Merge lp:~apw/launchpad/signing-permissions into lp:launchpad

Proposed by Andy Whitcroft on 2016-05-24
Status: Merged
Merged at revision: 18065
Proposed branch: lp:~apw/launchpad/signing-permissions
Merge into: lp:launchpad
Diff against target: 40 lines (+8/-0)
2 files modified
lib/lp/archivepublisher/signing.py (+3/-0)
lib/lp/archivepublisher/tests/test_signing.py (+5/-0)
To merge this branch: bzr merge lp:~apw/launchpad/signing-permissions
Reviewer Review Type Date Requested Status
Colin Watson 2016-05-24 Approve on 2016-05-24
Review via email: mp+295616@code.launchpad.net

Commit message

Fix the permissions of newly created Kmod signing x509 certificates.

Description of the change

Fix the permissions of newly created Kmod signing x509 certificates.

This is public information there is no need for them to be private. Make sure these are readable after creation.

To post a comment you must log in.
Colin Watson (cjwatson) wrote :

Could you add a test as well? I think you could reasonably just tack a stat check onto the end of test_create_kmod_keys_autokey_on, and that would also be a good place to check (more importantly) that kmod.pem isn't world-readable.

review: Needs Fixing
Andy Whitcroft (apw) wrote :

Yeah that makes a heap of sense. I have added tests to confirm the expected permissions on both the kmod.pem and kmod.x509. I have also added the same tests for the primary uefi.key and uefi.crt.

Colin Watson (cjwatson) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'lib/lp/archivepublisher/signing.py'
2--- lib/lp/archivepublisher/signing.py 2016-05-23 10:18:21 +0000
3+++ lib/lp/archivepublisher/signing.py 2016-05-24 21:36:36 +0000
4@@ -267,6 +267,9 @@
5 finally:
6 os.umask(old_mask)
7
8+ if os.path.exists(self.kmod_x509):
9+ os.chmod(self.kmod_x509, 0o644)
10+
11 def signKmod(self, image):
12 """Attempt to sign a kernel module."""
13 remove_if_exists("%s.sig" % image)
14
15=== modified file 'lib/lp/archivepublisher/tests/test_signing.py'
16--- lib/lp/archivepublisher/tests/test_signing.py 2016-05-23 11:59:17 +0000
17+++ lib/lp/archivepublisher/tests/test_signing.py 2016-05-24 21:36:36 +0000
18@@ -6,6 +6,7 @@
19 __metaclass__ = type
20
21 import os
22+import stat
23 import tarfile
24
25 from fixtures import MonkeyPatch
26@@ -571,6 +572,8 @@
27 self.assertEqual(1, upload.callLog.caller_count('UEFI keygen'))
28 self.assertTrue(os.path.exists(self.key))
29 self.assertTrue(os.path.exists(self.cert))
30+ self.assertEqual(stat.S_IMODE(os.stat(self.key).st_mode), 0o600)
31+ self.assertEqual(stat.S_IMODE(os.stat(self.cert).st_mode), 0o644)
32
33 def test_create_kmod_keys_autokey_off(self):
34 # Keys are not created.
35@@ -606,3 +609,5 @@
36 self.assertEqual(1, upload.callLog.caller_count('Kmod keygen cert'))
37 self.assertTrue(os.path.exists(self.kmod_pem))
38 self.assertTrue(os.path.exists(self.kmod_x509))
39+ self.assertEqual(stat.S_IMODE(os.stat(self.kmod_pem).st_mode), 0o600)
40+ self.assertEqual(stat.S_IMODE(os.stat(self.kmod_x509).st_mode), 0o644)