author | Steve McIntyre <steve@einval.com> | 2022-06-29 20:28:41 +0100 |
---|---|---|
committer | Steve McIntyre <steve@einval.com> | 2022-06-29 20:34:20 +0100 |
commit | f07063fefbfd9f2d6a2c01baf8b9b6cb1f87e088 (patch) | |
tree | 88d80295d8eb259e75a1e1b82290c2f9d7404016 | |
parent | c82fa48e60370a21ce1383207e01e898f04438d9 (diff) | |
Add shim-sign and run-shim-sign scripts
Now we can sign things!
-rwxr-xr-x | run-shim-sign | 31 | ||||
-rwxr-xr-x | shim-sign | 108 |
2 files changed, 139 insertions, 0 deletions
diff --git a/run-shim-sign b/run-shim-sign
new file mode 100755
index 0000000..07de579
--- /dev/null
+++ b/run-shim-sign
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Sign specified shim build. Separate script so we can background it
+# and leave it running
+
+GIT_DIR=/home/shim/build/shim.git
+ARTIFACTS=/home/shim/artifacts
+LOGDIR="$ARTIFACTS/sign-logs"
+BASE=/home/shim/shim-cron
+STATEDIR=${BASE}/statedir
+SIGN_MACHINE=jack.einval.org
+
+SIGNFILE=$1
+
+echo "Spawning signature for $SIGNFILE"
+
+# Rename the queued file so we know it's running
+RUNNINGFILE=${SIGNFILE%%.queued}.running
+mv $SIGNFILE $RUNNINGFILE
+
+# Do build here!
+. $RUNNINGFILE
+for ARCH in ${ARCHES/,/ }; do
+ LOGFILE="${LOGDIR}/${MACHINE}-$HASH-$ARCH-$DIST.log"
+ echo "Sign script running!" > "${LOGFILE}"
+ ssh -l "$SSH_USER" "$SIGN_MACHINE" shim-sign -A "$ARTIFACTS" -h "$HASH" -a "$ARCH" -d "$DIST" >> ${LOGFILE} 2>&1
+ OUT_DIR="$ARTIFACTS/sign/$HASH/$ARCH-$DIST"
+done
+
+# Now rename again so we know we're finished
+DONEFILE=${SIGNFILE%%.queued}.done
+mv $RUNNINGFILE $DONEFILE
diff --git a/shim-sign b/shim-sign
new file mode 100755
index 0000000..f021185
--- /dev/null
+++ b/shim-sign
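Review bot: The `for ARCH in ${ARCHES/,/ }` loop replaces only the first comma, so a queued file listing three or more architectures leaves the later ones joined (e.g. `arm64,i386`) and hands that to shim-sign as a single bogus `-a` value; `${ARCHES//,/ }` replaces them all. The exit status of the `ssh ... shim-sign` call is never checked, so the state file is renamed to `.done` even when signing failed; capturing it with `rv=$?` after the ssh and renaming to a `.failed` marker on non-zero would make failures visible to whatever drives the queue. `. $RUNNINGFILE` executes the queued file as shell rather than parsing it, so anyone who can write into the queue directory controls this script; that trust boundary deserves a comment such as `# NOTE: the queued file is sourced as shell code, so the queue dir must be writable only by the shim user`. `$SIGNFILE` and `$RUNNINGFILE` are unquoted in both `mv` calls, and `OUT_DIR` is assigned but never used.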
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+set -x
+
+# Do all the steps needed to sign the contents of a shim package for a
+# given hash, distribution and architecture.
+
+GIT_DIR=shim@jack.einval.org:build/shim.git
+ARTIFACTS=shim@jack.einval.org:artifacts
+HOSTNAME=$(hostname --fqdn)
+KEYS="snakeoil"
+
+usage () {
+ cat <<EOF
+$0 <options> - sign a shim build
+
+options:
+
+ -A ARTIFACTS - the directory holding the .deb(s) to sign
+ -a ARCH1[,ARCH2,...] - build is for the specified architecture(s)
+ -d DIST1[,DIST2,...] - build is for the specified Debian distribution(s)
+ -h HASH - the git hash of the build
+
+EOF
+}
+
+check_error () {
+ if [ $1 -ne 0 ]; then
+ echo "$0 $ARTSIN $HASH $DIST $ARCH failed with error $1: $2"
+ exit 1
+ fi
+}
+
+while getopts ":A:a:d:h:r:" o; do
+ case "${o}" in
+ A)
+ ARTSIN=${OPTARG}
+ ;;
+ a)
+ ARCHES=${OPTARG}
+ ;;
+ d)
+ DISTS=${OPTARG}
+ ;;
+ h)
+ HASH=${OPTARG}
+ ;;
+ *)
+ echo "Unknown option ${o}"
+ usage
+ exit 1
+ ;;
+ esac
+done
+shift $((OPTIND-1))
+
+[ "$ARTSIN"x != ""x ] || check_error 1 "Need to specify the input dir"
+[ "$HASH"x != ""x ] || check_error 1 "Need to specify hash"
+[ "$DISTS"x != ""x ] || check_error 1 "Need to specify distribution(s)"
+[ "$ARCHES"x != ""x ] || check_error 1 "Need to specify architecture(S)"
+
+cleanup () {
+ if [ "$SIGNTMPS"x != ""x ]; then
+ echo "Cleaning up build dir(s) $SIGNTMPS"
+ rm -rf "$SIGNTMPS"
+ fi
+}
+trap "cleanup" EXIT
+
+for ARCH in $(echo "$ARCHES" | tr ',' ' '); do
+ for DIST in $(echo "$DISTS" | tr ',' ' '); do
+
+ echo "Signing $ARTSIN for $ARCH, $DIST, $HASH"
+
+ DEBS=$(find $ARTSIN/ -name 'shim-unsigned*'_$ARCH'.deb')
+ NUM_DEBS=$(echo $DEBS | wc -l)
+ if [ $NUM_DEBS -gt 1 ]; then
+ check_error 2 "Found too many debs for signing in $ARTSIN: $NUM_DEBS $DEBS"
+ elif [ $NUM_DEBS = 0 ]; then
+ check_error 2 "Found no debs for signing in $ARTSIN"
+ fi
+
+ # Sign in a temporary dir in /dev/shm for performance and easier cleanup
+ SIGNTMP=$(mktemp -d -p /dev/shm sign-shim-$ARCH-$DIST-$HASH-XXXXXXXXXX)
+ check_error $? "mktemp failed"
+ SIGNTMPS="$SIGNTMPS $SIGNTMP"
+
+ dpkg -x $DEBS $SIGNTMP/extract
+
+ for KEY in $KEYS; do
+ KEYDIR=~/sign/$KEY
+ for file in $SIGNTMP/extract/usr/lib/shim/*.efi; do
+ sbsign --key $KEYDIR/*.key.nopass --cert $KEYDIR/*.pem --output $file.signed-$KEY $file
+ check_error $? "signature failed for $file using key \"$KEY\""
+ done
+
+ ls -al $SIGNTMP/extract/usr/lib/shim
+
+ mkdir -p "$SIGNTMP/$HASH/$ARCH-$DIST"
+ mv -v "$SIGNTMP/extract/usr/lib/shim/"*signed* "$SIGNTMP/$HASH/$ARCH-$DIST"
+ done
+
+ echo "Copy artifacts to $ARTIFACTS/sign/$HASH/ :"
+ rsync -av --exclude shim.git "$SIGNTMP/$HASH/" "$ARTIFACTS/sign/$HASH/"
+ done
+done
+
+exit 0
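Review bot: `NUM_DEBS=$(echo $DEBS | wc -l)` is always 1: the unquoted `$DEBS` is word-split and echoed on one line when find returns several packages, and echo still emits a newline when it returns none, so both the `-gt 1` and the `= 0` branches are unreachable and `dpkg -x $DEBS $SIGNTMP/extract` runs with an empty or multi-package argument; `NUM_DEBS=$(printf '%s\n' "$DEBS" | grep -c .)` counts the actual matches and gives 0 for the empty case. In `cleanup`, `rm -rf "$SIGNTMPS"` passes the space-joined list as one path, so once a second tmpdir is appended nothing is removed; `rm -rf -- $SIGNTMPS # word-splitting intended: one dir per element` matches how SIGNTMPS is built. The `r:` in the getopts string has no case arm, so `-r` only ever reaches the "Unknown option" branch. Because the script signs whatever `shim-unsigned*_$ARCH.deb` it finds under ARTSIN, logging `sha256sum "$DEBS"` after the find and the checksums of each `.signed-$KEY` output would give an audit trail tying every signature back to a specific input build, which the `set -x` trace alone does not provide.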