8 echo "Usage: $0 filename version arch changes_file suite"
12 IN_TARBALL="$1" # Tarball to read, compressed with xz
15 CHANGES="$4" # Changes file for the upload
23 export OPENSSL_CONF=/dev/null
25 # Read dak configuration for security or main archive.
26 # Also determine subdirectory for the suite.
28 /srv/security-master.debian.org/*)
29 configdir="/srv/security-master.debian.org/dak/config/debian-security"
30 suitedir="$SUITE/updates"
32 /srv/ftp-master.debian.org/*)
33 configdir="/srv/ftp-master.debian.org/dak/config/debian"
37 error "$0: Can't tell if security or not"
42 # Read and trivially validate our configuration
43 . "$configdir/byhand-code-sign.conf"
44 for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \
45 LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do
46 test -v $var || error "$var is not defined in configuration"
47 test -n "${!var}" || error "$var is empty in configuration"
50 TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
51 OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
52 OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
54 # Check that this source/arch/version hasn't already been signed
55 if [ -e "$OUT_TARBALL" ]; then
56 error "Signature tarball already exists: $OUT_TARBALL"
59 # If we fail somewhere, cleanup the temporary directories
64 for dir in "$IN_DIR" "$OUT_DIR" "$CERT_DIR"; do
65 test -z "$dir" || rm -rf "$dir"
70 # Extract the data into the input directory
71 IN_DIR="$(mktemp -td byhand-code-sign-in.XXXXXX)"
72 tar xaf "$IN_TARBALL" --directory="$IN_DIR"
74 case "$EFI_BINARY_PRIVKEY" in
76 # Translate from OpenSSL PKCS#11 enigne syntax to pesign parameters
77 # See: https://sources.debian.net/src/engine-pkcs11/0.2.2-1/src/engine_pkcs11.c
81 for kv in ${EFI_BINARY_PRIVKEY#pkcs11:}; do
84 pkcs11_token="${kv#*=}"
87 pkcs11_object="${kv#*=}"
90 pkcs11_pin_value="${kv#*=}"
97 PESIGN_PARAMS=(-t "$pkcs11_token" -c "$pkcs11_object")
100 # Create certificate store for pesign
101 CERT_DIR="$(mktemp -td byhand-code-sign-cert.XXXXXX)"
102 chmod 700 "$CERT_DIR"
103 mkdir "$CERT_DIR/store"
104 certutil -N --empty-password -d "$CERT_DIR/store"
105 openssl pkcs12 -export \
106 -inkey "$EFI_BINARY_PRIVKEY" -in "$EFI_BINARY_CERT" \
107 -out "$CERT_DIR/efi-image.p12" -passout pass: \
109 pk12util -i "$CERT_DIR/efi-image.p12" -d "$CERT_DIR/store" -K '' -W ''
110 PESIGN_PARAMS=(-n "$CERT_DIR/store" -c efi-image)
114 # Create hierarchy of detached signatures in parallel to the uploaded files
115 OUT_DIR="$(mktemp -td byhand-code-sign-out.XXXXXX)"
116 while read filename; do
117 mkdir -p "$OUT_DIR/${filename%/*}"
118 case "${filename##*/}" in
120 pesign -i "$IN_DIR/$filename" \
121 --export-signature "$OUT_DIR/$filename.sig" --sign \
122 -d sha256 "${PESIGN_PARAMS[@]}"
125 "$LINUX_SIGNFILE" -d sha256 "$LINUX_MODULE_PRIVKEY" \
126 "$LINUX_MODULE_CERT" "$IN_DIR/$filename"
127 mv "$IN_DIR/$filename.p7s" "$OUT_DIR/$filename.sig"
130 echo >&2 "W: Not signing unrecognised file: $filename"
134 if [ ${#filename} -gt 60 ]; then
135 filename_trunc="...${filename:$((${#filename} - 57)):57}"
137 filename_trunc="$filename"
139 printf 'I: Signed %-60s\r' "$filename_trunc"
140 done < <(find "$IN_DIR" -type f -printf '%P\n')
142 # Clear last progress message
145 # Build tarball of signatures
146 chmod -R a+rX "$OUT_DIR"
148 tar caf "$OUT_TARBALL" --directory="$OUT_DIR" .
149 echo "I: Created $OUT_TARBALL"