From f1576a29d14b555705d05f3db42e6f9f8173e7ae Mon Sep 17 00:00:00 2001
From: Huaxin Lu
Date: Sat, 14 Jan 2023 11:23:18 +0800
Subject: [PATCH] add support for EBS sign
---
 ...support-EBS-sign-for-IMA-digest-list.patch | 82 +++++++++++++++++++
 openEuler-rpm-config.spec | 7 +-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 Feature-support-EBS-sign-for-IMA-digest-list.patch
diff --git a/Feature-support-EBS-sign-for-IMA-digest-list.patch b/Feature-support-EBS-sign-for-IMA-digest-list.patch
new file mode 100644
index 0000000..39b6aae
--- /dev/null
+++ b/Feature-support-EBS-sign-for-IMA-digest-list.patch
@@ -0,0 +1,82 @@
+From 0449160c84daff8c557dee47a970e4f4837ff81d Mon Sep 17 00:00:00 2001
+From: Huaxin Lu
+Date: Mon, 12 Dec 2022 00:16:01 +0800
+Subject: [PATCH] support EBS sign for IMA digest list
+
+Signed-off-by: Huaxin Lu
+---
+ brp-digest-list | 16 ++++++++++++++++
+ brp-ebs-sign | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 50 insertions(+)
+ create mode 100644 brp-ebs-sign
+
+diff --git a/brp-digest-list b/brp-digest-list
+index e698b7a..9ec50a2 100644
+--- a/brp-digest-list
++++ b/brp-digest-list
+@@ -84,6 +84,22 @@ if [[ "$(basename $BIN_PKG_FILES)" =~ "digest-list-tools" && \
+ chmod 644 $f
+ echo $f
+
++ # do EBS sign
++ export PUBLISHER_HOST=$(grep PUBLISHER_HOST /lkp/scheduled/job.yaml | awk '{print $2}')
++ export PUBLISHER_PORT=$(grep PUBLISHER_PORT /lkp/scheduled/job.yaml | awk '{print $2}')
++ if [[ -n "$PUBLISHER_HOST" && -n "$PUBLISHER_PORT" ]]; then
++ [ -f /usr/lib/rpm/brp-ebs-sign ] || exit 0
++ for f in $(ls $DIGEST_LIST_DIR); do
++ sh /usr/lib/rpm/brp-ebs-sign $DIGEST_LIST_DIR/$f &> /dev/null
++ [ -f $DIGEST_LIST_DIR/$f.sig ] || exit 0
++ chmod 644 $DIGEST_LIST_DIR/$f.sig
++ mv $DIGEST_LIST_DIR/$f.sig $DIGEST_LIST_DIR.sig/$f.sig
++ echo $DIGEST_LIST_DIR.sig/$f.sig
++ done
++ exit 0
++ fi
++
++ # do OBS sign
+ [ -f /usr/lib/rpm/brp-suse.d/brp-99-pesign ] || exit 0
+
+ export BRP_PESIGN_FILES="$2/etc/ima/digest_lists/*"
+diff --git a/brp-ebs-sign b/brp-ebs-sign
+new file mode 100644
+index 0000000..662a9f7
+--- /dev/null
++++ b/brp-ebs-sign
+@@ -0,0 +1,34 @@
++#!/bin/bash
++
++# config
++PUBLISHER_ADDR="http://${PUBLISHER_HOST}:${PUBLISHER_PORT}/sign-files"
++POST_KEY_BASE64="encoded_file_content"
++POST_KEY_MD5="file_md5"
++REQ_KEY_BASE64="signed_file_content"
++REQ_KEY_MD5="signed_file_md5"
++
++# function definition
++get_json_value(){
++ echo "$1" | awk -F "[{,:}]" '{for(i=1;i $file.sig
++[ $? -eq 0 ] || { echo "Fail to decode value of $key"; exit 1; }
++
++sig_md5=$(get_json_value "$req" "$REQ_KEY_MD5")
++[ $? -eq 0 ] || { echo "Fail to parser $REQ_KEY_MD5"; exit 1; }
++md5sum $file.sig | grep "$sig_md5"
++[ $? -eq 0 ] || { echo "Fail to check md5 of $file.sig"; exit 1; }
++
++echo "Sign $file ok!"
++exit 0
+--
+2.33.0
+
diff --git a/openEuler-rpm-config.spec b/openEuler-rpm-config.spec
index f812efc..76bb131 100644
--- a/openEuler-rpm-config.spec
+++ b/openEuler-rpm-config.spec
@@ -3,7 +3,7 @@ Name: %{vendor}-rpm-config
 Version: 30
-Release: 34
+Release: 35
 License: GPL+
 Summary: specific rpm configuration files
 URL: https://gitee.com/openeuler/openEuler-rpm-config
@@ -27,6 +27,7 @@ Patch13: add-loongarch64-support-for-config.guess-and-config.sub.patch
 Patch14: backport-kmp-feature.patch
 Patch15: 0001-add-loongarch64-for-golang_arches.patch
 Patch16: fix-config-error-for-loongarch64.patch
+Patch17: Feature-support-EBS-sign-for-IMA-digest-list.patch
 Provides: python-rpm-macros = %{?epoch:%{epoch}:}%{version}-%{release}
 Provides: python2-rpm-macros = %{?epoch:%{epoch}:}%{version}-%{release}
@@ -67,6 +68,7 @@ Requires: qt5-srpm-macros
 Requires: rpm >= 4.11.0
 Requires: zip
+Requires: curl
 #Requires: (annobin if gcc)
 # for brp-mangle-shebangs
@@ -133,6 +135,9 @@ sed -i "s/__vendor/%{vendor}/g" `grep "__vendor" -rl %{buildroot}%{_rpmconfigdir
 %{rpmvdir}/find-requires.ksyms
 %changelog
+* Sat Jan 14 2023 luhuaxin - 30-35
+- support EBS sign
+
 * Wed Dec 14 2022 huajingyun - 30-34
 - fix config error for loongarch64
--
Gitee
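Review bot: In the brp-digest-list hunk a failed EBS signature is reported as success: brp-ebs-sign's output is discarded with `&> /dev/null` and a missing `$DIGEST_LIST_DIR/$f.sig` hits `|| exit 0`, so the package is built with unsigned digest lists and a clean build status, which is the one failure mode an IMA digest-list signing step must not have. That check should fail loudly, `[ -f "$DIGEST_LIST_DIR/$f.sig" ] || { echo "EBS sign of $f failed" >&2; exit 1; }`, and the invocation should keep stderr and run the script with bash as its shebang says, so the cause shows up in the build log. In the new brp-ebs-sign the final `md5sum $file.sig | grep "$sig_md5"` also matches against the file name and passes for an empty `$sig_md5`; `[ "$(md5sum "$file.sig" | cut -d' ' -f1)" = "$sig_md5" ]` is the strict form, and since the signature and its digest arrive in the same plain `http://` response this is a transfer-integrity check only, not a verification of the signature, which a comment on that line should say. The `for f in $(ls $DIGEST_LIST_DIR)` loop should be a glob and the `$DIGEST_LIST_DIR/$f` expansions quoted; "Fail to parser" reads as "Fail to parse". The middle of brp-ebs-sign, between the awk body and `$file.sig`, is garbled in this rendering and was not reviewed.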