feat: Enable Dual Signing for akmods (#215)

ublue-os · Jul 19, 2024 · 20fce9f · 20fce9f
1 parent 7f7e0d2
commit 20fce9f
Show file tree

Hide file tree

Showing 13 changed files with 207 additions and 65 deletions.
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
@@ -3,12 +3,12 @@ on:
   workflow_call:
     inputs:
       fedora_version:
-        description: 'The Fedora release version: 39, 40, etc'
+        description: "The Fedora release version: 39, 40, etc"
         required: true
         type: string
 env:
-    IMAGE_BASE_NAME: akmods
-    IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+  IMAGE_BASE_NAME: akmods
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}-${{ inputs.fedora_version }}
@@ -170,16 +170,21 @@ jobs:
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
             io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/1728152?s=200&v=4
 
-      - name: Retrieve akmods signing key
+      - name: Retrieve Signing Key
+        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'merge_group'
+        shell: bash
         run: |
           mkdir -p certs
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              echo "Using test signing key"
+          if [[ "${{ github.event_name }}"  == 'pull_request' ]]; then
+            echo "This should not have run... exiting..."
+            exit 1
           else
-              echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv
+            echo "${{ secrets.KERNEL_PRIVKEY }}" > certs/private_key.priv
+            echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key_2.priv
+            # DEBUG: get character count of key
+            wc -c certs/private_key.priv
+            wc -c certs/private_key_2.priv
           fi
-          # DEBUG: get character count of key
-          wc -c certs/private_key.priv
 
       # Build image using Buildah action
       - name: Build Image
@@ -197,6 +202,7 @@ jobs:
             KERNEL_FLAVOR=${{ matrix.kernel_flavor }}
             FEDORA_MAJOR_VERSION=${{ matrix.fedora_version }}
             RPMFUSION_MIRROR=${{ vars.RPMFUSION_MIRROR }}
+            DUAL_SIGN=true
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
 

diff --git a/Containerfile.common b/Containerfile.common
@@ -15,8 +15,9 @@ FROM ${BUILDER_BASE} AS builder
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG RPMFUSION_MIRROR=""
+ARG DUAL_SIGN="true"
 
-COPY build*.sh /tmp
+COPY build*.sh dual-sign.sh /tmp/
 COPY certs /tmp/certs
 
 # cached kernel rpms
@@ -29,12 +30,10 @@ ADD https://copr.fedorainfracloud.org/coprs/ublue-os/akmods/repo/fedora-${FEDORA
 ADD https://negativo17.org/repos/fedora-multimedia.repo \
     /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/negativo17-fedora-multimedia.repo
 
-RUN /tmp/build-prep.sh
-
-RUN /tmp/build-ublue-os-akmods-addons.sh
-
-# Set kernel name
-RUN if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \
+RUN --mount=type=cache,dst=/var/cache/dnf \
+    /tmp/build-prep.sh && \
+    /tmp/build-ublue-os-akmods-addons.sh && \
+    if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \
         export KERNEL_NAME="kernel" \
     ; else \
         export KERNEL_NAME="kernel-surface" \
@@ -48,15 +47,17 @@ RUN if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \
     /tmp/build-kmod-v4l2loopback.sh && \
     /tmp/build-kmod-wl.sh && \
     /tmp/build-kmod-xpadneo.sh && \
-    /tmp/build-kmod-xone.sh
-
-RUN cp /tmp/ublue-os-akmods-addons/rpmbuild/RPMS/noarch/ublue-os-akmods-addons*.rpm \
-      /var/cache/rpms/ublue-os/
-RUN for RPM in $(find /var/cache/akmods/ -type f -name \*.rpm); do \
+    /tmp/build-kmod-xone.sh && \
+    /tmp/dual-sign.sh && \
+    cp /tmp/ublue-os-akmods-addons/rpmbuild/RPMS/noarch/ublue-os-akmods-addons*.rpm \
+      /var/cache/rpms/ublue-os/ && \
+    for RPM in $(find /var/cache/akmods/ -type f -name \*.rpm); do \
         cp "${RPM}" /var/cache/rpms/kmods/; \
-    done
-
-RUN find /var/cache/rpms
+    done && \
+    for RPM in $(find /root/rpmbuild/RPMS/"$(uname -m)"/ -type f -name \*.rpm); do \
+        cp "${RPM}" /var/cache/rpms/kmods/; \
+    done && \
+    find /var/cache/rpms
 
 FROM scratch
 

diff --git a/Containerfile.extra b/Containerfile.extra
@@ -15,8 +15,9 @@ FROM ${BUILDER_BASE} AS builder
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG RPMFUSION_MIRROR=""
+ARG DUAL_SIGN="true"
 
-COPY build*.sh /tmp
+COPY build*.sh dual-sign.sh /tmp/
 COPY certs /tmp/certs
 
 # cached kernel rpms
@@ -29,10 +30,9 @@ ADD https://copr.fedorainfracloud.org/coprs/ublue-os/akmods/repo/fedora-${FEDORA
 ADD https://negativo17.org/repos/fedora-multimedia.repo \
     /tmp/ublue-os-akmods-addons/rpmbuild/SOURCES/negativo17-fedora-multimedia.repo
 
-RUN /tmp/build-prep.sh
-
-# Set kernel name
-RUN if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \
+RUN --mount=type=cache,dst=/var/cache/dnf \
+    /tmp/build-prep.sh && \
+    if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \
         export KERNEL_NAME="kernel" \
     ; else \
         export KERNEL_NAME="kernel-surface" \
@@ -53,13 +53,15 @@ RUN if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \
     /tmp/build-kmod-rtl88xxau.sh && \
     /tmp/build-kmod-ryzen-smu.sh && \
     /tmp/build-kmod-vhba.sh && \
-    /tmp/build-kmod-VirtualBox.sh
-
-RUN for RPM in $(find /var/cache/akmods/ -type f -name \*.rpm); do \
+    /tmp/build-kmod-VirtualBox.sh && \
+    /tmp/dual-sign.sh && \
+    for RPM in $(find /var/cache/akmods/ -type f -name \*.rpm); do \
         cp "${RPM}" /var/cache/rpms/kmods/; \
-    done
-
-RUN find /var/cache/rpms
+    done && \
+    for RPM in $(find /root/rpmbuild/RPMS/"$(uname -m)"/ -type f -name \*.rpm); do \
+        cp "${RPM}" /var/cache/rpms/kmods/; \
+    done && \
+    find /var/cache/rpms
 
 FROM scratch
 

diff --git a/Containerfile.nvidia b/Containerfile.nvidia
@@ -15,8 +15,9 @@ FROM ${BUILDER_BASE} AS builder
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG RPMFUSION_MIRROR=""
+ARG DUAL_SIGN="true"
 
-COPY build*.sh /tmp
+COPY build*.sh dual-sign.sh /tmp/
 COPY certs /tmp/certs
 
 # cached kernel rpms
@@ -29,25 +30,25 @@ COPY files/usr/lib/systemd/system/ublue-nvctk-cdi.service /tmp/ublue-os-nvidia-a
 COPY files/usr/lib/systemd/system-preset/70-ublue-nvctk-cdi.preset /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/70-ublue-nvctk-cdi.preset
 
 
-RUN /tmp/build-prep.sh
-
-RUN /tmp/build-ublue-os-nvidia-addons.sh
-
-RUN if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \
+RUN --mount=type=cache,dst=/var/cache/dnf \
+    /tmp/build-prep.sh && \
+    /tmp/build-ublue-os-nvidia-addons.sh && \
+    if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \
        export KERNEL_NAME="kernel" \
     ; else \
        export KERNEL_NAME="kernel-surface" \
     ; fi && \
-    /tmp/build-kmod-nvidia.sh 550
-
-RUN cp /tmp/ublue-os-nvidia-addons/rpmbuild/RPMS/noarch/ublue-os-nvidia-addons*.rpm \
-      /var/cache/rpms/ublue-os/
-
-RUN for RPM in $(find /var/cache/akmods/ -type f -name \*.rpm); do \
+    /tmp/build-kmod-nvidia.sh 550 && \
+    /tmp/dual-sign.sh && \
+    cp /tmp/ublue-os-nvidia-addons/rpmbuild/RPMS/noarch/ublue-os-nvidia-addons*.rpm \
+      /var/cache/rpms/ublue-os/ && \
+    for RPM in $(find /var/cache/akmods/ -type f -name \*.rpm); do \
         cp "${RPM}" /var/cache/rpms/kmods/; \
-    done
-
-RUN find /var/cache/rpms
+    done && \
+    for RPM in $(find /root/rpmbuild/RPMS/"$(uname -m)"/ -type f -name \*.rpm); do \
+        cp "${RPM}" /var/cache/rpms/kmods/; \
+    done && \
+    find /var/cache/rpms
 
 FROM scratch
 

diff --git a/Containerfile.zfs b/Containerfile.zfs
@@ -14,24 +14,26 @@ FROM ${BUILDER_BASE} AS builder
 
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}"
+ARG DUAL_SIGN="true"
 ARG RPMFUSION_MIRROR=""
 ARG ZFS_MINOR_VERSION="${ZFS_MINOR_VERSION:-2.2}"
 
-COPY build*.sh /tmp
+COPY build*.sh dual-sign-zfs.sh /tmp/
 COPY certs /tmp/certs
 
 # cached kernel rpms
 COPY --from=kernel_cache /tmp/rpms /tmp/kernel_cache
 
 # Set kernel name
-RUN /tmp/build-prep.sh && \
-    /tmp/build-kmod-zfs.sh
-
-RUN for RPM in $(find /var/cache/akmods/ -type f -name \*.rpm); do \
-        cp "${RPM}" /var/cache/rpms/kmods/; \
-    done
-
-RUN find /var/cache/rpms
+RUN --mount=type=cache,dst=/var/cache/dnf \
+    /tmp/build-prep.sh && \
+    if grep -qv "surface" <<< "${KERNEL_FLAVOR}"; then \
+        export KERNEL_NAME="kernel" \
+    ; else \
+        export KERNEL_NAME="kernel-surface" \
+    ; fi && \
+    /tmp/build-kmod-zfs.sh && \
+    /tmp/dual-sign-zfs.sh
 
 FROM scratch
 

diff --git a/build-prep.sh b/build-prep.sh
@@ -1,10 +1,10 @@
-#!/bin/sh
+#!/usr/bin/bash
 
 set -oeux pipefail
 
 
 ### PREPARE REPOS
-ARCH="$(rpm -E '%_arch')"
+# ARCH="$(rpm -E '%_arch')"
 RELEASE="$(rpm -E '%fedora')"
 
 sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
@@ -28,8 +28,8 @@ if [ -n "${RPMFUSION_MIRROR}" ]; then
     RPMFUSION_MIRROR_RPMS=${RPMFUSION_MIRROR}
 fi
 dnf install -y \
-    ${RPMFUSION_MIRROR_RPMS}/free/fedora/rpmfusion-free-release-${RELEASE}.noarch.rpm \
-    ${RPMFUSION_MIRROR_RPMS}/nonfree/fedora/rpmfusion-nonfree-release-${RELEASE}.noarch.rpm \
+    "${RPMFUSION_MIRROR_RPMS}"/free/fedora/rpmfusion-free-release-"${RELEASE}".noarch.rpm \
+    "${RPMFUSION_MIRROR_RPMS}"/nonfree/fedora/rpmfusion-nonfree-release-"${RELEASE}".noarch.rpm \
     fedora-repos-archive
 
 # after F41 launches, bump to 42
@@ -61,10 +61,24 @@ fi
 install -Dm644 /tmp/certs/public_key.der   /etc/pki/akmods/certs/public_key.der
 install -Dm644 /tmp/certs/private_key.priv /etc/pki/akmods/private/private_key.priv
 
+if [[ "${DUAL_SIGN}" == "true" ]]; then
+    dnf install -y rpmrebuild
+    if [[ ! -s "/tmp/certs/private_key_2.priv" ]]; then
+        echo "WARNING: Using test signing key. Run './generate-akmods-key' for production builds."
+        cp /tmp/certs/private_key_2.priv{.test,}
+        cp /tmp/certs/public_key_2.der{.test,}
+    fi
+    openssl x509 -in /tmp/certs/public_key_2.der -out /tmp/certs/public_key_2.crt
+    openssl x509 -in /tmp/certs/public_key.der -out /tmp/certs/public_key.crt
+    cat /tmp/certs/private_key.priv <(echo) /tmp/certs/public_key.crt >> /tmp/certs/signing_key_1.pem
+    cat /tmp/certs/private_key_2.priv <(echo) /tmp/certs/public_key_2.crt >> /tmp/certs/signing_key_2.pem
+    cat /tmp/certs/public_key.crt <(echo) /tmp/certs/public_key_2.crt >> /tmp/certs/public_key_chain.pem
+fi
+
 # This is for ZFS more than CoreOS
 if [[ "${KERNEL_FLAVOR}" =~ "coreos" ]]; then
-    install -Dm644 /tmp/certs/public_key.der /lib/modules/${KERNEL_VERSION}/build/certs/signing_key.x509
-    install -Dm644 /tmp/certs/private_key.priv /lib/modules/${KERNEL_VERSION}/build/certs/signing_key.pem
+    install -Dm644 /tmp/certs/public_key.der /lib/modules/"${KERNEL_VERSION}"/build/certs/signing_key.x509
+    install -Dm644 /tmp/certs/private_key.priv /lib/modules/"${KERNEL_VERSION}"/build/certs/signing_key.pem
     dnf install -y \
         autoconf \
         automake \

diff --git a/certs/private_key_2.priv b/certs/private_key_2.priv
diff --git a/certs/private_key_2.priv.test b/certs/private_key_2.priv.test
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCnVfa8014cwVhH
+8SKJFg94/krdWYAAbEG+BVMWfJf84v19bqEUWO9GKYUHTXIOYTzOcdyyYkBDm8hL
+DpUGHWtgAut4l4cDpDCkL9sJzAhKS6lOW0pCqaZzqJoq8AUyK84j/l3vEBwuucZo
+HypEyK+GeaWFc5fo3P/UQmYML78YgS2Lbb/MDwH+Zfrmt9IoKv75oIdmOVC/dpzS
+MiJZB1trjKyS+31o6gXCI43kpMsRGSHHqW6k5zhNNEAN/0uiGI28C2WDrB4v2igg
+bpF6QOMyrCqKs+oHUWndadUzG6Dwz+f4oZ1F7M/J5Xn8N2F1VEDqvvMBU2ZquRyX
+NLzbJvcnAgMBAAECggEAQ9LI7iHxvE/1eztWVx/054KST4NOKV23i9BWq/+WDu7l
+9agYa8ncOaDshVgziXaKEdb+r+K4z25d0WY4qsDT25dzX25zT9uFx5aJ/j+PgKWI
+GvVPdROUHr7QteSRBpPQurAH3LS354xuyZcQJ877rdKybxO6F60zmBHNkNTtbH2P
+M5eN88lF398v8Pu3fDce6CWSP9SGqLp43FJMbFMYrWkppzX28Ru0JqDOT3LSWeQy
+JAmrC/Oh5S2mLu6AhlqrMJEJ5ErIVpk9n3QZsa5knXsB56dP/kzWyQgirMWotF+O
+K4jGo6iHSfFGmYJhopJjVYsuMrJtgpZN8u1VRbMIEQKBgQDakV86A7k7s5ORfI22
+lwB5QukkiA/XT7lP/kcGEem12hW/Gi7vfuwJLMA1i2JP0pmKANMxQG5YweaHSUhX
+/09H7BGlqPvwpWBJ5qqW7hkSh0N6VMwEmnYvHfNZh9PiQx2q9zL8+SOoUXCF2je3
+etKZToutMD47gRfeAtDiPQEyjwKBgQDD/m86tBMu1o4Qjj2l3/6mwg4XNbh18f0Q
+x1v3t4Wu5HROPPHF1HSwVp6iqSS0HhoDgIYVjgqpH4q2urRQ92urHAq56hUV8dn/
+6VprCcAJOTLvu//bu9FXMu4Ys+v915Z6J4oIkEGLwOL4QAUC6dzCM1luEGAirpyf
+ePWIMC5d6QKBgQCkHDMcJF+Y7CUJQDRHvOmmIw9bVq5ORJYn8gzyCdEpsi5R5x8G
+xI4F9Yv8qEORG9gdPrFUccRo8G5fdi7To+erYR1+/XruHb5GvuOnn+9DcjzARZtK
+eY/zoNFvkAUQBsTn8eRe/dJAN6X9WvQq2BX49nj5+RdBJpT9JbAhrxyPEQKBgDvB
+Pg5KyrJ0Dbo0c8033r7e2UbwRP4Iulw8O+jpliN9WYxk/l2Pacg9kH4NTbhwmQPK
+UpcNyGhJypPtln49ASGZGhgWqzkWlJ12eu+5eEgXnVUEH3zR5YBNcdQsPt4Utbcm
+iOoVeTZvp4OCmUSLIpg+6Zwp9/V7ARuJ2GoeLnTJAoGBANOjf4lQBz1/U0aeog/H
+OCscSv+pbfHLo778FDJYcEBL0twofifnMLoED2E28F3ptbwUoE89KUrBvvDTgiXj
+4Gd5eMU64iKo2utA9crzcxXEhvEyl04fQyZtaqOIfmUHiV5CHV1oCgoa8Rq1Zxc/
+5bzd1lBjif4fuc6RXjooHX+3
+-----END PRIVATE KEY-----
diff --git a/certs/public_key.der b/certs/public_key.der
diff --git a/certs/public_key_2.der b/certs/public_key_2.der
diff --git a/certs/public_key_2.der.test b/certs/public_key_2.der.test
diff --git a/dual-sign-zfs.sh b/dual-sign-zfs.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/bash
+
+set -eoux pipefail
+
+KERNEL="$(rpm -q "${KERNEL_NAME}" --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"
+SIGNING_KEY_1="/tmp/certs/signing_key_1.pem"
+SIGNING_KEY_2="/tmp/certs/signing_key_2.pem"
+PUBLIC_CHAIN="/tmp/certs/public_key_chain.pem"
+
+if [[ "${DUAL_SIGN}" == "true" ]]; then
+    dnf install -y /var/cache/rpms/kmods/zfs/*.rpm pv
+    modinfo /usr/lib/modules/"${KERNEL}"/extra/zfs/spl.ko
+    for module in /usr/lib/modules/"${KERNEL}"/extra/zfs/*.ko*;
+    do
+        module_basename=${module:0:-3}
+        module_suffix=${module: -3}
+        if [[ "$module_suffix" == ".xz" ]]; then
+                xz --decompress "$module"
+                openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap
+                /usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_CHAIN}" "${module_basename}"
+                xz -f "${module_basename}"
+        elif [[ "$module_suffix" == ".gz" ]]; then
+                gzip -d "$module"
+                openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module_basename" -outform DER -out "${module_basename}.cms" -nocerts -noattr -nosmimecap
+                /usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module_basename}.cms" sha256 "${PUBLIC_CHAIN}" "${module_basename}"
+                gzip -9f "${module_basename}"
+        else
+                openssl cms -sign -signer "${SIGNING_KEY_1}" -signer "${SIGNING_KEY_2}" -binary -in "$module" -outform DER -out "${module}.cms" -nocerts -noattr -nosmimecap
+                /usr/src/kernels/"${KERNEL}"/scripts/sign-file -s "${module}.cms" sha256 "${PUBLIC_CHAIN}" "${module}"
+        fi
+    done
+    rpmrebuild --batch /var/cache/rpms/kmods/zfs/kmod-zfs-*.rpm
+    rm -rf /usr/lib/modules/"${KERNEL}"/extra
+    dnf reinstall -y /root/rpmbuild/RPMS/"$(uname -m)"/kmod-*-"${KERNEL}"-*.rpm
+    for module in /usr/lib/modules/"${KERNEL}"/extra/*/*.ko*; do
+        if ! modinfo "${module}"; then
+            exit 1
+        fi
+    done
+    mv -f /root/rpmbuild/RPMS/"$(uname -m)"/kmod-*.rpm /var/cache/rpms/kmods/zfs/
+fi
+
+for RPM in $(find /var/cache/akmods/ -type f -name \*.rpm); do
+    cp "${RPM}" /var/cache/rpms/kmods/
+done
+
+find /var/cache/rpms