Publish the signatures of packages automatically when a package is processed, based on a previous package prepared by the maintainer with all the EFI images and Linux modules.
The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the EFI images and/or Linux modules, and a changelog file. When processing the package from the queue, the byhand-code-sign script is called; it reads this .tar.xz package, signs all the EFI images or modules inside it and publishes a tarball with all the signatures at $ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz. These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed, grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: this causes a delay between publishing embargoed updates and publishing *-signed packages, which can be a problem since we avoid leaking the existence of a security flaw before its fix has been released. The proposed solution for this is to make dak publish the *-signed packages automatically. Since we already have this problem anyway, we can add this patch in dak and add the mechanism to automatically publish the *-signed packages later, on an incremental basis, as we advance in constructing the *-signed source packages.

Script used for testing byhand-code-sign-user: https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

Check each commit message for more information on testing.

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

Changes since v3:
  - Use hash of changelog file to generate the output tarball name with the signatures

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign index f3eceab..40afdc6 100755 --- a/scripts/debian/byhand-code-sign +++ b/scripts/debian/byhand-code-sign 
@@ -37,9 +37,25 @@ case "$0" in esac . "$configdir/vars" -TARGET="$ftpdir/dists/$suitedir/main/code-sign/" -OUT_TARBALL="$TARGET/${IN_TARBALL##*/}" -OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz" +# cleanup the temporary directories on EXIT +IN_DIR= +cleanup() { + test -z "$IN_DIR" || rm -rf "$IN_DIR" +} +trap cleanup EXIT + +# Extract the data from stdin into the input directory +IN_DIR="$(mktemp -td byhand-code-sign-in.XXXXXX)" +tar xaf "$IN_TARBALL" --directory="$IN_DIR" + +# Check if tarball contain the changelog file +if [ ! -f "$IN_DIR/changelog" ]; then + error "Can't find changelog file in $IN_TARBALL" +fi + + +TARGET="$ftpdir/dists/$suitedir/main/code-sign" +OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz" # Check that this source/arch/version hasn't already been signed if [ -e "$OUT_TARBALL" ]; then diff --git a/scripts/debian/byhand-code-sign-user b/scripts/debian/byhand-code-sign-user index 91520d6..3477d6c 100755 --- a/scripts/debian/byhand-code-sign-user +++ b/scripts/debian/byhand-code-sign-user 
@@ -52,6 +52,10 @@ tar xJ --directory="$in_dir" <&0 out_dir="$(mktemp -td byhand-code-sign-out.XXXXXX)" while read filename; do + # Skip changelog + if [ "$filename" == changelog ]; then + continue + fi mkdir -p "$out_dir/${filename%/*}" case "${filename##*/}" in *.efi | vmlinuz-*) Helen Koike (3): byhand-code-sign-user: signing script for efi images and linux modules byhand-code-sign: intermediate script for code sign dak.conf: add packages that trigger byhand-code-sign config/debian-security/byhand-code-sign.conf | 43 +++++++++++ config/debian-security/dak.conf | 24 +++++++ config/debian/byhand-code-sign.conf | 43 +++++++++++ config/debian/dak.conf | 21 ++++++ scripts/debian/byhand-code-sign | 68 ++++++++++++++++++ scripts/debian/byhand-code-sign-user | 103 +++++++++++++++++++++++++++ 6 files changed, 302 insertions(+) create mode 100644 config/debian-security/byhand-code-sign.conf create mode 100644 config/debian/byhand-code-sign.conf create mode 100755 scripts/debian/byhand-code-sign create mode 100755 scripts/debian/byhand-code-sign-user -- 2.7.4
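Review bot: in the byhand-code-sign hunk, the new `OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"` derives the output name from the changelog hash alone, so two input tarballs that carry the same changelog (the cover letter names inputs ${package}-code-sign_${version}_${arch}.tar.xz, so different architectures of one source version are the obvious case) map to the same path, and the second one is refused by the following "hasn't already been signed" check instead of being signed; either fold the architecture into the name, as the removed `${IN_TARBALL##*/}`-based line did, or state that one code-sign tarball per source version is the intended contract. Two smaller points in the same hunk: the comment "Extract the data from stdin into the input directory" does not match the code, which extracts `$IN_TARBALL`, and "tarball contain" should read "tarball contains".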
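Review bot: in the byhand-code-sign-user hunk, `if [ "$filename" == changelog ]` uses the bash-only `==` inside `[`; POSIX test only defines `=`, so unless the script is explicitly run under bash this fails on dash, which Debian installs as /bin/sh. Use `[ "$filename" = changelog ]`. The comparison also matches only a top-level `changelog`, which is consistent with byhand-code-sign checking `$IN_DIR/changelog`; a changelog placed in a subdirectory would fall through to the `case` below, so that `case` needs a default branch that rejects unexpected files, which this hunk does not show.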
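To illustrate the workflow described in the cover letter from the maintainer's side, the following added example (not code from the dak patch or the dak project) reproduces the checks on a code-sign input tarball and computes the path under which the signatures tarball would be published, so a *-signed package maintainer can predict where to fetch it. It assumes placeholder values for $ftpdir and $suitedir passed as arguments, and only recognises the member patterns visible in the hunk (`*.efi` and `vmlinuz-*`).

```shell
#!/bin/sh
# Added example, not part of the dak patch. Mirrors what byhand-code-sign
# does with a maintainer-prepared code-sign tarball: extract it, require a
# top-level changelog, and name the output after the changelog's SHA-256.
set -eu

# Print the publication path of the signatures tarball.
# Usage: code_sign_output_path TARBALL FTPDIR SUITEDIR
# Returns 2 when the tarball has no top-level changelog (the case the
# patch rejects with error()).
code_sign_output_path() {
    tarball=$1 ftpdir=$2 suitedir=$3
    in_dir=$(mktemp -d) || return 1
    # tar auto-detects the compression, so .tar and .tar.xz both work.
    tar xf "$tarball" --directory="$in_dir" || { rm -rf "$in_dir"; return 1; }
    if [ ! -f "$in_dir/changelog" ]; then
        rm -rf "$in_dir"
        return 2
    fi
    hash=$(sha256sum "$in_dir/changelog" | head -c 64)
    rm -rf "$in_dir"
    printf '%s/dists/%s/main/code-sign/%s.tar.xz\n' "$ftpdir" "$suitedir" "$hash"
}

# List the members byhand-code-sign-user would hand to the signer,
# skipping the changelog the way the hunk does. Usage: code_sign_members TARBALL
code_sign_members() {
    tar tf "$1" | while IFS= read -r filename; do
        [ "$filename" = changelog ] && continue
        case "${filename##*/}" in
            *.efi | vmlinuz-*) printf '%s\n' "$filename" ;;
        esac
    done
}
```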