Re: Bug#821051: [PATCH 1/3] Add byhand script to perform code signing
On Mon, Aug 29, 2016 at 15:48:13 +0100, Ben Hutchings wrote:
> On Thu, 2016-08-25 at 20:13 +0200, Julien Cristau wrote:
> > Hi,
> >
> > a couple more things I noticed while looking at this again:
> >
> > On Thu, Jun 30, 2016 at 21:31:06 +0100, Ben Hutchings wrote:
> >
> > >
> > > +# Read dak configuration for security or main archive
> > > +case "$SUITE" in
> > > + *-security)
> > > > > + configdir="/srv/security-master.debian.org/dak/config/debian-security"
> > > > > + ;;
> > > + *)
> > > > > + configdir="/srv/ftp-master.debian.org/dak/config/debian"
> > > > > + ;;
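Review bot: selecting the dak config by pattern-matching `$SUITE` against `*-security` only works if the suite name carries that suffix; on security-master the suites are named stable/oldstable (as the reply below notes), so every suite falls through to the `*)` branch and the script sources `/srv/ftp-master.debian.org/dak/config/debian/vars` on the wrong host. Key the choice on something that actually distinguishes the two archives (the host, or a variable passed in by the byhand caller) rather than the suite name, and consider failing hard with `error` when neither config directory exists instead of silently defaulting to ftp-master.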
> >
> > This isn't going to work, as far as I can tell $SUITE on security-master
> > is going to be "stable" or "oldstable" (or "oldoldstable" for LTS).
>
> Patch attached.
>
Looks good to me, thanks.
> > >
> > > +esac
> > > +. "$configdir/vars"
> > > +
> > > +# Read and trivially validate our configuration
> > > +. "$configdir/byhand-code-sign.conf"
> > > +for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \
> > > > > + LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do
> > > > > + test -v $var || error "$var is not defined in configuration"
> > > > > + test -n "${!var}" || error "$var is empty in configuration"
> > > +done
> > > +
> > > +TARGET="$ftpdir/dists/$SUITE/main/code-sign/"
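Review bot: `test -v $var` and `${!var}` are bash-only (`-v` needs bash 4.2 or newer), so the script must be run under bash and not `/bin/sh`; the shebang is outside this hunk, so please double-check it. Since `byhand-code-sign.conf` is sourced with `.` and names the private key paths (`EFI_BINARY_PRIVKEY`, `LINUX_MODULE_PRIVKEY`), it is worth checking before sourcing that the file exists and is not writable by group or others, otherwise a writable config file becomes a way to redirect which key signs the archive's binaries. Also, `TARGET` hard-codes `dists/$SUITE/main/code-sign/`, which does not account for a suite suffix such as `updates` on security-master; build the path from the configured suffix instead of a fixed layout.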
> >
> > Likewise, I think this won't work for security due to
> > Dinstall::SuiteSuffix being set (so the path there is actually
> > $ftpdir/dists/$suite/updates/main/...).
>
> I don't see where that setting comes from so I'll hard-code that suffix
> for now. Patch attached.
>
It's in config/debian-security/dak.conf. I'm not aware of a way to get
at that from the shell :/
> > I think we'll also end up changing how pesign and sign-file are called,
> > to go through sudo to a different user, so that dak doesn't have access
> > to the usb device or pcscd socket directly, to avoid conflicts between
> > code signing and gpg (archive) signing, so we can move the latter to a
> > HSM as well. Something like "sudo -u codesign sign-efi foo.efi >
> > foo.efi.sig" and "sudo -u codesign sign-kmod foo.ko > foo.ko.sig" (user
> > and script names still open to bikeshedding).
>
> Right. Have you tried to implement that yet?
>
Yep, sent that out on Friday to -admin and ftpmaster, you're cc:ed.
Cheers,
Julien
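The two points raised above, the suite suffix in the target path and the config file that is sourced before its variables are checked, are easy to get subtly wrong, so here is an added shell example of both checks written as stand-alone functions. This is not code from the thread or from dak; the helper names `code_sign_target` and `load_signing_conf`, the argument layout, and the sample configuration values are all assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the thread or from dak). Two helpers that mirror the
# points discussed in the review: build the code-sign target path with an
# optional suite suffix, and source a config file only after checking it is a
# regular file that nobody but its owner can write, then verify the listed
# variables are set and non-empty.

# Hypothetical helper: print the dists directory the signatures should land in.
# $1 archive root, $2 suite name, $3 suite suffix (e.g. "updates" on
# security-master, empty on ftp-master).
code_sign_target() {
    ftpdir="$1"; suite="$2"; suffix="$3"
    if [ -n "$suffix" ]; then
        printf '%s/dists/%s/%s/main/code-sign/\n' "$ftpdir" "$suite" "$suffix"
    else
        printf '%s/dists/%s/main/code-sign/\n' "$ftpdir" "$suite"
    fi
}

# Hypothetical helper: source $1 and require every remaining argument to be a
# non-empty variable afterwards. Returns 1 without sourcing if the file is
# missing, not a regular file, or writable by group/others (GNU stat -c '%a').
load_signing_conf() {
    conf="$1"; shift
    [ -f "$conf" ] || { echo "$conf: not a regular file" >&2; return 1; }
    mode=$(stat -c '%a' "$conf") || return 1
    # Octal mode: the last digit is "other", the one before it is "group";
    # 2, 3, 6 and 7 all have the write bit set.
    case "$mode" in
        *[2367]?|*[2367])
            echo "$conf: writable by group or others (mode $mode)" >&2
            return 1 ;;
    esac
    . "$conf" || return 1
    for var in "$@"; do
        # Indirect expansion via eval so this also runs under plain sh.
        eval "val=\${$var}"
        [ -n "$val" ] || { echo "$var is not set or empty in $conf" >&2; return 1; }
    done
    return 0
}
```

In the byhand script the second helper would be called as `load_signing_conf "$configdir/byhand-code-sign.conf" EFI_BINARY_PRIVKEY EFI_BINARY_CERT LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT || error "bad signing configuration"`, and `TARGET` would come from `code_sign_target "$ftpdir" "$SUITE" "$suite_suffix"` with the suffix taken from whatever the caller knows about Dinstall::SuiteSuffix.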