.gitlab/ci/build_archiso.sh: create a valid code signing certificate
Make sure the certificate has an extendedKeyUsage section with codeSigning per the iPXE requirements. Fixes #195
parent
279d3c0971
commit
8ddd08f51d
@ -252,25 +252,16 @@ create_ephemeral_codesigning_keys() {
|
||||
-days 2 \
|
||||
-out "${ca_cert}"
|
||||
|
||||
cat <<EOF >>"${ca_conf}"
|
||||
|
||||
[ v3_intermediate_ca ]
|
||||
# Extensions for a typical intermediate CA ('man x509v3_config').
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always,issuer
|
||||
basicConstraints = critical, CA:true, pathlen:0
|
||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||
|
||||
EOF
|
||||
|
||||
cat <<EOF >>"${codesigning_conf}"
|
||||
|
||||
local extension_text
|
||||
IFS='' read -r -d '' extension_text <<EOF || true
|
||||
[codesigning]
|
||||
keyUsage=digitalSignature
|
||||
extendedKeyUsage=codeSigning, clientAuth, emailProtection
|
||||
|
||||
EOF
|
||||
|
||||
printf '%s' "${extension_text}" >> "${ca_conf}"
|
||||
printf '%s' "${extension_text}" >> "${codesigning_conf}"
|
||||
|
||||
openssl req \
|
||||
-newkey rsa:4096 \
|
||||
-keyout "${codesigning_key}" \
|
||||
@ -285,7 +276,7 @@ EOF
|
||||
openssl ca \
|
||||
-batch \
|
||||
-config "${ca_conf}" \
|
||||
-extensions v3_intermediate_ca \
|
||||
-extensions codesigning \
|
||||
-days 2 \
|
||||
-notext \
|
||||
-md sha256 \
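Review bot: The `[codesigning]` section that `openssl ca` now applies through `-extensions codesigning` grants more than a code-signing leaf needs and sets no `basicConstraints`. Its `extendedKeyUsage=codeSigning, clientAuth, emailProtection` line also marks the ephemeral certificate as valid for TLS client authentication and S/MIME for its two-day lifetime. The commit message cites only the iPXE codeSigning requirement, so I would narrow the section to `extendedKeyUsage=codeSigning` and add `basicConstraints=CA:FALSE`, unless something outside these hunks relies on the other usages. The rendered page has lost its +/- markers, so I am treating the section as new-side content because the `printf '%s' "${extension_text}"` lines append it to both config files. Both `create_ephemeral_codesigning_keys()` and the `openssl ca` invocation continue outside the visible hunks.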
|
||||
|