Updated livepatch macros and template to preserve signatures. (#3954)

* livepatch: updating macros and template to preserve signatures.

* validate-cg-manifest.sh: ignore 'SPECS-SIGNED'.

.github/workflows/validate-cg-manifest.sh

@@ -52,14 +52,6 @@ ignore_no_source_tarball=" \
   web-assets \
   "
 
-# Specs for signed packages. Their unsigned versions should already be included in the manifest.
-ignore_signed_package=" \
-  grub2-efi-binary-signed-aarch64 \
-  grub2-efi-binary-signed-x86_64 \
-  kernel-signed-aarch64 \
-  kernel-signed-x86_64 \
-  shim"
-
 # Specs where cgmanifest validation has known issues checking URLs.
 ignore_known_issues=" \
   virglrenderer"
@@ -90,6 +82,13 @@ do
   spec="$WORK_DIR/$(basename "$original_spec")"
   cp "$original_spec" "$spec"
 
+  # Skipping specs for signed packages. Their unsigned versions should already be included in the manifest.
+  if echo "$original_spec" | grep -q "SPECS-SIGNED"
+  then
+    echo "    $spec is being ignored (reason: signed package), skipping"
+    continue
+  fi
+
   # Pre-processing alternate sources (commented-out "Source" lines with full URLs), if present. Currently we only care about the first source.
   # First, we replace "%%" with "%" in the alternate source's line.
   sed -Ei "/^#\s*Source0?:.*%%.*/s/%%/%/g" "$spec"
@@ -108,9 +107,9 @@ do
   fi
 
   # Skipping specs from the ignore lists.
-  if echo "$ignore_multiple_sources $ignore_signed_package $ignore_no_source_tarball $ignore_known_issues" | grep -P "(^|\s)$name($|\s)" > /dev/null
+  if echo "$ignore_multiple_sources $ignore_no_source_tarball $ignore_known_issues" | grep -qP "(^|\s)$name($|\s)"
   then
-    echo "    $name is being ignored, skipping"
+    echo "    $name is being ignored (reason: explicitly ignored package), skipping"
     continue
   fi
 

SPECS/mariner-rpm-macros/macros

@@ -64,17 +64,21 @@
 %_use_internal_dependency_generator 1
 %_build_id_links alldebug
 
-%__os_install_post    \
+%__os_install_post_leave_signatures    \
     %{_rpmconfigdir}/brp-compress \
-    %{_rpmconfigdir}/brp-strip %{__strip} \
-    %{_rpmconfigdir}/brp-strip-debug-symbols %{__strip} \
     %{_rpmconfigdir}/brp-strip-comment-note %{__strip} %{__objdump} \
-    %{_rpmconfigdir}/brp-strip-unneeded %{__strip} \
     %{_rpmconfigdir}/brp-strip-static-archive %{__strip} \
     %{?py_auto_byte_compile:%{?__brp_python_bytecompile}} \
     find %{buildroot} -name "*.pc" | xargs -I{} sed -i -e 's@-Wl,-dT,%{_topdir}/BUILD/module_info.ld@ @' {} \
     %{nil}
 
+%__os_install_post    \
+    %{__os_install_post_leave_signatures} \
+    %{_rpmconfigdir}/brp-strip %{__strip} \
+    %{_rpmconfigdir}/brp-strip-debug-symbols %{__strip} \
+    %{_rpmconfigdir}/brp-strip-unneeded %{__strip} \
+    %{nil}
+
 %install %{?_enable_debug_packages:%{?buildsubdir:%{debug_package}}}\
 %%install\
 %{nil}

SPECS/mariner-rpm-macros/mariner-rpm-macros.signatures.json

@@ -10,7 +10,7 @@
   "gen-ld-script.sh": "894b394f376dae7be23c314b79f31772aa40a24895122242abd7a178aea9cade",
   "generate-package-note.py": "bd76a8e88a1356fed74863c38e5cf6a20c1c26426ac94ba21dd172578e8ca2a2",
   "gpgverify": "db0e050f56b694497d70603a6f5c17dd60ddbcf7cee670616851cd389f6767c4",
-  "macros": "d24f63ec2ee9f58db2298375cda29c2df884a4968d7cb1c58b64930646fd270f",
+  "macros": "469c67da587224cad8a19f0170ccf2190a2f3118fdf7ef9ecb60ee2ed394660a",
   "macros.check": "79367176c3c7d10c0158b6e5d881e0fc3c8fd50c5957dad2f097c2d4a37833e7",
   "macros.fonts": "f52edc646414c5dd0f5f4cdd570f2f9dbe6fb97d4f0db360908deb56d96492f8",
   "macros.forge": "8785fe3de4570d6b78dc40aa2f0a4124ce1ddb6282fe3060fb0ae2001178abe6",

SPECS/mariner-rpm-macros/mariner-rpm-macros.spec

@@ -6,7 +6,7 @@
 Summary:        Mariner specific rpm macro files
 Name:           mariner-rpm-macros
 Version:        2.0
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        GPL+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -121,6 +121,9 @@ install -p -m 644 -t %{buildroot}%{rcluadir}/srpm forge.lua
 %{_rpmconfigdir}/macros.d/macros.check
 
 %changelog
+* Fri Oct 07 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.0-17
+- Adding macro to skip stripping of signatures.
+
 * Fri Jun 10 2022 Rachel Menge <rachelmenge@microsoft.com> - 2.0-16
 - Modify macros to depend on other macros
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -207,8 +207,8 @@ pcre-8.45-2.cm2.aarch64.rpm
 pcre-libs-8.45-2.cm2.aarch64.rpm
 lua-5.4.3-4.cm2.aarch64.rpm
 lua-libs-5.4.3-4.cm2.aarch64.rpm
-mariner-rpm-macros-2.0-16.cm2.noarch.rpm
-mariner-check-macros-2.0-16.cm2.noarch.rpm
+mariner-rpm-macros-2.0-17.cm2.noarch.rpm
+mariner-check-macros-2.0-17.cm2.noarch.rpm
 libassuan-2.5.5-2.cm2.aarch64.rpm
 libassuan-devel-2.5.5-2.cm2.aarch64.rpm
 libgpg-error-1.43-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -207,8 +207,8 @@ pcre-8.45-2.cm2.x86_64.rpm
 pcre-libs-8.45-2.cm2.x86_64.rpm
 lua-5.4.3-4.cm2.x86_64.rpm
 lua-libs-5.4.3-4.cm2.x86_64.rpm
-mariner-rpm-macros-2.0-16.cm2.noarch.rpm
-mariner-check-macros-2.0-16.cm2.noarch.rpm
+mariner-rpm-macros-2.0-17.cm2.noarch.rpm
+mariner-check-macros-2.0-17.cm2.noarch.rpm
 libassuan-2.5.5-2.cm2.x86_64.rpm
 libassuan-devel-2.5.5-2.cm2.x86_64.rpm
 libgpg-error-1.43-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -225,7 +225,7 @@ m4-1.4.19-1.cm2.aarch64.rpm
 m4-debuginfo-1.4.19-1.cm2.aarch64.rpm
 make-4.3-2.cm2.aarch64.rpm
 make-debuginfo-4.3-2.cm2.aarch64.rpm
-mariner-check-macros-2.0-16.cm2.noarch.rpm
+mariner-check-macros-2.0-17.cm2.noarch.rpm
 mariner-repos-2.0-8.cm2.noarch.rpm
 mariner-repos-debug-2.0-8.cm2.noarch.rpm
 mariner-repos-debug-preview-2.0-8.cm2.noarch.rpm
@@ -239,7 +239,7 @@ mariner-repos-microsoft-2.0-8.cm2.noarch.rpm
 mariner-repos-microsoft-preview-2.0-8.cm2.noarch.rpm
 mariner-repos-preview-2.0-8.cm2.noarch.rpm
 mariner-repos-shared-2.0-8.cm2.noarch.rpm
-mariner-rpm-macros-2.0-16.cm2.noarch.rpm
+mariner-rpm-macros-2.0-17.cm2.noarch.rpm
 meson-0.60.2-2.cm2.noarch.rpm
 mpfr-4.1.0-1.cm2.aarch64.rpm
 mpfr-debuginfo-4.1.0-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -225,7 +225,7 @@ m4-1.4.19-1.cm2.x86_64.rpm
 m4-debuginfo-1.4.19-1.cm2.x86_64.rpm
 make-4.3-2.cm2.x86_64.rpm
 make-debuginfo-4.3-2.cm2.x86_64.rpm
-mariner-check-macros-2.0-16.cm2.noarch.rpm
+mariner-check-macros-2.0-17.cm2.noarch.rpm
 mariner-repos-2.0-8.cm2.noarch.rpm
 mariner-repos-debug-2.0-8.cm2.noarch.rpm
 mariner-repos-debug-preview-2.0-8.cm2.noarch.rpm
@@ -239,7 +239,7 @@ mariner-repos-microsoft-2.0-8.cm2.noarch.rpm
 mariner-repos-microsoft-preview-2.0-8.cm2.noarch.rpm
 mariner-repos-preview-2.0-8.cm2.noarch.rpm
 mariner-repos-shared-2.0-8.cm2.noarch.rpm
-mariner-rpm-macros-2.0-16.cm2.noarch.rpm
+mariner-rpm-macros-2.0-17.cm2.noarch.rpm
 meson-0.60.2-2.cm2.noarch.rpm
 mpfr-4.1.0-1.cm2.x86_64.rpm
 mpfr-debuginfo-4.1.0-1.cm2.x86_64.rpm

toolkit/scripts/livepatching/template_livepatch-signed.spec

@@ -1,11 +1,16 @@
+# The default %%__os_install_post macro ends up stripping the signatures off of the kernel module.
+%define __os_install_post %{__os_install_post_leave_signatures} %{nil}
+
 %global debug_package %{nil}
 
 %define kernel_version_release @KERNEL_VERSION_RELEASE@
 %define kernel_version %(echo %{kernel_version_release} | grep -oP "^[^-]+")
 %define kernel_release %(echo %{kernel_version_release} | grep -oP "(?<=-).+")
 
+%define livepatch_unsigned_name livepatch-%{kernel_version_release}
+
 # Kpatch module names allow only alphanumeric characters and '_'.
-%define livepatch_name %(value="%{name}-%{version}-%{release}"; echo "${value//[^a-zA-Z0-9_]/_}")
+%define livepatch_name %(value="%{livepatch_unsigned_name}-%{version}-%{release}"; echo "${value//[^a-zA-Z0-9_]/_}")
 %define livepatch_install_dir %{_libdir}/livepatching/%{kernel_version_release}
 %define livepatch_module_name %{livepatch_name}.ko
 %define livepatch_module_path %{livepatch_install_dir}/%{livepatch_module_name}
@@ -43,7 +48,7 @@ then \
 fi
 
 Summary:        Set of livepatches for kernel %{kernel_version_release}
-Name:           livepatch-%{kernel_version_release}
+Name:           %{livepatch_unsigned_name}-signed
 Version:        1.0.0
 Release:        @RELEASE_TAG@
 License:        MIT
@@ -55,6 +60,12 @@ Source0:        https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/ro
 
 ExclusiveArch:  x86_64
 
+%description
+@DESCRIPTION@
+
+%package -n     %{livepatch_unsigned_name}
+Summary:        %{summary}
+
 Requires:       coreutils
 Requires:       livepatching-filesystem
 
@@ -65,32 +76,32 @@ Requires(preun): kpatch
 
 Provides:       livepatch = %{kernel_version_release}
 
-%description
+%description -n %{livepatch_unsigned_name}
 @DESCRIPTION@
 
 %install
 install -dm 755 %{buildroot}%{livepatch_install_dir}
 install -m 744 %{SOURCE0} %{buildroot}%{livepatch_module_path}
 
-%post
+%post -n %{livepatch_unsigned_name}
 %load_if_should
 %install_if_should
 
-%preun
+%preun -n %{livepatch_unsigned_name}
 %uninstall_if_should
 %unload_if_should
 
 # Re-enable patch on rollbacks to supported kernel.
-%triggerin -- kernel = %{kernel_version_release}
+%triggerin -n %{livepatch_unsigned_name} -- kernel = %{kernel_version_release}
 %load_if_should
 %install_if_should
 
 # Prevent the patch from being loaded after a reboot to a different kernel.
 # Previous kernel is still running, do NOT unload the livepatch.
-%triggerin -- kernel > %{kernel_version_release}, kernel < %{kernel_version_release}
+%triggerin -n %{livepatch_unsigned_name} -- kernel > %{kernel_version_release}, kernel < %{kernel_version_release}
 %uninstall_if_should
 
-%files
+%files -n %{livepatch_unsigned_name}
 %defattr(-,root,root)
 %dir %{livepatch_install_dir}
 %{livepatch_module_path}