Fix key to card failing with invalid time when moving keys to smartcard on master (Opt: Authenticated Heads)

- Revert gnupg toolstack version bump to prior of #1661 merge (2.4.2 -> 2.4.0). Version bump not needed for reproducibility.
  - Investigation and upstream discussions will take their time resolving the invalid time issue introduced between 2.4.0 and latest gnupg; fix the regression first under master

- oem-factory-reset
  - Adding DO_WITH_DEBUG to oem-factory-reset for all its gpg calls. If failing in debug mode, /tmp/debug.txt contains calls and errors
  - Wipe keyrings only (*.gpg, *.kbx), not conf files under gpg homedir (keep initrd/.gnupg/*.conf)

- flake.nix
  - switch build derivative from qemu and qemu_kvm to qemu_full to have qemu-img tool which was missing to run qemu boards (v0.1.8 docker)
  - add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing

- flake.lock: Updated nix pinned package list under flake.lock with 'nix flake update' so qemu_full builds

- README.md: have consistent docker testing + release (push) notes

- .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing)

TODO:
- some fd2 instead of fd1?!
- oem-factory-reset has whiptail_or_die which sets whiptail box to HEIGHT 0. This doesn't show a scrolling window on gpg errors which is problematic with fbwhiptail, not whiptail

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-05-14 12:44:11 -04:00
parent b80aa87077
commit 37f04e2855
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
16 changed files with 73 additions and 108 deletions

View File

@ -45,7 +45,7 @@ commands:
jobs: jobs:
prep_env: prep_env:
docker: docker:
- image: tlaurion/heads-dev-env:v0.1.6 - image: tlaurion/heads-dev-env:v0.1.8
resource_class: large resource_class: large
working_directory: ~/heads working_directory: ~/heads
steps: steps:
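Review bot: `image: tlaurion/heads-dev-env:v0.1.8` pins the CI builder by a mutable tag, in all four jobs of this file. For a build whose whole point is reproducibility, pin by immutable digest as well (`tlaurion/heads-dev-env@sha256:<digest of v0.1.8>`) and record the digest beside the tag in the README publishing notes; otherwise whoever controls the Docker Hub repository can re-point `v0.1.8` at different content without any change appearing in this repository.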
@ -111,7 +111,7 @@ jobs:
build_and_persist: build_and_persist:
docker: docker:
- image: tlaurion/heads-dev-env:v0.1.6 - image: tlaurion/heads-dev-env:v0.1.8
resource_class: large resource_class: large
working_directory: ~/heads working_directory: ~/heads
parameters: parameters:
@ -139,7 +139,7 @@ jobs:
build: build:
docker: docker:
- image: tlaurion/heads-dev-env:v0.1.6 - image: tlaurion/heads-dev-env:v0.1.8
resource_class: large resource_class: large
working_directory: ~/heads working_directory: ~/heads
parameters: parameters:
@ -160,7 +160,7 @@ jobs:
save_cache: save_cache:
docker: docker:
- image: tlaurion/heads-dev-env:v0.1.6 - image: tlaurion/heads-dev-env:v0.1.8
resource_class: large resource_class: large
working_directory: ~/heads working_directory: ~/heads
steps: steps:

View File

@ -97,6 +97,10 @@ Maintenance notes on docker image
Redo the steps above in case the flake.nix or nix.lock changes. Then publish on docker hub: Redo the steps above in case the flake.nix or nix.lock changes. Then publish on docker hub:
``` ```
docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:vx.y.z
docker push tlaurion/heads-dev-env:vx.y.z
#test against CircleCI in PR. Merge.
#make last version the latest
docker tag tlaurion/heads-dev-env:vx.y.z tlaurion/heads-dev-env:latest docker tag tlaurion/heads-dev-env:vx.y.z tlaurion/heads-dev-env:latest
docker push tlaurion/heads-dev-env:latest docker push tlaurion/heads-dev-env:latest
``` ```
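Review bot: the added lines `#test against CircleCI in PR. Merge.` and `#make last version the latest` are procedure steps written as shell comments inside the code fence, so anyone pasting the block will run straight through to `docker push tlaurion/heads-dev-env:latest`. Move them out of the fence as prose between the two command groups, and state that `:latest` is only retagged after the PR's CircleCI run has passed against the `vx.y.z` tag.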

flake.lock generated
View File

@ -20,11 +20,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1711703276, "lastModified": 1715534503,
"narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", "rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
"type": "github" "type": "github"
}, },
"original": { "original": {

View File

@ -75,14 +75,16 @@
canokeySupport = true; # This override enables Canokey support in QEMU, resulting in -device canokey being available. canokeySupport = true; # This override enables Canokey support in QEMU, resulting in -device canokey being available.
}) })
# Packages for qemu support with Canokey integration from previous override # Packages for qemu support with Canokey integration from previous override
#qemu_full #Heavier but contains qemu-img, kvm and everything else needed to do development cycles under docker qemu_full #Heavier but contains qemu-img, kvm and everything else needed to do development cycles under docker
qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement. #qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement.
qemu_kvm # kvm additional support for qemu without all the qemu-img and everything else under qemu_full #qemu_kvm # kvm additional support for qemu without all the qemu-img and everything else under qemu_full
] ++ [ ] ++ [
# Additional tools for debugging/editing/testing. # Additional tools for debugging/editing/testing.
vim # Mostly used amongst us, sorry if you'd like something else, open issue. vim # Mostly used amongst us, sorry if you'd like something else, open issue.
swtpm # QEMU requirement to emulate tpm1/tpm2. swtpm # QEMU requirement to emulate tpm1/tpm2.
dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support). dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support).
diffoscopeMinimal # Not sure exactly what is packed here, let's try.
gnupg #to inject public key inside of qemu create rom through inject_gpg target of targets/qemu.mk TODO: remove when pflash supported by flashrom
#diffoscope #should we include it? Massive:11 GB uncompressed. Wow?!?! #diffoscope #should we include it? Massive:11 GB uncompressed. Wow?!?!
] ++ [ ] ++ [
# Tools for handling binary blobs in their compressed state. (blobs/xx30/vbios_[tw]530.sh) # Tools for handling binary blobs in their compressed state. (blobs/xx30/vbios_[tw]530.sh)
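Review bot: the comment on `diffoscopeMinimal` (`Not sure exactly what is packed here, let's try.`) leaves the dependency undocumented; the commit message says it is there for qemu testing, so say that in the comment instead. The `gnupg #to inject public key...` line lacks the space after `#` used by the neighbouring comments and should spell out the TODO condition (remove once flashrom supports pflash), and the commented-out `#qemu` / `#qemu_kvm` entries are dead configuration now that `qemu_full` supersedes them; either drop them or say why they are kept.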

View File

@ -38,8 +38,9 @@ MAX_HOTP_GPG_PIN_LENGTH=25
CUSTOM_PASS_AFFECTED_COMPONENTS="" CUSTOM_PASS_AFFECTED_COMPONENTS=""
# Default GPG Algorithm is RSA # Default GPG Algorithm is RSA
# p256 also supported (TODO: nk3 supports RSA 4096 in secure element in firmare v1.7.1. Switch!?
GPG_ALGO="RSA" GPG_ALGO="RSA"
# Default RSA key length # Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
RSA_KEY_LENGTH=3072 RSA_KEY_LENGTH=3072
GPG_USER_NAME="OEM Key" GPG_USER_NAME="OEM Key"
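Review bot: the new comment `# p256 also supported (TODO: nk3 supports RSA 4096 in secure element in firmare v1.7.1. Switch!?` has a typo (`firmare`) and an unclosed parenthesis, and `4096 are way longer to generate in smartcard` would read better as `4096-bit keys take much longer to generate on the smartcard`. Since RSA_KEY_LENGTH is also fed to the on-card key-size prompts in gpg_key_factory_reset (`echo ${RSA_KEY_LENGTH} #Authentication key size set to RSA_KEY_LENGTH`), the comment should say that changing it affects both the in-memory and the on-card key sizes.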
@ -85,12 +86,11 @@ mount_boot() {
fi fi
} }
#Generate a gpg master key: no expiration date, RSA 4096 bits #Generate a gpg master key: no expiration date, ${RSA_KEY_LENGTH} bits
#This key will be used to sign 3 subkeys: encryption, authentication and signing #This key will be used to sign 3 subkeys: encryption, authentication and signing
#The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard #The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
generate_inmemory_RSA_master_and_subkeys() { generate_inmemory_RSA_master_and_subkeys() {
TRACE_FUNC TRACE_FUNC
echo "Generating GPG key material in memory:"
echo "Generating GPG RSA ${RSA_KEY_LENGTH} bits master key..." echo "Generating GPG RSA ${RSA_KEY_LENGTH} bits master key..."
# Generate GPG master key # Generate GPG master key
@ -104,7 +104,7 @@ generate_inmemory_RSA_master_and_subkeys() {
echo "Expire-Date: 0" # No expiration date echo "Expire-Date: 0" # No expiration date
echo "Passphrase: ${ADMIN_PIN}" # Admin PIN echo "Passphrase: ${ADMIN_PIN}" # Admin PIN
echo "%commit" # Commit changes echo "%commit" # Commit changes
} | gpg --command-fd=0 --status-fd=1 --batch --gen-key >/tmp/gpg_card_edit_output 2>&1 } | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key generation failed!\n\n$ERROR" whiptail_error_die "GPG Key generation failed!\n\n$ERROR"
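Review bot: the exit check `if [ $? -ne 0 ]` after the pipeline now tests the status of `DO_WITH_DEBUG`, not of `gpg`; unless DO_WITH_DEBUG propagates the wrapped command's return code (for example by ending with `"$@"` and returning its `$?`), every failure in these wrapped calls is silently treated as success and the `whiptail_error_die` branch never fires. This applies to every `} | DO_WITH_DEBUG gpg ...` hunk below. This hunk also changes more than the wrapper: `--gen-key` becomes `--generate-key` and `--expert --pinentry-mode=loopback` are added, which the commit message does not mention.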
@ -120,7 +120,7 @@ generate_inmemory_RSA_master_and_subkeys() {
echo ${ADMIN_PIN} # Local keyring admin pin echo ${ADMIN_PIN} # Local keyring admin pin
echo y # confirm echo y # confirm
echo save # save changes and commit to keyring echo save # save changes and commit to keyring
} | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
@ -137,7 +137,7 @@ generate_inmemory_RSA_master_and_subkeys() {
echo ${ADMIN_PIN} # Local keyring admin pin echo ${ADMIN_PIN} # Local keyring admin pin
echo y # confirm echo y # confirm
echo save # save changes and commit to keyring echo save # save changes and commit to keyring
} | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
@ -161,26 +161,12 @@ generate_inmemory_RSA_master_and_subkeys() {
echo ${ADMIN_PIN} # Local keyring admin pin echo ${ADMIN_PIN} # Local keyring admin pin
echo y # confirm echo y # confirm
echo save # save changes and commit to keyring echo save # save changes and commit to keyring
} | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --expert --edit-key "${GPG_USER_MAIL}" \ } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --expert --edit-key "${GPG_USER_MAIL}" \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key authentication subkey generation failed!\n\n$ERROR" whiptail_error_die "GPG Key authentication subkey generation failed!\n\n$ERROR"
fi fi
DEBUG "Setting public key to ultimate trust..."
#Set the public key to the ultimate trust
{
echo trust # trust key in --edit-key mode
echo 5 # ultimate trust
echo y # confirm
echo save # save changes and commit to keyring
} | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
>/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key setting public key to ultimate trust failed!\n\n$ERROR"
fi
} }
#Generate a gpg master key: no expiration date, p256 key (ECC) #Generate a gpg master key: no expiration date, p256 key (ECC)
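Review bot: this hunk drops the block that set the freshly generated key to ultimate trust (`trust` / `5` / `y` / `save`), and neither the commit message nor a code comment explains why. If the OEM public key is later imported and used for verification from this keyring without trust being established elsewhere, gpg will flag signatures as coming from an untrusted key; state where the trust level is now set, or restore the block wrapped in DO_WITH_DEBUG like its siblings.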
@ -200,7 +186,7 @@ generate_inmemory_p256_master_and_subkeys() {
echo "Passphrase: ${ADMIN_PIN}" # Local keyring admin pin echo "Passphrase: ${ADMIN_PIN}" # Local keyring admin pin
echo "Expire-Date: 0" # No expiration date echo "Expire-Date: 0" # No expiration date
echo "%commit" # Commit changes echo "%commit" # Commit changes
} | gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key \ } | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
@ -216,10 +202,10 @@ generate_inmemory_p256_master_and_subkeys() {
echo 11 # ECC own set capability echo 11 # ECC own set capability
echo Q # sign already present, do not modify echo Q # sign already present, do not modify
echo 3 # P-256 echo 3 # P-256
echo 0 # no expiration echo 0 # No validity/expiration date
echo ${ADMIN_PIN} # Local keyring admin pin echo ${ADMIN_PIN} # Local keyring admin pin
echo save # save changes and commit to keyring echo save # save changes and commit to keyring
} | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR_MSG=$(cat /tmp/gpg_card_edit_output) ERROR_MSG=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "Failed to add ECC nistp256 signing key to master key\n\n${ERROR_MSG}" whiptail_error_die "Failed to add ECC nistp256 signing key to master key\n\n${ERROR_MSG}"
@ -231,10 +217,10 @@ generate_inmemory_p256_master_and_subkeys() {
echo 12 # ECC own set capability echo 12 # ECC own set capability
echo Q # Quit echo Q # Quit
echo 3 # P-256 echo 3 # P-256
echo 0 # no expiration echo 0 # No validity/expiration date
echo ${ADMIN_PIN} # Local keyring admin pin echo ${ADMIN_PIN} # Local keyring admin pin
echo save # save changes and commit to keyring echo save # save changes and commit to keyring
} | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR_MSG=$(cat /tmp/gpg_card_edit_output) ERROR_MSG=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "Failed to add ECC nistp256 encryption key to master key\n\n${ERROR_MSG}" whiptail_error_die "Failed to add ECC nistp256 encryption key to master key\n\n${ERROR_MSG}"
@ -251,7 +237,7 @@ generate_inmemory_p256_master_and_subkeys() {
echo 0 # no expiration echo 0 # no expiration
echo ${ADMIN_PIN} # Local keyring admin pin echo ${ADMIN_PIN} # Local keyring admin pin
echo save # save changes and commit to keyring echo save # save changes and commit to keyring
} | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR_MSG=$(cat /tmp/gpg_card_edit_output) ERROR_MSG=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "Failed to add ECC nistp256 authentication key to master key\n\n${ERROR_MSG}" whiptail_error_die "Failed to add ECC nistp256 authentication key to master key\n\n${ERROR_MSG}"
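Review bot: the comment `echo 0 # no expiration` in this hunk was left as is, while the same line in the two preceding hunks was changed to `# No validity/expiration date`; align all three so the three subkey prompts read identically.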
@ -297,7 +283,7 @@ keytocard_subkeys_to_smartcard() {
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
echo "key 3" #Toggle off Authentication key echo "key 3" #Toggle off Authentication key
echo "save" #Save changes and commit to keyring echo "save" #Save changes and commit to keyring
} | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
@ -488,7 +474,7 @@ gpg_key_factory_reset() {
echo factory-reset # factory reset smartcard echo factory-reset # factory reset smartcard
echo y # confirm echo y # confirm
echo yes # confirm echo yes # confirm
} | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
@ -508,7 +494,7 @@ gpg_key_factory_reset() {
echo admin # admin menu echo admin # admin menu
echo forcesig # toggle forcesig echo forcesig # toggle forcesig
echo ${ADMIN_PIN_DEF} # local keyring PIN echo ${ADMIN_PIN_DEF} # local keyring PIN
} | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
@ -529,7 +515,7 @@ gpg_key_factory_reset() {
echo 2 # ECC echo 2 # ECC
echo 3 # P-256 echo 3 # P-256
echo ${ADMIN_PIN_DEF} # local keyring PIN echo ${ADMIN_PIN_DEF} # local keyring PIN
} | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
@ -551,7 +537,7 @@ gpg_key_factory_reset() {
echo 1 # RSA echo 1 # RSA
echo ${RSA_KEY_LENGTH} #Authentication key size set to RSA_KEY_LENGTH echo ${RSA_KEY_LENGTH} #Authentication key size set to RSA_KEY_LENGTH
echo ${ADMIN_PIN_DEF} #Local keyring PIN echo ${ADMIN_PIN_DEF} #Local keyring PIN
} | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
@ -581,7 +567,7 @@ generate_OEM_gpg_keys() {
echo ${GPG_USER_MAIL} # User email echo ${GPG_USER_MAIL} # User email
echo ${GPG_USER_COMMENT} # User comment echo ${GPG_USER_COMMENT} # User comment
echo ${USER_PIN_DEF} # Default user PIN since we just factory reset echo ${USER_PIN_DEF} # Default user PIN since we just factory reset
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
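Review bot: this call and the one in gpg_key_change_pin use `--status-fd=2` while every other wrapped call uses `--status-fd=1`; the commit's own TODO (`some fd2 instead of fd1?!`) already flags it. Because both descriptors are redirected into /tmp/gpg_card_edit_output it is harmless today, but normalising to `--status-fd=1` keeps status lines together with the captured output if the redirection is ever changed.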
@ -608,7 +594,7 @@ gpg_key_change_pin() {
echo ${PIN_NEW} # confirm new PIN echo ${PIN_NEW} # confirm new PIN
echo q # quit echo q # quit
echo q echo q
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
>/tmp/gpg_card_edit_output 2>&1 >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output | fold -s) ERROR=$(cat /tmp/gpg_card_edit_output | fold -s)
@ -686,7 +672,7 @@ generate_checksums() {
fi fi
DEBUG "Detach-signing boot files under kexec.sig: ${param_files}" DEBUG "Detach-signing boot files under kexec.sig: ${param_files}"
if sha256sum $param_files 2>/dev/null | gpg \ if sha256sum $param_files 2>/dev/null | DO_WITH_DEBUG gpg \
--pinentry-mode loopback \ --pinentry-mode loopback \
--passphrase "${USER_PIN}" \ --passphrase "${USER_PIN}" \
--digest-algo SHA256 \ --digest-algo SHA256 \
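Review bot: `--passphrase "${USER_PIN}"` is passed on the command line, and the commit message says DO_WITH_DEBUG writes the calls it wraps to /tmp/debug.txt in debug mode; that would land the user PIN in cleartext in a file under /tmp. Either have DO_WITH_DEBUG redact the argument following `--passphrase` before logging, or supply the PIN via `--passphrase-fd` from a descriptor that is not part of the logged command line.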
@ -1142,7 +1128,7 @@ assert_signable
# clear gpg-agent cache so that next gpg calls doesn't have past keyring in memory # clear gpg-agent cache so that next gpg calls doesn't have past keyring in memory
killall gpg-agent >/dev/null 2>&1 || true killall gpg-agent >/dev/null 2>&1 || true
# clear local keyring # clear local keyring
rm -rf /.gnupg/* >/dev/null 2>&1 || true rm -rf /.gnupg/*.kbx /.gnupg/*.gpg >/dev/null 2>&1 || true
# detect and set /boot device # detect and set /boot device
echo -e "\nDetecting and setting boot device...\n" echo -e "\nDetecting and setting boot device...\n"
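Review bot: `rm -rf /.gnupg/*.kbx /.gnupg/*.gpg` removes the public keyring and trustdb but not `private-keys-v1.d/` or `openpgp-revocs.d/`, where GnuPG 2.x keeps secret keys and revocation certificates, so the comment `# clear local keyring` overstates what is wiped and a previous run's secret key material survives the reset. Those directories are not conf files, which the commit message says are the only thing meant to be preserved, so add them to the removal.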
@ -1242,7 +1228,7 @@ if [ "$GPG_EXPORT" != "0" ]; then
fi fi
# ensure key imported locally # ensure key imported locally
if ! cat "$PUBKEY" | gpg --import >/dev/null 2>/tmp/error; then if ! cat "$PUBKEY" | DO_WITH_DEBUG gpg --import >/dev/null 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error | fold -s) ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error importing GPG key:\n\n$ERROR" whiptail_error_die "Error importing GPG key:\n\n$ERROR"
fi fi

View File

@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += gpg2 modules-$(CONFIG_GPG2) += gpg2
gpg2_version := 2.4.2 gpg2_version := 2.4.0
gpg2_dir := gnupg-$(gpg2_version) gpg2_dir := gnupg-$(gpg2_version)
gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_tar := gnupg-$(gpg2_version).tar.bz2
gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar)
gpg2_hash := 97eb47df8ae5a3ff744f868005a090da5ab45cb48ee9836dbf5ee739a4e5cf49 gpg2_hash := 1d79158dd01d992431dd2e3facb89fdac97127f89784ea2cb610c600fb0c1483
gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb $(musl_dep) gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb $(musl_dep)
# For reproducibility reasons we have to override the exec_prefix # For reproducibility reasons we have to override the exec_prefix
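Review bot: the revert to `gpg2_version := 2.4.0` is the actual fix for the keytocard "invalid time" failure named in the title, but nothing in this file says so; add a comment next to the version line pointing at the regression (and the upstream discussion once it exists) so a later toolstack bump does not silently reintroduce it. The commit message should also state that the restored `gpg2_hash` was checked against the upstream signed release, since a revert is exactly the moment a stale hash can slip in unnoticed.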

View File

@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += libassuan modules-$(CONFIG_GPG2) += libassuan
libassuan_version := 2.5.6 libassuan_version := 2.5.5
libassuan_dir := libassuan-$(libassuan_version) libassuan_dir := libassuan-$(libassuan_version)
libassuan_tar := libassuan-$(libassuan_version).tar.bz2 libassuan_tar := libassuan-$(libassuan_version).tar.bz2
libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar)
libassuan_hash := e9fd27218d5394904e4e39788f9b1742711c3e6b41689a31aa3380bd5aa4f426 libassuan_hash := 8e8c2fcc982f9ca67dcbb1d95e2dc746b1739a4668bc20b3a3c5be632edb34e4
libassuan_configure := \ libassuan_configure := \
CFLAGS="-Os" \ CFLAGS="-Os" \
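Review bot: libassuan, libgcrypt, libgpg-error and libksba are reverted alongside gnupg, but the commit message only names the gnupg change (2.4.2 -> 2.4.0); list the library versions being rolled back too, and note whether any fix the project relied on is lost by going to the older releases.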
@ -14,7 +14,7 @@ libassuan_configure := \
--prefix "/" \ --prefix "/" \
--disable-doc \ --disable-doc \
--disable-static \ --disable-static \
--with-libgpg-error-prefix="$(INSTALL)" \ --with-gpg-error-prefix="$(INSTALL)" \
libassuan_target := $(MAKE_JOBS) \ libassuan_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \ DESTDIR="$(INSTALL)" \

View File

@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += libgcrypt modules-$(CONFIG_GPG2) += libgcrypt
libgcrypt_version := 1.10.2 libgcrypt_version := 1.10.1
libgcrypt_dir := libgcrypt-$(libgcrypt_version) libgcrypt_dir := libgcrypt-$(libgcrypt_version)
libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2
libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar)
libgcrypt_hash := 3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03 libgcrypt_hash := ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de
libgcrypt_configure := \ libgcrypt_configure := \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
@ -14,7 +14,7 @@ libgcrypt_configure := \
--prefix "/" \ --prefix "/" \
--disable-doc \ --disable-doc \
--disable-static \ --disable-static \
--with-libgpg-error-prefix="$(INSTALL)" \ --with-gpg-error-prefix="$(INSTALL)" \
libgcrypt_target := $(MAKE_JOBS) \ libgcrypt_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \ DESTDIR="$(INSTALL)" \

View File

@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += libgpg-error modules-$(CONFIG_GPG2) += libgpg-error
libgpg-error_version := 1.47 libgpg-error_version := 1.46
libgpg-error_dir := libgpg-error-$(libgpg-error_version) libgpg-error_dir := libgpg-error-$(libgpg-error_version)
libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2
libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar)
libgpg-error_hash := 9e3c670966b96ecc746c28c2c419541e3bcb787d1a73930f5e5f5e1bcbbb9bdb libgpg-error_hash := b7e11a64246bbe5ef37748de43b245abd72cfcd53c9ae5e7fc5ca59f1c81268d
libgpg-error_configure := \ libgpg-error_configure := \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \

View File

@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += libksba modules-$(CONFIG_GPG2) += libksba
libksba_version := 1.6.4 libksba_version := 1.6.3
libksba_dir := libksba-$(libksba_version) libksba_dir := libksba-$(libksba_version)
libksba_tar := libksba-$(libksba_version).tar.bz2 libksba_tar := libksba-$(libksba_version).tar.bz2
libksba_url := https://gnupg.org/ftp/gcrypt/libksba/$(libksba_tar) libksba_url := https://gnupg.org/ftp/gcrypt/libksba/$(libksba_tar)
libksba_hash := bbb43f032b9164d86c781ffe42213a83bf4f2fee91455edfa4654521b8b03b6b libksba_hash := 3f72c68db30971ebbf14367527719423f0a4d5f8103fc9f4a1c01a9fa440de5c
libksba_configure := \ libksba_configure := \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
@ -13,7 +13,7 @@ libksba_configure := \
--host $(MUSL_ARCH)-linux-musl \ --host $(MUSL_ARCH)-linux-musl \
--prefix "/" \ --prefix "/" \
--disable-static \ --disable-static \
--with-libgpg-error-prefix="$(INSTALL)" \ --with-gpg-error-prefix="$(INSTALL)" \
libksba_target := $(MAKE_JOBS) \ libksba_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \ DESTDIR="$(INSTALL)" \

View File

@ -1,27 +0,0 @@
diff -u --recursive /home/tlaurion/build/clean/gnupg-2.2.10/configure gnupg-2.2.10/configure
--- /home/tlaurion/build/clean/gnupg-2.2.10/configure 2016-08-17 09:20:25.000000000 -0400
+++ gnupg-2.2.10/configure 2018-01-20 16:55:14.502067084 -0500
@@ -572,7 +572,7 @@
ac_clean_files=
ac_config_libobj_dir=.
LIBOBJS=
-cross_compiling=no
+cross_compiling=yes
subdirs=
MFLAGS=
MAKEFLAGS=
diff -u --recursive gnupg-2.2.10/common/ttyio.c gnupg-2.2.10/common/ttyio.c.mod
--- gnupg-2.2.10/common/ttyio.c 2017-08-28 06:22:54.000000000 -0400
+++ gnupg-2.2.10/common/ttyio.c.mod 2018-09-18 23:00:07.386250017 -0400
@@ -190,7 +190,9 @@
#elif defined (HAVE_W32CE_SYSTEM)
ttyfp = stderr;
#else
- ttyfp = batchmode? stderr : fopen (tty_get_ttyname (), "r+");
+ //ttyfp = batchmode? stderr : fopen( tty_get_ttyname (), "r+");
+ ttyfp = stderr;
+
if( !ttyfp ) {
log_error("cannot open '%s': %s\n", tty_get_ttyname (),
strerror(errno) );
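Review bot: this deletes the gnupg-2.2.10 patch (`cross_compiling=yes`, `ttyfp = stderr`) entirely, which the commit message does not mention. With the module now pinned to 2.4.0 the patch is presumably dead, but say so explicitly, and confirm that the 2.4.0 batch/loopback flows in oem-factory-reset do not still depend on the `ttyio.c` change.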

View File

@ -1,7 +1,7 @@
diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure diff -u -r libgcrypt-1.8.3-clean/configure libgcrypt-1.8.3/configure
--- libassuan-2.5.1-clean/configure 2017-12-07 06:55:50.000000000 -0800 --- libgcrypt-1.8.3-clean/configure 2018-06-13 00:39:33.000000000 -0700
+++ libassuan-2.5.1/configure 2020-01-12 13:39:50.655638965 -0800 +++ libgcrypt-1.8.3/configure 2020-01-12 13:32:34.840010800 -0800
@@ -10781,7 +10781,7 @@ @@ -11292,7 +11292,7 @@
version_type=linux # correct to gnu/linux during the next big refactor version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no need_lib_prefix=no
need_version=no need_version=no
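Review bot: this region is rendered as a modification turning a `libassuan-2.5.1` patch into a `libgcrypt-1.8.3` patch, i.e. the renderer paired a deleted and an added file as a rename. If these are two distinct patch files, describe the deletion and the addition separately in the commit message, and since neither version matches the module pins (`libassuan_version := 2.5.5`, `libgcrypt_version := 1.10.1`), say whether these patches are still applied to anything or are being carried as dead weight.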
@ -10,7 +10,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
if test "$host_cpu" = ia64; then if test "$host_cpu" = ia64; then
# AIX 5 supports IA64 # AIX 5 supports IA64
library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
@@ -11020,16 +11020,16 @@ @@ -11531,16 +11531,16 @@
;; ;;
freebsd3.[01]* | freebsdelf3.[01]*) freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes shlibpath_overrides_runpath=yes
@ -30,7 +30,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
;; ;;
esac esac
;; ;;
@@ -11042,7 +11042,7 @@ @@ -11553,7 +11553,7 @@
soname_spec='${libname}${release}${shared_ext}$major' soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no shlibpath_overrides_runpath=no
@ -39,7 +39,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
;; ;;
haiku*) haiku*)
@@ -11055,7 +11055,7 @@ @@ -11566,7 +11566,7 @@
shlibpath_var=LIBRARY_PATH shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=yes shlibpath_overrides_runpath=yes
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
@ -48,7 +48,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
;; ;;
hpux9* | hpux10* | hpux11*) hpux9* | hpux10* | hpux11*)
@@ -11067,7 +11067,7 @@ @@ -11578,7 +11578,7 @@
case $host_cpu in case $host_cpu in
ia64*) ia64*)
shrext_cmds='.so' shrext_cmds='.so'
@ -57,7 +57,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
dynamic_linker="$host_os dld.so" dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -11082,7 +11082,7 @@ @@ -11593,7 +11593,7 @@
;; ;;
hppa*64*) hppa*64*)
shrext_cmds='.sl' shrext_cmds='.sl'
@ -66,7 +66,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
dynamic_linker="$host_os dld.sl" dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -11115,7 +11115,7 @@ @@ -11626,7 +11626,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no shlibpath_overrides_runpath=no
@ -75,7 +75,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
;; ;;
irix5* | irix6* | nonstopux*) irix5* | irix6* | nonstopux*)
@@ -11152,7 +11152,7 @@ @@ -11663,7 +11663,7 @@
shlibpath_overrides_runpath=no shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
@ -84,7 +84,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
;; ;;
# No shared lib support for Linux oldld, aout, or coff. # No shared lib support for Linux oldld, aout, or coff.
@@ -11173,7 +11173,7 @@ @@ -11684,7 +11684,7 @@
# This implies no fast_install, which is unacceptable. # This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install # Some rework will be needed to allow for fast_install
# before this can be enabled. # before this can be enabled.
@ -93,7 +93,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
dynamic_linker='Android linker' dynamic_linker='Android linker'
# Don't embed -rpath directories since the linker doesn't support them. # Don't embed -rpath directories since the linker doesn't support them.
@@ -11228,7 +11228,7 @@ @@ -11739,7 +11739,7 @@
# This implies no fast_install, which is unacceptable. # This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install # Some rework will be needed to allow for fast_install
# before this can be enabled. # before this can be enabled.
@ -102,7 +102,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
# Append ld.so.conf contents to the search path # Append ld.so.conf contents to the search path
if test -f /etc/ld.so.conf; then if test -f /etc/ld.so.conf; then
@@ -11253,7 +11253,7 @@ @@ -11764,7 +11764,7 @@
soname_spec='${libname}${release}${shared_ext}$major' soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no shlibpath_overrides_runpath=no
@ -111,7 +111,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
dynamic_linker='NetBSD ld.elf_so' dynamic_linker='NetBSD ld.elf_so'
;; ;;
@@ -11272,7 +11272,7 @@ @@ -11783,7 +11783,7 @@
fi fi
shlibpath_var=LD_LIBRARY_PATH shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes shlibpath_overrides_runpath=yes
@ -120,7 +120,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
;; ;;
newsos6) newsos6)
@@ -11290,7 +11290,7 @@ @@ -11801,7 +11801,7 @@
soname_spec='${libname}${release}${shared_ext}$major' soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no shlibpath_overrides_runpath=no
@ -129,7 +129,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
dynamic_linker='ldqnx.so' dynamic_linker='ldqnx.so'
;; ;;
@@ -11352,7 +11352,7 @@ @@ -11863,7 +11863,7 @@
soname_spec='${libname}${release}${shared_ext}$major' soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes shlibpath_overrides_runpath=yes
@ -138,7 +138,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
# ldd complains unless libraries are executable # ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib' postinstall_cmds='chmod +x $lib'
;; ;;
@@ -11409,7 +11409,7 @@ @@ -11920,7 +11920,7 @@
soname_spec='${libname}${release}${shared_ext}$major' soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes shlibpath_overrides_runpath=yes
@ -147,7 +147,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
if test "$with_gnu_ld" = yes; then if test "$with_gnu_ld" = yes; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else else
@@ -11431,7 +11431,7 @@ @@ -11942,7 +11942,7 @@
library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
shlibpath_var=LD_LIBRARY_PATH shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no shlibpath_overrides_runpath=no
@ -156,7 +156,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
;; ;;
uts4*) uts4*)
@@ -15680,7 +15680,7 @@ @@ -19824,7 +19824,7 @@
postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`'
finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`'
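Review bot: the shift is no longer uniform from this hunk on: `@@ -15680,7 +15680,7 @@` moves to `@@ -19824,7 +19824,7 @@` (4144 lines) while the earlier hunks all moved by 511, and the next one moves by a different amount again; that is only possible if the target `configure` gained content between these hunks, i.e. the patch was regenerated against a differently generated `configure` (different autoconf/libtool output), not merely a shifted copy. Worth stating explicitly in the commit message or patch header which libassuan `configure` the new offsets correspond to, since a mismatch here fails the toolstack build silently late in the reproducible-build pipeline rather than at patch time if `patch` falls back to fuzzy matching.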
@ -165,7 +165,7 @@ diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure
sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`'
sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`'
hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`'
@@ -16896,7 +16896,7 @@ @@ -21088,7 +21088,7 @@
finish_eval=$lt_finish_eval finish_eval=$lt_finish_eval
# Whether we should hardcode library paths into libraries. # Whether we should hardcode library paths into libraries.