mirror of
https://github.com/siderolabs/talos.git
synced 2025-10-27 06:21:11 +01:00
53873b8444
This is intemediate step to move parts of the `ukify` down to the main Talos source tree, and call it from `talosctl` binary. The next step will be to integrate it into the imager and move `.uki` build out of the Dockerfile. Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
65 lines
1.3 KiB
Go
65 lines
1.3 KiB
Go
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
// Package pesign implements the PE (portable executable) signing.
|
|
package pesign
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/foxboron/go-uefi/efi"
|
|
siderox509 "github.com/siderolabs/crypto/x509"
|
|
)
|
|
|
|
// Signer sigs PE (portable executable) files.
|
|
type Signer struct {
|
|
key crypto.Signer
|
|
cert *x509.Certificate
|
|
}
|
|
|
|
// NewSigner creates a new Signer.
|
|
func NewSigner(certFile, keyFile string) (*Signer, error) {
|
|
pem, err := siderox509.NewCertificateAndKeyFromFiles(certFile, keyFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
cert, err := pem.GetCert()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
key, err := pem.GetKey()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if signer, ok := key.(crypto.Signer); ok {
|
|
return &Signer{
|
|
key: signer,
|
|
cert: cert,
|
|
}, nil
|
|
}
|
|
|
|
return nil, fmt.Errorf("key is not a crypto.Signer")
|
|
}
|
|
|
|
// Sign signs the input file and writes the output to the output file.
|
|
func (s *Signer) Sign(input, output string) error {
|
|
unsigned, err := os.ReadFile(input)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
signed, err := efi.SignEFIExecutable(s.key, s.cert, unsigned)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return os.WriteFile(output, signed, 0o600)
|
|
}
|