Expand archive signing to kernel modules
Bug #1577736 reported by Andy Whitcroft
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Andy Whitcroft |
Bug Description
We are going to need to sign kernel modules which are built separately from the kernel itself. For this we need a Launchpad-level mechanism to sign those modules.
We intend to leverage the existing EFI signing custom uploads, generifying that as a signing upload and then adding a new Kernel Module signing phase to that.
Related branches
lp:~apw/launchpad/uefi-auto-key
- Colin Watson (community): Approve
- Andy Whitcroft (community): Abstain
Diff: 443 lines (+221/-50), 4 files modified
lib/lp/archivepublisher/config.py (+3/-0)
lib/lp/archivepublisher/tests/test_config.py (+5/-0)
lib/lp/archivepublisher/tests/test_uefi.py (+141/-27)
lib/lp/archivepublisher/uefi.py (+72/-23)
lp:~apw/launchpad/generify-uefi-signing
- Colin Watson (community): Approve
Diff: 853 lines (+244/-105), 15 files modified
lib/lp/archivepublisher/config.py (+12/-7)
lib/lp/archivepublisher/signing.py (+44/-25)
lib/lp/archivepublisher/tests/test_config.py (+42/-12)
lib/lp/archivepublisher/tests/test_ftparchive.py (+6/-2)
lib/lp/archivepublisher/tests/test_signing.py (+71/-26)
lib/lp/archiveuploader/nascentuploadfile.py (+8/-6)
lib/lp/archiveuploader/tests/test_nascentuploadfile.py (+7/-1)
lib/lp/archiveuploader/tests/test_uploadpolicy.py (+22/-1)
lib/lp/soyuz/browser/queue.py (+2/-2)
lib/lp/soyuz/configure.zcml (+1/-0)
lib/lp/soyuz/enums.py (+3/-3)
lib/lp/soyuz/interfaces/queue.py (+5/-2)
lib/lp/soyuz/model/queue.py (+8/-6)
lib/lp/soyuz/scripts/custom_uploads_copier.py (+6/-5)
lib/lp/soyuz/scripts/tests/test_custom_uploads_copier.py (+7/-7)
lp:~apw/launchpad/signing-add-kernel-module-signing
- Colin Watson (community): Approve
Diff: 907 lines (+554/-118), 2 files modified
lib/lp/archivepublisher/signing.py (+182/-60)
lib/lp/archivepublisher/tests/test_signing.py (+372/-58)
lp:~apw/launchpad/signing-permissions
- Colin Watson (community): Approve
Diff: 40 lines (+8/-0), 2 files modified
lib/lp/archivepublisher/signing.py (+3/-0)
lib/lp/archivepublisher/tests/test_signing.py (+5/-0)
lp:~apw/launchpad/signing-record-public-keys-when-used
- Colin Watson (community): Approve
Diff: 163 lines (+42/-13), 2 files modified
lib/lp/archivepublisher/signing.py (+29/-3)
lib/lp/archivepublisher/tests/test_signing.py (+13/-10)
lp:~apw/launchpad/signing-add-sha256-checksums
- Colin Watson (community): Approve
Diff: 354 lines (+215/-2), 5 files modified
lib/lp/archivepublisher/publishing.py (+61/-0)
lib/lp/archivepublisher/signing.py (+8/-0)
lib/lp/archivepublisher/tests/test_publisher.py (+106/-1)
lib/lp/archivepublisher/tests/test_signing.py (+30/-0)
lib/lp/archivepublisher/utils.py (+10/-1)
lp:~apw/launchpad/signing-gpg-sign-checksum-files
- Colin Watson (community): Approve
Diff: 528 lines (+285/-52), 7 files modified
lib/lp/archivepublisher/archivesigningkey.py (+46/-16)
lib/lp/archivepublisher/interfaces/archivesigningkey.py (+9/-0)
lib/lp/archivepublisher/publishing.py (+9/-7)
lib/lp/archivepublisher/signing.py (+15/-5)
lib/lp/archivepublisher/tests/test_archivesigningkey.py (+80/-0)
lib/lp/archivepublisher/tests/test_publisher.py (+100/-24)
lib/lp/archivepublisher/tests/test_signing.py (+26/-0)
lp:~apw/launchpad/signing-reinstate-raw-uefi-custom-upload
- Colin Watson (community): Approve
Diff: 415 lines (+165/-46), 9 files modified
lib/lp/archivepublisher/configure.zcml (+7/-0)
lib/lp/archivepublisher/signing.py (+22/-2)
lib/lp/archivepublisher/tests/test_signing.py (+66/-32)
lib/lp/archiveuploader/nascentuploadfile.py (+8/-3)
lib/lp/soyuz/browser/queue.py (+1/-0)
lib/lp/soyuz/enums.py (+7/-1)
lib/lp/soyuz/model/queue.py (+5/-2)
lib/lp/soyuz/scripts/custom_uploads_copier.py (+7/-2)
lib/lp/soyuz/scripts/tests/test_custom_uploads_copier.py (+42/-4)
lp:~apw/launchpad/signing-checksum-fix-cross-device-links
- Colin Watson (community): Approve
Diff: 54 lines (+11/-1), 2 files modified
lib/lp/archivepublisher/signing.py (+2/-1)
lib/lp/archivepublisher/tests/test_signing.py (+9/-0)
tags: added: feature lp-soyuz soyuz-publish
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
tags: added: qa-ok; removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → In Progress
Changed in launchpad:
status: Fix Committed → Fix Released
Phase 1: move the existing EFI signing to validating the EFI signing keys on first use. For PPAs, generate the keys on first use if they are missing.