[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#821051: [PATCH v3] Add byhand script to perform code signing for secure boot

Publish the signature of packages automatically when the package is processed based on previous
package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepare a ${package}-code-sign_${version}_${arch}.tar.xz with all the efi images
and/or linux modules. When processing the package from the queue, the byhand-code-sign script
is called, read this .tar.xz package, sign all the efi or modules inside it and publish another
${package}-code-sign_${version}_${arch}_sigs.tar.xz at $ftpdir/dists/$suitedir/main/code-sign/
This signature are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed,
grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: this causes a delay between publishing embargoed updates and publishing *-signed packages that can
be a problem since we avoid to leak the existence of a security flaw before its fix has being released.
The proposed solution for this is by making dak to publish the *-signed packages automatically.

Since we already have this problem anyway, we can add this patch in dak and add
the mechanism to automatically publish the *-signed packages latter in incremental basis as
we advance constructing the *-signed source packages

Changes since last version:
	- Patches based on https://ftp-master.debian.org/git/dak.git master to be easier to review
	- byhand-code-sign-user-exp was deleted, the expect part to enter pin code is embedded in
	bash script byhand-code-sign-user
	- Add default configuration file for yubikey with more docs
	- Also add grub2 and fwupdate in dak.conf AutomaticByHandPackages
	- Call pesign just once in the script (no matter if we have a token or not, with a password or not)

Script used for testing byhand-code-sign-user:
Check each commit message for more information on testing

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf | 43 ++++++++++++
 config/debian-security/dak.conf              | 24 +++++++
 config/debian/byhand-code-sign.conf          | 43 ++++++++++++
 config/debian/dak.conf                       | 21 ++++++
 scripts/debian/byhand-code-sign              | 52 +++++++++++++++
 scripts/debian/byhand-code-sign-user         | 99 ++++++++++++++++++++++++++++
 6 files changed, 282 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user


Reply to: