sbsigntools: import from fedora 40

microsoft · Jun 14, 2024 · 8f7362e · 8f7362e
1 parent 817838b
commit 8f7362e
Show file tree

Hide file tree

Showing 5 changed files with 297 additions and 0 deletions.
diff --git a/SPECS/sbsigntools/sbsigntools-0.9.5.tar.xz b/SPECS/sbsigntools/sbsigntools-0.9.5.tar.xz
diff --git a/SPECS/sbsigntools/sbsigntools-gnuefi.patch b/SPECS/sbsigntools/sbsigntools-gnuefi.patch
@@ -0,0 +1,69 @@
+diff -up sbsigntools-0.9.5/configure.ac.gnu-efi sbsigntools-0.9.5/configure.ac
+--- sbsigntools-0.9.5/configure.ac.gnu-efi	2023-05-05 12:56:50.000000000 +0200
++++ sbsigntools-0.9.5/configure.ac	2023-05-05 13:06:47.495361241 +0200
+@@ -67,19 +67,30 @@ PKG_CHECK_MODULES(uuid, uuid,
+     AC_MSG_ERROR([libuuid (from the uuid package) is required]))
+
+ dnl gnu-efi headers require extra include dirs
+-EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
+-AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" -o "$EFI_ARCH" = riscv64 ])
++EFI_ARCH=$(uname -m | sed -e 's/i.86/ia32/;s/arm.*/arm/' -e 's/x86_64/x64/' -e 's/aarch64/aa64/')
++AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aa64" -o "$EFI_ARCH" = riscv64 ])
+
+ ##
+ # no consistent view of where gnu-efi should dump the efi stuff, so find it
+ ##
+-for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
+-    if test -e $path/crt0-efi-$EFI_ARCH.o; then
++AC_MSG_CHECKING([gnu-efi crt path])
++for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi /usr/lib/gnuefi/$EFI_ARCH ; do
++    if test -e $path/crt0.o; then
+        CRTPATH=$path
++       CRT=crt0.o
++       LDS=efi.lds
++       EFI_PATH=$path
++    elif test -e $path/crt0-efi-$EFI_ARCH.o; then
++       CRTPATH=$path
++       CRT=crt0-efi-${EFI_ARCH}.o
++       LDS=elf_${EFI_ARCH}_efi.lds
++       EFI_PATH=$libdir
+     fi
+ done
+ if test -z "$CRTPATH"; then
+    AC_MSG_ERROR([cannot find the gnu-efi crt path])
++else
++   AC_MSG_RESULT($CRTPATH)
+ fi
+
+ EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
+@@ -91,6 +102,9 @@ CPPFLAGS="$CPPFLAGS_save"
+ AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS)
+ AC_SUBST(EFI_ARCH, $EFI_ARCH)
+ AC_SUBST(CRTPATH, $CRTPATH)
++AC_SUBST(CRT, $CRT)
++AC_SUBST(LDS, $LDS)
++AC_SUBST(EFI_PATH, $EFI_PATH)
+
+ AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile]
+ 		[docs/Makefile tests/Makefile])
+diff -up sbsigntools-0.9.5/tests/Makefile.am.gnu-efi sbsigntools-0.9.5/tests/Makefile.am
+--- sbsigntools-0.9.5/tests/Makefile.am.gnu-efi	2023-05-05 12:56:50.000000000 +0200
++++ sbsigntools-0.9.5/tests/Makefile.am	2023-05-05 12:57:50.674915069 +0200
+@@ -18,7 +18,7 @@ if TEST_BINARY_FORMAT
+ EFILDFLAGS = --defsym=EFI_SUBSYSTEM=0x0a
+ FORMAT = -O binary
+ else
+-FORMAT = --target=efi-app-$(EFI_ARCH)
++FORMAT = --target=efi-app-$(EFI_ARCH:x64=x86_64)
+ endif
+ check_DATA = $(test_key) $(test_cert)
+ check_SCRIPTS = test-wrapper.sh
+@@ -31,7 +31,7 @@ check_SCRIPTS = test-wrapper.sh
+ 		$(FORMAT) $^ $@
+
+ .$(OBJEXT).elf:
+-	$(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/crt0-efi-$(EFI_ARCH).o -T elf_$(EFI_ARCH)_efi.lds $< -o $@ -lefi -lgnuefi
++	$(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/$(CRT) -T $(LDS) $< -o $@ $(EFI_PATH)/libefi.a $(EFI_PATH)/libgnuefi.a
+
+ AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH)
+
diff --git a/SPECS/sbsigntools/sbsigntools-mktarball.sh b/SPECS/sbsigntools/sbsigntools-mktarball.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+tmp=$(mktemp -d)
+
+#trap cleanup EXIT
+#cleanup() {
+#    set +e
+#    [ -z "$tmp" -o ! -d "$tmp" ] || rm -rf "$tmp"
+#}
+
+unset CDPATH
+pwd=$(pwd)
+version=0.9.5
+commit=9cfca9fe7aa7a8e29b92fe33ce8433e212c9a8ba
+
+pushd "$tmp"
+git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
+cd sbsigntools
+git checkout ${commit}
+ccan_modules="talloc read_write_all build_assert array_size endian"
+git submodule init
+git submodule update
+lib/ccan.git/tools/create-ccan-tree --build-type=automake lib/ccan $ccan_modules
+rm -r lib/ccan.git
+(
+	echo "Authors of sbsigntool:"
+	echo
+	git log --format='%an' | sort -u | sed 's,^,\t,'
+) > AUTHORS
+git log --date=short --format='%ad %t %an <%ae>%n%n  * %s%n' > ChangeLog
+cd ..
+mv sbsigntools sbsigntools-${version}
+tar cJf "$pwd"/sbsigntools-${version}.tar.xz --exclude=.git sbsigntools-${version}
+popd
diff --git a/SPECS/sbsigntools/sbsigntools-no-git.patch b/SPECS/sbsigntools/sbsigntools-no-git.patch
@@ -0,0 +1,35 @@
+diff -up sbsigntools-0.8/autogen.sh.nogit sbsigntools-0.8/autogen.sh
+--- sbsigntools-0.8/autogen.sh.nogit	2017-09-04 18:22:49.244640635 +0200
++++ sbsigntools-0.8/autogen.sh	2017-09-04 18:31:49.136838666 +0200
+@@ -1,31 +1,5 @@
+ #!/bin/bash
+
+-ccan_modules="talloc read_write_all build_assert array_size endian"
+-
+-# Add ccan upstream sources
+-if [ ! -e lib/ccan.git/Makefile ]
+-then
+-	git submodule init
+-	git submodule update
+-fi
+-
+-# create ccan build tree
+-if [ ! -e lib/ccan ]
+-then
+-	lib/ccan.git/tools/create-ccan-tree \
+-		--build-type=automake lib/ccan $ccan_modules
+-fi
+-
+-# Create generatable docs from git
+-(
+-	echo "Authors of sbsigntool:"
+-	echo
+-	git log --format='%an' | sort -u | sed 's,^,\t,'
+-) > AUTHORS
+-
+-# Generate simple ChangeLog
+-git log --date=short --format='%ad %t %an <%ae>%n%n  * %s%n' > ChangeLog
+-
+ # automagic
+ aclocal
+ autoheader
diff --git a/SPECS/sbsigntools/sbsigntools.spec b/SPECS/sbsigntools/sbsigntools.spec
@@ -0,0 +1,157 @@
+%bcond_without check
+%define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations -Wno-maybe-uninitialized
+
+Name:          sbsigntools
+Version:       0.9.5
+Release:       3%{?dist}
+Summary:       Signing utility for UEFI secure boot
+License:       GPLv3+
+URL:           https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools
+# upstream tarballs don't include bundled ccan
+# run sbsigntools-mktarball.sh
+Source0:       %{name}-%{version}.tar.xz
+Source1:       %{name}-mktarball.sh
+# don't fetch ccan or run git from autogen.sh, already done by mktarball.sh
+Patch0:        %{name}-no-git.patch
+# add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a
+Patch1:        %{name}-gnuefi.patch
+# same as gnu-efi
+ExclusiveArch: x86_64 aarch64 %{arm} %{ix86}
+BuildRequires: make
+BuildRequires: automake
+BuildRequires: binutils-devel
+BuildRequires: gcc
+BuildRequires: gnu-efi-devel >= 1:3.0.8-3
+BuildRequires: help2man
+BuildRequires: libuuid-devel
+%if %{with check}
+BuildRequires: openssl
+%endif
+BuildRequires: openssl-devel
+Provides: bundled(ccan-array_size)
+Provides: bundled(ccan-build_assert)
+Provides: bundled(ccan-check_type)
+Provides: bundled(ccan-compiler)
+Provides: bundled(ccan-container_of)
+Provides: bundled(ccan-endian)
+Provides: bundled(ccan-failtest)
+Provides: bundled(ccan-hash)
+Provides: bundled(ccan-htable)
+Provides: bundled(ccan-list)
+Provides: bundled(ccan-read_write_all)
+Provides: bundled(ccan-str)
+Provides: bundled(ccan-talloc)
+Provides: bundled(ccan-tcon)
+Provides: bundled(ccan-time)
+Provides: bundled(ccan-tlist)
+Provides: bundled(ccan-typesafe_cb)
+
+%description
+Tools to add signatures to EFI binaries and Drivers.
+
+%prep
+%autosetup -p1
+
+%build
+./autogen.sh
+%configure
+%make_build
+
+%install
+%make_install
+
+%if %{with check}
+%check
+make check
+%endif
+
+%files
+%license COPYING LICENSE.GPLv3 lib/ccan/licenses/*
+%doc AUTHORS ChangeLog
+%{_bindir}/sbattach
+%{_bindir}/sbkeysync
+%{_bindir}/sbsiglist
+%{_bindir}/sbsign
+%{_bindir}/sbvarsign
+%{_bindir}/sbverify
+%{_mandir}/man1/sbattach.1.*
+%{_mandir}/man1/sbkeysync.1.*
+%{_mandir}/man1/sbsiglist.1.*
+%{_mandir}/man1/sbsign.1.*
+%{_mandir}/man1/sbvarsign.1.*
+%{_mandir}/man1/sbverify.1.*
+
+%changelog
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri May 05 2023 Dominik Mierzejewski <dominik@greysector.net> - 0.9.5-1
+- update to 0.9.5 (#2179697)
+- drop obsolete patches
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Jan 17 2023 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-10
+- fix build with GCC 13
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Nov 19 2021 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-7
+- fix build with OpenSSL 3.0.0 (fixes rhbz#2021909)
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.9.4-6
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon May 17 2021 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-4
+- don't ignore errors from sbkeysync (fixes rhbz#1955828)
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 03 2020 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-1
+- update to 0.9.4 (#1846578)
+
+* Mon Feb 03 2020 Dominik Mierzejewski <dominik@greysector.net> - 0.9.3-1
+- update to 0.9.3
+- update bundled CCAN components list
+- support building with gnu-efi 3.0.11
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Feb 28 2019 Dominik Mierzejewski <dominik@greysector.net> - 0.9.2-1
+- update to 0.9.2
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jul 25 2018 Dominik Mierzejewski <dominik@greysector.net> - 0.9.1-3
+- fix paths to gnu-efi (work around #1608293)
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 22 2018 Dominik Mierzejewski <dominik@greysector.net> - 0.9.1-1
+- update to 0.9.1
+- add Fedora gnu-efi libs location to search path
+- link tests statically against gnu-efi libs, there are no shared versions
+
+* Mon Sep  4 2017 Dominik Mierzejewski <dominik@greysector.net> - 0.8-1
+- initial build