kbuild: sign the modules at install time

Linus deleted the old code and put signing on the install command, I fixed it to extract the keyid and signer-name within sign-file and cleaned up that script now it always signs in-place. Some enthusiast should convert sign-key to perl and pull x509keyid into it. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Rusty Russell <rusty@rustcorp.com.au> 2012-10-18 21:23:15 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-19 11:27:43 -0400
commit: e2a666d52b4825c26c857cada211f3baac26a600 (patch)
tree: b7e91bd10e8c1b2932ffd1716fde3abccd7c4dd8 /scripts/sign-file
parent: c9623de4fc2f8320fe94316b46171683be3b1d59 (diff)
1 files changed, 18 insertions, 26 deletions
diff --git a/scripts/sign-file b/scripts/sign-file
index e58e34e50ac5..095a953bdb8e 100644
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -1,8 +1,8 @@
-#!/bin/sh
+#!/bin/bash
 #
 # Sign a module file using the given key.
 #
-# Format: sign-file <key> <x509> <src-file> <dst-file>
+# Format: sign-file <key> <x509> <keyid-script> <module>
 #
 scripts=`dirname $0`
@@ -15,8 +15,8 @@ fi
 key="$1"
 x509="$2"
-src="$3"
+keyid_script="$3"
-dst="$4"
+mod="$4"
 if [ ! -r "$key" ]
 then
@@ -29,16 +29,6 @@ then
    echo "Can't read X.509 certificate" >&2
    exit 2
 fi
-if [ ! -r "$x509.signer" ]
-then
-    echo "Can't read Signer name" >&2
-    exit 2;
-fi
-if [ ! -r "$x509.keyid" ]
-then
-    echo "Can't read Key identifier" >&2
-    exit 2;
-fi
 #
 # Signature parameters
@@ -83,33 +73,35 @@ fi
 (
 perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" || exit $?
-openssl dgst $dgst -binary $src || exit $?
+openssl dgst $dgst -binary $mod || exit $?
-) >$src.dig || exit $?
+) >$mod.dig || exit $?
 #
 # Generate the binary signature, which will be just the integer that comprises
 # the signature with no metadata attached.
 #
-openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig || exit $?
+openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig || exit $?
-signerlen=`stat -c %s $x509.signer`
-keyidlen=`stat -c %s $x509.keyid`
+SIGNER="`perl $keyid_script $x509 signer-name`"
-siglen=`stat -c %s $src.sig`
+KEYID="`perl $keyid_script $x509 keyid`"
+keyidlen=${#KEYID}
+siglen=${#SIGNER}
 #
 # Build the signed binary
 #
 (
-    cat $src || exit $?
+    cat $mod || exit $?
    echo '~Module signature appended~' || exit $?
-    cat $x509.signer $x509.keyid || exit $?
+    echo -n "$SIGNER" || exit $?
+    echo -n "$KEYID" || exit $?
    # Preface each signature integer with a 2-byte BE length
    perl -e "binmode STDOUT; print pack(\"n\", $siglen)" || exit $?
-    cat $src.sig || exit $?
+    cat $mod.sig || exit $?
    # Generate the information block
    perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" || exit $?
-) >$dst~ || exit $?
+) >$mod~ || exit $?
-# Permit in-place signing
+mv $mod~ $mod || exit $?
-mv $dst~ $dst || exit $?
author	Rusty Russell <rusty@rustcorp.com.au>	2012-10-18 21:23:15 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-19 11:27:43 -0400
commit	e2a666d52b4825c26c857cada211f3baac26a600 (patch)
tree	b7e91bd10e8c1b2932ffd1716fde3abccd7c4dd8 /scripts/sign-file
parent	c9623de4fc2f8320fe94316b46171683be3b1d59 (diff)

diff --git a/scripts/sign-file b/scripts/sign-file index e58e34e50ac5..095a953bdb8e 100644 --- a/scripts/sign-file +++ b/scripts/sign-file
@@ -1,8 +1,8 @@
1	#!/bin/sh	1	#!/bin/bash
2	#	2	#
3	# Sign a module file using the given key.	3	# Sign a module file using the given key.
4	#	4	#
5	# Format: sign-file <key> <x509> <src-file> <dst-file>	5	# Format: sign-file <key> <x509> <keyid-script> <module>
6	#	6	#
7		7
8	scripts=`dirname $0`	8	scripts=`dirname $0`
@@ -15,8 +15,8 @@ fi
15		15
16	key="$1"	16	key="$1"
17	x509="$2"	17	x509="$2"
18	src="$3"	18	keyid_script="$3"
19	dst="$4"	19	mod="$4"
20		20
21	if [ ! -r "$key" ]	21	if [ ! -r "$key" ]
22	then	22	then
@@ -29,16 +29,6 @@ then
29	echo "Can't read X.509 certificate" >&2	29	echo "Can't read X.509 certificate" >&2
30	exit 2	30	exit 2
31	fi	31	fi
32	if [ ! -r "$x509.signer" ]
33	then
34	echo "Can't read Signer name" >&2
35	exit 2;
36	fi
37	if [ ! -r "$x509.keyid" ]
38	then
39	echo "Can't read Key identifier" >&2
40	exit 2;
41	fi
42		32
43	#	33	#
44	# Signature parameters	34	# Signature parameters
@@ -83,33 +73,35 @@ fi
83		73
84	(	74	(
85	perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" \|\| exit $?	75	perl -e "binmode STDOUT; print pack(\"C*\", $prologue)" \|\| exit $?
86	openssl dgst $dgst -binary $src \|\| exit $?	76	openssl dgst $dgst -binary $mod \|\| exit $?
87	) >$src.dig \|\| exit $?	77	) >$mod.dig \|\| exit $?
88		78
89	#	79	#
90	# Generate the binary signature, which will be just the integer that comprises	80	# Generate the binary signature, which will be just the integer that comprises
91	# the signature with no metadata attached.	81	# the signature with no metadata attached.
92	#	82	#
93	openssl rsautl -sign -inkey $key -keyform PEM -in $src.dig -out $src.sig \|\| exit $?	83	openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig \|\| exit $?
94	signerlen=`stat -c %s $x509.signer`	84
95	keyidlen=`stat -c %s $x509.keyid`	85	SIGNER="`perl $keyid_script $x509 signer-name`"
96	siglen=`stat -c %s $src.sig`	86	KEYID="`perl $keyid_script $x509 keyid`"
		87	keyidlen=${#KEYID}
		88	siglen=${#SIGNER}
97		89
98	#	90	#
99	# Build the signed binary	91	# Build the signed binary
100	#	92	#
101	(	93	(
102	cat $src \|\| exit $?	94	cat $mod \|\| exit $?
103	echo '~Module signature appended~' \|\| exit $?	95	echo '~Module signature appended~' \|\| exit $?
104	cat $x509.signer $x509.keyid \|\| exit $?	96	echo -n "$SIGNER" \|\| exit $?
		97	echo -n "$KEYID" \|\| exit $?
105		98
106	# Preface each signature integer with a 2-byte BE length	99	# Preface each signature integer with a 2-byte BE length
107	perl -e "binmode STDOUT; print pack(\"n\", $siglen)" \|\| exit $?	100	perl -e "binmode STDOUT; print pack(\"n\", $siglen)" \|\| exit $?
108	cat $src.sig \|\| exit $?	101	cat $mod.sig \|\| exit $?
109		102
110	# Generate the information block	103	# Generate the information block
111	perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" \|\| exit $?	104	perl -e "binmode STDOUT; print pack(\"CCCCCxxxN\", $algo, $hash, $id_type, $signerlen, $keyidlen, $siglen + 2)" \|\| exit $?
112	) >$dst~ \|\| exit $?	105	) >$mod~ \|\| exit $?
113		106
114	# Permit in-place signing	107	mv $mod~ $mod \|\| exit $?
115	mv $dst~ $dst \|\| exit $?