Publish the signature of packages automatically when the package is processed
based on previous
package prepared by the maintainer with all the efi images and linux modules.
The maintainer prepare a ${package}-code-sign_${version}_${arch}.tar.xz with
all the efi images
and/or linux modules. When processing the package from the queue, the
byhand-code-sign script
is called, read this .tar.xz package, sign all the efi or modules inside it and
publish another
${package}-code-sign_${version}_${arch}_sigs.tar.xz at
$ftpdir/dists/$suitedir/main/code-sign/
This signature are then retrieved by the maintainers of the *-signed packages
(e.g. linux-signed,
grub2-signed, fwupdate-signed) to construct the *-signed versions.
NOTE: this causes a delay between publishing embargoed updates and publishing
*-signed packages that can
be a problem since we avoid to leak the existence of a security flaw before its
fix has being released.
The proposed solution for this is by making dak to publish the *-signed
packages automatically.
Since we already have this problem anyway, we can add this patch in dak and add
the mechanism to automatically publish the *-signed packages latter in
incremental basis as
we advance constructing the *-signed source packages
Changes since last version:
- Patches based on https://ftp-master.debian.org/git/dak.git master to
be easier to review
- byhand-code-sign-user-exp was deleted, the expect part to enter pin
code is embedded in
bash script byhand-code-sign-user
- Add default configuration file for yubikey with more docs
- Also add grub2 and fwupdate in dak.conf AutomaticByHandPackages
- Call pesign just once in the script (no matter if we have a token or
not, with a password or not)
Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing
Patches are also available here:
https://github.com/helen-fornazier/dak/tree/review
Helen Koike (3):
byhand-code-sign-user: signing script for efi images and linux modules
byhand-code-sign: intermediate script for code sign
dak.conf: add packages that trigger byhand-code-sign
config/debian-security/byhand-code-sign.conf | 43 ++++++++++++
config/debian-security/dak.conf | 24 +++++++
config/debian/byhand-code-sign.conf | 43 ++++++++++++
config/debian/dak.conf | 21 ++++++
scripts/debian/byhand-code-sign | 52 +++++++++++++++
scripts/debian/byhand-code-sign-user | 99 ++++++++++++++++++++++++++++
6 files changed, 282 insertions(+)
create mode 100644 config/debian-security/byhand-code-sign.conf
create mode 100644 config/debian/byhand-code-sign.conf
create mode 100755 scripts/debian/byhand-code-sign
create mode 100755 scripts/debian/byhand-code-sign-user
--
2.7.4
