rpm-head-signing.spec
# Currently broken in koji
%bcond_with tests
# Without this, the resulting insertlib will segfault
%define _lto_cflags %{nil}
%define debug_package %{nil}
%global pkgname rpm-head-signing
%global srcname rpm_head_signing
Name: rpm-head-signing
Version: 1.7.4
Release: 1%{?dist}
Summary: Small python module to extract RPM header and file digests
License: MIT
URL: https://github.com/fedora-iot/rpm-head-signing
Source0: %url/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
BuildRequires: gcc
BuildRequires: openssl-devel
BuildRequires: ima-evm-utils
BuildRequires: ima-evm-utils-devel
BuildRequires: rpm-devel
BuildRequires: rpm-sign
BuildRequires: cpio
BuildRequires: valgrind
BuildRequires: zstd
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-koji
BuildRequires: python%{python3_pkgversion}-rpm
BuildRequires: python%{python3_pkgversion}-cryptography
BuildRequires: python%{python3_pkgversion}-pyxattr
%{?python_provide:%python_provide python3-%{pkgname}}
%description
A small Python module (with C helper) to extract an RPM header and file
digests and reinsert the signature and signed file digests. This is
used when you want to retrieve the parts to sign if you have a
remote signing server, without having to transmit the entire RPM over
to the server.
%prep
%autosetup -p1
# Strip the "#!/usr/bin/env python" shebang from the library modules
for lib in rpm_head_signing/*.py; do
    sed '1{\@^#!/usr/bin/env python@d}' "$lib" > "$lib.new"
    mv "$lib.new" "$lib"
done
%build
%py3_build
%install
%py3_install
%if %{with tests}
%check
# To make sure we get to use the installed version
mv rpm_head_signing rpm_head_signing.orig
PYTHONPATH=%{buildroot}%{python3_sitearch} SKIP_IMA_LIVE_CHECK=true python3 test.py
%endif
%files
%license LICENSE
%doc README.md
%{_bindir}/verify-rpm-ima-signatures
%{python3_sitearch}/%{srcname}/
%{python3_sitearch}/%{srcname}-*/
%changelog
* Wed Oct 25 2023 Peter Robinson <[email protected]> - 1.7.4-1
- Update to 1.7.4
- Upstream and package fixes
* Fri Sep 22 2023 Patrick Uiterwijk <[email protected]> - 1.7.2-1
- fix: add sentinel to insertlib to prevent segfault
* Mon Oct 25 2021 Patrick Uiterwijk <[email protected]> - 1.7-1
- fix: remove the LENGTH header again
* Thu Oct 7 2021 Patrick Uiterwijk <[email protected]> - 1.6-1
- fix: add the LENGTH header for IMA signatures
- feat: add a fix_ima_signatures method to fix missing length headers
* Mon Oct 4 2021 Patrick Uiterwijk <[email protected]> - 1.5.1-1
- fix: ensure that the determine function handles empty packages
* Wed Sep 29 2021 Patrick Uiterwijk <[email protected]> - 1.5-1
- feat: add determine function to determine package status
* Mon Sep 27 2021 Patrick Uiterwijk <[email protected]> - 1.4.3-1
- Fix: ignore RPM Ghost files
- Fix: ignore empty RPMs
* Tue Sep 14 2021 Patrick Uiterwijk <[email protected]> - 1.4.2-1
- Ignore symbolic links when verifying RPMs
* Fri Sep 10 2021 Patrick Uiterwijk <[email protected]> - 1.4.1-1
- Ensure xattrs are passed in as bytes
* Mon Aug 23 2021 Patrick Uiterwijk <[email protected]> - 1.4-1
- Add verify-rpm-ima-signatures script to verify RPM signatures
* Mon Aug 16 2021 Patrick Uiterwijk <[email protected]> - 1.3-1
- Feature: fix byte order on insert_signatures
- Fix: Compile on F32
- Fix: Beta RPM version parsing
* Thu Aug 05 2021 Patrick Uiterwijk <[email protected]> - 1.2-1
- Generate zero digest
* Wed Aug 04 2021 Patrick Uiterwijk <[email protected]> - 1.1-1
- Fix a segfault in case of an early error
- Update spec file to support python2
- Support IMA injection only
* Wed Jun 30 2021 Patrick Uiterwijk <[email protected]> - 1.0-1
- Bump version to v1
* Wed Apr 28 2021 Patrick Uiterwijk <[email protected]> - 0.1-2
- Moved ima_lookup.so to libdir
* Mon Apr 26 2021 Patrick Uiterwijk <[email protected]> - 0.1-1
- Initial packaging