[linux-signed] 02/03: Use sign-file to detach and attach module signatures
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sun Jun 26 14:35:03 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux-signed.
commit cad7c72d8356b185ec8652e0c706bc07a8a8d0e9
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Jun 26 15:01:23 2016 +0200
Use sign-file to detach and attach module signatures
We currently detach and attach signatures crudely by splitting and
catting them. The reason for doing that in the first place was to
avoid adding a dependency on linux-kbuild to linux-image-signed
packages, but that is irrelevant now that we attach signatures at
build time.
Use sign-file so we don't have to make assumptions about how
signatures are attached.
---
debian/bin/gencontrol.py | 1 +
debian/bin/sign.py | 20 ++++++--------------
debian/changelog | 1 +
debian/rules.real | 6 ++++--
debian/templates/control.source.in | 2 +-
5 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index 82103ea..7c75aaa 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -32,6 +32,7 @@ class Gencontrol(Base):
f.write(self.substitute(self.templates[template], vars))
def do_main_setup(self, vars, makeflags, extra):
+ makeflags['VERSION'] = self.version.linux_version
makeflags['GENCONTROL_ARGS'] = '-v%s' % self.package_version
makeflags['PACKAGE_VERSION'] = self.package_version
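Review bot: The new `makeflags['VERSION']` entry has no comment saying what consumes it, and the name is generic enough to be confused with `PACKAGE_VERSION`, set two lines below. Judging by the debian/rules.real hunk in this commit, it selects the `/usr/lib/linux-kbuild-$(VERSION)` directory that sign-file is run from. A comment above the line such as `# upstream version; selects the linux-kbuild-<version> tree that provides sign-file` would make that link visible. do_main_setup continues outside the hunk.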
diff --git a/debian/bin/sign.py b/debian/bin/sign.py
index d1effe7..bf5c579 100755
--- a/debian/bin/sign.py
+++ b/debian/bin/sign.py
@@ -117,22 +117,14 @@ def get_package(mirror, suite, name, version, arch):
return unpack_dir
-def detach_sig(unsigned_name, signed_file, signature_name):
- # Signatures are appended, so we detach by copying everything beyond
- # the unsigned file size
- unsigned_size = os.stat(unsigned_name).st_size
- os.makedirs(os.path.dirname(signature_name), exist_ok=True)
- with open(signature_name, 'wb') as signature:
- signed_file.seek(unsigned_size)
- signature.write(signed_file.read())
-
def sign_module(kbuild_dir, module_name, signature_name, privkey_name,
cert_name):
- with tempfile.NamedTemporaryFile() as signed_module:
- subprocess.check_call(['%s/scripts/sign-file' % kbuild_dir, 'sha256',
- privkey_name, cert_name, module_name,
- signed_module.name])
- detach_sig(module_name, signed_module, signature_name)
+ os.makedirs(os.path.dirname(signature_name), exist_ok=True)
+ # 'sign-file -d' currently ignores any <dest> argument and always writes
+ # to <module>.p7s, so accept that and rename afterwards
+ subprocess.check_call(['%s/scripts/sign-file' % kbuild_dir, '-d',
+ 'sha256', privkey_name, cert_name, module_name])
+ os.rename(module_name + '.p7s', signature_name)
def sign_modules(kbuild_dir, modules_dir, signature_dir, privkey_name,
cert_name):
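Review bot: `os.rename(module_name + '.p7s', signature_name)` at the end of sign_module raises OSError when the unpacked module tree and the signature directory are on different filesystems, a case the removed detach_sig handled by copying the bytes. Whether that can occur depends on where get_package unpacks, which this hunk does not show. If it can, `shutil.move(module_name + '.p7s', signature_name)` covers both cases; shutil would need importing if sign.py does not already import it. The existing comment could also say that sign-file writes the `.p7s` into the unpacked package tree, so that tree must be writable by the signing step.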
diff --git a/debian/changelog b/debian/changelog
index 94e4dee..aa0c016 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
linux-signed (2.1) UNRELEASED; urgency=medium
* Rename SUITE variable to MIRROR_SUITE and group it with MIRROR_URL
+ * Use sign-file to detach and attach module signatures
-- Ben Hutchings <ben at decadent.org.uk> Sun, 26 Jun 2016 15:11:25 +0200
diff --git a/debian/rules.real b/debian/rules.real
index 0cb1f77..cd7670e 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -26,8 +26,10 @@ install-signed:
rsync -a $(addprefix /lib/modules/$(KERNEL_VERSION)/,kernel modules.builtin modules.order) \
$(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
while read path; do \
- cat $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION)/$$path \
- >> $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/$${path%.sig}; \
+ /usr/lib/linux-kbuild-$(VERSION)/scripts/sign-file -s \
+ $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION)/$$path \
+ sha256 $(KERNEL_MODULES_CERT) \
+ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/$${path%.sig}; \
done < <(find $(SIGNATURE_DIR)/lib/modules/$(KERNEL_VERSION) -name '*.sig' -printf '%P\n')
# Copy bug scripts but change the info file to refer to the right package
mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)
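Review bot: A sign-file failure inside the `while read path` loop stops the build only if the recipe shell runs with `-e`, which this hunk does not show. Without it the loop's exit status is that of the last iteration, so a module whose signature failed to attach would be packaged unsigned. Ending the command with `$${path%.sig} || exit 1; \` makes the failure explicit regardless of shell options. The modules are rsynced from `/lib/modules/$(KERNEL_VERSION)` while the signatures come from `$(SIGNATURE_DIR)`, so if the two can differ, a check after attaching that each module verifies against `$(KERNEL_MODULES_CERT)` would catch a mismatch at build time rather than at module load. The install-signed recipe begins before the hunk.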
diff --git a/debian/templates/control.source.in b/debian/templates/control.source.in
index 1f252ae..e6050df 100644
--- a/debian/templates/control.source.in
+++ b/debian/templates/control.source.in
@@ -4,7 +4,7 @@ Priority: optional
Maintainer: Debian Kernel Team <debian-kernel at lists.debian.org>
Uploaders: Ben Hutchings <ben at decadent.org.uk>
Standards-Version: 3.9.6
-Build-Depends: debhelper (>= 9~), rsync, sbsigntool [amd64 i386], kernel-wedge (>= 2.94~)
+Build-Depends: debhelper (>= 9~), rsync, sbsigntool [amd64 i386], kernel-wedge (>= 2.94~), linux-kbuild- at version@
Vcs-Git: https://anonscm.debian.org/git/kernel/linux-signed.git
Vcs-Browser: https://anonscm.debian.org/cgit/kernel/linux-signed.git
Homepage: https://www.kernel.org/
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux-signed.git