1 #
2 # Copyright 2022 Canonical Ltd.
3 # Authors:
4 # - dann frazier <dann.frazier@canonical.com>
5 #
6 # This program is free software: you can redistribute it and/or modify it
7 # under the terms of the GNU General Public License version 3, as published
8 # by the Free Software Foundation.
9 #
10 # This program is distributed in the hope that it will be useful, but WITHOUT
11 # ANY WARRANTY; without even the implied warranties of MERCHANTABILITY,
12 # SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 # General Public License for more details.
14 #
15 # You should have received a copy of the GNU General Public License along with
16 # this program. If not, see <http://www.gnu.org/licenses/>.
17 #
18
19 import os
20 import subprocess
21 import tempfile
22
23
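class SignedBinary:
    """Sign an EFI binary with sbsign and expose the signed copy at ``self.path``.

    The signing key is first run through ``openssl rsa`` into a temporary
    file, and that temporary key is what ``sbsign`` is given. The signed
    output is written to a second temporary file, which is removed when the
    object is garbage collected.
    """

    def __init__(self, binary_path, key_path, cert_path, password=None):
        """Produce a signed copy of *binary_path*.

        Args:
            binary_path: Path of the binary to sign.
            key_path: Path of the (optionally passphrase-protected) RSA key.
            cert_path: Path of the signing certificate handed to sbsign.
            password: Passphrase for *key_path*; a falsy value means no
                passphrase is supplied to openssl.

        Raises:
            subprocess.CalledProcessError: if openssl or sbsign exits
                with a non-zero status.
        """
        # Define the attribute before anything can fail so that __del__
        # always finds it, even on a half-constructed object.
        self.path = None

        openssl_password_args = []
        openssl_input = None
        if password:
            # Feed the passphrase over stdin rather than as "pass:<secret>"
            # in argv: command-line arguments are readable by other local
            # users through the process list for as long as openssl runs.
            # Only the first line of stdin is used as the passphrase.
            openssl_password_args = ["-passin", "stdin"]
            openssl_input = f"{password}\n".encode()

        # NamedTemporaryFile creates the file accessible to the current user
        # only, and deletes it when the with-block exits, so the decrypted
        # key does not outlive the signing step.
        with tempfile.NamedTemporaryFile() as keytmp:
            subprocess.run(
                [
                    "openssl", "rsa",
                ] + openssl_password_args + [
                    "-in", f"{key_path}",
                    "-out", f"{keytmp.name}",
                ],
                input=openssl_input,
                check=True,
            )
            # delete=False: the signed binary has to survive this block;
            # __del__ is responsible for removing it.
            with tempfile.NamedTemporaryFile(delete=False) as f:
                self.path = f.name

            subprocess.run(
                [
                    "sbsign", "--key", f"{keytmp.name}",
                    "--cert", f"{cert_path}",
                    binary_path, "--output", f"{self.path}"
                ],
                check=True,
            )

    def __del__(self):
        """Remove the signed output file, if one was created."""
        # getattr: __init__ may not have run at all (or may have raised
        # early), in which case there is nothing to clean up.
        path = getattr(self, "path", None)
        if path is None:
            return
        try:
            os.unlink(path)
        except FileNotFoundError:
            # Already removed, e.g. by an earlier explicit cleanup.
            pass
        self.path = None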