remove auto update
This commit is contained in:
parent
359b40da40
commit
063b48e113
3
Makefile
3
Makefile
@ -4,7 +4,7 @@ RELEASE = $(shell cat RELEASE)
|
|||||||
DISTS = $(shell cat DISTS)
|
DISTS = $(shell cat DISTS)
|
||||||
SOURCEDIR = .
|
SOURCEDIR = .
|
||||||
BUILDDIR = build
|
BUILDDIR = build
|
||||||
SOURCES = src/ksigner src/ksigner.conf src/ksigner-update-hook docs/ksigner.8 README.md LICENSE
|
SOURCES = src/ksigner src/ksigner.conf docs/ksigner.8 README.md LICENSE
|
||||||
CLEANFILES = $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8 noarch *.tar.gz *.rpm *.src.rpm
|
CLEANFILES = $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8 noarch *.tar.gz *.rpm *.src.rpm
|
||||||
|
|
||||||
.PHONY: all clean dist rpm srpm install
|
.PHONY: all clean dist rpm srpm install
|
||||||
@ -79,5 +79,4 @@ install:
|
|||||||
install -d $(DESTDIR)/usr/share/man/man8
|
install -d $(DESTDIR)/usr/share/man/man8
|
||||||
install -m 755 src/ksigner $(DESTDIR)/usr/bin/
|
install -m 755 src/ksigner $(DESTDIR)/usr/bin/
|
||||||
install -m 644 src/ksigner.conf $(DESTDIR)/etc/ksigner/
|
install -m 644 src/ksigner.conf $(DESTDIR)/etc/ksigner/
|
||||||
install -m 755 src/ksigner-update-hook $(DESTDIR)/etc/kernel/postinst.d/zz-ksigner
|
|
||||||
install -m 644 docs/ksigner.8 $(DESTDIR)/usr/share/man/man8/
|
install -m 644 docs/ksigner.8 $(DESTDIR)/usr/share/man/man8/
|
||||||
|
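Review bot: Dropping the `install -m 755 src/ksigner-update-hook … zz-ksigner` line stops installing the hook on fresh systems, but `make install` on a host that already has it leaves the old `/etc/kernel/postinst.d/zz-ksigner` in place, and that script carries its own `SIGN_ON_UPDATE`/`AUTO_SIGN_TYPE` defaults, so automatic signing keeps running there even though the feature and its config keys are gone. Consider an `uninstall` target (listed in `.PHONY`) that removes the stale hook, or at least a comment on the install target such as `# NOTE: earlier releases installed $(DESTDIR)/etc/kernel/postinst.d/zz-ksigner; remove it when upgrading in place`. The `install` target begins before this hunk, so if it still has an `install -d $(DESTDIR)/etc/kernel/postinst.d` line, that line is now dead and should go as well. Visible only as context in the first hunk: `RELEASE = $(shell cat RELEASE)` and `DISTS = $(shell cat DISTS)` use `=`, so the `cat` re-runs on every expansion; `:=` would evaluate them once.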
19
README.md
19
README.md
@ -1,4 +1,4 @@
|
|||||||
# Enable/disable automatic signing on kernel updates# Kernel Signer
|
# KSigner
|
||||||
|
|
||||||
A secure boot kernel signing utility
|
A secure boot kernel signing utility
|
||||||
|
|
||||||
@ -77,15 +77,7 @@ sudo ksigner status
|
|||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
Edit `/etc/ksigner/ksigner.conf` to customize behavior:
|
Edit `/etc/ksigner/ksigner.conf` to customize behavior
|
||||||
|
|
||||||
```bash
|
|
||||||
# Enable/disable automatic signing on kernel updates
|
|
||||||
SIGN_ON_UPDATE=true
|
|
||||||
|
|
||||||
# Type of automatic signing (sign, sign-all)
|
|
||||||
AUTO_SIGN_TYPE="sign-all"
|
|
||||||
```
|
|
||||||
|
|
||||||
## Commands
|
## Commands
|
||||||
|
|
||||||
@ -95,12 +87,6 @@ AUTO_SIGN_TYPE="sign-all"
|
|||||||
- `ksigner status` - Show signing key status
|
- `ksigner status` - Show signing key status
|
||||||
- `ksigner version` - Show version information
|
- `ksigner version` - Show version information
|
||||||
|
|
||||||
## Automatic Kernel Signing
|
|
||||||
|
|
||||||
When `SIGN_ON_UPDATE=true` in the configuration, kernels are automatically signed when installed via package manager. The hook script `/etc/kernel/postinst.d/zz-ksigner` handles this process.
|
|
||||||
|
|
||||||
Logs are written to `/var/log/ksigner.log`.
|
|
||||||
|
|
||||||
## File Locations
|
## File Locations
|
||||||
|
|
||||||
- **Configuration**: `/etc/ksigner/ksigner.conf`
|
- **Configuration**: `/etc/ksigner/ksigner.conf`
|
||||||
@ -108,7 +94,6 @@ Logs are written to `/var/log/ksigner.log`.
|
|||||||
- **Private Key**: `/etc/pki/sbsign/private/MOK.priv`
|
- **Private Key**: `/etc/pki/sbsign/private/MOK.priv`
|
||||||
- **DER Key**: `/etc/pki/sbsign/certs/MOK.der`
|
- **DER Key**: `/etc/pki/sbsign/certs/MOK.der`
|
||||||
- **Log File**: `/var/log/ksigner.log`
|
- **Log File**: `/var/log/ksigner.log`
|
||||||
- **Update Hook**: `/etc/kernel/postinst.d/zz-ksigner`
|
|
||||||
|
|
||||||
## Security Notes
|
## Security Notes
|
||||||
|
|
||||||
|
@ -41,7 +41,7 @@ Show the current status of signing keys and MOK enrollment.
|
|||||||
.SH FILES
|
.SH FILES
|
||||||
.TP
|
.TP
|
||||||
.I /etc/ksigner/ksigner.conf
|
.I /etc/ksigner/ksigner.conf
|
||||||
Main configuration file. Contains key paths, automatic signing settings, and LTS version definitions.
|
Main configuration file.
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.I /etc/pki/sbsign/certs/MOK.pem
|
.I /etc/pki/sbsign/certs/MOK.pem
|
||||||
@ -55,13 +55,9 @@ Private signing key.
|
|||||||
.I /etc/pki/sbsign/certs/MOK.der
|
.I /etc/pki/sbsign/certs/MOK.der
|
||||||
Public signing key in DER format for MOK import.
|
Public signing key in DER format for MOK import.
|
||||||
|
|
||||||
.TP
|
|
||||||
.I /etc/kernel/postinst.d/zz-ksigner
|
|
||||||
Kernel update hook script for automatic signing.
|
|
||||||
|
|
||||||
.TP
|
.TP
|
||||||
.I /var/log/ksigner.log
|
.I /var/log/ksigner.log
|
||||||
Log file for automatic signing operations.
|
Log file.
|
||||||
|
|
||||||
.SH CONFIGURATION
|
.SH CONFIGURATION
|
||||||
The behavior of ksigner can be customized through the configuration file
|
The behavior of ksigner can be customized through the configuration file
|
||||||
@ -72,21 +68,6 @@ Key configuration options include:
|
|||||||
.B KEY_LIFETIME_DAYS
|
.B KEY_LIFETIME_DAYS
|
||||||
Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
|
Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
|
||||||
|
|
||||||
.TP
|
|
||||||
.B SIGN_ON_UPDATE
|
|
||||||
Enable or disable automatic signing when kernels are updated (default: true).
|
|
||||||
|
|
||||||
.TP
|
|
||||||
.B AUTO_SIGN_TYPE
|
|
||||||
Type of automatic signing to perform on kernel updates.
|
|
||||||
Valid options are: sign, sign-all (default: sign).
|
|
||||||
|
|
||||||
.SH AUTOMATIC KERNEL SIGNING
|
|
||||||
When SIGN_ON_UPDATE is enabled in the configuration, new kernels are automatically signed
|
|
||||||
when they are installed through the package manager. The kernel update hook script
|
|
||||||
.I /etc/kernel/postinst.d/zz-ksigner
|
|
||||||
is executed during kernel package installation and performs the configured signing operation.
|
|
||||||
|
|
||||||
.SH EXAMPLES
|
.SH EXAMPLES
|
||||||
.TP
|
.TP
|
||||||
Set up signing keys for the first time:
|
Set up signing keys for the first time:
|
||||||
|
@ -40,9 +40,6 @@ install -m 755 ksigner %{buildroot}%{_bindir}/ksigner
|
|||||||
# Install configuration file
|
# Install configuration file
|
||||||
install -m 644 ksigner.conf %{buildroot}%{_sysconfdir}/ksigner/ksigner.conf
|
install -m 644 ksigner.conf %{buildroot}%{_sysconfdir}/ksigner/ksigner.conf
|
||||||
|
|
||||||
# Install kernel update hook
|
|
||||||
install -m 755 ksigner-update-hook %{buildroot}%{_sysconfdir}/kernel/postinst.d/zz-ksigner
|
|
||||||
|
|
||||||
# Install man page
|
# Install man page
|
||||||
install -m 644 ksigner.8 %{buildroot}%{_mandir}/man8/ksigner.8
|
install -m 644 ksigner.8 %{buildroot}%{_mandir}/man8/ksigner.8
|
||||||
|
|
||||||
@ -60,11 +57,9 @@ echo "==========================================="
|
|||||||
%doc README.md
|
%doc README.md
|
||||||
%{_bindir}/ksigner
|
%{_bindir}/ksigner
|
||||||
%config(noreplace) %{_sysconfdir}/ksigner/ksigner.conf
|
%config(noreplace) %{_sysconfdir}/ksigner/ksigner.conf
|
||||||
%{_sysconfdir}/kernel/postinst.d/zz-ksigner
|
|
||||||
%{_mandir}/man8/ksigner.8*
|
%{_mandir}/man8/ksigner.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Sep 23 2025 RadioactivePb <radioactivepb@gmail.com> - @VERSION@-@RELEASE@
|
* Tue Sep 23 2025 RadioactivePb <radioactivepb@gmail.com> - 1.0.1-1
|
||||||
- Initial RPM release
|
- Initial RPM release
|
||||||
- Added automatic kernel signing on updates
|
|
||||||
- Added configuration file support
|
- Added configuration file support
|
||||||
|
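Review bot: The `%changelog` header now hard-codes `1.0.1-1` where it previously read `@VERSION@-@RELEASE@`; if this spec is a template that the build fills in from the `RELEASE` file (the Makefile's `CLEANFILES` lists a generated `$(NAME).spec`, which suggests it is), the changelog entry will stop tracking the packaged version and rpmlint will typically flag the mismatch on the next bump. Keeping the placeholder line, `* Tue Sep 23 2025 RadioactivePb <radioactivepb@gmail.com> - @VERSION@-@RELEASE@`, or adding a new dated entry per release, avoids that. Removing `%{_sysconfdir}/kernel/postinst.d/zz-ksigner` from `%files` is enough on the RPM side, since rpm deletes files that drop out of a package on upgrade, so no `%pre`/`%postun` cleanup is needed here.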
@ -1,67 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# Kernel update hook for automatic signing
|
|
||||||
# This script is called when new kernels are installed
|
|
||||||
|
|
||||||
CONFIG_FILE="/etc/ksigner/ksigner.conf"
|
|
||||||
KERNEL_SIGNER="/usr/bin/ksigner"
|
|
||||||
LOG_FILE="/var/log/ksigner.log"
|
|
||||||
|
|
||||||
# Source configuration
|
|
||||||
if [[ -f "$CONFIG_FILE" ]]; then
|
|
||||||
source "$CONFIG_FILE"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Default values
|
|
||||||
SIGN_ON_UPDATE=${SIGN_ON_UPDATE:-true}
|
|
||||||
AUTO_SIGN_TYPE=${AUTO_SIGN_TYPE:-sign}
|
|
||||||
LOG_FILE=${LOG_FILE:-/var/log/ksigner.log}
|
|
||||||
|
|
||||||
log_message() {
|
|
||||||
echo "$(date '+%Y-%m-%d %H:%M:%S') - ksigner-update-hook: $1" >>"$LOG_FILE"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Exit if automatic signing is disabled
|
|
||||||
if [[ "$SIGN_ON_UPDATE" != "true" ]]; then
|
|
||||||
log_message "Automatic signing disabled, skipping"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if ksigner exists and keys are set up
|
|
||||||
if [[ ! -x "$KERNEL_SIGNER" ]]; then
|
|
||||||
log_message "ksigner not found at $KERNEL_SIGNER"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ ! -f "/etc/pki/sbsign/certs/MOK.pem" ]]; then
|
|
||||||
log_message "Signing keys not found, run 'ksigner setup' first"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Get the kernel version from the environment or find the latest
|
|
||||||
if [[ -n "$KERNEL_VERSION" ]]; then
|
|
||||||
KERNEL_FILE="/boot/vmlinuz-$KERNEL_VERSION"
|
|
||||||
if [[ -f "$KERNEL_FILE" ]]; then
|
|
||||||
log_message "Signing newly installed kernel: $KERNEL_VERSION"
|
|
||||||
if "$KERNEL_SIGNER" sign "$KERNEL_FILE" >>"$LOG_FILE" 2>&1; then
|
|
||||||
log_message "Successfully signed kernel $KERNEL_VERSION"
|
|
||||||
else
|
|
||||||
log_message "Failed to sign kernel $KERNEL_VERSION"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
log_message "Kernel file not found: $KERNEL_FILE"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
# Fallback to configured auto-sign type
|
|
||||||
log_message "Running automatic signing: $AUTO_SIGN_TYPE"
|
|
||||||
if "$KERNEL_SIGNER" "$AUTO_SIGN_TYPE" >>"$LOG_FILE" 2>&1; then
|
|
||||||
log_message "Successfully completed $AUTO_SIGN_TYPE"
|
|
||||||
else
|
|
||||||
log_message "Failed to complete $AUTO_SIGN_TYPE"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
exit 0
|
|
@ -13,13 +13,5 @@ KEY_PUB="MOK.pem"
|
|||||||
KEY_PRIV="MOK.priv"
|
KEY_PRIV="MOK.priv"
|
||||||
KEY_DER="MOK.der"
|
KEY_DER="MOK.der"
|
||||||
|
|
||||||
# Automatic signing on kernel updates
|
# Log file
|
||||||
# Set to true to enable automatic signing when kernels are updated
|
|
||||||
SIGN_ON_UPDATE=true
|
|
||||||
|
|
||||||
# Type of automatic signing to perform
|
|
||||||
# Options: sign, sign-all
|
|
||||||
AUTO_SIGN_TYPE="sign"
|
|
||||||
|
|
||||||
# Log file for automatic signing operations
|
|
||||||
LOG_FILE="/var/log/ksigner.log"
|
LOG_FILE="/var/log/ksigner.log"
|
||||||
|
@ -16,8 +16,6 @@ KEY_PUB=${KEY_PUB:-MOK.pem}
|
|||||||
KEY_PRIV_DIR=${KEY_PRIV_DIR:-/etc/pki/sbsign/private/}
|
KEY_PRIV_DIR=${KEY_PRIV_DIR:-/etc/pki/sbsign/private/}
|
||||||
KEY_PRIV=${KEY_PRIV:-MOK.priv}
|
KEY_PRIV=${KEY_PRIV:-MOK.priv}
|
||||||
KEY_DER=${KEY_DER:-MOK.der}
|
KEY_DER=${KEY_DER:-MOK.der}
|
||||||
SIGN_ON_UPDATE=${SIGN_ON_UPDATE:-true}
|
|
||||||
AUTO_SIGN_TYPE=${AUTO_SIGN_TYPE:-sign}
|
|
||||||
|
|
||||||
REQUIRED_BINARIES=(
|
REQUIRED_BINARIES=(
|
||||||
"openssl"
|
"openssl"
|
||||||
|