[debhelper-devel] [RFC PATCH 3/3] Include sample script named ima-signhashes.sh

Mimi Zohar zohar at linux.vnet.ibm.com
Tue Aug 12 14:17:16 UTC 2014


This script extracts the sha256sum file from the deb package,
appends the file signatures using the ima-evm-utils package, and
inserts the sha256sum file with signatures in the package.
---
 examples/ima-signhashes.sh | 79 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100755 examples/ima-signhashes.sh

diff --git a/examples/ima-signhashes.sh b/examples/ima-signhashes.sh
new file mode 100755
index 0000000..4137467
--- /dev/null
+++ b/examples/ima-signhashes.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# ima-signhashes.sh - replace the sha256sums file in the .deb package with
+# a version containing the file signatures.  The file signatures provide 
+# file authenticity and provenance.  As part of the package install process,
+# the file signatures are stored as extended attributes associated with
+# the file. IMA-appraisal, if enabled, will appraise file integrity based 
+# on these file signatures.
+# 
+# Mimi Zohar <zohar at linux.vnet.ibm.com>
+
+# format: <debian package pathname> <private key pathname>
+
+set -e
+DEBPACKAGE="${1}"
+PRIVKEY="$2"
+tmpdir="${DEBPACKAGE}.tmp"
+
+if [ $# -ne 2 ]; then
+	echo "$0: <debian package pathname> <private key pathname>"
+	exit -1
+fi
+
+if [ ! -f "${DEBPACKAGE}" ]; then
+	echo ".deb package not found: ${DEBPACKAGE}" 
+	exit -1
+fi
+
+if [ ! -f "${PRIVKEY}" ]; then
+	echo "Private key not found: ${PRIVKEY}" 
+	exit -1
+fi
+
+# extract files from the .deb archive into a temporary directory
+if [ -d "${tmpdir}" ]; then
+	rm -rf "${tmpdir}"
+	if [ $? -ne 0 ]; then
+		echo "Deleting directory failed: ${tmpdir}"
+		exit -1 
+	fi
+fi
+mkdir -p "${tmpdir/DEBIAN}"
+if [ $? -ne 0 ]; then
+	echo "Creating directory failed: ${tmpdir}/DEBIAN"
+	exit -1
+fi
+
+cd $tmpdir 
+ar -x "../$DEBPACKAGE"
+#ls -lat 
+
+# untar the control file in the DEBIAN subdirectory
+if [ ! -f ./control.tar.gz ]; then
+	echo ".deb package missing 'control.tar.gz' file"
+	exit -1
+fi
+mkdir -p DEBIAN
+cd DEBIAN
+tar -xvzf ../control.tar.gz
+if [ ! -f ./sha256sums ]; then
+	echo "'control.tar.gz' missing sha256 file"
+	ls -lat 
+	exit -1
+fi
+cat sha256sums
+
+# Replace sha256sums with one containing file signatures
+cat ./sha256sums | evmctl sign_hash -a sha256 --key "${PRIVKEY}" > sha256sums.sig
+if [ $? == 0 ]; then
+	cp ./sha256sums.sig ./sha256sums
+	rm ./sha256sums.sig
+fi
+
+# create the control tar containing the new sha256sums with the signatures
+tar -cvzf ../control.tar.gz ./*
+
+# replace the existing compressed tar file in the  .deb package
+cd ..
+ar -r "../$DEBPACKAGE" control.tar.gz
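Review bot: `mkdir -p "${tmpdir/DEBIAN}"` is a pattern substitution (it strips the first `DEBIAN` from `$tmpdir`), not the `${tmpdir}/DEBIAN` path the following error message names; it only appears to work because the later `mkdir -p DEBIAN` creates the subdirectory. The path handling after `cd $tmpdir` also holds only for a bare filename in the current directory: `ar -x "../$DEBPACKAGE"` and `ar -r "../$DEBPACKAGE"` break once `$1` has a directory component or is absolute, and `--key "${PRIVKEY}"` is evaluated two directories below where a relative `$2` passed the `-f` check. Resolving both arguments to absolute paths once, right after the existence checks and before any `cd`, fixes all of these and drops the `../` prefixes, as sketched below. Separately, under `set -e` the `if [ $? == 0 ]` after the evmctl pipeline can never observe a failure, since the script has already exited at the pipeline, leaving the temp tree (which is never removed even on success) with a possibly empty `sha256sums.sig`; `exit -1` is also not a valid status and is reported as 255.
```shell
# … unchanged: usage check and -f checks on "${DEBPACKAGE}" and "${PRIVKEY}" …

# resolve both arguments once, before any cd, so a relative path or a
# name with a directory component keeps working inside the temp tree
DEBPACKAGE=$(readlink -f -- "${DEBPACKAGE}")
PRIVKEY=$(readlink -f -- "${PRIVKEY}")
tmpdir="${DEBPACKAGE}.tmp"

# … unchanged: rm -rf of a stale "${tmpdir}" …
mkdir -p "${tmpdir}/DEBIAN"
# … unchanged: mkdir status check …

cd "${tmpdir}"
ar -x "${DEBPACKAGE}"
# … unchanged: control.tar.gz extraction and evmctl signing …
ar -r "${DEBPACKAGE}" control.tar.gz
```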
-- 
1.8.1.4



