[signer] Remove non-signing tools from the signing container

The signing container was originally envisioned to cover both signing
and odd small tasks (such as constructing multi-architecture ISO and
USB disk images) that did not justify a dedicated container image.

The architecture-independent utility toolchain is better placed to
handle these odd small tasks, and removing this responsibility from
the signing container allows us to reduce the attack surface by
removing unnecessary packages.

Strip out packages that are not required for signing, and update the
checker to verify that signing a binary (with a locally generated test
certificate) works as expected.

Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>

Author: mcb30

signer/Dockerfile

@@ -9,31 +9,24 @@ FROM fedora:${FEDORA} AS signer
 RUN echo "install_weak_deps=False" >> /etc/dnf/dnf.conf \
     && dnf update -y \
     && dnf install -y \
-	genisoimage \
-	mtools \
 	opensc \
 	openssl \
 	openssl-pkcs11 \
 	osslsigncode \
 	pkcs11-provider \
-	syslinux \
     && dnf clean all -y
 
 FROM signer AS check-signer
 
 RUN dnf install -y \
-	libcdio \
 	shim-x64 \
     && dnf clean all -y
 
-RUN ln -s /bin/true dummy.lkrn
-
-RUN ln -s /boot/efi/EFI/BOOT/BOOTX64.EFI dummy.efi
-
-ADD https://github.com/ipxe/ipxe.git /ipxe
-
-CMD /ipxe/src/util/genfsimg -o dummy.iso dummy.lkrn dummy.efi && \
-    iso-info dummy.iso
+CMD openssl req -newkey rsa:2048 -nodes -keyout test.key \
+		-subj '/CN=test/' -x509 -out test.crt && \
+    osslsigncode sign -certs test.crt -key test.key \
+		      -in /boot/efi/EFI/BOOT/BOOTX64.EFI -out test.efi && \
+    osslsigncode verify -CAfile test.crt test.efi
 
 #
 # Service container for pcscd