[linux-signed] 05/05: Install the signatures

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Mon Apr 4 18:39:11 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux-signed.

commit f971668491ab692403a9360787a976a46a6dd261
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon Apr 4 17:27:25 2016 +0100

    Install the signatures
    
    TODO: Require updated initramfs-tools and force update after installation
---
 debian/bin/gencontrol.py                  | 14 ++++++++++----
 debian/rules.real                         |  8 ++++++++
 debian/templates/control.image-signed.in  |  2 +-
 debian/templates/image-signed.postinst.in | 24 ++++++++++++++++++++++++
 debian/templates/image-signed.postrm.in   | 21 +++++++++++++++++++++
 5 files changed, 64 insertions(+), 5 deletions(-)

diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index 4093da5..c1ddd83 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -29,6 +29,10 @@ class Gencontrol(Base):
         changelog_version = Changelog()[0].version
         self.package_version = '%s+%s' % (image_version, changelog_version.complete)
 
+    def _substitute_file(self, template, vars, target, append=False):
+        with codecs.open(target, 'a' if append else 'w', 'utf-8') as f:
+            f.write(self.substitute(self.templates[template], vars))
+
     def do_main_setup(self, vars, makeflags, extra):
         makeflags['GENCONTROL_ARGS'] = '-v%s' % self.package_version
 
@@ -71,10 +75,12 @@ class Gencontrol(Base):
         makefile.add('binary-arch_%s_%s_%s_real' % (arch, featureset, flavour), cmds = cmds_binary_arch)
 
         # linux-image signature packages include a bug presubj message
-        # directing reporters to the real image package.
-        bug_presubj = self.substitute(
-            self.templates["image-signed.bug-presubj"], vars)
-        codecs.open("debian/%s.bug-presubj" % packages_signed[0]['Package'], 'w', 'utf-8').write(bug_presubj)
+        # directing reporters to the real image package, and maintainer
+        # scripts to create and delete signed images.
+        for name in ['bug-presubj', 'postinst', 'postrm']:
+            self._substitute_file('image-signed.%s' % name, vars,
+                                  'debian/linux-image-%s%s-signed.%s' %
+                                  (vars['abiname'], vars['localversion'], name))
 
 if __name__ == '__main__':
     Gencontrol(sys.argv[1] + "/config.defines.dump", sys.argv[2])()
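Review bot: The target path in the new loop rebuilds the package name by hand as `'debian/linux-image-%s%s-signed.%s'`, where the removed code took it from `packages_signed[0]['Package']`. That duplicates the `Package:` pattern in `control.image-signed.in`. If the two ever drift apart, the generated postinst and postrm would presumably no longer be picked up for the package, so the signed image would be neither created nor cleaned up, and the build would still succeed. Keeping a single source for the name avoids that: `'debian/%s.%s' % (packages_signed[0]['Package'], name)`. The enclosing method starts outside this hunk.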
diff --git a/debian/rules.real b/debian/rules.real
index 963912c..7a2948e 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -5,8 +5,16 @@ include debian/rules.defs
 build-indep:
 
 install-signed: DH_OPTIONS = -p$(PACKAGE_NAME)
+install-signed: KERNEL_VERSION = $(ABINAME)$(LOCALVERSION)
+install-signed: IMAGE_PACKAGE_NAME = linux-image-$(KERNEL_VERSION)
 install-signed:
 	echo kernel:ImageVersion=$(KERNEL_IMAGE_VERSION) >> debian/$(PACKAGE_NAME).substvars
+	mkdir -p debian/$(PACKAGE_NAME)/lib/modules
+	cp -R debian/signatures/$(IMAGE_PACKAGE_NAME)/lib/modules/$(KERNEL_VERSION) \
+		debian/$(PACKAGE_NAME)/lib/modules/
+	! [ -f debian/signatures/$(IMAGE_PACKAGE_NAME)/boot/vmlinuz-$(KERNEL_VERSION).sig ] || \
+	install -m 644 -D -t debian/$(PACKAGE_NAME)/usr/lib/$(PACKAGE_NAME)/boot/ \
+		debian/signatures/$(IMAGE_PACKAGE_NAME)/boot/vmlinuz-$(KERNEL_VERSION).sig
 	dh_install
 	dh_bugfiles
 	dh_installchangelogs
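Review bot: The `! [ -f …/boot/vmlinuz-$(KERNEL_VERSION).sig ] || install …` line treats a missing kernel image signature as success. The package can therefore build with module signatures but no `vmlinuz` signature, and the postinst then skips the signed-image step without any message. If the signature is expected to be absent only on some architectures (not visible in this hunk), say so in a comment such as `# Kernel image signature is optional; only present where the image is signed for EFI`, and print a line to the build log when it is skipped. Where the signature is required, failing the build is safer than silently shipping a package that leaves the boot path unsigned. The recipe continues past the end of the hunk.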
diff --git a/debian/templates/control.image-signed.in b/debian/templates/control.image-signed.in
index c2f36ca..d4b5795 100644
--- a/debian/templates/control.image-signed.in
+++ b/debian/templates/control.image-signed.in
@@ -1,6 +1,6 @@
 Package: linux-image- at abiname@@localversion at -signed
 Depends: linux-image- at abiname@@localversion@ (= ${kernel:ImageVersion}),
- kmod (>= 22-1.1~), ${misc:Depends}
+ kmod (>= 22-1.2~), sbsigntool, ${misc:Depends}
 Description: Signatures for Linux @abiname@@localversion@ kernel and modules
  This package provides signatures for the kernel image and modules in
  linux-image- at abiname@@localversion at .  If the system has Secure Boot
diff --git a/debian/templates/image-signed.postinst.in b/debian/templates/image-signed.postinst.in
new file mode 100644
index 0000000..6f5b33f
--- /dev/null
+++ b/debian/templates/image-signed.postinst.in
@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+kernel_version='@abiname@@localversion@'
+package_name="linux-image-$kernel_version-signed"
+vmlinuz_name="vmlinuz-$kernel_version"
+
+if [ "$1" = configure ] && \
+   [ -f /usr/lib/$package_name/boot/$vmlinuz_name.sig  ]; then
+    cp -p /boot/$vmlinuz_name /boot/$vmlinuz_name.efi.unsigned
+    sbattach --attach /usr/lib/$package_name/boot/$vmlinuz_name.sig \
+	     /boot/$vmlinuz_name.efi.unsigned
+    sync /boot/$vmlinuz_name.efi.unsigned
+    mv /boot/$vmlinuz_name.efi.unsigned /boot/$vmlinuz_name.efi.signed
+    sync /boot/$vmlinuz_name.efi.signed
+
+    # Currently only GRUB supports signature verification
+    if command -v update-grub >/dev/null; then
+	update-grub
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0
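Review bot: Nothing between `sbattach --attach` and the `mv` to `.efi.signed` checks that the detached signature actually matches the `/boot/$vmlinuz_name` on the system. As far as I know, sbattach only attaches the signature and does not validate it against the image. A mismatched or corrupted `.sig` would therefore surface only as a verification failure at boot under Secure Boot, after GRUB has already been pointed at the new file. If the signing certificate is available to the package (not visible here), a check before the rename would fail the configure step instead: `sbverify --cert <PATH_TO_SIGNING_CERT> /boot/$vmlinuz_name.efi.unsigned`. Also, when the `.sig` is absent this branch is skipped entirely, so a `.efi.signed` left by an earlier version would stay in `/boot`; a comment stating whether that is intended would help.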
diff --git a/debian/templates/image-signed.postrm.in b/debian/templates/image-signed.postrm.in
new file mode 100644
index 0000000..940d2e8
--- /dev/null
+++ b/debian/templates/image-signed.postrm.in
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+kernel_version='@abiname@@localversion@'
+vmlinuz_name="vmlinuz-$kernel_version"
+
+if [ "$1" = remove ]; then
+    rm -f /boot/$vmlinuz_name.efi.unsigned
+
+    if [ -f /boot/$vmlinuz_name.efi.signed ]; then
+	rm -f /boot/$vmlinuz_name.efi.signed
+
+	# Currently only GRUB supports signature verification
+	if command -v update-grub >/dev/null; then
+	    update-grub
+	fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux-signed.git


