[arch-commits] Commit in pesign/trunk (6 files)

David Runge dvzrv at archlinux.org
Mon May 18 21:00:26 UTC 2020


    Date: Monday, May 18, 2020 @ 21:00:25
  Author: dvzrv
Revision: 629723

upgpkg: pesign 113-1: Upgrading to 113.

Removing custom Red Hat/Fedora upstream certificate databases, as they are in the pre-SQL format
and cannot be converted.
Adding custom patch to be able to execute pesign as non-root user.
Adding a custom systemd service for automatic database generation and for running
pesign as an unprivileged system user.
Adding tmpfiles integration for /etc/pki/pesign.
Removing all Red Hat/Fedora specific system integration and relying on custom service instead.
Updating maintainer info. Updating url and switching to correct license (GPL3).

Added:
  pesign/trunk/pesign-113-remove_root_check.patch
  pesign/trunk/pesign-create-db.service
  pesign/trunk/pesign.service
  pesign/trunk/pesign.tmpfiles
Modified:
  pesign/trunk/PKGBUILD
  pesign/trunk/pesign.sysusers

------------------------------------+
 PKGBUILD                           |   86 +++++++++++++++++++++++------------
 pesign-113-remove_root_check.patch |   29 +++++++++++
 pesign-create-db.service           |   33 +++++++++++++
 pesign.service                     |   37 +++++++++++++++
 pesign.sysusers                    |    2 
 pesign.tmpfiles                    |    2 
 6 files changed, 160 insertions(+), 29 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-05-18 21:00:15 UTC (rev 629722)
+++ PKGBUILD	2020-05-18 21:00:25 UTC (rev 629723)
@@ -1,39 +1,69 @@
-# Maintainer: Bruno Pagani <archange at archlinux.org>
+# Maintainer: David Runge <dvzrv at archlinux.org>
+# Contributor: Bruno Pagani <archange at archlinux.org>
 # Contributor: Mirco Tischler <mt-ml at gmx dot de>
 
 pkgname=pesign
-pkgver=0.112
-pkgrel=2
-pkgdesc="Tools for manipulating signed PE-COFF binaries"
-arch=(x86_64)
-url="https://github.com/rhinstaller/pesign"
-license=(GPL2)
-depends=(efivar nss libutil-linux)
-source=("${url}/releases/download/${pkgver}/${pkgname}-${pkgver}.tar.bz2"
+pkgver=113
+pkgrel=1
+pkgdesc="Linux tools for signed PE-COFF binaries"
+arch=('x86_64')
+url="https://github.com/rhboot/pesign"
+license=('GPL3')
+depends=('glibc' 'efivar' 'libutil-linux' 'nspr' 'nss' 'popt')
+source=("${pkgname}-${pkgver}.tar.gz::https://github.com/rhboot/${pkgname}/archive/${pkgver}.tar.gz"
+        "${pkgname}-113-remove_root_check.patch"
+        "${pkgname}-113-nss3.44.patch::https://github.com/rhboot/pesign/commit/b535d1ac5cbcdf18a97d97a92581e38080d9e521.patch"
+        "${pkgname}-113-assignment.patch::https://github.com/rhboot/pesign/commit/c555fd74c009242c3864576bd5f17a1f8f4fdffd.patch"
         "${pkgname}.sysusers"
-        'https://src.fedoraproject.org/lookaside/pkgs/pesign/certs.tar.xz/e377e0bc924287ee09356a239c5f51a8/certs.tar.xz') # No HTTP because custom CA
-sha256sums=('99fa1240311a802fa381eebba8d52b7106690322ac00395bf9fc149dc2cb363e'
-            '3e016f959cbd223ecd0103ffb5186e3013bc3152dff722f1c7d67a628e68704a'
-            'e0fc5b78dd6e236f87042734b880cdb2859c46817fd7c7f934b8487e0e1c001d')
+        "${pkgname}.tmpfiles"
+        "${pkgname}.service"
+        "${pkgname}-create-db.service")
+sha512sums=('e71dc90c2ab8085d1b000c0d2cf9cb00ddaed1ea1393db75c2d19a96f1b1c188a26b76850533ba97ec254a3b48db6b07a69b597c329ac891e64422780a358c24'
+            '8541fed1dbdea3b5b36731c2982789db457db2d1c6d62cd8461a7ad10e3f26dc16aef62eb991ac2b6504f741442229195e9e2804b770e859f48c475c0467e457'
+            '03c871d9f03727a98709372d696d38a59d554d9dac487656135f2f043f1eb36515e6988b67a2d0f4d00535771839e934e4f2826959e76221334170837b577d2a'
+            'cfa001265bfda5428ef72134d05ec16bee679a3906832aab4100f2c567f22e62d089b8cd475b9707926485c30958e70ba48c4035e118c480d008114fb6876c62'
+            '46c9958170924632fdf8fdf7b07eac5b35fc2a9292c84e346d9fc69cbedbfb762fc911c5c5dbf6e8391fa38a4f747b891dd295f14b47f594814572a07fcbc44c'
+            '2dca9a1aba9485afe6f07b7a3d9ee1dd0cd7640264f7584e739cab126b501ac1962a3b37509744a2b77abc613c75222801daf2e4fd97dd5211d19fbb7bd9ec33'
+            '5e4eb101b01fd688ca915051e25978e6b7a27ad2588c6b04ed52c179a00c04c1298080f9c2c0ae982cd0d861c649e5e6c244e54cb4962ca39c1d2264d1ec12df'
+            '14a161ec3a883d5c17581a6743a9b5e67e1617228966c4972933a055618f157aafefe8b0f648cb07251f0076384dd19be605acc6b1d31e7dec67749a682f505c')
 
+prepare() {
+  cd "${pkgname}-${pkgver}"
+  # -Werror, not even once
+  sed -e 's/\-Werror//g' -i Make.defaults
+  # remove root check
+  patch -Np1 -i "../${pkgname}-113-remove_root_check.patch"
+  # fix assignment
+  patch -Np1 -i "../${pkgname}-113-assignment.patch"
+  # fix issues with nss >=3.44
+  patch -Np1 -i "../${pkgname}-113-nss3.44.patch"
+}
+
 build() {
-    cd ${pkgname}-${pkgver}
-    make
+  cd "${pkgname}-${pkgver}"
+  make
 }
 
 package() {
-    cd ${pkgname}-${pkgver}
+  cd "${pkgname}-${pkgver}"
+  make DESTDIR="${pkgdir}" \
+       libdir=/usr/lib \
+       libexecdir=/usr/lib \
+       install
+  # removing a lot of stuff that we don't need
+  rm -rfv "${pkgdir}/var"
+  rm -rfv "${pkgdir}/etc/rpm"
+  rm -rfv "${pkgdir}/etc/pesign"
+  rm -rfv "${pkgdir}/etc/pki"
+  rm -rfv "${pkgdir}/usr/lib/"
 
-    make libdir=/usr/lib libexecdir=/usr/lib DESTDIR="${pkgdir}" install install_systemd
-    rm -rf "${pkgdir}"/var
-    rm -rf "${pkgdir}"/etc/rpm
-
-    install -Dm644 "${srcdir}"/${pkgname}.sysusers "${pkgdir}"/usr/lib/sysusers.d/${pkgname}.conf
-
-    # No reason those shouldn’t be readable
-    install -dm0755 "${pkgdir}"/etc/pki/pesign{,-rh-test}
-
-    # Install RedHat test certificates
-    install -Dm644 "${srcdir}"/etc/pki/pesign/{cert8,key3,secmod}.db -t "${pkgdir}"/etc/pki/pesign/
-    install -Dm644 "${srcdir}"/etc/pki/pesign-rh-test/{cert8,key3,secmod}.db -t "${pkgdir}"/etc/pki/pesign-rh-test/
+  install -vDm 644 "../${pkgname}.sysusers" \
+    "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
+  install -vDm 644 "../${pkgname}.tmpfiles" \
+    "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
+  # install custom service, that can run as separate user
+  # https://github.com/rhboot/pesign/issues/57
+  install -vDm 644 ../*.service \
+    -t "${pkgdir}/usr/lib/systemd/system/"
+  install -vdm 755 "${pkgdir}/etc/pki/pesign"
 }
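Review bot: `rm -rfv "${pkgdir}/usr/lib/"` on L118 discards everything `make install` placed under libdir and libexecdir (both set to /usr/lib on L110-L111), not only the upstream rpm/systemd integration the commit message says it drops; if pesign installs helper programs or libraries there they are silently lost. Deleting the specific upstream paths instead would make the intent checkable, and the comment on L113 (`# removing a lot of stuff that we don't need`) should name what is dropped and why, e.g. `# drop upstream rpm/systemd integration and the Red Hat certificate dirs; replaced by the custom units, sysusers and tmpfiles below`. I cannot see the upstream Makefile from here, so whether anything besides integration files lands under /usr/lib is inferred, not verified.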

Added: pesign-113-remove_root_check.patch
===================================================================
--- pesign-113-remove_root_check.patch	                        (rev 0)
+++ pesign-113-remove_root_check.patch	2020-05-18 21:00:25 UTC (rev 629723)
@@ -0,0 +1,29 @@
+diff -ruN a/src/daemon.c b/src/daemon.c
+--- a/src/daemon.c	2019-05-10 20:53:51.000000000 +0200
++++ b/src/daemon.c	2020-04-26 13:34:02.064214277 +0200
+@@ -1159,11 +1159,6 @@
+ 	ctx.backup_cms->log_priv = &ctx;
+ 	ctx.sd = -1;
+ 
+-	if (getuid() != 0) {
+-		fprintf(stderr, "pesignd must be started as root");
+-		exit(1);
+-	}
+-
+ 	check_socket(&ctx);
+ 
+ 	openlog("pesignd", LOG_PID, LOG_DAEMON);
+diff -ruN a/src/daemon.h b/src/daemon.h
+--- a/src/daemon.h	2019-05-10 20:53:51.000000000 +0200
++++ b/src/daemon.h	2020-04-26 13:51:56.580675620 +0200
+@@ -49,8 +49,8 @@
+ } pesignd_cmd;
+ 
+ #define PESIGND_VERSION 0x2a9edaf0
+-#define SOCKPATH	"/var/run/pesign/socket"
+-#define PIDFILE		"/var/run/pesign.pid"
++#define SOCKPATH	"/run/pesign/socket"
++#define PIDFILE		"/run/pesign/pesign.pid"
+ 
+ static inline uint32_t UNUSED
+ pesignd_string_size(char *buffer)
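Review bot: The daemon.c hunk removes the `getuid() != 0` guard without any replacement, so after this patch pesignd runs as whatever user starts it and the only thing keeping it unprivileged is `User=pesign` in pesign.service; the daemon.h hunk moves SOCKPATH and PIDFILE to /run/pesign, which must exist before start (the unit's RuntimeDirectory= provides it, but the patch itself does not say so). Since patch(1) ignores leading prose, I would add a short preamble above the first `diff -ruN` line citing the upstream issue already referenced in the PKGBUILD (rhboot/pesign#57), stating that privilege separation is delegated to the systemd unit, and noting the /run/pesign dependency. The daemon.c hunk sits inside a function whose start and end are outside the patch.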

Added: pesign-create-db.service
===================================================================
--- pesign-create-db.service	                        (rev 0)
+++ pesign-create-db.service	2020-05-18 21:00:25 UTC (rev 629723)
@@ -0,0 +1,33 @@
+[Unit]
+Description=Pesign database generation
+Documentation=man:certutil(1)
+ConditionPathExists=|!/etc/pki/pesign/cert9.db
+ConditionPathExists=|!/etc/pki/pesign/key4.db
+ConditionPathExists=|!/etc/pki/pesign/pkcs11.txt
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+User=pesign
+Group=pesign
+ExecStart=/usr/bin/certutil -N -d sql:/etc/pki/pesign --empty-password
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+ReadWritePaths=/etc/pki/pesign
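Review bot: `--empty-password` on L195 initialises the NSS database with no master password, so any signing key later imported into /etc/pki/pesign is protected only by file ownership, the `0600` mode that pesign.tmpfiles applies, and the daemon running as the dedicated user; that is a deliberate trade-off for unattended operation, but the unit should say so. I would add above ExecStart: `# No master password: key material is protected solely by the 0600 pesign:pesign mode enforced by pesign.tmpfiles and by the sandboxing below`. Note also that the three `ConditionPathExists=|!` lines (L186-L188) start the unit when any one file is missing, so `certutil -N` is then run against a partially present database; whether it recreates or fails in that case is not visible here and is worth a comment.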

Added: pesign.service
===================================================================
--- pesign.service	                        (rev 0)
+++ pesign.service	2020-05-18 21:00:25 UTC (rev 629723)
@@ -0,0 +1,37 @@
+[Unit]
+Description=Pesign signing daemon
+Documentation=man:pesign(1)
+Wants=pesign-create-db.service
+After=pesign-create-db.service
+
+[Service]
+User=pesign
+Group=pesign
+PIDFile=/run/pesign/pesign.pid
+ExecStart=/usr/bin/pesign --daemonize --nofork
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+ReadWritePaths=/run/pesign
+RuntimeDirectory=pesign
+StateDirectory=pesign
+LogsDirectory=pesign
+
+[Install]
+WantedBy=multi-user.target
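Review bot: `ReadWritePaths=/run/pesign` on L252 is redundant with `RuntimeDirectory=pesign` on L253, which already makes that directory writable under ProtectSystem=strict, and `StateDirectory=`/`LogsDirectory=` (L254-L255) create /var/lib/pesign and /var/log/pesign that nothing in this unit or in the patched daemon paths references. Dropping the redundant line and either removing the unused directories or documenting their purpose would keep the sandbox declaration minimal. Since the socket now lives at /run/pesign/socket (per pesign-113-remove_root_check.patch), a comment such as `# Socket and pidfile live in RuntimeDirectory=/run/pesign; client access is governed by the daemon's socket permissions` would tell the reader where client access is actually controlled; how pesignd sets those permissions is not visible here.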

Modified: pesign.sysusers
===================================================================
--- pesign.sysusers	2020-05-18 21:00:15 UTC (rev 629722)
+++ pesign.sysusers	2020-05-18 21:00:25 UTC (rev 629723)
@@ -1 +1 @@
-u pesign 312 "pesign signing daemon"
+u pesign - "pesign signing daemon" -

Added: pesign.tmpfiles
===================================================================
--- pesign.tmpfiles	                        (rev 0)
+++ pesign.tmpfiles	2020-05-18 21:00:25 UTC (rev 629723)
@@ -0,0 +1,2 @@
+d /etc/pki/pesign 0755 pesign pesign -
+z /etc/pki/pesign/* 0600 pesign pesign -


