backport sb-certs

Louis Abel 2023-03-17 15:02:43 -07:00
parent 6918d955ff
commit abd05514c8
Signed by: label
GPG Key ID: B37E62D143879B36
5 changed files with 91 additions and 13 deletions

BIN
SOURCES/rocky-root-ca.der Normal file

Binary file not shown.

BIN
SOURCES/rocky-signing.der Normal file

Binary file not shown.

BIN
SOURCES/rockydup1.x509 Normal file

Binary file not shown.

BIN
SOURCES/rockykpatch1.x509 Normal file

Binary file not shown.


@ -20,8 +20,8 @@
%define distro_code Green Obsidian %define distro_code Green Obsidian
%define major 8 %define major 8
%define minor 8 %define minor 8
%define rocky_rel 1%{?rllh:.%{rllh}}%{!?rllh:.3} %define rocky_rel 1%{?rllh:.%{rllh}}%{!?rllh:.4}
%define upstream_rel %{major}.%{minor}-0.1 %define upstream_rel %{major}.%{minor}-0.2
%define rpm_license BSD-3-Clause %define rpm_license BSD-3-Clause
%define dist .el%{major} %define dist .el%{major}
%define home_url https://rockylinux.org/ %define home_url https://rockylinux.org/
@ -152,6 +152,12 @@ Source1223: Rocky-Devel.repo
Source1226: Rocky-Plus.repo Source1226: Rocky-Plus.repo
Source1300: rocky.1.gz Source1300: rocky.1.gz
# rocky secureboot certs placeholder (1400-1499)
Source1400: rockydup1.x509
Source1401: rockykpatch1.x509
Source1402: rocky-root-ca.der
Source1403: rocky-signing.der
%description %description
%{distro_name} release files. %{distro_name} release files.
@ -174,6 +180,14 @@ Conflicts: %{name} < 8.0
%description -n rocky-gpg-keys%{?rltype} %description -n rocky-gpg-keys%{?rltype}
This package provides the RPM signature keys for Rocky. This package provides the RPM signature keys for Rocky.
%package -n rocky-sb-certs%{?rltype}
Summary: %{distro_name} public secureboot certificates
Group: System Environment/Base
Provides: system-sb-certs = %{version}-%{release}
%description -n rocky-sb-certs%{?rltype}
This package contains the %{distro_name} secureboot public certificates.
%prep %prep
%if %{with rllookahead} && %{with rlbeta} %if %{with rllookahead} && %{with rlbeta}
echo "!! WARNING !!" echo "!! WARNING !!"
@ -270,21 +284,61 @@ install -d -m 0755 %{buildroot}%{_prefix}/lib/systemd/system-preset/
install -m 0644 %{SOURCE300} %{buildroot}/%{_prefix}/lib/systemd/system-preset/ install -m 0644 %{SOURCE300} %{buildroot}/%{_prefix}/lib/systemd/system-preset/
install -m 0644 %{SOURCE301} %{buildroot}/%{_prefix}/lib/systemd/system-preset/ install -m 0644 %{SOURCE301} %{buildroot}/%{_prefix}/lib/systemd/system-preset/
install -m 0644 %{SOURCE302} %{buildroot}/%{_prefix}/lib/systemd/system-preset/ install -m 0644 %{SOURCE302} %{buildroot}/%{_prefix}/lib/systemd/system-preset/
# systemd section
################################################################################
# dnf stuff ################################################################################
install -d -m 0755 %{buildroot}%{_sysconfdir}/dnf/vars # start secureboot section
echo "%{contentdir}" > %{buildroot}%{_sysconfdir}/dnf/vars/contentdir install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/sb-certs/
echo "%{sigcontent}" > %{buildroot}%{_sysconfdir}/dnf/vars/sigcontentdir install -d -m 0755 %{buildroot}%{_datadir}/pki/sb-certs/
echo "%{?rltype}" > %{buildroot}%{_sysconfdir}/dnf/vars/rltype
echo "%{major}-stream" > %{buildroot}%{_sysconfdir}/dnf/vars/stream
# Copy out GPG keys # Backported certs for now
install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/rpm-gpg install -m 0644 %{SOURCE1400} %{buildroot}%{_datadir}/pki/sb-certs/
install -p -m 0644 %{SOURCE101} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/ install -m 0644 %{SOURCE1401} %{buildroot}%{_datadir}/pki/sb-certs/
install -p -m 0644 %{SOURCE102} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/ install -m 0644 %{SOURCE1402} %{buildroot}%{_datadir}/pki/sb-certs/
install -m 0644 %{SOURCE1403} %{buildroot}%{_datadir}/pki/sb-certs/
# Placeholders
# x86_64
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-x86_64.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-x86_64.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-x86_64.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-x86_64.cer
# Copy our yum repos # aarch64
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-aarch64.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-aarch64.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-aarch64.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-aarch64.cer
# ppc64le
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-ppc64le.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-ppc64le.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-ppc64le.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-ppc64le.cer
# armhfp
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-armhfp.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-armhfp.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-armhfp.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-armhfp.cer
# s390x
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-s390x.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-s390x.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-s390x.cer
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-s390x.cer
# symlinks for everybody
for x in $(ls %{buildroot}%{_datadir}/pki/sb-certs); do
ln -sr %{buildroot}%{_datadir}/pki/sb-certs/${x} %{buildroot}%{_sysconfdir}/pki/sb-certs/${x}
done
# end secureboot section
################################################################################
################################################################################
# dnf repo section
install -d -m 0755 %{buildroot}%{_sysconfdir}/yum.repos.d install -d -m 0755 %{buildroot}%{_sysconfdir}/yum.repos.d
install -p -m 0644 %{SOURCE1200} %{buildroot}%{_sysconfdir}/yum.repos.d/ install -p -m 0644 %{SOURCE1200} %{buildroot}%{_sysconfdir}/yum.repos.d/
install -p -m 0644 %{SOURCE1201} %{buildroot}%{_sysconfdir}/yum.repos.d/ install -p -m 0644 %{SOURCE1201} %{buildroot}%{_sysconfdir}/yum.repos.d/
@ -300,6 +354,20 @@ install -p -m 0644 %{SOURCE1222} %{buildroot}%{_sysconfdir}/yum.repos.d/
install -p -m 0644 %{SOURCE1223} %{buildroot}%{_sysconfdir}/yum.repos.d/ install -p -m 0644 %{SOURCE1223} %{buildroot}%{_sysconfdir}/yum.repos.d/
install -p -m 0644 %{SOURCE1226} %{buildroot}%{_sysconfdir}/yum.repos.d/ install -p -m 0644 %{SOURCE1226} %{buildroot}%{_sysconfdir}/yum.repos.d/
# dnf stuff
install -d -m 0755 %{buildroot}%{_sysconfdir}/dnf/vars
echo "%{contentdir}" > %{buildroot}%{_sysconfdir}/dnf/vars/contentdir
echo "%{sigcontent}" > %{buildroot}%{_sysconfdir}/dnf/vars/sigcontentdir
echo "%{?rltype}" > %{buildroot}%{_sysconfdir}/dnf/vars/rltype
echo "%{major}-stream" > %{buildroot}%{_sysconfdir}/dnf/vars/stream
# Copy out GPG keys
install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/rpm-gpg
install -p -m 0644 %{SOURCE101} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/
install -p -m 0644 %{SOURCE102} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/
# end dnf repo section
################################################################################
%files %files
%license LICENSE %license LICENSE
%doc Contributors COMMUNITY-CHARTER %doc Contributors COMMUNITY-CHARTER
@ -330,7 +398,17 @@ install -p -m 0644 %{SOURCE1226} %{buildroot}%{_sysconfdir}/yum.repos.d/
%files -n rocky-gpg-keys%{?rltype} %files -n rocky-gpg-keys%{?rltype}
%{_sysconfdir}/pki/rpm-gpg/ %{_sysconfdir}/pki/rpm-gpg/
%files -n rocky-sb-certs%{?rltype}
# care: resetting symlinks is intended
%dir %{_sysconfdir}/pki/sb-certs
%dir %{_datadir}/pki/sb-certs
%{_sysconfdir}/pki/sb-certs/*
%{_datadir}/pki/sb-certs/*
%changelog %changelog
* Fri Mar 17 2023 Louis Abel <label@rockylinux.org> - 8.8-1.4
- Backport rocky-sb-certs to Rocky Linux 8
* Wed Jan 01 2023 Louis Abel <label@rockylinux.org> - 8.8-1.3 * Wed Jan 01 2023 Louis Abel <label@rockylinux.org> - 8.8-1.3
- Move macros to a proper location - Move macros to a proper location
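Review bot: The four certificate files added as `Source1400`–`Source1403` are binary blobs that cannot be inspected in this diff, and the secureboot part of %install copies them into `%{_datadir}/pki/sb-certs/` without any check, so nothing in the spec ties the packaged trust anchors to a known value. I would add a comment beside the Source lines recording each file's expected fingerprint, for example `# rocky-root-ca.der sha256: <EXPECTED_FINGERPRINT>`, and, if openssl is available in the build root, a %check step that fails when one of the files does not parse as a certificate. The `# Placeholders` comment should also state that the kernel, grub2 and fwupd names for every architecture currently resolve to the same `rocky-signing.der`, so that consumers of these paths do not assume per-component keys. Separately, the `for x in $(ls …)` loop parses `ls` output and expands `${x}` unquoted; a glob is more robust: `for x in %{buildroot}%{_datadir}/pki/sb-certs/*; do ln -sr "$x" %{buildroot}%{_sysconfdir}/pki/sb-certs/; done`.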