On Thu, 2016-08-25 at 20:13 +0200, Julien Cristau wrote:
> Hi,
>
> a couple more things I noticed while looking at this again:
>
> On Thu, Jun 30, 2016 at 21:31:06 +0100, Ben Hutchings wrote:
>
> >
> > +# Read dak configuration for security or main archive
> > +case "$SUITE" in
> > + *-security)
> >
> > + configdir="/srv/security-master.debian.org/dak/config/debian-security"
> >
> > + ;;
> > + *)
> >
> > + configdir="/srv/ftp-master.debian.org/dak/config/debian"
> >
> > + ;;
>
> This isn't going to work, as far as I can tell $SUITE on security-master
> is going to be "stable" or "oldstable" (or "oldoldstable" for LTS).

Patch attached.

> >
> > +esac
> > +. "$configdir/vars"
> > +
> > +# Read and trivially validate our configuration
> > +. "$configdir/byhand-code-sign.conf"
> > +for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \
> >
> > + LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do
> >
> > + test -v $var || error "$var is not defined in configuration"
> >
> > + test -n "${!var}" || error "$var is empty in configuration"
> > +done
> > +
> > +TARGET="$ftpdir/dists/$SUITE/main/code-sign/"
>
> Likewise, I think this won't work for security due to
> Dinstall::SuiteSuffix being set (so the path there is actually
> $ftpdir/dists/$suite/updates/main/...).

I don't see where that setting comes from so I'll hard-code that suffix for now. Patch attached.

> I think we'll also end up changing how pesign and sign-file are called,
> to go through sudo to a different user, so that dak doesn't have access
> to the usb device or pcscd socket directly, to avoid conflicts between
> code signing and gpg (archive) signing, so we can move the latter to a
> HSM as well. Something like "sudo -u codesign sign-efi foo.efi >
> foo.efi.sig" and "sudo -u codesign sign-kmod foo.ko > foo.ko.sig" (user
> and script names still open to bikeshedding).

Right. Have you tried to implement that yet?

Ben.

-- 
Ben Hutchings
I say we take off; nuke the site from orbit. It's the only way to be sure.
From c456733300ba69b95975602d9fa31a75f56d0a9a Mon Sep 17 00:00:00 2001 From: Ben Hutchings <ben@decadent.org.uk> Date: Mon, 29 Aug 2016 15:07:11 +0100 Subject: [PATCH 1/2] byhand-code-sign: Use script path, not suite name, to find the config directory At this point the suite name for a security upload no longer has the '-security' suffix. --- scripts/debian/byhand-code-sign | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign index 8038813ed83c..60927014b485 100755 --- a/scripts/debian/byhand-code-sign +++ b/scripts/debian/byhand-code-sign @@ -23,13 +23,16 @@ error() { export OPENSSL_CONF=/dev/null # Read dak configuration for security or main archive -case "$SUITE" in - *-security) +case "$0" in + /srv/security-master.debian.org/*) configdir="/srv/security-master.debian.org/dak/config/debian-security" ;; - *) + /srv/ftp-master.debian.org/*) configdir="/srv/ftp-master.debian.org/dak/config/debian" ;; + *) + error "$0: Can't tell if security or not" + ;; esac . "$configdir/vars"
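Review bot: In the new case "$0" block of patch 1/2, the match only succeeds when the script is invoked by its absolute path under /srv/security-master.debian.org/ or /srv/ftp-master.debian.org/; a relative invocation, or one through a symlink located elsewhere, lands in the added *) branch. Failing closed there is the right default, but the assumption deserves a comment above the case statement, or the script could match on a canonicalised path (for example the output of readlink -f on $0) instead of $0 itself. The error text could also name the two prefixes it expects, so the operator can see from the message what went wrong.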
From c8e2adf8ea11446186d8fad24505ecef15719495 Mon Sep 17 00:00:00 2001 From: Ben Hutchings <ben@decadent.org.uk> Date: Mon, 29 Aug 2016 15:10:18 +0100 Subject: [PATCH 2/2] byhand-code-sign: Put signature tarballs for security uploads in .../updates This is consistent with the Release and Packages files. --- scripts/debian/byhand-code-sign | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign index 60927014b485..fbd6855d76de 100755 --- a/scripts/debian/byhand-code-sign +++ b/scripts/debian/byhand-code-sign @@ -22,13 +22,16 @@ error() { export OPENSSL_CONF=/dev/null -# Read dak configuration for security or main archive +# Read dak configuration for security or main archive. +# Also determine subdirectory for the suite. case "$0" in /srv/security-master.debian.org/*) configdir="/srv/security-master.debian.org/dak/config/debian-security" + suitedir="$SUITE/updates" ;; /srv/ftp-master.debian.org/*) configdir="/srv/ftp-master.debian.org/dak/config/debian" + suitedir="$SUITE" ;; *) error "$0: Can't tell if security or not" @@ -44,7 +47,7 @@ for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \ test -n "${!var}" || error "$var is empty in configuration" done -TARGET="$ftpdir/dists/$SUITE/main/code-sign/" +TARGET="$ftpdir/dists/$suitedir/main/code-sign/" OUT_TARBALL="$TARGET/${IN_TARBALL##*/}" OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
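Review bot: In the security-master branch of the first hunk of patch 2/2, suitedir="$SUITE/updates" hard-codes the updates component, while the added comment only says that a subdirectory is determined. The comment should say that this suffix has to stay in step with the one the security archive uses for its Release and Packages files, so that a change on the archive side is not missed here. $SUITE also goes into a path with no check in the visible lines; the validation loop shown covers only the EFI_ and LINUX_ variables.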
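Review bot: In the second hunk of patch 2/2, TARGET now depends on $suitedir, and nothing in the visible lines checks the resulting directory before OUT_TARBALL is derived from it. Unless the directory is created or checked later in the script, a test -d "$TARGET" || error ... directly after the assignment would catch a wrong suffix or an unexpected suite name before anything is written. Minor style point: TARGET ends in a slash and OUT_TARBALL="$TARGET/${IN_TARBALL##*/}" adds another, which gives a double slash in the path; it is harmless, but dropping the trailing slash from TARGET is tidier.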