[wireless-regdb] 24/24: Generate a detached signature at source preparation time (Closes: #725803)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sun Aug 30 09:25:50 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository wireless-regdb.
commit accf5092e3114899c5cffa5dd6d9ce6d3078ea36
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Aug 30 10:20:25 2015 +0100
Generate a detached signature at source preparation time (Closes: #725803)
Put the detached signature in the source package and append it to
regulatory.bin when building the binary package. This makes the
package auto-buildable and reproducible.
Closely based on Jérémy Bobbio's patches.
---
debian/.gitignore | 1 +
debian/README.source | 8 +-
debian/changelog | 5 +-
...recording_and_using_an_external_signature.patch | 92 ++++++++++++++++++++++
debian/patches/series | 2 +
debian/patches/split_signature_generation.patch | 45 +++++++++++
debian/rules | 11 ++-
debian/source/include-binaries | 1 +
8 files changed, 159 insertions(+), 6 deletions(-)
diff --git a/debian/.gitignore b/debian/.gitignore
index 8eda13e..5938a03 100644
--- a/debian/.gitignore
+++ b/debian/.gitignore
@@ -3,4 +3,5 @@
/*.debhelper*
/*.substvars
/files
+/regulatory.bin.sig
/wireless-regdb/
diff --git a/debian/README.source b/debian/README.source
index f796005..5808fc7 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -9,8 +9,8 @@ If you need to make an NMU, you'll first have to create a key-pair.
modify this package to install it in /lib/crda/pubkeys.
5. Set REGDB_AUTHOR=<author-id> in debian/rules.
-Note, you cannot build this package using an automated builder. You can
-use e.g. 'pbuilder --login --bindmounts /home' to create a controlled
-chroot in which to build it.
+When preparing a source package, you must run 'debian/rules sign' to
+create a detached signature so that the private key is not needed when
+building the binary package.
- -- Ben Hutchings <ben at decadent.org.uk>, Mon, 11 Apr 2011 13:31:22 +0100
+ -- Ben Hutchings <ben at decadent.org.uk>, Sun, 30 Aug 2015 03:04:52 +0100
diff --git a/debian/changelog b/debian/changelog
index 8b0e79f..55f7cbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -18,8 +18,11 @@ wireless-regdb (2015.07.20-1) unstable; urgency=medium
- Update rules for Russia (RU): disable VHT80; add 60 GHz band
- Update rules for United States (US): re-add channels 100..144
(5490-5730 MHz)
+ * Generate a detached signature at source preparation time and append
+ it when building the binary package (thanks to Jérémy Bobbio)
+ (Closes: #725803)
- -- Ben Hutchings <ben at decadent.org.uk> Sun, 30 Aug 2015 01:16:37 +0100
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 30 Aug 2015 10:20:04 +0100
wireless-regdb (2014.11.18-1) unstable; urgency=medium
diff --git a/debian/patches/enable_recording_and_using_an_external_signature.patch b/debian/patches/enable_recording_and_using_an_external_signature.patch
new file mode 100644
index 0000000..b5b5514
--- /dev/null
+++ b/debian/patches/enable_recording_and_using_an_external_signature.patch
@@ -0,0 +1,92 @@
+From: Jérémy Bobbio <lunar at debian.org>
+Date: Mon, 9 Feb 2015 19:52:17 +0100
+Subject: Enable recording and using an external signature
+Bug-Debian: https://bugs.debian.org/725803
+
+To make wireless-regdb build reproducibly, we need a way to save
+the signature of the database to an external file and later reuse
+it instead of requiring the private key.
+
+--- a/db2bin.py
++++ b/db2bin.py
+@@ -11,6 +11,8 @@ VERSION = 19
+
+ if len(sys.argv) < 3:
+ print 'Usage: %s output-file input-file [key-file]' % sys.argv[0]
++ print ' %s -s signature-file input-file key-file' % sys.argv[0]
++ print ' %s -i signature-file output-file input-file' % sys.argv[0]
+ sys.exit(2)
+
+ def create_rules(countries):
+@@ -48,8 +50,27 @@ class PTR(object):
+ def get(self):
+ return self._offset
+
++if sys.argv[1] == '-s':
++ signature_path = sys.argv[2]
++ input_path = sys.argv[3]
++ output_path = None
++ key_path = sys.argv[4]
++elif sys.argv[1] == '-i':
++ signature_path = sys.argv[2]
++ output_path = sys.argv[3]
++ input_path = sys.argv[4]
++ key_path = None
++else:
++ signature_path = None
++ output_path = sys.argv[1]
++ input_path = sys.argv[2]
++ if len(sys.argv) > 3:
++ key_path = sys.argv[3]
++ else:
++ key_path = None
++
+ p = DBParser()
+-countries = p.parse(file(sys.argv[2]))
++countries = p.parse(file(input_path))
+ power = []
+ bands = []
+ for c in countries.itervalues():
+@@ -119,27 +140,37 @@ for alpha2 in countrynames:
+ output.write(struct.pack('>ccxBI', str(alpha2[0]), str(alpha2[1]), coll.dfs_region, reg_rules_collections[coll.permissions]))
+
+
+-if len(sys.argv) > 3:
++if key_path:
+ # Load RSA only now so people can use this script
+ # without having those libraries installed to verify
+ # their SQL changes
+ from M2Crypto import RSA
+
+ # determine signature length
+- key = RSA.load_key(sys.argv[3])
++ key = RSA.load_key(key_path)
+ hash = hashlib.sha1()
+ hash.update(output.getvalue())
+ sig = key.sign(hash.digest())
+- # write it to file
+ siglen.set(len(sig))
++
+ # sign again
+ hash = hashlib.sha1()
+ hash.update(output.getvalue())
+ sig = key.sign(hash.digest())
+
++ if output_path:
++ output.write(sig)
++ else:
++ with file(signature_path, 'w') as sigfile:
++ sigfile.write(sig)
++elif signature_path and output_path:
++ with file(signature_path) as sigfile:
++ sig = sigfile.read()
++ siglen.set(len(sig))
+ output.write(sig)
+ else:
+ siglen.set(0)
+
+-outfile = open(sys.argv[1], 'w')
+-outfile.write(output.getvalue())
++if output_path:
++ outfile = open(output_path, 'w')
++ outfile.write(output.getvalue())
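Review bot: The `-i` branch (`elif signature_path and output_path:`) appends whatever bytes the signature file holds without checking that they are a signature over this database, so a `regulatory.bin.sig` that is stale after a later `db.txt` edit, or truncated, is built into `regulatory.bin` and the build still succeeds. Because the builder deliberately has no private key, only a check against the public key can catch this at build time. An optional public-key argument to `-i` (called `pubkey_path` below) would turn a mismatch into a build failure, at the cost of needing M2Crypto for the binary build. `siglen.set(len(sig))` has to stay ahead of the hash, as it does in the signing branch. Separately, the `len(sys.argv) < 3` guard does not cover `-s`/`-i`, which read `sys.argv[4]`, so a short invocation ends in an IndexError instead of the usage text.

```python
elif signature_path and output_path:
    with file(signature_path) as sigfile:
        sig = sigfile.read()
    siglen.set(len(sig))
    if pubkey_path:
        # Refuse to embed a signature that does not match this database
        from M2Crypto import RSA
        pubkey = RSA.load_pub_key(pubkey_path)
        digest = hashlib.sha1(output.getvalue()).digest()
        if not pubkey.verify(digest, sig):
            sys.exit('%s does not verify against %s' % (signature_path, pubkey_path))
    output.write(sig)
# ... unchanged: else branch and writing of output_path ...
```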
diff --git a/debian/patches/series b/debian/patches/series
index e7980ae..d748e10 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
dont_auto_create_keypair
keep-setting-NO_IBSS-flag.patch
+enable_recording_and_using_an_external_signature.patch
+split_signature_generation.patch
diff --git a/debian/patches/split_signature_generation.patch b/debian/patches/split_signature_generation.patch
new file mode 100644
index 0000000..a33477f
--- /dev/null
+++ b/debian/patches/split_signature_generation.patch
@@ -0,0 +1,45 @@
+From: Jérémy Bobbio <lunar at debian.org>
+Date: Mon, 9 Feb 2015 19:52:17 +0100
+Subject: Split signature generation
+Bug-Debian: https://bugs.debian.org/725803
+
+Now that db2bin.py supports recording a signature to re-use it later,
+we now split the generation of regulatory.bin to create an intermediate
+signature.
+
+The signature can then be shipped in the source to allow the build
+to be reproduced by independent parties.
+
+[bwh: Call the signature file regulatory.bin.sig, not signature]
+
+--- a/Makefile
++++ b/Makefile
+@@ -36,10 +36,11 @@ REGDB_UPSTREAM_PUBKEY ?= sforshee.key.pu
+
+ REGDB_CHANGED = $(shell $(SHA1SUM) -c --status sha1sum.txt >/dev/null 2>&1; \
+ if [ $$? -ne 0 ]; then \
+- echo maintainer-clean $(REGDB_PUBKEY); \
++ echo maintainer-clean; \
+ fi)
+
+ .PHONY: all clean mrproper install maintainer-clean install-distro-key
++.SECONDARY: $(REGDB_PRIVKEY) $(REGDB_PUBKEY)
+
+ all: $(REGDB_CHANGED) regulatory.bin sha1sum.txt
+
+@@ -53,9 +54,12 @@ mrproper: clean maintainer-clean
+ @echo Removed public key, regulatory.bin and compresed man pages
+ @rm -f $(REGDB_PUBKEY) .custom
+
+-regulatory.bin: db.txt $(REGDB_PRIVKEY) $(REGDB_PUBKEY)
+- @echo Generating $@ digitally signed by $(REGDB_AUTHOR)...
+- ./db2bin.py regulatory.bin db.txt $(REGDB_PRIVKEY)
++regulatory.bin: db.txt regulatory.bin.sig
++ ./db2bin.py -i regulatory.bin.sig regulatory.bin db.txt
++
++regulatory.bin.sig: db.txt $(REGDB_PRIVKEY) $(REGDB_PUBKEY)
++ @echo Generating signature by $(REGDB_AUTHOR)...
++ ./db2bin.py -s regulatory.bin.sig db.txt $(REGDB_PRIVKEY)
+
+ sha1sum.txt: db.txt
+ sha1sum $< > $@
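Review bot: The added `.SECONDARY: $(REGDB_PRIVKEY) $(REGDB_PUBKEY)` line is what lets a build without the private key reuse the shipped signature, yet it has no comment, so a later cleanup could remove it without noticing the effect. A comment above it would help, for example `# Keys are .SECONDARY so a missing private key does not force regulatory.bin.sig to be re-signed when a signature is already present`. The two new recipes also spell out their file names where automatic variables would do: `./db2bin.py -s $@ $< $(REGDB_PRIVKEY)` for the signature rule, and `$@`/`$<` likewise in the `regulatory.bin` rule. The Makefile continues outside the hunk, so whether `clean` or `maintainer-clean` also removes `regulatory.bin.sig` cannot be judged from here.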
diff --git a/debian/rules b/debian/rules
index 395f37c..b09f09e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -9,6 +9,9 @@ export LSB_ID = Debian/Ubuntu
%:
dh ${@}
+override_dh_auto_configure:
+ cp debian/regulatory.bin.sig .
+
override_dh_install:
make DESTDIR=debian/wireless-regdb install
# crda will install public keys
@@ -16,4 +19,10 @@ override_dh_install:
override_dh_auto_clean:
dh_auto_clean -- mrproper
- rm -f sha1sum.txt
+ rm -f regulatory.bin.sig sha1sum.txt
+
+sign: debian/regulatory.bin.sig
+ @:
+debian/regulatory.bin.sig: db.txt
+ make regulatory.bin.sig
+ cp regulatory.bin.sig debian/
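Review bot: The `debian/regulatory.bin.sig` recipe calls `make` literally; `$(MAKE) regulatory.bin.sig` would pass the parent's flags and `-n` through to the sub-make. `sign` is a command rather than a file, so it should be declared with `.PHONY: sign`, otherwise a stray file of that name silently disables it. The signature is also regenerated only when `db.txt` has a newer mtime than `debian/regulatory.bin.sig`, which is presumably unreliable after a fresh checkout. Since nothing in the visible build checks the signature against the database, README.source should say that `debian/rules sign` must be re-run after every change to `db.txt`.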
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..a74e195
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+debian/regulatory.bin.sig
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/wireless-regdb.git