
Bug#821051: [PATCH v3] Add byhand script to perform code signing for secure boot



Publish the signatures of packages automatically when the package is processed, based on a previous
package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the efi images
and/or linux modules. When processing the package from the queue, the byhand-code-sign script
is called, reads this .tar.xz package, signs all the efi or modules inside it and publishes another
${package}-code-sign_${version}_${arch}_sigs.tar.xz at $ftpdir/dists/$suitedir/main/code-sign/ .
These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed,
grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: this causes a delay between publishing embargoed updates and publishing *-signed packages that can
be a problem since we avoid leaking the existence of a security flaw before its fix has been released.
The proposed solution for this is to make dak publish the *-signed packages automatically.

Since we already have this problem anyway, we can add this patch in dak and add
the mechanism to automatically publish the *-signed packages later on an incremental basis as
we advance constructing the *-signed source packages.

Changes since last version:
	- Patches based on https://ftp-master.debian.org/git/dak.git master to be easier to review
	- byhand-code-sign-user-exp was deleted, the expect part to enter pin code is embedded in
	bash script byhand-code-sign-user
	- Add default configuration file for yubikey with more docs
	- Also add grub2 and fwupdate in dak.conf AutomaticByHandPackages
	- Call pesign just once in the script (no matter if we have a token or not, with a password or not)

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf | 43 ++++++++++++
 config/debian-security/dak.conf              | 24 +++++++
 config/debian/byhand-code-sign.conf          | 43 ++++++++++++
 config/debian/dak.conf                       | 21 ++++++
 scripts/debian/byhand-code-sign              | 52 +++++++++++++++
 scripts/debian/byhand-code-sign-user         | 99 ++++++++++++++++++++++++++++
 6 files changed, 282 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4
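
The naming convention described in the message above, as an added example that is not part of the original patch series or of dak: a POSIX shell function that treats the uploaded byhand file name as untrusted input, parses it, and derives the path of the published signature tarball. The function name `sigs_path`, the `ALLOWED_PACKAGES` list, the character classes and the `/srv/ftp` sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not dak code). ALLOWED_PACKAGES is an assumed allowlist;
# the real list lives in dak.conf (AutomaticByHandPackages).
ALLOWED_PACKAGES="linux grub2 fwupdate"

# Usage: sigs_path FILENAME FTPDIR SUITEDIR
# FILENAME comes from the upload and is untrusted; FTPDIR and SUITEDIR are
# assumed to come from trusted archive configuration.
# Prints the signature tarball path and returns 0, or returns 1 on rejection.
sigs_path() {
    file=$1 ftpdir=$2 suitedir=$3

    # Bare file name only, and it must have the overall expected shape.
    case $file in
        */*) return 1 ;;
        *-code-sign_*_*.tar.xz) ;;
        *) return 1 ;;
    esac

    base=${file%.tar.xz}
    arch=${base##*_}          # text after the last underscore
    rest=${base%_*}
    version=${rest##*_}       # text between the last two underscores
    pkgpart=${rest%_*}
    package=${pkgpart%-code-sign}
    [ "$package" != "$pkgpart" ] || return 1   # "-code-sign" suffix required

    # Restrict each field to a conservative character set. A stray "_" or
    # "/" in any field fails here, so the split above cannot be ambiguous.
    case $package in ''|*[!a-z0-9+.-]*) return 1 ;; esac
    case $version in ''|*[!A-Za-z0-9.+~-]*) return 1 ;; esac
    case $arch in ''|*[!a-z0-9-]*) return 1 ;; esac

    # Only sign for packages that are explicitly allowed.
    case " $ALLOWED_PACKAGES " in *" $package "*) ;; *) return 1 ;; esac

    printf '%s/dists/%s/main/code-sign/%s-code-sign_%s_%s_sigs.tar.xz\n' \
        "$ftpdir" "$suitedir" "$package" "$version" "$arch"
}

# Constructed sample names: one valid, one with a directory component,
# one for a package outside the allowlist.
for f in "linux-code-sign_4.9.2-1_amd64.tar.xz" \
         "../grub2-code-sign_2.02_amd64.tar.xz" \
         "shim-code-sign_1_amd64.tar.xz"; do
    sigs_path "$f" /srv/ftp unstable || echo "rejected: $f"
done
```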

