Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
path: root/.gitlab/ci
diff options
context:
space:
mode:
authornl6720 <nl6720@gmail.com>2023-06-01 09:37:11 +0300
committernl6720 <nl6720@gmail.com>2023-08-02 16:06:49 +0300
commit8ddd08f51dc4117fc940541225d09cbc805aedeb (patch)
tree20dede273c8fd9a2dd2402b7bd723ec65eb99f09 /.gitlab/ci
parent279d3c09711bd75f1ba3b31eb942f69052d3bbed (diff)
.gitlab/ci/build_archiso.sh: create a valid code signing certificate
Make sure the certificate has a extendedKeyUsage section with codeSigning per the iPXE requirements. Fixes #195
Diffstat (limited to '.gitlab/ci')
-rwxr-xr-x.gitlab/ci/build_archiso.sh21
1 files changed, 6 insertions, 15 deletions
diff --git a/.gitlab/ci/build_archiso.sh b/.gitlab/ci/build_archiso.sh
index 248cb8c..0504fd2 100755
--- a/.gitlab/ci/build_archiso.sh
+++ b/.gitlab/ci/build_archiso.sh
@@ -252,25 +252,16 @@ create_ephemeral_codesigning_keys() {
-days 2 \
-out "${ca_cert}"
- cat <<EOF >>"${ca_conf}"
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA ('man x509v3_config').
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-EOF
-
- cat <<EOF >>"${codesigning_conf}"
-
+ local extension_text
+ IFS='' read -r -d '' extension_text <<EOF || true
[codesigning]
keyUsage=digitalSignature
extendedKeyUsage=codeSigning, clientAuth, emailProtection
-
EOF
+ printf '%s' "${extension_text}" >> "${ca_conf}"
+ printf '%s' "${extension_text}" >> "${codesigning_conf}"
+
openssl req \
-newkey rsa:4096 \
-keyout "${codesigning_key}" \
@@ -285,7 +276,7 @@ EOF
openssl ca \
-batch \
-config "${ca_conf}" \
- -extensions v3_intermediate_ca \
+ -extensions codesigning \
-days 2 \
-notext \
-md sha256 \