Bug#821051: [PATCH v2] byhand-code-sign: sign using another user

2016-10-15 Thread Julien Cristau
On Thu, Oct  6, 2016 at 18:27:33 -0300, Helen Koike wrote:

> Thanks Jakub for your review.
> I modified the script to read the .tar.xz from stdin and output the 
> -sign.tar.xz to stdout.
> It is also available here: https://github.com/helen-fornazier/dak
> 
> Changes since last version:
> - add quotes around variables
> - remove unnecessary chmod 700
> - receive tar.xz from stdin in byhand-code-sign-user script
> - generate the -sign.tar.xz to stdout in byhand-code-sign-user script
> 
> I would appreciate it if someone could review this version.

I wonder if maybe this would be more readable as a patch (or a series)
against the main dak repo, rather than incremental against Ben's
preliminary patches, since a lot of this is moving around code that was
just added in a previous patch.

> Thank you
> 
> Helen
> 
> 
>  scripts/debian/byhand-code-sign  | 104 +---
>  scripts/debian/byhand-code-sign-user | 135 +++
>  scripts/debian/byhand-code-sign-user-exp |  17 
>  3 files changed, 154 insertions(+), 102 deletions(-)
>  create mode 100755 scripts/debian/byhand-code-sign-user
>  create mode 100755 scripts/debian/byhand-code-sign-user-exp
> 
> diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
> index fbd6855..18bd09e 100755
> --- a/scripts/debian/byhand-code-sign
> +++ b/scripts/debian/byhand-code-sign
[...]
> +sudo -u codesign "${0%/*}/byhand-code-sign-user" 
> "$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL"
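Review bot: `${0%/*}` in the sudo line only yields a directory when the wrapper was invoked with a path component; if it is run by bare name through PATH, `${0%/*}` expands to the unchanged `$0` and sudo is handed a non-existent path. Resolving the directory explicitly (e.g. `dirname "$(readlink -f "$0")"`) or hard-coding the installed location would fix that, and an absolute path is also what a sudoers rule for the codesign user needs in order to pin exactly this command and its config argument.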

I'm not sure we want the script called with sudo (and its config) to
live in dak.  Or if it does, I guess it should be named dak-codesign or
something, to make it clear it's part of dak and strictly less
privileged, like dak-unpriv is today.

Cheers,
Julien



Bug#821051: [PATCH v2] byhand-code-sign: sign using another user

2016-10-06 Thread Helen Koike
---

Hi,

Thanks Jakub for your review.
I modified the script to read the .tar.xz from stdin and output the 
-sign.tar.xz to stdout.
It is also available here: https://github.com/helen-fornazier/dak

Changes since last version:
- add quotes around variables
- remove unnecessary chmod 700
- receive tar.xz from stdin in byhand-code-sign-user script
- generate the -sign.tar.xz to stdout in byhand-code-sign-user script

I would appreciate it if someone could review this version.
Thank you

Helen


 scripts/debian/byhand-code-sign  | 104 +---
 scripts/debian/byhand-code-sign-user | 135 +++
 scripts/debian/byhand-code-sign-user-exp |  17 
 3 files changed, 154 insertions(+), 102 deletions(-)
 create mode 100755 scripts/debian/byhand-code-sign-user
 create mode 100755 scripts/debian/byhand-code-sign-user-exp

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index fbd6855..18bd09e 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -20,8 +20,6 @@ error() {
exit 1
 }
 
-export OPENSSL_CONF=/dev/null
-
 # Read dak configuration for security or main archive.
 # Also determine subdirectory for the suite.
 case "$0" in
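Review bot: dropping `export OPENSSL_CONF=/dev/null` from this wrapper is only safe if byhand-code-sign-user sets it itself before its openssl call; sudo's default env_reset would not pass an exported variable from here into the unprivileged script anyway, so the setting has to live in the script that actually runs openssl. Please confirm it was moved rather than lost.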
@@ -39,14 +37,6 @@ case "$0" in
 esac
 . "$configdir/vars"
 
-# Read and trivially validate our configuration
-. "$configdir/byhand-code-sign.conf"
-for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \
-  LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do
-   test -v $var || error "$var is not defined in configuration"
-   test -n "${!var}" || error "$var is empty in configuration"
-done
-
 TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
 OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
 OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
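Review bot: this hunk removes the sourcing of `byhand-code-sign.conf` together with the `test -v` / `test -n` validation loop for EFI_BINARY_PRIVKEY, EFI_BINARY_CERT, LINUX_SIGNFILE, LINUX_MODULE_PRIVKEY and LINUX_MODULE_CERT. Since the wrapper now only hands the conf path to the sudo'd script, that validation (and the clear error messages) must be carried over into byhand-code-sign-user, otherwise a missing or empty key variable will surface as an obscure pesign or sign-file failure instead.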
@@ -56,99 +46,9 @@ if [ -e "$OUT_TARBALL" ]; then
error "Signature tarball already exists: $OUT_TARBALL"
 fi
 
-# If we fail somewhere, cleanup the temporary directories
-IN_DIR=
-OUT_DIR=
-CERT_DIR=
-cleanup() {
-   for dir in "$IN_DIR" "$OUT_DIR" "$CERT_DIR"; do
-   test -z "$dir" || rm -rf "$dir"
-   done
-}
-trap cleanup EXIT
-
-# Extract the data into the input directory
-IN_DIR="$(mktemp -td byhand-code-sign-in.XX)"
-tar xaf "$IN_TARBALL" --directory="$IN_DIR"
-
-case "$EFI_BINARY_PRIVKEY" in
-pkcs11:*)
-   # Translate from OpenSSL PKCS#11 enigne syntax to pesign parameters
-   # See: 
https://sources.debian.net/src/engine-pkcs11/0.2.2-1/src/engine_pkcs11.c
-   pkcs11_pin_value=
-   old_IFS="$IFS"
-   IFS=';'
-   for kv in ${EFI_BINARY_PRIVKEY#pkcs11:}; do
-   case "$kv" in
-   token=*)
-   pkcs11_token="${kv#*=}"
-   ;;
-   object=*)
-   pkcs11_object="${kv#*=}"
-   ;;
-   pin-value=*)
-   pkcs11_pin_value="${kv#*=}"
-   ;;
-   esac
-   done
-   IFS="$old_IFS"
-   unset old_IFS
-   # TODO: unlock it
-   PESIGN_PARAMS=(-t "$pkcs11_token" -c "$pkcs11_object")
-   ;;
-*)
-   # Create certificate store for pesign
-   CERT_DIR="$(mktemp -td byhand-code-sign-cert.XX)"
-   chmod 700 "$CERT_DIR"
-   mkdir "$CERT_DIR/store"
-   certutil -N --empty-password -d "$CERT_DIR/store"
-   openssl pkcs12 -export \
-   -inkey "$EFI_BINARY_PRIVKEY" -in "$EFI_BINARY_CERT" \
-   -out "$CERT_DIR/efi-image.p12" -passout pass: \
-   -name efi-image
-   pk12util -i "$CERT_DIR/efi-image.p12" -d "$CERT_DIR/store" -K '' -W ''
-   PESIGN_PARAMS=(-n "$CERT_DIR/store" -c efi-image)
-   ;;
-esac
-
-# Create hierarchy of detached signatures in parallel to the uploaded files
-OUT_DIR="$(mktemp -td byhand-code-sign-out.XX)"
-while read filename; do
-   mkdir -p "$OUT_DIR/${filename%/*}"
-   case "${filename##*/}" in
-   *.efi | vmlinuz-*)
-   pesign -i "$IN_DIR/$filename" \
-  --export-signature "$OUT_DIR/$filename.sig" --sign \
-  -d sha256 "${PESIGN_PARAMS[@]}"
-   ;;
-   *.ko)
-   "$LINUX_SIGNFILE" -d sha256 "$LINUX_MODULE_PRIVKEY" \
-   "$LINUX_MODULE_CERT" "$IN_DIR/$filename"
-   mv "$IN_DIR/$filename.p7s" "$OUT_DIR/$filename.sig"
-   ;;
-   *)
-   echo >&2 "W: Not signing unrecognised file: $filename"
-   continue
-   ;;
-   esac
-   if [ ${#filename} -gt 60 ]; then
-   filename_trunc="...${filename:$((${#filename} - 57)):57}"
-   else
-   filename_trunc="$filename"
-   fi
-   printf 'I: Signed %-60s\r' "$filename_trunc"
-done < <(find "$IN_DIR" -type f -printf '%P\n')
-
-# Clear last progress message
-printf '%-70s\r' ''
+mkdir -p "${OUT_TARBALL%/*}"
 
-# Build tarball of
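Review bot: with the cleanup trap and the signing code gone, the wrapper's only remaining output handling is `mkdir -p "${OUT_TARBALL%/*}"` under the public $ftpdir, followed (per the sudo line quoted earlier in the thread) by a redirect straight to `$OUT_TARBALL`. If byhand-code-sign-user fails part-way, that leaves an empty or truncated `_sigs.tar.xz` in the archive, and the `-e` check above will then refuse a re-run as "already exists". Suggest redirecting to a temporary file in the same directory and `mv`-ing it to `$OUT_TARBALL` only after `sudo` returns 0, removing the temp file on any other exit.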