#!/bin/sh
# $Id: pesign.SlackBuild,v 1.4 2021/11/30 18:25:05 root Exp root $
# Copyright 2021 Eric Hameleers, Eindhoven, NL
# All rights reserved.
#
# Permission to use, copy, modify, and distribute this software for
# any purpose with or without fee is hereby granted, provided that
# the above copyright notice and this permission notice appear in all
# copies.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# -----------------------------------------------------------------------------
#
# Slackware SlackBuild script
# ===========================
# By: Eric Hameleers <alien@slackware.com>
# For: pesign
# Descr: tools for manipulating signed pe-coff binaries
# URL: https://github.com/rhboot/pesign
# Build needs:
# Needs: on Slackware 14.2:
# * 'daemon' package if you want to use rc.pesign
# * 'efivar' package (present in Slackware 15.0 and newer)
# Changelog:
# 113-1: 01/aug/2021 by Eric Hameleers <alien@slackware.com>
# * Initial build.
#
# Run 'sh pesign.SlackBuild' to build a Slackware package.
# The package (.t?z) and .txt file as well as build logs are created in /tmp .
# Install the package using 'installpkg' or 'upgradepkg --install-new'.
#
# -----------------------------------------------------------------------------
PRGNAM=pesign
VERSION=${VERSION:-113}
BUILD=${BUILD:-1}
NUMJOBS=${NUMJOBS:-" -j$(nproc) "}
TAG=${TAG:-alien}
DOCS="COPYING README TODO"
# Account numbers as registered in https://slackbuilds.org/uid_gid.txt :
PESIGNUID=369
PESIGNGID=369
# Where do we look for sources?
SRCDIR=$(cd $(dirname $0); pwd)
# Place to build (TMP) package (PKG) and output (OUTPUT) the program:
TMP=${TMP:-/tmp/build}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
SOURCE="$SRCDIR/${PRGNAM}-${VERSION}.tar.gz"
SRCURL="https://github.com/rhboot/${PRGNAM}/archive/${VERSION}.tar.gz"
##
## --- with a little luck, you won't have to edit below this point --- ##
##
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
case "$(uname -m)" in
i?86) ARCH=i586 ;;
arm*) readelf /usr/bin/file -A | egrep -q "Tag_CPU.*[4,5]" && ARCH=arm || ARCH=armv7hl ;;
# Unless $ARCH is already set, use uname -m for all other archs:
*) ARCH=$(uname -m) ;;
esac
export ARCH
fi
# Set CFLAGS/CXXFLAGS and LIBDIRSUFFIX:
case "$ARCH" in
i?86) SLKCFLAGS="-O2 -march=${ARCH} -mtune=i686"
SLKLDFLAGS=""; LIBDIRSUFFIX=""
;;
x86_64) SLKCFLAGS="-O2 -fPIC"
SLKLDFLAGS="-L/usr/lib64"; LIBDIRSUFFIX="64"
;;
armv7hl) SLKCFLAGS="-O2 -march=armv7-a -mfpu=vfpv3-d16"
SLKLDFLAGS=""; LIBDIRSUFFIX=""
;;
*) SLKCFLAGS=${SLKCFLAGS:-"-O2"}
SLKLDFLAGS=${SLKLDFLAGS:-""}; LIBDIRSUFFIX=${LIBDIRSUFFIX:-""}
;;
esac
case "$ARCH" in
arm*) TARGET=$ARCH-slackware-linux-gnueabi ;;
*) TARGET=$ARCH-slackware-linux ;;
esac
# Exit the script on errors:
set -e
trap 'echo "$0 FAILED at line ${LINENO}" | tee $OUTPUT/error-${PRGNAM}.log' ERR
# Catch unitialized variables:
set -u
P1=${1:-1}
# Save old umask and set to 0022:
_UMASK_=$(umask)
umask 0022
# Create working directories:
mkdir -p $OUTPUT # place for the package to be saved
mkdir -p $TMP/tmp-$PRGNAM # location to build the source
mkdir -p $PKG # place for the package to be built
rm -rf $PKG/* # always erase old package's contents
rm -rf $TMP/tmp-$PRGNAM/* # remove the remnants of previous build
rm -rf $OUTPUT/{checkout,configure,make,install,error,makepkg,patch}-$PRGNAM.log
# remove old log files
# Source file availability:
if ! [ -f ${SOURCE} ]; then
echo "Source '$(basename ${SOURCE})' not available yet..."
# Check if the $SRCDIR is writable at all - if not, download to $OUTPUT
[ -w "$SRCDIR" ] || SOURCE="$OUTPUT/$(basename $SOURCE)"
if [ -f ${SOURCE} ]; then echo "Ah, found it!"; continue; fi
if ! [ "x${SRCURL}" == "x" ]; then
echo "Will download file to $(dirname $SOURCE)"
wget --no-check-certificate -nv -T 20 -O "${SOURCE}" "${SRCURL}" || true
if [ $? -ne 0 -o ! -s "${SOURCE}" ]; then
echo "Downloading '$(basename ${SOURCE})' failed... aborting the build."
mv -f "${SOURCE}" "${SOURCE}".FAIL
exit 1
fi
else
echo "File '$(basename ${SOURCE})' not available... aborting the build."
exit 1
fi
fi
if [ "$P1" == "--download" ]; then
echo "Download complete."
exit 0
fi
# --- PACKAGE BUILDING ---
echo "++"
echo "|| $PRGNAM-$VERSION"
echo "++"
cd $TMP/tmp-$PRGNAM
echo "Extracting the source archive(s) for $PRGNAM..."
tar -xvf ${SOURCE}
cd ${PRGNAM}-${VERSION}
# Compile breaks because of '-Werror':
sed -i Make.defaults -e 's/\-Werror//g'
touch $OUTPUT/patch-${PRGNAM}.log
# Fix compile with nss-3.44:
# https://github.com/rhboot/pesign/commit/b535d1ac5cbcdf18a97d97a92581e38080d9e521.patch
cat $SRCDIR/patches/pesign_nss344.patch | patch -p1 --verbose \
2>&1 | tee -a $OUTPUT/patch-${PRGNAM}.log
# Fix a wrong assignment:
# https://github.com/rhboot/pesign/commit/c555fd74c009242c3864576bd5f17a1f8f4fdffd.patch
cat $SRCDIR/patches/pesign_sigtype.patch | patch -p1 --verbose \
2>&1 | tee -a $OUTPUT/patch-${PRGNAM}.log
chown -R root:root .
chmod -R u+w,go+r-w,a+rX-st .
echo Building ...
export LDFLAGS="$SLKLDFLAGS"
export CXXFLAGS="$SLKCFLAGS"
export CFLAGS="$SLKCFLAGS"
make $NUMJOBS 2>&1 | tee $OUTPUT/make-${PRGNAM}.log
make DESTDIR=$PKG install \
VERSION=${VERSION} \
docdir=/usr/doc \
libdir=/usr/lib${LIBDIRSUFFIX} \
libexecdir=/usr/libexec \
mandir=/usr/man/ \
2>&1 | tee $OUTPUT/install-${PRGNAM}.log
# Install a Slackware boot script for the PE signing daemon:
install -Dm0644 src/pesign.sysvinit $PKG/etc/rc.d/rc.pesign.new
# Remove cruft:
rm -rf $PKG/etc/pki/pesign-* $PKG/etc/popt.d $PKG/etc/rpm
# Remove /var/run/pesign - it's on a tmpfs so will not survive reboot.
# Also, rc.pesign creates it every boot anyway:
rm -rf $PKG/var
# Don't clobber configuration files:
mv -i $PKG/etc/pesign/groups{,.new}
mv -i $PKG/etc/pesign/users{,.new}
# Add this to the doinst.sh:
mkdir -p $PKG/install
cat <<EOINS >> $PKG/install/doinst.sh
# Handle the incoming configuration files:
config() {
for infile in \$1; do
NEW="\$infile"
OLD="\$(dirname \$NEW)/\$(basename \$NEW .new)"
# If there's no config file by that name, mv it over:
if [ ! -r \$OLD ]; then
mv \$NEW \$OLD
elif [ "\$(cat \$OLD | md5sum)" = "\$(cat \$NEW | md5sum)" ]; then
# toss the redundant copy
rm \$NEW
fi
# Otherwise, we leave the .new copy for the admin to consider...
done
}
preserve_perms() {
NEW="\$1"
OLD="\$(dirname \$NEW)/\$(basename \$NEW .new)"
if [ -e \$OLD ]; then
cp -a \$OLD \${NEW}.incoming
cat \$NEW > \${NEW}.incoming
mv \${NEW}.incoming \$NEW
fi
config \$NEW
}
preserve_perms etc/rc.d/rc.pesign.new
config etc/pesign/groups.new
config etc/pesign/users.new
# Create 'pesign' user and group on target host:
chroot . \
getent group pesign > /dev/null || \
/usr/sbin/groupadd -g ${PESIGNGID} -r pesign 2>/dev/null
chroot . \
getent passwd pesign > /dev/null || \
/usr/sbin/useradd -c "PE signing daemon" -g pesign \
-s /bin/bash -u ${PESIGNUID} -r pesign 2>/dev/null
# Give the NSS database directory proper ownership:
chroot . \
chown pesign:pesign etc/pki/pesign
# Pesign does not come with a preconfigured NSS database. On startup, pesign
# would abort with error "pesign could not open nss database: bad database".
# If none exists yet, create an initial empty database without password.
# NOTE: for production usage you would set a password on this database
# using the command "certutil -d sql:/etc/pki/pesign -W"!
if [ ! -f etc/pki/pesign/cert?*.db ]; then
chroot . \
su - pesign -c "certutil -N -d sql:/etc/pki/pesign --empty-password"
fi
# Update rc.local so that pesign will be started on boot:
if ! grep -q "rc.pesign" etc/rc.d/rc.local ; then
cat <<_EOM_ >> etc/rc.d/rc.local
if [ -x /etc/rc.d/rc.pesign ]; then
# Start PE signing daemon:
echo "Starting PE signing daemon: /etc/rc.d/rc.pesign start"
/etc/rc.d/rc.pesign start
fi
_EOM_
fi
EOINS
# Add documentation:
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
cp -a $DOCS $PKG/usr/doc/$PRGNAM-$VERSION || true
cat $SRCDIR/$(basename $0) > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
chown -R root:root $PKG/usr/doc/$PRGNAM-$VERSION
find $PKG/usr/doc -type f -exec chmod 644 {} \;
# Compress the man page(s):
if [ -d $PKG/usr/man ]; then
find $PKG/usr/man -type f -name "*.?" -exec gzip -9f {} \;
for i in $(find $PKG/usr/man -type l -name "*.?") ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
fi
# Strip binaries (if any):
find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
# Add a package description:
mkdir -p $PKG/install
cat $SRCDIR/slack-desc > $PKG/install/slack-desc
# Build the package:
cd $PKG
makepkg --linkadd y --chown n $OUTPUT/${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.${PKGTYPE:-txz} 2>&1 | tee $OUTPUT/makepkg-${PRGNAM}.log
cd $OUTPUT
md5sum ${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.${PKGTYPE:-txz} > ${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.${PKGTYPE:-txz}.md5
cd -
cat $PKG/install/slack-desc | grep "^${PRGNAM}" > $OUTPUT/${PRGNAM}-${VERSION}-${ARCH}-${BUILD}${TAG}.txt
# Restore the original umask:
umask ${_UMASK_}