author | Eric Hameleers <alien@slackware.com> | 2021-08-01 10:58:35 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2021-08-01 10:58:35 +0000 |
commit | 77e5dfb02fb9a6e290e72361f2fe99a239ed3566 (patch) | |
tree | a7dc9de6b57647d74ee785740047dccd6afea09a /pesign | |
parent | 4d3f6d4f93bd0e0a5d8f9deaaf5b05905a94829a (diff) | |
download | asb-77e5dfb02fb9a6e290e72361f2fe99a239ed3566.tar.gz asb-77e5dfb02fb9a6e290e72361f2fe99a239ed3566.tar.xz |
Initial revision
Diffstat (limited to 'pesign')
-rw-r--r-- | pesign/build/patches/pesign_nss344.patch | 42 | ||||
-rw-r--r-- | pesign/build/patches/pesign_sigtype.patch | 46 | ||||
-rwxr-xr-x | pesign/build/pesign.SlackBuild | 280 | ||||
-rw-r--r-- | pesign/build/slack-desc | 19 |
4 files changed, 387 insertions, 0 deletions
diff --git a/pesign/build/patches/pesign_nss344.patch b/pesign/build/patches/pesign_nss344.patch new file mode 100644 index 00000000..e3cc74a4 --- /dev/null +++ b/pesign/build/patches/pesign_nss344.patch 
@@ -0,0 +1,42 @@ +From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001 +From: Peter Jones <pjones@redhat.com> +Date: Tue, 14 May 2019 11:28:38 -0400 +Subject: [PATCH] efikeygen: Fix the build with nss 3.44 + +NSS 3.44 adds some certificate types, which changes a type and makes +some encoding stuff weird. As a result, we get: + +gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o +In file included from /usr/local/include/nss/nss/cert.h:22, + from efikeygen.c:39: +efikeygen.c: In function 'add_cert_type': +/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow] + (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \ + ^ +efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP' + unsigned char type = NS_CERT_TYPE_APP; + ^~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors + +This is fixed by just making it an int. + +Fixes github issue #48. + +Signed-off-by: Peter Jones <pjones@redhat.com> +--- + src/efikeygen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/efikeygen.c b/src/efikeygen.c +index ede76ef..2cd953e 100644 +--- a/src/efikeygen.c ++++ b/src/efikeygen.c +@@ -208,7 +208,7 @@ static int + add_cert_type(cms_context *cms, void *extHandle, int is_ca) + { + SECItem bitStringValue; +- unsigned char type = NS_CERT_TYPE_APP; ++ int type = NS_CERT_TYPE_APP; + + if (is_ca) + type |= NS_CERT_TYPE_SSL_CA | 
diff --git a/pesign/build/patches/pesign_sigtype.patch b/pesign/build/patches/pesign_sigtype.patch new file mode 100644 index 00000000..89a57e46 --- /dev/null +++ b/pesign/build/patches/pesign_sigtype.patch @@ -0,0 +1,46 @@ +From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001 +From: Peter Jones <pjones@redhat.com> +Date: Tue, 18 Feb 2020 16:28:56 -0500 +Subject: [PATCH] pesigcheck: Fix a wrong assignment + +gcc says: + + pesigcheck.c: In function 'check_signature': + pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion] + 321 | reason->type = siBuffer; + | ^ + pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion] + 333 | reason->type = siBuffer; + | ^ + cc1: all warnings being treated as errors + +And indeed, that line of code makes no sense at all - it was supposed to +be reason->sig.type. + +Signed-off-by: Peter Jones <pjones@redhat.com> +--- + src/pesigcheck.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/pesigcheck.c b/src/pesigcheck.c +index 524cce3..8fa0f1a 100644 +--- a/src/pesigcheck.c ++++ b/src/pesigcheck.c +@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons, + reason->type = SIGNATURE; + reason->sig.data = data; + reason->sig.len = datalen; +- reason->type = siBuffer; ++ reason->sig.type = siBuffer; + nreason += 1; + is_invalid = true; + } +@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons, + reason->type = SIGNATURE; + reason->sig.data = data; + reason->sig.len = datalen; +- reason->type = siBuffer; ++ reason->sig.type = siBuffer; + nreason += 1; + has_valid_cert = true; + } diff --git a/pesign/build/pesign.SlackBuild b/pesign/build/pesign.SlackBuild new file mode 100755 index 00000000..8592d699 --- /dev/null +++ b/pesign/build/pesign.SlackBuild 
@@ -0,0 +1,280 @@ +#!/bin/sh +# $Id$ +# Copyright 2021 Eric Hameleers, Eindhoven, NL +# All rights reserved. +# +# Permission to use, copy, modify, and distribute this software for +# any purpose with or without fee is hereby granted, provided that +# the above copyright notice and this permission notice appear in all +# copies. +# +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF +# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT +# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# ----------------------------------------------------------------------------- +# +# Slackware SlackBuild script +# =========================== +# By: Eric Hameleers <alien@slackware.com> +# For: pesign +# Descr: tools for manipulating signed pe-coff binaries +# URL: https://github.com/rhboot/pesign +# Build needs: +# Needs: +# Changelog: +# 113-1: 01/aug/2021 by Eric Hameleers <alien@slackware.com> +# * Initial build. +# +# Run 'sh pesign.SlackBuild' to build a Slackware package. +# The package (.t?z) and .txt file as well as build logs are created in /tmp . +# Install the package using 'installpkg' or 'upgradepkg --install-new'. 
+# +# ----------------------------------------------------------------------------- + +PRGNAM=pesign +VERSION=${VERSION:-113} +BUILD=${BUILD:-1} +NUMJOBS=${NUMJOBS:-" -j$(nproc) "} +TAG=${TAG:-alien} + +DOCS="COPYING README TODO" + +# Account numbers as registered in https://slackbuilds.org/uid_gid.txt : +PESIGNUID=369 +PESIGNGID=369 + +# Where do we look for sources? +SRCDIR=$(cd $(dirname $0); pwd) + +# Place to build (TMP) package (PKG) and output (OUTPUT) the program: +TMP=${TMP:-/tmp/build} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +SOURCE="$SRCDIR/${PRGNAM}-${VERSION}.tar.gz" +SRCURL="https://github.com/rhboot/${PRGNAM}/archive/${VERSION}.tar.gz" + +## +## --- with a little luck, you won't have to edit below this point --- ## +## + +# Automatically determine the architecture we're building on: +if [ -z "$ARCH" ]; then + case "$(uname -m)" in + i?86) ARCH=i586 ;; + arm*) readelf /usr/bin/file -A | egrep -q "Tag_CPU.*[4,5]" && ARCH=arm || ARCH=armv7hl ;; + # Unless $ARCH is already set, use uname -m for all other archs: + *) ARCH=$(uname -m) ;; + esac + export ARCH +fi +# Set CFLAGS/CXXFLAGS and LIBDIRSUFFIX: +case "$ARCH" in + i?86) SLKCFLAGS="-O2 -march=${ARCH} -mtune=i686" + SLKLDFLAGS=""; LIBDIRSUFFIX="" + ;; + x86_64) SLKCFLAGS="-O2 -fPIC" + SLKLDFLAGS="-L/usr/lib64"; LIBDIRSUFFIX="64" + ;; + armv7hl) SLKCFLAGS="-O2 -march=armv7-a -mfpu=vfpv3-d16" + SLKLDFLAGS=""; LIBDIRSUFFIX="" + ;; + *) SLKCFLAGS=${SLKCFLAGS:-"-O2"} + SLKLDFLAGS=${SLKLDFLAGS:-""}; LIBDIRSUFFIX=${LIBDIRSUFFIX:-""} + ;; +esac + +case "$ARCH" in + arm*) TARGET=$ARCH-slackware-linux-gnueabi ;; + *) TARGET=$ARCH-slackware-linux ;; +esac + +# Exit the script on errors: +set -e +trap 'echo "$0 FAILED at line ${LINENO}" | tee $OUTPUT/error-${PRGNAM}.log' ERR +# Catch unitialized variables: +set -u +P1=${1:-1} + +# Save old umask and set to 0022: +_UMASK_=$(umask) +umask 0022 + +# Create working directories: +mkdir -p $OUTPUT # place for the package to be saved +mkdir -p 
$TMP/tmp-$PRGNAM # location to build the source +mkdir -p $PKG # place for the package to be built +rm -rf $PKG/* # always erase old package's contents +rm -rf $TMP/tmp-$PRGNAM/* # remove the remnants of previous build +rm -rf $OUTPUT/{checkout,configure,make,install,error,makepkg,patch}-$PRGNAM.log + # remove old log files + +# Source file availability: +if ! [ -f ${SOURCE} ]; then + echo "Source '$(basename ${SOURCE})' not available yet..." + # Check if the $SRCDIR is writable at all - if not, download to $OUTPUT + [ -w "$SRCDIR" ] || SOURCE="$OUTPUT/$(basename $SOURCE)" + if [ -f ${SOURCE} ]; then echo "Ah, found it!"; continue; fi + if ! [ "x${SRCURL}" == "x" ]; then + echo "Will download file to $(dirname $SOURCE)" + wget --no-check-certificate -nv -T 20 -O "${SOURCE}" "${SRCURL}" || true + if [ $? -ne 0 -o ! -s "${SOURCE}" ]; then + echo "Downloading '$(basename ${SOURCE})' failed... aborting the build." + mv -f "${SOURCE}" "${SOURCE}".FAIL + exit 1 + fi + else + echo "File '$(basename ${SOURCE})' not available... aborting the build." + exit 1 + fi +fi + +if [ "$P1" == "--download" ]; then + echo "Download complete." + exit 0 +fi + +# --- PACKAGE BUILDING --- + +echo "++" +echo "|| $PRGNAM-$VERSION" +echo "++" + +cd $TMP/tmp-$PRGNAM +echo "Extracting the source archive(s) for $PRGNAM..." +tar -xvf ${SOURCE} +cd ${PRGNAM}-${VERSION} + +# Compile breaks because of '-Werror': +sed -i Make.defaults -e 's/\-Werror//g' +touch $OUTPUT/patch-${PRGNAM}.log +# Fix compile with nss-3.44: +# https://github.com/rhboot/pesign/commit/b535d1ac5cbcdf18a97d97a92581e38080d9e521.patch +cat $SRCDIR/patches/pesign_nss344.patch | patch -p1 --verbose \ + 2>&1 | tee -a $OUTPUT/patch-${PRGNAM}.log +# Fix a wrong assignment: +# https://github.com/rhboot/pesign/commit/c555fd74c009242c3864576bd5f17a1f8f4fdffd.patch +cat $SRCDIR/patches/pesign_sigtype.patch | patch -p1 --verbose \ + 2>&1 | tee -a $OUTPUT/patch-${PRGNAM}.log + +chown -R root:root . +chmod -R u+w,go+r-w,a+rX-st . 
+ +echo Building ... +export LDFLAGS="$SLKLDFLAGS" +export CXXFLAGS="$SLKCFLAGS" +export CFLAGS="$SLKCFLAGS" +make $NUMJOBS 2>&1 | tee $OUTPUT/make-${PRGNAM}.log +make DESTDIR=$PKG install \ + VERSION=${VERSION} \ + docdir=/usr/doc \ + libdir=/usr/lib${LIBDIRSUFFIX} \ + libexecdir=/usr/libexec \ + mandir=/usr/man/ \ + 2>&1 | tee $OUTPUT/install-${PRGNAM}.log + +# Install a Slackware boot script for the PE signing daemon: +install -Dm0644 src/pesign.sysvinit $PKG/etc/rc.d/rc.pesign.new + +# Remove cruft: +rm -rf $PKG/etc/pki $PKG/etc/popt.d $PKG/etc/rpm + +# Don't clobber configuration files: +mv -i $PKG/etc/pesign/groups{,.new} +mv -i $PKG/etc/pesign/users{,.new} + +# Add this to the doinst.sh: +mkdir -p $PKG/install +cat <<EOINS >> $PKG/install/doinst.sh +# Handle the incoming configuration files: +config() { + for infile in \$1; do + NEW="\$infile" + OLD="\$(dirname \$NEW)/\$(basename \$NEW .new)" + # If there's no config file by that name, mv it over: + if [ ! -r \$OLD ]; then + mv \$NEW \$OLD + elif [ "\$(cat \$OLD | md5sum)" = "\$(cat \$NEW | md5sum)" ]; then + # toss the redundant copy + rm \$NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... + done +} +preserve_perms() { + NEW="\$1" + OLD="\$(dirname \$NEW)/\$(basename \$NEW .new)" + if [ -e \$OLD ]; then + cp -a \$OLD \${NEW}.incoming + cat \$NEW > \${NEW}.incoming + mv \${NEW}.incoming \$NEW + fi + config \$NEW +} +preserve_perms etc/rc.d/rc.pesign.new +config etc/pesign/groups.new +config etc/pesign/users.new + +# Create 'pesign' user and group on target host: +chroot . \ +getent group pesign > /dev/null || \ + /usr/sbin/groupadd -g ${PESIGNGID} -r pesign 2>/dev/null +chroot . \ +getent passwd pesign > /dev/null || \ + /usr/sbin/useradd -c "PE signing daemon" -g pesign \ + -s /bin/bash -u ${PESIGNUID} -r pesign 2>/dev/null + +# Update rc.local so that pesign will be started on boot: +if ! 
grep -q "rc.pesign" etc/rc.d/rc.local ; then + cat <<_EOM_ >> etc/rc.d/rc.local +if [ -x /etc/rc.d/rc.pesign ]; then + # Start PE signing daemon: + echo "Starting PE signing daemon: /etc/rc.d/rc.pesign start" + /etc/rc.d/rc.pesign start +fi +_EOM_ +fi + +EOINS + +# Add documentation: +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a $DOCS $PKG/usr/doc/$PRGNAM-$VERSION || true +cat $SRCDIR/$(basename $0) > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild +chown -R root:root $PKG/usr/doc/$PRGNAM-$VERSION +find $PKG/usr/doc -type f -exec chmod 644 {} \; + +# Compress the man page(s): +if [ -d $PKG/usr/man ]; then + find $PKG/usr/man -type f -name "*.?" -exec gzip -9f {} \; + for i in $(find $PKG/usr/man -type l -name "*.?") ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done +fi + +# Strip binaries (if any): +find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \ + | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true + +# Add a package description: +mkdir -p $PKG/install +cat $SRCDIR/slack-desc > $PKG/install/slack-desc + +# Build the package: +cd $PKG +makepkg --linkadd y --chown n $OUTPUT/${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.${PKGTYPE:-txz} 2>&1 | tee $OUTPUT/makepkg-${PRGNAM}.log +cd $OUTPUT +md5sum ${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.${PKGTYPE:-txz} > ${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.${PKGTYPE:-txz}.md5 +cd - +cat $PKG/install/slack-desc | grep "^${PRGNAM}" > $OUTPUT/${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.txt + +# Restore the original umask: +umask ${_UMASK_} + diff --git a/pesign/build/slack-desc b/pesign/build/slack-desc new file mode 100644 index 00000000..4ce1e205 --- /dev/null +++ b/pesign/build/slack-desc 
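Review bot: The source-download step disables TLS verification (`wget --no-check-certificate -nv -T 20 -O "${SOURCE}" "${SRCURL}"`) and nothing afterwards compares the fetched tarball with a known hash before `tar -xvf` and the build, so the only integrity signal on the input is that the file is non-empty (the `md5sum` at the end is computed over the output package, not the source). The failure test just below it is also ineffective: `wget ... || true` leaves `$?` at 0, so `if [ $? -ne 0 -o ! -s "${SOURCE}" ]` can only ever fire on an empty file. Drop `--no-check-certificate`, test the command directly instead of `$?`, and pin the archive with a sha256 checked once the file is in place, as sketched below (`SRCSHA256` is a placeholder to fill with the known-good value, and it needs a definition because `set -u` is in effect). Separately, `set -e` does not see the exit status of `patch` or `make` when they are piped into `tee` under `#!/bin/sh`, so a failed patch or build still proceeds to `makepkg`; `[ "x${SRCURL}" == "x" ]` and the `continue` outside any loop on the "Ah, found it!" line are likewise not portable /bin/sh.
```shell
# … unchanged: SOURCE / SRCURL definitions …
SRCSHA256=${SRCSHA256:-"<sha256 of the known-good tarball>"}   # placeholder: fill in before use
# … unchanged: directory setup, fallback to $OUTPUT when $SRCDIR is read-only …
  if ! [ "x${SRCURL}" = "x" ]; then
    echo "Will download file to $(dirname $SOURCE)"
    if ! wget -nv -T 20 -O "${SOURCE}" "${SRCURL}" || [ ! -s "${SOURCE}" ]; then
      echo "Downloading '$(basename ${SOURCE})' failed... aborting the build."
      mv -f "${SOURCE}" "${SOURCE}".FAIL
      exit 1
    fi
# … unchanged: "not available" branch and closing fi …
# Refuse to build from an archive that does not match the pinned hash:
echo "${SRCSHA256}  ${SOURCE}" | sha256sum -c - || exit 1
```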
@@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +pesign: pesign (tools for manipulating signed pe-coff binaries) +pesign: +pesign: Signing tool for PE-COFF binaries, hopefully at least vaguely +pesign: compliant with the PE and Authenticode specifications. +pesign: This is vaguely analogous to the tool described by +pesign: http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx +pesign: +pesign: +pesign: +pesign: See also: https://github.com/rhboot/pesign +pesign: |