author | Tom Rini <trini@konsulko.com> | 2018-02-13 08:45:39 -0500 |
---|---|---|
committer | Jia Zhang <zhang.jia@linux.alibaba.com> | 2018-02-14 09:13:47 +0800 |
commit | 59a9f43b899c795d1b2c3593d829f945c337832d (patch) | |
tree | 96c843c3574de0a4851593014d903f20c9addc17 | |
parent | af05e4860f06aa3d20efe983a3865af1eb895de2 (diff) | |
download | meta-secure-core-59a9f43b899c795d1b2c3593d829f945c337832d.tar.gz |
meta-integrity: Drop RPM patches that are upstream now
As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using
rpm-4.14.0 as the base version. This includes all of the patches we had
been applying.
Signed-off-by: Tom Rini <trini@konsulko.com>
12 files changed, 0 insertions, 796 deletions
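--- a/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc
+++ b/meta-integrity/recipes-devtools/rpm/rpm-integrity.inc
@@ -1,19 +1,5 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/rpm:"
 
-SRC_URI += "\
-file://0001-Pass-sign-arguments-to-signature-deletion-too.patch \
-file://0002-Beat-some-sense-into-rpmsign-cli-parsing.patch \
-file://0003-Fix-thinko-typo-in-file-signing-error-message.patch \
-file://0004-Bury-get_fskpass-inside-rpmsign-utility.patch \
-file://0005-Dont-advertise-file-signing-features-if-support-not-.patch \
-file://0006-Remove-bunch-of-redundant-environ-declarations.patch \
-file://0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch \
-file://0008-Move-key-password-helper-variables-to-local-scope.patch \
-file://0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch \
-file://0010-Fix-a-number-of-problems-in-get_fskpass.patch \
-file://0011-Bump-file-digests-to-SHA256-by-default-finally.patch \
-"
-
 PACKAGECONFIG = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'imaevm', '', d)}"
 
 # IMA signing support is provided by RPM plugin.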
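Review bot: Nothing in the five lines that remain in rpm-integrity.inc records that the include now depends on the base recipe being rpm-4.14.0 or later; the commit message says so, but the file does not. The dropped patches carried the rpmsign file-signing fixes and the SHA256 file-digest default (0010 and 0011), so a build against an older OE-Core would presumably lose them without any error. A comment above `PACKAGECONFIG`, for example `# Needs rpm >= 4.14.0 (OE-Core rev b4613b6ce07c or later): the IMA file-signing fixes formerly patched in here are upstream from that version.`, would make the requirement visible. The retained `FILESEXTRAPATHS_prepend := "${THISDIR}/rpm:"` also looks unused now that every listed patch under `rpm/` is deleted; if no other file in that directory is referenced, it can be dropped.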
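--- a/meta-integrity/recipes-devtools/rpm/rpm/0001-Pass-sign-arguments-to-signature-deletion-too.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 23dc36f0d587495f2d29ebefd9e46437069b5a2d Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Mon, 29 May 2017 16:11:55 +0300
-Subject: [PATCH] Pass sign arguments to signature deletion too
-
-Refactor rpmsign and python bindings to be more similar on both
-addsign/delsign operations, and always pass the signing arguments
-along. Deletion doesn't actually (yet) use the arguments for anything
-but makes things more symmetric (I remember having doubts about
-this when adding - reminder to self: if in doubt, add more arguments ;)
-
-Yet another API break, but what the hey... Other than that, behavior is
-not supposed to change here.
----
-python/rpmsmodule.c | 28 ++++++++++++++++------------
-rpmsign.c | 13 +++++++------
-sign/rpmgensig.c | 2 +-
-sign/rpmsign.h | 3 ++-
-4 files changed, 26 insertions(+), 20 deletions(-)
-
-diff --git a/python/rpmsmodule.c b/python/rpmsmodule.c
-index 0601353b9..72465221d 100644
---- a/python/rpmsmodule.c
-+++ b/python/rpmsmodule.c
-@@ -5,32 +5,36 @@
-static char rpms__doc__[] =
-"";
-
-+static int parseSignArgs(PyObject * args, PyObject *kwds,
-+ const char **path, struct rpmSignArgs *sargs)
-+{
-+ char * kwlist[] = { "path", "keyid", "hashalgo", NULL };
-+
-+ memset(sargs, 0, sizeof(*sargs));
-+ return PyArg_ParseTupleAndKeywords(args, kwds, "s|si", kwlist,
-+ path, &sargs->keyid, &sargs->hashalgo);
-+}
-+
-static PyObject * addSign(PyObject * self, PyObject * args, PyObject *kwds)
-{
-const char *path = NULL;
-- char * kwlist[] = { "path", "keyid", "hashalgo", NULL };
-- struct rpmSignArgs sig, *sigp = NULL;
-+ struct rpmSignArgs sargs;
-
-- memset(&sig, 0, sizeof(sig));
-- if (!PyArg_ParseTupleAndKeywords(args, kwds, "s|si", kwlist,
-- &path, &sig.keyid, &sig.hashalgo))
-+ if (parseSignArgs(args, kwds, &path, &sargs))
-return NULL;
-
-- if (sig.keyid || sig.hashalgo)
-- sigp = &sig;
--
-- return PyBool_FromLong(rpmPkgSign(path, sigp) == 0);
-+ return PyBool_FromLong(rpmPkgSign(path, &sargs) == 0);
-}
-
-static PyObject * delSign(PyObject * self, PyObject * args, PyObject *kwds)
-{
-const char *path = NULL;
-- char * kwlist[] = { "path", NULL };
-+ struct rpmSignArgs sargs;
-
-- if (!PyArg_ParseTupleAndKeywords(args, kwds, "s", kwlist, &path))
-+ if (parseSignArgs(args, kwds, &path, &sargs))
-return NULL;
-
-- return PyBool_FromLong(rpmPkgDelSign(path) == 0);
-+ return PyBool_FromLong(rpmPkgDelSign(path, &sargs) == 0);
-}
-
-/*
-diff --git a/rpmsign.c b/rpmsign.c
-index 3834b505e..0402af556 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -25,6 +25,8 @@ static int signfiles = 0, fskpass = 0;
-static char * fileSigningKey = NULL;
-static char * fileSigningKeyPassword = NULL;
-
-+static struct rpmSignArgs sargs = {NULL, 0, 0};
-+
-static struct poptOption signOptsTable[] = {
-{ "addsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_ADDSIGN,
-N_("sign package(s)"), NULL },
-@@ -54,11 +56,10 @@ static struct poptOption optionsTable[] = {
-};
-
-/* TODO: permit overriding macro setup on the command line */
--static int doSign(poptContext optCon)
-+static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-{
-int rc = EXIT_FAILURE;
-char * name = rpmExpand("%{?_gpg_name}", NULL);
-- struct rpmSignArgs sig = {NULL, 0, 0};
-char *key = NULL;
-
-if (rstreq(name, "")) {
-@@ -92,13 +93,13 @@ static int doSign(poptContext optCon)
-free(fileSigningKeyPassword);
-}
-
-- sig.signfiles = 1;
-+ sargs->signfiles = 1;
-}
-
-const char *arg;
-rc = 0;
-while ((arg = poptGetArg(optCon)) != NULL) {
-- rc += rpmPkgSign(arg, &sig);
-+ rc += rpmPkgSign(arg, sargs);
-}
-
-exit:
-@@ -133,12 +134,12 @@ int main(int argc, char *argv[])
-switch (mode) {
-case MODE_ADDSIGN:
-case MODE_RESIGN:
-- ec = doSign(optCon);
-+ ec = doSign(optCon, &sargs);
-break;
-case MODE_DELSIGN:
-ec = 0;
-while ((arg = poptGetArg(optCon)) != NULL) {
-- ec += rpmPkgDelSign(arg);
-+ ec += rpmPkgDelSign(arg, &sargs);
-}
-break;
-default:
-diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
-index 4f5ff7b59..32bcfb3fb 100644
---- a/sign/rpmgensig.c
-+++ b/sign/rpmgensig.c
-@@ -863,7 +863,7 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args)
-return rc;
-}
-
--int rpmPkgDelSign(const char *path)
-+int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args)
-{
-return rpmSign(path, 1, 0);
-}
-diff --git a/sign/rpmsign.h b/sign/rpmsign.h
-index b41e3caab..bed8d6245 100644
---- a/sign/rpmsign.h
-+++ b/sign/rpmsign.h
-@@ -31,9 +31,10 @@ int rpmPkgSign(const char *path, const struct rpmSignArgs * args);
-/** \ingroup rpmsign
-* Delete signature(s) from a package
-* @param path path to package
-+ * @param args signing parameters (or NULL for defaults)
-* @return 0 on success
-*/
--int rpmPkgDelSign(const char *path);
-+int rpmPkgDelSign(const char *path, const struct rpmSignArgs * args);
-
-#ifdef __cplusplus
-}
---
-2.11.0
-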
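--- a/meta-integrity/recipes-devtools/rpm/rpm/0002-Beat-some-sense-into-rpmsign-cli-parsing.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 8bcfd98c0545eaf98bbc99e56cc2118c995a8fad Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Thu, 8 Jun 2017 12:39:53 +0300
-Subject: [PATCH] Beat some sense into rpmsign cli parsing
-
-Separate missing mode and several modes, print usage in the former
-and mumble about modes only if more than one actually specified.
----
-rpmsign.c | 6 +++++-
-1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 0402af556..de6f79384 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -14,12 +14,13 @@ char ** environ = NULL;
-#endif
-
-enum modes {
-+ MODE_NONE = 0,
-MODE_ADDSIGN = (1 << 0),
-MODE_RESIGN = (1 << 1),
-MODE_DELSIGN = (1 << 2),
-};
-
--static int mode = 0;
-+static int mode = MODE_NONE;
-
-static int signfiles = 0, fskpass = 0;
-static char * fileSigningKey = NULL;
-@@ -142,6 +143,9 @@ int main(int argc, char *argv[])
-ec += rpmPkgDelSign(arg, &sargs);
-}
-break;
-+ case MODE_NONE:
-+ printUsage(optCon, stderr, 0);
-+ break;
-default:
-argerror(_("only one major mode may be specified"));
-break;
---
-2.11.0
-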
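--- a/meta-integrity/recipes-devtools/rpm/rpm/0003-Fix-thinko-typo-in-file-signing-error-message.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 26cae3941f68c96e44d8126fea330ef7f0327913 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Thu, 8 Jun 2017 12:42:00 +0300
-Subject: [PATCH] Fix %% -> $$ thinko/typo in file signing error message
-
----
-rpmsign.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index de6f79384..66ab8e5eb 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -75,7 +75,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-if (signfiles) {
-key = rpmExpand("%{?_file_signing_key}", NULL);
-if (rstreq(key, "")) {
-- fprintf(stderr, _("You must set \"$$_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
-+ fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
-goto exit;
-}
-
---
-2.11.0
-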
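--- a/meta-integrity/recipes-devtools/rpm/rpm/0004-Bury-get_fskpass-inside-rpmsign-utility.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 5a76125050c2f389cdc1c3017dff5fec4aef7e57 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Thu, 8 Jun 2017 16:55:16 +0300
-Subject: [PATCH] Bury get_fskpass() inside rpmsign utility
-
-librpm is not in the business of providing terminal utility functions,
-file signing might well need to ask for passwords but it doesn't
-have to be a non-prefixed function in a shared library. The library
-provides means to *pass* the password and its up to calling applications
-to ask for it if needed.
----
-lib/rpmsignfiles.c | 35 -----------------------------------
-lib/rpmsignfiles.h | 2 --
-rpmsign.c | 37 ++++++++++++++++++++++++++++++++++++-
-3 files changed, 36 insertions(+), 38 deletions(-)
-
-diff --git a/lib/rpmsignfiles.c b/lib/rpmsignfiles.c
-index 87e4e4265..aacb34647 100644
---- a/lib/rpmsignfiles.c
-+++ b/lib/rpmsignfiles.c
-@@ -7,8 +7,6 @@
-#include "system.h"
-#include "imaevm.h"
-
--#include <termios.h>
--
-#include <rpm/rpmlog.h> /* rpmlog */
-#include <rpm/rpmstring.h> /* rnibble */
-#include <rpm/rpmpgp.h> /* rpmDigestLength */
-@@ -34,39 +32,6 @@ static const char *hash_algo_name[] = {
-
-#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
-
--char *get_fskpass(void)
--{
-- struct termios flags, tmp_flags;
-- char *password, *pwd;
-- int passlen = 64;
--
-- password = malloc(passlen);
-- if (!password) {
-- perror("malloc");
-- return NULL;
-- }
--
-- tcgetattr(fileno(stdin), &flags);
-- tmp_flags = flags;
-- tmp_flags.c_lflag &= ~ECHO;
-- tmp_flags.c_lflag |= ECHONL;
--
-- if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
-- perror("tcsetattr");
-- return NULL;
-- }
--
-- printf("PEM password: ");
-- pwd = fgets(password, passlen, stdin);
-- pwd[strlen(pwd) - 1] = '\0'; /* remove newline */
--
-- if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
-- perror("tcsetattr");
-- return NULL;
-- }
-- return pwd;
--}
--
-static char *signFile(const char *algo, const char *fdigest, int diglen,
-const char *key, char *keypass)
-{
-diff --git a/lib/rpmsignfiles.h b/lib/rpmsignfiles.h
-index 52e2482a9..70ed69412 100644
---- a/lib/rpmsignfiles.h
-+++ b/lib/rpmsignfiles.h
-@@ -14,8 +14,6 @@ extern "C" {
-*/
-rpmRC rpmSignFiles(Header h, const char *key, char *keypass);
-
--char *get_fskpass(void); /* get file signing key password */
--
-#ifdef _cplusplus
-}
-#endif
-diff --git a/rpmsign.c b/rpmsign.c
-index 66ab8e5eb..6cd63d872 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -1,12 +1,12 @@
-#include "system.h"
-#include <errno.h>
-#include <sys/wait.h>
-+#include <termios.h>
-
-#include <popt.h>
-#include <rpm/rpmcli.h>
-#include <rpm/rpmsign.h>
-#include "cliutils.h"
--#include "lib/rpmsignfiles.h"
-#include "debug.h"
-
-#if !defined(__GLIBC__) && !defined(__APPLE__)
-@@ -56,6 +56,41 @@ static struct poptOption optionsTable[] = {
-POPT_TABLEEND
-};
-
-+#ifdef WITH_IMAEVM
-+static char *get_fskpass(void)
-+{
-+ struct termios flags, tmp_flags;
-+ char *password, *pwd;
-+ int passlen = 64;
-+
-+ password = malloc(passlen);
-+ if (!password) {
-+ perror("malloc");
-+ return NULL;
-+ }
-+
-+ tcgetattr(fileno(stdin), &flags);
-+ tmp_flags = flags;
-+ tmp_flags.c_lflag &= ~ECHO;
-+ tmp_flags.c_lflag |= ECHONL;
-+
-+ if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
-+ perror("tcsetattr");
-+ return NULL;
-+ }
-+
-+ printf("PEM password: ");
-+ pwd = fgets(password, passlen, stdin);
-+ pwd[strlen(pwd) - 1] = '\0'; /* remove newline */
-+
-+ if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
-+ perror("tcsetattr");
-+ return NULL;
-+ }
-+ return pwd;
-+}
-+#endif
-+
-/* TODO: permit overriding macro setup on the command line */
-static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-{
---
-2.11.0
-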
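--- a/meta-integrity/recipes-devtools/rpm/rpm/0005-Dont-advertise-file-signing-features-if-support-not-.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From a77d2d3476919fdbcba9baf0dd44c98db1620360 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Thu, 8 Jun 2017 17:36:28 +0300
-Subject: [PATCH] Dont advertise file signing features if support not built in
-
-ifdef the whole thing out when not enabled, instead of blurting out
-obscure error messages. A few to many ifdefs for my taste but
-that's a topic for another day...
----
-rpmsign.c | 12 ++++++++----
-1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 6cd63d872..dce342af0 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -22,9 +22,11 @@ enum modes {
-
-static int mode = MODE_NONE;
-
-+#ifdef WITH_IMAEVM
-static int signfiles = 0, fskpass = 0;
-static char * fileSigningKey = NULL;
-static char * fileSigningKeyPassword = NULL;
-+#endif
-
-static struct rpmSignArgs sargs = {NULL, 0, 0};
-
-@@ -35,6 +37,7 @@ static struct poptOption signOptsTable[] = {
-N_("sign package(s) (identical to --addsign)"), NULL },
-{ "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
-N_("delete package signatures"), NULL },
-+#ifdef WITH_IMAEVM
-{ "signfiles", '\0', POPT_ARG_NONE, &signfiles, 0,
-N_("sign package(s) files"), NULL},
-{ "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
-@@ -42,6 +45,7 @@ static struct poptOption signOptsTable[] = {
-N_("<key>") },
-{ "fskpass", '\0', POPT_ARG_NONE, &fskpass, 0,
-N_("prompt for file signing key password"), NULL},
-+#endif
-POPT_TABLEEND
-};
-
-@@ -103,6 +107,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-goto exit;
-}
-
-+#ifdef WITH_IMAEVM
-if (fileSigningKey) {
-rpmPushMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
-}
-@@ -115,11 +120,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-}
-
-if (fskpass) {
--#ifndef WITH_IMAEVM
-- argerror(_("--fskpass may only be specified when signing files"));
--#else
-fileSigningKeyPassword = get_fskpass();
--#endif
-}
-
-rpmPushMacro(NULL, "_file_signing_key_password", NULL,
-@@ -131,6 +132,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-
-sargs->signfiles = 1;
-}
-+#endif
-
-const char *arg;
-rc = 0;
-@@ -163,9 +165,11 @@ int main(int argc, char *argv[])
-argerror(_("no arguments given"));
-}
-
-+#ifdef WITH_IMAEVM
-if (fileSigningKey && !signfiles) {
-argerror(_("--fskpath may only be specified when signing files"));
-}
-+#endif
-
-switch (mode) {
-case MODE_ADDSIGN:
---
-2.11.0
-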
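--- a/meta-integrity/recipes-devtools/rpm/rpm/0006-Remove-bunch-of-redundant-environ-declarations.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 8fae14f4dfc655dabd3de11be4d7e9b7c1cb6898 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 11:37:03 +0300
-Subject: [PATCH] Remove bunch of redundant environ declarations
-
-rpmsign.c used to actually use "environ" to pass to execve(), but
-that call moved to librpmsign a long, long time ago. rpmdb.c and
-rpmkeys.c never used it at all but guess it was copy-paste inherited
-from rpmsign.c back in the day (dfbaa77152ccf98524c4f27afe85d32e6f690522)
-
-rpmgensig.c actually refers to environ, but this is a POSIX required
-variable and while Apple has managed to screw it up, it's handled
-in system.h and that must be sufficient for all relevant systems
-as we also refer to environ in rpmfileutil.c open_dso() and there's
-no fake environ definition there. So drop the one in rpmgensig.c too.
----
-rpmdb.c | 4 ----
-rpmkeys.c | 4 ----
-rpmsign.c | 4 ----
-sign/rpmgensig.c | 4 ----
-4 files changed, 16 deletions(-)
-
-diff --git a/rpmdb.c b/rpmdb.c
-index 67630d00c..25c088da9 100644
---- a/rpmdb.c
-+++ b/rpmdb.c
-@@ -6,10 +6,6 @@
-#include "cliutils.h"
-#include "debug.h"
-
--#if !defined(__GLIBC__) && !defined(__APPLE__)
--char ** environ = NULL;
--#endif
--
-enum modes {
-MODE_INITDB = (1 << 0),
-MODE_REBUILDDB = (1 << 1),
-diff --git a/rpmkeys.c b/rpmkeys.c
-index 0ecc65ed1..2b60a729e 100644
---- a/rpmkeys.c
-+++ b/rpmkeys.c
-@@ -5,10 +5,6 @@
-#include "cliutils.h"
-#include "debug.h"
-
--#if !defined(__GLIBC__) && !defined(__APPLE__)
--char ** environ = NULL;
--#endif
--
-enum modes {
-MODE_CHECKSIG = (1 << 0),
-MODE_IMPORTKEY = (1 << 1),
-diff --git a/rpmsign.c b/rpmsign.c
-index dce342af0..04738c052 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -9,10 +9,6 @@
-#include "cliutils.h"
-#include "debug.h"
-
--#if !defined(__GLIBC__) && !defined(__APPLE__)
--char ** environ = NULL;
--#endif
--
-enum modes {
-MODE_NONE = 0,
-MODE_ADDSIGN = (1 << 0),
-diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
-index 141ad1530..5c04e9218 100644
---- a/sign/rpmgensig.c
-+++ b/sign/rpmgensig.c
-@@ -25,10 +25,6 @@
-
-#include "debug.h"
-
--#if !defined(__GLIBC__) && !defined(__APPLE__)
--char ** environ = NULL;
--#endif
--
-typedef struct sigTarget_s {
-FD_t fd;
-const char *fileName;
---
-2.11.0
-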
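--- a/meta-integrity/recipes-devtools/rpm/rpm/0007-Dont-push-NULL-bodied-macros-in-case-of-get_fskpass-.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 5a6acd24a55d31a7c7e68dc4e46149598f1699a4 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 12:33:23 +0300
-Subject: [PATCH] Dont push NULL-bodied macros (in case of get_fskpass()
-failure)
-
----
-rpmsign.c | 4 ++--
-sign/rpmgensig.c | 2 +-
-2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 04738c052..578079a4d 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -119,9 +119,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-fileSigningKeyPassword = get_fskpass();
-}
-
-- rpmPushMacro(NULL, "_file_signing_key_password", NULL,
-- fileSigningKeyPassword, RMIL_CMDLINE);
-if (fileSigningKeyPassword) {
-+ rpmPushMacro(NULL, "_file_signing_key_password", NULL,
-+ fileSigningKeyPassword, RMIL_CMDLINE);
-memset(fileSigningKeyPassword, 0, strlen(fileSigningKeyPassword));
-free(fileSigningKeyPassword);
-}
-diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
-index 5c04e9218..073136364 100644
---- a/sign/rpmgensig.c
-+++ b/sign/rpmgensig.c
-@@ -538,7 +538,7 @@ static rpmRC includeFileSignatures(FD_t fd, const char *rpm,
-
-key = rpmExpand("%{?_file_signing_key}", NULL);
-
-- keypass = rpmExpand("%{_file_signing_key_password}", NULL);
-+ keypass = rpmExpand("%{?_file_signing_key_password}", NULL);
-if (rstreq(keypass, "")) {
-free(keypass);
-keypass = NULL;
---
-2.11.0
-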
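--- a/meta-integrity/recipes-devtools/rpm/rpm/0008-Move-key-password-helper-variables-to-local-scope.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 46eadbf33d06a0a97be0845afe09873acb44af3c Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 12:35:43 +0300
-Subject: [PATCH] Move key/password helper variables to local scope
-
----
-rpmsign.c | 7 +++----
-1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 578079a4d..35c5ee966 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -21,7 +21,6 @@ static int mode = MODE_NONE;
-#ifdef WITH_IMAEVM
-static int signfiles = 0, fskpass = 0;
-static char * fileSigningKey = NULL;
--static char * fileSigningKeyPassword = NULL;
-#endif
-
-static struct rpmSignArgs sargs = {NULL, 0, 0};
-@@ -96,7 +95,6 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-{
-int rc = EXIT_FAILURE;
-char * name = rpmExpand("%{?_gpg_name}", NULL);
-- char *key = NULL;
-
-if (rstreq(name, "")) {
-fprintf(stderr, _("You must set \"%%_gpg_name\" in your macro file\n"));
-@@ -109,7 +107,8 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-}
-
-if (signfiles) {
-- key = rpmExpand("%{?_file_signing_key}", NULL);
-+ char *fileSigningKeyPassword = NULL;
-+ char *key = rpmExpand("%{?_file_signing_key}", NULL);
-if (rstreq(key, "")) {
-fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
-goto exit;
-@@ -127,6 +126,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-}
-
-sargs->signfiles = 1;
-+ free(key);
-}
-#endif
-
-@@ -137,7 +137,6 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
-}
-
-exit:
-- free(key);
-free(name);
-return rc;
-}
---
-2.11.0
-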
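--- a/meta-integrity/recipes-devtools/rpm/rpm/0009-Use-rpm-memory-allocator-so-we-dont-need-to-check-fo.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 542f41a8bdc385ed849170565ac353956a47683a Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 12:45:21 +0300
-Subject: [PATCH] Use rpm memory allocator so we dont need to check for return
-
----
-rpmsign.c | 9 ++-------
-1 file changed, 2 insertions(+), 7 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index 35c5ee966..a59f2dc1c 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -59,14 +59,9 @@ static struct poptOption optionsTable[] = {
-static char *get_fskpass(void)
-{
-struct termios flags, tmp_flags;
-- char *password, *pwd;
-int passlen = 64;
--
-- password = malloc(passlen);
-- if (!password) {
-- perror("malloc");
-- return NULL;
-- }
-+ char *password = xmalloc(passlen);
-+ char *pwd;
-
-tcgetattr(fileno(stdin), &flags);
-tmp_flags = flags;
---
-2.11.0
-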
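--- a/meta-integrity/recipes-devtools/rpm/rpm/0010-Fix-a-number-of-problems-in-get_fskpass.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 46c7bf438e5349676139dba0655faed3b2230827 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Fri, 9 Jun 2017 12:52:08 +0300
-Subject: [PATCH] Fix a number of problems in get_fskpass()
-
-Fix segfault in case of fgets() failure, fix memleak on password
-buffer on failure.
----
-rpmsign.c | 14 ++++++++++----
-1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/rpmsign.c b/rpmsign.c
-index a59f2dc1c..ae86f666d 100644
---- a/rpmsign.c
-+++ b/rpmsign.c
-@@ -61,7 +61,7 @@ static char *get_fskpass(void)
-struct termios flags, tmp_flags;
-int passlen = 64;
-char *password = xmalloc(passlen);
-- char *pwd;
-+ char *pwd = NULL;
-
-tcgetattr(fileno(stdin), &flags);
-tmp_flags = flags;
-@@ -70,17 +70,23 @@ static char *get_fskpass(void)
-
-if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
-perror("tcsetattr");
-- return NULL;
-+ goto exit;
-}
-
-printf("PEM password: ");
-pwd = fgets(password, passlen, stdin);
-- pwd[strlen(pwd) - 1] = '\0'; /* remove newline */
-
-if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
-perror("tcsetattr");
-- return NULL;
-+ pwd = NULL;
-+ goto exit;
-}
-+
-+exit:
-+ if (pwd)
-+ pwd[strlen(pwd) - 1] = '\0'; /* remove newline */
-+ else
-+ free(password);
-return pwd;
-}
-#endif
---
-2.11.0
-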
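--- a/meta-integrity/recipes-devtools/rpm/rpm/0011-Bump-file-digests-to-SHA256-by-default-finally.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0cd74ade37d16d282d13e781deb68a219b2c04b9 Mon Sep 17 00:00:00 2001
-From: Panu Matilainen <pmatilai@redhat.com>
-Date: Wed, 8 Mar 2017 14:51:45 +0200
-Subject: [PATCH] Bump file digests to SHA256 by default, finally
-
-As a part of modernizing the crypto used by rpm, it's way past time
-to use a stronger algorithm for the file digests. The jump from MD5
-is not entirely smooth but at least Fedora and RHEL did that ages ago
-and survived, others should too. And of course you can always flip
-it back to MD5 if you really need to, for eg building packages for
-ancient distro versions.
-
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
-macros.in | 10 +++++-----
-1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/macros.in b/macros.in
-index 72d4a51ed..49a3dab04 100644
---- a/macros.in
-+++ b/macros.in
-@@ -355,17 +355,17 @@ package or when debugging this package.\
-
-# Algorithm to use for generating file checksum digests on build.
-# If not specified or 0, MD5 is used.
--# WARNING: non-MD5 is backwards incompatible, don't enable lightly!
--# The supported algorithms may depend on NSS version, as of NSS
--# 3.11.99.5 the following are supported:
-+# WARNING: non-MD5 is backwards incompatible with rpm < 4.6!
-+# The supported algorithms may depend on the underlying crypto
-+# implementation but generally at least the following are supported:
-# 1 MD5 (default)
-# 2 SHA1
-# 8 SHA256
-# 9 SHA384
-# 10 SHA512
-#
--#%_source_filedigest_algorithm 1
--#%_binary_filedigest_algorithm 1
-+%_source_filedigest_algorithm 8
-+%_binary_filedigest_algorithm 8
-
-# Configurable vendor information, same as Vendor: in a specfile.
-#
---
-2.11.0
-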