From cd6077c83de13932d7b62abecb59dbaace9d64bb Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Sun, 1 Dec 2019 02:03:15 +0300
Subject: [PATCH] test libressl, step 1
---
 kernel.spec | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/kernel.spec b/kernel.spec
index 6b69850..4e4a4ef 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -11,7 +11,7 @@
 %define sublevel 11
 
 # Release number. Increase this before a rebuild.
-%define rpmrel 5
+%define rpmrel 6
 %define fullrpmrel %{rpmrel}
 
 %define rpmtag %{disttag}
@@ -252,8 +252,11 @@ BuildRequires: pkgconfig(libcrypto)
 %endif
 
 %if %{enhanced_security}
-# To generate keys
-BuildRequires: openssl
+# (To generate keys)
+# LibreSSL has GOST support without making additional configuration that
+# OpenSSL requires and which is not possible to be done inside a spec file
+# because editing /etc/pki/tls/openssl.cnf is not possible.
+BuildRequires: libressl
 # To verify signatures (find, xargs, hexdump)
 BuildRequires: findutils util-linux
 %endif
@@ -795,7 +798,7 @@ echo CONFIG_MODULE_SIG_FORCE=n >> .config
 echo CONFIG_MODULE_SIG_ALL=y >> .config
 # Use SHA-512 algo
 echo CONFIG_MODULE_SIG_SHA512=y >> .config
-# Set path to the key that will be generated later by openssl
+# Set path to the key that will be generated later by openssl/libressl
 echo CONFIG_MODULE_SIG_KEY=\"%{certs_signing_key_rnd}\" >> .config
 # Set path to one PEM file with all keys that the kernel must trust
 sed -i '/CONFIG_SYSTEM_TRUSTED_KEYS/d' .config
@@ -923,7 +926,7 @@ authorityKeyIdentifier=keyid
 EOF
 cat "%{certs_key_config_rnd}"
 
-openssl req -new -nodes -utf8 -batch -x509 \
+libressl req -new -nodes -utf8 -batch -x509 \
 	-days 109500 \
 	-config "%{certs_key_config_rnd}" \
 	-outform PEM \
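Review bot: The new comment above `BuildRequires: libressl` says why OpenSSL was dropped but not which key or digest algorithm the generated signing key is expected to use, and the third hunk's context still sets `CONFIG_MODULE_SIG_SHA512=y`, so a reader cannot tell from the spec whether GOST is actually in effect for module signatures. The hunk header also shows `BuildRequires: pkgconfig(libcrypto)`, so the kernel's own signing helpers are presumably still built against a different libcrypto than the tool that creates the key. If that split is intended, state it next to the dependency, e.g. `# Key is generated with the libressl CLI; kernel build tools still link against pkgconfig(libcrypto)`. The comment in the third hunk (`generated later by openssl/libressl`) should then name only the tool that is really used.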
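Review bot: The switched `libressl req` line keeps `-nodes`, so the module-signing private key is still written unencrypted into the build tree, and nothing visible in this hunk restricts its permissions or removes it after signing. The command continues past the end of the hunk, so that handling may exist further down. I would document the expectation directly above the call, e.g. `# Private key is unencrypted (-nodes): keep it inside the build dir and never package it`. The command name `libressl` also appears to depend on how the distribution packages LibreSSL, so a single macro such as `%define keygen_tool libressl`, used here and referenced in the `BuildRequires` comment, would keep the two places in sync.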