faerbit/archiso
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

.gitlab/ci/build_archiso.sh: create a valid code signing certificate

Browse Source 
Make sure the certificate has a extendedKeyUsage section with
codeSigning per the iPXE requirements.

Fixes #195
This commit is contained in:
nl6720 2023-06-01 09:37:11 +03:00
parent 279d3c0971
commit 8ddd08f51d
No known key found for this signature in database
GPG Key ID: 5CE88535E188D369
1 changed files with 6 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
.gitlab/ci/build_archiso.sh
View File

@ -252,25 +252,16 @@ create_ephemeral_codesigning_keys() {
-days 2 \ -days 2 \
-out "${ca_cert}" -out "${ca_cert}"
cat <<EOF >>"${ca_conf}" local extension_text
IFS='' read -r -d '' extension_text <<EOF || true
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA ('man x509v3_config').
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
cat <<EOF >>"${codesigning_conf}"
[codesigning] [codesigning]
keyUsage=digitalSignature keyUsage=digitalSignature
extendedKeyUsage=codeSigning, clientAuth, emailProtection extendedKeyUsage=codeSigning, clientAuth, emailProtection
EOF EOF
printf '%s' "${extension_text}" >> "${ca_conf}"
printf '%s' "${extension_text}" >> "${codesigning_conf}"
openssl req \ openssl req \
-newkey rsa:4096 \ -newkey rsa:4096 \
-keyout "${codesigning_key}" \ -keyout "${codesigning_key}" \
@ -285,7 +276,7 @@ EOF
openssl ca \ openssl ca \
-batch \ -batch \
-config "${ca_conf}" \ -config "${ca_conf}" \
-extensions v3_intermediate_ca \ -extensions codesigning \
-days 2 \ -days 2 \
-notext \ -notext \
-md sha256 \ -md sha256 \