UEFI image signing
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Fix Released | High | Colin Watson | |
Bug Description
As per https:/
* installing Jeremy Kerr's sbsigntool utility on dogfood/
* generating a throwaway key for dogfood so that we can QA
* installing the official Ubuntu UEFI signing key on production
* landing a patch to add a new custom upload format, which is signed during publication
Given the value of signed UEFI images, we also want to ensure that uploads containing a UEFI image tarball are never auto-approved, but always require manual approval by an archive admin. (This approach has been agreed with the security team.)
Related branches
- Brad Crittenden (community): Approve (code)
Diff: 1106 lines (+473/-95), 25 files modified
lib/lp/archivepublisher/config.py (+6/-1)
lib/lp/archivepublisher/customupload.py (+11/-3)
lib/lp/archivepublisher/ddtp_tarball.py (+16/-10)
lib/lp/archivepublisher/debian_installer.py (+11/-10)
lib/lp/archivepublisher/dist_upgrader.py (+13/-11)
lib/lp/archivepublisher/model/ftparchive.py (+5/-10)
lib/lp/archivepublisher/tests/test_config.py (+6/-0)
lib/lp/archivepublisher/tests/test_ddtp_tarball.py (+8/-1)
lib/lp/archivepublisher/tests/test_debian_installer.py (+8/-1)
lib/lp/archivepublisher/tests/test_dist_upgrader.py (+8/-1)
lib/lp/archivepublisher/tests/test_ftparchive.py (+1/-28)
lib/lp/archivepublisher/tests/test_generate_extra_overrides.py (+2/-7)
lib/lp/archivepublisher/tests/test_uefi.py (+132/-0)
lib/lp/archivepublisher/uefi.py (+141/-0)
lib/lp/archiveuploader/nascentuploadfile.py (+29/-0)
lib/lp/archiveuploader/tests/test_nascentuploadfile.py (+32/-2)
lib/lp/archiveuploader/uploadpolicy.py (+8/-0)
lib/lp/services/osutils.py (+4/-4)
lib/lp/soyuz/browser/queue.py (+2/-1)
lib/lp/soyuz/browser/tests/builder-views.txt (+1/-1)
lib/lp/soyuz/configure.zcml (+1/-0)
lib/lp/soyuz/enums.py (+6/-0)
lib/lp/soyuz/interfaces/queue.py (+4/-2)
lib/lp/soyuz/model/queue.py (+16/-2)
lib/lp/soyuz/scripts/custom_uploads_copier.py (+2/-0)
Changed in launchpad: | |
assignee: | nobody → Colin Watson (cjwatson) |
status: | New → In Progress |
Changed in launchpad: | |
importance: | Undecided → High |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
Fixed in stable r15547 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/15547>.