[PATCH v5 0/3] Add byhand script to perform code signing for secure boot
Publish the signatures of packages automatically when the package is processed, based on a previous
package prepared by the maintainer with all the efi images and linux modules.
The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the efi images
and/or linux modules, and a changelog file. When processing the package from the queue, the
byhand-code-sign script is called; it reads this .tar.xz package, signs all the efi images or modules inside
it and publishes a tarball with all the signatures at
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz
These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed,
grub2-signed, fwupdate-signed) to construct the *-signed versions.
NOTE: The maintainers of the main package and the -signed package will have to coordinate their
uploads to reduce the propagation delay of a security fix to be incorporated in the -signed package.
Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing
Patches are also available here: https://github.com/helen-fornazier/dak/tree/review
Changes since v4:
Append _$ARCH at the end of the tar.xz file name
Remove extra newline
diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index 40afdc6..86abd6e 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -53,9 +53,8 @@ if [ ! -f "$IN_DIR/changelog" ]; then
error "Can't find changelog file in $IN_TARBALL"
fi
-
TARGET="$ftpdir/dists/$suitedir/main/code-sign"
-OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz"
# Check that this source/arch/version hasn't already been signed
if [ -e "$OUT_TARBALL" ]; then
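Review bot: the new OUT_TARBALL line introduces `$ARCH` into the published file name, but nothing in this hunk shows where ARCH is set or checked; if it is empty the output becomes `<hash>_.tar.xz` and the `if [ -e "$OUT_TARBALL" ]` duplicate check right below stops distinguishing architectures. Suggest guarding before the assignment, using the script's existing helper, e.g. `[ -n "$ARCH" ] || error "ARCH is not set for $IN_TARBALL"`, and stating in the commit message where ARCH comes from.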
Helen Koike (3):
byhand-code-sign-user: signing script for efi images and linux modules
byhand-code-sign: intermediate script for code sign
dak.conf: add packages that trigger byhand-code-sign
config/debian-security/byhand-code-sign.conf | 43 +++++++++++
config/debian-security/dak.conf | 24 +++++++
config/debian/byhand-code-sign.conf | 43 +++++++++++
config/debian/dak.conf | 21 ++++++
scripts/debian/byhand-code-sign | 67 +++++++++++++++++
scripts/debian/byhand-code-sign-user | 103 +++++++++++++++++++++++++++
6 files changed, 301 insertions(+)
create mode 100644 config/debian-security/byhand-code-sign.conf
create mode 100644 config/debian/byhand-code-sign.conf
create mode 100755 scripts/debian/byhand-code-sign
create mode 100755 scripts/debian/byhand-code-sign-user
--
2.7.4