[linux-signed] 03/03: Change binary packages to replace their unsigned counterparts
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon Jun 6 01:11:50 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux-signed.
commit ef800d2cca447853d86c02dc1e077b32082667ef
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon Jun 6 02:08:32 2016 +0100
Change binary packages to replace their unsigned counterparts
- Build-Depend on all unsigned linux-image packages
- Copy unsigned files and attach signatures at build time
- Copy package relations and description from unsigned packages at build time
- Copy maintainer script templates from src:linux
- Remove the bug-presubj template; we should use the usual bug scripts in the
future
- Add Built-Using relations from each binary package to linux
- Add Conflicts, Replaces and Provides relations from each binary package to
its unsigned counterpart
---
debian/TODO | 5 ++++
debian/bin/gencontrol.py | 14 ++++++---
debian/changelog | 1 +
debian/rules.real | 28 +++++++++++++-----
debian/templates/control.image-signed.in | 19 ++++++------
debian/templates/control.source.in | 3 +-
debian/templates/image-signed.bug-presubj.in | 5 ----
debian/templates/image-signed.postinst.in | 35 ++++++++++++----------
debian/templates/image-signed.postrm.in | 32 +++++++++++++-------
debian/templates/image-signed.preinst.in | 21 +++++++++++++
debian/templates/image-signed.prerm.in | 44 ++++++++++++++++++++++++++++
11 files changed, 155 insertions(+), 52 deletions(-)
diff --git a/debian/TODO b/debian/TODO
new file mode 100644
index 0000000..8e65b37
--- /dev/null
+++ b/debian/TODO
@@ -0,0 +1,5 @@
+Move bug scripts from src:linux to linux-base and use them from the
+signed binary packages.
+
+Include changelog and copyright files from src:linux in the signed
+binary packages.
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index a43726d..cf2da6f 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -40,6 +40,12 @@ class Gencontrol(Base):
packages['source']['Build-Depends'].append(
'linux-support-%(abiname)s (= %(imageversion)s)' % vars)
+ def do_flavour_setup(self, vars, makeflags, arch, featureset, flavour, extra):
+ super(Gencontrol, self).do_flavour_setup(vars, makeflags, arch, featureset, flavour, extra)
+
+ config_image = self.config.merge('image', arch, featureset, flavour)
+ makeflags['IMAGE_INSTALL_STEM'] = vars['image-stem'] = config_image.get('install-stem')
+
def do_flavour_packages(self, packages, makefile, arch, featureset, flavour, vars, makeflags, extra):
if not (self.config.merge('build', arch, featureset, flavour)
.get('signed-modules', False)):
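Review bot: `config_image.get('install-stem')` in `do_flavour_setup` has no default, so a flavour whose image configuration lacks `install-stem` would put `None` into both `makeflags['IMAGE_INSTALL_STEM']` and `vars['image-stem']`. How those values render downstream is not visible in this hunk, but the maintainer scripts build `image_path` from `@image-stem@` and debian/rules.real builds its rsync source list from `$(IMAGE_INSTALL_STEM)`. Indexing with `config_image['install-stem']`, or raising an explicit error when the value is missing, would stop the build at generation time instead. A one-line docstring such as `"""Export the kernel image file name stem to make and to the templates."""` would also help.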
@@ -52,6 +58,9 @@ class Gencontrol(Base):
makeflags['ABINAME'] = vars['abiname']
makeflags['IMAGEVERSION'] = vars['imageversion']
+ packages['source']['Build-Depends'].append(
+ 'linux-image-%(abiname)s%(localversion)s (= %(imageversion)s) [%(arch)s]' % vars)
+
packages_signed = self.process_packages(
self.templates["control.image-signed"], vars)
@@ -69,10 +78,7 @@ class Gencontrol(Base):
cmds_binary_arch += ["$(MAKE) -f debian/rules.real install-signed PACKAGE_NAME='%s' %s" % (i['Package'], makeflags)]
makefile.add('binary-arch_%s_%s_%s_real' % (arch, featureset, flavour), cmds = cmds_binary_arch)
- # linux-image signature packages include a bug presubj message
- # directing reporters to the real image package, and maintainer
- # scripts to create and delete signed images.
- for name in ['bug-presubj', 'postinst', 'postrm']:
+ for name in ['postinst', 'postrm', 'preinst', 'prerm']:
self._substitute_file('image-signed.%s' % name, vars,
'debian/linux-image-%s%s-signed.%s' %
(vars['abiname'], vars['localversion'], name))
diff --git a/debian/changelog b/debian/changelog
index c502c58..b4b55f1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
linux-signed (1~exp7) UNRELEASED; urgency=medium
* Update to linux version 4.5.5-1
+ * Change binary packages to replace their unsigned counterparts
-- Ben Hutchings <ben at decadent.org.uk> Mon, 06 Jun 2016 01:58:08 +0100
diff --git a/debian/rules.real b/debian/rules.real
index 2d7494c..b167587 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -9,15 +9,23 @@ build-indep:
install-signed: DH_OPTIONS = -p$(PACKAGE_NAME)
install-signed: KERNEL_VERSION = $(ABINAME)$(LOCALVERSION)
install-signed: IMAGE_PACKAGE_NAME = linux-image-$(KERNEL_VERSION)
+install-signed: PACKAGE_DIR = debian/$(PACKAGE_NAME)
+install-signed: SIGNATURE_DIR = debian/signatures/$(IMAGE_PACKAGE_NAME)
install-signed:
- mkdir -p debian/$(PACKAGE_NAME)/lib/modules
- cp -R debian/signatures/$(IMAGE_PACKAGE_NAME)/lib/modules/$(KERNEL_VERSION) \
- debian/$(PACKAGE_NAME)/lib/modules/
- if [ -f debian/signatures/$(IMAGE_PACKAGE_NAME)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
- install -m 644 -D -t debian/$(PACKAGE_NAME)/usr/lib/$(PACKAGE_NAME)/boot/ \
- debian/signatures/$(IMAGE_PACKAGE_NAME)/boot/vmlinuz-$(KERNEL_VERSION).sig; \
- echo 'kernel:ImageSignTool=sbsigntool' >> debian/$(PACKAGE_NAME).substvars; \
+ mkdir -p $(PACKAGE_DIR)/boot
+ rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
+ $(PACKAGE_DIR)/boot/
+ if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+ sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+ $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
fi
+ mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+ rsync -a $(addprefix /lib/modules/$(KERNEL_VERSION)/,kernel modules.builtin modules.order) \
+ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
+ while read path; do \
+ cat $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION)/$$path \
+ >> $(PACKAGE_DIR)/$${path%.sig}; \
+ done < <(find $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION) -name '*.sig' -printf %P)
dh_install
dh_bugfiles
dh_installchangelogs
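Review bot: The module-signature loop at the end of the new recipe cannot append anything as written: `find … -printf %P` emits no newline, so `read path` reaches end of input on its first call and the body never runs. Even with `'%P\n'`, the destination `$(PACKAGE_DIR)/$${path%.sig}` lacks the `lib/modules/$(KERNEL_VERSION)/` prefix that `%P` strips. The `< <(…)` redirection is also a bashism, so the recipe depends on `SHELL` being set to bash somewhere outside this hunk. Nothing aborts the build when the loop is skipped, so the result would be a package named -signed that carries unsigned modules; the rewrite below uses a plain pipe, fixes the path and stops on the first failed append. The `if [ -f …vmlinuz-$(KERNEL_VERSION).sig ]` branch has the same quiet-skip behaviour when the signature file is absent.

```make
install-signed:
# … unchanged: boot file copy, sbattach, rsync of the module tree …
	find $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION) -name '*.sig' -printf '%P\n' | \
	while read -r path; do \
		test -f "$(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/$${path%.sig}" && \
		cat "$(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION)/$$path" \
			>> "$(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/$${path%.sig}" || exit 1; \
	done
# … unchanged: dh_install and the following debhelper calls …
```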
@@ -25,6 +33,12 @@ install-signed:
dh_compress
dh_fixperms
dh_installdeb
+# Copy package relations and description from unsigned package
+ for field in Depends Provides Suggests Recommends Conflicts Breaks; do \
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
+ done
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"; \
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -z 's/\$$/$${}/g; s/\n/$${Newline}/g')"; \
dh_gencontrol -- $(GENCONTROL_ARGS)
dh_md5sums
dh_builddeb
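Review bot: A failing `dpkg-query` is invisible in the new substvars lines, because each call sits inside `$$(…)` as an argument to `echo`. If the unsigned package is not installed in the build environment, `echo` still succeeds and writes an empty `unsigned:Depends=` (or `Breaks`, `Conflicts`), and the signed package is built without those relations. Capturing the value first, e.g. `value=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME)) || exit 1;` ahead of the `echo`, would stop the build instead. The `DescriptionShort` and `DescriptionLong` lines also end in `; \`, which splices `dh_gencontrol` onto the same shell command; dropping the trailing `; \` keeps each step a separate recipe line. The install-signed recipe starts outside this hunk.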
diff --git a/debian/templates/control.image-signed.in b/debian/templates/control.image-signed.in
index 36dca92..f8cebf2 100644
--- a/debian/templates/control.image-signed.in
+++ b/debian/templates/control.image-signed.in
@@ -1,10 +1,11 @@
Package: linux-image- at abiname@@localversion at -signed
-Depends: linux-image- at abiname@@localversion@ (= @imageversion@),
- kmod (>= 22-1.2~), initramfs-tools (>= 0.125~), ${kernel:ImageSignTool},
- ${misc:Depends}
-Breaks: busybox (<< 1:1.22.0-19~), busybox-static
-Description: Signatures for Linux @abiname@@localversion@ kernel and modules
- This package provides signatures for the kernel image and modules in
- linux-image- at abiname@@localversion at . If the system has Secure Boot
- enabled or the kernel is configured to check module signatures, both
- packages must be installed at the same time.
+Depends: ${unsigned:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Breaks: ${unsigned:Breaks}
+Conflicts: linux-image- at abiname@@localversion@, ${unsigned:Conflicts}
+Replaces: linux-image- at abiname@@localversion@
+Provides: linux-image- at abiname@@localversion@, ${unsigned:Provides}
+Description: ${unsigned:DescriptionShort} (signed)
+ ${unsigned:DescriptionLong}
+Built-Using: linux (= @imageversion@)
diff --git a/debian/templates/control.source.in b/debian/templates/control.source.in
index 755c4a9..109e750 100644
--- a/debian/templates/control.source.in
+++ b/debian/templates/control.source.in
@@ -4,6 +4,7 @@ Priority: optional
Maintainer: Debian Kernel Team <debian-kernel at lists.debian.org>
Uploaders: Ben Hutchings <ben at decadent.org.uk>
Standards-Version: 3.9.6
-Build-Depends: debhelper (>= 9~)
+Build-Depends: debhelper (>= 9~), rsync
Vcs-Git: https://anonscm.debian.org/git/kernel/linux-signed.git
Vcs-Browser: https://anonscm.debian.org/cgit/kernel/linux-signed.git
+Homepage: https://www.kernel.org/
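Review bot: `Build-Depends` gains `rsync` but not the package that provides `sbattach`, which the install-signed recipe in debian/rules.real now runs at build time rather than in postinst. The old binary package obtained it through `${kernel:ImageSignTool}` (set to `sbsigntool`), and this commit removes that substvar. Unless gencontrol.py appends the dependency somewhere not shown here, the line would need to read `Build-Depends: debhelper (>= 9~), rsync, sbsigntool`, possibly with an architecture restriction.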
diff --git a/debian/templates/image-signed.bug-presubj.in b/debian/templates/image-signed.bug-presubj.in
deleted file mode 100644
index 5e547c7..0000000
--- a/debian/templates/image-signed.bug-presubj.in
+++ /dev/null
@@ -1,5 +0,0 @@
-You are about to report a bug in a Linux kernel signature package.
-This is probably not what you intended to do.
-
-If you want to report a bug in the Linux kernel or modules, you should use
-the package name linux-image- at abiname@@localversion@ instead.
diff --git a/debian/templates/image-signed.postinst.in b/debian/templates/image-signed.postinst.in
old mode 100644
new mode 100755
index e9efe23..ebd17df
--- a/debian/templates/image-signed.postinst.in
+++ b/debian/templates/image-signed.postinst.in
@@ -1,24 +1,29 @@
#!/bin/sh -e
-kernel_version='@abiname@@localversion@'
-package_name="linux-image-$kernel_version-signed"
-vmlinuz_name="vmlinuz-$kernel_version"
+version=@abiname@@localversion@
+image_path=/boot/@image-stem at -$version
-if [ "$1" = configure ] && \
- [ -f /usr/lib/$package_name/boot/$vmlinuz_name.sig ]; then
- cp -p /boot/$vmlinuz_name /boot/$vmlinuz_name.efi.unsigned
- sbattach --attach /usr/lib/$package_name/boot/$vmlinuz_name.sig \
- /boot/$vmlinuz_name.efi.unsigned
- sync /boot/$vmlinuz_name.efi.unsigned
- mv /boot/$vmlinuz_name.efi.unsigned /boot/$vmlinuz_name.efi.signed
- sync /boot/$vmlinuz_name.efi.signed
+if [ "$1" != configure ]; then
+ exit 0
fi
-if [ -d /etc/kernel/signed_postinst.d ]; then
- run-parts --report --exit-on-error --arg=$kernel_version \
- /etc/kernel/signed_postinst.d
+# Workaround for bug #817083 - ensure debconf template is loaded now
+# so we can use it in prerm script.
+. /usr/share/debconf/confmodule
+
+depmod $version
+
+if [ -f /lib/modules/$version/.fresh-install ]; then
+ change=install
+else
+ change=upgrade
fi
+linux-update-symlinks $change $version $image_path
+rm -f /lib/modules/$version/.fresh-install
-#DEBHELPER#
+if [ -d /etc/kernel/postinst.d ]; then
+ DEB_MAINT_PARAMS="$*" run-parts --report --exit-on-error --arg=$version \
+ --arg=$image_path /etc/kernel/postinst.d
+fi
exit 0
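Review bot: With `#DEBHELPER#` removed from this script (and from postrm), dh_installdeb has nowhere to insert generated snippets, while the new code sources `/usr/share/debconf/confmodule` specifically so that a template is loaded for prerm. No templates file for the -signed package is generated in this commit: the gencontrol.py loop substitutes only postinst, postrm, preinst and prerm. The prerm question is named after `linux-image-$version-signed`, so it is worth confirming that the template is registered under that name. If dropping the token is deliberate, a comment would record it, for example `# No #DEBHELPER# token: kept in step with the src:linux image postinst`.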
diff --git a/debian/templates/image-signed.postrm.in b/debian/templates/image-signed.postrm.in
old mode 100644
new mode 100755
index 1f5a25d..29e9c82
--- a/debian/templates/image-signed.postrm.in
+++ b/debian/templates/image-signed.postrm.in
@@ -1,21 +1,31 @@
#!/bin/sh -e
-kernel_version='@abiname@@localversion@'
-vmlinuz_name="vmlinuz-$kernel_version"
+version=@abiname@@localversion@
+image_path=/boot/@image-stem at -$version
-if [ "$1" = remove ]; then
- rm -f /boot/$vmlinuz_name.efi.unsigned
+rm -f /lib/modules/$version/.fresh-install
- if [ -f /boot/$vmlinuz_name.efi.signed ]; then
- rm -f /boot/$vmlinuz_name.efi.signed
- fi
+if [ "$1" != upgrade ] && command -v linux-update-symlinks >/dev/null; then
+ linux-update-symlinks remove $version $image_path
fi
-if [ -d /etc/kernel/signed_postrm.d ]; then
- run-parts --report --exit-on-error --arg=$kernel_version \
- /etc/kernel/signed_postrm.d
+if [ -d /etc/kernel/postrm.d ]; then
+ DEB_MAINT_PARAMS="$*" run-parts --report --exit-on-error --arg=$version \
+ --arg=$image_path /etc/kernel/postrm.d
fi
-#DEBHELPER#
+if [ "$1" = purge ]; then
+ for extra_file in modules.dep modules.isapnpmap modules.pcimap \
+ modules.usbmap modules.parportmap \
+ modules.generic_string modules.ieee1394map \
+ modules.ieee1394map modules.pnpbiosmap \
+ modules.alias modules.ccwmap modules.inputmap \
+ modules.symbols modules.ofmap \
+ modules.seriomap modules.\*.bin \
+ modules.softdep modules.devname; do
+ eval rm -f /lib/modules/$version/$extra_file
+ done
+ rmdir /lib/modules/$version
+fi
exit 0
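Review bot: Under `#!/bin/sh -e` the bare `rmdir /lib/modules/$version` in the purge branch makes the whole purge fail whenever the directory still holds files this list does not cover, for example modules installed by another package. `rmdir /lib/modules/$version || true` keeps the cleanup best-effort. The `eval rm -f` exists only to expand the escaped `modules.\*.bin` glob; `$version` is fixed at build time, so this is not an injection path, but a separate `rm -f /lib/modules/$version/modules.*.bin` line would let the `eval` go. `modules.ieee1394map` is listed twice.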
diff --git a/debian/templates/image-signed.preinst.in b/debian/templates/image-signed.preinst.in
new file mode 100755
index 0000000..8a5658e
--- /dev/null
+++ b/debian/templates/image-signed.preinst.in
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+version=@abiname@@localversion@
+image_path=/boot/@image-stem at -$version
+
+if [ "$1" = abort-upgrade ]; then
+ exit 0
+fi
+
+if [ "$1" = install ]; then
+ # Create a flag file for postinst
+ mkdir -p /lib/modules/$version
+ touch /lib/modules/$version/.fresh-install
+fi
+
+if [ -d /etc/kernel/preinst.d ]; then
+ DEB_MAINT_PARAMS="$*" run-parts --report --exit-on-error --arg=$version \
+ --arg=$image_path /etc/kernel/preinst.d
+fi
+
+exit 0
diff --git a/debian/templates/image-signed.prerm.in b/debian/templates/image-signed.prerm.in
new file mode 100755
index 0000000..90aa640
--- /dev/null
+++ b/debian/templates/image-signed.prerm.in
@@ -0,0 +1,44 @@
+#!/bin/sh -e
+
+version=@abiname@@localversion@
+image_path=/boot/@image-stem at -$version
+package_name=linux-image-$version-signed
+
+if [ "$1" != remove ]; then
+ exit 0
+fi
+
+. /usr/share/debconf/confmodule
+
+# Are we in a container? Check for $container in pid 1's environment.
+in_container() {
+ grep -qz '^container=' /proc/1/environ
+}
+
+# Check to see if we are trying to remove a running kernel.
+if ! in_container && ! ischroot && [ "$(uname -r)" = $version ]; then
+ # If we can ask debconf questions, ask whether that's intended
+ # and abort if not.
+ if [ "$DEBIAN_FRONTEND" = noninteractive ]; then
+ echo >&2 "W: removing running kernel image."
+ else
+ question=${package_name}/prerm/removing-running-kernel-$version
+ db_fset $question seen false
+ db_subst $question running $version
+ db_input critical $question
+ db_go
+ db_get $question
+ if [ $RET = true ]; then
+ echo >&2 "Aborting removal of running kernel image."
+ exit 1
+ fi
+ echo >&2 "Ok, proceeding with removing running kernel image."
+ fi
+fi
+
+if [ -d /etc/kernel/prerm.d ]; then
+ DEB_MAINT_PARAMS="$*" run-parts --report --exit-on-error --arg=$version \
+ --arg=$image_path /etc/kernel/prerm.d
+fi
+
+exit 0
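Review bot: The two tests that decide whether removal is aborted use unquoted expansions, `[ "$(uname -r)" = $version ]` and `[ $RET = true ]`. If `$RET` is ever empty, the second one becomes a malformed `[ = true ]`, which as an `if` condition is treated as false, so the script prints an error and carries on with removing the running kernel. Writing `if [ "$RET" = true ]; then` and `[ "$(uname -r)" = "$version" ]` makes the comparison well-formed in every case.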
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux-signed.git