Delete scripts for code signing
authorJulien Cristau <jcristau@debian.org>
Fri, 6 Apr 2018 19:08:13 +0000 (21:08 +0200)
committerJulien Cristau <jcristau@debian.org>
Fri, 6 Apr 2018 19:08:13 +0000 (21:08 +0200)
They'll live in ftpteam land after all:
https://salsa.debian.org/ftp-team/code-signing

modules/roles/files/signing/pesign-wrap [deleted file]
modules/roles/files/signing/secure-boot-code-sign.py [deleted file]
modules/roles/manifests/signing.pp

diff --git a/modules/roles/files/signing/pesign-wrap b/modules/roles/files/signing/pesign-wrap
deleted file mode 100755 (executable)
index a061896..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/expect -f
-
-if {[llength $argv] != 4} {
-    puts stderr "Usage: $argv0 certdir token cert filename"
-    exit 2
-}
-
-lassign $argv certdir token cert filename
-
-set pin $::env(PESIGN_PIN)
-
-file tempfile output efi.sig
-
-log_user 0
-spawn pesign --certdir "$certdir" -t "$token" -c "$cert" --sign -d sha256 -i "$filename" --export-signature "$output" --force
-expect {
-       "Enter Password *:" {
-               send "$pin\n"
-               exp_continue
-       }
-       "Enter passphrase *:" {
-               send "$pin\n"
-               exp_continue
-       }
-       timeout {close}
-}
-lassign [wait] wait_pid spawn_id exec_rc wait_code childkilled
-# couldn't exec pesign
-if {$exec_rc != 0} {
-       file delete $output
-       exit 1
-}
-# killed by signal (e.g. timeout)
-if {$childkilled == "CHILDKILLED"} {
-       file delete $output
-       exit 1
-}
-# all good?
-if {$wait_code == 0} {system cat $output}
-file delete $output
-exit $wait_code
diff --git a/modules/roles/files/signing/secure-boot-code-sign.py b/modules/roles/files/signing/secure-boot-code-sign.py
deleted file mode 100755 (executable)
index 04a3344..0000000
+++ /dev/null
@@ -1,138 +0,0 @@
-#!/usr/bin/python3
-
-# Copyright (C) 2017 Collabora Ltd
-# 2017 Helen Koike <helen.koike@collabora.com>
-#
-# Ported from bash to python3 by Julien Cristau <jcristau@debian.org>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-
-import argparse
-import configparser
-import os
-import subprocess
-import sys
-import tarfile
-import tempfile
-
-
-config = {}
-
-
-def sign(extract_dir, signed_dir):
-    for dirpath, dirnames, filenames in os.walk(extract_dir):
-        assert dirpath.startswith(extract_dir)
-        out_dir = signed_dir + dirpath[len(extract_dir):]
-        os.makedirs(out_dir)
-        for filename in filenames:
-            #print(os.path.join(dirpath, filename), file=sys.stderr)
-            if filename.endswith('.efi') or filename.startswith('vmlinuz-'):
-                sign_efi(os.path.join(dirpath, filename), os.path.join(out_dir, filename + '.sig'))
-            elif filename.endswith('.ko'):
-                sign_kmod(os.path.join(dirpath, filename), os.path.join(out_dir, filename + '.sig'))
-            else:
-                print("ignoring %s" % os.path.join(dirpath, filename), file=sys.stderr)
-
-
-def sign_kmod(module_path, signature_path):
-    assert 'linux_sign_file' in config
-    assert 'pkcs11_uri' in config
-    assert 'cert_path' in config
-    assert 'pin' in config
-
-    env = os.environ.copy()
-    env['KBUILD_SIGN_PIN'] = config['pin']
-    # use check_output instead of check_call as sign-file seems to send random
-    # stuff to stderr even when it succeeds
-    subprocess.check_output(
-       [config['linux_sign_file'], '-d', 'sha256', config['pkcs11_uri'],
-        config['cert_path'], module_path],
-       env=env, stderr=subprocess.STDOUT)
-    os.rename(module_path + '.p7s', signature_path)
-
-
-def sign_efi(efi_path, signature_path):
-    assert 'sign-efi' in config
-    assert 'certdir' in config
-    assert 'token' in config
-    assert 'certname' in config
-    assert 'pin' in config
-
-    env = os.environ.copy()
-    env['PESIGN_PIN'] = config['pin']
-    with open(signature_path, 'wb') as out:
-        subprocess.check_call(
-           [config['sign-efi'], config['certdir'], config['token'],
-            config['certname'], efi_path],
-           env=env, stdout=out)
-
-
-def extract(tar_file, extract_dir):
-    with tarfile.TarFile.open(fileobj=tar_file, mode="r:xz") as f:
-        f.extractall(extract_dir)
-
-
-def repack(signed_dir, fileobj):
-    def cleanup_tarinfo(tarinfo):
-        tarinfo.path = os.path.relpath('/' + tarinfo.path, signed_dir)
-        tarinfo.gid = 0
-        tarinfo.gname = 'root'
-        tarinfo.uid = 0
-        tarinfo.uname = 'root'
-        return tarinfo
-
-    with tarfile.TarFile.open(mode='w:xz', fileobj=fileobj) as f:
-        f.add(signed_dir, filter=cleanup_tarinfo)
-
-
-def main():
-    parser = argparse.ArgumentParser(
-            description='sign files in a tarball')
-    parser.add_argument('input_tar', metavar='input', type=argparse.FileType('rb'),
-            help='tarball containing files to be signed')
-    parser.add_argument('--config', '-c', type=str,
-            default='/etc/codesign.ini', help='configuration file')
-
-    args = parser.parse_args()
-
-    cp = configparser.RawConfigParser()
-    cp.read(args.config)
-
-    # path to the sign-file command from Linux
-    config['linux_sign_file'] = cp.get('commands', 'sign-kmod',
-            fallback='/usr/lib/linux-kbuild-4.9/scripts/sign-file')
-    # pkcs11 uri from `p11tool --list-token-urls`
-    config['pkcs11_uri'] = cp.get('efi', 'pkcs11_uri')
-    # path to the PEM or DER-format certificate
-    config['cert_path'] = cp.get('efi', 'cert_path')
-
-    # path to our pesign wrapper script
-    config['sign-efi'] = cp.get('commands', 'sign-efi', fallback='/usr/local/bin/pesign-wrap')
-    # path to the nss store
-    config['certdir'] = cp.get('efi', 'certdir', fallback='/srv/codesign/pki')
-    # name of the token in the nss store
-    config['token'] = cp.get('efi','token', fallback='PIV_II (PIV Card Holder pin)')
-    # name of the cert in the nss store
-    config['certname'] = cp.get('efi', 'cert', fallback='Certificate for Digital Signature')
-
-    config['pin'] = cp.get('efi', 'pin')
-
-    workdir = tempfile.TemporaryDirectory()
-    with workdir:
-        extract_dir = os.path.join(workdir.name, 'in')
-        signed_dir = os.path.join(workdir.name, 'out')
-        extract(args.input_tar, extract_dir)
-        sign(extract_dir, signed_dir)
-        repack(signed_dir, sys.stdout.buffer)
-
-
-if __name__ == '__main__':
-    sys.exit(main())
index a959ae3..6ced6eb 100644 (file)
@@ -5,16 +5,10 @@ class roles::signing {
        package { 'libengine-pkcs11-openssl': ensure => installed, }
 
        file { '/usr/local/bin/pesign-wrap':
-               owner => 'root',
-               group => 'root',
-               mode => '0555',
-               source => 'puppet:///modules/roles/signing/pesign-wrap',
+               ensure => absent,
        }
 
        file { '/usr/local/bin/secure-boot-code-sign':
-               owner => 'root',
-               group => 'root',
-               mode => '0555',
-               source => 'puppet:///modules/roles/signing/secure-boot-code-sign.py',
+               ensure => absent,
        }
 }