Bug#821051: [PATCH v2] byhand-code-sign: sign using another user
On Thu, Oct 6, 2016 at 18:27:33 -0300, Helen Koike wrote:
> Thanks Jakub for your review.
> I modified the script to read the .tar.xz from stdin and output the
> -sign.tar.xz to stdout.
> It is also available here: https://github.com/helen-fornazier/dak
>
> Changes since last version:
> - add quotes around variables
> - remove unnecessary chmod 700
> - receive tar.xz from stdin in byhand-code-sign-user script
> - generate the -sign.tar.xz to stdout in byhand-code-sign-user script
>
> I would appreciate it if someone could review this version

I wonder if maybe this would be more readable as a patch (or a series) against the main dak repo, rather than incremental against Ben's preliminary patches, since a lot of this is moving around code that was just added in a previous patch.

> Thank you
>
> Helen
>
>
> scripts/debian/byhand-code-sign | 104 +---
> scripts/debian/byhand-code-sign-user | 135 +++
> scripts/debian/byhand-code-sign-user-exp | 17
> 3 files changed, 154 insertions(+), 102 deletions(-)
> create mode 100755 scripts/debian/byhand-code-sign-user
> create mode 100755 scripts/debian/byhand-code-sign-user-exp
>
> diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
> index fbd6855..18bd09e 100755
> --- a/scripts/debian/byhand-code-sign
> +++ b/scripts/debian/byhand-code-sign

[...]

> +sudo -u codesign "${0%/*}/byhand-code-sign-user"
> "$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL"

I'm not sure we want the script called with sudo (and its config) to live in dak. Or if it does, I guess it should be named dak-codesign or something, to make it clear it's part of dak and strictly less privileged, like dak-unpriv is today.

Cheers,
Julien
Bug#821051: [PATCH v2] byhand-code-sign: sign using another user
---
Hi,

Thanks Jakub for your review.
I modified the script to read the .tar.xz from stdin and output the -sign.tar.xz to stdout.
It is also available here: https://github.com/helen-fornazier/dak

Changes since last version:
- add quotes around variables
- remove unnecessary chmod 700
- receive tar.xz from stdin in byhand-code-sign-user script
- generate the -sign.tar.xz to stdout in byhand-code-sign-user script

I would appreciate it if someone could review this version

Thank you

Helen

 scripts/debian/byhand-code-sign          | 104 +---
 scripts/debian/byhand-code-sign-user     | 135 +++
 scripts/debian/byhand-code-sign-user-exp |  17
 3 files changed, 154 insertions(+), 102 deletions(-)
 create mode 100755 scripts/debian/byhand-code-sign-user
 create mode 100755 scripts/debian/byhand-code-sign-user-exp

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index fbd6855..18bd09e 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -20,8 +20,6 @@ error() { exit 1 } -export OPENSSL_CONF=/dev/null - # Read dak configuration for security or main archive. # Also determine subdirectory for the suite. case "$0" in @@ -39,14 +37,6 @@ case "$0" in esac . "$configdir/vars" -# Read and trivially validate our configuration -. "$configdir/byhand-code-sign.conf" -for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \ - LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do - test -v $var || error "$var is not defined in configuration" - test -n "${!var}" || error "$var is empty in configuration" -done - TARGET="$ftpdir/dists/$suitedir/main/code-sign/" OUT_TARBALL="$TARGET/${IN_TARBALL##*/}" OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
@@ -56,99 +46,9 @@ if [ -e "$OUT_TARBALL" ]; then error "Signature tarball already exists: $OUT_TARBALL" fi -# If we fail somewhere, cleanup the temporary directories -IN_DIR= -OUT_DIR= -CERT_DIR= -cleanup() { - for dir in "$IN_DIR" "$OUT_DIR" "$CERT_DIR"; do - test -z "$dir" || rm -rf "$dir" - done -} -trap cleanup EXIT - -# Extract the data into the input directory -IN_DIR="$(mktemp -td byhand-code-sign-in.XX)" -tar xaf "$IN_TARBALL" --directory="$IN_DIR" - -case "$EFI_BINARY_PRIVKEY" in -pkcs11:*) - # Translate from OpenSSL PKCS#11 enigne syntax to pesign parameters - # See: https://sources.debian.net/src/engine-pkcs11/0.2.2-1/src/engine_pkcs11.c - pkcs11_pin_value= - old_IFS="$IFS" - IFS=';' - for kv in ${EFI_BINARY_PRIVKEY#pkcs11:}; do - case "$kv" in - token=*) - pkcs11_token="${kv#*=}" - ;; - object=*) - pkcs11_object="${kv#*=}" - ;; - pin-value=*) - pkcs11_pin_value="${kv#*=}" - ;; - esac - done - IFS="$old_IFS" - unset old_IFS - # TODO: unlock it - PESIGN_PARAMS=(-t "$pkcs11_token" -c "$pkcs11_object") - ;; -*) - # Create certificate store for pesign - CERT_DIR="$(mktemp -td byhand-code-sign-cert.XX)" - chmod 700 "$CERT_DIR" - mkdir "$CERT_DIR/store" - certutil -N --empty-password -d "$CERT_DIR/store" - openssl pkcs12 -export \ - -inkey "$EFI_BINARY_PRIVKEY" -in "$EFI_BINARY_CERT" \ - -out "$CERT_DIR/efi-image.p12" -passout pass: \ - -name efi-image - pk12util -i "$CERT_DIR/efi-image.p12" -d "$CERT_DIR/store" -K '' -W '' - PESIGN_PARAMS=(-n "$CERT_DIR/store" -c efi-image) - ;; -esac - -# Create hierarchy of detached signatures in parallel to the uploaded files -OUT_DIR="$(mktemp -td byhand-code-sign-out.XX)" -while read filename; do - mkdir -p "$OUT_DIR/${filename%/*}" - case "${filename##*/}" in - *.efi | vmlinuz-*) - pesign -i "$IN_DIR/$filename" \ - --export-signature "$OUT_DIR/$filename.sig" --sign \ - -d sha256 "${PESIGN_PARAMS[@]}" - ;; - *.ko) - "$LINUX_SIGNFILE" -d sha256 "$LINUX_MODULE_PRIVKEY" \ - "$LINUX_MODULE_CERT" "$IN_DIR/$filename" - mv 
"$IN_DIR/$filename.p7s" "$OUT_DIR/$filename.sig" - ;; - *) - echo >&2 "W: Not signing unrecognised file: $filename" - continue - ;; - esac - if [ ${#filename} -gt 60 ]; then - filename_trunc="...${filename:$((${#filename} - 57)):57}" - else - filename_trunc="$filename" - fi - printf 'I: Signed %-60s\r' "$filename_trunc" -done < <(find "$IN_DIR" -type f -printf '%P\n') - -# Clear last progress message -printf '%-70s\r' '' +mkdir -p "${OUT_TARBALL%/*}" -# Build tarball of
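Review bot: in the @@ -20,8 +20,6 @@ hunk, removing `export OPENSSL_CONF=/dev/null` from byhand-code-sign means the `openssl pkcs12 -export` call (deleted further down and presumably moved to byhand-code-sign-user) no longer inherits that setting from the parent. byhand-code-sign-user is not in the part of the patch shown here, so please confirm it sets OPENSSL_CONF=/dev/null itself before invoking openssl; otherwise openssl will read the system openssl.cnf, including any engine section configured there, while running as the codesign user that holds the signing key.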
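Review bot: the @@ -39,14 +37,6 @@ hunk drops both the sourcing of byhand-code-sign.conf and the `test -v $var` / `test -n "${!var}"` validation loop, while the config path is now passed as an argument to the script run under sudo (`"$configdir/byhand-code-sign.conf"`). Two things to check: that the same validation of EFI_BINARY_PRIVKEY, EFI_BINARY_CERT, LINUX_SIGNFILE, LINUX_MODULE_PRIVKEY and LINUX_MODULE_CERT is done in byhand-code-sign-user so a missing setting still fails early instead of producing an empty signature tarball, and that the sudoers entry for codesign pins that argument (or the script hard-codes the path), since whatever file is passed is sourced as shell by the key-holding user.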
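Review bot: in the @@ -56,99 +46,9 @@ hunk, the cleanup trap is removed and the added `mkdir -p "${OUT_TARBALL%/*}"` is followed (per the sudo line quoted in Julien's reply) by redirecting the signer's stdout straight to `$OUT_TARBALL` under $ftpdir. If byhand-code-sign-user exits non-zero part way through, a truncated or empty signature tarball is left in the published tree, and the `if [ -e "$OUT_TARBALL" ]` check kept just above this hunk will then refuse a re-run. Suggest writing to a temporary file in the same directory and `mv`-ing it to `$OUT_TARBALL` only when the signer returns 0, removing it otherwise. The hunk is also truncated at `-# Build tarball of`, so the tarball-creation step could not be checked here.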
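The hand-off Helen's changelog describes (uploaded tarball in on stdin, signature tarball out on stdout), as an added example that is not part of this patch or of dak: `fake_signer` is a hypothetical stand-in for `sudo -u codesign byhand-code-sign-user CONF` that keeps the original script's `.efi` / `vmlinuz-*` / `.ko` selection but emits SHA-256 digests instead of pesign/sign-file signatures so it runs offline, and `sign_upload` is a hypothetical privileged wrapper that keeps the "already exists" check but publishes the output through a temporary file and rename, so a failed signing run leaves nothing behind.

```shell
#!/bin/sh
# Added example, not code from the dak patch.  Models the hand-off in the
# patch: the uploaded tarball goes to the unprivileged signer on stdin and
# the signature tarball comes back on stdout.  The wrapper below writes that
# output to a temporary file and renames it into place only on success.
set -eu

# Stand-in for "sudo -u codesign byhand-code-sign-user CONF" (hypothetical).
# Reads a tar archive on stdin, emits a tar of per-file .sig members on
# stdout.  SHA-256 digests replace pesign/sign-file output so this runs
# offline; the file selection mirrors the original script.
fake_signer() {
    in_dir=$(mktemp -d) ; sig_dir=$(mktemp -d)
    trap 'rm -rf "$in_dir" "$sig_dir"' EXIT      # caller runs us in a subshell
    tar xf - -C "$in_dir" || return 1            # corrupt upload: fail, emit nothing
    ( cd "$in_dir" && find . -type f ) | while read -r f; do
        f=${f#./}
        case "${f##*/}" in
        *.efi | vmlinuz-* | *.ko)
            mkdir -p "$sig_dir/$(dirname "$f")"
            sha256sum < "$in_dir/$f" > "$sig_dir/$f.sig" ;;
        *)  echo "W: Not signing unrecognised file: $f" >&2 ;;
        esac
    done
    tar cf - -C "$sig_dir" .
}

# sign_upload IN_TARBALL OUT_TARBALL (hypothetical privileged wrapper).
# Refuses to overwrite an existing signature tarball; returns 1 and leaves
# no file behind if the signer fails.
sign_upload() {
    in_tarball=$1 ; out_tarball=$2
    out_dir=$(dirname "$out_tarball")
    if [ -e "$out_tarball" ]; then
        echo "E: Signature tarball already exists: $out_tarball" >&2
        return 1
    fi
    mkdir -p "$out_dir"
    tmp=$(mktemp "$out_dir/.sigs.XXXXXX")
    if ( fake_signer ) < "$in_tarball" > "$tmp"; then
        mv "$tmp" "$out_tarball"               # publish only a complete tarball
    else
        rm -f "$tmp"                           # no partial output in the target dir
        return 1
    fi
}
```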