[linux-signed] 05/05: Install the signatures
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon Apr 4 18:39:11 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux-signed.
commit f971668491ab692403a9360787a976a46a6dd261
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon Apr 4 17:27:25 2016 +0100
Install the signatures
TODO: Require updated initramfs-tools and force update after installation
---
debian/bin/gencontrol.py | 14 ++++++++++----
debian/rules.real | 8 ++++++++
debian/templates/control.image-signed.in | 2 +-
debian/templates/image-signed.postinst.in | 24 ++++++++++++++++++++++++
debian/templates/image-signed.postrm.in | 21 +++++++++++++++++++++
5 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index 4093da5..c1ddd83 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -29,6 +29,10 @@ class Gencontrol(Base):
changelog_version = Changelog()[0].version
self.package_version = '%s+%s' % (image_version, changelog_version.complete)
+ def _substitute_file(self, template, vars, target, append=False):
+ with codecs.open(target, 'a' if append else 'w', 'utf-8') as f:
+ f.write(self.substitute(self.templates[template], vars))
+
def do_main_setup(self, vars, makeflags, extra):
makeflags['GENCONTROL_ARGS'] = '-v%s' % self.package_version
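Review bot: The new `_substitute_file` helper has no docstring, and none of the callers visible in this commit pass its `append` flag, so nothing here shows why append mode exists. A one-line docstring would cover it, for example `"""Render templates[template] with vars and write (or append, if append=True) the result to target as UTF-8."""`. If no caller outside this diff uses `append`, dropping the parameter keeps the helper smaller. The enclosing class and `do_main_setup` continue outside the hunk.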
@@ -71,10 +75,12 @@ class Gencontrol(Base):
makefile.add('binary-arch_%s_%s_%s_real' % (arch, featureset, flavour), cmds = cmds_binary_arch)
# linux-image signature packages include a bug presubj message
- # directing reporters to the real image package.
- bug_presubj = self.substitute(
- self.templates["image-signed.bug-presubj"], vars)
- codecs.open("debian/%s.bug-presubj" % packages_signed[0]['Package'], 'w', 'utf-8').write(bug_presubj)
+ # directing reporters to the real image package, and maintainer
+ # scripts to create and delete signed images.
+ for name in ['bug-presubj', 'postinst', 'postrm']:
+ self._substitute_file('image-signed.%s' % name, vars,
+ 'debian/linux-image-%s%s-signed.%s' %
+ (vars['abiname'], vars['localversion'], name))
if __name__ == '__main__':
Gencontrol(sys.argv[1] + "/config.defines.dump", sys.argv[2])()
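Review bot: The loop rebuilds the target file name from `vars['abiname']` and `vars['localversion']`, where the removed code used `packages_signed[0]['Package']`. That duplicates the naming pattern already in `control.image-signed.in`. If the two ever drift, debhelper would presumably find no matching `debian/<package>.postinst` and build the package without the maintainer scripts that create and remove the signed image, with no error. Deriving the path from the generated package entry keeps a single source of truth: `'debian/%s.%s' % (packages_signed[0]['Package'], name)`.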
diff --git a/debian/rules.real b/debian/rules.real
index 963912c..7a2948e 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -5,8 +5,16 @@ include debian/rules.defs
build-indep:
install-signed: DH_OPTIONS = -p$(PACKAGE_NAME)
+install-signed: KERNEL_VERSION = $(ABINAME)$(LOCALVERSION)
+install-signed: IMAGE_PACKAGE_NAME = linux-image-$(KERNEL_VERSION)
install-signed:
echo kernel:ImageVersion=$(KERNEL_IMAGE_VERSION) >> debian/$(PACKAGE_NAME).substvars
+ mkdir -p debian/$(PACKAGE_NAME)/lib/modules
+ cp -R debian/signatures/$(IMAGE_PACKAGE_NAME)/lib/modules/$(KERNEL_VERSION) \
+ debian/$(PACKAGE_NAME)/lib/modules/
+ ! [ -f debian/signatures/$(IMAGE_PACKAGE_NAME)/boot/vmlinuz-$(KERNEL_VERSION).sig ] || \
+ install -m 644 -D -t debian/$(PACKAGE_NAME)/usr/lib/$(PACKAGE_NAME)/boot/ \
+ debian/signatures/$(IMAGE_PACKAGE_NAME)/boot/vmlinuz-$(KERNEL_VERSION).sig
dh_install
dh_bugfiles
dh_installchangelogs
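Review bot: In `install-signed`, the `! [ -f … .sig ] || install …` guard turns a missing kernel signature into a silent success, whereas a missing modules signature tree fails the build through `cp -R`. The postinst then also skips silently when the `.sig` is absent, so a signature dropped by accident upstream of this rule would ship as a package that never produces `vmlinuz-*.efi.signed`, and no log line would say so. If the optional case is intentional (presumably for flavours whose image is not EFI-bootable), a comment above the guard such as `# vmlinuz signature is optional; only some flavours ship one` and an `echo` on the skip path would make that visible in build logs.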
diff --git a/debian/templates/control.image-signed.in b/debian/templates/control.image-signed.in
index c2f36ca..d4b5795 100644
--- a/debian/templates/control.image-signed.in
+++ b/debian/templates/control.image-signed.in
@@ -1,6 +1,6 @@
Package: linux-image- at abiname@@localversion at -signed
Depends: linux-image- at abiname@@localversion@ (= ${kernel:ImageVersion}),
- kmod (>= 22-1.1~), ${misc:Depends}
+ kmod (>= 22-1.2~), sbsigntool, ${misc:Depends}
Description: Signatures for Linux @abiname@@localversion@ kernel and modules
This package provides signatures for the kernel image and modules in
linux-image- at abiname@@localversion at . If the system has Secure Boot
diff --git a/debian/templates/image-signed.postinst.in b/debian/templates/image-signed.postinst.in
new file mode 100644
index 0000000..6f5b33f
--- /dev/null
+++ b/debian/templates/image-signed.postinst.in
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+kernel_version='@abiname@@localversion@'
+package_name="linux-image-$kernel_version-signed"
+vmlinuz_name="vmlinuz-$kernel_version"
+
+if [ "$1" = configure ] && \
+ [ -f /usr/lib/$package_name/boot/$vmlinuz_name.sig ]; then
+ cp -p /boot/$vmlinuz_name /boot/$vmlinuz_name.efi.unsigned
+ sbattach --attach /usr/lib/$package_name/boot/$vmlinuz_name.sig \
+ /boot/$vmlinuz_name.efi.unsigned
+ sync /boot/$vmlinuz_name.efi.unsigned
+ mv /boot/$vmlinuz_name.efi.unsigned /boot/$vmlinuz_name.efi.signed
+ sync /boot/$vmlinuz_name.efi.signed
+
+ # Currently only GRUB supports signature verification
+ if command -v update-grub >/dev/null; then
+ update-grub
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
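Review bot: Nothing between `sbattach --attach` and the `mv` to `.efi.signed` checks that the detached signature validates against the `/boot/$vmlinuz_name` actually present on the machine. An image whose signature does not verify would therefore be published and handed to `update-grub`. Running `sbverify` on the temporary file before the rename would catch a mismatch while the previous boot entry is still intact; the certificate path is not shown on this page, so it appears as a placeholder below. Separately, under `sh -e` a failing `sbattach` leaves `/boot/$vmlinuz_name.efi.unsigned` behind until the package is removed; an exit trap cleans that up. The path expansions are also unquoted throughout, which is harmless for the templated version string but easy to fix in the same pass.

```shell
    tmp_image="/boot/$vmlinuz_name.efi.unsigned"
    # Remove the half-built image if any step below fails under -e
    trap 'rm -f "$tmp_image"' EXIT
    cp -p "/boot/$vmlinuz_name" "$tmp_image"
    sbattach --attach "/usr/lib/$package_name/boot/$vmlinuz_name.sig" \
	     "$tmp_image"
    # <SIGNING_CERT_PEM> is a placeholder for the certificate the signatures chain to
    sbverify --cert "<SIGNING_CERT_PEM>" "$tmp_image"
    sync "$tmp_image"
    mv "$tmp_image" "/boot/$vmlinuz_name.efi.signed"
    trap - EXIT
    # … unchanged: sync of the signed image, update-grub …
```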
diff --git a/debian/templates/image-signed.postrm.in b/debian/templates/image-signed.postrm.in
new file mode 100644
index 0000000..940d2e8
--- /dev/null
+++ b/debian/templates/image-signed.postrm.in
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+kernel_version='@abiname@@localversion@'
+vmlinuz_name="vmlinuz-$kernel_version"
+
+if [ "$1" = remove ]; then
+ rm -f /boot/$vmlinuz_name.efi.unsigned
+
+ if [ -f /boot/$vmlinuz_name.efi.signed ]; then
+ rm -f /boot/$vmlinuz_name.efi.signed
+
+ # Currently only GRUB supports signature verification
+ if command -v update-grub >/dev/null; then
+ update-grub
+ fi
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux-signed.git