Re: Bug#821051: [PATCH v2] byhand-code-sign: sign using another user
On Thu, Oct 6, 2016 at 18:27:33 -0300, Helen Koike wrote:
> Thanks Jakub for your review.
> I modified the script to read the .tar.xz from stdin and output the -sign.tar.xz to stdout.
> It is also available here: https://github.com/helen-fornazier/dak
>
> Changes since last version:
> - add quotes around variables
> - remove unnecessary chmod 700
> - receive tar.xz from stdin in byhand-code-sign-user script
> - generate the -sign.tar.xz to stdout in byhand-code-sign-user script
>
> I would appreciate if someone could review this version
I wonder if maybe this would be more readable as a patch (or a series)
against the main dak repo, rather than incremental against Ben's
preliminary patches, since a lot of this is moving around code that was
just added in a previous patch.
> Thank you
>
> Helen
>
>
> scripts/debian/byhand-code-sign | 104 +-----------------------
> scripts/debian/byhand-code-sign-user | 135 +++++++++++++++++++++++++++++++
> scripts/debian/byhand-code-sign-user-exp | 17 ++++
> 3 files changed, 154 insertions(+), 102 deletions(-)
> create mode 100755 scripts/debian/byhand-code-sign-user
> create mode 100755 scripts/debian/byhand-code-sign-user-exp
>
> diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
> index fbd6855..18bd09e 100755
> --- a/scripts/debian/byhand-code-sign
> +++ b/scripts/debian/byhand-code-sign
[...]
> +sudo -u codesign "${0%/*}/byhand-code-sign-user" "$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL"
I'm not sure we want the script called with sudo (and its config) to
live in dak. Or if it does, I guess it should be named dak-codesign or
something, to make it clear it's part of dak and strictly less
privileged, like dak-unpriv is today.
Cheers,
Julien
Reply to: