add auto signing via dnf5 actions plugin

This commit is contained in:
radon 2025-09-24 09:55:37 -05:00
parent e57d12a98f
commit ec57c75445
7 changed files with 69 additions and 8 deletions


@ -1,9 +1,11 @@
NAME = ksigner NAME = ksigner
VERSION = $(shell cat VERSION) VERSION = $(shell cat VERSION)
RELEASE = $(shell cat RELEASE) RELEASE = $(shell cat RELEASE)
MONTH = $(shell date +%B)
YEAR = $(shell date +%Y)
SOURCEDIR = . SOURCEDIR = .
BUILDDIR = build BUILDDIR = build
SOURCES = src/ksigner src/ksigner.conf docs/ksigner.8 README.md LICENSE SOURCES = src/ksigner src/ksigner.conf docs/ksigner.8 src/dnf/ksigner.actions README.md LICENSE
CLEANFILES = $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8 noarch *.tar.gz *.rpm *.src.rpm CLEANFILES = $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8 noarch *.tar.gz *.rpm *.src.rpm
.PHONY: all clean dist rpm srpm install .PHONY: all clean dist rpm srpm install
@ -19,14 +21,20 @@ $(BUILDDIR):
%.spec: %.spec.in VERSION RELEASE %.spec: %.spec.in VERSION RELEASE
sed -e 's/@VERSION@/$(VERSION)/g' \ sed -e 's/@VERSION@/$(VERSION)/g' \
-e 's/@RELEASE@/$(RELEASE)/g' \ -e 's/@RELEASE@/$(RELEASE)/g' \
-e 's/@MONTH@/$(MONTH)/g' \
-e 's/@YEAR@/$(YEAR)/g' \
$< > $@ $< > $@
src/%: src/%.in VERSION RELEASE src/%: src/%.in VERSION RELEASE
sed -e 's/@VERSION@/$(VERSION)/g' \ sed -e 's/@VERSION@/$(VERSION)/g' \
-e 's/@MONTH@/$(MONTH)/g' \
-e 's/@YEAR@/$(YEAR)/g' \
$< > $@ $< > $@
docs/%: docs/%.in VERSION RELEASE docs/%: docs/%.in VERSION RELEASE
sed -e 's/@VERSION@/$(VERSION)/g' \ sed -e 's/@VERSION@/$(VERSION)/g' \
-e 's/@MONTH@/$(MONTH)/g' \
-e 's/@YEAR@/$(YEAR)/g' \
$< > $@ $< > $@
dist: $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8 dist: $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8
@ -53,6 +61,8 @@ install:
install -d $(DESTDIR)/etc/ksigner install -d $(DESTDIR)/etc/ksigner
install -d $(DESTDIR)/etc/kernel/postinst.d install -d $(DESTDIR)/etc/kernel/postinst.d
install -d $(DESTDIR)/usr/share/man/man8 install -d $(DESTDIR)/usr/share/man/man8
install -d $(DESTDIR)/etc/dnf/libdnf5-plugins/actions.d
install -m 755 src/ksigner $(DESTDIR)/usr/bin/ install -m 755 src/ksigner $(DESTDIR)/usr/bin/
install -m 755 src/dnf/ksigner.actions $(DESTDIR)/etc/dnf/libdnf5-plugins/actions.d/
install -m 644 src/ksigner.conf $(DESTDIR)/etc/ksigner/ install -m 644 src/ksigner.conf $(DESTDIR)/etc/ksigner/
install -m 644 docs/ksigner.8 $(DESTDIR)/usr/share/man/man8/ install -m 644 docs/ksigner.8 $(DESTDIR)/usr/share/man/man8/
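Review bot: The new `MONTH = $(shell date +%B)` and `YEAR = $(shell date +%Y)` lines use recursive `=`, so `date` is forked again on every expansion (once per `-e` line in the three substitution rules), and `%B` is locale-dependent, so the man page header changes with the builder's `LANG`. Use simple assignment with a pinned locale: `MONTH := $(shell LC_ALL=C date +%B)` and `YEAR := $(shell date +%Y)`. Stamping the build date into generated files also makes the artefacts non-reproducible; deriving the date from `SOURCE_DATE_EPOCH` when that variable is set would address it, which is a judgement call for the project. Separately, `install -m 755 src/dnf/ksigner.actions` (mirrored in the spec's `%install`) installs what appears to be a plugin configuration file as executable; `-m 644` matches `ksigner.conf` and is sufficient unless the plugin executes the file itself rather than parsing it.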


@ -1 +1 @@
0.1.1 0.2.0


@ -1,4 +1,4 @@
.TH KSIGNER 8 "September 2025" "ksigner @VERSION@" "System Administration" .TH ksigner 8 "@MONTH@ @YEAR@" "ksigner @VERSION@" "System Administration"
.SH NAME .SH NAME
ksigner \- Secure Boot kernel signing utility ksigner \- Secure Boot kernel signing utility
@ -12,6 +12,7 @@ ksigner \- Secure Boot kernel signing utility
.B ksigner .B ksigner
is a utility for signing Linux kernels with custom keys for Secure Boot environments. is a utility for signing Linux kernels with custom keys for Secure Boot environments.
It supports signing individual kernels or all available kernels. It supports signing individual kernels or all available kernels.
The utility includes libdnf5-plugin-actions integration for automatic kernel signing.
.SH COMMANDS .SH COMMANDS
.TP .TP
@ -41,7 +42,7 @@ Show the current status of signing keys and MOK enrollment.
.SH FILES .SH FILES
.TP .TP
.I /etc/ksigner/ksigner.conf .I /etc/ksigner/ksigner.conf
Main configuration file. Main configuration file. Contains key paths, automatic signing settings, and LTS version definitions.
.TP .TP
.I /etc/pki/sbsign/certs/MOK.pem .I /etc/pki/sbsign/certs/MOK.pem
@ -57,7 +58,11 @@ Public signing key in DER format for MOK import.
.TP .TP
.I /var/log/ksigner.log .I /var/log/ksigner.log
Log file. Log file for automatic signing operations.
.TP
.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
Kernel update hook script for automatic signing.
.SH CONFIGURATION .SH CONFIGURATION
The behavior of ksigner can be customized through the configuration file The behavior of ksigner can be customized through the configuration file
@ -68,6 +73,20 @@ Key configuration options include:
.B KEY_LIFETIME_DAYS .B KEY_LIFETIME_DAYS
Number of days the signing keys should remain valid (default: 36500, approximately 100 years). Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
.TP
.B AUTO_SIGN
Enable or disable automatic kernel signing when kernels are installed via package manager.
Set to "true" to enable, "false" to disable (default: true). Only works on DNF5 systems.
.SH SYSTEMD INTEGRATION
The package includes systemd service files for integration with the system:
.SH AUTOMATIC KERNEL SIGNING
When AUTO_SIGN (AUTO_SIGN=true) is enabled in the configuration, new kernels are automatically signed
when they are installed through the package manager. The kernel update hook script
.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
is executed after kernel package installation and performs the configured signing operation.
.SH EXAMPLES .SH EXAMPLES
.TP .TP
Set up signing keys for the first time: Set up signing keys for the first time:
@ -89,6 +108,20 @@ Sign all kernels:
Check the status of signing keys: Check the status of signing keys:
.B ksigner status .B ksigner status
.SH AUTOMATIC KERNEL SIGNING
On systems using DNF5, ksigner can automatically sign newly installed kernels
through a post-transaction hook. This feature is controlled by the
.B AUTO_SIGN
setting in the configuration file.
When automatic signing is enabled, kernels are signed immediately after installation
via the package manager. All signing operations are logged to
.IR /var/log/ksigner.log .
Note: Automatic signing requires that signing keys have been set up previously using
.B ksigner setup
and that the MOK has been enrolled.
.SH REQUIREMENTS .SH REQUIREMENTS
The following packages must be installed for ksigner to function: The following packages must be installed for ksigner to function:
.IP \(bu 4 .IP \(bu 4
@ -103,6 +136,8 @@ hmaccalc - for generating kernel HMAC files
sudo - for privilege escalation sudo - for privilege escalation
.IP \(bu 4 .IP \(bu 4
bash (version 4.0 or later) - for shell scripting features bash (version 4.0 or later) - for shell scripting features
.IP \(bu 4
libdnf5-plugin-actions - for automatic kernel signing (Fedora systems only)
.SH SECURITY CONSIDERATIONS .SH SECURITY CONSIDERATIONS
.IP \(bu 4 .IP \(bu 4


@ -15,6 +15,8 @@ Requires: sbsigntools
Requires: hmaccalc Requires: hmaccalc
Requires: sudo Requires: sudo
Requires: bash >= 4.0 Requires: bash >= 4.0
Requires: dnf5
Requires: libdnf5-plugin-actions
%description %description
A utility for signing Linux kernels with custom keys for Secure Boot. A utility for signing Linux kernels with custom keys for Secure Boot.
@ -24,7 +26,7 @@ Supports signing individual kernels or all kernels.
%setup -q %setup -q
%build %build
# Nothing to build - shell script # Nothing to build
%install %install
# Create directories # Create directories
@ -33,6 +35,7 @@ install -d %{buildroot}%{_sysconfdir}/ksigner
install -d %{buildroot}%{_unitdir} install -d %{buildroot}%{_unitdir}
install -d %{buildroot}%{_sysconfdir}/kernel/postinst.d install -d %{buildroot}%{_sysconfdir}/kernel/postinst.d
install -d %{buildroot}%{_mandir}/man8 install -d %{buildroot}%{_mandir}/man8
install -d %{buildroot}%{_sysconfdir}/dnf/libdnf5-plugins/actions.d
# Install main script # Install main script
install -m 755 ksigner %{buildroot}%{_bindir}/ksigner install -m 755 ksigner %{buildroot}%{_bindir}/ksigner
@ -43,6 +46,9 @@ install -m 644 ksigner.conf %{buildroot}%{_sysconfdir}/ksigner/ksigner.conf
# Install man page # Install man page
install -m 644 ksigner.8 %{buildroot}%{_mandir}/man8/ksigner.8 install -m 644 ksigner.8 %{buildroot}%{_mandir}/man8/ksigner.8
# Install dnf5 plugin
install -m 755 ksigner.actions %{buildroot}%{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions
%post %post
echo "===========================================" echo "==========================================="
echo "Kernel Signer has been installed." echo "Kernel Signer has been installed."
@ -58,8 +64,11 @@ echo "==========================================="
%{_bindir}/ksigner %{_bindir}/ksigner
%config(noreplace) %{_sysconfdir}/ksigner/ksigner.conf %config(noreplace) %{_sysconfdir}/ksigner/ksigner.conf
%{_mandir}/man8/ksigner.8* %{_mandir}/man8/ksigner.8*
%{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions
%changelog %changelog
* Tue Sep 23 2025 RadioactivePb <radioactivepb@gmail.com> - 1.0.1-1 * Wed Sep 24 2025 RadioactivePb <radioactivepb@gmail.com> - 0.2.0-1
- Added libdnf5 actions plugin for automatic kernel signing
* Tue Sep 23 2025 RadioactivePb <radioactivepb@gmail.com> - 0.1.1-1
- Initial RPM release - Initial RPM release
- Added configuration file support - Added configuration file support
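Review bot: The new `%files` entry `%{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions` is a file under `/etc` that is not marked `%config`, unlike the neighbouring `ksigner.conf`; because it decides what runs as root after every kernel transaction, `%config %{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions` would preserve a locally edited copy as `.rpmsave`/`.rpmnew` instead of silently overwriting it (plain `%config` rather than `noreplace` if the package should win on upgrade). The hard `Requires: dnf5` and `Requires: libdnf5-plugin-actions` make the whole package uninstallable anywhere without dnf5, although the man page hunk describes automatic signing as an optional DNF5-only feature and the `ksigner sign` path itself does not need the plugin; `Recommends:` for both keeps the core tool installable elsewhere. As in the Makefile, `install -m 755 ksigner.actions` can be `-m 644`, since the plugin parses the file rather than executing it as far as its format shows.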

3
src/dnf/ksigner.actions Normal file

@ -0,0 +1,3 @@
post_transaction:kernel*:in::/usr/bin/sh -c echo\ tmp.kernel_exists=\$\(\[\ -f\ /boot/vmlinuz-\${pkg.version}-\${pkg.release}.\${pkg.arch}\ \]\ \&\&\ echo\ 1\ \|\|\ echo\ 0\)
post_transaction:kernel*:in::/usr/bin/sh -c \[\ \"\${tmp.kernel_exists}\"\ =\ \"1\"\ \]\ \&\&\ echo\ tmp.config_check=\$\(grep\ -q\ \^AUTO_SIGN=true\ /etc/ksigner/ksigner.conf\ 2\>/dev/null\ \&\&\ echo\ 1\ \|\|\ echo\ 0\)
post_transaction:kernel*:in::/usr/bin/sh -c \[\ \"\${tmp.config_check}\"\ =\ \"1\"\ \]\ \&\&\ \[\ \"\${tmp.kernel_exists}\"\ =\ \"1\"\ \]\ \&\&\ /usr/bin/ksigner\ sign\ /boot/vmlinuz-\${pkg.version}-\${pkg.release}.\${pkg.arch}\ \>\>/var/log/ksigner.log\ 2\>\&1
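Review bot: The `kernel*` package filter on all three `post_transaction` lines matches every kernel sub-package in the transaction (`kernel`, `kernel-core`, `kernel-modules`, `kernel-devel`, ...), and since they share the same `${pkg.version}-${pkg.release}.${pkg.arch}` the `/boot/vmlinuz-...` existence test on the first line passes for each of them, so the third line invokes `ksigner sign` several times for the same image during one update; narrowing the filter to the sub-package that actually ships `vmlinuz` (`kernel-core` on Fedora) or setting a `tmp.` marker after the first successful signing and testing it would avoid that. The second line's `grep -q ^AUTO_SIGN=true` recognises only the bare form: `AUTO_SIGN="true"`, written in the quoted style of the other settings in `ksigner.conf` (`LOG_FILE="/var/log/ksigner.log"`), leaves signing silently disabled, so a pattern such as `grep -Eq '^AUTO_SIGN="?true"?[[:space:]]*$'` (escaped for the actions syntax) should be used, or the accepted form documented. Each line is a separate `sh -c` whose `[ ... ] && ...` guard exits non-zero whenever the condition is false; if the plugin reports non-zero exits, every non-matching package will produce a warning, in which case appending `|| true` to the guarded lines is cleaner.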


@ -15,3 +15,7 @@ KEY_DER="MOK.der"
# Log file # Log file
LOG_FILE="/var/log/ksigner.log" LOG_FILE="/var/log/ksigner.log"
# Automatic kernel signing via DNF post-transaction hook
# Uncomment the following line to enable
# AUTO_SIGN=true
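Review bot: The shipped config leaves `AUTO_SIGN` commented out, and the hook in `src/dnf/ksigner.actions` enables signing only when an uncommented `AUTO_SIGN=true` line is present, so the effective default is disabled; the man page hunk in this commit (`Set to "true" to enable, "false" to disable (default: true)`) states the opposite and should read `(default: false)`, or the config should ship `AUTO_SIGN=true` if enabled-by-default is intended. The comment here should also state that the value must be written exactly as `AUTO_SIGN=true`, unquoted, because the hook matches the line textually rather than sourcing the file, e.g. `# Set exactly "AUTO_SIGN=true" (unquoted) to enable; the DNF hook greps for this line`. The same man page hunk also ends up with two sections titled `AUTOMATIC KERNEL SIGNING` and a `SYSTEMD INTEGRATION` heading with no content, which appears to be a leftover from an earlier draft.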


@ -45,7 +45,7 @@ usage() {
version() { version() {
echo "ksigner version @VERSION@" echo "ksigner version @VERSION@"
echo "Copyright (C) 2025" echo "Copyright (C) @YEAR@"
echo "This is free software; see the source for copying conditions." echo "This is free software; see the source for copying conditions."
} }
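Review bot: `echo "Copyright (C) @YEAR@"` ties the copyright year to the build date (the `src/%: src/%.in` rule substitutes `date +%Y`), so rebuilding the same sources next year prints a different notice and the output is no longer reproducible. A copyright notice should carry the fixed year or range of authorship, so keep `echo "Copyright (C) 2025"` in the source (or a maintained range) and substitute only `@VERSION@` here.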