From ec57c75445286cdc5cf73179cffdebea79d5a58d Mon Sep 17 00:00:00 2001
From: radon
Date: Wed, 24 Sep 2025 09:55:37 -0500
Subject: [PATCH] add auto signing via dnf5 actions plugin
---
 Makefile | 12 +++++++++++-
 VERSION | 2 +-
 docs/ksigner.8.in | 41 ++++++++++++++++++++++++++++++++++++++---
 ksigner.spec.in | 13 +++++++++++--
 src/dnf/ksigner.actions | 3 +++
 src/ksigner.conf | 4 ++++
 src/ksigner.in | 2 +-
 7 files changed, 69 insertions(+), 8 deletions(-)
 create mode 100644 src/dnf/ksigner.actions
diff --git a/Makefile b/Makefile
index 331d76a..dfc4e76 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,11 @@
 NAME = ksigner
 VERSION = $(shell cat VERSION)
 RELEASE = $(shell cat RELEASE)
+MONTH = $(shell date +%B)
+YEAR = $(shell date +%Y)
 SOURCEDIR = .
 BUILDDIR = build
-SOURCES = src/ksigner src/ksigner.conf docs/ksigner.8 README.md LICENSE
+SOURCES = src/ksigner src/ksigner.conf docs/ksigner.8 src/dnf/ksigner.actions README.md LICENSE
 CLEANFILES = $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8 noarch *.tar.gz *.rpm *.src.rpm
 
 .PHONY: all clean dist rpm srpm install
@@ -19,14 +21,20 @@ $(BUILDDIR):
 %.spec: %.spec.in VERSION RELEASE
 sed -e 's/@VERSION@/$(VERSION)/g' \
 -e 's/@RELEASE@/$(RELEASE)/g' \
+ -e 's/@MONTH@/$(MONTH)/g' \
+ -e 's/@YEAR@/$(YEAR)/g' \
 $< > $@
 
 src/%: src/%.in VERSION RELEASE
 sed -e 's/@VERSION@/$(VERSION)/g' \
+ -e 's/@MONTH@/$(MONTH)/g' \
+ -e 's/@YEAR@/$(YEAR)/g' \
 $< > $@
 
 docs/%: docs/%.in VERSION RELEASE
 sed -e 's/@VERSION@/$(VERSION)/g' \
+ -e 's/@MONTH@/$(MONTH)/g' \
+ -e 's/@YEAR@/$(YEAR)/g' \
 $< > $@
 
 dist: $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8
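Review bot: `MONTH = $(shell date +%B)` and `YEAR = $(shell date +%Y)` use recursive `=`, so `date` is forked again every time the variable is expanded (once per sed invocation below); `:=` evaluates it once, and the existing `VERSION`/`RELEASE` lines would benefit from the same change. `date +%B` is also locale-dependent, so the `.TH` header of the generated man page varies with the builder's LANG, and a build-time date makes the output non-reproducible across rebuilds of the same tag. Suggest `MONTH := $(shell LC_ALL=C date +%B)` and `YEAR := $(shell LC_ALL=C date +%Y)`, and consider deriving both from `SOURCE_DATE_EPOCH` when that variable is set.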
@@ -53,6 +61,8 @@ install:
 install -d $(DESTDIR)/etc/ksigner
 install -d $(DESTDIR)/etc/kernel/postinst.d
 install -d $(DESTDIR)/usr/share/man/man8
+ install -d $(DESTDIR)/etc/dnf/libdnf5-plugins/actions.d
 install -m 755 src/ksigner $(DESTDIR)/usr/bin/
+ install -m 755 src/dnf/ksigner.actions $(DESTDIR)/etc/dnf/libdnf5-plugins/actions.d/
 install -m 644 src/ksigner.conf $(DESTDIR)/etc/ksigner/
 install -m 644 docs/ksigner.8 $(DESTDIR)/usr/share/man/man8/
diff --git a/VERSION b/VERSION
index 17e51c3..0ea3a94 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.1.1
+0.2.0
diff --git a/docs/ksigner.8.in b/docs/ksigner.8.in
index 638e307..f6e9106 100644
--- a/docs/ksigner.8.in
+++ b/docs/ksigner.8.in
@@ -1,4 +1,4 @@
-.TH KSIGNER 8 "September 2025" "ksigner @VERSION@" "System Administration"
+.TH ksigner 8 "@MONTH@ @YEAR@" "ksigner @VERSION@" "System Administration"
 .SH NAME
 ksigner \- Secure Boot kernel signing utility
 
@@ -12,6 +12,7 @@ ksigner \- Secure Boot kernel signing utility
 .B ksigner
 is a utility for signing Linux kernels with custom keys for Secure Boot environments.
 It supports signing individual kernels or all available kernels.
+The utility includes libdnf5-plugin-actions integration for automatic kernel signing.
 
 .SH COMMANDS
 .TP
@@ -41,7 +42,7 @@ Show the current status of signing keys and MOK enrollment.
 .SH FILES
 .TP
 .I /etc/ksigner/ksigner.conf
-Main configuration file.
+Main configuration file. Contains key paths, automatic signing settings, and LTS version definitions.
 
 .TP
 .I /etc/pki/sbsign/certs/MOK.pem
@@ -57,7 +58,11 @@ Public signing key in DER format for MOK import.
 
 .TP
 .I /var/log/ksigner.log
-Log file.
+Log file for automatic signing operations.
+
+.TP
+.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
+Kernel update hook script for automatic signing.
 
 .SH CONFIGURATION
 The behavior of ksigner can be customized through the configuration file
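Review bot: `install -m 755 src/dnf/ksigner.actions $(DESTDIR)/etc/dnf/libdnf5-plugins/actions.d/` installs the actions definition as an executable, but as far as I know the libdnf5 actions plugin parses `actions.d/*.actions` as configuration and does not execute the file itself. It should get the same mode as the other configuration installed in this rule, `install -m 644 src/dnf/ksigner.actions $(DESTDIR)/etc/dnf/libdnf5-plugins/actions.d/`. The same 755 mode is used in the ksigner.spec.in hunk at `@@ -43,6 +46,9 @@`.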
@@ -68,6 +73,20 @@ Key configuration options include:
 .B KEY_LIFETIME_DAYS
 Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
+.TP
+.B AUTO_SIGN
+Enable or disable automatic kernel signing when kernels are installed via package manager.
+Set to "true" to enable, "false" to disable (default: true). Only works on DNF5 systems.
+
+.SH SYSTEMD INTEGRATION
+The package includes systemd service files for integration with the system:
+
+.SH AUTOMATIC KERNEL SIGNING
+When AUTO_SIGN (AUTO_SIGN=true) is enabled in the configuration, new kernels are automatically signed
+when they are installed through the package manager. The kernel update hook script
+.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
+is executed after kernel package installation and performs the configured signing operation.
+
 
 .SH EXAMPLES
 .TP
 Set up signing keys for the first time:
@@ -89,6 +108,20 @@ Sign all kernels:
 Check the status of signing keys:
 .B ksigner status
 
+.SH AUTOMATIC KERNEL SIGNING
+On systems using DNF5, ksigner can automatically sign newly installed kernels
+through a post-transaction hook. This feature is controlled by the
+.B AUTO_SIGN
+setting in the configuration file.
+
+When automatic signing is enabled, kernels are signed immediately after installation
+via the package manager. All signing operations are logged to
+.IR /var/log/ksigner.log .
+
+Note: Automatic signing requires that signing keys have been set up previously using
+.B ksigner setup
+and that the MOK has been enrolled.
+
 .SH REQUIREMENTS
 The following packages must be installed for ksigner to function:
 .IP \(bu 4
@@ -103,6 +136,8 @@ hmaccalc - for generating kernel HMAC files
 sudo - for privilege escalation
 .IP \(bu 4
 bash (version 4.0 or later) - for shell scripting features
+.IP \(bu 4
+libdnf5-plugin-actions - for automatic kernel signing (Fedora systems only)
 
 .SH SECURITY CONSIDERATIONS
 .IP \(bu 4
diff --git a/ksigner.spec.in b/ksigner.spec.in
index f348630..7112863 100644
--- a/ksigner.spec.in
+++ b/ksigner.spec.in
@@ -15,6 +15,8 @@ Requires: sbsigntools
 Requires: hmaccalc
 Requires: sudo
 Requires: bash >= 4.0
+Requires: dnf5
+Requires: libdnf5-plugin-actions
 
 %description
 A utility for signing Linux kernels with custom keys for Secure Boot.
@@ -24,7 +26,7 @@ Supports signing individual kernels or all kernels.
 %setup -q
 
 %build
-# Nothing to build - shell script
+# Nothing to build
 
 %install
 # Create directories
@@ -33,6 +35,7 @@ install -d %{buildroot}%{_sysconfdir}/ksigner
 install -d %{buildroot}%{_unitdir}
 install -d %{buildroot}%{_sysconfdir}/kernel/postinst.d
 install -d %{buildroot}%{_mandir}/man8
+install -d %{buildroot}%{_sysconfdir}/dnf/libdnf5-plugins/actions.d
 
 # Install main script
 install -m 755 ksigner %{buildroot}%{_bindir}/ksigner
@@ -43,6 +46,9 @@ install -m 644 ksigner.conf %{buildroot}%{_sysconfdir}/ksigner/ksigner.conf
 # Install man page
 install -m 644 ksigner.8 %{buildroot}%{_mandir}/man8/ksigner.8
+# Install dnf5 plugin
+install -m 755 ksigner.actions %{buildroot}%{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions
+
 
 %post
 echo "==========================================="
 echo "Kernel Signer has been installed."
@@ -58,8 +64,11 @@ echo "==========================================="
 %{_bindir}/ksigner
 %config(noreplace) %{_sysconfdir}/ksigner/ksigner.conf
 %{_mandir}/man8/ksigner.8*
+%{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions
 
 %changelog
-* Tue Sep 23 2025 RadioactivePb - 1.0.1-1
+* Wed Sep 24 2025 RadioactivePb - 0.2.0-1
+- Added libdnf5 actions plugin for automatic kernel signing
+* Tue Sep 23 2025 RadioactivePb - 0.1.1-1
 - Initial RPM release
 - Added configuration file support
diff --git a/src/dnf/ksigner.actions b/src/dnf/ksigner.actions
new file mode 100644
index 0000000..99664da
--- /dev/null
+++ b/src/dnf/ksigner.actions
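Review bot: `Requires: dnf5` and `Requires: libdnf5-plugin-actions` in the first hunk turn an optional, DNF5-only feature (the man page in this same commit says `Only works on DNF5 systems`) into a hard dependency, so the package becomes uninstallable on any system where dnf5 is not the package manager even though signing by hand would work there. If the core tool should stay usable on such systems, `Recommends: libdnf5-plugin-actions` is the usual weak-dependency form. The separate `dnf5` line is probably redundant once the plugin package pulls in its own dependencies, though I have not checked that package's requires.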
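Review bot: In the `%files` hunk, `%{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions` is listed without a `%config` marker although it lives under /etc; rpmlint reports this, and it means a locally edited hook is overwritten silently on upgrade. Since the file carries logic the package should be allowed to update, plain `%config %{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions` (without the `noreplace` used for ksigner.conf) seems right: rpm installs the packaged version and preserves a modified local copy as `.rpmsave`.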
@@ -0,0 +1,3 @@
+post_transaction:kernel*:in::/usr/bin/sh -c echo\ tmp.kernel_exists=\$\(\[\ -f\ /boot/vmlinuz-\${pkg.version}-\${pkg.release}.\${pkg.arch}\ \]\ \&\&\ echo\ 1\ \|\|\ echo\ 0\)
+post_transaction:kernel*:in::/usr/bin/sh -c \[\ \"\${tmp.kernel_exists}\"\ =\ \"1\"\ \]\ \&\&\ echo\ tmp.config_check=\$\(grep\ -q\ \^AUTO_SIGN=true\ /etc/ksigner/ksigner.conf\ 2\>/dev/null\ \&\&\ echo\ 1\ \|\|\ echo\ 0\)
+post_transaction:kernel*:in::/usr/bin/sh -c \[\ \"\${tmp.config_check}\"\ =\ \"1\"\ \]\ \&\&\ \[\ \"\${tmp.kernel_exists}\"\ =\ \"1\"\ \]\ \&\&\ /usr/bin/ksigner\ sign\ /boot/vmlinuz-\${pkg.version}-\${pkg.release}.\${pkg.arch}\ \>\>/var/log/ksigner.log\ 2\>\&1
diff --git a/src/ksigner.conf b/src/ksigner.conf
index f119288..53f8fec 100644
--- a/src/ksigner.conf
+++ b/src/ksigner.conf
@@ -15,3 +15,7 @@ KEY_DER="MOK.der"
 
 # Log file
 LOG_FILE="/var/log/ksigner.log"
+
+# Automatic kernel signing via DNF post-transaction hook
+# Uncomment the following line to enable
+# AUTO_SIGN=true
diff --git a/src/ksigner.in b/src/ksigner.in
index 6c698fa..a0d0622 100644
--- a/src/ksigner.in
+++ b/src/ksigner.in
@@ -45,7 +45,7 @@ usage() {
 
 version() {
 echo "ksigner version @VERSION@"
- echo "Copyright (C) 2025"
+ echo "Copyright (C) @YEAR@"
 echo "This is free software; see the source for copying conditions."
 }
 
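Review bot: The enable check on the second line, `grep -q ^AUTO_SIGN=true /etc/ksigner/ksigner.conf`, is anchored only at the front and accepts only the unquoted form, so `AUTO_SIGN="true"` (the quoting every other key in src/ksigner.conf uses, e.g. `LOG_FILE="/var/log/ksigner.log"`) silently leaves automatic signing off while `AUTO_SIGN=trueish` would turn it on; an anchored pattern with optional quotes, at shell level `grep -qE '^AUTO_SIGN="?true"?$'`, fixes both. Lines two and three also exit non-zero whenever their leading `[ … ] &&` guard is false, so every `kernel*` package that is not a bootable kernel (kernel-devel, kernel-headers, …) would presumably be reported by the plugin as a failed action, and when line two's guard is false `tmp.config_check` is never set before line three reads it. Setting the variable in both branches, `… && echo tmp.config_check=$(…) || echo tmp.config_check=0`, and wrapping the third line as `if [ "${tmp.config_check}" = "1" ] && [ "${tmp.kernel_exists}" = "1" ]; then /usr/bin/ksigner sign … >>/var/log/ksigner.log 2>&1; fi` makes the hook exit 0 when there is nothing to do while still surfacing a real signing failure (these are the unescaped shell forms; the file needs them space-escaped like the existing lines). The hard-coded `/var/log/ksigner.log` duplicates `LOG_FILE` from ksigner.conf, so changing one without the other splits the log. Quoting the kernel path, `"/boot/vmlinuz-${pkg.version}-${pkg.release}.${pkg.arch}"`, is cheap defense even though RPM already restricts the characters allowed in those fields.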
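Review bot: The shipped default leaves automatic signing off (`# AUTO_SIGN=true` is commented out and the hook only acts on an uncommented line), yet the man page added in this commit documents `(default: true)`; one of the two should change, and the comment here should state the effective default, e.g. `# Automatic kernel signing via DNF post-transaction hook (disabled by default)`. Because this switch decides whether a freshly installed kernel is signed at all, an administrator trusting the man page would expect signing to happen and only discover the unsigned kernel at the next Secure Boot failure.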
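Review bot: `echo "Copyright (C) @YEAR@"` in `version()` now prints the year the package happened to be built rather than the year of authorship, so regenerating the script later silently changes the copyright notice. A copyright line should carry a fixed year or range; keep the literal, `echo "Copyright (C) 2025"`, or substitute @YEAR@ from a committed value instead of `date`. `version()` is fully contained in this hunk.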