summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--debian/changelog15
-rw-r--r--debian/control2
-rw-r--r--debian/cryptsetup-nuke-password.lintian-overrides3
-rw-r--r--debian/cryptsetup-nuke-password.postinst16
-rw-r--r--debian/cryptsetup-nuke-password.postrm4
-rw-r--r--debian/cryptsetup-nuke-password.preinst35
6 files changed, 71 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog
index a20c90d..a1075a2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+cryptsetup-nuke-password (5) experimental; urgency=medium
+
+ * Team upload, acked by Raphaël.
+
+ [ Raphaël Hertzog ]
+ * Request update of initramfs when nuke password is changed with
+ dpkg-reconfigure.
+
+ [ Helmut Grohne ]
+ * Upgrade cryptsetup-bin dependency to cryptsetup, as that contains askpass.
+ * DEP17: Move files to /usr (M2) and mitigate file loss with diverions (P7).
+ (Closes: #1060269)
+
+ -- Helmut Grohne <helmut@subdivi.de> Fri, 05 Jan 2024 18:53:10 +0100
+
cryptsetup-nuke-password (4+nmu1-0.0~progress7.99u1) graograman-backports; urgency=medium
* Initial reupload to graograman-backports.
diff --git a/debian/control b/debian/control
index 63668e6..8778988 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ XSBC-Original-Vcs-Git: https://salsa.debian.org/pkg-security-team/cryptsetup-nuk
Package: cryptsetup-nuke-password
Architecture: any
-Depends: cryptsetup-bin, ${shlibs:Depends}, ${misc:Depends}
+Depends: cryptsetup (>= 2:2.7.0-1+exp2~), ${shlibs:Depends}, ${misc:Depends}
Enhances: cryptsetup-initramfs
Description: Erase the LUKS keys with a special password on the unlock prompt
Installing this package lets you configure a special "nuke password" that
diff --git a/debian/cryptsetup-nuke-password.lintian-overrides b/debian/cryptsetup-nuke-password.lintian-overrides
new file mode 100644
index 0000000..3304653
--- /dev/null
+++ b/debian/cryptsetup-nuke-password.lintian-overrides
@@ -0,0 +1,3 @@
+# DEP17 P7 M18
+cryptsetup-nuke-password: diversion-for-unknown-file lib/cryptsetup/askpass [preinst:*]
+cryptsetup-nuke-password: orphaned-diversion [preinst:*]
diff --git a/debian/cryptsetup-nuke-password.postinst b/debian/cryptsetup-nuke-password.postinst
index cc083bc..dacc804 100644
--- a/debian/cryptsetup-nuke-password.postinst
+++ b/debian/cryptsetup-nuke-password.postinst
@@ -49,7 +49,21 @@ store_password_hash() {
db_reset cryptsetup-nuke-password/password-again || true
}
+update_initramfs() {
+ # The usual postinst run already triggers it due to the "triggers"
+ # file generated by dh_installinitramfs. But there's no harm in
+ # triggering twice and we want to make sure it also gets triggered
+ # when the postinst is run by dpkg-reconfigure.
+ dpkg-trigger --no-await update-initramfs
+}
+
configure_nuke_password() {
+ if test "$(dpkg-divert --truename /lib/cryptsetup/askpass)" != /lib/cryptsetup/askpass; then
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \
+ --remove /lib/cryptsetup/askpass
+ fi
+
db_get cryptsetup-nuke-password/already-configured || true
what="$RET"
@@ -65,9 +79,11 @@ configure_nuke_password() {
echo "INFO: Removing current nuke password."
rm -f "$password_hash_path"
fi
+ update_initramfs
;;
overwrite)
store_password_hash
+ update_initramfs
;;
*)
echo "WARNING: unexpected value in debconf's cryptsetup-nuke-password/already-configured: '$what'" >&2
diff --git a/debian/cryptsetup-nuke-password.postrm b/debian/cryptsetup-nuke-password.postrm
index f6d4956..c558aba 100644
--- a/debian/cryptsetup-nuke-password.postrm
+++ b/debian/cryptsetup-nuke-password.postrm
@@ -4,8 +4,8 @@ set -e
if [ "$1" = "remove" ]; then
dpkg-divert --rename --package cryptsetup-nuke-password \
- --divert /lib/cryptsetup/askpass.cryptsetup \
- --remove /lib/cryptsetup/askpass
+ --divert /usr/lib/cryptsetup/askpass.cryptsetup \
+ --remove /usr/lib/cryptsetup/askpass
elif [ "$1" = "purge" ]; then
rm -rf /etc/cryptsetup-nuke-password
fi
diff --git a/debian/cryptsetup-nuke-password.preinst b/debian/cryptsetup-nuke-password.preinst
index 7836282..2b0580e 100644
--- a/debian/cryptsetup-nuke-password.preinst
+++ b/debian/cryptsetup-nuke-password.preinst
@@ -4,8 +4,41 @@ set -e
if [ "$1" = "install" ]; then
dpkg-divert --rename --package cryptsetup-nuke-password \
- --divert /lib/cryptsetup/askpass.cryptsetup \
+ --divert /usr/lib/cryptsetup/askpass.cryptsetup \
+ --add /usr/lib/cryptsetup/askpass
+ dpkg-divert --rename --package cryptsetup-nuke-password \
+ --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \
--add /lib/cryptsetup/askpass
+elif [ "$1" = "upgrade" ]; then
+ TRUENAME=$(dpkg-divert --truename /usr/lib/cryptsetup/askpass)
+ if test "$TRUENAME" = /usr/lib/cryptsetup/askpass.usr-is-merged; then
+ # crypsetup.preinst duplicated the diversion for us
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --divert /usr/lib/cryptsetup/askpass.usr-is-merged \
+ --remove /usr/lib/cryptsetup/askpass
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --divert /usr/lib/cryptsetup/askpass.cryptsetup \
+ --add /usr/lib/cryptsetup/askpass
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --remove /lib/cryptsetup/askpass
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \
+ --add /lib/cryptsetup/askpass
+ mv "$TRUENAME" /usr/lib/cryptsetup/askpass.cryptsetup
+ elif test "$TRUENAME" != /usr/lib/cryptsetup/askpass.cryptsetup; then
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --divert /usr/lib/cryptsetup/askpass.cryptsetup \
+ --add /usr/lib/cryptsetup/askpass
+ TRUENAME=$(dpkg-divert --truename /lib/cryptsetup/askpass)
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --remove /lib/cryptsetup/askpass
+ dpkg-divert --no-rename --package cryptsetup-nuke-password \
+ --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \
+ --add /lib/cryptsetup/askpass
+ if test -e "$TRUENAME"; then
+ mv "$TRUENAME" /lib/cryptsetup/askpass.cryptsetup.usr-is-merged
+ fi
+ fi
fi
#DEBHELPER#