forked from pool/pesign-obs-integration
Michael Schröder
c581df2ee9
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=3
28 lines
1.3 KiB
Plaintext
28 lines
1.3 KiB
Plaintext
Signing kernel modules and EFI binaries in the Open Build Service
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Note: Not everything that is described here is actually implemented. Even
|
|
those parts that are implemented can change slightly.
|
|
|
|
Packages that need to sign files during build should add the following lines
|
|
to the specfile
|
|
|
|
# needssslcertforbuild
|
|
export BRP_PESIGN_FILES='pattern...'
|
|
BuildRequires: pesign-obs-integration
|
|
|
|
The "# needssslcertforbuild" comment tells the buildservice to store the
|
|
signing certificate in %_sourcedir/_projectcert.crt. At the end of the
|
|
install phase, the brp-99-pesign script computes hashes of all
|
|
files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored
|
|
in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
|
|
pesign-repackage.spec file there. When the first rpmbuild finishes, the
|
|
buildservice sends the cpio archive to the signing server, which returns
|
|
a rsasigned.cio archive with RSA signatures of the sha256 hashes.
|
|
|
|
The pesign-repackage.spec takes the original RPMs, unpacks them and
|
|
appends the signatures to the files (TODO: only implemented for firmware
|
|
files). It then uses the pesign-gen-repackage-spec script to generate
|
|
another specfile, which builds new RPMs with signed files.
|
|
|