Publish the signatures of packages automatically when the package is processed,
based on a previous package prepared by the maintainer with all the efi images
and linux modules.

The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with
all the efi images and/or linux modules, and a changelog file. When processing
the package from the queue, the byhand-code-sign script is called, reads this
.tar.xz package, signs all the efi images or modules inside it and publishes a
tarball with all the signatures at
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz
These signatures are then retrieved by the maintainers of the *-signed packages
(e.g. linux-signed, grub2-signed, fwupdate-signed) to construct the *-signed
versions.

NOTE: this causes a delay between publishing embargoed updates and publishing
*-signed packages that can be a problem, since we avoid leaking the existence
of a security flaw before its fix has been released.
The proposed solution for this is to make dak publish the *-signed packages
automatically.

Since we already have this problem anyway, we can add this patch in dak and add
the mechanism to automatically publish the *-signed packages later, on an
incremental basis, as we advance constructing the *-signed source packages.

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing.

Patches are also available here:
https://github.com/helen-fornazier/dak/tree/review

Changes since v3:
Use hash of changelog file to generate the output tarball name with the
signatures

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index f3eceab..40afdc6 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -37,9 +37,25 @@ case "$0" in
 esac
 . "$configdir/vars"
 
-TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
-OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
-OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
+# cleanup the temporary directories on EXIT
+IN_DIR=
+cleanup() {
+       test -z "$IN_DIR" || rm -rf "$IN_DIR"
+}
+trap cleanup EXIT
+
+# Extract the data from stdin into the input directory
+IN_DIR="$(mktemp -td byhand-code-sign-in.XXXXXX)"
+tar xaf "$IN_TARBALL" --directory="$IN_DIR"
+
+# Check if tarball contain the changelog file
+if [ ! -f "$IN_DIR/changelog" ]; then
+       error "Can't find changelog file in $IN_TARBALL"
+fi
+
+
+TARGET="$ftpdir/dists/$suitedir/main/code-sign"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"
 
 # Check that this source/arch/version hasn't already been signed
 if [ -e "$OUT_TARBALL" ]; then
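Review bot: the new OUT_TARBALL assignment derives the published name only from the contents of "$IN_DIR/changelog", so the "already been signed" test that follows no longer checks source/arch/version as its comment says. Two input tarballs that carry a byte-identical changelog (for example the same version prepared for two architectures) would resolve to the same path and the second would hit the -e check. Please either document that the changelog must be unique per input tarball, or include the package and architecture in the hashed data, and update the comment to match. Two smaller points in the same hunk: the comment "Extract the data from stdin" does not match the tar call, which reads "$IN_TARBALL"; and [ ! -f "$IN_DIR/changelog" ] follows symlinks, so a changelog entry that is a symlink passes the test and sha256sum hashes whatever it points to. Adding a [ -L ... ] rejection before hashing would close that.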
diff --git a/scripts/debian/byhand-code-sign-user 
b/scripts/debian/byhand-code-sign-user
index 91520d6..3477d6c 100755
--- a/scripts/debian/byhand-code-sign-user
+++ b/scripts/debian/byhand-code-sign-user
@@ -52,6 +52,10 @@ tar xJ --directory="$in_dir" <&0
 out_dir="$(mktemp -td byhand-code-sign-out.XXXXXX)"
 
 while read filename; do
+       # Skip changelog
+       if [ "$filename" == changelog ]; then
+               continue
+       fi
        mkdir -p "$out_dir/${filename%/*}"
        case "${filename##*/}" in
            *.efi | vmlinuz-*)
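Review bot: the comparison [ "$filename" == changelog ] in the added skip block uses ==, which is a bash extension to the test builtin; unless this script is guaranteed to run under bash, use a single = so it also works under a POSIX sh. The match is also exact, so it only skips the file if the list fed to the loop names it as plain "changelog"; if the list can contain a form such as "./changelog", the changelog would fall through to the case statement below. The hunk does not show how the list is produced, so it is worth confirming and saying so in the comment.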

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf |  43 +++++++++++
 config/debian-security/dak.conf              |  24 +++++++
 config/debian/byhand-code-sign.conf          |  43 +++++++++++
 config/debian/dak.conf                       |  21 ++++++
 scripts/debian/byhand-code-sign              |  68 ++++++++++++++++++
 scripts/debian/byhand-code-sign-user         | 103 +++++++++++++++++++++++++++
 6 files changed, 302 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4
