Message #23706
Re: [Merge] lp:~apw/launchpad/signing-sipl into lp:launchpad
Hopefully that is all of the nits addressed.
Diff comments:
> === modified file 'lib/lp/archivepublisher/signing.py'
> --- lib/lp/archivepublisher/signing.py 2018-08-03 16:10:41 +0000
> +++ lib/lp/archivepublisher/signing.py 2019-06-03 14:49:08 +0000
> @@ -260,37 +266,35 @@
> authorityKeyIdentifier=keyid
> """)
>
> - openssl_config_kmod = openssl_config_opal + textwrap.dedent("""
> + openssl_config_opal = "# OPAL openssl config" + openssl_config_base
The newline thing had irked me too; changed as you suggest. As the openssl is on all of the same lines I have switched that up at the same time.
> +
> + openssl_config_kmod = "# KMOD openssl config" + openssl_config_base + \
> + textwrap.dedent("""
> # codeSigning: specifies that this key is used to sign code.
> # 1.3.6.1.4.1.2312.16.1.2: defines this key as used for
> # module signing only. See https://lkml.org/lkml/2015/8/26/741.
> extendedKeyUsage = codeSigning,1.3.6.1.4.1.2312.16.1.2
> """)
>
> - def generateOpensslConfig(self, key_type, common_name):
> - if key_type == 'Kmod':
> - genkey_tmpl = self.openssl_config_kmod
> - elif key_type == 'Opal':
> - genkey_tmpl = self.openssl_config_opal
> - else:
> - raise ValueError("unknown key_type " + key_type)
> + openssl_config_sipl = "# SIPL openssl config" + openssl_config_base
> +
> + def generateOpensslConfig(self, key_type, genkey_tmpl):
> + # Truncate name to 64 character maximum.
> + common_name = self.generateKeyCommonName(
> + self.archive.owner.name, self.archive.name, key_type)
>
> return genkey_tmpl.format(common_name=common_name)
>
> - def generatePemX509Pair(self, key_type, pem_filename, x509_filename):
> + def generatePemX509Pair(self, key_type, genkey_text, pem_filename,
> + x509_filename):
> """Generate new pem/x509 key pairs."""
> directory = os.path.dirname(pem_filename)
> if not os.path.exists(directory):
> os.makedirs(directory)
>
> - # Truncate name to 64 character maximum.
> - common_name = self.generateKeyCommonName(
> - self.archive.owner.name, self.archive.name, key_type)
> -
> old_mask = os.umask(0o077)
> try:
> with tempfile.NamedTemporaryFile(suffix='.keygen') as tf:
> - genkey_text = self.generateOpensslConfig(key_type, common_name)
> print(genkey_text, file=tf)
>
> # Close out the underlying file so we know it is complete.
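Review bot: `generateOpensslConfig` now accepts any `genkey_tmpl` alongside `key_type` and no longer rejects an unknown type, so nothing in the new code ties the template to the key being generated. A caller that pairs the wrong template with a key type would get a certificate whose `extendedKeyUsage` does not match its purpose, and the removed `ValueError` branch was the only guard against that. I would at least add a docstring stating the contract, e.g. `"""Render genkey_tmpl for this archive; the caller must pass the openssl_config_* template that matches key_type."""`, or keep a type-to-template lookup so the pairing is made in one place. Separately, in the context lines of `generatePemX509Pair` the key directory is created by `os.makedirs(directory)` before `os.umask(0o077)` takes effect, so a newly created directory gets the process default mode. The rest of that function is outside the hunk, so this should be checked against the full body.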
> @@ -346,6 +352,22 @@
> cmdl = ["kmodsign", "-D", "sha512", pem, cert, image, image + ".sig"]
> return self.callLog("Opal signing", cmdl)
>
> + def generateSiplKeys(self):
> + """Generate new Sipl Signing Keys for this archive."""
> + config = self.generateOpensslConfig("Sipl", self.openssl_config_sipl)
Changed in all the textual forms to SIPL.
> + self.generatePemX509Pair("Sipl", config, self.sipl_pem, self.sipl_x509)
> +
> + def signSipl(self, image):
> + """Attempt to sign a kernel image for Sipl."""
> + remove_if_exists("%s.sig" % image)
> + (pem, cert) = self.getKeys('Sipl Kernel', self.generateSiplKeys,
> + self.sipl_pem, self.sipl_x509)
> + if not pem or not cert:
> + return
> + self.publishPublicKey(cert)
> + cmdl = ["kmodsign", "-D", "sha512", pem, cert, image, image + ".sig"]
No changes needed for kmodsign, it is exactly the same algorithm. Apparently they talked to each other.
> + return self.callLog("Sipl signing", cmdl)
> +
> def convertToTarball(self):
> """Convert unpacked output to signing tarball."""
> tarfilename = os.path.join(self.tmpdir, "signed.tar.gz")
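Review bot: `signSipl` returns `None` without signing when `getKeys` yields no `pem` or `cert`, and otherwise returns whatever `callLog` returns, but the docstring does not tell callers how to distinguish a skipped image from a signed or failed one. An unsigned image can pass through this path quietly (whether `getKeys` logs the condition is not visible here), so I would spell it out, e.g. `"""Attempt to sign a kernel image for Sipl; returns None without signing if no key pair is available."""`. The `kmodsign` argument list is also identical to the Opal one in the context lines above, so a shared helper taking the key type would keep the digest and arguments from drifting between the two signers.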
--
https://code.launchpad.net/~apw/launchpad/signing-sipl/+merge/368275