sign-attach-verify.sh 
new/sbsigntools-0.9.4/tests/sign-attach-verify.sh
--- old/sbsigntools-0.9.3/tests/sign-attach-verify.sh   2020-01-09 
18:33:38.000000000 +0100
+++ new/sbsigntools-0.9.4/tests/sign-attach-verify.sh   2020-06-12 
01:32:13.000000000 +0200
@@ -3,7 +3,19 @@
 sig="test.sig"
 signed="test.signed"
 
-"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image"
-cp "$image" "$signed"
-"$sbattach" --attach "$sig" "$signed"
-"$sbverify" --cert "$cert" "$signed"
+"$sbsign" --cert "$cert" --key "$key" --detached --output "$sig" "$image" || 
exit 1
+cp "$image" "$signed" || exit 1
+"$sbattach" --attach "$sig" "$signed" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+# there's no intermediate cert in the image so it can't chain to the ca which
+# is why this should fail
+"$sbverify" --cert "$cacert" "$signed" && exit 1
+
+# now add intermediates
+"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output 
"$sig" "$image" || exit 1
+cp "$image" "$signed" || exit 1
+"$sbattach" --attach "$sig" "$signed" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+"$sbverify" --cert "$cacert" "$signed" || exit 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/tests/sign-verify-detached.sh 
new/sbsigntools-0.9.4/tests/sign-verify-detached.sh
--- old/sbsigntools-0.9.3/tests/sign-verify-detached.sh 2020-01-09 
18:33:38.000000000 +0100
+++ new/sbsigntools-0.9.4/tests/sign-verify-detached.sh 2020-06-12 
01:32:13.000000000 +0200
@@ -2,5 +2,16 @@
 
 sig="test.sig"
 
-"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image"
-"$sbverify" --cert "$cert" --detached $sig "$image"
+"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image" || 
exit 1
+"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
+"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
+# should fail because no intermediate
+"$sbverify" --cert "$cacert" --detached $sig "$image" && exit 1
+
+# now make sure everything succeeds with the intermediate added
+"$sbsign" --cert "$cert" --key "$key" --addcert "$intcert" --detached --output 
$sig "$image" || exit 1
+"$sbverify" --cert "$cert" --detached $sig "$image" || exit 1
+"$sbverify" --cert "$intcert" --detached $sig "$image" || exit 1
+"$sbverify" --cert "$cacert" --detached $sig "$image" || exit 1
+
+exit 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/tests/sign-verify.sh 
new/sbsigntools-0.9.4/tests/sign-verify.sh
--- old/sbsigntools-0.9.3/tests/sign-verify.sh  2020-01-09 18:33:38.000000000 
+0100
+++ new/sbsigntools-0.9.4/tests/sign-verify.sh  2020-06-12 01:32:13.000000000 
+0200
@@ -2,5 +2,16 @@
 
 signed="test.signed"
 
-"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image"
-"$sbverify" --cert "$cert" "$signed"
+"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+# there's no intermediate cert in the image so it can't chain to the ca which
+# is why this should fail
+"$sbverify" --cert "$cacert" "$signed" && exit 1
+
+# now add the intermediates and each level should succeed
+"$sbsign" --cert "$cert" --addcert "$intcert" --key "$key" --output "$signed" 
"$image" || exit 1
+"$sbverify" --cert "$cert" "$signed" || exit 1
+"$sbverify" --cert "$intcert" "$signed" || exit 1
+"$sbverify" --cert "$cacert" "$signed" || exit 1
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sbsigntools-0.9.3/tests/test-wrapper.sh 
new/sbsigntools-0.9.4/tests/test-wrapper.sh
--- old/sbsigntools-0.9.3/tests/test-wrapper.sh 2020-01-09 18:33:38.000000000 
+0100
+++ new/sbsigntools-0.9.4/tests/test-wrapper.sh 2020-06-12 01:32:13.000000000 
+0200
@@ -11,8 +11,12 @@
 
 key="$datadir/private-key.rsa"
 cert="$datadir/public-cert.pem"
+intkey="$datadir/int-key.ec"
+intcert="$datadir/int-cert.pem"
+cakey="$datadir/ca-key.ec"
+cacert="$datadir/ca-cert.pem"
 
-export basedir datadir bindir sbsign sbverify sbattach key cert
+export basedir datadir bindir sbsign sbverify sbattach key cert intkey intcert 
cakey cacert
 
 # 'test' needs to be an absolute path, as we will cd to a temporary
 # directory before running the test
