--- /dev/null
+#!/usr/bin/python3
+
+# Copyright (C) 2017 Collabora Ltd
+# 2017 Helen Koike <helen.koike@collabora.com>
+#
+# Ported from bash to python3 by Julien Cristau <jcristau@debian.org>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+
+import argparse
+import configparser
+import os
+import subprocess
+import sys
+import tarfile
+import tempfile
+
+
+config = {}
+
+
+def sign(extract_dir, signed_dir):
+ for dirpath, dirnames, filenames in os.walk(extract_dir):
+ assert dirpath.startswith(extract_dir)
+ out_dir = signed_dir + dirpath[len(extract_dir):]
+ os.makedirs(out_dir)
+ for filename in filenames:
+ #print(os.path.join(dirpath, filename), file=sys.stderr)
+ if filename.endswith('.efi') or filename.startswith('vmlinuz-'):
+ sign_efi(os.path.join(dirpath, filename), os.path.join(out_dir, filename + '.sig'))
+ elif filename.endswith('.ko'):
+ sign_kmod(os.path.join(dirpath, filename), os.path.join(out_dir, filename + '.sig'))
+ else:
+ print("ignoring %s" % os.path.join(dirpath, filename), file=sys.stderr)
+
+
+def sign_kmod(module_path, signature_path):
+ assert 'linux_sign_file' in config
+ assert 'pkcs11_uri' in config
+ assert 'cert_path' in config
+ assert 'pin' in config
+
+ env = os.environ.copy()
+ env['KBUILD_SIGN_PIN'] = config['pin']
+ # use check_output instead of check_call as sign-file seems to send random
+ # stuff to stderr even when it succeeds
+ subprocess.check_output(
+ [config['linux_sign_file'], '-d', 'sha256', config['pkcs11_uri'],
+ config['cert_path'], module_path],
+ env=env, stderr=subprocess.STDOUT)
+ os.rename(module_path + '.p7s', signature_path)
+
+
+def sign_efi(efi_path, signature_path):
+ assert 'sign-efi' in config
+ assert 'certdir' in config
+ assert 'token' in config
+ assert 'certname' in config
+ assert 'pin' in config
+
+ env = os.environ.copy()
+ env['PESIGN_PIN'] = config['pin']
+ with open(signature_path, 'wb') as out:
+ subprocess.check_call(
+ [config['sign-efi'], config['certdir'], config['token'],
+ config['certname'], efi_path],
+ env=env, stdout=out)
+
+
+def extract(tar_file, extract_dir):
+ with tarfile.TarFile.open(fileobj=tar_file, mode="r:xz") as f:
+ f.extractall(extract_dir)
+
+
+def repack(signed_dir, fileobj):
+ def cleanup_tarinfo(tarinfo):
+ tarinfo.path = os.path.relpath('/' + tarinfo.path, signed_dir)
+ tarinfo.gid = 0
+ tarinfo.gname = 'root'
+ tarinfo.uid = 0
+ tarinfo.uname = 'root'
+ return tarinfo
+
+ with tarfile.TarFile.open(mode='w:xz', fileobj=fileobj) as f:
+ f.add(signed_dir, filter=cleanup_tarinfo)
+
+
+def main():
+ parser = argparse.ArgumentParser(
+ description='sign files in a tarball')
+ parser.add_argument('input_tar', metavar='input', type=argparse.FileType('rb'),
+ help='tarball containing files to be signed')
+ parser.add_argument('--config', '-c', type=str,
+ default='/etc/codesign.ini', help='configuration file')
+
+ args = parser.parse_args()
+
+ cp = configparser.RawConfigParser()
+ cp.read(args.config)
+
+ # path to the sign-file command from Linux
+ config['linux_sign_file'] = cp.get('commands', 'sign-kmod',
+ fallback='/usr/lib/linux-kbuild-4.9/scripts/sign-file')
+ # pkcs11 uri from `p11tool --list-token-urls`
+ config['pkcs11_uri'] = cp.get('efi', 'pkcs11_uri')
+ # path to the PEM or DER-format certificate
+ config['cert_path'] = cp.get('efi', 'cert_path')
+
+ # path to our pesign wrapper script
+ config['sign-efi'] = cp.get('commands', 'sign-efi', fallback='/usr/local/bin/pesign-wrap')
+ # path to the nss store
+ config['certdir'] = cp.get('efi', 'certdir', fallback='/srv/codesign/pki')
+ # name of the token in the nss store
+ config['token'] = cp.get('efi','token', fallback='PIV_II (PIV Card Holder pin)')
+ # name of the cert in the nss store
+ config['certname'] = cp.get('efi', 'cert', fallback='Certificate for Digital Signature')
+
+ config['pin'] = cp.get('efi', 'pin')
+
+ workdir = tempfile.TemporaryDirectory()
+ with workdir:
+ extract_dir = os.path.join(workdir.name, 'in')
+ signed_dir = os.path.join(workdir.name, 'out')
+ extract(args.input_tar, extract_dir)
+ sign(extract_dir, signed_dir)
+ repack(signed_dir, sys.stdout.buffer)
+
+
+if __name__ == '__main__':
+ sys.exit(main())
projects / mirror / dsa-puppet.git / blobdiff