Launchpad itself

Merge lp:~apw/launchpad/signing-permissions into lp:launchpad

  1. signing-permissions
  2. Merge into devel
Proposed by Andy Whitcroft
Status: Merged
Merged at revision: 18065
Proposed branch: lp:~apw/launchpad/signing-permissions
Merge into: lp:launchpad
Diff against target: 40 lines (+8/-0)
2 files modified
lib/lp/archivepublisher/signing.py (+3/-0)
lib/lp/archivepublisher/tests/test_signing.py (+5/-0)
To merge this branch: bzr merge lp:~apw/launchpad/signing-permissions
Reviewer Review Type Date Requested Status
Colin Watson (community) Approve
Review via email: mp+295616@code.launchpad.net

Commit message

Fix the permissions of newly created Kmod signing x509 certificates.

Description of the change

Fix the permissions of newly created Kmod signing x509 certificates.

This is public information there is no need for them to be private. Make sure these are readable after creation.

To post a comment you must log in.
Revision history for this message
Colin Watson (cjwatson) wrote :

Could you add a test as well? I think you could reasonably just tack a stat check onto the end of test_create_kmod_keys_autokey_on, and that would also be a good place to check (more importantly) that kmod.pem isn't world-readable.

review: Needs Fixing
Revision history for this message
Andy Whitcroft (apw) wrote :

Yeah that makes a heap of sense. I have added tests to confirm the expected permissions on both the kmod.pem and kmod.x509. I have also added the same tests for the primary uefi.key and uefi.crt.

Revision history for this message
Colin Watson (cjwatson) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'lib/lp/archivepublisher/signing.py'
--- lib/lp/archivepublisher/signing.py 2016-05-23 10:18:21 +0000
+++ lib/lp/archivepublisher/signing.py 2016-05-24 21:36:36 +0000
@@ -267,6 +267,9 @@
267 finally:267 finally:
268 os.umask(old_mask)268 os.umask(old_mask)
269269
270 if os.path.exists(self.kmod_x509):
271 os.chmod(self.kmod_x509, 0o644)
272
270 def signKmod(self, image):273 def signKmod(self, image):
271 """Attempt to sign a kernel module."""274 """Attempt to sign a kernel module."""
272 remove_if_exists("%s.sig" % image)275 remove_if_exists("%s.sig" % image)
273276
=== modified file 'lib/lp/archivepublisher/tests/test_signing.py'
--- lib/lp/archivepublisher/tests/test_signing.py 2016-05-23 11:59:17 +0000
+++ lib/lp/archivepublisher/tests/test_signing.py 2016-05-24 21:36:36 +0000
@@ -6,6 +6,7 @@
6__metaclass__ = type6__metaclass__ = type
77
8import os8import os
9import stat
9import tarfile10import tarfile
1011
11from fixtures import MonkeyPatch12from fixtures import MonkeyPatch
@@ -571,6 +572,8 @@
571 self.assertEqual(1, upload.callLog.caller_count('UEFI keygen'))572 self.assertEqual(1, upload.callLog.caller_count('UEFI keygen'))
572 self.assertTrue(os.path.exists(self.key))573 self.assertTrue(os.path.exists(self.key))
573 self.assertTrue(os.path.exists(self.cert))574 self.assertTrue(os.path.exists(self.cert))
575 self.assertEqual(stat.S_IMODE(os.stat(self.key).st_mode), 0o600)
576 self.assertEqual(stat.S_IMODE(os.stat(self.cert).st_mode), 0o644)
574577
575 def test_create_kmod_keys_autokey_off(self):578 def test_create_kmod_keys_autokey_off(self):
576 # Keys are not created.579 # Keys are not created.
@@ -606,3 +609,5 @@
606 self.assertEqual(1, upload.callLog.caller_count('Kmod keygen cert'))609 self.assertEqual(1, upload.callLog.caller_count('Kmod keygen cert'))
607 self.assertTrue(os.path.exists(self.kmod_pem))610 self.assertTrue(os.path.exists(self.kmod_pem))
608 self.assertTrue(os.path.exists(self.kmod_x509))611 self.assertTrue(os.path.exists(self.kmod_x509))
612 self.assertEqual(stat.S_IMODE(os.stat(self.kmod_pem).st_mode), 0o600)
613 self.assertEqual(stat.S_IMODE(os.stat(self.kmod_x509).st_mode), 0o644)