.gitlab/ci/build_archiso.sh: create a valid code signing certificate

Make sure the certificate has an extendedKeyUsage extension with
codeSigning per the iPXE requirements.

Fixes #195
This commit is contained in:
nl6720 2023-06-01 09:37:11 +03:00
parent 279d3c0971
commit 8ddd08f51d
No known key found for this signature in database
GPG key ID: 5CE88535E188D369


@ -252,25 +252,16 @@ create_ephemeral_codesigning_keys() {
-days 2 \
-out "${ca_cert}"
cat <<EOF >>"${ca_conf}"
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA ('man x509v3_config').
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
cat <<EOF >>"${codesigning_conf}"
local extension_text
IFS='' read -r -d '' extension_text <<EOF || true
[codesigning]
keyUsage=digitalSignature
extendedKeyUsage=codeSigning, clientAuth, emailProtection
EOF
printf '%s' "${extension_text}" >> "${ca_conf}"
printf '%s' "${extension_text}" >> "${codesigning_conf}"
openssl req \
-newkey rsa:4096 \
-keyout "${codesigning_key}" \
@ -285,7 +276,7 @@ EOF
openssl ca \
-batch \
-config "${ca_conf}" \
-extensions v3_intermediate_ca \
-extensions codesigning \
-days 2 \
-notext \
-md sha256 \
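Review bot: The new `[codesigning]` section in the first hunk (the here-doc read into `extension_text`) grants this ephemeral key more purposes than an image-signing certificate needs and omits an explicit basicConstraints. `extendedKeyUsage=codeSigning, clientAuth, emailProtection` also makes the key valid for TLS client authentication and S/MIME; the commit message names codeSigning as the iPXE requirement, so unless the other two values are relied on elsewhere, `extendedKeyUsage=codeSigning` keeps the key to its one purpose. Now that the leaf is signed with `-extensions codesigning` instead of `v3_intermediate_ca`, it carries no basicConstraints at all, and adding `basicConstraints=critical, CA:FALSE` (plus `subjectKeyIdentifier=hash` and `authorityKeyIdentifier=keyid,issuer` for chain building) states its end-entity status explicitly rather than relying on validators treating an absent extension as non-CA. `create_ephemeral_codesigning_keys` starts before the first hunk and, given the trailing `\` on `-md sha256`, continues past the second.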