Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15:Update
pesign-obs-integration.9576
README
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File README of Package pesign-obs-integration.9576
Signing kernel modules and EFI binaries in the Open Build Service ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Packages that need to sign files during build should add the following lines to the specfile # needssslcertforbuild export BRP_PESIGN_FILES='pattern...' BuildRequires: pesign-obs-integration The "# needssslcertforbuild" comment tells the buildservice to store the signing certificate in %_sourcedir/_projectcert.crt. At the end of the install phase, the brp-99-pesign script computes hashes of all files matching the patterns in $BRP_PESIGN_FILES. The sha256 hashes are stored in %_topdir/OTHER/%name.cpio.rsasign, plus the script places a pesign-repackage.spec file there. When the first rpmbuild finishes, the buildservice sends the cpio archive to the signing server, which returns a rsasigned.cpio archive with RSA signatures of the sha256 hashes. The pesign-repackage.spec takes the original RPMs, unpacks them and appends the signatures to the files. It then uses the pesign-gen-repackage-spec script to generate another specfile, which builds new RPMs with signed files. The supported file types are: *.ko - Signature appended to the module efi binaries - Signature embedded in a header. If a HMAC checksum named .$file.hmac exists, it is regenerated
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor