
Re: Bug#821051: [PATCH 1/3] Add byhand script to perform code signing



On Thu, 2016-08-25 at 20:13 +0200, Julien Cristau wrote:
> Hi,
> 
> a couple more things I noticed while looking at this again:
> 
> On Thu, Jun 30, 2016 at 21:31:06 +0100, Ben Hutchings wrote:
> 
> > 
> > +# Read dak configuration for security or main archive
> > +case "$SUITE" in
> > +    *-security)
> > > > +	configdir="/srv/security-master.debian.org/dak/config/debian-security"
> > > > +	;;
> > +    *)
> > > > +	configdir="/srv/ftp-master.debian.org/dak/config/debian"
> > > > +	;;
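Review bot: The `*)` default of this `case` silently selects the ftp-master configuration for any suite name that does not end in `-security`, so a suite that is misnamed, renamed, or simply lacks the suffix would be processed with the main archive's configuration without any error. A fail-closed default, e.g. `*) error "cannot tell which archive suite $SUITE belongs to" ;;`, would turn that misclassification into a visible failure instead of a signature tarball in the wrong place.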
> 
> This isn't going to work, as far as I can tell $SUITE on security-master
> is going to be "stable" or "oldstable" (or "oldoldstable" for LTS).

Patch attached.

> > 
> > +esac
> > +. "$configdir/vars"
> > +
> > +# Read and trivially validate our configuration
> > +. "$configdir/byhand-code-sign.conf"
> > +for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \
> > > > +	   LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do
> > > > +	test -v $var || error "$var is not defined in configuration"
> > > > +	test -n "${!var}" || error "$var is empty in configuration"
> > +done
> > +
> > +TARGET="$ftpdir/dists/$SUITE/main/code-sign/"
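Review bot: `test -v` and the `${!var}` indirect expansion in the validation loop are bash-only (`test -v` needs bash 4.2 or later), so the interpreter line must be bash rather than `/bin/sh`. The loop also only checks that each variable is set and non-empty, not that the path-valued ones (`EFI_BINARY_PRIVKEY`, `EFI_BINARY_CERT`, `LINUX_SIGNFILE`, `LINUX_MODULE_PRIVKEY`, `LINUX_MODULE_CERT`) name readable files, so a typo in a path only surfaces when pesign or sign-file fails later; a third line such as `test -r "${!var}" || error "$var: ${!var} is not readable"` would catch that up front. `$ftpdir`, used in `TARGET`, presumably comes from the sourced `$configdir/vars` and is not covered by the loop either.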
> 
> Likewise, I think this won't work for security due to
> Dinstall::SuiteSuffix being set (so the path there is actually
> $ftpdir/dists/$suite/updates/main/...).

I don't see where that setting comes from so I'll hard-code that suffix
for now.  Patch attached.

> I think we'll also end up changing how pesign and sign-file are called,
> to go through sudo to a different user, so that dak doesn't have access
> to the usb device or pcscd socket directly, to avoid conflicts between
> code signing and gpg (archive) signing, so we can move the latter to a
> HSM as well.  Something like "sudo -u codesign sign-efi foo.efi >
> foo.efi.sig" and "sudo -u codesign sign-kmod foo.ko > foo.ko.sig" (user
> and script names still open to bikeshedding).

Right.  Have you tried to implement that yet?

Ben.

-- 
Ben Hutchings
I say we take off; nuke the site from orbit.  It's the only way to be
sure.
From c456733300ba69b95975602d9fa31a75f56d0a9a Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 29 Aug 2016 15:07:11 +0100
Subject: [PATCH 1/2] byhand-code-sign: Use script path, not suite name, to
 find the config directory

At this point the suite name for a security upload no longer has the
'-security' suffix.
---
 scripts/debian/byhand-code-sign | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index 8038813ed83c..60927014b485 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -23,13 +23,16 @@ error() {
 export OPENSSL_CONF=/dev/null
 
 # Read dak configuration for security or main archive
-case "$SUITE" in
-    *-security)
+case "$0" in
+    /srv/security-master.debian.org/*)
 	configdir="/srv/security-master.debian.org/dak/config/debian-security"
 	;;
-    *)
+    /srv/ftp-master.debian.org/*)
 	configdir="/srv/ftp-master.debian.org/dak/config/debian"
 	;;
+    *)
+	error "$0: Can't tell if security or not"
+	;;
 esac
 . "$configdir/vars"
 
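Review bot: Matching on `$0` only works when the script is invoked by its absolute installed path; if dak ever runs it through a relative path, a symlink outside `/srv`, or as `bash byhand-code-sign`, `$0` will not start with `/srv/...` and the new `*)` branch will abort every upload. Resolving the path first, e.g. `case "$(readlink -f "$0")" in`, makes the check independent of how the script is invoked. The fail-closed `error` default itself is the right choice and a clear improvement over the old silent fallback to the ftp-master configuration.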
From c8e2adf8ea11446186d8fad24505ecef15719495 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Mon, 29 Aug 2016 15:10:18 +0100
Subject: [PATCH 2/2] byhand-code-sign: Put signature tarballs for security
 uploads in .../updates

This is consistent with the Release and Packages files.
---
 scripts/debian/byhand-code-sign | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index 60927014b485..fbd6855d76de 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -22,13 +22,16 @@ error() {
 
 export OPENSSL_CONF=/dev/null
 
-# Read dak configuration for security or main archive
+# Read dak configuration for security or main archive.
+# Also determine subdirectory for the suite.
 case "$0" in
     /srv/security-master.debian.org/*)
 	configdir="/srv/security-master.debian.org/dak/config/debian-security"
+	suitedir="$SUITE/updates"
 	;;
     /srv/ftp-master.debian.org/*)
 	configdir="/srv/ftp-master.debian.org/dak/config/debian"
+	suitedir="$SUITE"
 	;;
     *)
 	error "$0: Can't tell if security or not"
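Review bot: Hard-coding `updates` here duplicates the `Dinstall::SuiteSuffix` setting mentioned in the thread, so the two can drift apart; if the suffix is exposed by the sourced dak configuration it would be better read from there, and otherwise a comment pointing at `Dinstall::SuiteSuffix` would help the next person to touch this. Also, `suitedir` is only assigned in the two matched branches, and the `*)` branch relies on `error` terminating the script; if `error` ever returns, `suitedir` stays unset and `TARGET` later expands to `$ftpdir/dists//main/code-sign/`. A `set -u` near the top of the script, or `: "${suitedir:?}"` before `TARGET` is composed, would turn that into a hard failure.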
@@ -44,7 +47,7 @@ for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \
 	test -n "${!var}" || error "$var is empty in configuration"
 done
 
-TARGET="$ftpdir/dists/$SUITE/main/code-sign/"
+TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
 OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
 OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
 
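Review bot: `TARGET` keeps its trailing slash and is then joined with `/${IN_TARBALL##*/}`, so `OUT_TARBALL` contains a double slash; harmless on Linux but worth trimming. More importantly, whatever creates `$TARGET` (not visible in this hunk) must also cope with the new `dists/$SUITE/updates/main/code-sign/` location on security-master, where a `code-sign` directory may not exist yet; please confirm that part of the script does `mkdir -p` or equivalent rather than assuming the directory is present.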

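The two problems discussed in the thread (choosing the dak configuration from something other than the suite name, and placing security uploads under `.../updates`) come down to a small amount of shell logic that is easy to get wrong silently. The following is an added example, not code from the dak patches above: it restates that selection and the configuration validation as bash functions that fail closed, resolve the script path with `readlink -f` before matching it, and additionally check that path-valued configuration variables name readable files. The `/srv/...` prefixes and the `updates` suffix are taken from the thread; the function names and all sample inputs are constructed for this example.

```shell
#!/bin/bash
# Added example, not part of the dak byhand-code-sign script: archive/suite
# selection and configuration validation as testable functions.
# Assumptions: the /srv/... prefixes and the "updates" suffix from the
# thread; function names and sample inputs are constructed.

# Map the *resolved* script path to the dak config directory and the
# dists/ subdirectory for the suite.  Anything else is an error rather
# than a silent fallback to the main archive.
# Usage: select_archive <resolved-script-path> <suite>
# Prints "<configdir> <suitedir>" on success, returns 1 otherwise.
select_archive() {
    local script="$1" suite="$2"
    case "$script" in
        /srv/security-master.debian.org/*)
            printf '%s %s\n' \
                "/srv/security-master.debian.org/dak/config/debian-security" \
                "$suite/updates"
            ;;
        /srv/ftp-master.debian.org/*)
            printf '%s %s\n' \
                "/srv/ftp-master.debian.org/dak/config/debian" \
                "$suite"
            ;;
        *)
            printf '%s: cannot tell if security or not\n' "$script" >&2
            return 1
            ;;
    esac
}

# Check that each named configuration variable is set, non-empty and
# names a readable file (keys, certificates, the sign-file helper).
# Usage: validate_config VAR...   (variables are read from this shell)
validate_config() {
    local var
    for var in "$@"; do
        test -v "$var" \
            || { printf '%s is not defined in configuration\n' "$var" >&2; return 1; }
        test -n "${!var}" \
            || { printf '%s is empty in configuration\n' "$var" >&2; return 1; }
        test -r "${!var}" \
            || { printf '%s: %s is not readable\n' "$var" "${!var}" >&2; return 1; }
    done
}

# Compose the destination directory for the signature tarballs.  Refuses an
# empty suitedir so a missing case branch cannot produce "dists//main".
# Usage: target_dir <ftpdir> <suitedir>
target_dir() {
    local ftpdir="$1" suitedir="$2"
    if [ -z "$suitedir" ]; then
        printf 'suitedir is not set; refusing to compose target\n' >&2
        return 1
    fi
    printf '%s\n' "${ftpdir%/}/dists/$suitedir/main/code-sign"
}

# Stand-alone demo with constructed inputs (no real dak configuration is read).
select_archive /srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign stable
select_archive /srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign unstable
select_archive /home/someone/byhand-code-sign stable || echo "rejected as expected" >&2
```

In the real script the first function would be called as `select_archive "$(readlink -f "$0")" "$SUITE"`, so the match no longer depends on how dak happens to invoke the script, and `validate_config` would take the same variable list as the existing loop after `. "$configdir/byhand-code-sign.conf"`.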