From 2d349e915aa7a26d5d41c3dcdea597195ed26948 Mon Sep 17 00:00:00 2001

From: Jes Sorensen <jsorensen@fb.com>

Date: Fri, 3 Apr 2020 16:26:06 -0400

Subject: [PATCH 19/33] rpmsign: Handle --certpath for signing certificate

fsverirty needs a certificate for signing, in addition to the signing key.

Signed-off-by: Jes Sorensen <jsorensen@fb.com>

---

 rpmsign.c | 12 ++++++++++++

 1 file changed, 12 insertions(+)

diff --git a/rpmsign.c b/rpmsign.c

index 94cbf1d1a..074dd8b13 100644

--- a/rpmsign.c

+++ b/rpmsign.c

@@ -22,6 +22,9 @@ static int mode = MODE_NONE;

 static int fskpass = 0;

 static char * fileSigningKey = NULL;

 #endif

+#ifdef WITH_FSVERITY

+static char * fileSigningCert = NULL;

+#endif

 static struct rpmSignArgs sargs = {NULL, 0, 0};

@@ -44,6 +47,9 @@ static struct poptOption signOptsTable[] = {

     { "signverity", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR),

 	&sargs.signflags, RPMSIGN_FLAG_FSVERITY,

 	N_("generate fsverity signatures for package(s) files"), NULL},

+    { "certpath", '\0', POPT_ARG_STRING, &fileSigningCert, 0,

+	N_("use file signing cert <cert>"),

+	N_("<cert>") },

 #endif

 #if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)

     { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,

@@ -123,6 +129,12 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)

 	rpmPushMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);

     }

+#ifdef WITH_FSVERITY

+    if (fileSigningCert) {

+	rpmPushMacro(NULL, "_file_signing_cert", NULL, fileSigningCert, RMIL_GLOBAL);

+    }

+#endif

+

     if (flags_sign_files(sargs->signflags)) {

 	char *fileSigningKeyPassword = NULL;

 	char *key = rpmExpand("%{?_file_signing_key}", NULL);

-- 

2.13.5