[linux-signed] 02/03: Use sign-file to detach and attach module signatures

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sun Jun 26 14:35:03 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux-signed.

commit cad7c72d8356b185ec8652e0c706bc07a8a8d0e9
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Jun 26 15:01:23 2016 +0200

    Use sign-file to detach and attach module signatures
    
    We currently detach and attach signatures crudely by splitting and
    catting them.  The reason for doing that in the first place was to
    avoid adding a dependency on linux-kbuild to linux-image-signed
    packages, but that is irrelevant now that we attach signatures at
    build time.
    
    Use sign-file so we don't have to make assumptions about how
    signatures are attached.
---
 debian/bin/gencontrol.py           |  1 +
 debian/bin/sign.py                 | 20 ++++++--------------
 debian/changelog                   |  1 +
 debian/rules.real                  |  6 ++++--
 debian/templates/control.source.in |  2 +-
 5 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index 82103ea..7c75aaa 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -32,6 +32,7 @@ class Gencontrol(Base):
             f.write(self.substitute(self.templates[template], vars))
 
     def do_main_setup(self, vars, makeflags, extra):
+        makeflags['VERSION'] = self.version.linux_version
         makeflags['GENCONTROL_ARGS'] = '-v%s' % self.package_version
         makeflags['PACKAGE_VERSION'] = self.package_version
 
diff --git a/debian/bin/sign.py b/debian/bin/sign.py
index d1effe7..bf5c579 100755
--- a/debian/bin/sign.py
+++ b/debian/bin/sign.py
@@ -117,22 +117,14 @@ def get_package(mirror, suite, name, version, arch):
 
     return unpack_dir
 
-def detach_sig(unsigned_name, signed_file, signature_name):
-    # Signatures are appended, so we detach by copying everything beyond
-    # the unsigned file size
-    unsigned_size = os.stat(unsigned_name).st_size
-    os.makedirs(os.path.dirname(signature_name), exist_ok=True)
-    with open(signature_name, 'wb') as signature:
-        signed_file.seek(unsigned_size)
-        signature.write(signed_file.read())
-
 def sign_module(kbuild_dir, module_name, signature_name, privkey_name,
                 cert_name):
-    with tempfile.NamedTemporaryFile() as signed_module:
-        subprocess.check_call(['%s/scripts/sign-file' % kbuild_dir, 'sha256',
-                               privkey_name, cert_name, module_name,
-                               signed_module.name])
-        detach_sig(module_name, signed_module, signature_name)
+    os.makedirs(os.path.dirname(signature_name), exist_ok=True)
+    # 'sign-file -d' currently ignores any <dest> argument and always writes
+    # to <module>.p7s, so accept that and rename afterwards
+    subprocess.check_call(['%s/scripts/sign-file' % kbuild_dir, '-d',
+                           'sha256', privkey_name, cert_name, module_name])
+    os.rename(module_name + '.p7s', signature_name)
 
 def sign_modules(kbuild_dir, modules_dir, signature_dir, privkey_name,
                  cert_name):
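Review bot: In sign_module, `os.rename(module_name + '.p7s', signature_name)` raises OSError (EXDEV) when the signature directory is on a different filesystem from the unpacked module tree. `shutil.move(module_name + '.p7s', signature_name)` covers both cases, provided shutil is imported; the import block is outside the hunk. The call also relies on where `sign-file -d` writes its output, which the comment itself describes as current behaviour. An explicit check that `module_name + '.p7s'` exists after check_call, with an error that says sign-file's output location changed, would make a future change fail with a clear message instead of a bare FileNotFoundError from the rename. sign_modules begins on the last lines of the hunk and continues outside it.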
diff --git a/debian/changelog b/debian/changelog
index 94e4dee..aa0c016 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 linux-signed (2.1) UNRELEASED; urgency=medium
 
   * Rename SUITE variable to MIRROR_SUITE and group it with MIRROR_URL
+  * Use sign-file to detach and attach module signatures
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 26 Jun 2016 15:11:25 +0200
 
diff --git a/debian/rules.real b/debian/rules.real
index 0cb1f77..cd7670e 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -26,8 +26,10 @@ install-signed:
 	rsync -a $(addprefix /lib/modules/$(KERNEL_VERSION)/,kernel modules.builtin modules.order) \
 		$(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
 	while read path; do \
-		cat $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION)/$$path \
-			>> $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/$${path%.sig}; \
+		/usr/lib/linux-kbuild-$(VERSION)/scripts/sign-file -s \
+			$(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION)/$$path \
+			sha256 $(KERNEL_MODULES_CERT) \
+			$(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/$${path%.sig}; \
 	done < <(find $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION) -name '*.sig' -printf '%P\n')
 # Copy bug scripts but change the info file to refer to the right package
 	mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)
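Review bot: The attach loop in install-signed does not stop when sign-file fails. Unless the recipe shell runs with -e, only the status of the last iteration of `while read path; do ...; done` reaches make, so a failure on an earlier module leaves it unsigned in $(PACKAGE_DIR) while the build still succeeds. Ending the command with `$${path%.sig} || exit 1; \` makes the first failure fatal. `sign-file -s` also appears to attach the given signature without checking it against the module contents, so a .sig generated from a different build of the module would only surface when the kernel rejects it at load time; a verification pass after the loop would catch that during the build. The install-signed recipe starts before the hunk.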
diff --git a/debian/templates/control.source.in b/debian/templates/control.source.in
index 1f252ae..e6050df 100644
--- a/debian/templates/control.source.in
+++ b/debian/templates/control.source.in
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian Kernel Team <debian-kernel at lists.debian.org>
 Uploaders: Ben Hutchings <ben at decadent.org.uk>
 Standards-Version: 3.9.6
-Build-Depends: debhelper (>= 9~), rsync, sbsigntool [amd64 i386], kernel-wedge (>= 2.94~)
+Build-Depends: debhelper (>= 9~), rsync, sbsigntool [amd64 i386], kernel-wedge (>= 2.94~), linux-kbuild- at version@
 Vcs-Git: https://anonscm.debian.org/git/kernel/linux-signed.git
 Vcs-Browser: https://anonscm.debian.org/cgit/kernel/linux-signed.git
 Homepage: https://www.kernel.org/

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux-signed.git


