Expand archive signing to kernel modules

Bug #1577736 reported by Andy Whitcroft
This bug affects 1 person
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Andy Whitcroft
Milestone: (none)

Bug Description

We are going to need to sign kernel modules which are built separately from the kernel itself. For this we need a Launchpad-level mechanism to sign those modules.

We intend to leverage the existing EFI signing custom uploads, generifying that as a signing upload and then adding a new Kernel Module signing phase to that.

Colin Watson (cjwatson)
tags: added: feature lp-soyuz soyuz-publish
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) wrote :

Phase 1: move the existing EFI signing to validating the EFI signing keys on first use. For PPAs, generate the keys on first use if they are missing.

Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Andy Whitcroft (apw) wrote :

Tested both in the main archive and in a PPA. Confirmed that signing will not make keys in the main archive and does make keys in a PPA without keys. Confirmed that, in the face of keys, the correct files are signed and published into dists. Finally confirmed that the files so produced were correctly signed and signed by the expected keys.

tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Andy Whitcroft (apw) wrote :

Confirmed that copies and direct uploads to PPAs and to the primary archive publish as expected. Confirmed that the dists directories get sorted out so that "signed" is primary and "uefi" is a link to them. Confirmed that the resulting contents are signed and signed with the appropriate keys. Confirmed that items in the queue appear as expected with the new "signing" name and "Objects for signing" as the icon hover text. Testing good for me.

tags: added: qa-ok
removed: qa-needstesting
Andy Whitcroft (apw) wrote :

For the record, this testing included direct uploads using raw-uefi and raw-signing naming. Both worked equivalently.

Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Andy Whitcroft (apw) wrote :

Tested with raw-uefi and raw-signing uploads to primary and PPAs. Confirmed keys created when appropriate. Tested with no options and with tarball, signed-only, and tarball+signed-only combinations. All produced expected contents of dists. Confirmed kmod signing locally produces the same signatures.

tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Andy Whitcroft (apw) wrote :

Tested with copies and uploads to the primary archive and PPAs. Confirmed keys included in all result forms as expected.

tags: added: qa-ok
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Andy Whitcroft (apw) wrote :

Testing of signing shows functionality unaffected by the updates to checksumming and signing.

tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Andy Whitcroft (apw) wrote :

Tests in PPA and primary archive working as expected.

tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released
Andy Whitcroft (apw) wrote :

Final testing on production PPAs looks good.
