From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 9A70B158094 for ; Mon, 27 Jun 2022 19:18:50 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7FB44E0ACF; Mon, 27 Jun 2022 19:18:47 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id ED1A2E0ACA for ; Mon, 27 Jun 2022 19:18:46 +0000 (UTC) Date: Mon, 27 Jun 2022 15:18:41 -0400 From: Kenton Groombridge To: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing Message-ID: <20220627191841.sojmigoiiglrkyrh@fuuko> References: <20220621181959.920941-1-concord@gentoo.org> <84e99a74d64f0d9dd326af0f2c54b9d5717b2f8d.camel@gentoo.org> <9317f3aa1815d9ef219625794c06a8fb3057d707.camel@gentoo.org> <20220627183531.palnmdpvgzf44ssk@fuuko> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="wzg4htjrbu2g23fk" Content-Disposition: inline In-Reply-To: X-Archives-Salt: 6a80d799-37d5-4b0b-8588-866aa0ad6e52 X-Archives-Hash: 225195f7d24c6b9ad7332d378e970ce3 --wzg4htjrbu2g23fk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 22/06/27 02:56PM, Mike Gilbert wrote: > On Mon, Jun 27, 2022 at 2:35 PM Kenton Groombridge w= rote: > > > so looks like we need to combine both methods and do the following: > > > - if signing requested without compression - sign in pkg_preinst. > > > - if signing requested with compression - sign in src_install > > > > > > > Why can't we do both in pkg_preinst? I am thinking it would be best if > > we drop the current compression implementation and rework your old code > > to handle both compression and signing since the signing code is more or > > less already complete. >=20 > Signing modules in pkg_preinst seems like a bad idea to me. That means > you need to copy your private keys around to every host where the > package might be installed. >=20 > If you sign in src_compile or src_install, you only need private keys > on the system building your binpkg. >=20 Ah that makes sense. I think the question then is whether or not building binpkgs for kernel modules where the target system has its own signing keys is something we want to support. With that in mind I realize that doing compression in pkg_preinst means that target systems can use different compression methods (or no compression at all) if desired without much complication. --wzg4htjrbu2g23fk Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQKTBAABCgB9FiEEP+u3AkfbrORB/inCFt7v5V9Ft54FAmK6AoxfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNG RUJCNzAyNDdEQkFDRTQ0MUZFMjlDMjE2REVFRkU1NUY0NUI3OUUACgkQFt7v5V9F t54ArQ//RZ82UKSrun+ARCxVZV8quL1twgZDCQQLI3ob0PaioiqQAqmLTPhdPeIl fnOH2An5g+0y+WwYhITH7lBlfcRqn29FpdQgEOP1Dw09bKJ5zUwZ+HyohFHmiiWy /9+0kxCes2NfRpQl63ES5DU1wb/Ev/MTHJOgRTYrthmrPkVuHckrQ0hW/VC5V3Wz fPLhIi0vNtm59GRsbqaAgB7Q2nffr6kQufL7/3UNVYVVf1oVGoURZKi1nv1jDrE9 3waENdL5JmhrnuwBtWSaTfitS55Ebq3UBNloNPeVGnxsWLeLYJreM9vrxl3rGhRh aV/CAIh28REtJBmVSjdR+zWlYUnNfQxsrTuc16fGknMHrvTegZlGTG+PtVJ3f69v oMQj4kCX3nKz7l6O8JjS/c+Ast/zr9VWkDt4GdZ03qYKKFHUiVAcwvylFaEyVgMg J9h3O5543xEJ1VWl9y1QNPgFLbgIlKoM39T6BfHqazxVh17x7cvvalIeKDS3BkkG D3ZKsSAbZhNxUKZibaB4rzL4f4IVIOWWLTp9cmViDQGxnDi98WMjiPcRdc6ktLyf ttfl5yIPTAAAsKnHJhF1VBorUzbsh7xGZv4tJVknBtQEwqPlh0cyV3VyuxMCXO7+ zULpK4BkMCDSkbjxKaU5UOI4U46tCRacfERwm8ElB5WG4Hh5lrQ= =MBF6 -----END PGP SIGNATURE----- --wzg4htjrbu2g23fk--