
[PATCH] dak: byhand-code sign with dsigning-box


Sorry for the delay in sending this.

I prepared a simple package named dsigning-box that should be installed on the same machine that has access to the tokens:
https://github.com/helen-fornazier/dsigning-box

For now it only contains a script to sign EFI and kernel modules from a tarball. It is almost the same script as in the previous patch (byhand-code-sign-user); I just changed where it gets the tarball and where it places the signatures (which can be changed by a configuration file). As before, I tested with and without a YubiKey using this script:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

Please review.

I also made dak patches to integrate with dsigning-box on a remote machine:
https://github.com/helen-fornazier/dak/commits/review

These patches add a script called byhand-code-sign which will send (rsync) the tarball with the images to be signed to the machine that has dsigning-box installed. This script executes a command by ssh in dsigning-box to sign the images. As we don't have a dedicated machine yet to install dsigning-box, the signatures will be copied to another machine (coccia.debian.org?) that can be changed in the configuration file (this is temporary, as the signatures should stay in the signing box).

Please review all this and let me know if I should alter anything.

Let me know if you prefer that I send email patches to be easier to review.

