summaryrefslogtreecommitdiffstats
path: root/debian/signing_templates
diff options
context:
space:
mode:
Diffstat (limited to 'debian/signing_templates')
-rw-r--r--debian/signing_templates/README.source4
-rw-r--r--debian/signing_templates/headers.meta.lintian-overrides.in3
-rw-r--r--debian/signing_templates/image.control.in12
-rwxr-xr-xdebian/signing_templates/rules20
-rw-r--r--debian/signing_templates/rules.real94
-rwxr-xr-xdebian/signing_templates/sign-file-attach56
-rw-r--r--debian/signing_templates/source.control.in16
-rw-r--r--debian/signing_templates/source.lintian-overrides.in7
-rw-r--r--debian/signing_templates/source/format1
9 files changed, 213 insertions, 0 deletions
diff --git a/debian/signing_templates/README.source b/debian/signing_templates/README.source
new file mode 100644
index 000000000..f175c35b3
--- /dev/null
+++ b/debian/signing_templates/README.source
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the linux package. It should never be updated directly.
+
+ -- Ben Hutchings <ben@decadent.org.uk> Fri, 06 Apr 2018 10:23:29 +0100
diff --git a/debian/signing_templates/headers.meta.lintian-overrides.in b/debian/signing_templates/headers.meta.lintian-overrides.in
new file mode 100644
index 000000000..4a0a7c08c
--- /dev/null
+++ b/debian/signing_templates/headers.meta.lintian-overrides.in
@@ -0,0 +1,3 @@
+# linux-signed-* source packages are generated by the linux source
+# package, so it is OK for their binaries to share documentation
+@package@: usr-share-doc-symlink-to-foreign-package linux-headers-@abiname@@localversion@
diff --git a/debian/signing_templates/image.control.in b/debian/signing_templates/image.control.in
new file mode 100644
index 000000000..4fffd2b6f
--- /dev/null
+++ b/debian/signing_templates/image.control.in
@@ -0,0 +1,12 @@
+Package: linux-image-@abiname@@localversion@
+Meta-Rules-Target: image
+Depends: ${unsigned:Depends}, ${misc:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Breaks: ${unsigned:Breaks}
+Conflicts: linux-image-@abiname@@localversion@-unsigned
+Replaces: linux-image-@abiname@@localversion@-unsigned
+Description: ${unsigned:DescriptionShort} (signed)
+ ${unsigned:DescriptionLong}
+ .
+ ${signed:Description}
diff --git a/debian/signing_templates/rules b/debian/signing_templates/rules
new file mode 100755
index 000000000..ad6156b87
--- /dev/null
+++ b/debian/signing_templates/rules
@@ -0,0 +1,20 @@
+#!/usr/bin/make -f
+SHELL := sh -e
+
+include /usr/share/dpkg/architecture.mk
+
+build: build-arch build-indep
+build-arch:
+build-indep:
+
+clean:
+ dh_testdir
+ dh_clean
+
+binary: binary-arch binary-indep
+binary-arch: debian/control
+ dh_testdir
+ $(MAKE) -f debian/rules.gen binary-arch_$(DEB_HOST_ARCH)
+binary-indep:
+
+.PHONY: build build-arch build-indep clean binary binary-arch binary-indep
diff --git a/debian/signing_templates/rules.real b/debian/signing_templates/rules.real
new file mode 100644
index 000000000..d445e2672
--- /dev/null
+++ b/debian/signing_templates/rules.real
@@ -0,0 +1,94 @@
+SHELL := bash -e
+
+export DH_OPTIONS
+
+BUILDDEB_ARGS := -Zxz $(if $(filter pkg.linux.quick,$(DEB_BUILD_PROFILES)),-z0)
+
+build-indep:
+
+build_image:
+
+binary_image: DH_OPTIONS = -p$(PACKAGE_NAME)
+binary_image: KERNEL_VERSION = $(ABINAME)$(LOCALVERSION)
+binary_image: IMAGE_PACKAGE_NAME = linux-image-$(KERNEL_VERSION)-unsigned
+binary_image: PACKAGE_DIR = debian/$(PACKAGE_NAME)
+binary_image: SIGNATURE_DIR = debian/signatures/$(IMAGE_PACKAGE_NAME)
+binary_image:
+ mkdir -p $(PACKAGE_DIR)/boot
+ rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
+ $(PACKAGE_DIR)/boot/
+ if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+ sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+ $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+ echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
+ else \
+ echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
+ fi
+ mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+ rsync -a $(addprefix /lib/modules/$(KERNEL_VERSION)/,modules.builtin modules.builtin.modinfo modules.order) \
+ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
+ find $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION) -name '*.sig' -printf '%P\n' | \
+ debian/sign-file-attach \
+ $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION) \
+ /lib/modules/$(KERNEL_VERSION) \
+ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+# Copy any device tree files
+ if [ -d /usr/lib/linux-image-$(KERNEL_VERSION) ]; then \
+ mkdir -p $(PACKAGE_DIR)/usr/lib/linux-image-$(KERNEL_VERSION); \
+ rsync -a /usr/lib/linux-image-$(KERNEL_VERSION)/ \
+ $(PACKAGE_DIR)/usr/lib/linux-image-$(KERNEL_VERSION)/; \
+ fi
+# Copy bug scripts but change the info file to refer to the right package
+ mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)
+ rsync -a /usr/share/bug/$(IMAGE_PACKAGE_NAME)/ \
+ $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/
+ sed -i -e 's/^PACKAGE_NAME=.*/PACKAGE_NAME=$(PACKAGE_NAME)/' \
+ -e 's/^PACKAGE_VERSION=.*/PACKAGE_VERSION=$(PACKAGE_VERSION)/' \
+ $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/info
+ dh_install
+ dh_installchangelogs
+ ln -sf linux-image.NEWS debian/$(PACKAGE_NAME).NEWS
+ dh_installdocs
+ dh_lintian
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+# Copy most package relations and description from unsigned package
+ for field in Depends Suggests Recommends Breaks; do \
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
+ done
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
+ dh_gencontrol -- $(GENCONTROL_ARGS)
+ dh_md5sums
+ dh_builddeb -- $(BUILDDEB_ARGS)
+
+build_meta:
+
+binary_meta:
+ dh_testdir
+ dh_prep
+ dh_bugfiles
+ dh_installdocs --link-doc=$(INSTALLDOCS_LINK_DOC)
+ dh_lintian
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_gencontrol -- $(GENCONTROL_ARGS)
+ dh_md5sums
+ dh_builddeb -- $(BUILDDEB_ARGS)
+
+build_udeb:
+
+binary_udeb: export KW_DEFCONFIG_DIR=/usr/share/linux-support-$(ABINAME)/installer
+binary_udeb: export KW_CONFIG_DIR=/usr/share/linux-support-$(ABINAME)/installer
+binary_udeb:
+ dh_testdir
+ dh_prep
+ kernel-wedge install-files $(ABINAME)
+ kernel-wedge check $(PACKAGE_NAMES)
+ dh_fixperms
+ dh_gencontrol -- $(GENCONTROL_ARGS)
+ dh_builddeb -- $(BUILDDEB_ARGS)
+
+.PHONY: build_% binary_%
diff --git a/debian/signing_templates/sign-file-attach b/debian/signing_templates/sign-file-attach
new file mode 100755
index 000000000..6a8a18cac
--- /dev/null
+++ b/debian/signing_templates/sign-file-attach
@@ -0,0 +1,56 @@
+#!/usr/bin/python3
+
+import argparse
+import pathlib
+import shutil
+import struct
+import sys
+
+
+module_magic = b'~Module signature appended~\n'
+# Only relevant fields are id_type and sig_len
+module_signature = struct.Struct('!2xB2x3xL')
+module_signature_PKEY_ID_PKCS7 = 2
+
+
+def sign_file_attach(sig_base: pathlib.Path, module_base: pathlib.Path, output_base: pathlib.Path) -> None:
+ for line in sys.stdin:
+ path, _, file = line.strip().rpartition('/')
+ name, _, _ = file.partition('.')
+
+ sig = sig_base / path / f'{name}.ko.sig'
+ module = module_base / path / f'{name}.ko'
+ output = output_base / path / f'{name}.ko'
+ output.parent.mkdir(parents=True, exist_ok=True)
+
+ with sig.open('rb') as f_sig, module.open('rb') as f_module, output.open('wb') as f_output:
+ shutil.copyfileobj(f_module, f_output)
+ shutil.copyfileobj(f_sig, f_output)
+ len_sig = f_sig.tell()
+ f_output.write(module_signature.pack(
+ module_signature_PKEY_ID_PKCS7,
+ len_sig,
+ ))
+ f_output.write(module_magic)
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ 'sig_base',
+ metavar='SIGNATURE',
+ type=pathlib.Path,
+ )
+ parser.add_argument(
+ 'module_base',
+ metavar='MODULE',
+ type=pathlib.Path,
+ )
+ parser.add_argument(
+ 'output_base',
+ metavar='OUTPUT',
+ type=pathlib.Path,
+ )
+ args = parser.parse_args()
+
+ sign_file_attach(**vars(args))
diff --git a/debian/signing_templates/source.control.in b/debian/signing_templates/source.control.in
new file mode 100644
index 000000000..2468a8c14
--- /dev/null
+++ b/debian/signing_templates/source.control.in
@@ -0,0 +1,16 @@
+Source: linux-signed@source_suffix@-@arch@
+Section: kernel
+Priority: optional
+Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
+Uploaders: Bastian Blank <waldi@debian.org>, maximilian attems <maks@debian.org>, Ben Hutchings <benh@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
+Standards-Version: 4.2.0
+Build-Depends:
+ debhelper-compat (= 12), dh-exec,
+ python3:any,
+ rsync,
+ sbsigntool [amd64 arm64 i386],
+ kernel-wedge (>= 2.102~),
+Rules-Requires-Root: no
+Vcs-Git: https://salsa.debian.org/kernel-team/linux.git
+Vcs-Browser: https://salsa.debian.org/kernel-team/linux
+Homepage: https://www.kernel.org/
diff --git a/debian/signing_templates/source.lintian-overrides.in b/debian/signing_templates/source.lintian-overrides.in
new file mode 100644
index 000000000..34d68e762
--- /dev/null
+++ b/debian/signing_templates/source.lintian-overrides.in
@@ -0,0 +1,7 @@
+# linux-signed-* source packages are generated by the linux source
+# package, and produce binaries with the same versions, even in case
+# of a binNMU of linux
+linux-signed-@arch@ source: version-substvar-for-external-package Depends *${binary:Version} linux-headers-* -> linux-headers-*
+
+# The changelog is mostly copied from linux which is non-native
+linux-signed-@arch@ source: odd-historical-debian-changelog-version * (for native)*
diff --git a/debian/signing_templates/source/format b/debian/signing_templates/source/format
new file mode 100644
index 000000000..89ae9db8f
--- /dev/null
+++ b/debian/signing_templates/source/format
@@ -0,0 +1 @@
+3.0 (native)