3 # Consider this file an example.
5 # For Junos this is how we obtain trust anchor .pems:
6 # the signing server (http://www.crufty.net/sjg/blog/signing-server.htm)
7 # will provide the appropriate certificate chain for each key on request
9 # force these for Junos
10 #MANIFEST_SKIP_ALWAYS= boot
21 VE_SIGNATURE_EXT_LIST= \
27 .if ${MACHINE} == "host" && ${.CURDIR:T} == "tests"
32 VE_SIGNATURE_EXT_LIST+= \
36 # add OpenPGP support - possibly dormant
37 VE_SIGNATURE_LIST+= OPENPGP
38 VE_SIGNATURE_EXT_LIST+= asc
40 SIGNER ?= ${SB_TOOLS_PATH:U/volume/buildtools/bin}/sign.py
# signing server host; SB_SITE selects the site prefix (default "svl")
43 SIGN_HOST ?= ${SB_SITE:Usvl}-junos-signer.juniper.net
# the per-key ports are derived from the current two-digit year
# (strftime %y via :gmtime): 133<yy> for ECDSA, 163<yy> for RSA
# NOTE(review): -h sha256 is handed to sign.py; presumably the digest
# used when signing -- confirm against sign.py
44 ECDSA_PORT:= ${133%y:L:gmtime}
45 SIGN_ECDSA= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${ECDSA_PORT} -h sha256
46 RSA2_PORT:= ${163%y:L:gmtime}
47 SIGN_RSA2= ${PYTHON} ${SIGNER} -u ${SIGN_HOST}:${RSA2_PORT} -h sha256
49 # deal with a quirk of our .esig format
50 XCFLAGS.vets+= -DVE_ECDSA_HASH_AGAIN
52 .if !empty(OPENPGP_SIGN_URL)
53 XCFLAGS.opgp_key+= -DHAVE_TA_ASC_H
55 VE_SIGNATURE_LIST+= OPENPGP
56 VE_SIGNATURE_EXT_LIST+= asc
58 SIGN_OPENPGP= ${PYTHON} ${SIGNER:H}/openpgp-sign.py -a -u ${OPENPGP_SIGN_URL}
61 ${SIGN_OPENPGP} -C ${.TARGET}
63 ta_asc.h: ta_openpgp.asc
65 .if ${VE_SELF_TESTS} != "no"
67 vc_openpgp.asc: ta_openpgp.asc
68 ${SIGN_OPENPGP} ${.ALLSRC:M*.asc}
69 mv ta_openpgp.asc.asc ${.TARGET}
71 ta_asc.h: vc_openpgp.asc
76 ${SIGN_RSA2} -C ${.TARGET}
79 ${SIGN_ECDSA} -C ${.TARGET}
81 .if ${VE_SIGNATURE_LIST:tu:MECDSA} != ""
82 # the last cert in the chain is the one we want
83 ta_ec.pem: ecerts.pem _LAST_PEM_USE
85 .if ${VE_SELF_TESTS} != "no"
86 # these are for the verification self-test
87 vc_ec.pem: ecerts.pem _2ndLAST_PEM_USE
92 .if ${VE_SIGNATURE_LIST:tu:MRSA} != ""
93 ta_rsa.pem: rcerts.pem _LAST_PEM_USE
95 .if ${VE_SELF_TESTS} != "no"
96 vc_rsa.pem: rcerts.pem _2ndLAST_PEM_USE
101 # we take the mtime of this as our baseline time
102 #BUILD_UTC_FILE= ecerts.pem
104 #VE_VERBOSE_DEFAULT=1
107 # you need to provide t*.pem or t*.asc files for each trust anchor
108 .if empty(TRUST_ANCHORS)
109 TRUST_ANCHORS!= cd ${.CURDIR} && 'ls' -1 *.pem t*.asc 2> /dev/null
111 .if empty(TRUST_ANCHORS) && ${MK_LOADER_EFI_SECUREBOOT} != "yes"
112 .error Need TRUST_ANCHORS see ${.CURDIR}/README.rst
114 .if ${TRUST_ANCHORS:T:Mt*.pem} != ""
115 ta.h: ${TRUST_ANCHORS:M*.pem}
117 .if ${TRUST_ANCHORS:T:Mt*.asc} != ""
118 VE_SIGNATURE_LIST+= OPENPGP
119 VE_SIGNATURE_EXT_LIST+= asc
120 ta_asc.h: ${TRUST_ANCHORS:M*.asc}
122 # we take the mtime of this as our baseline time
123 BUILD_UTC_FILE?= ${TRUST_ANCHORS:[1]}