This script extracts the sha256sums file from the .deb package, appends file signatures to it using the ima-evm-utils package, and reinserts the signed sha256sums file into the package. --- examples/ima-signhashes.sh | 79 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100755 examples/ima-signhashes.sh
diff --git a/examples/ima-signhashes.sh b/examples/ima-signhashes.sh
new file mode 100755
index 0000000..4137467
--- /dev/null
+++ b/examples/ima-signhashes.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# ima-signhashes.sh - replace the sha256sums file in the .deb package with
+# a version containing the file signatures. The file signatures provide
+# file authenticity and provenance. As part of the package install process,
+# the file signatures are stored as extended attributes associated with
+# the file. IMA-appraisal, if enabled, will appraise file integrity based
+# on these file signatures.
+#
+# Mimi Zohar <zo...@linux.vnet.ibm.com>
+
+# format: <debian package pathname> <private key pathname>
+
+set -e
+DEBPACKAGE="${1}"
+PRIVKEY="$2"
+tmpdir="${DEBPACKAGE}.tmp"
+
+if [ $# -ne 2 ]; then
+ echo "$0: <debian package pathname> <private key pathname>"
+ exit -1
+fi
+
+if [ ! -f "${DEBPACKAGE}" ]; then
+ echo ".deb package not found: ${DEBPACKAGE}"
+ exit -1
+fi
+
+if [ ! -f "${PRIVKEY}" ]; then
+ echo "Private key not found: ${PRIVKEY}"
+ exit -1
+fi
+
+# extract files from the .deb archive into a temporary directory
+if [ -d "${tmpdir}" ]; then
+ rm -rf "${tmpdir}"
+ if [ $? -ne 0 ]; then
+ echo "Deleting directory failed: ${tmpdir}"
+ exit -1
+ fi
+fi
+mkdir -p "${tmpdir/DEBIAN}"
+if [ $? -ne 0 ]; then
+ echo "Creating directory failed: ${tmpdir}/DEBIAN"
+ exit -1
+fi
+
+cd $tmpdir
+ar -x "../$DEBPACKAGE"
+#ls -lat
+
+# untar the control file in the DEBIAN subdirectory
+if [ ! -f ./control.tar.gz ]; then
+ echo ".deb package missing 'control.tar.gz' file"
+ exit -1
+fi
+mkdir -p DEBIAN
+cd DEBIAN
+tar -xvzf ../control.tar.gz
+if [ ! -f ./sha256sums ]; then
+ echo "'control.tar.gz' missing sha256 file"
+ ls -lat
+ exit -1
+fi
+cat sha256sums
+
+# Replace sha256sums with one containing file signatures
+cat ./sha256sums | evmctl sign_hash -a sha256 --key "${PRIVKEY}" > sha256sums.sig
+if [ $? == 0 ]; then
+ cp ./sha256sums.sig ./sha256sums
+ rm ./sha256sums.sig
+fi
+
+# create the control tar containing the new sha256sums with the signatures
+tar -cvzf ../control.tar.gz ./*
+
+# replace the existing compressed tar file in the .deb package
+cd ..
+ar -r "../$DEBPACKAGE" control.tar.gz
-- 
1.8.1.4
-- To UNSUBSCRIBE, email to debian-dpkg-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/1407517061-22451-4-git-send-email-zo...@linux.vnet.ibm.com
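Review bot: `mkdir -p "${tmpdir/DEBIAN}"` is a bash pattern substitution (it deletes the string DEBIAN from $tmpdir), not the `${tmpdir}/DEBIAN` path that the error message on the following line names; it only works because the package name normally contains no "DEBIAN" and because of the later `mkdir -p DEBIAN`, so it should read `mkdir -p "${tmpdir}/DEBIAN"` (or simply `mkdir -p "${tmpdir}"`). The `ar -x "../$DEBPACKAGE"` and `ar -r "../$DEBPACKAGE"` lines assume the package was given as a bare filename in the current directory — after `cd $tmpdir` any argument with a directory component or an absolute path fails; resolving it once up front, e.g. `DEBPACKAGE=$(readlink -f -- "$1")`, and then using `"$DEBPACKAGE"` in both ar calls removes that restriction, and `cd "$tmpdir"` should be quoted for the same reason. The `if [ $? -ne 0 ]` checks after rm/mkdir and the `[ $? == 0 ]` after the evmctl pipeline are unreachable under `set -e`, which already aborts the script on those failures, so either drop them or drop `set -e` and keep the explicit handling. `exit -1` is not a valid POSIX exit status (bash truncates it to 255); use `exit 1`.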