Publish the signature of packages automatically when the package is processed based on previous package prepared by the maintainer with all the efi images and linux modules.
The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the efi images and/or linux modules, and a changelog file. When processing the package from the queue, the byhand-code-sign script is called, reads this .tar.xz package, signs all the efi images or modules inside it and publishes a tarball with all the signatures at

  $ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz

These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed, grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: The maintainers of the main package and the -signed package will have to coordinate their uploads to reduce the propagation delay of a security fix to be incorporated in the -signed package.

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing.

Patches are also available here:
https://github.com/helen-fornazier/dak/tree/review

Changes since v4:
- Append _$ARCH in the end of the tar.xz file
- Remove extra new line

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign index 40afdc6..86abd6e 100755 --- a/scripts/debian/byhand-code-sign +++ b/scripts/debian/byhand-code-sign
@@ -53,9 +53,8 @@ if [ ! -f "$IN_DIR/changelog" ]; then error "Can't find changelog file in $IN_TARBALL" fi - TARGET="$ftpdir/dists/$suitedir/main/code-sign" -OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz" +OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz" # Check that this source/arch/version hasn't already been signed if [ -e "$OUT_TARBALL" ]; then Helen Koike (3): byhand-code-sign-user: signing script for efi images and linux modules byhand-code-sign: intermediate script for code sign dak.conf: add packages that trigger byhand-code-sign config/debian-security/byhand-code-sign.conf | 43 +++++++++++ config/debian-security/dak.conf | 24 +++++++ config/debian/byhand-code-sign.conf | 43 +++++++++++ config/debian/dak.conf | 21 ++++++ scripts/debian/byhand-code-sign | 67 +++++++++++++++++ scripts/debian/byhand-code-sign-user | 103 +++++++++++++++++++++++++++ 6 files changed, 301 insertions(+) create mode 100644 config/debian-security/byhand-code-sign.conf create mode 100644 config/debian/byhand-code-sign.conf create mode 100755 scripts/debian/byhand-code-sign create mode 100755 scripts/debian/byhand-code-sign-user -- 2.7.4
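Review bot: the new OUT_TARBALL assignment embeds $ARCH as a path component under $TARGET, but nothing in this hunk shows $ARCH being set or validated first; if it is empty the output name degrades to `<hash>_.tar.xz` and the `[ -e "$OUT_TARBALL" ]` duplicate check right below no longer distinguishes architectures, and any value containing `/` or `..` would place the tarball outside the code-sign directory. Suggest guarding it immediately above the assignment, e.g. `case "$ARCH" in ''|*[!a-z0-9-]*) error "Invalid architecture: $ARCH" ;; esac`, and ideally cross-checking it against the `${arch}` component of the input tarball name described in the cover letter so the published signature tarball cannot be filed under the wrong architecture.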