releng/README.rst
David Runge e7d931347a
Add documentation on iPXE code signing
README.rst:
Add documentation on iPXE code signing and how to generate a new codesigning key pair.
2021-05-16 11:39:17 +02:00


======
releng
======

This repository is used to create release artifacts for Arch Linux.

Code Signing
============

``mkarchiso`` (`archiso <https://gitlab.archlinux.org/archlinux/archiso>`_) can export server-side artifacts for use
with `iPXE <https://ipxe.org>`_. The artifacts can optionally be code signed, which can establish a trust path between
a client and the server-side files.

How to establish a code signing authority is explained in the `iPXE upstream documentation <https://ipxe.org/crypto>`_.

The server-side artifacts are signed using a codesigning certificate and key pair. The codesigning certificate is then
embedded in the iPXE binary and is used during boot to validate the codesigning signature when downloading the file.
Additionally, CA certificates are embedded in the iPXE binary to validate the TLS connection over which the data is
transmitted.

.. code:: sh

           iPXE binary                           Server
   xxxxxxxxxxxxxxxxxxxxxxxxxxx        xxxxxxxxxxxxxxxxxxxxxxxxxxxx
   x CA cert(s)              x =====> x Transport Layer Security x
   xxxxxxxxxxxxxxxxxxxxxxxxxxx        xxxxxxxxxxxxxxxxxxxxxxxxxxxx
   x Codesigning Certificate x =====> x Codesigning Signature    x
   xxxxxxxxxxxxxxxxxxxxxxxxxxx        xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Create a new Code Signing Key Pair
----------------------------------

1. Create a new code signing key pair using ``codesigning/create_codesigning_key_pair.sh``.
2. Embed the codesigning certificate in the binaries generated by `the ipxe
   package <https://archlinux.org/packages/community/x86_64/ipxe/>`_ and release a new version of the package.
3. Add the codesigning certificate and key as `variables of type File
   <https://docs.gitlab.com/ee/ci/variables/#project-cicd-variables>`_ to this repository
   (``SECRET_CODESIGNING_CERT_FILE`` and ``SECRET_CODESIGNING_KEY_FILE``, respectively), so that they can be accessed
   during build.
4. Build a new release with the respective artifacts being signed with the new codesigning key and make sure that the
   release contains the iPXE binaries from the updated package (embedding the new codesigning certificate).
5. Once all official releases using the previous codesigning key pair have been removed, the previous codesigning
   certificate can be removed from the ipxe package.

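
The check behind steps 4 and 5, as an added example that is not part of this repository or of archiso: it signs a
constructed file with a detached, DER-encoded CMS signature using ``openssl cms`` and verifies it against a pinned
codesigning certificate, showing that the previous certificate and a modified file are both rejected. The throwaway
self-signed key pairs, the file names and the function names are assumptions; ``create_codesigning_key_pair.sh`` may
generate its pair differently.

```sh
#!/bin/sh
# Added example: throwaway key pairs and a constructed file, not releng's key material.
set -eu

# Assumption: a self-signed RSA certificate with the codeSigning EKU stands in for
# the output of codesigning/create_codesigning_key_pair.sh.
make_pair() {  # $1 = directory that receives codesign.key and codesign.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed codesigning example" \
        -addext "extendedKeyUsage=codeSigning" \
        -keyout "$1/codesign.key" -out "$1/codesign.crt" 2>/dev/null
}

# Write a detached, DER-encoded CMS signature next to the artifact.
sign_artifact() {  # $1 = artifact, $2 = certificate, $3 = key; writes $1.sig
    openssl cms -sign -binary -noattr -in "$1" -signer "$2" -inkey "$3" \
        -outform DER -out "$1.sig"
}

# Succeed only if $1.sig covers $1 and was made with the pinned certificate $2.
# -CAfile plays the role of the certificate embedded in the iPXE binary;
# -purpose any is needed because the default S/MIME purpose rejects a codeSigning-only EKU.
verify_artifact() {  # $1 = artifact, $2 = pinned codesigning certificate
    openssl cms -verify -binary -inform DER -in "$1.sig" -content "$1" \
        -CAfile "$2" -purpose any -out /dev/null 2>/dev/null
}

demo() {
    demo_dir=$(mktemp -d)
    mkdir "$demo_dir/old" "$demo_dir/new"
    make_pair "$demo_dir/old"                 # previous key pair
    make_pair "$demo_dir/new"                 # rotated key pair
    printf 'constructed boot artifact\n' > "$demo_dir/vmlinuz"
    sign_artifact "$demo_dir/vmlinuz" "$demo_dir/new/codesign.crt" "$demo_dir/new/codesign.key"
    verify_artifact "$demo_dir/vmlinuz" "$demo_dir/new/codesign.crt" && echo "new certificate: verified"
    verify_artifact "$demo_dir/vmlinuz" "$demo_dir/old/codesign.crt" || echo "old certificate: rejected"
    printf 'x' >> "$demo_dir/vmlinuz"         # modify the file after signing
    verify_artifact "$demo_dir/vmlinuz" "$demo_dir/new/codesign.crt" || echo "modified file: rejected"
    rm -rf "$demo_dir"
}

demo
```
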
License
=======
Releng is licensed under the terms of the **GPL-3.0-or-later** (see `LICENSE <LICENSE>`_).