[wireless-regdb] 24/24: Generate a detached signature at source preparation time (Closes: #725803)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sun Aug 30 09:25:50 UTC 2015 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository wireless-regdb.

commit accf5092e3114899c5cffa5dd6d9ce6d3078ea36
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Aug 30 10:20:25 2015 +0100

    Generate a detached signature at source preparation time (Closes: #725803)
    
    Put the detached signature in the source package and append it to
    regulatory.bin when building the binary package.  This makes the
    package auto-buildable and reproducible.
    
    Closely based on Jérémy Bobbio's patches.
---
 debian/.gitignore                                  |  1 +
 debian/README.source                               |  8 +-
 debian/changelog                                   |  5 +-
 ...recording_and_using_an_external_signature.patch | 92 ++++++++++++++++++++++
 debian/patches/series                              |  2 +
 debian/patches/split_signature_generation.patch    | 45 +++++++++++
 debian/rules                                       | 11 ++-
 debian/source/include-binaries                     |  1 +
 8 files changed, 159 insertions(+), 6 deletions(-)

diff --git a/debian/.gitignore b/debian/.gitignore
index 8eda13e..5938a03 100644
--- a/debian/.gitignore
+++ b/debian/.gitignore
@@ -3,4 +3,5 @@
 /*.debhelper*
 /*.substvars
 /files
+/regulatory.bin.sig
 /wireless-regdb/
diff --git a/debian/README.source b/debian/README.source
index f796005..5808fc7 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -9,8 +9,8 @@ If you need to make an NMU, you'll first have to create a key-pair.
    modify this package to install it in /lib/crda/pubkeys.
 5. Set REGDB_AUTHOR=<author-id> in debian/rules.
 
-Note, you cannot build this package using an automated builder.  You can
-use e.g. 'pbuilder --login --bindmounts /home' to create a controlled
-chroot in which to build it.
+When preparing a source package, you must run 'debian/rules sign' to
+create a detached signature so that the private key is not needed when
+building the binary package.
 
- -- Ben Hutchings <ben at decadent.org.uk>, Mon, 11 Apr 2011 13:31:22 +0100
+ -- Ben Hutchings <ben at decadent.org.uk>, Sun, 30 Aug 2015 03:04:52 +0100
diff --git a/debian/changelog b/debian/changelog
index 8b0e79f..55f7cbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -18,8 +18,11 @@ wireless-regdb (2015.07.20-1) unstable; urgency=medium
     - Update rules for Russia (RU): disable VHT80; add 60 GHz band
     - Update rules for United States (US): re-add channels 100..144
       (5490-5730 MHz)
+  * Generate a detached signature at source preparation time and append
+    it when building the binary package (thanks to Jérémy Bobbio)
+    (Closes: #725803)
 
- -- Ben Hutchings <ben at decadent.org.uk>  Sun, 30 Aug 2015 01:16:37 +0100
+ -- Ben Hutchings <ben at decadent.org.uk>  Sun, 30 Aug 2015 10:20:04 +0100
 
 wireless-regdb (2014.11.18-1) unstable; urgency=medium
 
diff --git a/debian/patches/enable_recording_and_using_an_external_signature.patch b/debian/patches/enable_recording_and_using_an_external_signature.patch
new file mode 100644
index 0000000..b5b5514
--- /dev/null
+++ b/debian/patches/enable_recording_and_using_an_external_signature.patch
@@ -0,0 +1,92 @@
+From: Jérémy Bobbio <lunar at debian.org>
+Date: Mon, 9 Feb 2015 19:52:17 +0100
+Subject: Enable recording and using an external signature
+Bug-Debian: https://bugs.debian.org/725803
+
+To make wireless-regdb build reproducibly, we need a way to save
+the signature of the database to an external file and later reuse
+it instead of requiring the private key.
+
+--- a/db2bin.py
++++ b/db2bin.py
+@@ -11,6 +11,8 @@ VERSION = 19
+ 
+ if len(sys.argv) < 3:
+     print 'Usage: %s output-file input-file [key-file]' % sys.argv[0]
++    print '       %s -s signature-file input-file key-file' % sys.argv[0]
++    print '       %s -i signature-file output-file input-file' % sys.argv[0]
+     sys.exit(2)
+ 
+ def create_rules(countries):
+@@ -48,8 +50,27 @@ class PTR(object):
+     def get(self):
+         return self._offset
+ 
++if sys.argv[1] == '-s':
++    signature_path = sys.argv[2]
++    input_path = sys.argv[3]
++    output_path = None
++    key_path = sys.argv[4]
++elif sys.argv[1] == '-i':
++    signature_path = sys.argv[2]
++    output_path = sys.argv[3]
++    input_path = sys.argv[4]
++    key_path = None
++else:
++    signature_path = None
++    output_path = sys.argv[1]
++    input_path = sys.argv[2]
++    if len(sys.argv) > 3:
++        key_path = sys.argv[3]
++    else:
++        key_path = None
++
+ p = DBParser()
+-countries = p.parse(file(sys.argv[2]))
++countries = p.parse(file(input_path))
+ power = []
+ bands = []
+ for c in countries.itervalues():
+@@ -119,27 +140,37 @@ for alpha2 in countrynames:
+     output.write(struct.pack('>ccxBI', str(alpha2[0]), str(alpha2[1]), coll.dfs_region, reg_rules_collections[coll.permissions]))
+ 
+ 
+-if len(sys.argv) > 3:
++if key_path:
+     # Load RSA only now so people can use this script
+     # without having those libraries installed to verify
+     # their SQL changes
+     from M2Crypto import RSA
+ 
+     # determine signature length
+-    key = RSA.load_key(sys.argv[3])
++    key = RSA.load_key(key_path)
+     hash = hashlib.sha1()
+     hash.update(output.getvalue())
+     sig = key.sign(hash.digest())
+-    # write it to file
+     siglen.set(len(sig))
++
+     # sign again
+     hash = hashlib.sha1()
+     hash.update(output.getvalue())
+     sig = key.sign(hash.digest())
+ 
++    if output_path:
++        output.write(sig)
++    else:
++        with file(signature_path, 'w') as sigfile:
++            sigfile.write(sig)
++elif signature_path and output_path:
++    with file(signature_path) as sigfile:
++      sig = sigfile.read()
++    siglen.set(len(sig))
+     output.write(sig)
+ else:
+     siglen.set(0)
+ 
+-outfile = open(sys.argv[1], 'w')
+-outfile.write(output.getvalue())
++if output_path:
++    outfile = open(output_path, 'w')
++    outfile.write(output.getvalue())
diff --git a/debian/patches/series b/debian/patches/series
index e7980ae..d748e10 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 dont_auto_create_keypair
 keep-setting-NO_IBSS-flag.patch
+enable_recording_and_using_an_external_signature.patch
+split_signature_generation.patch
diff --git a/debian/patches/split_signature_generation.patch b/debian/patches/split_signature_generation.patch
new file mode 100644
index 0000000..a33477f
--- /dev/null
+++ b/debian/patches/split_signature_generation.patch
@@ -0,0 +1,45 @@
+From: Jérémy Bobbio <lunar at debian.org>
+Date: Mon, 9 Feb 2015 19:52:17 +0100
+Subject: Split signature generation
+Bug-Debian: https://bugs.debian.org/725803
+
+Now that db2bin.py supports recording a signature to re-use it later,
+we now split the generation of regulatory.bin to create an intermediate
+signature.
+
+The signature can then be shipped in the source to allow the build
+to be reproduced by independent parties.
+
+[bwh: Call the signature file regulatory.bin.sig, not signature]
+
+--- a/Makefile
++++ b/Makefile
+@@ -36,10 +36,11 @@ REGDB_UPSTREAM_PUBKEY ?= sforshee.key.pu
+ 
+ REGDB_CHANGED = $(shell $(SHA1SUM) -c --status sha1sum.txt >/dev/null 2>&1; \
+         if [ $$? -ne 0 ]; then \
+-                echo maintainer-clean $(REGDB_PUBKEY); \
++                echo maintainer-clean; \
+         fi)
+ 
+ .PHONY: all clean mrproper install maintainer-clean install-distro-key
++.SECONDARY: $(REGDB_PRIVKEY) $(REGDB_PUBKEY)
+ 
+ all: $(REGDB_CHANGED) regulatory.bin sha1sum.txt
+ 
+@@ -53,9 +54,12 @@ mrproper: clean maintainer-clean
+ 	@echo Removed public key, regulatory.bin and compresed man pages
+ 	@rm -f $(REGDB_PUBKEY) .custom
+ 
+-regulatory.bin: db.txt $(REGDB_PRIVKEY) $(REGDB_PUBKEY)
+-	@echo Generating $@ digitally signed by $(REGDB_AUTHOR)...
+-	./db2bin.py regulatory.bin db.txt $(REGDB_PRIVKEY)
++regulatory.bin: db.txt regulatory.bin.sig
++	./db2bin.py -i regulatory.bin.sig regulatory.bin db.txt
++
++regulatory.bin.sig: db.txt $(REGDB_PRIVKEY) $(REGDB_PUBKEY)
++	@echo Generating signature by $(REGDB_AUTHOR)...
++	./db2bin.py -s regulatory.bin.sig db.txt $(REGDB_PRIVKEY)
+ 
+ sha1sum.txt: db.txt
+ 	sha1sum $< > $@
diff --git a/debian/rules b/debian/rules
index 395f37c..b09f09e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -9,6 +9,9 @@ export LSB_ID        = Debian/Ubuntu
 %:
 	dh ${@}
 
+override_dh_auto_configure:
+	cp debian/regulatory.bin.sig .
+
 override_dh_install:
 	make DESTDIR=debian/wireless-regdb install
 # crda will install public keys
@@ -16,4 +19,10 @@ override_dh_install:
 
 override_dh_auto_clean:
 	dh_auto_clean -- mrproper
-	rm -f sha1sum.txt
+	rm -f regulatory.bin.sig sha1sum.txt
+
+sign: debian/regulatory.bin.sig
+	@:
+debian/regulatory.bin.sig: db.txt
+	make regulatory.bin.sig
+	cp regulatory.bin.sig debian/
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..a74e195
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+debian/regulatory.bin.sig

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/wireless-regdb.git

More information about the Kernel-svn-changes mailing list