[PATCH] dak: byhand-code sign with dsigning-box

To: Ben Hutchings <ben@decadent.org.uk>, Joerg Jaspert <joerg@debian.org>
Cc: Julien Cristau <jcristau@debian.org>, Jakub Wilk <jwilk@debian.org>, 821051@bugs.debian.org, niels@thykier.net, Steve McIntyre <steve@einval.com>, debian-dak@lists.debian.org
Subject: [PATCH] dak: byhand-code sign with dsigning-box
From: Helen Koike <helen.koike@collabora.co.uk>
Date: Sat, 28 Jan 2017 17:51:56 -0300
Message-id: <[🔎] 1025dac6-cc59-1161-4ae8-29133754820c@collabora.co.uk>
In-reply-to: <[🔎] 4b20f187-d11f-49bb-43da-0a8d99bc3d03@collabora.co.uk>
References: <1475789253-4597-1-git-send-email-helen.koike@collabora.com> <cover.1479261618.git.helen.koike@collabora.com> <c351cba2a6b2712b05fb5eecc32d44858b72e635.1479261618.git.helen.koike@collabora.com> <1479641248.16599.34.camel@decadent.org.uk> <2929db43-e876-55a1-21bb-4a9c53ce1535@collabora.co.uk> <1480437307.16599.65.camel@decadent.org.uk> <87a8c1yp8y.fsf@delenn.ganneff.de> <1481577100.2742.30.camel@decadent.org.uk> <87bmwgyh62.fsf@delenn.ganneff.de> <1481580327.2742.34.camel@decadent.org.uk> <87vauowzbe.fsf@delenn.ganneff.de> <[🔎] 4b20f187-d11f-49bb-43da-0a8d99bc3d03@collabora.co.uk>

Hi,

Sorry for the delay to send this.

I prepared a simple packaged named dsigning-box that should be installedin the same machine that have access to the tokens:https://github.com/helen-fornazier/dsigning-boxFor now it only contain a script to sign efi and kernel modules from atarball, it is almost the same script in the previous patch(byhand-code-sign-user), I just changed where it gets the tarball andwhere it places the signatures (which can be changed by a configurationfile).As before, I tested with and without a yubikey using this script:https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

Please review.

I also made dak patches to integrate with dsigning-box in a remotemachine: https://github.com/helen-fornazier/dak/commits/reviewThis patches add a script called byhand-code-sign which will send(rsync) the tarball with the images to be signed to the machine that hasdsigning-box installed. This script execute a command by ssh indsigning-box to sign the images. As we don't have a dedicated machineyet to install dsigning-box the signatures will be copied to anothermachine (coccia.debian.org?) that can be changed in the configurationfile (this is temporary as the signatures should stay in the signing box).


Please review all this and let me know if I should alter anything.

Let me know if you prefer that I send email patches to be easier to review.

Helen

Reply to:

References:
- Re: Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
  - From: Helen Koike <helen.koike@collabora.co.uk>

Prev by Date: Transmaquina - Búsqueda de Proveedor Grúas Telescópicas y Maquinaria
Previous by thread: Re: Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
Next by thread: [dak/master] Also sync priority for source packages
Index(es):
- Date
- Thread