Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pesign for openSUSE:Factory checked in at 2023-03-16 22:57:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pesign (Old) and /work/SRC/openSUSE:Factory/.pesign.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign" Thu Mar 16 22:57:09 2023 rev:42 rq:1070580 version:116 Changes: -------- --- /work/SRC/openSUSE:Factory/pesign/pesign.changes 2023-02-09 16:21:55.542316926 +0100 +++ /work/SRC/openSUSE:Factory/.pesign.new.31432/pesign.changes 2023-03-16 22:57:10.991121155 +0100 
@@ -1,0 +2,57 @@ +Wed Feb 22 08:05:20 UTC 2023 - Gary Ching-Pang Lin <[email protected]> + +- Update to 116 + + daemon: remove always-true comparison + + pesum - add a new tool to the shed + + Fix building signed kernels on setups other than koji + + Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS + + macros.pesign: handle centos like rhel with --rhelver + + Detect the presence of rpm-sign when checking for "rhel"-ness + + Fix typo in efikeygen command + + pesigcheck: Fix crash on digest match + + cms: store digest as pointer instead of index + + Fix mandoc invocation to not produce garbage + + Password fixes + + Re-work CMS's selected_digest again... + + src/certs/make-certs: delete the duplicate codes + + Free resources if certification cannot be found + + macros: drop %{_pesign_args} + + Fix two bugs from package building + + Fix bad free of cms data (DoS only) + + Send pesign stdout/err to systemd journal + + Add missing Install section + + Add default packages for pkg-config + + Short delay to ensure /run/pesign/socket exists + + Resolve crash when signature that is removed is not the end of + the list + + Enhance error diagnostics about version mismatch + + Upstream all Fedora changes + + Add some hardening options to build + + Add code of conduct + + Fix build on gcc 12 and non-Fedora +- Add BuildRequires efivar-devel >= 38 for efisec.h + + efisiglist is replaced by efisecdb in efivar 38 +- Add BuildRequires mandoc to generate the manpages +- Replace pesign-privkey_unneeded.diff with + pesign-skip-auth-on-friendly-slot.patch to avoid the unnecessary + authentication +- Add pesign-fix-cert-match-check.patch to fix the subject name + matching +- Add pesign-fix-efikeygen-segfault.patch to fix the potential + crash when executing efikeygen +- Add pesign-bsc1202933-Remove-pesign-authorize.patch to remove + pesign-authorize completely (bsc#1202933) +- Refresh patches + + harden_pesign.service.patch + + pesign-boo1143063-remove-var-tracking.patch + + 
pesign-boo1185663-set-rpmmacrodir.patch + + pesign-fix-authvar-write-loop.patch + + pesign-suse-build.patch + + pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch +- Remove upstreamed/unnecessary patches + + pesign-boo1158197-fix-pesigncheck-gcc10.patch + + pesign-efikeygen-Fix-the-build-with-nss-3.44.patch + + pesign-run.patch + + pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch + +------------------------------------------------------------------- Old: ---- pesign-113.tar.bz2 pesign-boo1158197-fix-pesigncheck-gcc10.patch pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch pesign-efikeygen-Fix-the-build-with-nss-3.44.patch pesign-privkey_unneeded.diff pesign-run.patch New: ---- pesign-116.tar.bz2 pesign-bsc1202933-Remove-pesign-authorize.patch pesign-fix-cert-match-check.patch pesign-fix-efikeygen-segfault.patch pesign-skip-auth-on-friendly-slot.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pesign.spec ++++++ --- /var/tmp/diff_new_pack.rQteZu/_old 2023-03-16 22:57:12.711129486 +0100 +++ /var/tmp/diff_new_pack.rQteZu/_new 2023-03-16 22:57:12.719129525 +0100 @@ -17,7 +17,7 @@ Name: pesign -Version: 113 +Version: 116 Release: 0 Summary: Signing tool for PE-COFF binaries License: GPL-3.0-or-later 
@@ -27,25 +27,21 @@ Source1: pesign.sysusers # PATCH-FIX-SUSE pesign-suse-build.patch [email protected] -- Adjust Makefile for the build service Patch1: pesign-suse-build.patch -# PATCH-FIX-UPSTREAM pesign-privkey_unneeded.diff [email protected] -- Don't check the private key when importing the raw signature -Patch2: pesign-privkey_unneeded.diff -# PATCH-FIX-SUSE pesign-run.patch [email protected] - Use /run instead of /var/run -Patch3: pesign-run.patch +Patch2: pesign-skip-auth-on-friendly-slot.patch # PATCH-FIX-UPSTREAM pesign-fix-authvar-write-loop.patch [email protected] -- Fix the write loop in authvar -Patch4: pesign-fix-authvar-write-loop.patch -# PATCH-FIX-UPSTREAM pesign-efikeygen-Fix-the-build-with-nss-3.44.patch [email protected] -- Fix the NSS 3.44 compilation error -Patch5: pesign-efikeygen-Fix-the-build-with-nss-3.44.patch +Patch3: pesign-fix-authvar-write-loop.patch # PATCH-FIX-SUSE pesign-boo1143063-remove-var-tracking.patch -- boo#1143063 Remove var-tracking from default CFLAGS -Patch6: pesign-boo1143063-remove-var-tracking.patch -# PATCH-FIX-UPSTREAM pesign-boo1158197-fix-pesigncheck-gcc10.patch [email protected] -- boo#1158197 Fix the gcc10 errors -Patch7: pesign-boo1158197-fix-pesigncheck-gcc10.patch +Patch4: pesign-boo1143063-remove-var-tracking.patch # PATCH-FIX-UPSTREAM pesign-boo1185663-set-rpmmacrodir.patch boo#1185663 [email protected] -- Set the rpm macro directory at build time -Patch8: pesign-boo1185663-set-rpmmacrodir.patch -Patch9: harden_pesign.service.patch -Patch10: pesign-bsc1202933-Use-normal-file-permissions-instead-of-ACLs.patch -Patch11: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch -BuildRequires: efivar-devel +Patch5: pesign-boo1185663-set-rpmmacrodir.patch +Patch6: harden_pesign.service.patch +Patch7: pesign-bsc1202933-Remove-pesign-authorize.patch +Patch8: pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch +Patch9: pesign-fix-cert-match-check.patch +Patch10: pesign-fix-efikeygen-segfault.patch +BuildRequires: 
efivar-devel >= 38 BuildRequires: libuuid-devel +BuildRequires: mandoc BuildRequires: mozilla-nss-devel BuildRequires: pkg-config BuildRequires: popt-devel @@ -71,10 +67,10 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 -%patch11 -p1 %build %sysusers_generate_pre %{SOURCE1} %{name} %{name}.conf +export CPPFLAGS="%{optflags} -D_GLIBCXX_ASSERTIONS" make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="${LDFLAGS} -pie" libexecdir=%{_libexecdir} %install @@ -115,22 +111,21 @@ %{_bindir}/pesign-client %{_bindir}/efikeygen %{_bindir}/pesigcheck -%{_bindir}/efisiglist %{_bindir}/authvar +%{_bindir}/pesum %{_sbindir}/rcpesign %dir %{_sysconfdir}/pesign %{_sysconfdir}/pesign/* %dir %{_sysconfdir}/popt.d %config %{_sysconfdir}/popt.d/pesign.popt -%{_sysconfdir}/pki/ %{_rpmmacrodir}/macros.pesign %{_mandir}/man?/* -%{_localstatedir}/lib/pesign %{_unitdir}/pesign.service %{_sysusersdir}/pesign.conf %{_tmpfilesdir}/pesign.conf %dir %{_libexecdir}/pesign -%{_libexecdir}/pesign/pesign-authorize +%{_libexecdir}/pesign/pesign-rpmbuild-helper +%dir %{_sysconfdir}/pki/ %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign %ghost %dir %attr(0770,pesign,pesign) /run/%{name} %dir %attr(0770,pesign,pesign) %{_localstatedir}/lib/%{name} ++++++ harden_pesign.service.patch ++++++ --- /var/tmp/diff_new_pack.rQteZu/_old 2023-03-16 22:57:12.763129738 +0100 +++ /var/tmp/diff_new_pack.rQteZu/_new 2023-03-16 22:57:12.767129758 +0100 @@ -1,7 +1,7 @@ -Index: pesign-113/src/pesign.service.in +Index: pesign-115/src/pesign.service.in =================================================================== ---- pesign-113.orig/src/pesign.service.in -+++ pesign-113/src/pesign.service.in +--- pesign-115.orig/src/pesign.service.in ++++ pesign-115/src/pesign.service.in @@ -3,6 +3,19 @@ Description=Pesign signing daemon [Service] 
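Review bot: The renumbered patch list applies pesign-skip-auth-on-friendly-slot.patch as Patch2 and pesign-fix-cert-match-check.patch as Patch9, but the `index` lines of the three new cms_common.c patches chain in a different order: 24576f2..cf572ca for the cert-match fix, cf572ca..44e5cca for the friendly-slot change, 44e5cca..4f4707b for the efikeygen fix. The hunks touch different regions of the file, so this presumably applies with an offset, but ordering the three entries along that chain would keep a later refresh from depending on offsets or fuzz. The new entries Patch2, Patch7, Patch9 and Patch10 also lack the tag comment that neighbouring entries carry; a `# PATCH-FIX-UPSTREAM` or `# PATCH-FIX-SUSE` line with a short description above each, for example `... pesign-fix-cert-match-check.patch -- Fix the subject name matching`, would keep the list auditable.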
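Review bot: With `%{_sysconfdir}/pki/` narrowed to `%dir %{_sysconfdir}/pki/` in the %files hunk, the package owns only the directories, so the owner and mode of anything later created inside /etc/pki/pesign (presumably the certificate database) are no longer set by the package. The same update removes pesign-authorize, whose recursive chown/chmod used to normalise that tree at service start, while the directory itself stays `%attr(0775,pesign,pesign)`. A comment above that entry should say who creates the contents and with which owner and mode, e.g. `# contents are created by the admin; keep them owned by pesign:pesign and not world-writable`. It is also worth confirming that group write on the directory is still required now that the unit grants `ReadWritePaths=/etc/pki/pesign/`.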
@@ -19,7 +19,7 @@ +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions - Type=forking - PIDFile=/run/pesign.pid - ExecStart=/usr/bin/pesign --daemonize + PIDFile=@@RUNDIR@@/pesign.pid + ExecStart=/usr/bin/pesign --daemonize --nofork + ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize ++++++ pesign-113.tar.bz2 -> pesign-116.tar.bz2 ++++++ ++++ 15011 lines of diff (skipped) ++++++ pesign-boo1143063-remove-var-tracking.patch ++++++ --- /var/tmp/diff_new_pack.rQteZu/_old 2023-03-16 22:57:13.059131172 +0100 +++ /var/tmp/diff_new_pack.rQteZu/_new 2023-03-16 22:57:13.067131212 +0100 @@ -1,8 +1,8 @@ -diff --git a/Make.defaults b/Make.defaults -index 7892d73..2d18005 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -47,7 +47,7 @@ cflags = $(CFLAGS) $(ARCH3264) \ +Index: pesign-115/Make.defaults +=================================================================== +--- pesign-115.orig/Make.defaults ++++ pesign-115/Make.defaults +@@ -69,7 +69,7 @@ cflags = $(CFLAGS) $(ARCH3264) \ $(call pkg-config-cflags) clang_ccldflags = gcc_ccldflags = -fno-merge-constants \ @@ -10,5 +10,5 @@ + -fvar-tracking-assignments -fkeep-inline-functions \ -Wl,--fatal-warnings,--no-allow-shlib-undefined,--default-symver \ -Wl,-O2 -Wl,--no-undefined-version -Wl,-z,relro,-z,now \ - -Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed + -Wl,--no-add-needed,--no-copy-dt-needed-entries,--as-needed -pie ++++++ pesign-boo1185663-set-rpmmacrodir.patch ++++++ --- /var/tmp/diff_new_pack.rQteZu/_old 2023-03-16 22:57:13.079131269 +0100 +++ /var/tmp/diff_new_pack.rQteZu/_new 2023-03-16 22:57:13.083131288 +0100 
@@ -1,28 +1,28 @@ -diff --git a/Make.defaults b/Make.defaults -index 2d18005..7ecba00 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -11,6 +11,7 @@ includedir ?= $(prefix)include/ - bindir ?= $(prefix)bin/ +Index: pesign-115/Make.defaults +=================================================================== +--- pesign-115.orig/Make.defaults ++++ pesign-115/Make.defaults +@@ -13,6 +13,7 @@ rundir ?= /run/ + rundir := $(abspath $(rundir))/ pcdir ?= $(libdir)pkgconfig/ docdir ?= $(prefix)share/doc/ +rpmmacrodir ?= /etc/rpm/ DESTDIR ?= INSTALLROOT = $(DESTDIR) -diff --git a/src/Makefile b/src/Makefile -index 5fb2841..ca546a3 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -90,8 +90,8 @@ install : - $(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)$(mandir)man1/ - $(INSTALL) -m 644 authvar.1 $(INSTALLROOT)$(mandir)man1/ - $(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/ +Index: pesign-115/src/Makefile +=================================================================== +--- pesign-115.orig/src/Makefile ++++ pesign-115/src/Makefile +@@ -88,8 +88,8 @@ install : + $(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(mandir)man1/ + $(INSTALL) -m 644 $(MAN1TARGETS) $(INSTALLROOT)$(mandir)man1/ - $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ - $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ + $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir) + $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir) $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign + $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ ++++++ pesign-bsc1202933-Make-etc-pki-pesign-writeable.patch ++++++ --- /var/tmp/diff_new_pack.rQteZu/_old 2023-03-16 22:57:13.095131347 +0100 +++ /var/tmp/diff_new_pack.rQteZu/_new 2023-03-16 22:57:13.095131347 +0100 
@@ -11,16 +11,16 @@ src/pesign.service.in | 1 + 1 file changed, 1 insertion(+) -diff --git a/src/pesign.service.in b/src/pesign.service.in -index 87accee..8542c63 100644 ---- a/src/pesign.service.in -+++ b/src/pesign.service.in -@@ -20,3 +20,4 @@ Type=forking - PIDFile=/run/pesign.pid - ExecStart=/usr/bin/pesign --daemonize - ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize +Index: pesign-116/src/pesign.service.in +=================================================================== +--- pesign-116.orig/src/pesign.service.in ++++ pesign-116/src/pesign.service.in +@@ -18,6 +18,7 @@ RestrictRealtime=true + # end of automatic additions + PIDFile=@@RUNDIR@@/pesign.pid + ExecStart=/usr/bin/pesign --daemonize --nofork +ReadWritePaths=/etc/pki/pesign/ --- -2.35.3 - + + [Install] + WantedBy=multi-user.target ++++++ pesign-bsc1202933-Remove-pesign-authorize.patch ++++++ >From 09a41248f9f867e9aaf06e890621c392d36b52ec Mon Sep 17 00:00:00 2001 From: Robbie Harwood <[email protected]> Date: Tue, 31 Jan 2023 10:00:18 -0500 Subject: [PATCH] Remove pesign-authorize The onus of correct file/directory permissions should be a configuration and systems administration issue, not pesign's. Signed-off-by: Robbie Harwood <[email protected]> --- src/.gitignore | 1 - src/Makefile | 3 +-- src/pesign-authorize.in | 13 ------------- src/pesign.service.in | 1 - src/pesign.sysvinit.in | 1 - 5 files changed, 1 insertion(+), 18 deletions(-) delete mode 100644 src/pesign-authorize.in Index: pesign-116/src/.gitignore =================================================================== --- pesign-116.orig/src/.gitignore +++ pesign-116/src/.gitignore @@ -10,5 +10,4 @@ peverify pesign.service pesign.sysvinit pesign-rpmbuild-helper -pesign-authorize tmpfiles.conf Index: pesign-116/src/Makefile =================================================================== --- pesign-116.orig/src/Makefile +++ pesign-116/src/Makefile 
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules include $(TOPDIR)/Make.defaults BINTARGETS=authvar client efikeygen pesigcheck pesign \ - pesign-rpmbuild-helper pesign-authorize pesum + pesign-rpmbuild-helper pesum CFGTARGETS=tmpfiles.conf SVCTARGETS=pesign.sysvinit pesign.service MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1 @@ -99,7 +99,6 @@ install : $(INSTALL) -d -m 755 $(INSTALLROOT)$(rpmmacrodir) $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)$(rpmmacrodir) $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users Index: pesign-116/src/pesign-authorize.in =================================================================== --- pesign-116.orig/src/pesign-authorize.in +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/bash -set -e -set -u - -# License: GPLv2 - -# This script is deprecated and will be removed in a future release. - -sleep 3 -for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do - chown -R pesign:pesign "${x}" || true - chmod -R ug+rwX "${x}" || true -done Index: pesign-116/src/pesign.service.in =================================================================== --- pesign-116.orig/src/pesign.service.in +++ pesign-116/src/pesign.service.in @@ -18,7 +18,6 @@ RestrictRealtime=true # end of automatic additions PIDFile=@@RUNDIR@@/pesign.pid ExecStart=/usr/bin/pesign --daemonize --nofork -ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize [Install] WantedBy=multi-user.target Index: pesign-116/src/pesign.sysvinit.in =================================================================== --- pesign-116.orig/src/pesign.sysvinit.in +++ pesign-116/src/pesign.sysvinit.in 
@@ -30,7 +30,6 @@ start(){ RETVAL=$? echo touch /var/lock/subsys/pesign - @@LIBEXECDIR@@/pesign/pesign-authorize } stop(){ ++++++ pesign-fix-authvar-write-loop.patch ++++++ --- /var/tmp/diff_new_pack.rQteZu/_old 2023-03-16 22:57:13.151131618 +0100 +++ /var/tmp/diff_new_pack.rQteZu/_new 2023-03-16 22:57:13.155131637 +0100 @@ -12,32 +12,11 @@ src/authvar_context.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) -diff --git a/src/authvar_context.c b/src/authvar_context.c -index 7a753fc..c51c666 100644 ---- a/src/authvar_context.c -+++ b/src/authvar_context.c -@@ -20,6 +20,7 @@ - #include "fix_coverity.h" - - #include <unistd.h> -+#include <stddef.h> - #include <sys/mman.h> - - #include <prerror.h> -@@ -135,11 +136,7 @@ generate_descriptor(authvar_context *ctx) - if (rc < 0) - cmsreterr(-1, ctx->cms_ctx, "could not create signed data"); - --#if __WORDSIZE == 64 -- offset = (uint64_t) &((win_cert_uefi_guid_t *)0)->data; --#else -- offset = (uint32_t) &((win_cert_uefi_guid_t *)0)->data; --#endif -+ offset = offsetof(win_cert_uefi_guid_t, data); - authinfo = calloc(offset + sd_der.len, 1); - if (!authinfo) - cmsreterr(-1, ctx->cms_ctx, "could not allocate authinfo"); -@@ -162,6 +159,7 @@ write_authvar(authvar_context *ctx) +Index: pesign-115/src/authvar_context.c +=================================================================== +--- pesign-115.orig/src/authvar_context.c ++++ pesign-115/src/authvar_context.c +@@ -151,6 +151,7 @@ write_authvar(authvar_context *ctx) void *buffer, *ptr; size_t buf_len, des_len, remain; ssize_t wlen; @@ -45,7 +24,7 @@ if (!ctx->authinfo) cmsreterr(-1, ctx->cms_ctx, "Not a valid authvar"); -@@ -189,19 +187,19 @@ write_authvar(authvar_context *ctx) +@@ -179,19 +180,19 @@ write_authvar(authvar_context *ctx) if (ctx->value_size > 0) memcpy(ptr, ctx->value, ctx->value_size); @@ -69,7 +48,4 @@ } while (remain > 0); free(buffer); --- -2.21.0 - ++++++ pesign-fix-cert-match-check.patch ++++++ 
>From a6062702e9f0002b86759f6cd14da6d78de99f22 Mon Sep 17 00:00:00 2001 From: Huaxin Lu <[email protected]> Date: Fri, 11 Nov 2022 11:20:35 +0800 Subject: [PATCH] cms_common: fix cert match check In find_certificate_by_callback(), the match() returns 1 when cert subject is matched. Signed-off-by: Huaxin Lu <[email protected]> --- src/cms_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cms_common.c b/src/cms_common.c index 24576f2..cf572ca 100644 --- a/src/cms_common.c +++ b/src/cms_common.c @@ -872,7 +872,7 @@ find_certificate_by_callback(cms_context *cms, continue; int rc = match(tmpnode->cert, cbdata); - if (rc == 0) { + if (rc == 1) { node = tmpnode; break; } -- 2.35.3 ++++++ pesign-fix-efikeygen-segfault.patch ++++++ >From 227435af461f38fc4abeafe02884675ad4b1feb4 Mon Sep 17 00:00:00 2001 From: Nicolas Frayer <[email protected]> Date: Mon, 20 Feb 2023 15:26:20 +0100 Subject: [PATCH] cms_common: Fixed Segmentation fault When running efikeygen, the binary crashes with a segfault due to dereferencing a **ptr instead of a *ptr. Signed-off-by: Nicolas Frayer <[email protected]> --- src/cms_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cms_common.c b/src/cms_common.c index 44e5cca..4f4707b 100644 --- a/src/cms_common.c +++ b/src/cms_common.c @@ -957,7 +957,7 @@ find_certificate_by_issuer_and_sn(cms_context *cms, if (!ias) cnreterr(-1, cms, "invalid issuer and serial number"); - return find_certificate_by_callback(cms, match_issuer_and_serial, &ias, cert); + return find_certificate_by_callback(cms, match_issuer_and_serial, ias, cert); } int -- 2.35.3 ++++++ pesign-skip-auth-on-friendly-slot.patch ++++++ >From 616ec5f25adbde1a4bd78cdcacd6dcd7ecfa5a5c Mon Sep 17 00:00:00 2001 
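Review bot: The new test `if (rc == 1)` in find_certificate_by_callback() accepts exactly one return value from match(), so any other non-zero result, including a negative error code if a callback can return one, is treated as "no match" and the loop moves on to the next certificate without reporting anything. The callbacks are not visible in this hunk, so this needs checking against each of them; if errors are possible, handle `rc < 0` explicitly instead of folding it into the no-match path. A one-line contract comment above the call, e.g. `/* match() returns 1 when the certificate matches, 0 otherwise */`, would keep the sense of the comparison from being inverted again. The function body starts and ends outside the hunk.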
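Review bot: Passing `ias` instead of `&ias` in find_certificate_by_issuer_and_sn() corrects the pointer level, but nothing at the call site lets the compiler catch the same mistake again, presumably because the callback data parameter is an untyped pointer. A comment on the call would record the expectation, e.g. `/* cbdata is ias itself, not its address; match_issuer_and_serial dereferences it once */`. The other callers of find_certificate_by_callback() are outside this hunk and should be checked for the same pattern, since in a signing tool a mismatched cbdata means either a crash or a lookup against the wrong data.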
From: Gary Lin <[email protected]> Date: Thu, 22 Dec 2022 13:49:34 +0800 Subject: [PATCH] cms_common: skip authentication on the 'Friendly' slot When finding a certificate in a 'Friendly' slot without the need of the private key, it is not necessary to authenticate the slot. For example, when the signed attributes and the raw signature are created in a server and the user has the certificate, signkey.x509, and tries to import them into myapp.efi: $ certutil -N -d nssdb -f passwd $ certutil -A -d nssdb -f passwd -n signkey -t CT,CT,CT \ -i signkey.x509 $ pesign -n nssdb -c signkey -i myapp.efi -o myapp.efi.signed \ -d sha256 -I myapp.sattr -R myapp.sig Since the "signkey" is 'Friendly', i.e. publicly readable, and the private key is not needed, we can just skip the authentication and find "signkey" in the slot. Signed-off-by: Gary Lin <[email protected]> --- src/cms_common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/cms_common.c b/src/cms_common.c index cf572ca..44e5cca 100644 --- a/src/cms_common.c +++ b/src/cms_common.c @@ -628,7 +628,8 @@ find_certificate(cms_context *cms, int needs_private_key) int errnum; SECStatus status; - if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms)) { + if ((needs_private_key || !PK11_IsFriendly(psle->slot)) && + (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms))) { status = PK11_Authenticate(psle->slot, PR_TRUE, cms); if (status != SECSuccess) { save_port_err() { -- 2.35.3 ++++++ pesign-suse-build.patch ++++++ --- /var/tmp/diff_new_pack.rQteZu/_old 2023-03-16 22:57:13.203131870 +0100 +++ /var/tmp/diff_new_pack.rQteZu/_new 2023-03-16 22:57:13.207131890 +0100 @@ -1,7 +1,7 @@ -Index: pesign-113/util/Makefile +Index: pesign-116/util/Makefile =================================================================== ---- pesign-113.orig/util/Makefile -+++ pesign-113/util/Makefile +--- pesign-116.orig/util/Makefile ++++ pesign-116/util/Makefile 
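Review bot: The new condition in find_certificate() skips PK11_Authenticate() whenever the caller passes `needs_private_key == 0` and the slot reports itself friendly, so the login decision now depends on every caller setting that flag correctly, and the hunk carries no comment saying so. If a path that later signs with the key passes 0, the missing login would presumably show up as a later lookup or signing failure rather than here. I would put the rationale next to the test, e.g. `/* certs on a friendly slot are readable without login; authenticate only when the private key is needed */`. The inner parentheses around the `PK11_NeedLogin(...) && !PK11_IsLoggedIn(...)` pair are redundant; dropping them or splitting the test into two named booleans would make it easier to audit. The function body starts and ends outside the hunk.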
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.efirules include $(TOPDIR)/Make.defaults @@ -17,18 +17,18 @@ install : - $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/ - $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/ -+ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/SuSE/ -+ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/SuSE/ ++ $(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/sles/ ++ $(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/sles/ install_systemd: -Index: pesign-113/src/pesign.sysvinit.in +Index: pesign-116/src/pesign.sysvinit.in =================================================================== ---- pesign-113.orig/src/pesign.sysvinit.in -+++ pesign-113/src/pesign.sysvinit.in +--- pesign-116.orig/src/pesign.sysvinit.in ++++ pesign-116/src/pesign.sysvinit.in @@ -6,16 +6,19 @@ # processname: /usr/bin/pesign - # pidfile: /var/run/pesign.pid + # pidfile: @@RUNDIR@@pesign.pid ### BEGIN INIT INFO -# Provides: pesign -# Default-Start: @@ -46,51 +46,29 @@ -. /etc/init.d/functions [ -f /usr/bin/pesign ] || exit 1 -+PESIGN_PIDFILE=/var/run/pesign.pid ++PESIGN_PIDFILE=@@RUNDIR@@pesign.pid RETVAL=0 start(){ 
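Review bot: The refreshed install rule for util/Makefile now hard-codes `/boot/efi/EFI/sles/` where the previous revision of this patch used `/boot/efi/EFI/SuSE/`, while pesign.changes lists pesign-suse-build.patch only under "Refresh patches". A changed install location for EFI binaries is a behaviour change, so it deserves its own changelog line, and a comment in the patch should say why a SLES directory name is right for a Factory build. If this rule is reachable from the package build, taking the vendor directory from a make variable set by the spec would avoid the literal path.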
@@ -23,7 +26,7 @@ start(){ - mkdir /var/run/pesign 2>/dev/null && - chown pesign:pesign /var/run/pesign && - chmod 0770 /var/run/pesign + mkdir @@RUNDIR@@pesign 2>/dev/null && + chown pesign:pesign @@RUNDIR@@pesign && + chmod 0770 @@RUNDIR@@pesign - daemon /usr/bin/pesign --daemonize + startproc -f -p "$PESIGN_PIDFILE" /usr/bin/pesign --daemonize RETVAL=$? echo touch /var/lock/subsys/pesign -@@ -32,7 +35,7 @@ start(){ - - stop(){ - echo -n "Stopping pesign: " -- killproc -p /var/run/pesign.pid pesignd -+ killproc -p /run/pesign.pid pesignd - RETVAL=$? - echo - rm -f /var/lock/subsys/pesign -Index: pesign-113/Make.defaults +Index: pesign-116/Makefile =================================================================== ---- pesign-113.orig/Make.defaults -+++ pesign-113/Make.defaults -@@ -61,7 +61,7 @@ CPPFLAGS ?= - RANLIBFLAGS := $(if $(filter $(CC),gcc),-D) - ARFLAGS := $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs) - --LDLIBS = $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) -+LDLIBS = -lpthread $(foreach lib,$(LIBS),-l$(lib)) $(call pkg-config-ldlibs) - - ifeq ($(ARCH),ia64) - efi_cflags += -mfixed-range=f32-f127 -Index: pesign-113/Makefile -=================================================================== ---- pesign-113.orig/Makefile -+++ pesign-113/Makefile +--- pesign-116.orig/Makefile ++++ pesign-116/Makefile @@ -11,7 +11,6 @@ SUBDIRS := include libdpe src install : $(INSTALL) -d -m 755 $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ - $(INSTALL) -pm 644 COPYING $(INSTALLROOT)$(docdir)/pesign-$(VERSION)/ - @set -e ; for x in $(SUBDIRS) ; do \ - $(MAKE) -C $$x $@ ; \ - done + @$(call descend) + + install_systemd install_sysvinit : install
