remove auto update
This commit is contained in:
parent
359b40da40
commit
063b48e113
3
Makefile
3
Makefile
@ -4,7 +4,7 @@ RELEASE = $(shell cat RELEASE)
|
||||
DISTS = $(shell cat DISTS)
|
||||
SOURCEDIR = .
|
||||
BUILDDIR = build
|
||||
SOURCES = src/ksigner src/ksigner.conf src/ksigner-update-hook docs/ksigner.8 README.md LICENSE
|
||||
SOURCES = src/ksigner src/ksigner.conf docs/ksigner.8 README.md LICENSE
|
||||
CLEANFILES = $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8 noarch *.tar.gz *.rpm *.src.rpm
|
||||
|
||||
.PHONY: all clean dist rpm srpm install
|
||||
@ -79,5 +79,4 @@ install:
|
||||
install -d $(DESTDIR)/usr/share/man/man8
|
||||
install -m 755 src/ksigner $(DESTDIR)/usr/bin/
|
||||
install -m 644 src/ksigner.conf $(DESTDIR)/etc/ksigner/
|
||||
install -m 755 src/ksigner-update-hook $(DESTDIR)/etc/kernel/postinst.d/zz-ksigner
|
||||
install -m 644 docs/ksigner.8 $(DESTDIR)/usr/share/man/man8/
|
||||
|
||||
19
README.md
19
README.md
@ -1,4 +1,4 @@
|
||||
# Enable/disable automatic signing on kernel updates# Kernel Signer
|
||||
# KSigner
|
||||
|
||||
A secure boot kernel signing utility
|
||||
|
||||
@ -77,15 +77,7 @@ sudo ksigner status
|
||||
|
||||
## Configuration
|
||||
|
||||
Edit `/etc/ksigner/ksigner.conf` to customize behavior:
|
||||
|
||||
```bash
|
||||
# Enable/disable automatic signing on kernel updates
|
||||
SIGN_ON_UPDATE=true
|
||||
|
||||
# Type of automatic signing (sign, sign-all)
|
||||
AUTO_SIGN_TYPE="sign-all"
|
||||
```
|
||||
Edit `/etc/ksigner/ksigner.conf` to customize behavior
|
||||
|
||||
## Commands
|
||||
|
||||
@ -95,12 +87,6 @@ AUTO_SIGN_TYPE="sign-all"
|
||||
- `ksigner status` - Show signing key status
|
||||
- `ksigner version` - Show version information
|
||||
|
||||
## Automatic Kernel Signing
|
||||
|
||||
When `SIGN_ON_UPDATE=true` in the configuration, kernels are automatically signed when installed via package manager. The hook script `/etc/kernel/postinst.d/zz-ksigner` handles this process.
|
||||
|
||||
Logs are written to `/var/log/ksigner.log`.
|
||||
|
||||
## File Locations
|
||||
|
||||
- **Configuration**: `/etc/ksigner/ksigner.conf`
|
||||
@ -108,7 +94,6 @@ Logs are written to `/var/log/ksigner.log`.
|
||||
- **Private Key**: `/etc/pki/sbsign/private/MOK.priv`
|
||||
- **DER Key**: `/etc/pki/sbsign/certs/MOK.der`
|
||||
- **Log File**: `/var/log/ksigner.log`
|
||||
- **Update Hook**: `/etc/kernel/postinst.d/zz-ksigner`
|
||||
|
||||
## Security Notes
|
||||
|
||||
|
||||
@ -41,7 +41,7 @@ Show the current status of signing keys and MOK enrollment.
|
||||
.SH FILES
|
||||
.TP
|
||||
.I /etc/ksigner/ksigner.conf
|
||||
Main configuration file. Contains key paths, automatic signing settings, and LTS version definitions.
|
||||
Main configuration file.
|
||||
|
||||
.TP
|
||||
.I /etc/pki/sbsign/certs/MOK.pem
|
||||
@ -55,13 +55,9 @@ Private signing key.
|
||||
.I /etc/pki/sbsign/certs/MOK.der
|
||||
Public signing key in DER format for MOK import.
|
||||
|
||||
.TP
|
||||
.I /etc/kernel/postinst.d/zz-ksigner
|
||||
Kernel update hook script for automatic signing.
|
||||
|
||||
.TP
|
||||
.I /var/log/ksigner.log
|
||||
Log file for automatic signing operations.
|
||||
Log file.
|
||||
|
||||
.SH CONFIGURATION
|
||||
The behavior of ksigner can be customized through the configuration file
|
||||
@ -72,21 +68,6 @@ Key configuration options include:
|
||||
.B KEY_LIFETIME_DAYS
|
||||
Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
|
||||
|
||||
.TP
|
||||
.B SIGN_ON_UPDATE
|
||||
Enable or disable automatic signing when kernels are updated (default: true).
|
||||
|
||||
.TP
|
||||
.B AUTO_SIGN_TYPE
|
||||
Type of automatic signing to perform on kernel updates.
|
||||
Valid options are: sign, sign-all (default: sign).
|
||||
|
||||
.SH AUTOMATIC KERNEL SIGNING
|
||||
When SIGN_ON_UPDATE is enabled in the configuration, new kernels are automatically signed
|
||||
when they are installed through the package manager. The kernel update hook script
|
||||
.I /etc/kernel/postinst.d/zz-ksigner
|
||||
is executed during kernel package installation and performs the configured signing operation.
|
||||
|
||||
.SH EXAMPLES
|
||||
.TP
|
||||
Set up signing keys for the first time:
|
||||
|
||||
@ -40,9 +40,6 @@ install -m 755 ksigner %{buildroot}%{_bindir}/ksigner
|
||||
# Install configuration file
|
||||
install -m 644 ksigner.conf %{buildroot}%{_sysconfdir}/ksigner/ksigner.conf
|
||||
|
||||
# Install kernel update hook
|
||||
install -m 755 ksigner-update-hook %{buildroot}%{_sysconfdir}/kernel/postinst.d/zz-ksigner
|
||||
|
||||
# Install man page
|
||||
install -m 644 ksigner.8 %{buildroot}%{_mandir}/man8/ksigner.8
|
||||
|
||||
@ -60,11 +57,9 @@ echo "==========================================="
|
||||
%doc README.md
|
||||
%{_bindir}/ksigner
|
||||
%config(noreplace) %{_sysconfdir}/ksigner/ksigner.conf
|
||||
%{_sysconfdir}/kernel/postinst.d/zz-ksigner
|
||||
%{_mandir}/man8/ksigner.8*
|
||||
|
||||
%changelog
|
||||
* Tue Sep 23 2025 RadioactivePb <radioactivepb@gmail.com> - @VERSION@-@RELEASE@
|
||||
* Tue Sep 23 2025 RadioactivePb <radioactivepb@gmail.com> - 1.0.1-1
|
||||
- Initial RPM release
|
||||
- Added automatic kernel signing on updates
|
||||
- Added configuration file support
|
||||
|
||||
@ -1,67 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Kernel update hook for automatic signing
|
||||
# This script is called when new kernels are installed
|
||||
|
||||
CONFIG_FILE="/etc/ksigner/ksigner.conf"
|
||||
KERNEL_SIGNER="/usr/bin/ksigner"
|
||||
LOG_FILE="/var/log/ksigner.log"
|
||||
|
||||
# Source configuration
|
||||
if [[ -f "$CONFIG_FILE" ]]; then
|
||||
source "$CONFIG_FILE"
|
||||
fi
|
||||
|
||||
# Default values
|
||||
SIGN_ON_UPDATE=${SIGN_ON_UPDATE:-true}
|
||||
AUTO_SIGN_TYPE=${AUTO_SIGN_TYPE:-sign}
|
||||
LOG_FILE=${LOG_FILE:-/var/log/ksigner.log}
|
||||
|
||||
log_message() {
|
||||
echo "$(date '+%Y-%m-%d %H:%M:%S') - ksigner-update-hook: $1" >>"$LOG_FILE"
|
||||
}
|
||||
|
||||
# Exit if automatic signing is disabled
|
||||
if [[ "$SIGN_ON_UPDATE" != "true" ]]; then
|
||||
log_message "Automatic signing disabled, skipping"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Check if ksigner exists and keys are set up
|
||||
if [[ ! -x "$KERNEL_SIGNER" ]]; then
|
||||
log_message "ksigner not found at $KERNEL_SIGNER"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ ! -f "/etc/pki/sbsign/certs/MOK.pem" ]]; then
|
||||
log_message "Signing keys not found, run 'ksigner setup' first"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Get the kernel version from the environment or find the latest
|
||||
if [[ -n "$KERNEL_VERSION" ]]; then
|
||||
KERNEL_FILE="/boot/vmlinuz-$KERNEL_VERSION"
|
||||
if [[ -f "$KERNEL_FILE" ]]; then
|
||||
log_message "Signing newly installed kernel: $KERNEL_VERSION"
|
||||
if "$KERNEL_SIGNER" sign "$KERNEL_FILE" >>"$LOG_FILE" 2>&1; then
|
||||
log_message "Successfully signed kernel $KERNEL_VERSION"
|
||||
else
|
||||
log_message "Failed to sign kernel $KERNEL_VERSION"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
log_message "Kernel file not found: $KERNEL_FILE"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
# Fallback to configured auto-sign type
|
||||
log_message "Running automatic signing: $AUTO_SIGN_TYPE"
|
||||
if "$KERNEL_SIGNER" "$AUTO_SIGN_TYPE" >>"$LOG_FILE" 2>&1; then
|
||||
log_message "Successfully completed $AUTO_SIGN_TYPE"
|
||||
else
|
||||
log_message "Failed to complete $AUTO_SIGN_TYPE"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
exit 0
|
||||
@ -13,13 +13,5 @@ KEY_PUB="MOK.pem"
|
||||
KEY_PRIV="MOK.priv"
|
||||
KEY_DER="MOK.der"
|
||||
|
||||
# Automatic signing on kernel updates
|
||||
# Set to true to enable automatic signing when kernels are updated
|
||||
SIGN_ON_UPDATE=true
|
||||
|
||||
# Type of automatic signing to perform
|
||||
# Options: sign, sign-all
|
||||
AUTO_SIGN_TYPE="sign"
|
||||
|
||||
# Log file for automatic signing operations
|
||||
# Log file
|
||||
LOG_FILE="/var/log/ksigner.log"
|
||||
|
||||
@ -16,8 +16,6 @@ KEY_PUB=${KEY_PUB:-MOK.pem}
|
||||
KEY_PRIV_DIR=${KEY_PRIV_DIR:-/etc/pki/sbsign/private/}
|
||||
KEY_PRIV=${KEY_PRIV:-MOK.priv}
|
||||
KEY_DER=${KEY_DER:-MOK.der}
|
||||
SIGN_ON_UPDATE=${SIGN_ON_UPDATE:-true}
|
||||
AUTO_SIGN_TYPE=${AUTO_SIGN_TYPE:-sign}
|
||||
|
||||
REQUIRED_BINARIES=(
|
||||
"openssl"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user