[PATCH 2/3] Add (incomplete) configuration for signing code for linux

To: 821051@bugs.debian.org
Cc: debian-efi@lists.debian.org
Subject: [PATCH 2/3] Add (incomplete) configuration for signing code for linux
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 30 Jun 2016 21:36:26 +0100
Message-id: <[🔎] 20160630203626.GI7555@decadent.org.uk>

---
This assumes linux-kbuild-4.6 (available from jessie-backports)
is installed on ftp-master/security-master, and that the module
signature format is stable.

Ben.

 config/debian-security/byhand-code-sign.conf |  8 ++++++++
 config/debian-security/dak.conf              | 10 ++++++++++
 config/debian/byhand-code-sign.conf          |  8 ++++++++
 config/debian/dak.conf                       |  7 +++++++
 4 files changed, 33 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf

diff --git a/config/debian-security/byhand-code-sign.conf b/config/debian-security/byhand-code-sign.conf
new file mode 100644
index 000000000000..c9dcc946da50
--- /dev/null
+++ b/config/debian-security/byhand-code-sign.conf
@@ -0,0 +1,8 @@
+# Configuration for byhand-sign shell script
+
+EFI_IMAGE_PRIVKEY=
+EFI_IMAGE_CERT=
+
+LINUX_SIGNFILE=/usr/lib/linux-kbuild-4.6/scripts/sign-file
+LINUX_MODULES_PRIVKEY=
+LINUX_MODULES_CERT=
diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index 2bcfbbee4ed7..c4a932a0cd1a 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -124,6 +124,16 @@ SuiteMappings
   "reject oldoldstable";
 };
 
+AutomaticByHandPackages
+{
+  "linux-code-sign" {
+    Source "linux";
+    Section "byhand";
+    Extension "tar.xz";
+    Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+};
+
 Dir
 {
   Base "/srv/security-master.debian.org/";
diff --git a/config/debian/byhand-code-sign.conf b/config/debian/byhand-code-sign.conf
new file mode 100644
index 000000000000..e26c5a4d2527
--- /dev/null
+++ b/config/debian/byhand-code-sign.conf
@@ -0,0 +1,8 @@
+# Configuration for byhand-code-sign shell script
+
+EFI_BINARY_PRIVKEY=
+EFI_BINARY_CERT=
+
+LINUX_SIGNFILE=/usr/lib/linux-kbuild-4.6/scripts/sign-file
+LINUX_MODULE_PRIVKEY=
+LINUX_MODULE_CERT=
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index a7e34cba14ff..d5858da3a86a 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -185,6 +185,13 @@ AutomaticByHandPackages {
     Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di";
   };
 
+  "linux-code-sign" {
+    Source "linux";
+    Section "byhand";
+    Extension "tar.xz";
+    Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
   "tag-overrides" {
     Source "tag-overrides";
     Section "byhand";

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: [PATCH 1/3] Add byhand script to perform code signing
Next by Date: [PATCH 3/3] daklib.regexes: Add signature tarballs to re_includeinrelease
Previous by thread: [PATCH 1/3] Add byhand script to perform code signing
Next by thread: [PATCH 3/3] daklib.regexes: Add signature tarballs to re_includeinrelease
Index(es):
- Date
- Thread