initial import

sbsigntool/PKGBUILD

@@ -0,0 +1,57 @@
+# Maintainer: Jesus E. <heckyel@riseup.net>
+
+# Based on sbsigntools package
+
+pkgname=sbsigntool
+pkgver=0.9.2
+_debver=0.9.2
+_debrel=2
+pkgrel=3
+pkgdesc="Tools to add signatures to EFI binaries and Drivers"
+arch=('x86_64' 'i686')
+url="https://tracker.debian.org/pkg/sbsigntool"
+license=('custom:GPL-3+OpenSSL-Linking-Exception')
+makedepends=('gnu-efi-libs' 'help2man' 'intltool' 'quilt')
+depends=('libutil-linux' 'libressl')
+replaces=('sbsigntools')
+conflicts=('sbsigntools')
+provides=('sbsigntools')
+source=("https://deb.debian.org/debian/pool/main/s/sbsigntool/sbsigntool_$pkgver.orig.tar.gz"
+	"https://deb.debian.org/debian/pool/main/s/sbsigntool/sbsigntool_$_debver-$_debrel.debian.tar.xz"
+        'libressl.patch')
+sha512sums=('5b27dea3678a41a09af3eb101c3bde2c561b25c9514dba261411f3f789ed3c998c5bc5401039717014527dd00a426d94d39b1f2c4b3cbc1a49c0067143ef0943'
+            'e2fe8eca518880ddf0c85317ead1de30b87e07a7a936d19ed36c50315030a52d990bc2873cbb45a12be516d6fd5c731bbb4503e4572399edb3c238edac28d1b5'
+            '9602831135773b34ee9264bd94bb6491d03965ce90b808b35721dceda65af46cd9e53b1e5422fae76da07f3ec1b0a77b8bc60a019012cef7f1b8395ffe040d19')
+
+prepare() {
+  cd "${pkgname}-${pkgver}"
+
+  if [[ ${pkgver%.*} = ${_debver%.*} ]]; then
+    # Debian patches
+    export QUILT_PATCHES=debian/patches
+    export QUILT_REFRESH_ARGS='-p ab --no-timestamps --no-index'
+    export QUILT_DIFF_ARGS='--no-timestamps'
+
+    mv "$srcdir"/debian .
+
+    quilt push -av
+  fi
+
+  patch -p1 -i ${srcdir}/libressl.patch
+  autoreconf -fiv
+}
+
+build() {
+  cd "${pkgname}-${pkgver}"
+
+  ./configure --prefix="/usr" --mandir="/usr/share/man" --sysconfdir="/etc"
+  make
+}
+
+package() {
+  cd "${pkgname}-${pkgver}"
+
+  make DESTDIR="${pkgdir}" install
+
+  install -Dm644 COPYING LICENSE.GPLv3 -t "${pkgdir}/usr/share/licenses/${pkgname}"
+}

sbsigntool/libressl.patch

@@ -0,0 +1,161 @@
+diff --git a/src/fileio.c b/src/fileio.c
+index 032eb1e..09bc3aa 100644
+--- a/src/fileio.c
++++ b/src/fileio.c
+@@ -40,6 +40,7 @@
+ #include <openssl/pem.h>
+ #include <openssl/err.h>
+ #include <openssl/engine.h>
++#include <openssl/ui.h>
+ 
+ #include <ccan/talloc/talloc.h>
+ #include <ccan/read_write_all/read_write_all.h>
+diff --git a/src/idc.c b/src/idc.c
+index 236cefd..18c670a 100644
+--- a/src/idc.c
++++ b/src/idc.c
+@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
+ 
+ 	/* extract the idc from the signed PKCS7 'other' data */
+ 	str = p7->d.sign->contents->d.other->value.asn1_string;
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	idcbuf = buf = ASN1_STRING_data(str);
++#else
++	idcbuf = buf = ASN1_STRING_get0_data(str);
++#endif
+ 	idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
+ 
+ 	/* If we were passed a BIO, write the idc data, minus type and length,
+@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
+ 	}
+ 
+ 	/* check hash against the one we calculated from the image */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	buf = ASN1_STRING_data(str);
++#else
++	buf = ASN1_STRING_get0_data(str);
++#endif
+ 	if (memcmp(buf, sha, sizeof(sha))) {
+ 		fprintf(stderr, "Hash doesn't match image\n");
+ 		fprintf(stderr, " got:       %s\n", sha256_str(buf));
+diff --git a/src/sbattach.c b/src/sbattach.c
+index a0c01b8..fe5a18e 100644
+--- a/src/sbattach.c
++++ b/src/sbattach.c
+@@ -231,6 +231,7 @@ int main(int argc, char **argv)
+ 		return EXIT_FAILURE;
+ 	}
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	ERR_load_crypto_strings();
+ 	OpenSSL_add_all_digests();
+ 	OPENSSL_config(NULL);
+@@ -239,6 +240,7 @@ int main(int argc, char **argv)
+ 	 * module isn't present).  In either case ignore the errors
+ 	 * (malloc will cause other failures out lower down */
+ 	ERR_clear_error();
++#endif
+ 
+ 	image = image_load(image_filename);
+ 	if (!image) {
+diff --git a/src/sbkeysync.c b/src/sbkeysync.c
+index 7b17f40..753ca52 100644
+--- a/src/sbkeysync.c
++++ b/src/sbkeysync.c
+@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
+ 		goto out;
+ 
+ 	key->id_len = ASN1_STRING_length(serial);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
++#else
++	key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
++#endif
+ 
+ 	key->description = talloc_array(key, char, description_len);
+ 	X509_NAME_oneline(X509_get_subject_name(x509),
+@@ -927,6 +931,7 @@ int main(int argc, char **argv)
+ 		return EXIT_FAILURE;
+ 	}
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	ERR_load_crypto_strings();
+ 	OpenSSL_add_all_digests();
+ 	OpenSSL_add_all_ciphers();
+@@ -936,6 +941,7 @@ int main(int argc, char **argv)
+ 	 * module isn't present).  In either case ignore the errors
+ 	 * (malloc will cause other failures out lower down */
+ 	ERR_clear_error();
++#endif
+ 
+ 	ctx->filesystem_keys = init_keyset(ctx);
+ 	ctx->firmware_keys = init_keyset(ctx);
+diff --git a/src/sbsign.c b/src/sbsign.c
+index ff1fdfd..5754113 100644
+--- a/src/sbsign.c
++++ b/src/sbsign.c
+@@ -188,6 +188,7 @@ int main(int argc, char **argv)
+ 
+ 	talloc_steal(ctx, ctx->image);
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	ERR_load_crypto_strings();
+ 	OpenSSL_add_all_digests();
+ 	OpenSSL_add_all_ciphers();
+@@ -197,6 +198,7 @@ int main(int argc, char **argv)
+ 	 * module isn't present).  In either case ignore the errors
+ 	 * (malloc will cause other failures out lower down */
+ 	ERR_clear_error();
++#endif
+ 	if (engine)
+ 		pkey = fileio_read_engine_key(engine, keyfilename);
+ 	else
+diff --git a/src/sbvarsign.c b/src/sbvarsign.c
+index ebf625c..43a1a61 100644
+--- a/src/sbvarsign.c
++++ b/src/sbvarsign.c
+@@ -509,6 +509,7 @@ int main(int argc, char **argv)
+ 		return EXIT_FAILURE;
+ 	}
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	/* initialise openssl */
+ 	OpenSSL_add_all_digests();
+ 	OpenSSL_add_all_ciphers();
+@@ -519,6 +520,7 @@ int main(int argc, char **argv)
+ 	 * module isn't present).  In either case ignore the errors
+ 	 * (malloc will cause other failures out lower down */
+ 	ERR_clear_error();
++#endif
+ 
+ 	/* set up the variable signing context */
+ 	varname = argv[optind];
+diff --git a/src/sbverify.c b/src/sbverify.c
+index 3920d91..3d9c0a1 100644
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -56,7 +56,7 @@
+ #include <openssl/pem.h>
+ #include <openssl/x509v3.h>
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+ #define X509_OBJECT_get_type(obj) ((obj)->type)
+ #define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+@@ -250,6 +250,7 @@ int main(int argc, char **argv)
+ 	verbose = false;
+ 	detached_sig_filename = NULL;
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 	OpenSSL_add_all_digests();
+ 	ERR_load_crypto_strings();
+ 	OPENSSL_config(NULL);
+@@ -258,6 +259,7 @@ int main(int argc, char **argv)
+ 	 * module isn't present).  In either case ignore the errors
+ 	 * (malloc will cause other failures out lower down */
+ 	ERR_clear_error();
++#endif
+ 
+ 	for (;;) {
+ 		int idx;