Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
pesign-obs-integration.5861
modsign-repackage
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File modsign-repackage of Package pesign-obs-integration.5861
#!/bin/bash # Script to sign kernel modules and create new RPM packages with these # modules. Uses pesign-gen-repackage-spec for the repackaging. # # Copyright (c) 2013 SUSE Linux Products GmbH, Nuernberg, Germany. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA USAGE="$0 --key <private key> --certificate <x509 cert> rpm ..." options=`getopt -o hk:c:s: --long help,key:,certificate:,signatures: -- "$@"` if test $? -ne 0; then echo "$USAGE" >&2 exit 1 fi eval set -- "$options" key= cert= sig_dir= while :; do case "$1" in -k|--key) key=$2 shift 2 ;; -c|--certificate) cert=$2 shift 2 ;; -s|--signatures) sig_dir=$2 shift 2 ;; -h|--help) echo "$USAGE" exit ;; --) shift break esac done err= if test -n "$key" -a -n "$sig_dir"; then err="Cannot use both --key and --signatures" elif test -z "$key" -a -z "$sig_dir"; then err="Please specify either --key or --signatures" elif test -z "$cert"; then err="Please specify --certificate" elif test "$#" -eq 0; then err="No packages specified" fi if test -n "$err"; then echo "$0: $err" >&2 echo "$USAGE" >&2 exit 1 fi workdir="$PWD/rpm-files.$$" buildroot="$workdir/buildroot" rpmdir=RPMS srpmdir=SRPMS disturl= rpms=() rm -rf "$workdir" mkdir "$workdir" || exit mkdir -p "$rpmdir" "$srpmdir" || exit mkdir "$buildroot" echo "Unpacking original RPMs..." for rpm; do # XXX: Use a common script in pesign-repackage.spec.in and here case "$rpm" in *.src.rpm | *.nosrc.rpm) cp "$rpm" "$srpmdir/" continue ;; # Do not repackage debuginfo packages (bnc#806637) *-debuginfo-*.rpm | *-debugsource-*.rpm) dir="$rpmdir/$(rpm -qp --qf '%{arch}' "$rpm")" mkdir -p "$dir" cp "$rpm" "$dir" continue ;; esac # do not repackage baselibs packages # FIXME: needs more generic test (if architecture has different # bitness => skip) case "$(rpm -qp --qf '%{name}/%{arch}' "$rpm")" in *-32bit/x86_64 | *-32bit/s390x | *-32bit/ppc64 | \ *-64bit/ppc | *-x86/ia64) mkdir -p "$rpmdir/$(rpm -qp --qf '%{arch}')/" cp "$rpm" "$_" continue esac rpm2cpio "$rpm" | (cd "$buildroot"; cpio -idm --quiet) || exit d=$(rpm -qp --qf '%{disturl}' "$rpm") if test -z "$disturl"; then disturl=$d fi if test "$disturl" != "$d"; then echo "Error: packages have different disturl: $d vs $disturl" exit 1 fi rpms=("${rpms[@]}" "$rpm") done set -e echo "Signing kernel modules..." if test ! -e "$cert.pub"; then openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub" fi for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do if test -n "$key"; then /usr/lib/rpm/pesign/kernel-sign-file \ sha256 "$key" "$cert" "$buildroot/$module" else raw_sig="$sig_dir/$module.sig" if test ! -e "$raw_sig"; then echo "$module.sig not found in $sig_dir" >&2 exit 1 fi ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$raw_sig" 2>&1 | grep -i error) if [ -n "$ver_err" ]; then echo "$raw_sig signature can not be decrypted by $cert" >&2 exit 1 fi /usr/lib/rpm/pesign/kernel-sign-file \ -s "$raw_sig" sha256 "$cert" "$buildroot/$module" fi done rm "$cert.pub" # Add the certificate mkdir -p "$buildroot/etc/uefi/certs" h=$(openssl x509 -inform DER -fingerprint -noout -in "$cert") filename=/etc/uefi/certs/$(echo "$h" | \ sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt cp "$cert" "$buildroot/$filename" echo "Generating new specfile..." if ! test -e /usr/lib/rpm/kernel-cert-subpackage; then echo "/usr/lib/rpm/kernel-cert-subpackage missing" >&2 echo "please install the kernel-source package" >&2 exit 1 fi /usr/lib/rpm/pesign/pesign-gen-repackage-spec \ --cert-subpackage=/usr/lib/rpm/kernel-cert-subpackage \ --directory="$buildroot" --output="$workdir" "${rpms[@]}" echo "Running rpmbuild..." rpmbuild --define "buildroot $buildroot" --define "disturl $disturl" \ --define "_builddir $workdir" \ --define "_suse_insert_debug_package %{nil}" \ --define "_rpmdir $rpmdir" \ -bb "$workdir/repackage.spec" >"$workdir/log" 2>&1 grep 'RPMS/.*\.rpm$' "$workdir/log" echo "Cleaning up $workdir..." rm -r "$workdir" echo "Done." exit 0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor