
Secure-boot - auto publishing signature in Dak (closes #821051) - Overview



Hi,

Could someone please take a look at the patch series https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821051#200 ?

With those patches, Dak will be able to sign EFI images and Linux modules through a YubiKey and publish the signatures, allowing grub2-signed, linux-signed and fwupdate-signed to be built.

In short, the maintainer of the main package uploads a ${package}-code-sign_${version}_${arch}.tar.xz containing a changelog file and all the binaries to be signed, and Dak publishes a $ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64)_${arch}.tar.xz containing all the detached signatures through a byhand script.


Thanks
Helen


------------------------------------------------
Below is an overview of the issues discussed so far:
------------------------------------------------
NOTE: quotes below are from Ben Hutchings

* The first version was bypassing embargoed packages, but the proposed solution was:

"1. Directory listing is disabled for the directory containing
   signature tarballs.
2. In main source package, debian/rules adds debian/changelog to the
   code-sign tarball.
3. Byhand script generates the signature tarball name thus:
       OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog").tar.xz"
4. In signed source package, preparation script takes main source
   package's changelog as input."

* binNMU concerns:

"I suppose binNMUs are not such a problem, they just add some
complication - the preparation script will have to fetch an arbitrary
binary package to get the text of the added changelog entry."

* Avoid the delay between publishing the main package and the *-signed version:

Maintainers of both packages will need to coordinate their uploads; the main process would be something like:

"1. Maintainer uploads main source package
2. Security team accepts it into the embargoed queue
3. Buildds upload unsigned binary packages
4. Security team accepts these into the embargoed queue.
   By-hand script generates and immediately publishes signatures.
5. Maintainer downloads signatures and prepares signed source package
6. Maintainer uploads signed source package
7. Security team accepts it into the embargoed queue
8. Buildds upload signed binary packages
9. Security team accepts these into the embargoed queue
10. Security team publishes both sets of source and binary packages"
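The round trip above (code-sign tarball in, signature tarball named after the changelog hash out, signed package preparation fetching it by that name) as an added, runnable model in Python. This is not Dak's byhand script and not code from the patch series: the YubiKey signing step is replaced by a fixed-key HMAC stand-in so it runs offline, the changelog and binaries are constructed sample data, and the "archive" is a dict. The naming mirrors the mail's `$(sha256sum changelog | head -c 64)`: `sha256sum file` prints the digest followed by two spaces and the file name, so the `head -c 64` keeps only the 64 hex characters, which is exactly `hashlib.sha256(...).hexdigest()` here.

```python
"""Model of the code-sign / signature-tarball round trip.

Added example, not dak code. The signing step is a stand-in (HMAC with a
fixed key in place of a YubiKey-backed detached signature); all inputs are
constructed inline so the script runs offline.
"""
import hashlib
import hmac
import io
import tarfile

ARCH = "amd64"

# Constructed sample input: the changelog that debian/rules of the main
# source package adds to the code-sign tarball, plus two binaries to sign.
CHANGELOG = (
    b"linux (4.19.0-1) unstable; urgency=medium\n\n"
    b"  * New upstream release.\n\n"
    b" -- A. Maintainer <a@example.org>  Mon, 01 Jan 2018 00:00:00 +0000\n"
)
BINARIES = {
    "boot/vmlinuz-4.19.0-1-amd64": b"\x7fELF fake kernel image",
    "lib/modules/4.19.0-1-amd64/kernel/fs/btrfs.ko": b"\x7fELF fake module",
}

# Stand-in for the hardware token: a fixed HMAC key (assumption, not how dak
# signs) so the detached "signature" is deterministic and needs no YubiKey.
STANDIN_KEY = b"not-a-real-signing-key"


def _pack(members):
    """Build a .tar.xz in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, data in sorted(members.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _unpack(blob):
    """Read a .tar.xz from memory into {path: bytes}."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:xz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}


def make_code_sign_tarball(changelog, binaries):
    """What the main package uploads: the changelog plus every binary to sign."""
    return _pack({"changelog": changelog, **binaries})


def signature_tarball_name(changelog, arch):
    """Mirrors $(sha256sum changelog | head -c 64)_${arch}.tar.xz."""
    return hashlib.sha256(changelog).hexdigest() + "_" + arch + ".tar.xz"


def sign_detached(data):
    """Stand-in for the YubiKey-backed detached signature."""
    return hmac.new(STANDIN_KEY, data, hashlib.sha256).digest()


def verify_detached(data, sig):
    """Check a stand-in detached signature against the binary it covers."""
    return hmac.compare_digest(sign_detached(data), sig)


def byhand_process(code_sign_tarball, arch):
    """The byhand side: sign each binary, return (published name, sig tarball).

    The name depends only on the changelog, so with directory listing disabled
    nobody can find the signatures of an embargoed upload without having the
    changelog of that exact upload.
    """
    members = _unpack(code_sign_tarball)
    changelog = members.pop("changelog")
    sigs = {path + ".sig": sign_detached(data) for path, data in members.items()}
    return signature_tarball_name(changelog, arch), _pack(sigs)


def prepare_signed_package(changelog, arch, published):
    """The *-signed package's preparation script: recompute the name from the
    main package's changelog and fetch the signatures, or None if absent."""
    name = signature_tarball_name(changelog, arch)
    if name not in published:
        return None
    return _unpack(published[name])


if __name__ == "__main__":
    name, blob = byhand_process(make_code_sign_tarball(CHANGELOG, BINARIES), ARCH)
    sigs = prepare_signed_package(CHANGELOG, ARCH, {name: blob})
    for path, data in BINARIES.items():
        print(path, "ok" if verify_detached(data, sigs[path + ".sig"]) else "BAD")
```

The last check in the demo is the one that matters for the embargo discussion: a changelog that differs by a single byte (for example an older revision, or a binNMU entry the preparation script failed to fetch) hashes to a different name, and `prepare_signed_package` finds nothing rather than a stale signature set.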

