I don't know anything about dak, PKCS#$N, or EFI; but Helen asked me for a
review, so here it goes:
* Helen Koike <[email protected]>, 2016-09-28, 14:39:
+chmod a+r $IN_TARBALL
No, if the input tarball isn't world-writable, then it was certainly made so
for a reason, and you shouldn't expose it to all local users. (Even if it
didn't hurt from security perspective, this script is a wrong place to change
permissions of this file anyway.)
Here, and in other places, variables are not double-quoted. I don't think it
makes a difference in this case, but the style in inconsistent with the rest of
the code, and ""-less code in unnecessarily difficult to review.
+sudo -u codesign ${0%/*}/byhand-code-sign-user $IN_TARBALL $OUT_TARBALL
"$configdir/byhand-code-sign.conf"
The codesign user wouldn't have permissions to create the output tarball, I
guess...
+sudo chown dak $OUT_TARBALL
Hopefully the dak user is not permitted to elevate to root!
Instead of playing with file permissions, it would be much better (and simpler)
for byhand-code-sign-user to read the input file from stdin and spew the
tarball with sigs on stdout.
+ CERT_DIR="$(mktemp -td byhand-code-sign-cert.XXXXXX)"
+ chmod 700 "$CERT_DIR"
mktemp(1) calls mkdir(..., 0700), so the chmod is not necessary. (And if mktemp
didn't do the right thing, then there would be race window between mktemp and
chmod, in which the directory could be opened by other users.)
+ ${0%/*}/byhand-code-sign-user-exp $IN_DIR/$filename
$OUT_DIR/$filename.sig $pkcs11_pin_value ${PESIGN_PARAMS[@]}
Don't put secrets, such as $pkcs11_pin_value, on the command line. Command
lines are visible to all local users via /proc/$pid/cmdline.
+chmod -R a+rX "$OUT_DIR"
This unnecessarily exposes the files to local users. (Though I guess it doesn't
matter in this case.) You can ask tar to normalize permissions for you:
--mode=a+rX. You may also want to normalize ownership: --owner=root
--group=root.
+expect "Enter Password *:" {send $pin} timeout {exit 1}
+expect "Enter passphrase *:" {send $pin} timeout {exit 1}
This is weird. Why two different prompts exist?
--
Jakub Wilk
