File modsign-repackage of Package pesign-obs-integration.12550

#!/bin/bash
# Script to sign kernel modules and create new RPM packages with these
# modules. Uses pesign-gen-repackage-spec for the repackaging.
#
# Copyright (c) 2013 SUSE Linux Products GmbH, Nuernberg, Germany.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA

USAGE="$0 --key <private key> --certificate <x509 cert> rpm ..."

options=`getopt -o hk:c:s: --long help,key:,certificate:,signatures: -- "$@"`
if test $? -ne 0; then
	echo "$USAGE" >&2
	exit 1
fi
eval set -- "$options"
key=
cert=
sig_dir=
while :; do
	case "$1" in
	-k|--key)
		key=$2
		shift 2
		;;
	-c|--certificate)
		cert=$2
		shift 2
		;;
	-s|--signatures)
		sig_dir=$2
		shift 2
		;;
	-h|--help)
		echo "$USAGE"
		exit
		;;
	--)
		shift
		break
	esac
done
err=
if test -n "$key" -a -n "$sig_dir"; then
	err="Cannot use both --key and --signatures"
elif test -z "$key" -a -z "$sig_dir"; then
	err="Please specify either --key or --signatures"
elif test -z "$cert"; then
	err="Please specify --certificate"
elif test "$#" -eq 0; then
	err="No packages specified"
fi
if test -n "$err"; then
	echo "$0: $err" >&2
	echo "$USAGE" >&2
	exit 1
fi

workdir="$PWD/rpm-files.$$"
buildroot="$workdir/buildroot"
rpmdir=RPMS
srpmdir=SRPMS
disturl=
rpms=()
rm -rf "$workdir"
mkdir "$workdir" || exit
mkdir -p "$rpmdir" "$srpmdir" || exit
mkdir "$buildroot"
echo "Unpacking original RPMs..."
for rpm; do
	# XXX: Use a common script in pesign-repackage.spec.in and here
	case "$rpm" in
	*.src.rpm | *.nosrc.rpm)
		cp "$rpm" "$srpmdir/"
		continue
		;;
	# Do not repackage debuginfo packages (bnc#806637)
	*-debuginfo-*.rpm | *-debugsource-*.rpm)
		dir="$rpmdir/$(rpm -qp --qf '%{arch}' "$rpm")"
		mkdir -p "$dir"
		cp "$rpm" "$dir"
		continue
		;;
	esac
	# do not repackage baselibs packages
	# FIXME: needs more generic test (if architecture has different
	# bitness => skip)
	case "$(rpm -qp --qf '%{name}/%{arch}' "$rpm")" in
	*-32bit/x86_64 | *-32bit/s390x | *-32bit/ppc64 | \
	*-64bit/ppc | *-x86/ia64)
		mkdir -p "$rpmdir/$(rpm -qp --qf '%{arch}')/"
		cp "$rpm" "$_"
		continue
	esac
	rpm2cpio "$rpm" | (cd "$buildroot"; cpio -idm --quiet) || exit
	d=$(rpm -qp --qf '%{disturl}' "$rpm")
	if test -z "$disturl"; then
		disturl=$d
	fi
	if test "$disturl" != "$d"; then
		echo "Error: packages have different disturl: $d vs $disturl"
		exit 1
	fi
	rpms=("${rpms[@]}" "$rpm")
done
set -e
echo "Signing kernel modules..."
if test ! -e "$cert.pub"; then
	openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
fi
for module in $(find "$buildroot" -type f -name '*.ko' -printf '%P\n'); do
	if test -n "$key"; then
		/usr/lib/rpm/pesign/kernel-sign-file \
			-i pkcs7 sha256 "$key" "$cert" "$buildroot/$module"
	else
		raw_sig="$sig_dir/$module.sig"
		if test ! -e "$raw_sig"; then
			echo "$module.sig not found in $sig_dir" >&2
			exit 1
		fi
		ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$raw_sig" 2>&1 | grep -i error)
		if [ -n "$ver_err" ]; then
			echo "$raw_sig signature can not be decrypted by $cert" >&2
			exit 1
		fi
		/usr/lib/rpm/pesign/kernel-sign-file \
			-i pkcs7 -s "$raw_sig" sha256 "$cert" "$buildroot/$module"
	fi

done
rm "$cert.pub"
# Add the certificate
mkdir -p "$buildroot/etc/uefi/certs"
h=$(openssl x509 -inform DER -fingerprint -noout -in "$cert")
filename=/etc/uefi/certs/$(echo "$h" | \
	sed -rn 's/^SHA1 Fingerprint=//; T; s/://g; s/(.{8}).*/\1/p').crt
cp "$cert" "$buildroot/$filename"

echo "Generating new specfile..."
if ! test -e /usr/lib/rpm/kernel-cert-subpackage; then
	echo "/usr/lib/rpm/kernel-cert-subpackage missing" >&2
	echo "please install the kernel-source package" >&2
	exit 1
fi
/usr/lib/rpm/pesign/pesign-gen-repackage-spec \
	--cert-subpackage=/usr/lib/rpm/kernel-cert-subpackage \
	--directory="$buildroot" --output="$workdir" "${rpms[@]}"
echo "Running rpmbuild..."
rpmbuild --define "buildroot $buildroot" --define "disturl $disturl" \
	--define "_builddir $workdir" \
	--define "_suse_insert_debug_package %{nil}" \
	--define "_rpmdir $rpmdir" \
	-bb "$workdir/repackage.spec" >"$workdir/log" 2>&1
grep 'RPMS/.*\.rpm$' "$workdir/log"
echo "Cleaning up $workdir..."
rm -r "$workdir"
echo "Done."
exit 0


openSUSE Build Service is sponsored by