]> git.decadent.org.uk Git - dak.git/commit
projects / dak.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2f03955) | patch
Add byhand script to perform code signing
authorBen Hutchings <ben@decadent.org.uk>
Mon, 27 Jun 2016 21:34:36 +0000 (23:34 +0200)
committerBen Hutchings <ben@decadent.org.uk>
Thu, 30 Jun 2016 19:39:56 +0000 (21:39 +0200)
commit9cc55bf99db30be35f70e19058e4fe5dbdb17ede
treedc873bfab608f530291ddbbe8a30b541b65d97d6tree | snapshot
parent2f03955b56fa89c67a9d45af6543b82adb4b1f41commit | diff
Add byhand script to perform code signing

It takes a tarball of code objects and generates a tarball of
corresponding detached PKCS#7 signatures (with '.sig' suffixes).

It will sign:
- EFI binaries (*.efi, vmlinuz-*) using pesign
- Linux kernel modules (*.ko) using sign-file from linux-kbuild-<version>

Currently it should work with private key files and certificates.  It
may be able to sign kernel modules with a key on a PKCS#11 device.
It definitely can't sign EFI binaries using a PKCS#11 device yet.
scripts/debian/byhand-code-sign [new file with mode: 0755] blob
dak changes to support and test code signing