Launchpad itself

Merge lp:~apw/launchpad/signing-opal into lp:launchpad

signing-opal
Merge into devel

Proposed by Andy Whitcroft on 2017-07-26

Status:	Merged
Merged at revision:	18445
Proposed branch:	lp:~apw/launchpad/signing-opal
Merge into:	lp:launchpad
Diff against target:	649 lines (+316/-75) 2 files modified lib/lp/archivepublisher/signing.py (+39/-13) lib/lp/archivepublisher/tests/test_signing.py (+277/-62)
To merge this branch:	bzr merge lp:~apw/launchpad/signing-opal
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Colin Watson (community)		2017-07-26	Approve on 2017-08-02
Review via email: mp+328108@code.launchpad.net

Commit message

Add signing support for vmlinux for use on ppc64el Opal (and compatible) firmware.

Description of the change

Add signing support for vmlinux for use on ppc64el Opal (and compatible) firmware.

Revision history for this message

Andy Whitcroft (apw) wrote on 2017-08-01:

Reworked the signing validation to be more comprehensive. Cleaned up some lint. Added an additional noted missing test for checksums in tarball mode.

Revision history for this message

Colin Watson (cjwatson) wrote on 2017-08-02:

This generally seems OK; just some nits in the tests.

review: Approve

Revision history for this message

Andy Whitcroft (apw) wrote on 2017-08-02:

Nits applied as indicated. Fixed the errant match in the latest test. Should be good to go.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andy Whitcroft

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Harpianto,ANDI

James Troup

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

 === modified file 'lib/lp/archivepublisher/signing.py'
 --- lib/lp/archivepublisher/signing.py	2016-08-10 09:19:16 +0000
 +++ lib/lp/archivepublisher/signing.py	2017-08-02 19:21:26 +0000
@@ -94,12 +94,16 @@
              self.uefi_cert = None
              self.kmod_pem = None
              self.kmod_x509 = None
++            self.opal_pem = None
++            self.opal_x509 = None
              self.autokey = False
          else:
              self.uefi_key = os.path.join(pubconf.signingroot, "uefi.key")
              self.uefi_cert = os.path.join(pubconf.signingroot, "uefi.crt")
              self.kmod_pem = os.path.join(pubconf.signingroot, "kmod.pem")
              self.kmod_x509 = os.path.join(pubconf.signingroot, "kmod.x509")
++            self.opal_pem = os.path.join(pubconf.signingroot, "opal.pem")
++            self.opal_x509 = os.path.join(pubconf.signingroot, "opal.x509")
              self.autokey = pubconf.signingautokey
          self.setComponents(tarfile_path)
@@ -171,6 +175,8 @@
                      yield (os.path.join(dirpath, filename), self.signUefi)
                  elif filename.endswith(".ko"):
                      yield (os.path.join(dirpath, filename), self.signKmod)
++                elif filename.endswith(".opal"):
++                    yield (os.path.join(dirpath, filename), self.signOpal)
      def getKeys(self, which, generate, *keynames):
          """Validate and return the uefi key and cert for encryption."""
@@ -237,15 +243,15 @@
          cmdl = ["sbsign", "--key", key, "--cert", cert, image]
          return self.callLog("UEFI signing", cmdl)
--    def generateKmodKeys(self):
--        """Generate new Kernel Signing Keys for this archive."""
--        directory = os.path.dirname(self.kmod_pem)
++    def generatePemX509Pair(self, key_type, pem_filename, x509_filename):
++        """Generate new pem/x509 key pairs."""
++        directory = os.path.dirname(pem_filename)
          if not os.path.exists(directory):
              os.makedirs(directory)
          # Truncate name to 64 character maximum.
          common_name = self.generateKeyCommonName(
--            self.archive.owner.name, self.archive.name, "kmod")
++            self.archive.owner.name, self.archive.name, key_type)
          old_mask = os.umask(0o077)
          try:
@@ -276,21 +282,26 @@
                  new_key_cmd = [
                      'openssl', 'req', '-new', '-nodes', '-utf8', '-sha512',
                      '-days', '3650', '-batch', '-x509', '-config', tf.name,
--                    '-outform', 'PEM', '-out', self.kmod_pem,
--                    '-keyout', self.kmod_pem
++                    '-outform', 'PEM', '-out', pem_filename,
++                    '-keyout', pem_filename
+                     ]
--                if self.callLog("Kmod keygen key", new_key_cmd) == 0:
++                if self.callLog(key_type + " keygen key", new_key_cmd) == 0:
                      new_x509_cmd = [
--                        'openssl', 'x509', '-in', self.kmod_pem,
--                        '-outform', 'DER', '-out', self.kmod_x509
++                        'openssl', 'x509', '-in', pem_filename,
++                        '-outform', 'DER', '-out', x509_filename
+                         ]
--                    if self.callLog("Kmod keygen cert", new_x509_cmd) != 0:
--                        os.unlink(self.kmod_pem)
++                    if self.callLog(key_type + " keygen cert",
++                                    new_x509_cmd) != 0:
++                        os.unlink(pem_filename)
          finally:
              os.umask(old_mask)
--        if os.path.exists(self.kmod_x509):
--            os.chmod(self.kmod_x509, 0o644)
++        if os.path.exists(x509_filename):
++            os.chmod(x509_filename, 0o644)
++
++    def generateKmodKeys(self):
++        """Generate new Kernel Signing Keys for this archive."""
++        self.generatePemX509Pair("Kmod", self.kmod_pem, self.kmod_x509)
      def signKmod(self, image):
          """Attempt to sign a kernel module."""
@@ -303,6 +314,21 @@
          cmdl = ["kmodsign", "-D", "sha512", pem, cert, image, image + ".sig"]
          return self.callLog("Kmod signing", cmdl)
++    def generateOpalKeys(self):
++        """Generate new Opal Signing Keys for this archive."""
++        self.generatePemX509Pair("Opal", self.opal_pem, self.opal_x509)
++
++    def signOpal(self, image):
++        """Attempt to sign a kernel image for Opal."""
++        remove_if_exists("%s.sig" % image)
++        (pem, cert) = self.getKeys('Opal Kernel', self.generateOpalKeys,
++            self.opal_pem, self.opal_x509)
++        if not pem or not cert:
++            return
++        self.publishPublicKey(cert)
++        cmdl = ["kmodsign", "-D", "sha512", pem, cert, image, image + ".sig"]
++        return self.callLog("Opal signing", cmdl)
++
      def convertToTarball(self):
          """Convert unpacked output to signing tarball."""
          tarfilename = os.path.join(self.tmpdir, "signed.tar.gz")
 === modified file 'lib/lp/archivepublisher/tests/test_signing.py'
 --- lib/lp/archivepublisher/tests/test_signing.py	2017-07-24 10:06:38 +0000
 +++ lib/lp/archivepublisher/tests/test_signing.py	2017-08-02 19:21:26 +0000
@@ -11,6 +11,13 @@
  from fixtures import MonkeyPatch
  from testtools.deferredruntest import AsynchronousDeferredRunTest
++from testtools.matchers import (
++    Contains,
++    Matcher,
++    MatchesAll,
++    Mismatch,
++    Not,
++    )
  from twisted.internet import defer
  from zope.component import getUtility
@@ -37,6 +44,30 @@
  from lp.testing.layers import ZopelessDatabaseLayer
++class SignedMatches(Matcher):
++    """Matches if a signing result directory is valid."""
++
++    def __init__(self, expected):
++        self.expected = expected
++
++    def match(self, base):
++        content = []
++        for root, dirs, files in os.walk(base):
++            content.extend(
++                [os.path.relpath(os.path.join(root, f), base) for f in files])
++
++        left_over = sorted(set(content) - set(self.expected))
++        missing = sorted(set(self.expected) - set(content))
++        if left_over != [] or missing != []:
++            mismatch = ''
++            if left_over:
++                mismatch += " unexpected files: " + str(left_over)
++            if missing:
++                mismatch += " missing files: " + str(missing)
++            return Mismatch("SignedMatches:" + mismatch)
++        return None
++
++
  class FakeMethodCallLog(FakeMethod):
      """Fake execution general commands."""
      def __init__(self, upload=None, *args, **kwargs):
@@ -44,10 +75,13 @@
          self.upload = upload
          self.callers = {
              "UEFI signing": 0,
++            "UEFI keygen": 0,
              "Kmod signing": 0,
--            "UEFI keygen": 0,
              "Kmod keygen key": 0,
              "Kmod keygen cert": 0,
++            "Opal signing": 0,
++            "Opal keygen key": 0,
++            "Opal keygen cert": 0,
+             }
      def __call__(self, *args, **kwargs):
@@ -61,6 +95,10 @@
              if filename.endswith(".efi"):
                  write_file(filename + ".signed", "")
++        elif description == "UEFI keygen":
++            write_file(self.upload.uefi_key, "")
++            write_file(self.upload.uefi_cert, "")
++
          elif description == "Kmod signing":
              filename = cmdl[-1]
              if filename.endswith(".ko.sig"):
@@ -72,9 +110,16 @@
          elif description == "Kmod keygen key":
              write_file(self.upload.kmod_pem, "")
--        elif description == "UEFI keygen":
--            write_file(self.upload.uefi_key, "")
--            write_file(self.upload.uefi_cert, "")
++        elif description == "Opal signing":
++            filename = cmdl[-1]
++            if filename.endswith(".opal.sig"):
++                write_file(filename, "")
++
++        elif description == "Opal keygen cert":
++            write_file(self.upload.opal_x509, "")
++
++        elif description == "Opal keygen key":
++            write_file(self.upload.opal_pem, "")
          else:
              raise AssertionError("unknown command executed cmd=(%s)" %
@@ -85,6 +130,9 @@
      def caller_count(self, caller):
          return self.callers.get(caller, 0)
++    def caller_list(self):
++        return [(caller, n) for (caller, n) in self.callers.items() if n != 0]
++
  class TestSigningHelpers(TestCaseWithFactory):
@@ -147,6 +195,13 @@
              write_file(self.kmod_pem, "")
              write_file(self.kmod_x509, "")
++    def setUpOpalKeys(self, create=True):
++        self.opal_pem = os.path.join(self.signing_dir, "opal.pem")
++        self.opal_x509 = os.path.join(self.signing_dir, "opal.x509")
++        if create:
++            write_file(self.opal_pem, "")
++            write_file(self.opal_x509, "")
++
      def openArchive(self, loader_type, version, arch):
          self.path = os.path.join(
              self.temp_dir, "%s_%s_%s.tar.gz" % (loader_type, version, arch))
@@ -182,6 +237,7 @@
          upload = SigningUpload()
          upload.signUefi = FakeMethod()
          upload.signKmod = FakeMethod()
++        upload.signOpal = FakeMethod()
          # Under no circumstances is it safe to execute actual commands.
          fake_call = FakeMethod(result=0)
          self.useFixture(MonkeyPatch("subprocess.call", fake_call))
@@ -201,12 +257,9 @@
          self.openArchive("test", "1.0", "amd64")
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
          upload = self.process_emulate()
--        self.assertEqual(0, upload.callLog.caller_count('UEFI keygen'))
--        self.assertEqual(0, upload.callLog.caller_count('Kmod keygen key'))
--        self.assertEqual(0, upload.callLog.caller_count('Kmod keygen cert'))
--        self.assertEqual(0, upload.callLog.caller_count('UEFI signing'))
--        self.assertEqual(0, upload.callLog.caller_count('Kmod signing'))
++        self.assertContentEqual([], upload.callLog.caller_list())
      def test_archive_primary_no_keys(self):
          # If the configured key/cert are missing, processing succeeds but
@@ -214,12 +267,9 @@
          self.openArchive("test", "1.0", "amd64")
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
          upload = self.process_emulate()
--        self.assertEqual(0, upload.callLog.caller_count('UEFI keygen'))
--        self.assertEqual(0, upload.callLog.caller_count('Kmod keygen key'))
--        self.assertEqual(0, upload.callLog.caller_count('Kmod keygen cert'))
--        self.assertEqual(0, upload.callLog.caller_count('UEFI signing'))
--        self.assertEqual(0, upload.callLog.caller_count('Kmod signing'))
++        self.assertContentEqual([], upload.callLog.caller_list())
      def test_archive_primary_keys(self):
          # If the configured key/cert are missing, processing succeeds but
@@ -229,12 +279,13 @@
          self.openArchive("test", "1.0", "amd64")
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
          upload = self.process_emulate()
--        self.assertEqual(0, upload.callLog.caller_count('UEFI keygen'))
--        self.assertEqual(0, upload.callLog.caller_count('Kmod keygen key'))
--        self.assertEqual(0, upload.callLog.caller_count('Kmod keygen cert'))
--        self.assertEqual(1, upload.callLog.caller_count('UEFI signing'))
--        self.assertEqual(1, upload.callLog.caller_count('Kmod signing'))
++        expected_callers = [
++            ('UEFI signing', 1),
++            ('Kmod signing', 1),
++        ]
++        self.assertContentEqual(expected_callers, upload.callLog.caller_list())
      def test_PPA_creates_keys(self):
          # If the configured key/cert are missing, processing succeeds but
@@ -243,12 +294,19 @@
          self.openArchive("test", "1.0", "amd64")
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
          upload = self.process_emulate()
--        self.assertEqual(1, upload.callLog.caller_count('UEFI keygen'))
--        self.assertEqual(1, upload.callLog.caller_count('Kmod keygen key'))
--        self.assertEqual(1, upload.callLog.caller_count('Kmod keygen cert'))
--        self.assertEqual(1, upload.callLog.caller_count('UEFI signing'))
--        self.assertEqual(1, upload.callLog.caller_count('Kmod signing'))
++        expected_callers = [
++            ('UEFI keygen', 1),
++            ('Kmod keygen key', 1),
++            ('Kmod keygen cert', 1),
++            ('Opal keygen key', 1),
++            ('Opal keygen cert', 1),
++            ('UEFI signing', 1),
++            ('Kmod signing', 1),
++            ('Opal signing', 1),
++        ]
++        self.assertContentEqual(expected_callers, upload.callLog.caller_list())
      def test_common_name_plain(self):
          upload = SigningUpload()
@@ -319,42 +377,45 @@
          # Specifying no options should leave us with an open tree.
          self.setUpUefiKeys()
          self.setUpKmodKeys()
++        self.setUpOpalKeys()
          self.openArchive("test", "1.0", "amd64")
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
          self.process_emulate()
--        self.assertTrue(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.efi")))
--        self.assertTrue(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.efi.signed")))
--        self.assertTrue(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.ko")))
--        self.assertTrue(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.ko.sig")))
++        self.assertThat(self.getSignedPath("test", "amd64"), SignedMatches([
++            "1.0/SHA256SUMS",
++            "1.0/empty.efi", "1.0/empty.efi.signed", "1.0/control/uefi.crt",
++            "1.0/empty.ko", "1.0/empty.ko.sig", "1.0/control/kmod.x509",
++            "1.0/empty.opal", "1.0/empty.opal.sig", "1.0/control/opal.x509",
++            ]))
      def test_options_tarball(self):
          # Specifying the "tarball" option should create an tarball in
          # the tmpdir.
          self.setUpUefiKeys()
          self.setUpKmodKeys()
++        self.setUpOpalKeys()
          self.openArchive("test", "1.0", "amd64")
          self.tarfile.add_file("1.0/control/options", "tarball")
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
          self.process_emulate()
--        self.assertFalse(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.efi")))
--        self.assertFalse(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.ko")))
++        self.assertThat(self.getSignedPath("test", "amd64"), SignedMatches([
++            "1.0/SHA256SUMS",
++            "1.0/signed.tar.gz",
++            ]))
          tarfilename = os.path.join(self.getSignedPath("test", "amd64"),
              "1.0", "signed.tar.gz")
--        self.assertTrue(os.path.exists(tarfilename))
          with tarfile.open(tarfilename) as tarball:
              self.assertContentEqual([
--                '1.0', '1.0/control', '1.0/control/kmod.x509',
--                '1.0/control/uefi.crt', '1.0/empty.efi',
--                '1.0/empty.efi.signed', '1.0/empty.ko', '1.0/empty.ko.sig',
--                '1.0/control/options',
++                '1.0', '1.0/control', '1.0/control/options',
++                '1.0/empty.efi', '1.0/empty.efi.signed',
++                '1.0/control/uefi.crt',
++                '1.0/empty.ko', '1.0/empty.ko.sig', '1.0/control/kmod.x509',
++                '1.0/empty.opal', '1.0/empty.opal.sig',
++                '1.0/control/opal.x509',
                  ], tarball.getnames())
      def test_options_signed_only(self):
@@ -362,19 +423,19 @@
          # the source files leaving signatures only.
          self.setUpUefiKeys()
          self.setUpKmodKeys()
++        self.setUpOpalKeys()
          self.openArchive("test", "1.0", "amd64")
          self.tarfile.add_file("1.0/control/options", "signed-only")
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
          self.process_emulate()
--        self.assertFalse(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.efi")))
--        self.assertTrue(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.efi.signed")))
--        self.assertFalse(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.ko")))
--        self.assertTrue(os.path.exists(os.path.join(
--            self.getSignedPath("test", "amd64"), "1.0", "empty.ko.sig")))
++        self.assertThat(self.getSignedPath("test", "amd64"), SignedMatches([
++            "1.0/SHA256SUMS", "1.0/control/options",
++            "1.0/empty.efi.signed", "1.0/control/uefi.crt",
++            "1.0/empty.ko.sig", "1.0/control/kmod.x509",
++            "1.0/empty.opal.sig", "1.0/control/opal.x509",
++            ]))
      def test_options_tarball_signed_only(self):
          # Specifying the "tarball" option should create an tarball in
@@ -382,20 +443,26 @@
          # original files.
          self.setUpUefiKeys()
          self.setUpKmodKeys()
++        self.setUpOpalKeys()
          self.openArchive("test", "1.0", "amd64")
          self.tarfile.add_file("1.0/control/options",
              "tarball\nsigned-only")
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
          self.process_emulate()
++        self.assertThat(self.getSignedPath("test", "amd64"), SignedMatches([
++            "1.0/SHA256SUMS",
++            "1.0/signed.tar.gz",
++            ]))
          tarfilename = os.path.join(self.getSignedPath("test", "amd64"),
              "1.0", "signed.tar.gz")
--        self.assertTrue(os.path.exists(tarfilename))
          with tarfile.open(tarfilename) as tarball:
              self.assertContentEqual([
--                '1.0', '1.0/control', '1.0/control/kmod.x509',
--                '1.0/control/uefi.crt', '1.0/empty.efi.signed',
--                '1.0/empty.ko.sig', '1.0/control/options',
++                '1.0', '1.0/control', '1.0/control/options',
++                '1.0/empty.efi.signed', '1.0/control/uefi.crt',
++                '1.0/empty.ko.sig', '1.0/control/kmod.x509',
++                '1.0/empty.opal.sig', '1.0/control/opal.x509',
                  ], tarball.getnames())
      def test_no_signed_files(self):
@@ -512,7 +579,7 @@
          upload.generateKmodKeys = FakeMethod()
          upload.setTargetDirectory(
              self.archive, "test_1.0_amd64.tar.gz", "distroseries")
--        upload.signUefi('t.ko')
++        upload.signKmod('t.ko')
          self.assertEqual(0, fake_call.call_count)
          self.assertEqual(0, upload.generateKmodKeys.call_count)
@@ -547,6 +614,72 @@
+             ]
          self.assertEqual(expected_cmd, args)
++    def test_correct_opal_signing_command_executed(self):
++        # Check that calling signOpal() will generate the expected command
++        # when appropriate keys are present.
++        self.setUpOpalKeys()
++        fake_call = FakeMethod(result=0)
++        self.useFixture(MonkeyPatch("subprocess.call", fake_call))
++        upload = SigningUpload()
++        upload.generateOpalKeys = FakeMethod()
++        upload.setTargetDirectory(
++            self.archive, "test_1.0_amd64.tar.gz", "distroseries")
++        upload.signOpal('t.opal')
++        self.assertEqual(1, fake_call.call_count)
++        # Assert command form.
++        args = fake_call.calls[0][0][0]
++        expected_cmd = [
++            'kmodsign', '-D', 'sha512', self.opal_pem, self.opal_x509,
++            't.opal', 't.opal.sig'
++            ]
++        self.assertEqual(expected_cmd, args)
++        self.assertEqual(0, upload.generateOpalKeys.call_count)
++
++    def test_correct_opal_signing_command_executed_no_keys(self):
++        # Check that calling signOpal() will generate no commands when
++        # no keys are present.
++        self.setUpOpalKeys(create=False)
++        fake_call = FakeMethod(result=0)
++        self.useFixture(MonkeyPatch("subprocess.call", fake_call))
++        upload = SigningUpload()
++        upload.generateOpalKeys = FakeMethod()
++        upload.setTargetDirectory(
++            self.archive, "test_1.0_amd64.tar.gz", "distroseries")
++        upload.signOpal('t.opal')
++        self.assertEqual(0, fake_call.call_count)
++        self.assertEqual(0, upload.generateOpalKeys.call_count)
++
++    def test_correct_opal_keygen_command_executed(self):
++        # Check that calling generateOpalKeys() will generate the
++        # expected command.
++        self.setUpPPA()
++        self.setUpOpalKeys(create=False)
++        fake_call = FakeMethod(result=0)
++        self.useFixture(MonkeyPatch("subprocess.call", fake_call))
++        upload = SigningUpload()
++        upload.setTargetDirectory(
++            self.archive, "test_1.0_amd64.tar.gz", "distroseries")
++        upload.generateOpalKeys()
++        self.assertEqual(2, fake_call.call_count)
++        # Assert the actual command matches.
++        args = fake_call.calls[0][0][0]
++        # Sanitise the keygen tmp file.
++        if args[11].endswith('.keygen'):
++            args[11] = 'XXX.keygen'
++        expected_cmd = [
++            'openssl', 'req', '-new', '-nodes', '-utf8', '-sha512',
++            '-days', '3650', '-batch', '-x509',
++            '-config', 'XXX.keygen', '-outform', 'PEM',
++            '-out', self.opal_pem, '-keyout', self.opal_pem
++            ]
++        self.assertEqual(expected_cmd, args)
++        args = fake_call.calls[1][0][0]
++        expected_cmd = [
++            'openssl', 'x509', '-in', self.opal_pem, '-outform', 'DER',
++            '-out', self.opal_x509
++            ]
++        self.assertEqual(expected_cmd, args)
++
      def test_signs_uefi_image(self):
          # Each image in the tarball is signed.
          self.setUpUefiKeys()
@@ -563,6 +696,14 @@
          upload = self.process()
          self.assertEqual(1, upload.signKmod.call_count)
++    def test_signs_opal_image(self):
++        # Each image in the tarball is signed.
++        self.setUpOpalKeys()
++        self.openArchive("test", "1.0", "amd64")
++        self.tarfile.add_file("1.0/empty.opal", "")
++        upload = self.process()
++        self.assertEqual(1, upload.signOpal.call_count)
++
      def test_signs_combo_image(self):
          # Each image in the tarball is signed.
          self.setUpKmodKeys()
@@ -570,9 +711,13 @@
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
          self.tarfile.add_file("1.0/empty2.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
++        self.tarfile.add_file("1.0/empty2.opal", "")
++        self.tarfile.add_file("1.0/empty3.opal", "")
          upload = self.process()
          self.assertEqual(1, upload.signUefi.call_count)
          self.assertEqual(2, upload.signKmod.call_count)
++        self.assertEqual(3, upload.signOpal.call_count)
      def test_installed(self):
          # Files in the tarball are installed correctly.
@@ -681,14 +826,53 @@
          self.assertEqual(stat.S_IMODE(os.stat(self.kmod_pem).st_mode), 0o600)
          self.assertEqual(stat.S_IMODE(os.stat(self.kmod_x509).st_mode), 0o644)
++    def test_create_opal_keys_autokey_off(self):
++        # Keys are not created.
++        self.setUpOpalKeys(create=False)
++        self.assertFalse(os.path.exists(self.opal_pem))
++        self.assertFalse(os.path.exists(self.opal_x509))
++        fake_call = FakeMethod(result=0)
++        self.useFixture(MonkeyPatch("subprocess.call", fake_call))
++        upload = SigningUpload()
++        upload.callLog = FakeMethodCallLog(upload=upload)
++        upload.setTargetDirectory(
++            self.archive, "test_1.0_amd64.tar.gz", "distroseries")
++        upload.signOpal(os.path.join(self.makeTemporaryDirectory(), 't.opal'))
++        self.assertEqual(0, upload.callLog.caller_count('Opal keygen key'))
++        self.assertEqual(0, upload.callLog.caller_count('Opal keygen cert'))
++        self.assertFalse(os.path.exists(self.opal_pem))
++        self.assertFalse(os.path.exists(self.opal_x509))
++
++    def test_create_opal_keys_autokey_on(self):
++        # Keys are created on demand.
++        self.setUpPPA()
++        self.setUpOpalKeys(create=False)
++        self.assertFalse(os.path.exists(self.opal_pem))
++        self.assertFalse(os.path.exists(self.opal_x509))
++        fake_call = FakeMethod(result=0)
++        self.useFixture(MonkeyPatch("subprocess.call", fake_call))
++        upload = SigningUpload()
++        upload.callLog = FakeMethodCallLog(upload=upload)
++        upload.setTargetDirectory(
++            self.archive, "test_1.0_amd64.tar.gz", "distroseries")
++        upload.signOpal(os.path.join(self.makeTemporaryDirectory(), 't.opal'))
++        self.assertEqual(1, upload.callLog.caller_count('Opal keygen key'))
++        self.assertEqual(1, upload.callLog.caller_count('Opal keygen cert'))
++        self.assertTrue(os.path.exists(self.opal_pem))
++        self.assertTrue(os.path.exists(self.opal_x509))
++        self.assertEqual(stat.S_IMODE(os.stat(self.opal_pem).st_mode), 0o600)
++        self.assertEqual(stat.S_IMODE(os.stat(self.opal_x509).st_mode), 0o644)
++
      def test_checksumming_tree(self):
          # Specifying no options should leave us with an open tree,
          # confirm it is checksummed.
          self.setUpUefiKeys()
          self.setUpKmodKeys()
++        self.setUpOpalKeys()
          self.openArchive("test", "1.0", "amd64")
          self.tarfile.add_file("1.0/empty.efi", "")
          self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
          self.process_emulate()
          sha256file = os.path.join(self.getSignedPath("test", "amd64"),
               "1.0", "SHA256SUMS")
@@ -702,14 +886,45 @@
          yield self.setUpArchiveKey()
          self.setUpUefiKeys()
          self.setUpKmodKeys()
--        self.openArchive("test", "1.0", "amd64")
--        self.tarfile.add_file("1.0/empty.efi", "")
--        self.tarfile.add_file("1.0/empty.ko", "")
--        self.process_emulate()
--        sha256file = os.path.join(self.getSignedPath("test", "amd64"),
--             "1.0", "SHA256SUMS")
--        self.assertTrue(os.path.exists(sha256file))
--        self.assertTrue(os.path.exists(sha256file + '.gpg'))
++        self.setUpOpalKeys()
++        self.openArchive("test", "1.0", "amd64")
++        self.tarfile.add_file("1.0/empty.efi", "")
++        self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
++        self.process_emulate()
++        sha256file = os.path.join(self.getSignedPath("test", "amd64"),
++             "1.0", "SHA256SUMS")
++        self.assertTrue(os.path.exists(sha256file))
++        self.assertTrue(os.path.exists(sha256file + '.gpg'))
++
++    @defer.inlineCallbacks
++    def test_checksumming_tree_signed_options_tarball(self):
++        # Specifying no options should leave us with an open tree,
++        # confirm it is checksummed.  Supply an archive signing key
++        # which should trigger signing of the checksum file.
++        yield self.setUpArchiveKey()
++        self.setUpUefiKeys()
++        self.setUpKmodKeys()
++        self.setUpOpalKeys()
++        self.openArchive("test", "1.0", "amd64")
++        self.tarfile.add_file("1.0/control/options", "tarball")
++        self.tarfile.add_file("1.0/empty.efi", "")
++        self.tarfile.add_file("1.0/empty.ko", "")
++        self.tarfile.add_file("1.0/empty.opal", "")
++        self.process_emulate()
++        sha256file = os.path.join(self.getSignedPath("test", "amd64"),
++             "1.0", "SHA256SUMS")
++        self.assertTrue(os.path.exists(sha256file))
++        self.assertTrue(os.path.exists(sha256file + '.gpg'))
++
++        tarfilename = os.path.join(self.getSignedPath("test", "amd64"),
++            "1.0", "signed.tar.gz")
++        with tarfile.open(tarfilename) as tarball:
++            self.assertThat(tarball.getnames(), MatchesAll(*[
++              Not(Contains(name)) for name in [
++                  "1.0/SHA256SUMS", "1.0/SHA256SUMS.gpg",
++                  "1.0/signed.tar.gz",
++                  ]]))
  class TestUefi(TestSigningHelpers):