Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package pesign-obs-integration for
openSUSE:Factory checked in at 2026-05-08 16:41:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign-obs-integration (Old)
and /work/SRC/openSUSE:Factory/.pesign-obs-integration.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign-obs-integration"
Fri May 8 16:41:59 2026 rev:65 rq:1351396 version:10.2+git20260506.67eda76
Changes:
--------
---
/work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes
2026-04-18 21:32:05.715115003 +0200
+++
/work/SRC/openSUSE:Factory/.pesign-obs-integration.new.1966/pesign-obs-integration.changes
2026-05-08 16:42:01.948856512 +0200
@@ -1,0 +2,10 @@
+Wed May 06 08:31:26 UTC 2026 - [email protected]
+
+- Update to version 10.2+git20260506.67eda76:
+ * modsign-repackage: The input raw signature should be a PKCS#7 packet
+ * modsign-repackage: Handle RemovePathPostfixes
+ * Handle RemovePathPostFixes on build services
+ * brp-99-pesign: Extract and transfer RemovePathPostFixes information
+ * debian: skip shellcheck on i386
+
+-------------------------------------------------------------------
Old:
----
pesign-obs-integration-10.2+git20260409.5b7f1bb.obscpio
New:
----
pesign-obs-integration-10.2+git20260506.67eda76.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pesign-obs-integration.spec ++++++
--- /var/tmp/diff_new_pack.jYSj5U/_old 2026-05-08 16:42:04.264952489 +0200
+++ /var/tmp/diff_new_pack.jYSj5U/_new 2026-05-08 16:42:04.276952987 +0200
@@ -22,7 +22,7 @@
%endif
Name: pesign-obs-integration
-Version: 10.2+git20260409.5b7f1bb
+Version: 10.2+git20260506.67eda76
Release: 0
Summary: Macros and scripts to sign the kernel and bootloader
License: GPL-2.0-or-later
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.jYSj5U/_old 2026-05-08 16:42:04.672969397 +0200
+++ /var/tmp/diff_new_pack.jYSj5U/_new 2026-05-08 16:42:04.708970889 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
- <param
name="changesrevision">5b7f1bb5c9649945e4951c072addc492acbfc2dc</param></service></servicedata>
+ <param
name="changesrevision">626534cdcd41806bee2fa31c551b9221ea983df0</param></service></servicedata>
(No newline at EOF)
++++++ pesign-obs-integration-10.2+git20260409.5b7f1bb.obscpio ->
pesign-obs-integration-10.2+git20260506.67eda76.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20260409.5b7f1bb/brp-99-pesign
new/pesign-obs-integration-10.2+git20260506.67eda76/brp-99-pesign
--- old/pesign-obs-integration-10.2+git20260409.5b7f1bb/brp-99-pesign
2026-04-09 03:59:01.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20260506.67eda76/brp-99-pesign
2026-05-06 08:31:23.000000000 +0200
@@ -66,6 +66,82 @@
exit 0
fi
+# Handing RemovePathPostFixes
+# Scanning for spec files and parsing package/subpackage names,
RemovePathPostFixes
+# Producing pkg_name:RemovePathPostFixes_suffix mapping string for later usage
+SOURCE_DIR=$(rpm --eval '%{_sourcedir}')
+SPEC_LIST=$(find "$SOURCE_DIR" -maxdepth 1 -name "*.spec" 2>/dev/null || :)
+if [ -z "$SPEC_LIST" ]; then
+ # If can not find any spec in _sourcedir, fallback here
+ SPEC_LIST=$(find ../../../rpmbuild/SOURCES -maxdepth 1 -name "*.spec"
2>/dev/null || :)
+fi
+# pkg_name:rpp_suffix mapping string: "pkg-A:.suffixA pkg-B:.suffixB"
+POSTFIX_MAP_STR=""
+if [ -z "$SPEC_LIST" ]; then
+ echo "No spec files found. RemovePaathPostFixes mapping failed."
+else
+ for spec in $SPEC_LIST; do
+ # Using awk for parsing spec file
+ # Name: main_pkg
+ # %package: p_name
+ # - without -n, p_name = main_pkg-$2
+ # RemovePathPostfixes: p_suffix
+ mappings=$(awk '{
+ cmd = toupper($1)
+ if (cmd == "NAME:") {
+ main_pkg = $2
+ current_pkg = main_pkg
+ }
+ else if (cmd == "%PACKAGE") {
+ if ($2 == "-n") {
+ current_pkg = $3
+ } else {
+ current_pkg = main_pkg "-" $2
+ }
+ }
+ else if (cmd == "REMOVEPATHPOSTFIXES:") {
+ print current_pkg ":" $2
+ }
+ }' "$spec")
+ if [ -n "$mappings" ]; then
+ # attach new mapping entry to string
+ POSTFIX_MAP_STR="$POSTFIX_MAP_STR $mappings"
+ fi
+ done
+fi
+# Remove leading and trailing whitespace
+POSTFIX_MAP_STR=$(echo $POSTFIX_MAP_STR | xargs)
+# Print postfix map string
+if [ -n "$POSTFIX_MAP_STR" ]; then
+ echo "Memory-based Postfix Map generated: $POSTFIX_MAP_STR"
+fi
+
+# Support RemovePathPostFixes, relocating files into Package-named folder. e.g.
+# copy /usr/share/toto/systemd-bootx64.efi.standalone
+# to /toto-standalone/usr/share/toto/systemd-bootx64.efi
+# Then we will package the copy to RPM_PACKAGE_NAME.cpio.rsasign archive
+if [ -n "$POSTFIX_MAP_STR" ]; then
+ # Each entry in map string is pkg_name:p_suffix
+ for entry in $POSTFIX_MAP_STR; do
+ p_name="${entry%%:*}"
+ p_suffix="${entry#*:}"
+ # Search all files with p_suffix. e.g. .standalone
+ find "$RPM_BUILD_ROOT" -type f -name "*$p_suffix" | while read -r
src_file; do
+ # Remove the original p_suffix as new file name for copy
+ # e.g. /.../systemd-bootx64.efi.standalone ->
/.../systemd-bootx64.efi
+ target_base_path="${src_file%$p_suffix}"
+ rel_path="${target_base_path#$RPM_BUILD_ROOT}"
+ # Add a new p_name folder behine buildroot
+ # e.g. BUILD_ROOT/usr/share/toto/ ->
BUILD_ROOT/toto-standalone/usr/share/toto/
+ target_file="$RPM_BUILD_ROOT/${p_name}${rel_path}"
+ target_dir=$(dirname "$target_file")
+ # Run copy
+ mkdir -p "$target_dir"
+ cp -a "$src_file" "$target_file"
+ done
+ done
+fi
+
case "$BRP_PESIGN_GRUB_RESERVATION" in
'')
pesign_grub_reservation="0"
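Review bot: The `p_name` and `p_suffix` values come from an awk pass over the raw spec text and are then used unvalidated in `$RPM_BUILD_ROOT/${p_name}${rel_path}` and in `find -name "*$p_suffix"`. Because the spec is not macro-expanded, a `Name:` or `%package` argument written with `%{...}`, or one containing `/` or `..`, gives a copy target that is not the intended per-package directory. rpm also documents RemovePathPostfixes as a colon-separated list, which `${entry#*:}` would keep as a single suffix. I would reject such entries before copying, e.g. `case "$p_name" in ''|.|..|*/*|*%*) echo "unsupported package name: $p_name" >&2; exit 1 ;; esac`, and quote the pattern operand as `"${src_file%"$p_suffix"}"`.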
@@ -103,6 +179,7 @@
fi
pushd "$RPM_BUILD_ROOT"
+# Producing the arguments of find command to pick files to .cpio.rsasign
archive
args=()
for pattern in $files; do
pattern=${pattern#/}
@@ -112,7 +189,33 @@
if test -d "$pattern"; then
pattern="$pattern/*"
fi
- args=("${args[@]}" -o -path "$pattern")
+ # Support RemovePathPostFixes, check the pattern matches with any
+ # suffix in Postfix Map file. If so, then we package the copy file
+ # in /pkg_name to $RPM_PACKAGE_NAME.cpio.rsasign archive. e.g.
+ # /toto-standalone/usr/share/toto/systemd-bootx64.efi
+ # instead of
+ # /usr/share/toto/systemd-bootx64.efi.standalone
+ shifted_match=""
+ if [ -n "$POSTFIX_MAP_STR" ]; then
+ for entry in $POSTFIX_MAP_STR; do
+ p_name="${entry%%:*}"
+ p_suffix="${entry#*:}"
+ # If current pattern matches with suffix
+ if [[ "$pattern" == *"$p_suffix" ]]; then
+ base_path="${pattern%$p_suffix}"
+ rel_base_path="${base_path#./}"
+ shifted_match="./${p_name}/${rel_base_path}"
+ break
+ fi
+ done
+ fi
+ if [ -z "$shifted_match" ]; then
+ # Case A: no match, keep using original file pattern
+ args=("${args[@]}" -o -path "$pattern")
+ else
+ # Case B: match, using shifted match pattern
+ args=("${args[@]}" -o -path "$shifted_match")
+ fi
done
# delete the leading -o
unset args[0]
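Review bot: The test `[[ "$pattern" == *"$p_suffix" ]]` only fires when the configured pattern literally ends in the suffix, so a directory pattern (rewritten to `$pattern/*` just above) never selects the relocated copy and the suffixed file would apparently be archived under its original path. The `break` also means that when two packages declare the same suffix, only the first package's copy is selected. If both limits are intended, a comment such as `# only patterns that name the suffixed file explicitly are redirected; first matching package wins` would document it. Otherwise the directory case needs its own handling. The operand in `${pattern%$p_suffix}` should be quoted as `"${pattern%"$p_suffix"}"`. The enclosing `for pattern in $files` loop starts outside this hunk.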
@@ -152,12 +255,26 @@
fi
rm -rf "$archive_dir"
+# Removing temporary suffix package folders and its files before primary build
+if [ -n "$POSTFIX_MAP_STR" ]; then
+ for entry in $POSTFIX_MAP_STR; do
+ p_name="${entry%%:*}"
+ # Delete the $p_name/ folder located directly under the build root
+ find "$RPM_BUILD_ROOT" -maxdepth 1 -type d -name "${p_name}" -exec rm
-rf {} +
+ done
+fi
+
if [ "$nfiles" = 0 ] ; then
echo "No files in $archive, giving up"
exit 0
fi
popd
+# Show the content in .cpio.rsasign archive for debugging
+if [ -f "$archive" ]; then
+ cpio -it < "$archive" | sed 's/^/DEBUG: [CPIO] /'
+fi
+
if test -e $RPM_SOURCE_DIR/pesign-spec-macros; then
sed "
s:%{name}:$RPM_PACKAGE_NAME:g
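Review bot: The cleanup removes every top-level directory of the build root whose name matches `p_name`, whether or not this script created it, and `find -name` treats the name as a glob. A sub-package whose name coincides with a real top-level directory would have that directory's packaged content deleted here, after the earlier copy step had merged into it. I would remove the exact path and fail on an empty value, `rm -rf -- "${RPM_BUILD_ROOT:?}/${p_name:?}"`, and refuse up front any `p_name` whose directory already exists before the copy. The added `cpio -it` listing runs on every build; gating it behind a debug variable would keep build logs short.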
@@ -179,6 +296,12 @@
rm $output/pesign-copy-sources
fi
+# Collect all RemovePathPostFixes (RPP) pkg_names for sending to next stage
+RPP_PACKAGES=""
+if [ -n "$POSTFIX_MAP_STR" ]; then
+ RPP_PACKAGES=$(echo "$POSTFIX_MAP_STR" | awk 'BEGIN{RS=" "; FS=":"} {print
$1}' | xargs)
+fi
+echo "RPP_PACKAGES: $RPP_PACKAGES"
sed "
s:@NAME@:$RPM_PACKAGE_NAME:g
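Review bot: `RPP_PACKAGES` is interpolated unescaped into the sed program in the next hunk (`s:@RPP_PACKAGES@:$RPP_PACKAGES:g`), and the result becomes the words of `RPP_rpms=(@RPP_PACKAGES@)` in pesign-repackage.spec.in, which runs as shell. The names originate from raw spec text, so an `&`, a `%` or a shell metacharacter in one of them alters the sed replacement or the generated script instead of being treated as data. Validate each name against the characters a package name may contain before substituting, e.g. `case "$name" in *[!A-Za-z0-9._+-]*) echo "invalid package name: $name" >&2; exit 1 ;; esac`. The `sed` invocation itself continues outside this hunk.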
@@ -186,6 +309,7 @@
s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
s:@PESIGN_LOAD_SPEC_MACROS@:$spec_macros:g
s:@PESIGN_PACKAGES@:$packages:g
+ s:@RPP_PACKAGES@:$RPP_PACKAGES:g
/@CERT@/ {
r $cert
d
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20260409.5b7f1bb/debian/control
new/pesign-obs-integration-10.2+git20260506.67eda76/debian/control
--- old/pesign-obs-integration-10.2+git20260409.5b7f1bb/debian/control
2026-04-09 03:59:01.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20260506.67eda76/debian/control
2026-05-06 08:31:23.000000000 +0200
@@ -2,7 +2,7 @@
Section: devel
Priority: optional
Maintainer: Michal Marek <[email protected]>
-Build-Depends: debhelper (>= 7), openssl, shellcheck
+Build-Depends: debhelper (>= 7), openssl, shellcheck [!i386]
Standards-Version: 3.9.8
Package: pesign-obs-integration
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20260409.5b7f1bb/debian/rules
new/pesign-obs-integration-10.2+git20260506.67eda76/debian/rules
--- old/pesign-obs-integration-10.2+git20260409.5b7f1bb/debian/rules
2026-04-09 03:59:01.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20260506.67eda76/debian/rules
2026-05-06 08:31:23.000000000 +0200
@@ -25,4 +25,7 @@
fi
override_dh_auto_test:
- shellcheck dh_signobs
+ # shellcheck is not available anymore on Ubuntu i386
+ if command -v shellcheck >/dev/null; then \
+ shellcheck dh_signobs; \
+ fi
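Review bot: The `command -v` guard skips the lint silently on any builder where shellcheck is missing, not only on i386 as the comment says. An `else` branch that prints a line, e.g. `else echo "shellcheck not found, skipping dh_signobs lint"; \`, would keep a skipped check visible in the build log.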
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20260409.5b7f1bb/modsign-repackage
new/pesign-obs-integration-10.2+git20260506.67eda76/modsign-repackage
--- old/pesign-obs-integration-10.2+git20260409.5b7f1bb/modsign-repackage
2026-04-09 03:59:01.000000000 +0200
+++ new/pesign-obs-integration-10.2+git20260506.67eda76/modsign-repackage
2026-05-06 08:31:23.000000000 +0200
@@ -74,6 +74,7 @@
srpmdir=SRPMS
disturl=
rpms=()
+RPP_PKGS=""
rm -rf "$workdir"
mkdir "$workdir" || exit
mkdir -p "$rpmdir" "$srpmdir" || exit
@@ -104,7 +105,18 @@
cp "$rpm" "$_"
continue
esac
- rpm2cpio "$rpm" | (cd "$buildroot"; cpio -idm --quiet) || exit
+ # To avoid conflict with duplicate installed file use suffix and
+ # RemovePathPostfixes from RPM macros. We direct use pkg_name as
+ # the RemovePathPostfixes suffix. In the later, the RemovePathPostfixes
+ # in repackage.spec will handle it when repackaging.
+ pkg_name=$(rpm -qp --qf '%{name}' "$rpm")
+ mkdir -p "$workdir/tmp_extract"
+ rpm2cpio "$rpm" | cpio -idm -D "$workdir/tmp_extract" --quiet || exit
+ find "$workdir/tmp_extract" -depth ! -type d -print0 | while IFS= read
-r -d '' f; do
+ mv "$f" "${f}.${pkg_name}"
+ done
+ cp -a "$workdir/tmp_extract"/. "$buildroot/"
+ rm -rf "$workdir/tmp_extract"
d=$(rpm -qp --qf '%{disturl}' "$rpm")
if test -z "$disturl"; then
disturl=$d
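Review bot: `pkg_name` is used as the rename suffix without checking that the `rpm -qp` query succeeded, and this loop runs before the `set -e` that appears in the next hunk, so a failed `mv` inside the `find | while` subshell or a failed `cp -a` goes unnoticed. An empty `pkg_name` would rename every extracted file to `name.`, and the later `*.ko.*` scan and RemovePathPostfixes handling would no longer line up. I would add `test -n "$pkg_name" || exit` after the query, use `mv -- "$f" "${f}.${pkg_name}" || exit 1` in the loop with `done || exit` after it, and put `|| exit` on the `cp -a`. The enclosing `for` loop starts and ends outside this hunk.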
@@ -114,25 +126,46 @@
exit 1
fi
rpms=("${rpms[@]}" "$rpm")
+ # Put all package name to RPP_PKGS string for pesign-gen-repackage-spec
+ # In local signing/repackaging situation, we treat all packages as RPP
+ # (RemovePathPostFixes) packages to avoid file conflict.
+ if [ -z "$RPP_PKGS" ]; then
+ RPP_PKGS="$pkg_name"
+ else
+ RPP_PKGS="$RPP_PKGS,$pkg_name"
+ fi
done
set -e
echo "Signing kernel modules..."
if test ! -e "$cert.pub"; then
openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
fi
-for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do
+for module in $(find "$buildroot" -type f -name '*.ko.*' -printf '%P\n'); do
+ orig_module=$(echo "$module" | sed -r 's/\.ko\.[^/]+$/.ko/')
if test -n "$key"; then
/usr/lib/rpm/pesign/kernel-sign-file \
-i pkcs7 sha256 "$key" "$cert" "$buildroot/$module"
else
- raw_sig="$sig_dir/$module.sig"
+ raw_sig="$sig_dir/$orig_module.sig"
if test ! -e "$raw_sig"; then
- echo "$module.sig not found in $sig_dir" >&2
+ echo "$orig_module.sig not found in $sig_dir" >&2
+ exit 1
+ fi
+ status=0
+ output=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in
"$raw_sig" 2>/dev/null | xxd -p -c 256)
+ status=${PIPESTATUS[0]}
+ if [ "$status" -ne 0 ]; then
+ echo "$raw_sig signature can not be decrypted by $cert,
exit code: $status, output: $output" >&2
+ exit 1
+ fi
+ # check error wording in output
+ if echo "$output" | xxd -r -p | grep -iq "error"; then
+ echo "$raw_sig signature can not be decrypted by $cert,
output: $output" >&2
exit 1
fi
- ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in
"$raw_sig" 2>&1 | grep -i error)
- if [ -n "$ver_err" ]; then
- echo "$raw_sig signature can not be decrypted by $cert"
>&2
+ # A PKCS#7 packet must encapsulate a DigestInfo in ASN.1 format
+ if ! echo "$output" | xxd -r -p | openssl asn1parse -inform der
> /dev/null 2>&1; then
+ echo "$raw_sig signature is not a DigestInfo in ASN.1
format for a PKCS#7" >&2
exit 1
fi
/usr/lib/rpm/pesign/kernel-sign-file \
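Review bot: `status=${PIPESTATUS[0]}` does not hold the exit code of `openssl rsautl`. The pipeline runs inside `$(...)`, so in the parent shell `PIPESTATUS` describes the assignment, whose status is that of the last stage, `xxd`. With stderr sent to /dev/null, a failed verification passes the first two checks and is only stopped if `openssl asn1parse` happens to reject the (probably empty) output. Take the status from inside the substitution instead, keeping the existing `status=0`: `output=$(set -o pipefail; openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$raw_sig" 2>/dev/null | xxd -p -c 256) || status=$?`. The `for module in $(find ...)` loop also word-splits module paths, and its body continues outside this hunk.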
@@ -156,7 +189,7 @@
fi
/usr/lib/rpm/pesign/pesign-gen-repackage-spec \
--cert-subpackage=/usr/lib/rpm/kernel-cert-subpackage \
- --directory="$buildroot" --output="$workdir" "${rpms[@]}"
+ --directory="$buildroot" --output="$workdir" --rpp-pkgs="$RPP_PKGS"
"${rpms[@]}"
echo "Running rpmbuild..."
rpmbuild --define "buildroot $buildroot" --define "disturl $disturl" \
--define "_builddir $workdir" \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20260409.5b7f1bb/pesign-gen-repackage-spec
new/pesign-obs-integration-10.2+git20260506.67eda76/pesign-gen-repackage-spec
---
old/pesign-obs-integration-10.2+git20260409.5b7f1bb/pesign-gen-repackage-spec
2026-04-09 03:59:01.000000000 +0200
+++
new/pesign-obs-integration-10.2+git20260506.67eda76/pesign-gen-repackage-spec
2026-05-06 08:31:23.000000000 +0200
@@ -34,6 +34,8 @@
my $kmp_basename;
my $compress = "";
my $macros_file = "";
+my $rpp_pkgs_list = "";
+my %rpp_lookup = ();
my @rpms;
$ENV{LC_ALL} = "en_US.UTF-8";
@@ -45,6 +47,7 @@
"cert-subpackage|c=s" => \$cert_subpackage,
"compress|C=s" => \$compress,
"macros|M=s" => \$macros_file,
+ "rpp-pkgs:s" => \$rpp_pkgs_list,
) or die $USAGE;
@rpms = @ARGV;
if (!@rpms) {
@@ -55,6 +58,15 @@
print STDERR "$0: --directory must be an absolute path\n";
die $USAGE;
}
+# Transfer RPP package list from CSV to Hash for later usage
+if ($rpp_pkgs_list) {
+ %rpp_lookup = map { $_ => 1 } split(',', $rpp_pkgs_list);
+}
+print "--- rpp_lookup content ---\n";
+foreach my $key (sort keys %rpp_lookup) {
+ print "$key => $rpp_lookup{$key}\n";
+}
+print "----------------------------------\n";
sub query_array {
my ($rpm, @tags) = @_;
@@ -345,9 +357,13 @@
}
print SPEC "\%define _binary_payload $payloadstr\n";
+ my $has_rpp = $rpp_lookup{$p->{name}} // 0;
if ($is_main) {
print SPEC "\%{load:\%_sourcedir/$macros_file}\n" if
$macros_file ne "";
print SPEC "Name: $p->{name}\n";
+ if ($has_rpp) {
+ print SPEC "RemovePathPostfixes: .$p->{name}\n";
+ }
print SPEC "Buildroot: $directory\n";
if ($p->{nosource}) {
# We do not generate any no(src).rpm, but we want the
@@ -358,6 +374,9 @@
}
} else {
print SPEC "\%package -n $p->{name}\n";
+ if ($has_rpp) {
+ print SPEC "RemovePathPostfixes: .$p->{name}\n";
+ }
}
for my $tag (@simple_tags) {
next if $p->{$tag} eq "";
@@ -408,7 +427,7 @@
}
if ($p->{files}) {
print SPEC "\%files -n $p->{name}\n";
- print_files($p->{files});
+ print_files($p->{name}, $p->{files});
}
print SPEC "\n";
}
@@ -491,6 +510,7 @@
);
sub print_files {
+ my $pkg_name = shift;
my $files = shift;
my @tocompress;
my $compress_ext = "";
@@ -509,11 +529,24 @@
$compress_cmd = "zstd -T0 --rm -f -q";
}
+ # If files are in RPP (RemovePathPostFixes) pacakge
+ my $has_rpp = $rpp_lookup{$pkg_name} // 0;
+
for my $f (@$files) {
- my $path = "$directory/$f->{name}";
+ # Put the .pkg_name as the last suffix when the file is:
+ # Not a directory
+ # and Not in main package
+ # and In a RPP pacakge
+ # e.g. /usr/lib/modules/vmlinuz.toto-standalone
+ # The RemovePathPostfixes in repackage.spec will remove
+ # .pkg_name suffix when repackaging RPMs
+ my $is_dir = S_ISDIR($f->{mode});
+ my $suffix = (!$is_dir && $has_rpp) ? ".$pkg_name" : "";
+ my $suffixed_name = $f->{name} . $suffix;
+ my $path = "$directory/$suffixed_name";
my $attrs = "";
# Fix mtime of directories, which cpio -idm fails to preserve
- if (S_ISDIR($f->{mode})) {
+ if ($is_dir) {
$attrs .= "\%dir ";
utime($f->{mtime}, $f->{mtime}, $path);
}
@@ -576,13 +609,24 @@
chmod($f->{mode}, $path);
utime($f->{mtime}, $f->{mtime}, $path);
push(@tocompress, $path);
- print SPEC "$attrs " . quote_fn($f->{name} .
$compress_ext) . "\n";
+ my $final_name = $f->{name} . $compress_ext;
+ # If the ko file is in RPP package, add .pkg_name
suffix in the end
+ # e.g. driver.ko.zst.pkg_name
+ $final_name .= "." . $pkg_name if $has_rpp;
+ print SPEC "$attrs " . quote_fn($final_name) . "\n";
} else {
- print SPEC "$attrs " . quote_fn($f->{name}) . "\n";
+ # non-ko file
+ print SPEC "$attrs " . quote_fn($suffixed_name) . "\n";
}
-
- if (-e "$path.sig") {
- print SPEC "$attrs " . quote_fn($f->{name} . ".sig") .
"\n";
+ # Handle the signature exists as a separate .sig file
+ # (e.g., driver.ko corresponds to driver.ko.sig)
+ # For modsign-repackage?
+ my $sig_name = $f->{name} . ".sig";
+ # Special handle RPP files
+ my $sig_suffix = (!$is_dir && $has_rpp) ? ".$pkg_name" : "";
+ my $suffixed_sig_name = $sig_name . $sig_suffix;
+ if (-e "$directory/$suffixed_sig_name") {
+ print SPEC "$attrs " . quote_fn($suffixed_sig_name) .
"\n";
}
}
@@ -592,6 +636,22 @@
print M join("\n", @tocompress);
close(M);
system("xargs -a $m -t -P 4 -n 1 $compress_cmd");
+ # After file is compressed, handling RPP file
+ if ($has_rpp) {
+ # Move pkg_name suffix to the tail of file name after ko be
compressed
+ foreach my $suffixed_path (@tocompress) {
+ # suffixed path: /.../driver.ko.kernel-default
+ # current filename: /.../driver.ko.kernel-default.zst
+ # Before RemovePathPostfixes, we want:
/.../driver.ko.zst.kernel-default
+ my $current_file = $suffixed_path . $compress_ext;
+ if (-e $current_file) {
+ # rename driver.ko.pkg_name.zst to
driver.ko.zst.pkg_name
+ my $new_file = $current_file;
+ $new_file =~
s/\.${pkg_name}${compress_ext}$/${compress_ext}.${pkg_name}/;
+ rename($current_file, $new_file);
+ }
+ }
+ }
unlink($m);
}
}
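Review bot: The rename pattern `s/\.${pkg_name}${compress_ext}$/.../` interpolates the package name and extension into the regex unescaped, so a name containing `+` or `.` is read as regex syntax. With `+` the match can fail, `$new_file` then stays equal to `$current_file`, and the file keeps a name that the generated %files list does not contain. Quote both parts, `$new_file =~ s/\Q.${pkg_name}${compress_ext}\E$/${compress_ext}.${pkg_name}/;`, and check the rename with `rename($current_file, $new_file) or die "rename $current_file: $!";`. `print_files` starts outside this hunk.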
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/pesign-obs-integration-10.2+git20260409.5b7f1bb/pesign-repackage.spec.in
new/pesign-obs-integration-10.2+git20260506.67eda76/pesign-repackage.spec.in
---
old/pesign-obs-integration-10.2+git20260409.5b7f1bb/pesign-repackage.spec.in
2026-04-09 03:59:01.000000000 +0200
+++
new/pesign-obs-integration-10.2+git20260506.67eda76/pesign-repackage.spec.in
2026-05-06 08:31:23.000000000 +0200
@@ -52,6 +52,10 @@
# avoid loops
export BRP_PESIGN_FILES=""
+RPP_rpms=(@RPP_PACKAGES@)
+echo "Extracted RemovePathPostFixes packages array:"
+declare -p RPP_rpms
+
pushd %buildroot
disturl=
rpms_filter=@PESIGN_PACKAGES@
@@ -85,7 +89,26 @@
cp "$rpm" "$_"
continue
fi
- rpm2cpio "$rpm" | cpio -idm
+ # Check if package name is in RPP list
+ p_name=$(rpm -qp --qf '%%{NAME}' "$rpm")
+ is_postfix_pkg=0
+ for rpp_rpm in "${RPP_rpms[@]}"; do
+ if [ "$p_name" = "$rpp_rpm" ]; then
+ is_postfix_pkg=1
+ break
+ fi
+ done
+ if [ "$is_postfix_pkg" -eq 1 ]; then
+ echo "[Unpack] Special handling for postfix package: $p_name"
+ mkdir -p "$p_name"
+ # Decompress RPM to a folder with the name of the package
+ # It can avoid any file conflict with other packages
+ (cd "$p_name" && rpm2cpio "$rpm" | cpio -idm)
+ else
+ # Unpack normal package
+ # Direct decompress it to BUILDROOT
+ rpm2cpio "$rpm" | cpio -idm
+ fi
d=$(rpm -qp --qf '%%{disturl}' "$rpm")
if test -z "$disturl"; then
disturl=$d
@@ -129,6 +152,19 @@
mkdir rsasigned
pushd rsasigned
cpio -idm <%_sourcedir/@[email protected]
+
+# Extracting all sattrs metadata from CPIO before we handling _RPP_ folder
+find . -type f \( \
+ -path "*/boot/*.sig" -o \
+ -name "*.efi.sig" -o \
+ -name "vmlinu[xz].sig" -o \
+ -name "[Ii]mage.sig" -o \
+ -name "z[Ii]mage.sig" \
+\) | while read -r sig_path; do
+ infile_entry="${sig_path%.sig}"
+ cpio -i --to-stdout "${infile_entry#./}" < %_sourcedir/@[email protected]
> "${infile_entry}.sattrs" 2>/dev/null
+done
+
cat >cert.crt <<EOF
@CERT@
EOF
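Review bot: The `find` name list presumably mirrors the `case "/$sig"` arm that later consumes `${infile}.sattrs`, but nothing ties the two together. A signature type present in one place and not the other would reach `test -s ${infile}.sattrs || exit 1` with no diagnostic, and `2>/dev/null` hides the cpio error that would explain it. I would drop the `2>/dev/null` (or log the failing entry) and add a comment next to the list, e.g. `# keep in sync with the PE-signature arm of the case below`. Since the paths come from the unpacked archive, `find ... -print0 | while IFS= read -r -d '' sig_path` is the safer form of the loop.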
@@ -161,6 +197,8 @@
echo "$sig signature can not be decrypted by $cert" >&2
exit 1
fi
+ # Estimate the target file path $f based on the signature file path .sig
+ # The siganture will be attached to target file in the later against
different format
f=%buildroot/${sig%.sig}
case "/$sig" in
*.ko.sig|*.mod.sig)
@@ -180,7 +218,6 @@
%ifarch %ix86 x86_64 aarch64 %arm riscv64 loongarch64
# PE style signature injection
infile=${sig%.sig}
- cpio -i --to-stdout ${infile#./}
<%_sourcedir/@[email protected] > ${infile}.sattrs
test -s ${infile}.sattrs || exit 1
ohash=$(pesign -n "$nss_db" -h -P -i "$f")
pesign -n "$nss_db" -c cert -i "$f" -o "$f.tmp" -d sha256 -I
"${infile}.sattrs" -R "$sig"
@@ -195,11 +232,18 @@
# appending to the file itself, e.g. for s390x.
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f"
%endif
- # Regenerate the HMAC if it exists
- hmac="${f%%/*}/.${f##*/}.hmac"
- if test -e "$hmac"; then
- /usr/lib/rpm/pesign/gen-hmac -r %buildroot
"/${sig%.sig}"
- fi
+ # Regenerate the kernel's HMAC in target file's folder
+ f_dir=$(dirname "$f")
+ f_name=$(basename "$f")
+ hmac_file="$f_dir/.$f_name.hmac"
+ if [ -e "$hmac_file" ]; then
+ # The $BUILDROOT in tareget file path should be removed
for gen-hmac
+ # e.g. We want:
/toto-standalone/usr/lib/modules/.../vmlinuz
+ rel_f_path="${f#%buildroot}"
+ [[ "$rel_f_path" != /* ]] && rel_f_path="/$rel_f_path"
+ /usr/lib/rpm/pesign/gen-hmac -r %buildroot
"$rel_f_path"
+ echo "[HMAC] Regenerated for $rel_f_path"
+ fi
;;
*stage3.bin.sig)
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f"
@@ -233,9 +277,34 @@
# Remove the public key file
rm "$cert.pub"
+# Preparing buildroot for repackaging stage
+
+# Recovery. Move RPP files to buildroot/*/*/*.pkg_name and remove
+# buildroot/pkg_name/ namespace folder. The RemovePathPostFixes in
+# repackage.spec will handle it. e.g.
+# %{buildroot}/toto-standalone/usr/lib/modules/vmlinuz
+# move back to
+# %{buildroot}/usr/lib/modules/vmlinuz.toto-standalone
+for p_name in "${RPP_rpms[@]}"; do
+ p_root="%{buildroot}/$p_name"
+ if [ -d "$p_root" ]; then
+ echo "Processing RPP package: $p_name"
+ # handling buildroot/pkg_name namespace folder
+ find "$p_root" -type f | while read -r src_file; do
+ rel_path="${src_file#$p_root/}"
+ dest_file="%{buildroot}/${rel_path}.${p_name}"
+ mkdir -p "$(dirname "$dest_file")"
+ mv "$src_file" "$dest_file"
+ done
+ rm -rf "$p_root"
+ fi
+done
+# Transfer RPP rpms array to CSV string for pesign-gen-repackage-spec perl
script
+RPP_PKGS=$(IFS=,; echo "${RPP_rpms[*]}")
+
popd
/usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@
@PESIGN_LOAD_SPEC_MACROS@ \
- --directory=%buildroot "${rpms[@]}"
+ --directory=%buildroot --rpp-pkgs="$RPP_PKGS" "${rpms[@]}"
# For some reason in Fedora/CentOS builds the directory structure is different
from SUSE,
# which breaks repacking. Copy the package content to the buildroot that is
actually used.
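Review bot: The recovery loop moves only regular files (`find "$p_root" -type f`) and then deletes `$p_root`, so symlinks and empty directories that belong to an RPP package are dropped. pesign-gen-repackage-spec in this same commit appends the `.pkg_name` suffix to every non-directory entry it lists, so the build root and the generated %files list can disagree. modsign-repackage uses `! -type d` for the equivalent rename; `find "$p_root" ! -type d` here, plus a separate `find "$p_root" -type d` pass that recreates directories under %{buildroot}, would keep them consistent. The pattern operand should also be quoted, `"${src_file#"$p_root"/}"`.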
++++++ pesign-obs-integration.obsinfo ++++++
--- /var/tmp/diff_new_pack.jYSj5U/_old 2026-05-08 16:42:05.901020286 +0200
+++ /var/tmp/diff_new_pack.jYSj5U/_new 2026-05-08 16:42:05.941021944 +0200
@@ -1,5 +1,5 @@
name: pesign-obs-integration
-version: 10.2+git20260409.5b7f1bb
-mtime: 1775699941
-commit: 5b7f1bb5c9649945e4951c072addc492acbfc2dc
+version: 10.2+git20260506.67eda76
+mtime: 1778049083
+commit: 67eda7615f9903cca356e00ea92bd533f7eb8833