[debhelper-devel] [RFC PATCH 3/3] Include sample script named ima-signhashes.sh
Mimi Zohar
zohar at linux.vnet.ibm.com
Tue Aug 12 14:17:16 UTC 2014
This script extracts the sha256sums file from the .deb package,
appends the file signatures to it using the ima-evm-utils package, and
re-inserts the signed sha256sums file into the package.
---
examples/ima-signhashes.sh | 79 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100755 examples/ima-signhashes.sh
diff --git a/examples/ima-signhashes.sh b/examples/ima-signhashes.sh
new file mode 100755
index 0000000..4137467
--- /dev/null
+++ b/examples/ima-signhashes.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# ima-signhashes.sh - replace the sha256sums file in the .deb package with
+# a version containing the file signatures. The file signatures provide
+# file authenticity and provenance. As part of the package install process,
+# the file signatures are stored as extended attributes associated with
+# the file. IMA-appraisal, if enabled, will appraise file integrity based
+# on these file signatures.
+#
+# Mimi Zohar <zohar at linux.vnet.ibm.com>
+
+# format: <debian package pathname> <private key pathname>
+
+set -e
+DEBPACKAGE="${1}"
+PRIVKEY="$2"
+tmpdir="${DEBPACKAGE}.tmp"
+
+if [ $# -ne 2 ]; then
+ echo "$0: <debian package pathname> <private key pathname>"
+ exit -1
+fi
+
+if [ ! -f "${DEBPACKAGE}" ]; then
+ echo ".deb package not found: ${DEBPACKAGE}"
+ exit -1
+fi
+
+if [ ! -f "${PRIVKEY}" ]; then
+ echo "Private key not found: ${PRIVKEY}"
+ exit -1
+fi
+
+# extract files from the .deb archive into a temporary directory
+if [ -d "${tmpdir}" ]; then
+ rm -rf "${tmpdir}"
+ if [ $? -ne 0 ]; then
+ echo "Deleting directory failed: ${tmpdir}"
+ exit -1
+ fi
+fi
+mkdir -p "${tmpdir/DEBIAN}"
+if [ $? -ne 0 ]; then
+ echo "Creating directory failed: ${tmpdir}/DEBIAN"
+ exit -1
+fi
+
+cd $tmpdir
+ar -x "../$DEBPACKAGE"
+#ls -lat
+
+# untar the control file in the DEBIAN subdirectory
+if [ ! -f ./control.tar.gz ]; then
+ echo ".deb package missing 'control.tar.gz' file"
+ exit -1
+fi
+mkdir -p DEBIAN
+cd DEBIAN
+tar -xvzf ../control.tar.gz
+if [ ! -f ./sha256sums ]; then
+ echo "'control.tar.gz' missing sha256 file"
+ ls -lat
+ exit -1
+fi
+cat sha256sums
+
+# Replace sha256sums with one containing file signatures
+cat ./sha256sums | evmctl sign_hash -a sha256 --key "${PRIVKEY}" > sha256sums.sig
+if [ $? == 0 ]; then
+ cp ./sha256sums.sig ./sha256sums
+ rm ./sha256sums.sig
+fi
+
+# create the control tar containing the new sha256sums with the signatures
+tar -cvzf ../control.tar.gz ./*
+
+# replace the existing compressed tar file in the .deb package
+cd ..
+ar -r "../$DEBPACKAGE" control.tar.gz
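Review bot: `mkdir -p "${tmpdir/DEBIAN}"` on the line after the `rm -rf` block is a pattern substitution (it strips the first "DEBIAN" from the path) rather than the `${tmpdir}/DEBIAN` directory the following error message names; it should read `mkdir -p "${tmpdir}/DEBIAN"`, and `cd $tmpdir` a few lines later needs quoting to match the rest of the script. With `set -e` in force, every `if [ $? -ne 0 ]` check is unreachable, and a failing `evmctl sign_hash` aborts the script with a partial `sha256sums.sig` left in the temp directory instead of reaching the `if [ $? == 0 ]` guard — if the intent is to keep the unsigned file on failure, that guard should wrap the pipeline directly (`if cat ./sha256sums | evmctl ... > sha256sums.sig; then`) and otherwise the script should fail loudly rather than repack an unsigned sha256sums. `ar -x "../$DEBPACKAGE"` only works when the package is given as a relative path in the current directory; resolving it first (`DEBPACKAGE=$(readlink -f -- "$1")` and `ar -x "$DEBPACKAGE"` / `ar -r "$DEBPACKAGE" control.tar.gz`) removes that assumption. The work directory `${DEBPACKAGE}.tmp` is a predictable name that is `rm -rf`'d and never cleaned up on exit; `tmpdir=$(mktemp -d)` with `trap 'rm -rf -- "$tmpdir"' EXIT` would avoid both the predictable path and the leftover extracted control data.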
--
1.8.1.4