Publish the signatures of packages automatically when the package is processed, based on a previous package prepared by the maintainer with all the EFI images and Linux modules.

The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the EFI images and/or Linux modules. When the package is processed from the queue, the byhand-code-sign script is called; it reads this .tar.xz, signs all the EFI images or modules inside it and publishes another ${package}-code-sign_${version}_${arch}_sigs.tar.xz at $ftpdir/dists/$suitedir/main/code-sign/. These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed, grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: this causes a delay between publishing embargoed updates and publishing the *-signed packages, which can be a problem since we want to avoid leaking the existence of a security flaw before its fix has been released. The proposed solution for this is to make dak publish the *-signed packages automatically. Since we already have this problem anyway, we can add this patch to dak and add the mechanism to automatically publish the *-signed packages later, on an incremental basis, as we advance in constructing the *-signed source packages.

Changes since last version:
- Patches based on https://ftp-master.debian.org/git/dak.git master, to be easier to review
- byhand-code-sign-user-exp was deleted; the expect part to enter the PIN code is embedded in the bash script byhand-code-sign-user
- Add a default configuration file for the YubiKey with more docs
- Also add grub2 and fwupdate in dak.conf AutomaticByHandPackages
- Call pesign just once in the script (no matter if we have a token or not, with a password or not)

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

Check each commit message for more information on testing.

Patches are also available here:
https://github.com/helen-fornazier/dak/tree/review

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf | 43 ++++++++++++
 config/debian-security/dak.conf              | 24 +++++++
 config/debian/byhand-code-sign.conf          | 43 ++++++++++++
 config/debian/dak.conf                       | 21 ++++++
 scripts/debian/byhand-code-sign              | 52 +++++++++++++++
 scripts/debian/byhand-code-sign-user         | 99 ++++++++++++++++++++++++++++
 6 files changed, 282 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4
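The cover letter describes the flow of the byhand-code-sign step (read the uploader's ${package}-code-sign tarball, sign every EFI image and Linux module in it, publish a matching *_sigs.tar.xz). The following is an added example, not code from the patch series or from dak itself, that implements that flow with the input-validation a signing host needs: the tarball comes from the uploader, while the script runs where the signing key is usable, so member names are treated as untrusted and every entry is checked before anything is signed. The real scripts call pesign (and the kernel's sign-file for modules); here the signer is an injectable callable and the demo signer is an HMAC stand-in so the example runs offline. The ".sig" naming, the suffix rules and all sample inputs are assumptions, constructed for the example.

```python
"""Added example: byhand-code-sign style tarball processing with member validation.

Not part of the dak code base or of the patch series under review. The signer
is injectable; demo_signer is an HMAC stand-in for pesign / sign-file so that
the example runs offline. Naming and layout are assumptions.
"""
import hashlib
import hmac
import io
import posixpath
import tarfile

# Assumption: the tarball holds EFI images and Linux modules, as the cover
# letter says; anything else is left unsigned.
SIGNABLE = {".efi": "efi", ".ko": "module"}

# Assumption: stand-in for the key held on the HSM/token; never a real key.
DEMO_KEY = b"demo-key-not-a-real-signing-key"


def check_member(member):
    """Reject members a signing host should not act on.

    Only regular files with clean relative paths are accepted: no symlinks,
    devices or hardlinks, no absolute paths, no '..' components.
    """
    name = member.name
    if not member.isfile():
        raise ValueError("refusing non-regular member: %s" % name)
    if name.startswith("/") or "\\" in name or "\x00" in name:
        raise ValueError("refusing absolute or malformed path: %s" % name)
    parts = posixpath.normpath(name).split("/")
    if ".." in parts or parts[0] in ("", "."):
        raise ValueError("refusing path escaping the tarball root: %s" % name)


def classify(name):
    """Return 'efi', 'module' or None depending on the member suffix."""
    for suffix, kind in SIGNABLE.items():
        if name.endswith(suffix):
            return kind
    return None


def demo_signer(kind, name, data):
    """Stand-in for pesign / sign-file: keyed digest over kind, name and data."""
    mac = hmac.new(DEMO_KEY, digestmod=hashlib.sha256)
    mac.update(kind.encode() + b"\0" + name.encode() + b"\0" + data)
    return mac.hexdigest().encode()


def sign_code_sign_tarball(tar_xz, signer):
    """Return (sigs_tar_xz, signed_names, skipped_names).

    signer(kind, name, data) -> detached signature bytes. All members are
    validated first, so one bad entry aborts the upload instead of leaving a
    half-built _sigs tarball behind.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_xz), mode="r:xz") as tin:
        members = tin.getmembers()
        for m in members:
            check_member(m)
        out = io.BytesIO()
        signed, skipped = [], []
        with tarfile.open(fileobj=out, mode="w:xz") as tout:
            for m in members:
                kind = classify(m.name)
                if kind is None:
                    skipped.append(m.name)
                    continue
                data = tin.extractfile(m).read()
                sig = signer(kind, m.name, data)
                info = tarfile.TarInfo(name=m.name + ".sig")  # assumption: detached sig name
                info.size = len(sig)
                info.mode = 0o644
                tout.addfile(info, io.BytesIO(sig))
                signed.append(m.name)
    return out.getvalue(), signed, skipped


def make_tarball(files):
    """Build a tar.xz from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mode = 0o644
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_members(tar_xz):
    with tarfile.open(fileobj=io.BytesIO(tar_xz), mode="r:xz") as t:
        return t.getnames()


def read_member(tar_xz, name):
    with tarfile.open(fileobj=io.BytesIO(tar_xz), mode="r:xz") as t:
        return t.extractfile(name).read()


if __name__ == "__main__":
    # Constructed sample: one EFI image, one module, one unrelated file.
    sample = make_tarball({
        "grubx64.efi": b"MZ constructed efi image",
        "lib/modules/5.10/extra/foo.ko": b"\x7fELF constructed module",
        "README": b"not signed",
    })
    sigs, signed, skipped = sign_code_sign_tarball(sample, demo_signer)
    print("signed:", signed, "skipped:", skipped)
    print("_sigs members:", list_members(sigs))
```

To use it against a real upload, replace demo_signer with a callable that shells out to pesign for "efi" members and to sign-file for "module" members and returns the detached signature bytes; the validation and tarball handling stay the same.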