pesign-obs-integration/README

Signing kernel modules and EFI binaries in the Open Build Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Packages that need to sign files during build should add the following lines
to the specfile

# needssslcertforbuild
export BRP_PESIGN_FILES='pattern...'
BuildRequires: pesign-obs-integration

The "# needssslcertforbuild" comment tells the buildservice to store the
signing certificate in %_sourcedir/_projectcert.crt. At the end of the
install phase, the brp-99-pesign script computes hashes of all
files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored
in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
pesign-repackage.spec file there. When the first rpmbuild finishes, the
buildservice sends the cpio archive to the signing server, which returns
a rsasigned.cpio archive with RSA signatures of the sha256 hashes.

The pesign-repackage.spec takes the original RPMs, unpacks them and
appends the signatures to the files. It then uses the
pesign-gen-repackage-spec script to generate another specfile, which
builds new RPMs with signed files. The supported file types are:

/lib/firmware/* - Detached signature in $file.sig
*.ko            - Signature appended to the module
efi binaries    - Signature embedded in a header. If a HMAC checksum named
                  .$file.hmac exists, it is regenerated
osc copypac from project:home:michal-m:modsign package:pesign-obs-integration revision:2 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=1 2013-02-05 10:41:47 +00:00			`Signing kernel modules and EFI binaries in the Open Build Service`
			`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

			`Packages that need to sign files during build should add the following lines`
			`to the specfile`

			`# needssslcertforbuild`
- switch to normal brp hook OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=3 2013-02-06 12:25:06 +00:00			`export BRP_PESIGN_FILES='pattern...'`
osc copypac from project:home:michal-m:modsign package:pesign-obs-integration revision:2 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=1 2013-02-05 10:41:47 +00:00			`BuildRequires: pesign-obs-integration`

			`The "# needssslcertforbuild" comment tells the buildservice to store the`
			`signing certificate in %_sourcedir/_projectcert.crt. At the end of the`
- switch to normal brp hook OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=3 2013-02-06 12:25:06 +00:00			`install phase, the brp-99-pesign script computes hashes of all`
			`files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored`
osc copypac from project:home:michal-m:modsign package:pesign-obs-integration revision:2 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=1 2013-02-05 10:41:47 +00:00			`in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a`
			`pesign-repackage.spec file there. When the first rpmbuild finishes, the`
			`buildservice sends the cpio archive to the signing server, which returns`
Accepting request 231426 from home:michal-m:branches:Base:System - Fix matching /boot and /lib/firmware in pesign-repackage.spec - Do not store the buildroot in the .*.hmac file. - Regenerate the HMAC checksum when signing and EFI binary with a checksum (fate#316930, bnc#856310). - Update README. - Add /usr/lib/rpm/pesign/gen-hmac tool to generate a hmac checksum for a given file (fate#316930, bnc#856310). OBS-URL: https://build.opensuse.org/request/show/231426 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=23 2014-04-27 07:52:13 +00:00			`a rsasigned.cpio archive with RSA signatures of the sha256 hashes.`
osc copypac from project:home:michal-m:modsign package:pesign-obs-integration revision:2 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=1 2013-02-05 10:41:47 +00:00
			`The pesign-repackage.spec takes the original RPMs, unpacks them and`
Accepting request 231426 from home:michal-m:branches:Base:System - Fix matching /boot and /lib/firmware in pesign-repackage.spec - Do not store the buildroot in the .*.hmac file. - Regenerate the HMAC checksum when signing and EFI binary with a checksum (fate#316930, bnc#856310). - Update README. - Add /usr/lib/rpm/pesign/gen-hmac tool to generate a hmac checksum for a given file (fate#316930, bnc#856310). OBS-URL: https://build.opensuse.org/request/show/231426 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=23 2014-04-27 07:52:13 +00:00			`appends the signatures to the files. It then uses the`
			`pesign-gen-repackage-spec script to generate another specfile, which`
			`builds new RPMs with signed files. The supported file types are:`

			`/lib/firmware/* - Detached signature in $file.sig`
			`*.ko - Signature appended to the module`
			`efi binaries - Signature embedded in a header. If a HMAC checksum named`
			`.$file.hmac exists, it is regenerated`
osc copypac from project:home:michal-m:modsign package:pesign-obs-integration revision:2 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=1 2013-02-05 10:41:47 +00:00