-
Notifications
You must be signed in to change notification settings - Fork 40
/
dual-sign-zfs.sh
executable file
·50 lines (45 loc) · 2.56 KB
/
dual-sign-zfs.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#!/usr/bin/bash
set -eoux pipefail
KERNEL="$(rpm -q "${KERNEL_NAME}" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
SIGNING_KEY_1="/tmp/certs/signing_key_1.pem"
SIGNING_KEY_2="/tmp/certs/signing_key_2.pem"
PUBLIC_CHAIN="/tmp/certs/public_key_chain.pem"
if [[ "${DUAL_SIGN}" == "true" ]]; then
ln -s / /tmp/buildroot
dnf install -y /var/cache/rpms/kmods/zfs/*.rpm pv
modinfo /usr/lib/modules/"${KERNEL}"/extra/zfs/spl.ko
for module in /usr/lib/modules/"${KERNEL}"/extra/zfs/*.ko*; do
module_basename=${module:0:-3}
module_suffix=${module: -3}
if [[ "$module_suffix" == ".xz" ]]; then
xz --decompress "$module"
openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap
/usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_CHAIN}" "${module_basename}"
/tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}"
xz -f "${module_basename}"
elif [[ "$module_suffix" == ".gz" ]]; then
gzip -d "$module"
openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap
/usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_CHAIN}" "${module_basename}"
/tmp/dual-sign-check.sh "${KERNEL}" "${module_basename}" "${PUBLIC_CHAIN}"
gzip -9f "${module_basename}"
else
openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module" -outform DER -out "${module}.cms" -nocerts -noattr -nosmimecap
/usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module}.cms" sha256 "${PUBLIC_CHAIN}" "${module}"
/tmp/dual-sign-check.sh "${KERNEL}" "${module}" "${PUBLIC_CHAIN}"
fi
done
rpmrebuild --additional=--buildroot=/tmp/buildroot --batch /var/cache/rpms/kmods/zfs/kmod-zfs-*.rpm
rm -rf /usr/lib/modules/"${KERNEL}"/extra
dnf reinstall -y /root/rpmbuild/RPMS/"$(uname -m)"/kmod-*-"${KERNEL}"-*.rpm
for module in /usr/lib/modules/"${KERNEL}"/extra/*/*.ko*; do
if ! modinfo "${module}"; then
exit 1
fi
done
mv -f /root/rpmbuild/RPMS/"$(uname -m)"/kmod-*.rpm /var/cache/rpms/kmods/zfs/
fi
for RPM in $(find /var/cache/akmods/ -type f -name \*.rpm); do
cp "${RPM}" /var/cache/rpms/kmods/
done
find /var/cache/rpms