
[PATCH v4 0/3] Add byhand script to perform code signing for secure boot



Publish the signatures of packages automatically when the package is processed, based on a previous
package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the efi images
and/or linux modules, and a changelog file. When processing the package from the queue, the
byhand-code-sign script is called, reads this .tar.xz package, signs all the efi images or modules inside
it and publishes a tarball with all the signatures at
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz
These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed,
grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: this causes a delay between publishing embargoed updates and publishing *-signed packages that can
be a problem since we avoid leaking the existence of a security flaw before its fix has been released.
The proposed solution for this is to make dak publish the *-signed packages automatically.

Since we already have this problem anyway, we can add this patch in dak and add
the mechanism to automatically publish the *-signed packages later on an incremental basis as
we advance constructing the *-signed source packages.

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing.

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

Changes since v3:
Use hash of changelog file to generate the output tarball name with the signatures

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index f3eceab..40afdc6 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -37,9 +37,25 @@ case "$0" in
 esac
 . "$configdir/vars"
 
-TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
-OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
-OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
+# cleanup the temporary directories on EXIT
+IN_DIR=
+cleanup() {
+	test -z "$IN_DIR" || rm -rf "$IN_DIR"
+}
+trap cleanup EXIT
+
+# Extract the data from stdin into the input directory
+IN_DIR="$(mktemp -td byhand-code-sign-in.XXXXXX)"
+tar xaf "$IN_TARBALL" --directory="$IN_DIR"
+
+# Check if tarball contain the changelog file
+if [ ! -f "$IN_DIR/changelog" ]; then
+	error "Can't find changelog file in $IN_TARBALL"
+fi
+
+
+TARGET="$ftpdir/dists/$suitedir/main/code-sign"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"
 
 # Check that this source/arch/version hasn't already been signed
 if [ -e "$OUT_TARBALL" ]; then
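Review bot: OUT_TARBALL is built from `sha256sum "$IN_DIR/changelog" | head -c 64` with no check on the result, so unless pipefail is set earlier in the script a failing sha256sum still leaves a successful pipeline and the name collapses to "$TARGET/.tar.xz"; capture the digest into a variable first and verify it is 64 hex characters before using it. The `[ ! -f "$IN_DIR/changelog" ]` test follows symlinks and the tarball comes from the uploader, so also reject the case where `-L "$IN_DIR/changelog"` is true. The unchanged comment "Check that this source/arch/version hasn't already been signed" no longer describes the check, since the name now depends only on the changelog contents; update it and state what should happen when two uploads carry an identical changelog.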
diff --git a/scripts/debian/byhand-code-sign-user b/scripts/debian/byhand-code-sign-user
index 91520d6..3477d6c 100755
--- a/scripts/debian/byhand-code-sign-user
+++ b/scripts/debian/byhand-code-sign-user
@@ -52,6 +52,10 @@ tar xJ --directory="$in_dir" <&0
 out_dir="$(mktemp -td byhand-code-sign-out.XXXXXX)"
 
 while read filename; do
+	# Skip changelog
+	if [ "$filename" == changelog ]; then
+		continue
+	fi
 	mkdir -p "$out_dir/${filename%/*}"
 	case "${filename##*/}" in
 	    *.efi | vmlinuz-*)
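Review bot: `[ "$filename" == changelog ]` uses `==`, which POSIX does not define for `[`; use `=` unless the script is guaranteed to run under bash. The test only matches the bare name, so if the list feeding this loop (not visible in this hunk) ever emits `./changelog`, the file falls through to the `case` below; normalize the name or match both forms. The comment could also say why the changelog is skipped (it only keys the output tarball name and is not something to sign).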

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf |  43 +++++++++++
 config/debian-security/dak.conf              |  24 +++++++
 config/debian/byhand-code-sign.conf          |  43 +++++++++++
 config/debian/dak.conf                       |  21 ++++++
 scripts/debian/byhand-code-sign              |  68 ++++++++++++++++++
 scripts/debian/byhand-code-sign-user         | 103 +++++++++++++++++++++++++++
 6 files changed, 302 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4
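
The naming rule from the cover letter (signature tarball named after the sha256 of the changelog, published under code-sign/), as an added example that is not part of the original message or of dak. The function names, the /srv/ftp and stretch values and the sample changelog text are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not dak code. Only the "sha256 of changelog" rule and the
# dists/<suite>/main/code-sign/ layout come from the page; names are hypothetical.

# Print "<sha256>.tar.xz" for a changelog file. Refuses symlinks and
# non-regular files, and checks the digest shape so a failed sha256sum
# can never produce a name like ".tar.xz".
sig_tarball_name() {
	changelog=$1
	[ -f "$changelog" ] && [ ! -L "$changelog" ] || return 1
	digest=$(sha256sum "$changelog") || return 1
	digest=${digest%% *}
	[ "${#digest}" -eq 64 ] || return 1
	case $digest in *[!0-9a-f]*) return 1 ;; esac
	printf '%s.tar.xz\n' "$digest"
}

# Print the full published path: sig_tarball_path <ftpdir> <suitedir> <changelog>
sig_tarball_path() {
	name=$(sig_tarball_name "$3") || return 1
	printf '%s/dists/%s/main/code-sign/%s\n' "$1" "$2" "$name"
}

# Read tar member names on stdin (e.g. from `tar -tf "$tarball"`) and fail
# if any is absolute or contains a ".." component, before extracting.
members_are_safe() {
	while IFS= read -r member; do
		case $member in
			/* | .. | ../* | */.. | */../*) return 1 ;;
		esac
	done
	return 0
}

# Demo on constructed data.
demo_dir=$(mktemp -d)
printf 'linux (0.0-1) unstable; urgency=medium\n' > "$demo_dir/changelog"
sig_tarball_path /srv/ftp stretch "$demo_dir/changelog"
printf 'changelog\n../outside\n' | members_are_safe || echo "unsafe member list rejected"
rm -rf "$demo_dir"
```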

