|
Server IP : 103.191.208.227 / Your IP : 3.135.185.78 Web Server : LiteSpeed System : Linux emphasis.herosite.pro 4.18.0-553.8.1.lve.el8.x86_64 #1 SMP Thu Jul 4 16:24:39 UTC 2024 x86_64 User : mhmsfzcs ( 1485) PHP Version : 8.1.31 Disable Function : show_source, system, shell_exec, passthru, exec MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON Directory (0755) : /lib64/jna/../../tmp/../tmp/../lib/.build-id/04/../0d/../7d/../../rpm/macros.d/ |
| [ Home ] | [ C0mmand ] | [ Upload File ] |
|---|
# macros for use with pesign
#
# this makes it possible to invoke your build as:
# rpmbuild --define 'pe_signing_token test2' --define "pe_signing_cert signing key for test2" -ba shim.spec
# and then in the spec do:
# %pesign -s -i shim.orig -o shim.efi
# And magically get the right thing.
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}}
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}}
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
# -i <input filename>
# -o <output filename>
# -C <output cert filename>
# -e <output sattr filename>
# -c <input certificate filename> # rhel only
# -n <input certificate name> # rhel only
# -a <input ca cert filename> # rhel only
# -s # perform signing
%pesign(i:o:C:e:c:n:a:s) \
_pesign_nssdir=/etc/pki/pesign \
if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
_pesign_nssdir=/etc/pki/pesign-rh-test \
fi \
if [ -x %{_pesign} ] && \\\
[ "%{_target_cpu}" == "x86_64" -o \\\
"%{_target_cpu}" == "aarch64" ]; then \
if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
nss=$(mktemp -p $PWD -d) \
echo > ${nss}/pwfile \
certutil -N -d ${nss} -f ${nss}/pwfile \
certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss} \
certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
sattrs=$(mktemp -p $PWD --suffix=.der) \
%{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
%{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
--certdir ${nss} -c signer %{-o} \
rm -rf ${sattrs} ${sattrs}.sig ${nss} \
elif [ "%{vendor}" == "Fedora Project" -a \\\
"$(id -un)" == "mockbuild" -a \\\
"$(uname -m)" == "x86_64" ] && \\\
grep -q ID=fedora /etc/os-release && \\\
[[ "%{_buildhost}" =~ ^bkernel.* ]] && \\\
! [ -S /run/pesign/socket ]; then \
echo "No socket even though this is %{_buildhost}" \
ls -ld /run/pesign || : \
getfacl /run/pesign || : \
ls -l /run/pesign/socket || : \
getfacl /run/pesign/socket || : \
echo =========== env ============== \
set \
echo =========== env ============== \
exit 1 \
elif [ -S /run/pesign/socket ]; then \
%{_pesign_client} -t %{__pesign_client_token} \\\
-c %{__pesign_client_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
%{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
--certdir ${_pesign_nssdir} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
else \
if [ -n "%{-i*}" -a -n "%{-o*}" ]; then \
mv %{-i*} %{-o*} \
elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then \
touch %{-e*} \
fi \
fi \
if [ ! -s %{-o} ]; then \
if [ -e "%{-o*}" ]; then \
rm -f %{-o*} \
fi \
exit 1 \
fi ;