
Re: [PATCH v4 0/3] Add byhand script to perform code signing for secure boot
On Wed, 2016-11-30 at 23:12 -0200, Helen Koike wrote:
> Publish the signature of packages automatically when the package is processed, based on a previous
> package prepared by the maintainer with all the EFI images and Linux modules.
> 
> The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the EFI images
> and/or Linux modules, and a changelog file. When processing the package from the queue, the
> byhand-code-sign script is called, reads this .tar.xz package, signs all the EFI images or modules inside
> it and publishes a tarball with all the signatures at
> $ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz
> These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed,
> grub2-signed, fwupdate-signed) to construct the *-signed versions.

I missed a bit here.  The output tarball filename needs to include the
architecture name as well as the changelog hash.

> NOTE: this causes a delay between publishing embargoed updates and publishing *-signed packages, which can
> be a problem since we avoid leaking the existence of a security flaw before its fix has been released.
> The proposed solution for this is to make dak publish the *-signed packages automatically.
[...]

I don't follow this.  I've been assuming that the process would be
something like:

1. Maintainer uploads main source package
2. Security team accepts it into the embargoed queue
3. Buildds upload unsigned binary packages
4. Security team accepts these into the embargoed queue.
   By-hand script generates and immediately publishes signatures.
5. Maintainer downloads signatures and prepares signed source package
6. Maintainer uploads signed source package
7. Security team accepts it into the embargoed queue
8. Buildds upload signed binary packages
9. Security team accepts these into the embargoed queue
10. Security team publishes both sets of source and binary packages

Is that not correct/possible?

Ben.

-- 
Ben Hutchings
A free society is one where it is safe to be unpopular. - Adlai
Stevenson
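The following is an added illustration, not the byhand-code-sign script from the patch series and not dak code. It shows the two checks a signing-side script in the flow described above would want before touching a signing key: that the input tarball name follows the ${package}-code-sign_${version}_${arch} convention quoted from the cover letter, and that the unpacked directory holds a changelog plus only EFI images or kernel modules. It then derives the output path in the layout from the cover letter with the architecture added as Ben asks for; the exact form `${hash}_${arch}.tar.xz` is an assumption, as is using plain tar instead of .tar.xz so the demo runs anywhere. All sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not dak's byhand-code-sign. Assumptions are marked below.

# Parse package, version and arch out of a code-sign tarball filename.
# Echoes "package version arch"; returns 1 if the name does not follow
# the ${package}-code-sign_${version}_${arch}.tar.xz convention.
parse_code_sign_name() {
    base=$(basename "$1")
    base=${base%.tar.xz}
    base=${base%.tar}
    pkg=${base%%-code-sign_*}
    rest=${base#*-code-sign_}
    [ "$pkg" != "$base" ] && [ "$rest" != "$base" ] || return 1
    ver=${rest%_*}
    arch=${rest##*_}
    [ -n "$pkg" ] && [ -n "$ver" ] && [ -n "$arch" ] && [ "$ver" != "$rest" ] || return 1
    echo "$pkg $ver $arch"
}

# Reject an unpacked input directory unless it has a changelog and,
# apart from that, contains only EFI images (*.efi) or modules (*.ko).
# Anything else (scripts, stray binaries) must not reach the signer.
check_code_sign_dir() {
    dir=$1
    [ -f "$dir/changelog" ] || return 1
    find "$dir" ! -type d ! -path "$dir/changelog" | while read -r f; do
        case "$f" in
            *.efi|*.ko) ;;
            *) echo "unexpected file in code-sign input: $f" >&2; exit 1 ;;
        esac
    done
}

# Output path for the signature tarball: the cover letter's layout
# (changelog sha256 under dists/<suite>/main/code-sign/) with the
# architecture appended. The "${hash}_${arch}" form is an assumption.
signature_output_path() {
    ftpdir=$1; suitedir=$2; arch=$3; changelog=$4
    hash=$(sha256sum "$changelog" | head -c 64)
    echo "$ftpdir/dists/$suitedir/main/code-sign/${hash}_${arch}.tar.xz"
}

# Stand-alone demo on a constructed input: builds a fake code-sign
# tarball (plain tar, assumption), validates it and prints the output path.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/in"
    printf 'linux (4.8.7-1) unstable; urgency=medium\n' > "$tmp/in/changelog"
    : > "$tmp/in/vmlinuz-4.8.0-1-amd64.efi"
    tar -cf "$tmp/linux-code-sign_4.8.7-1_amd64.tar" -C "$tmp/in" .
    set -- $(parse_code_sign_name "$tmp/linux-code-sign_4.8.7-1_amd64.tar") || return 1
    mkdir "$tmp/work"
    tar -xf "$tmp/linux-code-sign_4.8.7-1_amd64.tar" -C "$tmp/work"
    check_code_sign_dir "$tmp/work" || return 1
    signature_output_path /srv/ftp sid "$3" "$tmp/work/changelog"
    rm -rf "$tmp"
}

demo
```

The directory check runs before any signing step so that a malformed or tampered input is refused rather than signed; a real script would also want to refuse symlinks and nested paths, which `find` here only partly covers.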
