Githubactions: Fix hardening check for Fedora binaries

Yubico · Dec 3, 2024 · 43a143f · 43a143f
1 parent 07f3992
commit 43a143f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 12 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -348,7 +348,7 @@ jobs:
             # enable the epel repository for centos
             yum install -y epel-release
           fi
-          yum install -y checksec procps-ng jq file which curl
+          yum install -y procps-ng jq file which curl
 
       - name: build release
         working-directory: yubihsm-shell
@@ -393,16 +393,18 @@ jobs:
         run: |
           yum install -y ./yubihsm-shell-*.rpm
 
-#      - name: check binaries for hardening
-#        run: |
-#          cs() {
-#            checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1"
-#          }
-#          if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi
-#          if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi
-#          if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi
-#          if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi
-#          if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi
+      - name: check binaries for hardening
+        run: |
+          curl -o checksec.sh-2.5.0.tar.gz -L https://github.com/slimm609/checksec.sh/archive/refs/tags/2.5.0.tar.gz
+          tar xfz checksec.sh-2.5.0.tar.gz
+          cs() {
+            checksec-2.5.0/checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1"
+          }
+          if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi
+          if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi
+          if [ "`cs nx`" != "yes" ]; then echo "nx is `cs nx`"; exit 1; fi
+          if [ "`cs pie`" != "yes" ]; then echo "pie is `cs pie`"; exit 1; fi
+          if [ "`cs fortify_source`" != "yes" ]; then echo "fortify_source is `cs fortify_source`"; exit 1; fi
 
 
       - name: upload artifacts

diff --git a/ykhsmauth/CMakeLists.txt b/ykhsmauth/CMakeLists.txt
@@ -24,7 +24,11 @@ if(WIN32)
     set(SOURCE ${SOURCE} ${CMAKE_CURRENT_BINARY_DIR}/version.rc)
 endif(WIN32)
 
-include_directories (${LIBPCSC_INCLUDEDIR})
+include_directories (
+  ${LIBPCSC_INCLUDEDIR}
+)
+
+# Uncomment this for Ubuntu 24.10 and higher and Fedora 41 and higher
 #SET(CMAKE_C_FLAGS  "${CMAKE_C_FLAGS} ${LIBPCSC_CFLAGS}")
 
 add_library (ykhsmauth SHARED ${SOURCE})