Publish the signatures of packages automatically when the package is processed, based on a previous package prepared by the maintainer with all the EFI images and Linux modules.

The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the EFI images and/or Linux modules, and a changelog file. When processing the package from the queue, the byhand-code-sign script is called; it reads this .tar.xz package, signs all the EFI images or modules inside it and publishes a tarball with all the signatures at
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz
These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed, grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: The maintainers of the main package and the -signed package will have to coordinate their uploads to reduce the propagation delay of a security fix to be incorporated in the -signed package.

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing

Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

Changes since v4:
        Append _$ARCH at the end of the tar.xz file name
        Remove extra new line

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index 40afdc6..86abd6e 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -53,9 +53,8 @@ if [ ! -f "$IN_DIR/changelog" ]; then
        error "Can't find changelog file in $IN_TARBALL"
 fi
 
-
 TARGET="$ftpdir/dists/$suitedir/main/code-sign"
-OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 
64)_$ARCH.tar.xz"
 
 # Check that this source/arch/version hasn't already been signed
 if [ -e "$OUT_TARBALL" ]; then
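Review bot: nothing in this hunk sets or validates $ARCH before it is interpolated into OUT_TARBALL, so if the variable is empty the output path silently degrades to `<sha256>_.tar.xz` and the `if [ -e "$OUT_TARBALL" ]` "already signed" check just below stops distinguishing architectures. Suggest failing early right before the TARGET line, e.g. `[ -n "$ARCH" ] || error "ARCH is not set"`, using the same error helper the changelog check above already relies on. Also, the added OUT_TARBALL line appears wrapped after `head -c` in the mail; worth confirming the applied patch keeps it on a single line.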

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf |  43 +++++++++++
 config/debian-security/dak.conf              |  24 +++++++
 config/debian/byhand-code-sign.conf          |  43 +++++++++++
 config/debian/dak.conf                       |  21 ++++++
 scripts/debian/byhand-code-sign              |  67 +++++++++++++++++
 scripts/debian/byhand-code-sign-user         | 103 +++++++++++++++++++++++++++
 6 files changed, 301 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4
