No description, website, or topics provided.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
debian
COPYING
README
brp-99-compress-vmlinux
brp-99-pesign
dh_signobs
dh_signobs.1
gen-hmac
kernel-sign-file
modsign-repackage
pesign-gen-repackage-spec
pesign-obs-integration.changes
pesign-obs-integration.spec
pesign-repackage.spec.in
signobs.pm

README

Signing kernel modules and EFI binaries in the Open Build Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RPM packages that need to sign files during build should add the following lines
to the specfile

# needssslcertforbuild
export BRP_PESIGN_FILES='pattern...'
BuildRequires: pesign-obs-integration

Debian packages need to add the following line to the Source stanza in the
debian/control file, which will add "Obs: needssslcertforbuild" to the generated
.dsc file:

XS-Obs: needssslcertforbuild

The "# needssslcertforbuild" comment tells the buildservice to store the
signing certificate in %_sourcedir/_projectcert.crt. At the end of the
install phase, the brp-99-pesign script computes hashes of all
files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored
in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a
pesign-repackage.spec file there. When the first rpmbuild finishes, the
buildservice sends the cpio archive to the signing server, which returns
a rsasigned.cpio archive with RSA signatures of the sha256 hashes.

The pesign-repackage.spec takes the original RPMs, unpacks them and
appends the signatures to the files. It then uses the
pesign-gen-repackage-spec script to generate another specfile, which
builds new RPMs with signed files. The supported file types are:

*.ko            - Signature appended to the module
efi binaries    - Signature embedded in a header. If a HMAC checksum named
                  .$file.hmac exists, it is regenerated

Debian packages can use the dh-signobs debhelper to automate signing and
repacking. Build-depend on dh-signobs and add --with signobs to the dh line
in debian/rules to use the fully automated helper.
Consult the dh_signobs manpage for more information.