Diffstat (limited to '')
-rwxr-xr-x | debian/signing-template.generate | 49 | ||||
-rw-r--r-- | debian/signing-template.json.in | 14 | ||||
-rw-r--r-- | debian/signing-template/README.source | 4 | ||||
-rw-r--r-- | debian/signing-template/bug-control.in | 1 | ||||
-rw-r--r-- | debian/signing-template/changelog.in | 11 | ||||
-rw-r--r-- | debian/signing-template/compat | 1 | ||||
-rw-r--r-- | debian/signing-template/control.in | 28 | ||||
-rw-r--r-- | debian/signing-template/copyright | 51 | ||||
-rwxr-xr-x | debian/signing-template/rules.in | 19 | ||||
-rw-r--r-- | debian/signing-template/source/format | 1 |
10 files changed, 179 insertions, 0 deletions
diff --git a/debian/signing-template.generate b/debian/signing-template.generate
new file mode 100755
index 0000000..4718eab
--- /dev/null
+++ b/debian/signing-template.generate
@@ -0,0 +1,49 @@
+#!/bin/sh
+set -e -u
+
+pkg_base="${1?:missing binary package name}"
+pkg_unsigned="${pkg_base}-bin"
+pkg_signed="${pkg_base}-signed"
+pkg_tmpl="${pkg_signed}-template"
+
+distribution="$(dpkg-parsechangelog -S Distribution)"
+urgency="$(dpkg-parsechangelog -S Urgency)"
+date="$(dpkg-parsechangelog -S Date)"
+version_binary="$(dpkg-parsechangelog -S Version)"
+version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')"
+
+subst () {
+ sed \
+ -e "s/@pkg_unsigned@/${pkg_unsigned}/g" \
+ -e "s/@pkg_signed@/${pkg_signed}/g" \
+ -e "s/@pkg_tmpl@/${pkg_tmpl}/g" \
+ -e "s/@efi@/${SB_EFI_NAME}/g" \
+ -e "s/@efi_platform@/${SB_PLATFORM}/g" \
+ -e "s/@arch@/${DEB_HOST_ARCH}/g" \
+ -e "s/@version_binary@/${version_binary}/g" \
+ -e "s/@version_mangled@/${version_mangled}/g" \
+ -e "s/@distribution@/${distribution}/g" \
+ -e "s/@urgency@/${urgency}/g" \
+ -e "s/@date@/${date}/g" \
+ "$@"
+}
+
+template='./debian/signing-template'
+pkg_dir="debian/${pkg_tmpl}/usr/share/code-signing/${pkg_tmpl}"
+pkg_deb="${pkg_dir}/source-template/debian"
+
+install -m 0755 -d "${pkg_dir}"
+subst < ./debian/signing-template.json.in > "${pkg_dir}/files.json"
+
+find "${template}" -type f -printf '%P\n' |
+while read path
+do
+ src="${template}/${path}"
+ dst="${pkg_deb}/${path}"
+
+ install -m 0755 -d "${dst%/*}"
+ subst < "${src}" > "${dst%.in}"
+ chmod --reference="${src}" "${dst%.in}"
+done
+
+exit 0
diff --git a/debian/signing-template.json.in b/debian/signing-template.json.in
new file mode 100644
index 0000000..bd72396
--- /dev/null
+++ b/debian/signing-template.json.in
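Review bot: In debian/signing-template.generate, `pkg_base="${1?:missing binary package name}"` uses the `?` form with a stray colon, so it aborts only when the argument is unset; an empty argument passes and yields package names such as `-bin` and `-signed-template`. The intended form is probably `pkg_base="${1:?missing binary package name}"`. Separately, `subst` interpolates `SB_EFI_NAME`, `SB_PLATFORM`, `DEB_HOST_ARCH` and the changelog fields straight into sed replacement text, so a value containing `/`, `&` or a backslash would silently corrupt the generated `files.json`, which appears to be the list of binaries handed to the signing service. Checking those values against an expected character set before substitution would turn that into a loud failure. The `find | while read` pipeline also hides a failing `find` under plain `sh`, and `read` without `-r` mangles backslashes in paths.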
@@ -0,0 +1,14 @@
+{
+ "version": "2",
+ "packages": {
+ "@pkg_unsigned@": {
+ "trusted_certs": [],
+ "files": [
+ {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/gcd@efi@.efi"},
+ {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@.efi"},
+ {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@-installer.efi"},
+ {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grub@efi@.efi"}
+ ]
+ }
+ }
+}
diff --git a/debian/signing-template/README.source b/debian/signing-template/README.source
new file mode 100644
index 0000000..116a66b
--- /dev/null
+++ b/debian/signing-template/README.source
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the grub2 package. It should never be updated directly.
+
+ -- Philipp Matthias Hahn <pmhahn@debian.org> Sat, 07 Apr 2018 16:26:11 +0200
diff --git a/debian/signing-template/bug-control.in b/debian/signing-template/bug-control.in
new file mode 100644
index 0000000..ef95218
--- /dev/null
+++ b/debian/signing-template/bug-control.in
@@ -0,0 +1 @@
+Submit-As: @pkg_unsigned@
diff --git a/debian/signing-template/changelog.in b/debian/signing-template/changelog.in
new file mode 100644
index 0000000..3b4df18
--- /dev/null
+++ b/debian/signing-template/changelog.in
@@ -0,0 +1,11 @@
+@pkg_signed@ (1+@version_mangled@) @distribution@; urgency=@urgency@
+
+ * Update to grub2 @version_binary@
+
+ -- Debian signing service <ftpmaster@debian.org> @date@
+
+@pkg_signed@ (1) unstable; urgency=medium
+
+ * Add template source package for signing
+
+ -- Philipp Matthias Hahn <pmhahn@debian.org> Sat, 07 Apr 2018 17:16:27 +0200
diff --git a/debian/signing-template/compat b/debian/signing-template/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/signing-template/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in
new file mode 100644
index 0000000..cd928c6
--- /dev/null
+++ b/debian/signing-template/control.in
@@ -0,0 +1,28 @@
+Source: @pkg_signed@
+Section: admin
+Priority: optional
+Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
+Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, Colin Watson <cjwatson@debian.org>, Ian Campbell <ijc@debian.org>
+Standards-Version: 3.9.8
+Build-Depends: debhelper (>= 10.1~),
+ sbsigntool [amd64 arm64 i386],
+ @pkg_unsigned@ (= @version_binary@),
+Rules-Requires-Root: no
+
+Package: @pkg_signed@
+Architecture: @arch@
+Depends: grub-common (>= @version_binary@)
+Recommends: shim-signed
+Built-Using: grub2 (= @version_binary@)
+Description: GRand Unified Bootloader, version 2 (@arch@ UEFI signed by Debian)
+ GRUB is a portable, powerful bootloader. This version of GRUB is based on a
+ cleaner design than its predecessors, and provides the following new features:
+ .
+ - Scripting in grub.cfg using BASH-like syntax.
+ - Support for modern partition maps such as GPT.
+ - Modular generation of grub.cfg via update-grub. Packages providing GRUB
+ add-ons can plug in their own script rules and trigger updates by invoking
+ update-grub.
+ .
+ This package contains the binaries signed by the Debian UEFI CA to be used by
+ shim-signed.
diff --git a/debian/signing-template/copyright b/debian/signing-template/copyright
new file mode 100644
index 0000000..d94e00b
--- /dev/null
+++ b/debian/signing-template/copyright
@@ -0,0 +1,51 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This file describes only the grub2-signed source package.
+
+Files: debian/signatures/*
+License: public-domain
+ Digital signatures and certificates are presumed not to be
+ copyrightable works, and no copyright is claimed for them.
+Comment:
+ The signatures and certificates in this package cannot be regenerated
+ as-is without the associated private key material, but they can be
+ replaced using alternate private keys.
+
+Files: debian/rules
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 2 as
+ published by the Free Software Foundation.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+Files: debian/*
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or (at
+ your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
diff --git a/debian/signing-template/rules.in b/debian/signing-template/rules.in
new file mode 100755
index 0000000..fec6ca5
--- /dev/null
+++ b/debian/signing-template/rules.in
@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+SIG_DIR := debian/signatures/@pkg_unsigned@
+
+%:
+ dh $@
+
+override_dh_auto_install:
+ set -e ; \
+ find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
+ while read sig; do \
+ dst="debian/tmp/$${sig%/monolithic/*}-signed/$${sig##*/}ned" ; \
+ install -m 0755 -d "$${dst%/*}" ; \
+ install -m 0644 "/$${sig%.sig}" "$$dst" ; \
+ sbattach --attach "$(SIG_DIR)/$$sig" "$$dst" ; \
+ done
+
+override_dh_install:
+ dh_install --sourcedir=debian/tmp .
diff --git a/debian/signing-template/source/format b/debian/signing-template/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/signing-template/source/format
@@ -0,0 +1 @@
+3.0 (native) |
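Review bot: In `override_dh_auto_install` of debian/signing-template/rules.in, a missing or empty `$(SIG_DIR)` still leaves the `find | while read` pipeline with exit status 0, so the build succeeds and produces a package containing no signed binaries. A guard such as `test -d "$(SIG_DIR)" ; \` placed right after `set -e ; \` would at least make a missing signature directory fail the build. Nothing visible in the recipe checks the result of `sbattach --attach` against the expected certificate; if sbattach does not validate the match itself, a verification step using sbverify from the same sbsigntool build dependency would catch a signature that does not belong to the installed `/$${sig%.sig}` binary. The `$${sig##*/}ned` suffix trick deserves a one-line comment, for example `# foo.efi.sig -> foo.efi.signed`.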