mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-09 05:56:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #640 from dm0-/secure-boot

Browse Source 
Add Secure Boot to the offline signing process
This commit is contained in:
David Michael 2017-02-06 13:32:27 -08:00 committed by GitHub
commit 06c80eb38a
2 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
offline_signing/download.sh
View File

@ -3,18 +3,29 @@
set -ex set -ex
BOARD="$1" BOARD="$1"
VERSION="$2" VERSION="$2"
GS="gs://builds.release.core-os.net/stable/boards/$BOARD/$VERSION" GS="gs://builds.release.core-os.net/unsigned/boards/$BOARD/$VERSION"
cd "${3:-.}" cd "${3:-.}"
# The shim only exists for amd64 boards.
[ "x${BOARD}" = xamd64-usr ] && shim=1 || shim=
gsutil cp \ gsutil cp \
"${GS}/coreos_production_image.vmlinuz" \ "${GS}/coreos_production_image.vmlinuz" \
"${GS}/coreos_production_image.vmlinuz.sig" \ "${GS}/coreos_production_image.vmlinuz.sig" \
"${GS}/coreos_production_image.grub" \
"${GS}/coreos_production_image.grub.sig" \
${shim:+
"${GS}/coreos_production_image.shim"
"${GS}/coreos_production_image.shim.sig"
} \
"${GS}/coreos_production_update.bin.bz2" \ "${GS}/coreos_production_update.bin.bz2" \
"${GS}/coreos_production_update.bin.bz2.sig" \ "${GS}/coreos_production_update.bin.bz2.sig" \
"${GS}/coreos_production_update.zip" \ "${GS}/coreos_production_update.zip" \
"${GS}/coreos_production_update.zip.sig" ./ "${GS}/coreos_production_update.zip.sig" ./
gpg --verify "coreos_production_image.vmlinuz.sig" gpg --verify "coreos_production_image.vmlinuz.sig"
gpg --verify "coreos_production_image.grub.sig"
[ -z "$shim" ] || gpg --verify "coreos_production_image.shim.sig"
gpg --verify "coreos_production_update.bin.bz2.sig" gpg --verify "coreos_production_update.bin.bz2.sig"
gpg --verify "coreos_production_update.zip.sig" gpg --verify "coreos_production_update.zip.sig"

17
offline_signing/sign.sh
View File

@ -5,14 +5,27 @@ DATA_DIR="$(readlink -f "$1")"
KEYS_DIR="$(readlink -f "$(dirname "$0")")" KEYS_DIR="$(readlink -f "$(dirname "$0")")"
gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig" gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig"
gpg2 --verify "${DATA_DIR}/coreos_production_image.vmlinuz.sig"
gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig" gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig"
bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2" bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2"
unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}" unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}"
export PATH="${DATA_DIR}:${PATH}" export PATH="${DATA_DIR}:${PATH}"
cd "${DATA_DIR}" cd "${DATA_DIR}"
# Sign UEFI binaries for Secure Boot.
for bin in vmlinuz grub shim
do
[ -e "coreos_production_image.$bin" ] || continue
gpg2 --verify "coreos_production_image.$bin.sig"
mv "coreos_production_image.$bin" "$bin.unsigned"
pesign --in="$bin.unsigned" \
--out="coreos_production_image.$bin" \
--certdir="${KEYS_DIR}" \
--certificate='CoreOS Secure Boot Certificate' \
--sign
done
# Sign the delta, with the Secure Boot signed kernel.
./core_sign_update \ ./core_sign_update \
--image "${DATA_DIR}/coreos_production_update.bin" \ --image "${DATA_DIR}/coreos_production_update.bin" \
--kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \ --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \