#!/bin/sh
#
# Helper script for generating dbx entries for the Debian shim package
#
# GPL v2+
#
# Copyright 2020- Steve McIntyre <93sam@debian.org>

# Reason for the blacklisting, filled in from -r; it is echoed into the
# header of every generated hash block and is required to be non-empty.
REASON=

#######################################
# Print the command synopsis and option summary.
# Outputs:   usage text on stdout (callers redirect to stderr as needed)
# Returns:   0
#######################################
usage () {
    cat <<EOF
$0 <options> <deb1> ... <debN>

generate hashes for the signed binaries in deb file(s) in
the correct format to go in the dbx.hashes file

 -r <reason> - the reason for the blacklisting, required for dbx

and a list of .deb files to scan
EOF
}

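# -r <reason> is the only option. The leading ':' in the optstring makes
# getopts report problems through "$o" ('?' for an unknown option, ':' for
# a missing argument) with the offending letter in OPTARG, instead of
# printing its own message; the original single '*)' arm printed "$o"
# itself, i.e. a bare '?' or ':', which told the user nothing.
while getopts ":r:" o; do
    case "${o}" in
        r)
            REASON=${OPTARG}
            ;;
        :)
            echo "Option -${OPTARG} requires an argument" >&2
            usage >&2
            exit 1
            ;;
        *)
            echo "Unknown option -${OPTARG}" >&2
            usage >&2
            exit 1
            ;;
    esac
done
shift $((OPTIND-1))

# All diagnostics go to stderr: stdout carries the generated dbx.hashes
# content and is normally redirected straight into that file, so an error
# message on stdout would end up inside the hash list.
if [ -z "$REASON" ]; then
    echo "$0: Needs a reason to be specified" >&2
    echo >&2
    usage >&2
    exit 1
fi

# With no .deb arguments the script would otherwise exit 0 having emitted
# nothing, which is indistinguishable from "no signed binaries found".
if [ $# -lt 1 ]; then
    echo "$0: Needs at least one .deb file to scan" >&2
    echo >&2
    usage >&2
    exit 1
fi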

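#######################################
# Map a signed EFI binary's file name to its dbx arch tag.
# Arguments: $1 - basename of the *.efi.signed file
# Outputs:   aa64, x64 or ia32 on stdout
# Returns:   0 if the name matched one of the known patterns, 1 otherwise
#            (nothing printed)
#######################################
efi_arch_from_name () {
    case "$1" in
        *aa64*efi.signed)
            echo aa64 ;;
        *x64*efi.signed)
            echo x64 ;;
        *ia32*efi.signed)
            echo ia32 ;;
        *)
            return 1 ;;
    esac
}

#######################################
# Print the "# <name>" / "<hash> <arch>" pair for one signed binary.
# Arguments: $1 - path to the *.efi.signed file
# Outputs:   the two dbx.hashes lines on stdout; diagnostics on stderr
# Returns:   0 on success, 1 if the arch is unknown or pesign yields no hash
#######################################
hash_signed_file () {
    BASE=$(basename -- "$1")
    EFIARCH=$(efi_arch_from_name "$BASE") || {
        echo "Can't determine EFI arch from $BASE. Abort" >&2
        return 1
    }
    # Run pesign on its own so its exit status is visible: inside
    # $(pesign ... | awk ...) a pesign failure is masked by awk and an
    # empty hash followed by the arch tag would be emitted as if valid.
    PESIGN_OUT=$(pesign --hash --padding --in "$1") || {
        echo "$0: pesign failed on $1. Abort" >&2
        return 1
    }
    HASH=$(printf '%s\n' "$PESIGN_OUT" | awk '{print $2}')
    if [ -z "$HASH" ]; then
        echo "$0: no hash in pesign output for $1. Abort" >&2
        return 1
    fi
    # Nothing is printed until both values are known, so a failure never
    # leaves a half-written entry on stdout.
    echo "# $BASE"
    echo "$HASH $EFIARCH"
}

#######################################
# Emit the dbx.hashes block for every signed binary in one .deb.
# Globals:   REASON (read) - quoted in the block header
# Arguments: $1 - path to the .deb file
# Outputs:   the block on stdout; diagnostics on stderr
# Returns:   0 on success or when $1 is not a regular file (skipped with a
#            warning), 1 if extraction or hashing fails; the temp dir is
#            removed on every path
#######################################
process_deb () {
    DEB=$1
    if [ ! -f "$DEB" ]; then
        echo "$0: $DEB is not a file, skipping" >&2
        return 0
    fi
    DIR=$(mktemp -d) || return 1
    BASEDEB=$(basename -- "$DEB")
    echo "###############################"
    echo "# Files from $BASEDEB"
    echo "# ($REASON)"
    if ! dpkg -x "$DEB" "$DIR"; then
        echo "$0: failed to extract $DEB. Abort" >&2
        rm -rf -- "$DIR"
        return 1
    fi
    # '*.signed' is quoted so the shell cannot expand it against the cwd
    # before find sees it (an unquoted pattern would silently match nothing
    # inside $DIR if the cwd held a *.signed file). The while body runs in
    # a subshell as the last stage of a pipeline, so a failure is reported
    # through the pipeline status and the temp dir is removed once below.
    find "$DIR" -name '*.signed' -print | while IFS= read -r EFI; do
        hash_signed_file "$EFI" || exit 1
    done
    RV=$?
    rm -rf -- "$DIR"
    [ "$RV" -eq 0 ] || return 1
    echo "###############################"
    echo
    return 0
}

for DEB in "$@"; do
    process_deb "$DEB" || exit 1
done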