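#!/bin/bash
#
# gen-signing-template: generate the code-signing template for systemd-boot-efi.
#
# Usage: gen-signing-template DEB_VERSION DEB_HOST_ARCH DEB_HOST_ARCH_EFI
#
# All paths are relative to the current directory (debian/...), and the
# changelog is read through dpkg-parsechangelog. The script expands the files
# under debian/signing-template with envsubst, writes a changelog for the
# signed source package and writes files.json naming the EFI binary to sign.

# -e/-u: stop on errors and unset variables; -E: ERR traps are inherited by
# functions and subshells; pipefail: a failing left-hand stage of a pipeline
# is no longer hidden by the exit status of the last stage.
set -euE -o pipefail

if (( $# < 3 )); then
	printf 'Usage: %s DEB_VERSION DEB_HOST_ARCH DEB_HOST_ARCH_EFI\n' "${0##*/}" >&2
	exit 2
fi

# Exported because envsubst takes its substitutions from the environment.
export DEB_VERSION="${1:?DEB_VERSION must not be empty}"
export DEB_HOST_ARCH="${2:?DEB_HOST_ARCH must not be empty}"
export DEB_HOST_ARCH_EFI="${3:?DEB_HOST_ARCH_EFI must not be empty}"

# Both architecture values become a single path component of the output
# directory and of the file name recorded in files.json, so a value carrying
# a path separator would redirect what gets written and what gets signed.
case "${DEB_HOST_ARCH}${DEB_HOST_ARCH_EFI}" in
	*/*)
		printf '%s: architecture arguments must not contain "/"\n' "${0##*/}" >&2
		exit 2
		;;
esac

# Fields of the current changelog entry, reused for the generated changelog.
DISTRIBUTION="$(dpkg-parsechangelog -SDistribution)"
URGENCY="$(dpkg-parsechangelog -SUrgency)"
MAINT="$(dpkg-parsechangelog -SMaintainer)"
DATE="$(dpkg-parsechangelog -SDate)"

# Version of the signed package: the first "-" becomes "+", and a trailing
# "+bN" suffix is rewritten to ".bN".
# NOTE(review): only the first hyphen is replaced; a version with a hyphen in
# its upstream part would keep the later ones. Confirm that cannot occur.
DEB_VERSION_MANGLED="$(printf '%s\n' "$DEB_VERSION" | sed -re 's/-/\+/;s/\+(b[[:digit:]]+)$/.\1/')"
# Source version: DEB_VERSION without a trailing "+bN" suffix.
DEB_VERSION_SOURCE="$(printf '%s\n' "$DEB_VERSION" | sed -re 's/\+b[[:digit:]]+$//')"
export DEB_VERSION_SOURCE

SIGN_TEMPLATE_DIR="debian/systemd-boot-efi-${DEB_HOST_ARCH}-signed-template/usr/share/code-signing/systemd-boot-efi-${DEB_HOST_ARCH}-signed-template"
SIGN_SOURCE_DIR="${SIGN_TEMPLATE_DIR}/source-template/debian"
# Path of the EFI binary to be signed, as recorded in files.json.
FILE="usr/lib/systemd/boot/efi/systemd-boot${DEB_HOST_ARCH_EFI}.efi"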

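# Expand every file under debian/signing-template into the source template's
# debian/ directory, keeping the relative layout.
if [[ ! -d debian/signing-template ]]; then
	echo "debian/signing-template: no such directory" >&2
	exit 1
fi

# NUL-delimited so that a path containing whitespace or glob characters is
# handled as one name instead of being split or expanded by the shell.
while IFS= read -r -d '' template; do
	mkdir -p -- "$SIGN_SOURCE_DIR/$(dirname -- "$template")"
	# NOTE(review): envsubst runs without a SHELL-FORMAT argument, so any
	# $VAR / ${VAR} reference in a template is replaced from the whole
	# process environment (unset names become empty), not only from the
	# DEB_* variables exported above. As the output feeds a code-signing
	# source package, consider passing an explicit variable list once the
	# set of variables the templates use has been confirmed.
	envsubst < "debian/signing-template/$template" > "$SIGN_SOURCE_DIR/$template"
done < <(find debian/signing-template -type f -printf '%P\0')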

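# Write the changelog of the generated signed source package: a header line
# built from the mangled version and the current entry's distribution and
# urgency, a fixed first item, the change lines of the current entry, and the
# maintainer/date trailer.
(
	# Local to this subshell: without pipefail a failing dpkg-parsechangelog
	# is hidden by sed's exit status and the changelog would silently be
	# written without the original entries.
	set -o pipefail

	printf '%s\n' "systemd-boot-efi-${DEB_HOST_ARCH}-signed (${DEB_VERSION_MANGLED}) ${DISTRIBUTION}; urgency=${URGENCY}"
	printf '\n'
	printf '%s\n' "  * Sign EFI binaries from systemd-boot-efi ${DEB_VERSION}"
	# sed -n prints only what the two commands select: single-character
	# lines are emitted as empty lines, lines starting with a space are
	# emitted unchanged; anything else (presumably the entry's header line)
	# is dropped.
	dpkg-parsechangelog -SChanges | sed -rne 's/^.$//p' -e '/^ /p'
	printf '\n'
	printf '%s\n' " -- ${MAINT}  ${DATE}"
) > "$SIGN_SOURCE_DIR/changelog"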

# Write files.json for the signing template: a single package,
# "systemd-boot-efi", with an empty trusted_certs list and one file entry of
# sig_type "efi". The path is handed to jq with --arg, so it reaches the
# document as a properly escaped JSON string rather than as filter text.
jq --null-input --arg file "$FILE" \
	'{packages: {"systemd-boot-efi": {trusted_certs: [], files: [{sig_type: "efi", file: $file}]}}}' \
	> "${SIGN_TEMPLATE_DIR}/files.json"