File verify-sig.patch of Package pesign-obs-integration

Overview Repositories Revisions Requests Users Attributes Meta

File verify-sig.patch of Package pesign-obs-integration

From 3219b56af4f8f396b194ea81ab715831469260e5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 28 Sep 2022 14:27:31 +0800
Subject: [PATCH] Verfiy the signatures before attaching them

Sometime the build service may sign the target binaries with the wrong
key due to misconfiguration. Verfiy the signature first so that we can
detect the error earily.

Ref: bsc#1200108, bsc#1203679

Signed-off-by: Gary Lin <glin@suse.com>
---
 pesign-repackage.spec.in | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index 7b3d2e5..0b59360 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -122,8 +122,17 @@ echo foofoofoo > "$nss_db/passwd"
 certutil -N -d "$nss_db" -f "$nss_db/passwd"
 certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
 
+# Extract the public key of the certificate
+openssl x509 -in "$cert" -inform DER -pubkey -noout > "$cert.pub"
+
 sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
 for sig in "${sigs[@]}"; do
+	# Verify the signature with the public key of the certificate
+	ver_err=$(openssl rsautl -verify -inkey "$cert.pub" -pubin -in "$sig" 2>&1 | grep -i error) || true
+	if [ -n "$ver_err" ]; then
+		echo "$sig signature can not be decrypted by $cert" >&2
+		exit 1
+	fi
 	f=%buildroot/${sig%.sig}
 	case "/$sig" in
 	*.ko.sig|*.mod.sig)
@@ -182,6 +191,10 @@ for sig in "${sigs[@]}"; do
 		echo "Warning: unhandled signature: $sig" >&2
 	esac
 done
+
+# Remove the public key file
+rm "$cert.pub"
+
 popd
 /usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
 	--directory=%buildroot "${rpms[@]}"
-- 
2.35.3

Places

File verify-sig.patch of Package pesign-obs-integration

Places