Project: 喜羊羊3508 / Dak (GitCode mirror, last synced successfully about 1 year ago)
Commit c70d20be
Commit c70d20be (unverified)
Written on Jul 26, 2020
Author: Ansgar
docs/debian-specific.rst: how to rotate various keys used by Secure Boot signing service
Parent: e9f0c93f
Showing 1 changed file with 72 additions and 0 deletions

docs/debian-specific.rst (+72, -0), browse file @ c70d20be
@@ -81,6 +81,78 @@ machines: coccia fasolo respighi seger suchon usper
Also, to seperate code and actual runtime, the code is deployed (and
owned by) the seperate user dak-code
General
~~~~~~~
Rotating Secure Boot Keys
-------------------------
Four keys are used: dak signs a JSON file used by the signing service
(one key for main archive and security archive), the code-signing
service signs files trusted by Debian's Secure Boot CA and uploads
using a key trusted by dak.
To rotate keys used by dak:
- Generate new key::
export GNUPGHOME=${base}/s4kr1t/dot-gnupg
gpg --list-secret-keys
gpg --homedir --full-generate-key
gpg --keyring /srv/keyring.debian.org/keyrings/debian-keyring.gpg \
--local-user ${OLD_FINGERPRINT} --edit-key ${NEW_FINGERPRINT}
gpg -a --export ${NEW_FINGERPRINT}
When editing key, run `sign` command and `addrevoker` to add current
FTP masters as designated revokers.
- Tell dak to use new key. Edit dak.conf, update fingerprint used in
`ExportSigningKeys`.
- Tell code-signing to use new key (in `code-signing` project)::
gpg --no-default-keyring --keyring etc/external-signature-requests.kbx \
--import
To rotate Secure Boot key (in `code-signing` project):
- Get new key installed in YubiKey and `etc/debian-prod-cert.pem`
- Update `trusted_keys` in `etc/debian-prod.yaml` using::
openssl x509 -in etc/debian-prod-cert.pem -noout -text
openssl x509 -in etc/debian-prod-cert.pem -outform der | openssl dgst -sha256
- Update certificate comman name in `etc/debian-prod.yaml`; there are
two occurances in the `efi` group: `token` and part of `pkcs11_uri`.
To rotate upload key for code-signing service:
- Generate new key (as above for dak keys).
- Update `maintainer.key_id` in `etc/debian-prod.yaml` (in `code-signing`
project).
- Tell dak about new key::
gpg --no-default-keyring \
--keyring config/debian-common/keyrings/automatic-source-uploads.kbx \
--import
and update fingerprint `AllowSourceOnlyNewKeys` setting in
`config/debian/external-signatures.conf`
- Import key on `ftp-master` and `security-master`::
dak import-keyring -U "%s" \
${base}/config/debian-common/keyrings/automatic-source-uploads.kbx
- Update ACL on `ftp-master` and `security-master`::
dak acl export-per-source automatic-source-uploads
dak acl allow automatic-source-uploads ${NEW_FINGERPRINT} ${SOURCES}
dak acl deny automatic-source-uploads ${OLD_FINGERPRINT} ${SOURCES}
security archive
~~~~~~~~~~~~~~~~
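Review bot: the key-generation command in the "Generate new key" block is wrong as written: `gpg --homedir --full-generate-key` passes `--full-generate-key` as the argument of `--homedir`, so gpg will try to use a directory literally named `--full-generate-key` instead of generating a key. Since the line above already does `export GNUPGHOME=${base}/s4kr1t/dot-gnupg`, drop the option and write `gpg --full-generate-key` (or give `--homedir` the same path explicitly). Two smaller points in the same hunk: the `--import` commands for `etc/external-signature-requests.kbx` and `config/debian-common/keyrings/automatic-source-uploads.kbx` name no input, so it is unclear that the output of `gpg -a --export ${NEW_FINGERPRINT}` is meant to be piped or pasted in; a one-line pipeline would make the intent explicit. The procedures also never say what happens to the old key: the dak-key steps add the new fingerprint to `ExportSigningKeys` and the kbx keyrings but do not say when the old key is removed or revoked (the `addrevoker` step implies revocation is intended), and "Update `trusted_keys`" for the Secure Boot certificate does not say whether the old certificate hash is dropped immediately or kept during a transition; the upload-key section does spell this out (`dak acl allow` new, then `dak acl deny` old), so the other two sections should do the same. Finally, typos in the added text: "comman name" should be "common name" and "occurances" should be "occurrences"; the surrounding context line also has "seperate" twice.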