From f63f36de4f0b4fe5cf7707af27e5e9cf8ebcba7d Mon Sep 17 00:00:00 2001 From: Konstantin Demin Date: Tue, 29 Oct 2024 05:12:06 +0300 Subject: [PATCH] drop signing --- debian/.gitignore | 1 - debian/README.source | 27 ----- debian/bin/gencontrol.py | 92 +-------------- debian/config/amd64/defines.toml | 1 - debian/config/arm64/defines.toml | 1 - debian/lib/python/debian_linux/config_v2.py | 1 - debian/lib/python/debian_linux/debian.py | 11 -- debian/rules.real | 30 ----- debian/signing_templates/README.source | 4 - debian/signing_templates/rules | 24 ---- debian/signing_templates/rules.defs | 2 - debian/signing_templates/rules.real | 108 ------------------ debian/signing_templates/source/format | 1 - debian/templates/config.control.in | 5 +- debian/templates/headers.control.in | 2 +- debian/templates/image-unsigned.NEWS.j2 | 1 - debian/templates/image-unsigned.control.in | 11 -- .../image-unsigned.lintian-overrides.j2 | 1 - debian/templates/image-unsigned.postinst.in | 1 - debian/templates/image-unsigned.postrm.in | 1 - debian/templates/image-unsigned.preinst.in | 1 - debian/templates/image-unsigned.prerm.in | 1 - debian/templates/signed-template.control.in | 7 -- .../signed-template.lintian-overrides.in | 1 - .../templates/signed.headers.meta.control.in | 1 - .../signed.headers.meta.lintian-overrides.in | 3 - .../signed.headers.meta.maintscript.in | 1 - debian/templates/signed.image.NEWS.j2 | 1 - debian/templates/signed.image.control.in | 19 --- debian/templates/signed.image.postinst.in | 1 - debian/templates/signed.image.postrm.in | 1 - debian/templates/signed.image.preinst.in | 1 - debian/templates/signed.image.prerm.in | 1 - debian/templates/signed.source.control.in | 14 --- .../signed.source.lintian-overrides.in | 7 -- 35 files changed, 8 insertions(+), 377 deletions(-) delete mode 100644 debian/signing_templates/README.source delete mode 100755 debian/signing_templates/rules delete mode 100644 debian/signing_templates/rules.defs delete mode 100644 debian/signing_templates/rules.real delete mode 100644 debian/signing_templates/source/format delete mode 120000 debian/templates/image-unsigned.NEWS.j2 delete mode 100644 debian/templates/image-unsigned.control.in delete mode 120000 debian/templates/image-unsigned.lintian-overrides.j2 delete mode 120000 debian/templates/image-unsigned.postinst.in delete mode 120000 debian/templates/image-unsigned.postrm.in delete mode 120000 debian/templates/image-unsigned.preinst.in delete mode 120000 debian/templates/image-unsigned.prerm.in delete mode 100644 debian/templates/signed-template.control.in delete mode 100644 debian/templates/signed-template.lintian-overrides.in delete mode 120000 debian/templates/signed.headers.meta.control.in delete mode 100644 debian/templates/signed.headers.meta.lintian-overrides.in delete mode 120000 debian/templates/signed.headers.meta.maintscript.in delete mode 120000 debian/templates/signed.image.NEWS.j2 delete mode 100644 debian/templates/signed.image.control.in delete mode 120000 debian/templates/signed.image.postinst.in delete mode 120000 debian/templates/signed.image.postrm.in delete mode 120000 debian/templates/signed.image.preinst.in delete mode 120000 debian/templates/signed.image.prerm.in delete mode 100644 debian/templates/signed.source.control.in delete mode 100644 debian/templates/signed.source.lintian-overrides.in diff --git a/debian/.gitignore b/debian/.gitignore index e5c120f..376a1bb 100644 --- a/debian/.gitignore +++ b/debian/.gitignore @@ -10,7 +10,6 @@ !/lib/ !/patches*/ !/rules.d/ -!/signing_templates/ !/source/ !/templates/ !/upstream/ diff --git a/debian/README.source b/debian/README.source index e9d5a9f..67f5b2d 100644 --- a/debian/README.source +++ b/debian/README.source @@ -267,30 +267,3 @@ linux-source- binary package. Currently kernel builds use debian/build/build___, userland code uses debian/build/build-tools/ and documentation uses debian/build/build-doc. - -Code signing -============ - -The kernel image and modules may be signed after building, to support -a Secure Boot or Trusted Boot policy. In Debian, this is performed by -a "code signing service" that is separate from the normal package -build process. - -The initial package build generates binary packages named -linux-image--signed-template, that contain a source package -template and metadata about the files to be signed. The code signing -service will download this and the linux-image packages to be signed. -It will add detached signatures to the source package, then upload it -(without ever running debian/rules). - -The source package template is generated by -debian/bin/gencontrol_signed.py and debian/rules.real with files from -debian/signing_templates and debian/templates. To test changes to -these: - -1. Build the linux source package. -2. Generate the signed source package by running the script - "debian-test-sign" from the kernel-team.git repository. It is - also possible to set up a development configuration of the - official code signing service, but this is more complicated. -3. Build the signed source package. diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py index 7b01e33..7d22282 100755 --- a/debian/bin/gencontrol.py +++ b/debian/bin/gencontrol.py @@ -33,10 +33,7 @@ locale.setlocale(locale.LC_CTYPE, "C.UTF-8") class Gencontrol(Base): - disable_signed: bool - env_flags = [ - ('DEBIAN_KERNEL_DISABLE_SIGNED', 'disable_signed', 'signed code'), ] def __init__( @@ -187,34 +184,6 @@ class Gencontrol(Base): ) -> None: arch = config.name - if not self.disable_signed: - build_signed = config.build.enable_signed - else: - build_signed = False - - if build_signed: - # Make sure variables remain - vars['signedtemplate_binaryversion'] = '@signedtemplate_binaryversion@' - vars['signedtemplate_sourceversion'] = '@signedtemplate_sourceversion@' - - self.bundle.add('signed-template', (arch,), makeflags, vars, arch=arch) - - bundle_signed = self.bundles[f'signed-{arch}'] = \ - PackagesBundle(f'signed-{arch}', 'signed.source.control', vars, self.templates) - - with bundle_signed.open('source/lintian-overrides', 'w') as f: - f.write(self.substitute( - self.templates.get('signed.source.lintian-overrides'), vars)) - - with bundle_signed.open('changelog.head', 'w') as f: - dist = self.changelog[0].distribution - urgency = self.changelog[0].urgency - f.write(f'''\ -linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={urgency} - - * Sign kernel from {self.changelog[0].source} @signedtemplate_binaryversion@ -''') - if config.packages.source and list(config.featuresets): self.bundle.add('config', (arch, ), makeflags, vars) @@ -329,31 +298,11 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur packages_own = [] - if not self.disable_signed: - build_signed = config.build.enable_signed - else: - build_signed = False - - if build_signed: - bundle_signed = self.bundles[f'signed-{arch}'] - else: - bundle_signed = self.bundle - vars.setdefault('desc', '') - if build_signed: - packages_image_unsigned = ( - self.bundle.add('image-unsigned', ruleid, makeflags, vars, arch=arch) - ) - packages_image = packages_image_unsigned[:] - packages_image.extend( - bundle_signed.add('signed.image', ruleid, makeflags, vars, arch=arch) - ) - - else: - packages_image = packages_image_unsigned = ( - bundle_signed.add('image', ruleid, makeflags, vars, arch=arch) - ) + packages_image = ( + self.bundle.add('image', ruleid, makeflags, vars, arch=arch) + ) for field in ('Depends', 'Provides', 'Suggests', 'Recommends', 'Conflicts', 'Breaks'): @@ -387,19 +336,13 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur packages_own.extend(packages_image) packages_own.extend(packages_headers) - # The image meta-packages will depend on signed linux-image - # packages where applicable, so should be built from the - # signed source packages The header meta-packages will also be - # built along with the signed packages, to create a dependency - # relationship that ensures src:linux and src:linux-signed-* - # transition to testing together. if do_meta: packages_meta = ( - bundle_signed.add('image.meta', ruleid, makeflags, vars, arch=arch) + self.bundle.add('image.meta', ruleid, makeflags, vars, arch=arch) ) assert len(packages_meta) == 1 packages_meta += ( - bundle_signed.add(build_signed and 'signed.headers.meta' or 'headers.meta', + self.bundle.add('headers.meta', ruleid, makeflags, vars, arch=arch) ) assert len(packages_meta) == 2 @@ -503,31 +446,6 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur def write(self) -> None: super().write() - self.write_signed() - - def write_signed(self) -> None: - for bundle in self.bundles.values(): - pkg_sign_entries = {} - - for p in bundle.packages.values(): - if not isinstance(p, BinaryPackage): - continue - - if pkg_sign_pkg := p.meta_sign_package: - pkg_sign_entries[pkg_sign_pkg] = { - 'trusted_certs': [], - 'files': [ - { - 'sig_type': e.split(':', 1)[-1], - 'file': e.split(':', 1)[0], - } - for e in p.meta_sign_files - ], - } - - if pkg_sign_entries: - with bundle.path('files.json').open('w') as f: - json.dump({'packages': pkg_sign_entries}, f, indent=2) if __name__ == '__main__': diff --git a/debian/config/amd64/defines.toml b/debian/config/amd64/defines.toml index caa0f00..a5f8c6a 100644 --- a/debian/config/amd64/defines.toml +++ b/debian/config/amd64/defines.toml @@ -20,7 +20,6 @@ hardware_long = 'cloud platforms including Amazon EC2, Microsoft Azure, and Goog name = 'none' [build] -enable_signed = true enable_vdso = true kernel_file = 'arch/x86/boot/bzImage' kernel_stem = 'vmlinuz' diff --git a/debian/config/arm64/defines.toml b/debian/config/arm64/defines.toml index 34932a1..4117ca3 100644 --- a/debian/config/arm64/defines.toml +++ b/debian/config/arm64/defines.toml @@ -27,7 +27,6 @@ name = 'none' [build] compiler_gnutype_compat = 'arm-linux-gnueabihf' -enable_signed = true enable_vdso = true kernel_file = 'arch/arm64/boot/Image' kernel_stem = 'vmlinuz' diff --git a/debian/lib/python/debian_linux/config_v2.py b/debian/lib/python/debian_linux/config_v2.py index ac6bd8b..4c70b7d 100644 --- a/debian/lib/python/debian_linux/config_v2.py +++ b/debian/lib/python/debian_linux/config_v2.py @@ -37,7 +37,6 @@ class ConfigBuild: compiler_gnutype_compat: Optional[str] = None config: list[Path] = dataclasses.field(default_factory=list) config_default: list[Path] = dataclasses.field(default_factory=list, repr=False) - enable_signed: Optional[bool] = None enable_vdso: Optional[bool] = None kernel_file: Optional[str] = None kernel_stem: Optional[str] = None diff --git a/debian/lib/python/debian_linux/debian.py b/debian/lib/python/debian_linux/debian.py index f95cf15..6768584 100644 --- a/debian/lib/python/debian_linux/debian.py +++ b/debian/lib/python/debian_linux/debian.py @@ -686,14 +686,3 @@ class BinaryPackage(_BasePackage): default=None, deb822_dump=None, ) - meta_sign_package: Optional[str] = field_deb822( - 'Meta-Sign-Package', - default=None, - deb822_dump=None, - ) - meta_sign_files: list[str] = field_deb822( - 'Meta-Sign-Files', - default_factory=list, - deb822_load=lambda v: v.split(), - deb822_dump=None, - ) diff --git a/debian/rules.real b/debian/rules.real index c09ccde..8d17893 100644 --- a/debian/rules.real +++ b/debian/rules.real @@ -481,36 +481,6 @@ endif ln -s ../../../boot/vmlinux-$(REAL_VERSION) $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vmlinux $(dh_binary_post) -build_signed-template: - -binary_signed-template: GEN_DIR = debian/generated.signed-$(ARCH) -binary_signed-template: CODE_SIGNING_DIR = $(DESTDIR)/usr/share/code-signing/$(PACKAGE_NAME) -binary_signed-template: DEBIAN_DIR = $(CODE_SIGNING_DIR)/source-template/debian -binary_signed-template: VERSION_TEMPLATE = $(shell echo $(DEB_VERSION) | sed -Ee 's/\+b(\d+)$$/.b\1/' -e 's/-/+/g') -binary_signed-template: - $(dh_binary_pre) - rm -rf $(CODE_SIGNING_DIR) - mkdir -p $(DEBIAN_DIR)/source - for i in $$(find $(GEN_DIR) -type f -printf '%P\n'); do \ - sed -E \ - -e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \ - -e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \ - $(GEN_DIR)/$$i > $(DEBIAN_DIR)/$$i; \ - done - for i in $$(find debian/signing_templates -type f -printf '%P\n'); do \ - sed -E \ - -e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \ - -e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \ - debian/signing_templates/$$i > $(DEBIAN_DIR)/$$i; \ - done - mv $(DEBIAN_DIR)/changelog.head $(DEBIAN_DIR)/changelog - tail +2 debian/changelog >> $(DEBIAN_DIR)/changelog - mv $(DEBIAN_DIR)/files.json $(CODE_SIGNING_DIR)/ - chmod 755 $(DEBIAN_DIR)/rules - cp -R debian/copyright \ - $(CODE_SIGNING_DIR)/source-template/debian/ - $(dh_binary_post) - build_source: binary_source: BUILDDEB_ARGS = -Zxz -z0 diff --git a/debian/signing_templates/README.source b/debian/signing_templates/README.source deleted file mode 100644 index f175c35..0000000 --- a/debian/signing_templates/README.source +++ /dev/null @@ -1,4 +0,0 @@ -This source package is generated by the Debian signing service from a -template built by the linux package. It should never be updated directly. - - -- Ben Hutchings Fri, 06 Apr 2018 10:23:29 +0100 diff --git a/debian/signing_templates/rules b/debian/signing_templates/rules deleted file mode 100755 index c79af13..0000000 --- a/debian/signing_templates/rules +++ /dev/null @@ -1,24 +0,0 @@ -#!/usr/bin/make -f - -include /usr/share/dpkg/architecture.mk - -SHELL := sh -e - -include debian/rules.defs - -build: build-arch build-indep -build-arch: -build-indep: - -clean: - dh_testdir - rm -rf $(BUILD_DIR) $(STAMPS_DIR) - dh_clean - -binary: binary-arch binary-indep -binary-arch: debian/control - dh_testdir - $(MAKE) -f debian/rules.gen binary-arch_$(DEB_HOST_ARCH) -binary-indep: - -.PHONY: build build-arch build-indep clean binary binary-arch binary-indep diff --git a/debian/signing_templates/rules.defs b/debian/signing_templates/rules.defs deleted file mode 100644 index e720ef3..0000000 --- a/debian/signing_templates/rules.defs +++ /dev/null @@ -1,2 +0,0 @@ -BUILD_DIR = debian/build -STAMPS_DIR = debian/stamps diff --git a/debian/signing_templates/rules.real b/debian/signing_templates/rules.real deleted file mode 100644 index dd5e0f7..0000000 --- a/debian/signing_templates/rules.real +++ /dev/null @@ -1,108 +0,0 @@ -include /usr/share/dpkg/default.mk - -SHELL := bash -e - -include debian/rules.defs - -export DH_OPTIONS - -export DEB_RULES_REQUIRES_ROOT ?= no - -GENCONTROL_ARGS := -v@signedtemplate_binaryversion@ -BUILDDEB_ARGS := -Zxz $(if $(filter pkg.linux.quick,$(DEB_BUILD_PROFILES)),-z0) - -stamp = [ -d $(dir $@) ] || mkdir $(dir $@); touch $@ - -define dh_binary_pre - dh_testroot - dh_prep - dh_installdirs -endef - -define dh_binary_post - dh_install $(DH_INSTALL_ARGS) - # Workaround #1068189. By Debian policy and aligned debhelper behaviour /usr/share/doc/package - # is permitted to be a symbolic link to another directory in /usr/share/doc only if the two - # packages come from the same source package. The package build will fail with the new debhelper - # version since debhelper/13.15. As the linux-signed-* packages are quite special in the eco- - # system, make the workaround to fallback to the old behaviour until it is agreed on how to - # resolve the situation policy conformant. - # https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information - $(if $(INSTALLDOCS_LINK_DOC), - mkdir -p debian/$(PACKAGE_NAME)/usr/share/doc && ln -sf $(INSTALLDOCS_LINK_DOC) debian/$(PACKAGE_NAME)/usr/share/doc/$(PACKAGE_NAME), - dh_installdocs) - dh_installchangelogs - dh_installexamples - dh_installman - dh_installudev - dh_bugfiles - dh_ucf - dh_lintian - dh_icons - dh_link - dh_compress - dh_fixperms - dh_missing - dh_strip $(DH_STRIP_ARGS) -Xvmlinux -Xvmlinuz - dh_makeshlibs -Xvmlinux -Xvmlinuz - dh_shlibdeps $(DH_SHLIBDEPS_ARGS) - dh_installdeb - if command -v dh_movetousr >/dev/null; then dh_movetousr; fi - dh_gencontrol -- $(GENCONTROL_ARGS) - dh_md5sums - dh_builddeb -- $(BUILDDEB_ARGS) -endef - -build-indep: - -$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): REAL_VERSION = $(ABINAME)$(LOCALVERSION) -$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned -$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): SIGNATURE_DIR = debian/signatures/$(IMAGE_PACKAGE_NAME) -$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): INSTALL_DIR=$(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR) -$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): - mkdir -p $(INSTALL_DIR)/boot - rsync -a $(patsubst %,/boot/%-$(REAL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \ - $(INSTALL_DIR)/boot/ - sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(REAL_VERSION).sig \ - $(INSTALL_DIR)/boot/vmlinuz-$(REAL_VERSION) - mkdir -p $(INSTALL_DIR)/lib/modules/$(REAL_VERSION) - rsync -a $(addprefix /lib/modules/$(REAL_VERSION)/,kernel modules.builtin modules.builtin.modinfo modules.order) \ - $(INSTALL_DIR)/lib/modules/$(REAL_VERSION)/ -# Copy any device tree files - if [ -d /usr/lib/linux-image-$(REAL_VERSION) ]; then \ - mkdir -p $(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION); \ - rsync -a /usr/lib/linux-image-$(REAL_VERSION)/ \ - $(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION)/; \ - fi - $(stamp) - -build_image: - -binary_image: DH_OPTIONS = -p$(PACKAGE_NAME) -binary_image: DH_STRIP_ARGS = --no-automatic-dbgsym -binary_image: REAL_VERSION = $(ABINAME)$(LOCALVERSION) -binary_image: IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned -binary_image: DIR2 = $(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR) -binary_image: PACKAGE_DIR = debian/$(PACKAGE_NAME) -binary_image: $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR) -binary_image: - $(dh_binary_pre) - dh_install --sourcedir=$(DIR2) boot - dh_install --sourcedir=$(DIR2) lib - if [ -d $(DIR2)/usr ]; then dh_install --sourcedir=$(DIR2) usr; fi -# Copy bug scripts but change the info file to refer to the right package - mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME) - rsync -a /usr/share/bug/$(IMAGE_PACKAGE_NAME)/ \ - $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/ - sed -i -e 's/^PACKAGE_NAME=.*/PACKAGE_NAME=$(PACKAGE_NAME)/' \ - -e 's/^PACKAGE_VERSION=.*/PACKAGE_VERSION=$(PACKAGE_VERSION)/' \ - $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/info - $(dh_binary_post) - -build_meta: - -binary_meta: - $(dh_binary_pre) - $(dh_binary_post) - -.PHONY: build_% binary_% diff --git a/debian/signing_templates/source/format b/debian/signing_templates/source/format deleted file mode 100644 index 89ae9db..0000000 --- a/debian/signing_templates/source/format +++ /dev/null @@ -1 +0,0 @@ -3.0 (native) diff --git a/debian/templates/config.control.in b/debian/templates/config.control.in index 0248daf..0351a4a 100644 --- a/debian/templates/config.control.in +++ b/debian/templates/config.control.in @@ -6,8 +6,7 @@ Multi-Arch: same Depends: ${misc:Depends} Recommends: @source_basename@-source-@version@ Description: Debian kernel configurations for Linux @version@ - This package contains the configuration files used to build the - official Debian kernel files, but without references to Debian's - signing certificates. + This package contains the configuration files used to build kernel + files. . These can be used as a basis for configuring custom kernels. diff --git a/debian/templates/headers.control.in b/debian/templates/headers.control.in index ab14398..e0a22ae 100644 --- a/debian/templates/headers.control.in +++ b/debian/templates/headers.control.in @@ -3,7 +3,7 @@ Meta-Rules-Target: headers Build-Profiles: Depends: linux-headers-@abiname@-common@localversion_headers@ (= ${source:Version}), - linux-image-@abiname@@localversion@ (= ${binary:Version}) | linux-image-@abiname@@localversion@-unsigned (= ${binary:Version}), + linux-image-@abiname@@localversion@ (= ${binary:Version}), linux-kbuild-@abiname@, ${misc:Depends} Description: Header files for Linux @abiname@@localversion@ diff --git a/debian/templates/image-unsigned.NEWS.j2 b/debian/templates/image-unsigned.NEWS.j2 deleted file mode 120000 index 0833b65..0000000 --- a/debian/templates/image-unsigned.NEWS.j2 +++ /dev/null @@ -1 +0,0 @@ -image.NEWS.j2 \ No newline at end of file diff --git a/debian/templates/image-unsigned.control.in b/debian/templates/image-unsigned.control.in deleted file mode 100644 index 9e71e80..0000000 --- a/debian/templates/image-unsigned.control.in +++ /dev/null @@ -1,11 +0,0 @@ -Package: linux-image-@abiname@@localversion@-unsigned -Meta-Rules-Target: image -Build-Profiles: -Build-Depends: - kmod, -Depends: kmod, linux-base (>= 4.3~), ${misc:Depends} -Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook -Conflicts: linux-image-@abiname@@localversion@ -Replaces: linux-image-@abiname@@localversion@ -Description: Linux @upstreamversion@ for @class@ - The Linux kernel @upstreamversion@ and modules for use on @longclass@. diff --git a/debian/templates/image-unsigned.lintian-overrides.j2 b/debian/templates/image-unsigned.lintian-overrides.j2 deleted file mode 120000 index 495f21e..0000000 --- a/debian/templates/image-unsigned.lintian-overrides.j2 +++ /dev/null @@ -1 +0,0 @@ -image.lintian-overrides.j2 \ No newline at end of file diff --git a/debian/templates/image-unsigned.postinst.in b/debian/templates/image-unsigned.postinst.in deleted file mode 120000 index 0927bf1..0000000 --- a/debian/templates/image-unsigned.postinst.in +++ /dev/null @@ -1 +0,0 @@ -image.postinst.in \ No newline at end of file diff --git a/debian/templates/image-unsigned.postrm.in b/debian/templates/image-unsigned.postrm.in deleted file mode 120000 index 91fe50b..0000000 --- a/debian/templates/image-unsigned.postrm.in +++ /dev/null @@ -1 +0,0 @@ -image.postrm.in \ No newline at end of file diff --git a/debian/templates/image-unsigned.preinst.in b/debian/templates/image-unsigned.preinst.in deleted file mode 120000 index f71396d..0000000 --- a/debian/templates/image-unsigned.preinst.in +++ /dev/null @@ -1 +0,0 @@ -image.preinst.in \ No newline at end of file diff --git a/debian/templates/image-unsigned.prerm.in b/debian/templates/image-unsigned.prerm.in deleted file mode 120000 index 6f0e8a6..0000000 --- a/debian/templates/image-unsigned.prerm.in +++ /dev/null @@ -1 +0,0 @@ -image.prerm.in \ No newline at end of file diff --git a/debian/templates/signed-template.control.in b/debian/templates/signed-template.control.in deleted file mode 100644 index 36553a3..0000000 --- a/debian/templates/signed-template.control.in +++ /dev/null @@ -1,7 +0,0 @@ -Package: linux-image@source_suffix@-@arch@-signed-template -Meta-Rules-Target: signed-template -Build-Profiles: -Depends: dpkg-dev, python3:any, ${misc:Depends} -Description: Template for signed linux-image packages for @arch@ - This package is used to control code signing by the Debian signing - service. diff --git a/debian/templates/signed-template.lintian-overrides.in b/debian/templates/signed-template.lintian-overrides.in deleted file mode 100644 index 7fef9b1..0000000 --- a/debian/templates/signed-template.lintian-overrides.in +++ /dev/null @@ -1 +0,0 @@ -linux-image@source_suffix@-@arch@-signed-template: script-not-executable diff --git a/debian/templates/signed.headers.meta.control.in b/debian/templates/signed.headers.meta.control.in deleted file mode 120000 index 821bbb6..0000000 --- a/debian/templates/signed.headers.meta.control.in +++ /dev/null @@ -1 +0,0 @@ -headers.meta.control.in \ No newline at end of file diff --git a/debian/templates/signed.headers.meta.lintian-overrides.in b/debian/templates/signed.headers.meta.lintian-overrides.in deleted file mode 100644 index 4a0a7c0..0000000 --- a/debian/templates/signed.headers.meta.lintian-overrides.in +++ /dev/null @@ -1,3 +0,0 @@ -# linux-signed-* source packages are generated by the linux source -# package, so it is OK for their binaries to share documentation -@package@: usr-share-doc-symlink-to-foreign-package linux-headers-@abiname@@localversion@ diff --git a/debian/templates/signed.headers.meta.maintscript.in b/debian/templates/signed.headers.meta.maintscript.in deleted file mode 120000 index d711dac..0000000 --- a/debian/templates/signed.headers.meta.maintscript.in +++ /dev/null @@ -1 +0,0 @@ -headers.meta.maintscript.in \ No newline at end of file diff --git a/debian/templates/signed.image.NEWS.j2 b/debian/templates/signed.image.NEWS.j2 deleted file mode 120000 index 0833b65..0000000 --- a/debian/templates/signed.image.NEWS.j2 +++ /dev/null @@ -1 +0,0 @@ -image.NEWS.j2 \ No newline at end of file diff --git a/debian/templates/signed.image.control.in b/debian/templates/signed.image.control.in deleted file mode 100644 index 59b8f7a..0000000 --- a/debian/templates/signed.image.control.in +++ /dev/null @@ -1,19 +0,0 @@ -Package: linux-image-@abiname@@localversion@ -Meta-Rules-Target: image -Meta-Sign-Package: linux-image-@abiname@@localversion@-unsigned -Meta-Sign-Files: boot/@image-stem@-@abiname@@localversion@:efi -Build-Profiles: -Build-Depends: - linux-image-@abiname@@localversion@-unsigned (= @signedtemplate_binaryversion@), - kmod, -# Used by debian/signing_templates/rules.real - rsync, -Built-Using: @source_basename@@source_suffix@ (= @version_complete@) -Depends: kmod, linux-base (>= 4.3~), ${misc:Depends} -Conflicts: linux-image-@abiname@@localversion@-unsigned -Replaces: linux-image-@abiname@@localversion@-unsigned -Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook -Description: Linux @upstreamversion@ for @class@ (signed) - The Linux kernel @upstreamversion@ and modules for use on @longclass@. - . - The kernel image is signed for use with Secure Boot. diff --git a/debian/templates/signed.image.postinst.in b/debian/templates/signed.image.postinst.in deleted file mode 120000 index 0927bf1..0000000 --- a/debian/templates/signed.image.postinst.in +++ /dev/null @@ -1 +0,0 @@ -image.postinst.in \ No newline at end of file diff --git a/debian/templates/signed.image.postrm.in b/debian/templates/signed.image.postrm.in deleted file mode 120000 index 91fe50b..0000000 --- a/debian/templates/signed.image.postrm.in +++ /dev/null @@ -1 +0,0 @@ -image.postrm.in \ No newline at end of file diff --git a/debian/templates/signed.image.preinst.in b/debian/templates/signed.image.preinst.in deleted file mode 120000 index f71396d..0000000 --- a/debian/templates/signed.image.preinst.in +++ /dev/null @@ -1 +0,0 @@ -image.preinst.in \ No newline at end of file diff --git a/debian/templates/signed.image.prerm.in b/debian/templates/signed.image.prerm.in deleted file mode 120000 index 6f0e8a6..0000000 --- a/debian/templates/signed.image.prerm.in +++ /dev/null @@ -1 +0,0 @@ -image.prerm.in \ No newline at end of file diff --git a/debian/templates/signed.source.control.in b/debian/templates/signed.source.control.in deleted file mode 100644 index 3edb5a8..0000000 --- a/debian/templates/signed.source.control.in +++ /dev/null @@ -1,14 +0,0 @@ -Source: linux-signed@source_suffix@-@arch@ -Section: kernel -Priority: optional -Maintainer: Debian Kernel Team -Uploaders: Bastian Blank , maximilian attems , Ben Hutchings , Salvatore Bonaccorso -Standards-Version: 4.2.0 -Build-Depends: - debhelper-compat (= 13), - python3:any, - sbsigntool [amd64 arm64], -Rules-Requires-Root: no -Vcs-Git: https://salsa.debian.org/kernel-team/linux.git -Vcs-Browser: https://salsa.debian.org/kernel-team/linux -Homepage: https://www.kernel.org/ diff --git a/debian/templates/signed.source.lintian-overrides.in b/debian/templates/signed.source.lintian-overrides.in deleted file mode 100644 index 34d68e7..0000000 --- a/debian/templates/signed.source.lintian-overrides.in +++ /dev/null @@ -1,7 +0,0 @@ -# linux-signed-* source packages are generated by the linux source -# package, and produce binaries with the same versions, even in case -# of a binNMU of linux -linux-signed-@arch@ source: version-substvar-for-external-package Depends *${binary:Version} linux-headers-* -> linux-headers-* - -# The changelog is mostly copied from linux which is non-native -linux-signed-@arch@ source: odd-historical-debian-changelog-version * (for native)*