Expand archive signing to kernel modules

Bug #1577736 reported by Andy Whitcroft on 2016-05-03
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Andy Whitcroft

Bug Description

We are going to need to sign kernel modules which are built separately from the kernel itself. For this we need a launchpad level mechanism to sign those modules.

We intend to leverage the existing efi signing custom uploads, generifying that as a signing upload and then adding a new Kernel Module signing phase to that.

Related branches

Colin Watson (cjwatson) on 2016-05-03
tags: added: feature lp-soyuz soyuz-publish
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) wrote :

Phase 1: move the existing efi signing to validating the efi signing keys on first use. For PPAs generate the keys on first use if they are missing.

Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Andy Whitcroft (apw) wrote :

Tested both in the main archive and in a PPA. Confirmed that signing will not make keys in the main archive and does make keys in a PPA without keys. That in the face of keys that the correct files are signed and published into dists. Finally confirmed that the files so produced were correctly signed and signed by the expected keys.

tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Andy Whitcroft (apw) wrote :

Confirmed that copies and direct uploads to PPAs and to the primary archive publish as expected. Confirmed that the dists directories get sorted out so that "signed" is primary and "uefi" is a link to them. Confirmed that the resulting contents are signed and signed with the appropriate keys. Confirmed that items in the queue appear as expected with the new "signing" name and "Objects for signing" as the icon hover text. Testing good for me.

tags: added: qa-ok
removed: qa-needstesting
Andy Whitcroft (apw) wrote :

For the record, this testing included direct uploads using raw-uefi and raw-signing naming. Both worked equivalently.

Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Andy Whitcroft (apw) wrote :

Tested with raw-uefi and raw-signing uploads to primary and PPAs. Confirmed keys created when appropriate. Tested with no options and with tarball, signed-only, and tarball+signed-only combinations. All produced expected contents of dists. Confirmed kmod signing locally produces the same signatures.

tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson) on 2016-05-25
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Andy Whitcroft (apw) wrote :

Tested with copies and uploads to the primary archive and PPAs. Confirmed keys included in all result forms as expected.

tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Andy Whitcroft (apw) wrote :

Testing of signing shows functionality unaffected by the updates to checksumming and signing.

tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) on 2016-06-22
Changed in launchpad:
status: Fix Committed → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Andy Whitcroft (apw) wrote :

Tests in PPA and primary archive working as expected.

tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) on 2016-06-27
Changed in launchpad:
status: Fix Committed → Fix Released
Andy Whitcroft (apw) wrote :

Final testing on production PPAs looks good.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers