From 3f29f37592a9d5d4bf2d824a8a5483d955878e20 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 16:15:00 +0200 Subject: Merging debian version 5. Signed-off-by: Daniel Baumann --- debian/changelog | 15 ++++++++++ debian/control | 2 +- debian/cryptsetup-nuke-password.lintian-overrides | 3 ++ debian/cryptsetup-nuke-password.postinst | 16 +++++++++++ debian/cryptsetup-nuke-password.postrm | 4 +-- debian/cryptsetup-nuke-password.preinst | 35 ++++++++++++++++++++++- 6 files changed, 71 insertions(+), 4 deletions(-) create mode 100644 debian/cryptsetup-nuke-password.lintian-overrides diff --git a/debian/changelog b/debian/changelog index a20c90d..a1075a2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +cryptsetup-nuke-password (5) experimental; urgency=medium + + * Team upload, acked by Raphaël. + + [ Raphaël Hertzog ] + * Request update of initramfs when nuke password is changed with + dpkg-reconfigure. + + [ Helmut Grohne ] + * Upgrade cryptsetup-bin dependency to cryptsetup, as that contains askpass. + * DEP17: Move files to /usr (M2) and mitigate file loss with diverions (P7). + (Closes: #1060269) + + -- Helmut Grohne Fri, 05 Jan 2024 18:53:10 +0100 + cryptsetup-nuke-password (4+nmu1-0.0~progress7.99u1) graograman-backports; urgency=medium * Initial reupload to graograman-backports. diff --git a/debian/control b/debian/control index 63668e6..8778988 100644 --- a/debian/control +++ b/debian/control @@ -16,7 +16,7 @@ XSBC-Original-Vcs-Git: https://salsa.debian.org/pkg-security-team/cryptsetup-nuk Package: cryptsetup-nuke-password Architecture: any -Depends: cryptsetup-bin, ${shlibs:Depends}, ${misc:Depends} +Depends: cryptsetup (>= 2:2.7.0-1+exp2~), ${shlibs:Depends}, ${misc:Depends} Enhances: cryptsetup-initramfs Description: Erase the LUKS keys with a special password on the unlock prompt Installing this package lets you configure a special "nuke password" that diff --git a/debian/cryptsetup-nuke-password.lintian-overrides b/debian/cryptsetup-nuke-password.lintian-overrides new file mode 100644 index 0000000..3304653 --- /dev/null +++ b/debian/cryptsetup-nuke-password.lintian-overrides @@ -0,0 +1,3 @@ +# DEP17 P7 M18 +cryptsetup-nuke-password: diversion-for-unknown-file lib/cryptsetup/askpass [preinst:*] +cryptsetup-nuke-password: orphaned-diversion [preinst:*] diff --git a/debian/cryptsetup-nuke-password.postinst b/debian/cryptsetup-nuke-password.postinst index cc083bc..dacc804 100644 --- a/debian/cryptsetup-nuke-password.postinst +++ b/debian/cryptsetup-nuke-password.postinst @@ -49,7 +49,21 @@ store_password_hash() { db_reset cryptsetup-nuke-password/password-again || true } +update_initramfs() { + # The usual postinst run already triggers it due to the "triggers" + # file generated by dh_installinitramfs. But there's no harm in + # triggering twice and we want to make sure it also gets triggered + # when the postinst is run by dpkg-reconfigure. + dpkg-trigger --no-await update-initramfs +} + configure_nuke_password() { + if test "$(dpkg-divert --truename /lib/cryptsetup/askpass)" != /lib/cryptsetup/askpass; then + dpkg-divert --no-rename --package cryptsetup-nuke-password \ + --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \ + --remove /lib/cryptsetup/askpass + fi + db_get cryptsetup-nuke-password/already-configured || true what="$RET" @@ -65,9 +79,11 @@ configure_nuke_password() { echo "INFO: Removing current nuke password." rm -f "$password_hash_path" fi + update_initramfs ;; overwrite) store_password_hash + update_initramfs ;; *) echo "WARNING: unexpected value in debconf's cryptsetup-nuke-password/already-configured: '$what'" >&2 diff --git a/debian/cryptsetup-nuke-password.postrm b/debian/cryptsetup-nuke-password.postrm index f6d4956..c558aba 100644 --- a/debian/cryptsetup-nuke-password.postrm +++ b/debian/cryptsetup-nuke-password.postrm @@ -4,8 +4,8 @@ set -e if [ "$1" = "remove" ]; then dpkg-divert --rename --package cryptsetup-nuke-password \ - --divert /lib/cryptsetup/askpass.cryptsetup \ - --remove /lib/cryptsetup/askpass + --divert /usr/lib/cryptsetup/askpass.cryptsetup \ + --remove /usr/lib/cryptsetup/askpass elif [ "$1" = "purge" ]; then rm -rf /etc/cryptsetup-nuke-password fi diff --git a/debian/cryptsetup-nuke-password.preinst b/debian/cryptsetup-nuke-password.preinst index 7836282..2b0580e 100644 --- a/debian/cryptsetup-nuke-password.preinst +++ b/debian/cryptsetup-nuke-password.preinst @@ -4,8 +4,41 @@ set -e if [ "$1" = "install" ]; then dpkg-divert --rename --package cryptsetup-nuke-password \ - --divert /lib/cryptsetup/askpass.cryptsetup \ + --divert /usr/lib/cryptsetup/askpass.cryptsetup \ + --add /usr/lib/cryptsetup/askpass + dpkg-divert --rename --package cryptsetup-nuke-password \ + --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \ --add /lib/cryptsetup/askpass +elif [ "$1" = "upgrade" ]; then + TRUENAME=$(dpkg-divert --truename /usr/lib/cryptsetup/askpass) + if test "$TRUENAME" = /usr/lib/cryptsetup/askpass.usr-is-merged; then + # crypsetup.preinst duplicated the diversion for us + dpkg-divert --no-rename --package cryptsetup-nuke-password \ + --divert /usr/lib/cryptsetup/askpass.usr-is-merged \ + --remove /usr/lib/cryptsetup/askpass + dpkg-divert --no-rename --package cryptsetup-nuke-password \ + --divert /usr/lib/cryptsetup/askpass.cryptsetup \ + --add /usr/lib/cryptsetup/askpass + dpkg-divert --no-rename --package cryptsetup-nuke-password \ + --remove /lib/cryptsetup/askpass + dpkg-divert --no-rename --package cryptsetup-nuke-password \ + --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \ + --add /lib/cryptsetup/askpass + mv "$TRUENAME" /usr/lib/cryptsetup/askpass.cryptsetup + elif test "$TRUENAME" != /usr/lib/cryptsetup/askpass.cryptsetup; then + dpkg-divert --no-rename --package cryptsetup-nuke-password \ + --divert /usr/lib/cryptsetup/askpass.cryptsetup \ + --add /usr/lib/cryptsetup/askpass + TRUENAME=$(dpkg-divert --truename /lib/cryptsetup/askpass) + dpkg-divert --no-rename --package cryptsetup-nuke-password \ + --remove /lib/cryptsetup/askpass + dpkg-divert --no-rename --package cryptsetup-nuke-password \ + --divert /lib/cryptsetup/askpass.cryptsetup.usr-is-merged \ + --add /lib/cryptsetup/askpass + if test -e "$TRUENAME"; then + mv "$TRUENAME" /lib/cryptsetup/askpass.cryptsetup.usr-is-merged + fi + fi fi #DEBHELPER# -- cgit v1.2.3