From 063b48e11347563cd5eba1fb52d6750bb0086dfd Mon Sep 17 00:00:00 2001
From: Radon
Date: Tue, 23 Sep 2025 20:18:56 -0500
Subject: [PATCH] remove auto update

---
 Makefile | 3 +-
 README.md | 19 ++----------
 VERSION | 2 +-
 docs/ksigner.8.in | 23 ++--------
 ksigner.spec.in | 7 +----
 src/ksigner-update-hook | 67 -----------------------------------------
 src/ksigner.conf | 10 +-----
 src/ksigner.in | 2 --
 8 files changed, 8 insertions(+), 125 deletions(-)
 delete mode 100644 src/ksigner-update-hook

diff --git a/Makefile b/Makefile
index 81e175b..e2ad320 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ RELEASE = $(shell cat RELEASE)
 DISTS = $(shell cat DISTS)
 SOURCEDIR = .
 BUILDDIR = build
-SOURCES = src/ksigner src/ksigner.conf src/ksigner-update-hook docs/ksigner.8 README.md LICENSE
+SOURCES = src/ksigner src/ksigner.conf docs/ksigner.8 README.md LICENSE
 CLEANFILES = $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8 noarch *.tar.gz *.rpm *.src.rpm
 
 .PHONY: all clean dist rpm srpm install
@@ -79,5 +79,4 @@ install:
 install -d $(DESTDIR)/usr/share/man/man8
 install -m 755 src/ksigner $(DESTDIR)/usr/bin/
 install -m 644 src/ksigner.conf $(DESTDIR)/etc/ksigner/
- install -m 755 src/ksigner-update-hook $(DESTDIR)/etc/kernel/postinst.d/zz-ksigner
 install -m 644 docs/ksigner.8 $(DESTDIR)/usr/share/man/man8/
diff --git a/README.md b/README.md
index 6756a10..02b3e69 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Enable/disable automatic signing on kernel updates# Kernel Signer
+# KSigner
 
 A secure boot kernel signing utility
 
@@ -77,15 +77,7 @@ sudo ksigner status
 
 ## Configuration
 
-Edit `/etc/ksigner/ksigner.conf` to customize behavior:
-
-```bash
-# Enable/disable automatic signing on kernel updates
-SIGN_ON_UPDATE=true
-
-# Type of automatic signing (sign, sign-all)
-AUTO_SIGN_TYPE="sign-all"
-```
+Edit `/etc/ksigner/ksigner.conf` to customize behavior
 
 ## Commands
 
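Review bot: The `install` recipe stops copying `src/ksigner-update-hook`, but it does not remove a `/etc/kernel/postinst.d/zz-ksigner` left behind by an earlier `make install`, so on such systems the old hook keeps running as root on every kernel postinst and still calls `ksigner sign`/`sign-all` (its `SIGN_ON_UPDATE` default is `true` when the config no longer sets it). RPM installs are covered because the path left `%files`, but the Makefile has no uninstall path. Adding `rm -f $(DESTDIR)/etc/kernel/postinst.d/zz-ksigner` to the install recipe, or a documented `uninstall` target plus a README upgrade note, would retire the stale hook. The `install` rule starts before this hunk, so I cannot see whether it still creates `$(DESTDIR)/etc/kernel/postinst.d`; if it does, that `install -d` can go as well.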
@@ -95,12 +87,6 @@ AUTO_SIGN_TYPE="sign-all"
 - `ksigner status` - Show signing key status
 - `ksigner version` - Show version information
 
-## Automatic Kernel Signing
-
-When `SIGN_ON_UPDATE=true` in the configuration, kernels are automatically signed when installed via package manager. The hook script `/etc/kernel/postinst.d/zz-ksigner` handles this process.
-
-Logs are written to `/var/log/ksigner.log`.
-
 ## File Locations
 
 - **Configuration**: `/etc/ksigner/ksigner.conf`
@@ -108,7 +94,6 @@ Logs are written to `/var/log/ksigner.log`.
 - **Private Key**: `/etc/pki/sbsign/private/MOK.priv`
 - **DER Key**: `/etc/pki/sbsign/certs/MOK.der`
 - **Log File**: `/var/log/ksigner.log`
-- **Update Hook**: `/etc/kernel/postinst.d/zz-ksigner`
 
 ## Security Notes
 
diff --git a/VERSION b/VERSION
index 3eefcb9..7dea76e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.0
+1.0.1
diff --git a/docs/ksigner.8.in b/docs/ksigner.8.in
index 3f68201..638e307 100644
--- a/docs/ksigner.8.in
+++ b/docs/ksigner.8.in
@@ -41,7 +41,7 @@ Show the current status of signing keys and MOK enrollment.
 .SH FILES
 .TP
 .I /etc/ksigner/ksigner.conf
-Main configuration file. Contains key paths, automatic signing settings, and LTS version definitions.
+Main configuration file.
 .TP
 .I /etc/pki/sbsign/certs/MOK.pem
 
@@ -55,13 +55,9 @@ Private signing key.
 .I /etc/pki/sbsign/certs/MOK.der
 Public signing key in DER format for MOK import.
 
-.TP
-.I /etc/kernel/postinst.d/zz-ksigner
-Kernel update hook script for automatic signing.
-
 .TP
 .I /var/log/ksigner.log
-Log file for automatic signing operations.
+Log file.
 
 .SH CONFIGURATION
 The behavior of ksigner can be customized through the configuration file
@@ -72,21 +68,6 @@ Key configuration options include:
 .B KEY_LIFETIME_DAYS
 Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
 
-.TP
-.B SIGN_ON_UPDATE
-Enable or disable automatic signing when kernels are updated (default: true).
-
-.TP
-.B AUTO_SIGN_TYPE
-Type of automatic signing to perform on kernel updates.
-Valid options are: sign, sign-all (default: sign).
-
-.SH AUTOMATIC KERNEL SIGNING
-When SIGN_ON_UPDATE is enabled in the configuration, new kernels are automatically signed
-when they are installed through the package manager. The kernel update hook script
-.I /etc/kernel/postinst.d/zz-ksigner
-is executed during kernel package installation and performs the configured signing operation.
-
 .SH EXAMPLES
 .TP
 Set up signing keys for the first time:
diff --git a/ksigner.spec.in b/ksigner.spec.in
index 61fcb70..f348630 100644
--- a/ksigner.spec.in
+++ b/ksigner.spec.in
@@ -40,9 +40,6 @@ install -m 755 ksigner %{buildroot}%{_bindir}/ksigner
 # Install configuration file
 install -m 644 ksigner.conf %{buildroot}%{_sysconfdir}/ksigner/ksigner.conf
 
-# Install kernel update hook
-install -m 755 ksigner-update-hook %{buildroot}%{_sysconfdir}/kernel/postinst.d/zz-ksigner
-
 # Install man page
 install -m 644 ksigner.8 %{buildroot}%{_mandir}/man8/ksigner.8
 
@@ -60,11 +57,9 @@ echo "==========================================="
 %doc README.md
 %{_bindir}/ksigner
 %config(noreplace) %{_sysconfdir}/ksigner/ksigner.conf
-%{_sysconfdir}/kernel/postinst.d/zz-ksigner
 %{_mandir}/man8/ksigner.8*
 
 %changelog
-* Tue Sep 23 2025 RadioactivePb - @VERSION@-@RELEASE@
+* Tue Sep 23 2025 RadioactivePb - 1.0.1-1
 - Initial RPM release
-- Added automatic kernel signing on updates
 - Added configuration file support
diff --git a/src/ksigner-update-hook b/src/ksigner-update-hook
deleted file mode 100644
index 769a882..0000000
--- a/src/ksigner-update-hook
+++ /dev/null
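Review bot: The `%changelog` header in `ksigner.spec.in` now hard-codes `1.0.1-1` where the template had `@VERSION@-@RELEASE@`, so this line will stop tracking `VERSION`/`RELEASE` on the next bump and the generated spec's changelog will disagree with the package version. The same hunk also rewrites the existing 1.0.0 entry (it drops `- Added automatic kernel signing on updates` while still calling itself the initial release) instead of recording the removal as a new entry. I would keep `* Tue Sep 23 2025 RadioactivePb - @VERSION@-@RELEASE@` and add a 1.0.1 entry with `- Removed the kernel postinst hook and the SIGN_ON_UPDATE/AUTO_SIGN_TYPE settings`, unless the template substitution is being retired on purpose.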
@@ -1,67 +0,0 @@
-#!/usr/bin/env bash
-
-# Kernel update hook for automatic signing
-# This script is called when new kernels are installed
-
-CONFIG_FILE="/etc/ksigner/ksigner.conf"
-KERNEL_SIGNER="/usr/bin/ksigner"
-LOG_FILE="/var/log/ksigner.log"
-
-# Source configuration
-if [[ -f "$CONFIG_FILE" ]]; then
- source "$CONFIG_FILE"
-fi
-
-# Default values
-SIGN_ON_UPDATE=${SIGN_ON_UPDATE:-true}
-AUTO_SIGN_TYPE=${AUTO_SIGN_TYPE:-sign}
-LOG_FILE=${LOG_FILE:-/var/log/ksigner.log}
-
-log_message() {
- echo "$(date '+%Y-%m-%d %H:%M:%S') - ksigner-update-hook: $1" >>"$LOG_FILE"
-}
-
-# Exit if automatic signing is disabled
-if [[ "$SIGN_ON_UPDATE" != "true" ]]; then
- log_message "Automatic signing disabled, skipping"
- exit 0
-fi
-
-# Check if ksigner exists and keys are set up
-if [[ ! -x "$KERNEL_SIGNER" ]]; then
- log_message "ksigner not found at $KERNEL_SIGNER"
- exit 1
-fi
-
-if [[ ! -f "/etc/pki/sbsign/certs/MOK.pem" ]]; then
- log_message "Signing keys not found, run 'ksigner setup' first"
- exit 1
-fi
-
-# Get the kernel version from the environment or find the latest
-if [[ -n "$KERNEL_VERSION" ]]; then
- KERNEL_FILE="/boot/vmlinuz-$KERNEL_VERSION"
- if [[ -f "$KERNEL_FILE" ]]; then
- log_message "Signing newly installed kernel: $KERNEL_VERSION"
- if "$KERNEL_SIGNER" sign "$KERNEL_FILE" >>"$LOG_FILE" 2>&1; then
- log_message "Successfully signed kernel $KERNEL_VERSION"
- else
- log_message "Failed to sign kernel $KERNEL_VERSION"
- exit 1
- fi
- else
- log_message "Kernel file not found: $KERNEL_FILE"
- exit 1
- fi
-else
- # Fallback to configured auto-sign type
- log_message "Running automatic signing: $AUTO_SIGN_TYPE"
- if "$KERNEL_SIGNER" "$AUTO_SIGN_TYPE" >>"$LOG_FILE" 2>&1; then
- log_message "Successfully completed $AUTO_SIGN_TYPE"
- else
- log_message "Failed to complete $AUTO_SIGN_TYPE"
- exit 1
- fi
-fi
-
-exit 0
diff --git a/src/ksigner.conf b/src/ksigner.conf
index 2acb1a2..f119288 100644
--- a/src/ksigner.conf
+++ b/src/ksigner.conf
@@ -13,13 +13,5 @@ KEY_PUB="MOK.pem"
 KEY_PRIV="MOK.priv"
 KEY_DER="MOK.der"
 
-# Automatic signing on kernel updates
-# Set to true to enable automatic signing when kernels are updated
-SIGN_ON_UPDATE=true
-
-# Type of automatic signing to perform
-# Options: sign, sign-all
-AUTO_SIGN_TYPE="sign"
-
-# Log file for automatic signing operations
+# Log file
 LOG_FILE="/var/log/ksigner.log"
diff --git a/src/ksigner.in b/src/ksigner.in
index 80c65ee..6c698fa 100644
--- a/src/ksigner.in
+++ b/src/ksigner.in
@@ -16,8 +16,6 @@ KEY_PUB=${KEY_PUB:-MOK.pem}
 KEY_PRIV_DIR=${KEY_PRIV_DIR:-/etc/pki/sbsign/private/}
 KEY_PRIV=${KEY_PRIV:-MOK.priv}
 KEY_DER=${KEY_DER:-MOK.der}
-SIGN_ON_UPDATE=${SIGN_ON_UPDATE:-true}
-AUTO_SIGN_TYPE=${AUTO_SIGN_TYPE:-sign}
 
 REQUIRED_BINARIES=(
 "openssl"
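Review bot: Upgraded systems keep their existing `ksigner.conf` (the spec marks it `%config(noreplace)`), so a file that still sets `SIGN_ON_UPDATE=true` and `AUTO_SIGN_TYPE` now silently does nothing, and the shipped file gives an admin no hint why signing stopped happening on kernel updates. A one-line note next to the remaining settings would cover that: `# Note: SIGN_ON_UPDATE and AUTO_SIGN_TYPE (pre-1.0.1) are no longer read; run 'ksigner sign' after a kernel update.` Whether `ksigner` itself still sources this file is outside the hunk, so the wording should be checked against `src/ksigner.in` before committing it.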