author Eric Hameleers <alien@slackware.com>2021-08-01 10:58:35 +0000
committer Eric Hameleers <alien@slackware.com>2021-08-01 10:58:35 +0000
commit77e5dfb02fb9a6e290e72361f2fe99a239ed3566 (patch)
treea7dc9de6b57647d74ee785740047dccd6afea09a
parent4d3f6d4f93bd0e0a5d8f9deaaf5b05905a94829a (diff)
downloadasb-77e5dfb02fb9a6e290e72361f2fe99a239ed3566.tar.gz
asb-77e5dfb02fb9a6e290e72361f2fe99a239ed3566.tar.xz
Initial revision
-rw-r--r--pesign/build/patches/pesign_nss344.patch42
-rw-r--r--pesign/build/patches/pesign_sigtype.patch46
-rwxr-xr-xpesign/build/pesign.SlackBuild280
-rw-r--r--pesign/build/slack-desc19
4 files changed, 387 insertions, 0 deletions
diff --git a/pesign/build/patches/pesign_nss344.patch b/pesign/build/patches/pesign_nss344.patch
new file mode 100644
index 00000000..e3cc74a4
--- /dev/null
+++ b/pesign/build/patches/pesign_nss344.patch
@@ -0,0 +1,42 @@
+From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 May 2019 11:28:38 -0400
+Subject: [PATCH] efikeygen: Fix the build with nss 3.44
+
+NSS 3.44 adds some certificate types, which changes a type and makes
+some encoding stuff weird. As a result, we get:
+
+gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing -g -O0 -g -O0 -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/ -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
+In file included from /usr/local/include/nss/nss/cert.h:22,
+ from efikeygen.c:39:
+efikeygen.c: In function 'add_cert_type':
+/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
+ (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
+ ^
+efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
+ unsigned char type = NS_CERT_TYPE_APP;
+ ^~~~~~~~~~~~~~~~
+cc1: all warnings being treated as errors
+
+This is fixed by just making it an int.
+
+Fixes github issue #48.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/efikeygen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index ede76ef..2cd953e 100644
+--- a/src/efikeygen.c
++++ b/src/efikeygen.c
+@@ -208,7 +208,7 @@ static int
+ add_cert_type(cms_context *cms, void *extHandle, int is_ca)
+ {
+ SECItem bitStringValue;
+- unsigned char type = NS_CERT_TYPE_APP;
++ int type = NS_CERT_TYPE_APP;
+
+ if (is_ca)
+ type |= NS_CERT_TYPE_SSL_CA |
diff --git a/pesign/build/patches/pesign_sigtype.patch b/pesign/build/patches/pesign_sigtype.patch
new file mode 100644
index 00000000..89a57e46
--- /dev/null
+++ b/pesign/build/patches/pesign_sigtype.patch
@@ -0,0 +1,46 @@
+From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 18 Feb 2020 16:28:56 -0500
+Subject: [PATCH] pesigcheck: Fix a wrong assignment
+
+gcc says:
+
+ pesigcheck.c: In function 'check_signature':
+ pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
+ 321 | reason->type = siBuffer;
+ | ^
+ pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
+ 333 | reason->type = siBuffer;
+ | ^
+ cc1: all warnings being treated as errors
+
+And indeed, that line of code makes no sense at all - it was supposed to
+be reason->sig.type.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesigcheck.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pesigcheck.c b/src/pesigcheck.c
+index 524cce3..8fa0f1a 100644
+--- a/src/pesigcheck.c
++++ b/src/pesigcheck.c
+@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+- reason->type = siBuffer;
++ reason->sig.type = siBuffer;
+ nreason += 1;
+ is_invalid = true;
+ }
+@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
+ reason->type = SIGNATURE;
+ reason->sig.data = data;
+ reason->sig.len = datalen;
+- reason->type = siBuffer;
++ reason->sig.type = siBuffer;
+ nreason += 1;
+ has_valid_cert = true;
+ }
diff --git a/pesign/build/pesign.SlackBuild b/pesign/build/pesign.SlackBuild
new file mode 100755
index 00000000..8592d699
--- /dev/null
+++ b/pesign/build/pesign.SlackBuild
@@ -0,0 +1,280 @@
+#!/bin/sh
+# $Id$
+# Copyright 2021 Eric Hameleers, Eindhoven, NL
+# All rights reserved.
+#
+# Permission to use, copy, modify, and distribute this software for
+# any purpose with or without fee is hereby granted, provided that
+# the above copyright notice and this permission notice appear in all
+# copies.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+# -----------------------------------------------------------------------------
+#
+# Slackware SlackBuild script
+# ===========================
+# By: Eric Hameleers <alien@slackware.com>
+# For: pesign
+# Descr: tools for manipulating signed pe-coff binaries
+# URL: https://github.com/rhboot/pesign
+# Build needs:
+# Needs:
+# Changelog:
+# 113-1: 01/aug/2021 by Eric Hameleers <alien@slackware.com>
+# * Initial build.
+#
+# Run 'sh pesign.SlackBuild' to build a Slackware package.
+# The package (.t?z) and .txt file as well as build logs are created in /tmp .
+# Install the package using 'installpkg' or 'upgradepkg --install-new'.
+#
+# -----------------------------------------------------------------------------
+
+PRGNAM=pesign
+VERSION=${VERSION:-113}
+BUILD=${BUILD:-1}
+NUMJOBS=${NUMJOBS:-" -j$(nproc) "}
+TAG=${TAG:-alien}
+
+DOCS="COPYING README TODO"
+
+# Account numbers as registered in https://slackbuilds.org/uid_gid.txt :
+PESIGNUID=369
+PESIGNGID=369
+
+# Where do we look for sources?
+SRCDIR=$(cd $(dirname $0); pwd)
+
+# Place to build (TMP) package (PKG) and output (OUTPUT) the program:
+TMP=${TMP:-/tmp/build}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+SOURCE="$SRCDIR/${PRGNAM}-${VERSION}.tar.gz"
+SRCURL="https://github.com/rhboot/${PRGNAM}/archive/${VERSION}.tar.gz"
+
+##
+## --- with a little luck, you won't have to edit below this point --- ##
+##
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$(uname -m)" in
+ i?86) ARCH=i586 ;;
+ arm*) readelf /usr/bin/file -A | egrep -q "Tag_CPU.*[4,5]" && ARCH=arm || ARCH=armv7hl ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) ARCH=$(uname -m) ;;
+ esac
+ export ARCH
+fi
+# Set CFLAGS/CXXFLAGS and LIBDIRSUFFIX:
+case "$ARCH" in
+ i?86) SLKCFLAGS="-O2 -march=${ARCH} -mtune=i686"
+ SLKLDFLAGS=""; LIBDIRSUFFIX=""
+ ;;
+ x86_64) SLKCFLAGS="-O2 -fPIC"
+ SLKLDFLAGS="-L/usr/lib64"; LIBDIRSUFFIX="64"
+ ;;
+ armv7hl) SLKCFLAGS="-O2 -march=armv7-a -mfpu=vfpv3-d16"
+ SLKLDFLAGS=""; LIBDIRSUFFIX=""
+ ;;
+ *) SLKCFLAGS=${SLKCFLAGS:-"-O2"}
+ SLKLDFLAGS=${SLKLDFLAGS:-""}; LIBDIRSUFFIX=${LIBDIRSUFFIX:-""}
+ ;;
+esac
+
+case "$ARCH" in
+ arm*) TARGET=$ARCH-slackware-linux-gnueabi ;;
+ *) TARGET=$ARCH-slackware-linux ;;
+esac
+
+# Exit the script on errors:
+set -e
+trap 'echo "$0 FAILED at line ${LINENO}" | tee $OUTPUT/error-${PRGNAM}.log' ERR
+# Catch unitialized variables:
+set -u
+P1=${1:-1}
+
+# Save old umask and set to 0022:
+_UMASK_=$(umask)
+umask 0022
+
+# Create working directories:
+mkdir -p $OUTPUT # place for the package to be saved
+mkdir -p $TMP/tmp-$PRGNAM # location to build the source
+mkdir -p $PKG # place for the package to be built
+rm -rf $PKG/* # always erase old package's contents
+rm -rf $TMP/tmp-$PRGNAM/* # remove the remnants of previous build
+rm -rf $OUTPUT/{checkout,configure,make,install,error,makepkg,patch}-$PRGNAM.log
+ # remove old log files
+
+# Source file availability:
+if ! [ -f ${SOURCE} ]; then
+ echo "Source '$(basename ${SOURCE})' not available yet..."
+ # Check if the $SRCDIR is writable at all - if not, download to $OUTPUT
+ [ -w "$SRCDIR" ] || SOURCE="$OUTPUT/$(basename $SOURCE)"
+ if [ -f ${SOURCE} ]; then echo "Ah, found it!"; continue; fi
+ if ! [ "x${SRCURL}" == "x" ]; then
+ echo "Will download file to $(dirname $SOURCE)"
+ wget --no-check-certificate -nv -T 20 -O "${SOURCE}" "${SRCURL}" || true
+ if [ $? -ne 0 -o ! -s "${SOURCE}" ]; then
+ echo "Downloading '$(basename ${SOURCE})' failed... aborting the build."
+ mv -f "${SOURCE}" "${SOURCE}".FAIL
+ exit 1
+ fi
+ else
+ echo "File '$(basename ${SOURCE})' not available... aborting the build."
+ exit 1
+ fi
+fi
+
+if [ "$P1" == "--download" ]; then
+ echo "Download complete."
+ exit 0
+fi
+
+# --- PACKAGE BUILDING ---
+
+echo "++"
+echo "|| $PRGNAM-$VERSION"
+echo "++"
+
+cd $TMP/tmp-$PRGNAM
+echo "Extracting the source archive(s) for $PRGNAM..."
+tar -xvf ${SOURCE}
+cd ${PRGNAM}-${VERSION}
+
+# Compile breaks because of '-Werror':
+sed -i Make.defaults -e 's/\-Werror//g'
+touch $OUTPUT/patch-${PRGNAM}.log
+# Fix compile with nss-3.44:
+# https://github.com/rhboot/pesign/commit/b535d1ac5cbcdf18a97d97a92581e38080d9e521.patch
+cat $SRCDIR/patches/pesign_nss344.patch | patch -p1 --verbose \
+ 2>&1 | tee -a $OUTPUT/patch-${PRGNAM}.log
+# Fix a wrong assignment:
+# https://github.com/rhboot/pesign/commit/c555fd74c009242c3864576bd5f17a1f8f4fdffd.patch
+cat $SRCDIR/patches/pesign_sigtype.patch | patch -p1 --verbose \
+ 2>&1 | tee -a $OUTPUT/patch-${PRGNAM}.log
+
+chown -R root:root .
+chmod -R u+w,go+r-w,a+rX-st .
+
+echo Building ...
+export LDFLAGS="$SLKLDFLAGS"
+export CXXFLAGS="$SLKCFLAGS"
+export CFLAGS="$SLKCFLAGS"
+make $NUMJOBS 2>&1 | tee $OUTPUT/make-${PRGNAM}.log
+make DESTDIR=$PKG install \
+ VERSION=${VERSION} \
+ docdir=/usr/doc \
+ libdir=/usr/lib${LIBDIRSUFFIX} \
+ libexecdir=/usr/libexec \
+ mandir=/usr/man/ \
+ 2>&1 | tee $OUTPUT/install-${PRGNAM}.log
+
+# Install a Slackware boot script for the PE signing daemon:
+install -Dm0644 src/pesign.sysvinit $PKG/etc/rc.d/rc.pesign.new
+
+# Remove cruft:
+rm -rf $PKG/etc/pki $PKG/etc/popt.d $PKG/etc/rpm
+
+# Don't clobber configuration files:
+mv -i $PKG/etc/pesign/groups{,.new}
+mv -i $PKG/etc/pesign/users{,.new}
+
+# Add this to the doinst.sh:
+mkdir -p $PKG/install
+cat <<EOINS >> $PKG/install/doinst.sh
+# Handle the incoming configuration files:
+config() {
+ for infile in \$1; do
+ NEW="\$infile"
+ OLD="\$(dirname \$NEW)/\$(basename \$NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r \$OLD ]; then
+ mv \$NEW \$OLD
+ elif [ "\$(cat \$OLD | md5sum)" = "\$(cat \$NEW | md5sum)" ]; then
+ # toss the redundant copy
+ rm \$NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+ done
+}
+preserve_perms() {
+ NEW="\$1"
+ OLD="\$(dirname \$NEW)/\$(basename \$NEW .new)"
+ if [ -e \$OLD ]; then
+ cp -a \$OLD \${NEW}.incoming
+ cat \$NEW > \${NEW}.incoming
+ mv \${NEW}.incoming \$NEW
+ fi
+ config \$NEW
+}
+preserve_perms etc/rc.d/rc.pesign.new
+config etc/pesign/groups.new
+config etc/pesign/users.new
+
+# Create 'pesign' user and group on target host:
+chroot . \
+getent group pesign > /dev/null || \
+ /usr/sbin/groupadd -g ${PESIGNGID} -r pesign 2>/dev/null
+chroot . \
+getent passwd pesign > /dev/null || \
+ /usr/sbin/useradd -c "PE signing daemon" -g pesign \
+ -s /bin/bash -u ${PESIGNUID} -r pesign 2>/dev/null
+
+# Update rc.local so that pesign will be started on boot:
+if ! grep -q "rc.pesign" etc/rc.d/rc.local ; then
+ cat <<_EOM_ >> etc/rc.d/rc.local
+if [ -x /etc/rc.d/rc.pesign ]; then
+ # Start PE signing daemon:
+ echo "Starting PE signing daemon: /etc/rc.d/rc.pesign start"
+ /etc/rc.d/rc.pesign start
+fi
+_EOM_
+fi
+
+EOINS
+
+# Add documentation:
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a $DOCS $PKG/usr/doc/$PRGNAM-$VERSION || true
+cat $SRCDIR/$(basename $0) > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+chown -R root:root $PKG/usr/doc/$PRGNAM-$VERSION
+find $PKG/usr/doc -type f -exec chmod 644 {} \;
+
+# Compress the man page(s):
+if [ -d $PKG/usr/man ]; then
+ find $PKG/usr/man -type f -name "*.?" -exec gzip -9f {} \;
+ for i in $(find $PKG/usr/man -type l -name "*.?") ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+fi
+
+# Strip binaries (if any):
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+# Add a package description:
+mkdir -p $PKG/install
+cat $SRCDIR/slack-desc > $PKG/install/slack-desc
+
+# Build the package:
+cd $PKG
+makepkg --linkadd y --chown n $OUTPUT/${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.${PKGTYPE:-txz} 2>&1 | tee $OUTPUT/makepkg-${PRGNAM}.log
+cd $OUTPUT
+md5sum ${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.${PKGTYPE:-txz} > ${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.${PKGTYPE:-txz}.md5
+cd -
+cat $PKG/install/slack-desc | grep "^${PRGNAM}" > $OUTPUT/${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.txt
+
+# Restore the original umask:
+umask ${_UMASK_}
+
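Review bot: The download step calls `wget --no-check-certificate`, so the pesign tarball is fetched without TLS certificate verification, and nothing between the download and `tar -xvf ${SOURCE}` compares the archive with a known digest. For a package that installs a PE signing daemon and its signing tools, that leaves the build input unauthenticated. Drop the flag and pin the archive, for example `wget -nv -T 20 -O "${SOURCE}" "${SRCURL}"` followed by `echo "<EXPECTED_SHA256>  ${SOURCE}" | sha256sum -c -` before extraction (the digest is a placeholder for the maintainer to fill in). The `|| true` on the same wget line also forces `$?` to 0, so only the `! -s "${SOURCE}"` half of the following test can ever trigger.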
diff --git a/pesign/build/slack-desc b/pesign/build/slack-desc
new file mode 100644
index 00000000..4ce1e205
--- /dev/null
+++ b/pesign/build/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+pesign: pesign (tools for manipulating signed pe-coff binaries)
+pesign:
+pesign: Signing tool for PE-COFF binaries, hopefully at least vaguely
+pesign: compliant with the PE and Authenticode specifications.
+pesign: This is vaguely analogous to the tool described by
+pesign: http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx
+pesign:
+pesign:
+pesign:
+pesign: See also: https://github.com/rhboot/pesign
+pesign: