Bugfix-Free-resources-if-certificate-cannot-be-found.patch

@@ -1,39 +0,0 @@
-From d8ea40d773dc1bcd90d8fc3b1f71ce49044ccef0 Mon Sep 17 00:00:00 2001
-From: Chenxi Mao <chenxi.mao@suse.com>
-Date: Tue, 13 Dec 2022 22:12:29 +0800
-Subject: [PATCH 1/1] Free resources if certificate cannot be found
-
-In find_certificate_by_callback, function return -1 directly without
-free resource if node is null, that will lead to nss shut down failed.
-
-The error message as below:
-could not shut down NSS: NSS could not shutdown. Objects are still in use.
-
-To fix this issue, free all resources before function return -1.
-
-Signed-off-by: Chenxi Mao <chenxi.mao@suse.com>
----
- src/cms_common.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 1c54c90..24576f2 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -878,8 +878,12 @@ find_certificate_by_callback(cms_context *cms,
- 		}
- 	}
- 
--	if (!node)
-+	if (!node) {
-+		PK11_DestroySlotListElement(slots, &psle);
-+		PK11_FreeSlotList(slots);
-+		CERT_DestroyCertList(certlist);
- 		cnreterr(-1, cms, "Could not find certificate");
-+	}
- 
- 	*cert = CERT_DupCertificate(node->cert);
- 
--- 
-2.33.0
-

Bugfix-cms_common-fix-cert-match-check.patch

@@ -1,29 +0,0 @@
-From c6a38cd80916e7a412227836b1865685e8d1ccfd Mon Sep 17 00:00:00 2001
-From: Huaxin Lu <luhuaxin1@huawei.com>
-Date: Fri, 11 Nov 2022 11:20:35 +0800
-Subject: [PATCH] cms_common: fix cert match check
-
-In find_certificate_by_callback(), the match() returns 1
-when cert subject is matched.
-
-Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
----
- src/cms_common.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 1c54c90..d3e6dea 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -872,7 +872,7 @@ find_certificate_by_callback(cms_context *cms,
- 			continue;
- 
- 		int rc = match(tmpnode->cert, cbdata);
--		if (rc == 0) {
-+		if (rc == 1) {
- 			node = tmpnode;
- 			break;
- 		}
--- 
-2.33.0
-

Feature-pesign-support-SM2-signature-algorithm.patch

@@ -21,8 +21,8 @@ index afa00e2..4aabf5d 100644
 +		SECItem *content, SECOidData *oid)
 +{
 +	int ret = -1;
-+	SECKEYPublicKey *pubkey = NULL;
-+	unsigned char *buf = NULL;
++	SECKEYPublicKey *pubkey;
++	unsigned char *buf;
 +	SECStatus status;
 +	SECItem sig_raw = { 0 };
 +

Fix-CVE-2022-3560.patch

@@ -1,80 +0,0 @@
-From d8a8c259994d0278c59b30b41758a8dd0abff998 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Wed, 18 Jan 2023 14:00:22 -0500
-Subject: [PATCH] Use normal file permissions instead of ACLs
-
-Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
-
-pesign-authorize is now deprecated and will be removed in a future
-release.
-
-Resolves: CVE-2022-3560
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
----
- src/pesign-authorize.in | 50 +++--------------------------------------
- 1 file changed, 3 insertions(+), 47 deletions(-)
-
-diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
-index 69797d5..b4e89e0 100644
---- a/src/pesign-authorize.in
-+++ b/src/pesign-authorize.in
-@@ -2,56 +2,12 @@
- set -e
- set -u
- 
--#
--# With /run/pesign/socket on tmpfs, a simple way of restoring the
--# acls for specific users is useful
--#
--#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
--#
--
- # License: GPLv2
--declare -a fileusers=()
--declare -a dirusers=()
--while read -r user ; do
--	dirusers[${#dirusers[@]}]=-m
--	dirusers[${#dirusers[@]}]="u:$user:rwx"
--	fileusers[${#fileusers[@]}]=-m
--	fileusers[${#fileusers[@]}]="u:$user:rw"
--done </etc/pesign/users
--
--declare -a filegroups=()
--declare -a dirgroups=()
--while read -r group ; do
--	dirgroups[${#dirgroups[@]}]=-m
--	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
--	filegroups[${#filegroups[@]}]=-m
--	filegroups[${#filegroups[@]}]="g:$group:rw"
--done </etc/pesign/groups
--
--update_subdir() {
--	subdir=$1 && shift
- 
--	setfacl -bk "${subdir}"
--	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
--	for x in "${subdir}"* ; do
--		if [ -d "${x}" ]; then
--			setfacl -bk "${x}"
--			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
--			update_subdir "${x}/"
--		elif [ -e "${x}" ]; then
--			setfacl -bk "${x}"
--			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
--		else
--			:;
--		fi
--	done
--}
-+# This script is deprecated and will be removed in a future release.
- 
- sleep 3
- for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
--	if [ -d "${x}" ]; then
--		update_subdir "${x}"
--	else
--		:;
--	fi
-+	chown -R pesign:pesign "${x}" || true
-+	chmod -R ug+rwX "${x}" || true
- done

Fix-build-error-of-gcc-version-too-low.patch

@@ -1,53 +0,0 @@
-From 3afba00007f294baca8c7cfbc20cec24899fe5f1 Mon Sep 17 00:00:00 2001
-From: jinlun <jinlun@huawei.com>
-Date: Mon, 7 Nov 2022 20:41:08 +0800
-Subject: [PATCH] fix build error of gcc version too low
-
----
- src/daemon.c   | 3 ---
- src/password.c | 3 ---
- 2 files changed, 6 deletions(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index 0a66deb..c5061bd 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -920,8 +920,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
- 
- /* GCC -fanalyzer has trouble with realloc
-  * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
--#pragma GCC diagnostic push
--#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
- static int
- handle_events(context *ctx)
- {
-@@ -1000,7 +998,6 @@ shutdown:
- 	}
- 	return 0;
- }
--#pragma GCC diagnostic pop
- 
- static int
- get_uid_and_gid(context *ctx, char **homedir)
-diff --git a/src/password.c b/src/password.c
-index 05add9a..0f359d2 100644
---- a/src/password.c
-+++ b/src/password.c
-@@ -304,14 +304,11 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
- 
- 		/* Workaround for -fanalzer/reallocarray() bug
- 		 * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
--#pragma GCC diagnostic push
--#pragma GCC diagnostic ignored "-Wanalyzer-mismatching-deallocation"
- 		new_phrases = reallocarray(phrases, nphrases + 1, sizeof(struct token_pass));
- 		if (!new_phrases)
- 			goto err_phrases;
- 		phrases = new_phrases;
- 		memset(&new_phrases[nphrases], 0, sizeof(struct token_pass));
--#pragma GCC diagnostic pop
- 
- 		span = strspn(start, whitespace_and_eol_chars);
- 		dprintf("whitespace span is %zd", span);
--- 
-2.27.0
-

Fix-the-build-with-nss-3.44.patch

@@ -0,0 +1,42 @@
+From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 May 2019 11:28:38 -0400
+Subject: [PATCH] efikeygen: Fix the build with nss 3.44
+
+NSS 3.44 adds some certificate types, which changes a type and makes
+some encoding stuff weird.  As a result, we get:
+
+gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe  -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing  -g -O0 -g -O0  -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/  -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr  -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
+In file included from /usr/local/include/nss/nss/cert.h:22,
+                 from efikeygen.c:39:
+efikeygen.c: In function 'add_cert_type':
+/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
+     (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
+     ^
+efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
+  unsigned char type = NS_CERT_TYPE_APP;
+                       ^~~~~~~~~~~~~~~~
+cc1: all warnings being treated as errors
+
+This is fixed by just making it an int.
+
+Fixes github issue #48.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/efikeygen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index ede76ef..2cd953e 100644
+--- a/src/efikeygen.c
++++ b/src/efikeygen.c
+@@ -208,7 +208,7 @@ static int
+ add_cert_type(cms_context *cms, void *extHandle, int is_ca)
+ {
+ 	SECItem bitStringValue;
+-	unsigned char type = NS_CERT_TYPE_APP;
++	int type = NS_CERT_TYPE_APP;
+ 
+ 	if (is_ca)
+ 		type |= NS_CERT_TYPE_SSL_CA |

Remove-unused-i-option-in-authvar.patch

@@ -1,16 +0,0 @@
-diff -Nur a/src/authvar.c b/src/authvar.c
---- a/src/authvar.c	2022-03-09 01:46:30.000000000 +0800
-+++ b/src/authvar.c	2023-05-31 16:47:15.329069974 +0800
-@@ -324,12 +324,6 @@
- 		 .arg = &ctx.valuefile,
- 		 .descrip = "read value from <file>",
- 		 .argDescrip = "<file>" },
--		{.longName = "import",
--		 .shortName = 'i',
--		 .argInfo = POPT_ARG_STRING,
--		 .arg = &ctx.importfile,
--		 .descrip = "import variable from <file>",
--		 .argDescrip = "<file>" },
- 		{.longName = "export",
- 		 .shortName = 'e',
- 		 .argInfo = POPT_ARG_STRING,

pesign.spec

@@ -1,11 +1,11 @@
 %global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
 Name:          pesign
 Summary:       Signing utility for UEFI binaries
-Version:       115
-Release:       5
+Version:       0.113
+Release:       7
 License:       GPLv2
-URL:           https://github.com/rhboot/pesign
-Source0:       https://github.com/rhboot/pesign/archive/refs/tags/115.tar.gz
+URL:           https://github.com/vathpela/pesign
+Source0:       https://github.com/rhboot/pesign/archive/113.tar.gz
 Source1:       certs.tar.xz
 Source2:       pesign.py
 Source3:       euleros-certs.tar.bz2
@@ -14,16 +14,14 @@ Requires:      nspr nss nss-util popt rpm
 Requires(pre): shadow-utils
 BuildRequires: nspr nss nss-util popt-devel nss-tools nspr-devel >= 4.9.2-1
 BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
-BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc mandoc
+BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc
+
+Patch0001:     Fix-the-build-with-nss-3.44.patch
+Patch0002:     remove-superfluous-type-settings.patch
 
-Patch0001:     Bugfix-cms_common-fix-cert-match-check.patch
-Patch0002:     Bugfix-Free-resources-if-certificate-cannot-be-found.patch
-Patch0003:     Remove-unused-i-option-in-authvar.patch
 # Feature: support SM2 and SM3
 Patch9000:     Feature-pesign-support-SM3-digest-algorithm.patch
 Patch9001:     Feature-pesign-support-SM2-signature-algorithm.patch
-Patch9002:     Fix-build-error-of-gcc-version-too-low.patch
-Patch9003:     Fix-CVE-2022-3560.patch
 
 %description
 pesign is a command line tool for manipulating signatures and
@@ -37,7 +35,7 @@ Requires:       %{name} = %{version}-%{release}
 Files for help with pesign.
 
 %prep
-%autosetup -n %{name}-%{version} -p1 -T -b 0 -D -c -a 1
+%autosetup -n %{name}-113 -p1 -T -b 0 -D -c -a 1
 tar -jxf %{SOURCE3}
 
 %build
@@ -51,7 +49,7 @@ install -D etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
 install -D etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
 mv euleros-certs/etc/pki/pesign/euleros-pesign-db %{buildroot}/etc/pki/pesign/
 install -D %{buildroot}%{_sysconfdir}/rpm/macros.pesign %{buildroot}%{macrosdir}/macros.pesign
-rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
+rm -vf %{buildroot}/usr/share/doc/pesign-113/COPYING
 install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 
@@ -80,10 +78,10 @@ exit 0
 %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
 %config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
 %{_libexecdir}/pesign/pesign-authorize
-%{_libexecdir}/pesign/pesign-rpmbuild-helper
 %config(noreplace)/%{_sysconfdir}/pesign/*
 %{_sysconfdir}/popt.d/pesign.popt
 %{macrosdir}/macros.pesign
+%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
 %dir %attr(0775,pesign,pesign) /etc/pki/pesign/euleros-pesign-db
 %attr(0644,pesign,pesign) /etc/pki/pesign/euleros-pesign-db/*
 %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
@@ -100,31 +98,13 @@ exit 0
 %{_mandir}/man*/*
 
 %changelog
-* Wed May 31 2023 liyanan <thistleslyn@163.com> - 115-5
-- Remove unused i option in authvar 
-
-* Tue Feb 14 2023 luopihui <luopihui@ncti-gba.cn> - 115-4
-- Fix CVE-2022-3560
-
-* Mon Dec 19 2022 Chenxi Mao <chenxi.mao@suse.com> - 115-3
-- Free resources if certification cannot be found. 
-
-* Sat Nov 12 2022 luhuaxin <luhuaxin1@huawei.com> - 115-2
-- fix certificate chain bug
-
-* Mon Nov 7 2022 jinlun <jinlun@huawei.com> - 115-1
-- Type:bugfix
-- Id:NA
-- SUG:NA
-- DESC:update to 115
-
 * Mon Oct 31 2022 luhuaxin <luhuaxin1@huawei.com> - 0.113-7
 - fix the algorithm flag for sm2,sm3
 
 * Mon Oct 10 2022 godcansee <liu332084460@foxmail.com> - 0.113-6
 - add feature to support for sm2,sm3 
 
-* Sat Jul 31 2021 Shenmei Tu <tushenmei@huawei.com> - 0.113-5
+* Sat July 31 2021 Shenmei Tu <tushenmei@huawei.com> - 0.113-5
 - remove-superfluous-type-settings.patch
 
 * Mon May 31 2021 huanghaitao <huanghaitao8@huawei.com> - 0.113-4

remove-superfluous-type-settings.patch

@@ -0,0 +1,19 @@
+diff -Nur pesign-113/src/pesigcheck.c pesign-113-new/src/pesigcheck.c
+--- pesign-113/src/pesigcheck.c	2019-05-11 02:53:51.000000000 +0800
++++ pesign-113-new/src/pesigcheck.c	2021-07-30 11:25:25.000000000 +0800
+@@ -318,7 +318,6 @@
+ 			reason->type = SIGNATURE;
+ 			reason->sig.data = data;
+ 			reason->sig.len = datalen;
+-			reason->type = siBuffer;
+ 			nreason += 1;
+ 			is_invalid = true;
+ 		}
+@@ -330,7 +329,6 @@
+ 			reason->type = SIGNATURE;
+ 			reason->sig.data = data;
+ 			reason->sig.len = datalen;
+-			reason->type = siBuffer;
+ 			nreason += 1;
+ 			has_valid_cert = true;
+ 		}