From cd2e16275204d2f87fe80ab9e10309e0d463a418 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?=
 <frederic.pierret@qubes-os.org>
Date: Sun, 10 Dec 2023 11:37:05 +0100
Subject: [PATCH] Add qubes.PESign

Related to https://github.com/QubesOS/qubes-issues/issues/8206
---
 rpc/qubes.PESign | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100755 rpc/qubes.PESign

diff --git a/rpc/qubes.PESign b/rpc/qubes.PESign
new file mode 100755
index 00000000..f58676de
--- /dev/null
+++ b/rpc/qubes.PESign
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -x -e -o pipefail
+
+CERTIFICATE="$1"
+[[ -z "$CERTIFICATE" ]] && { echo "Please provide certificate name"; exit 1; };
+
+PAYLOAD_DIR="$(mktemp -d)"
+
+cleanup() {
+    local payload_dir="$1"
+    if [ -n "${payload_dir}" ]; then
+        rm -rf "${payload_dir}"
+    fi
+}
+
+trap "cleanup ${PAYLOAD_DIR}" EXIT
+
+payload="${PAYLOAD_DIR}/payload"
+
+# Limit stdin size
+head --bytes=100MB > "$payload"
+
+# We don't allow payload being at least 100MB
+actual_size="$(wc -c < "$payload")"
+if [ "$actual_size" -eq $((100 * 1024 * 1024)) ]; then
+    echo "Input size is at least 100MB. Aborting."
+    exit 1
+fi
+
+pesign -s -c "${CERTIFICATE//__/ }" -i "$payload" -o "$payload".signed
+
+cat "$payload".signed