
[PATCH v5 0/3] Add byhand script to perform code signing for secure boot



Publish the signatures of packages automatically when the package is processed, based on a previous
package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the efi images
and/or linux modules, and a changelog file. When processing the package from the queue, the
byhand-code-sign script is called; it reads this .tar.xz package, signs all the efi images or modules inside
it and publishes a tarball with all the signatures at
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz
These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed,
grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: The maintainers of the main package and the -signed package will have to coordinate their
uploads to reduce the propagation delay of a security fix being incorporated in the -signed package.

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

Changes since v4:
	Append _$ARCH at the end of the tar.xz file name
	Remove extra new line

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index 40afdc6..86abd6e 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -53,9 +53,8 @@ if [ ! -f "$IN_DIR/changelog" ]; then
 	error "Can't find changelog file in $IN_TARBALL"
 fi
 
-
 TARGET="$ftpdir/dists/$suitedir/main/code-sign"
-OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz"
 
 # Check that this source/arch/version hasn't already been signed
 if [ -e "$OUT_TARBALL" ]; then
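Review bot: the new OUT_TARBALL line uses "$ARCH" as a path component, but nothing in this hunk shows it being checked before use; if it is unset or empty the script silently publishes "<hash>_.tar.xz", and the "-e" check below then keys on that name for every architecture. Add a guard before building the path, e.g. `[ -n "$ARCH" ] || error "ARCH is not set"`, and consider restricting it to the characters a Debian architecture name can contain, since the value ends up under "$ftpdir/dists/$suitedir/main/code-sign". Also, the comment says the check covers "source/arch/version", but the name is derived only from sha256 of the changelog plus "$ARCH": two uploads with identical changelog content but different efi images or modules would collide on the same OUT_TARBALL and the second would be rejected by the existence check rather than signed; worth stating in the comment so maintainers know the changelog must change for every re-upload.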

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf |  43 +++++++++++
 config/debian-security/dak.conf              |  24 +++++++
 config/debian/byhand-code-sign.conf          |  43 +++++++++++
 config/debian/dak.conf                       |  21 ++++++
 scripts/debian/byhand-code-sign              |  67 +++++++++++++++++
 scripts/debian/byhand-code-sign-user         | 103 +++++++++++++++++++++++++++
 6 files changed, 301 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4

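The cover letter gives the formula for where the signature tarball lands (sha256 of the changelog, then "_$ARCH.tar.xz" under dists/$suitedir/main/code-sign). The following is an added example, not code from the dak patch series, that a maintainer of a *-signed package could use to reproduce that name from their own -code-sign input directory and to detect the "already signed" condition the byhand script checks for. The function names, the argument order, the use of a plain directory instead of the .tar.xz and the assumption that the only required input file is "changelog" are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the dak patches): compute the path under which
# byhand-code-sign publishes the signature tarball for a prepared input.
#
# Assumed layout of the maintainer's input (the patch only requires the
# changelog file to exist; everything else is signed as-is):
#   $in_dir/changelog
#   $in_dir/<efi images and/or linux modules>
#
# Published name, as in the cover letter:
#   $ftpdir/dists/$suite/main/code-sign/<sha256(changelog)>_$arch.tar.xz
set -u

# Hash the changelog exactly as the script does: sha256sum prints
# "<hex>  <path>", and head -c 64 keeps only the 64 hex characters.
changelog_hash() {
    sha256sum "$1" | head -c 64
}

# signature_tarball_path FTPDIR SUITE ARCH IN_DIR
# Print the full path of the signature tarball for this input directory.
# Fails (exit 1) when the changelog is missing or ARCH is empty, which
# mirrors the checks a robust byhand script should perform before using
# them as path components.
signature_tarball_path() {
    st_ftpdir=$1 st_suite=$2 st_arch=$3 st_in_dir=$4
    if [ ! -f "$st_in_dir/changelog" ]; then
        echo "signature_tarball_path: no changelog in $st_in_dir" >&2
        return 1
    fi
    if [ -z "$st_arch" ]; then
        echo "signature_tarball_path: ARCH is empty" >&2
        return 1
    fi
    printf '%s/dists/%s/main/code-sign/%s_%s.tar.xz\n' \
        "$st_ftpdir" "$st_suite" \
        "$(changelog_hash "$st_in_dir/changelog")" "$st_arch"
}

# already_signed FTPDIR SUITE ARCH IN_DIR
# Exit 0 when the signature tarball for this changelog/arch is already
# published (the condition byhand-code-sign rejects as a duplicate),
# 1 otherwise. A missing changelog also yields 1.
already_signed() {
    as_path=$(signature_tarball_path "$@" 2>/dev/null) || return 1
    [ -e "$as_path" ]
}
```

Because only the changelog content and the architecture go into the name, re-uploading a -code-sign tarball with new efi images but an unchanged changelog produces the same path and will be refused as already signed; bump the changelog for every re-upload.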
