[linux-signed] 03/05: Implement module signing

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Mon Apr 4 18:39:11 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux-signed.

commit 45562ad500111c73d93cc58b2f1bd87b0969a1e3
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Apr 3 23:36:35 2016 +0100

    Implement module signing
---
 debian/bin/sign.py                                 | 34 +++++++++++++++++-----
 .../certs/linux-modules-benh at debian.org.cert.pem   | 21 +++++++++++++
 2 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/debian/bin/sign.py b/debian/bin/sign.py
index a2d3878..d25f600 100755
--- a/debian/bin/sign.py
+++ b/debian/bin/sign.py
@@ -34,16 +34,34 @@ def get_package(name, version, arch):
 
     return unpack_dir
 
-def sign_module(module_name, signature_name, privkey_name, cert_name):
-    print('Should sign module %s with %s/%s and detach signature as %s' %
-          (module_name, privkey_name, cert_name, signature_name))
-
-def sign_modules(modules_dir, signature_dir, privkey_name, cert_name):
+def detach_sig(unsigned_name, signed_file, signature_name):
+    # Signatures are appended, so we detach by copying everything beyond
+    # the unsigned file size
+    unsigned_size = os.stat(unsigned_name).st_size
+    os.makedirs(os.path.dirname(signature_name), exist_ok=True)
+    with open(signature_name, 'wb') as signature:
+        signed_file.seek(unsigned_size)
+        signature.write(signed_file.read())
+
+def sign_module(kbuild_dir, module_name, signature_name, privkey_name,
+                cert_name):
+    with tempfile.NamedTemporaryFile() as signed_module:
+        if os.system('%s/scripts/sign-file sha256 %s %s %s %s' %
+                     (kbuild_dir, privkey_name, cert_name, module_name,
+                      signed_module.name)):
+            raise Exception('sign-file failed')
+        detach_sig(module_name, signed_module, signature_name)
+
+def sign_modules(kbuild_dir, modules_dir, signature_dir, privkey_name,
+                 cert_name):
+    print('I: Signing modules in %s' % modules_dir)
+    print('I: Storing detached signatures in %s' % signature_dir)
     for walk_dir, subdir_names, file_names in os.walk(modules_dir):
         rel_dir = os.path.relpath(walk_dir, modules_dir)
         for rel_name in file_names:
             if rel_name.endswith('.ko'):
-                sign_module(os.path.join(walk_dir, rel_name),
+                sign_module(kbuild_dir,
+                            os.path.join(walk_dir, rel_name),
                             os.path.join(signature_dir, rel_dir, rel_name) + '.sig',
                             privkey_name, cert_name)
 
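Review bot: The sign-file invocation in sign_module (lines 47-50) builds a shell command by `%`-interpolating the key, certificate, module and temp-file paths into a string for `os.system`, so any of those paths containing whitespace or shell metacharacters is split or interpreted by the shell instead of being passed as a single argument, and the value tested is a raw wait status rather than the tool's exit code. Running the tool without a shell fixes both: `subprocess.check_call([os.path.join(kbuild_dir, 'scripts', 'sign-file'), 'sha256', privkey_name, cert_name, module_name, signed_module.name])` replaces the whole `if os.system(...): raise Exception('sign-file failed')` block and raises `CalledProcessError` carrying the real exit status on failure. The import block is outside this hunk, so whether `subprocess` (and `tempfile`, used on line 46) is already imported cannot be seen here. In detach_sig, if the signed output is not larger than the unsigned input an empty `.sig` is written silently; a guard such as `if os.fstat(signed_file.fileno()).st_size <= unsigned_size: raise Exception('no signature appended to %s' % unsigned_name)` before the copy would make that failure visible.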
@@ -57,6 +75,7 @@ def sign(config_name, imageversion_str, modules_privkey_name, modules_cert_name,
     assert config['version',]['source'] == imageversion_str
     abiname = config['version',]['abiname']
     imageversion = VersionLinux(imageversion_str)
+    kbuild_dir = '/usr/src/linux-kbuild-%s' % imageversion.linux_version
 
     signature_dir = 'debian/signatures'
     if os.path.isdir(signature_dir):
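Review bot: kbuild_dir on line 71 is derived from the image version but never verified, so a missing or mismatched linux-kbuild tree only shows up later as the generic `'sign-file failed'` raised from sign_module, after the packages have already been unpacked. A check beside the assignment gives an actionable error up front: `if not os.path.isfile(os.path.join(kbuild_dir, 'scripts', 'sign-file')): raise Exception('sign-file not found under %s' % kbuild_dir)`. The sign() function starts before this hunk and continues past it.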
@@ -82,7 +101,8 @@ def sign(config_name, imageversion_str, modules_privkey_name, modules_cert_name,
 
                 signature_dir = os.path.join('debian/signatures', package_name)
                 os.makedirs(signature_dir)
-                sign_modules('%s/lib/modules/%s' % (package_dir, kernelversion),
+                sign_modules(kbuild_dir,
+                             '%s/lib/modules/%s' % (package_dir, kernelversion),
                              '%s/lib/modules/%s' % (signature_dir, kernelversion),
                              modules_privkey_name, modules_cert_name)
 
diff --git a/debian/certs/linux-modules-benh at debian.org.cert.pem b/debian/certs/linux-modules-benh at debian.org.cert.pem
new file mode 100644
index 0000000..8d49875
--- /dev/null
+++ b/debian/certs/linux-modules-benh at debian.org.cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYDCCAkgCCQCKAY3KgJMmMDANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJH
+QjESMBAGA1UEBwwJQ2FtYnJpZGdlMRcwFQYDVQQKDA5EZWJpYW4gUHJvamVjdDEW
+MBQGA1UEAwwNQmVuIEh1dGNoaW5nczEeMBwGCSqGSIb3DQEJARYPYmVuaEBkZWJp
+YW4ub3JnMB4XDTE2MDQwMzIyNTg1NVoXDTE2MDUwMzIyNTg1NVowcjELMAkGA1UE
+BhMCR0IxEjAQBgNVBAcMCUNhbWJyaWRnZTEXMBUGA1UECgwORGViaWFuIFByb2pl
+Y3QxFjAUBgNVBAMMDUJlbiBIdXRjaGluZ3MxHjAcBgkqhkiG9w0BCQEWD2JlbmhA
+ZGViaWFuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMPYUchZ
+x/VmCn4klnuqyym6gehD/sUnjqAbDdVtAVMYBHTxxpujW2GDtCsyiqyeDlSlbd6X
+piXAko7u2UaBfY5SpKcw1KDDrCgzQ3y9O0QCe0DzI/7YKvE3A7FPluJ1ZhIhHIIZ
+ce6oln0WfW/H5SY6BQWE3kzxXFUXXFPvTdLQtjOBxVWeOeMTZ5CAJqG/6uHIlJms
+RTJiiiHjrI3yAfLS1wcGutmu9q9YQF1ND+lbdIT4OeyIMVGe03dVrDxWjNUL+G5h
+nBRwFAwkb5qxpDNayvA8eIlNwWJE/uu+4crlL+PdM9i2TduoG5gRE39KPTrxrUyN
+QiDe+09lJF12wQECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAieMLuk4Ky2FmMnzF
+ryaJbbRXN163bXHPrDFd0NkvWQFa+3253QXxlLwEoS4v4OFbYb0tDxcn8qkpNLCb
+DLtNUcl99slPbmBUi/RFTy/aAWc6LB4XxjbFcIlY27/c/W5bbr6/XmlVtElRW3gZ
+y3JWFjgym+6lXywbr6RVKYioM3N+LlGf794Kf/pY9y7i8PqDM8WbhurGXwoaPxjv
+/XsVTpuMCkorUya2n7Ap9Hatlref/IccdxnIOxItH3Jvze0vfygL82Mee77KN5U/
+jsvtswp6P3K08sLjtFGiAhkjim67H+nJrrhhczXjtUnLZUQuHpkzOghyKFDMpn3R
+8lchpg==
+-----END CERTIFICATE-----
