pool/pesign-obs-integration
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
pesign-obs-integration/_service:tar_scm:README
Gary Ching-Pang Lin b86ef55a2e Accepting request 613226 from home:bluca:debian_secure_boot 
Add _service file with tar_scm and dsc. The tar_scm is necessary, as for Debian builds it's necessary to have a tarball with the content.
RPM build is unchanged.

OBS-URL: https://build.opensuse.org/request/show/613226
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=57
2018-05-31 08:50:32 +00:00

39 lines
1.7 KiB
Plaintext
Raw Blame History

Signing kernel modules and EFI binaries in the Open Build Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RPM packages that need to sign files during build should add the following lines
to the specfile
# needssslcertforbuild
export BRP_PESIGN_FILES='pattern...'
BuildRequires: pesign-obs-integration
Debian packages need to add the following line to the Source stanza in the
debian/control file, which will add "Obs: needssslcertforbuild" to the generated
.dsc file:
XS-Obs: needssslcertforbuild
The "# needssslcertforbuild" comment tells the buildservice to store the
signing certificate in %_sourcedir/_projectcert.crt. At the end of the
install phase, the brp-99-pesign script computes hashes of all
files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored
in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
pesign-repackage.spec file there. When the first rpmbuild finishes, the
buildservice sends the cpio archive to the signing server, which returns
a rsasigned.cpio archive with RSA signatures of the sha256 hashes.
The pesign-repackage.spec takes the original RPMs, unpacks them and
appends the signatures to the files. It then uses the
pesign-gen-repackage-spec script to generate another specfile, which
builds new RPMs with signed files. The supported file types are:
*.ko - Signature appended to the module
efi binaries - Signature embedded in a header. If a HMAC checksum named
.$file.hmac exists, it is regenerated
Debian packages can use the dh-signobs debhelper to automate signing and
repacking. Build-depend on dh-signobs and add --with signobs to the dh line
in debian/rules to use the fully automated helper.
Consult the dh_signobs manpage for more information.
Reference in New Issue View Git Blame Copy Permalink