
Re: Bug#821051: [PATCH 1/3] Add byhand script to perform code signing
Hi,

a couple more things I noticed while looking at this again:

On Thu, Jun 30, 2016 at 21:31:06 +0100, Ben Hutchings wrote:

> +# Read dak configuration for security or main archive
> +case "$SUITE" in
> +    *-security)
> +	configdir="/srv/security-master.debian.org/dak/config/debian-security"
> +	;;
> +    *)
> +	configdir="/srv/ftp-master.debian.org/dak/config/debian"
> +	;;
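Review bot: the `*)` fallback at the end of this case means any suite name that does not end in `-security` silently gets the ftp-master configuration, so an unexpected or misnamed `$SUITE` sources the wrong `vars` and the script carries on against the wrong archive without any error. Consider matching only the suite names each host actually serves and calling `error` from the default branch, so an unrecognised suite aborts instead of falling through.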

This isn't going to work; as far as I can tell, $SUITE on security-master
is going to be "stable" or "oldstable" (or "oldoldstable" for LTS).

> +esac
> +. "$configdir/vars"
> +
> +# Read and trivially validate our configuration
> +. "$configdir/byhand-code-sign.conf"
> +for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \
> +	   LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do
> +	test -v $var || error "$var is not defined in configuration"
> +	test -n "${!var}" || error "$var is empty in configuration"
> +done
> +
> +TARGET="$ftpdir/dists/$SUITE/main/code-sign/"
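Review bot: the validation loop only checks that each variable is set and non-empty; since `EFI_BINARY_PRIVKEY`, `EFI_BINARY_CERT` and the `LINUX_*` entries are file paths, adding `test -r "${!var}" || error "$var is not readable"` inside the same loop would catch a missing or unreadable key or certificate at startup rather than partway through a signing run. Two smaller points: `test -v` needs bash 4.2 or later, which is worth stating at the top of the script, and `TARGET` is derived from `$SUITE` with no check that the directory exists before anything is written under it.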

Likewise, I think this won't work for security due to
Dinstall::SuiteSuffix being set (so the path there is actually
$ftpdir/dists/$suite/updates/main/...).

I think we'll also end up changing how pesign and sign-file are called,
to go through sudo to a different user, so that dak doesn't have access
to the usb device or pcscd socket directly, to avoid conflicts between
code signing and gpg (archive) signing, so we can move the latter to a
HSM as well.  Something like "sudo -u codesign sign-efi foo.efi >
foo.efi.sig" and "sudo -u codesign sign-kmod foo.ko > foo.ko.sig" (user
and script names still open to bikeshedding).

Cheers,
Julien
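As an added example (not code from the patch or from dak) of the sudo hand-off described above, the wrapper below shows the kind of checks a `sign-efi` or `sign-kmod` script run as the codesign user should make on the file name the dak user passes in, before any key material is touched. The wrapper name, the `SIGN_INPUT_DIR` and `SIGN_CMD` variables and the sudoers line in the comment are assumptions, not part of the proposal.

```shell
# Assumed sudoers rule: the dak user may run exactly these two wrappers as
# the signing user and nothing else.
#   dak ALL=(codesign) NOPASSWD: /usr/local/bin/sign-efi, /usr/local/bin/sign-kmod

# Directory the dak side stages files in (assumed); the wrapper refuses
# anything outside it.
: "${SIGN_INPUT_DIR:=/srv/codesign/input}"
# Command that writes the detached signature to stdout (assumed; on a real
# host this would wrap pesign or sign-file with the codesign user's keys).
: "${SIGN_CMD:=false}"

# sign_wrapper SUFFIX FILE
# Prints the signature on stdout and returns 0 when FILE is acceptable,
# otherwise prints a reason on stderr and returns 1.
sign_wrapper() {
    [ $# -eq 2 ] || { echo "usage: sign_wrapper SUFFIX FILE" >&2; return 1; }
    suffix=$1; file=$2
    # Plain basename of safe characters only: no directory parts, no empty
    # name, no leading dash that a signer could read as an option.
    case "$file" in
        ''|*/*|-*|*[!A-Za-z0-9._+-]*)
            echo "rejected: bad file name '$file'" >&2; return 1 ;;
    esac
    # Each wrapper signs one kind of object; enforce the expected suffix.
    case "$file" in
        *"$suffix") ;;
        *) echo "rejected: '$file' does not end in $suffix" >&2; return 1 ;;
    esac
    path="$SIGN_INPUT_DIR/$file"
    # Regular file only; a symlink could point at something outside the
    # staging directory.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "rejected: '$path' is not a regular file" >&2; return 1
    fi
    # Copy into a private directory owned by the signing user before signing,
    # so the caller cannot swap the file between the checks and the signer.
    tmp=$(mktemp -d) || return 1
    cp "$path" "$tmp/in" || { rm -rf "$tmp"; return 1; }
    "$SIGN_CMD" "$tmp/in"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```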
