drop signing

2024-10-29 05:12:06 +03:00 · 2024-10-29 05:12:06 +03:00 · f63f36de4f
commit f63f36de4f
parent 3a08f39a8b
35 changed files with 8 additions and 377 deletions
--- a/debian/.gitignore
+++ b/debian/.gitignore
@ -10,7 +10,6 @@
 !/lib/
 !/patches*/
 !/rules.d/
 !/signing_templates/
 !/source/
 !/templates/
 !/upstream/
--- a/debian/README.source
+++ b/debian/README.source
@ -267,30 +267,3 @@ linux-source-<version> binary package.  Currently kernel builds use
 debian/build/build_<arch>_<featureset>_<flavour>, userland code uses
 debian/build/build-tools/<source-dir> and documentation uses
 debian/build/build-doc.
 Code signing
 ============
 The kernel image and modules may be signed after building, to support
 a Secure Boot or Trusted Boot policy.  In Debian, this is performed by
 a "code signing service" that is separate from the normal package
 build process.
 The initial package build generates binary packages named
 linux-image-<arch>-signed-template, that contain a source package
 template and metadata about the files to be signed.  The code signing
 service will download this and the linux-image packages to be signed.
 It will add detached signatures to the source package, then upload it
 (without ever running debian/rules).
 The source package template is generated by
 debian/bin/gencontrol_signed.py and debian/rules.real with files from
 debian/signing_templates and debian/templates.  To test changes to
 these:
 1. Build the linux source package.
 2. Generate the signed source package by running the script
   "debian-test-sign" from the kernel-team.git repository.  It is
   also possible to set up a development configuration of the
   official code signing service, but this is more complicated.
 3. Build the signed source package.
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@ -33,10 +33,7 @@ locale.setlocale(locale.LC_CTYPE, "C.UTF-8")
 class Gencontrol(Base):
    disable_signed: bool
    env_flags = [
        ('DEBIAN_KERNEL_DISABLE_SIGNED', 'disable_signed', 'signed code'),
    ]
    def __init__(
@ -187,34 +184,6 @@ class Gencontrol(Base):
    ) -> None:
        arch = config.name
        if not self.disable_signed:
            build_signed = config.build.enable_signed
        else:
            build_signed = False
        if build_signed:
            # Make sure variables remain
            vars['signedtemplate_binaryversion'] = '@signedtemplate_binaryversion@'
            vars['signedtemplate_sourceversion'] = '@signedtemplate_sourceversion@'
            self.bundle.add('signed-template', (arch,), makeflags, vars, arch=arch)
            bundle_signed = self.bundles[f'signed-{arch}'] = \
                PackagesBundle(f'signed-{arch}', 'signed.source.control', vars, self.templates)
            with bundle_signed.open('source/lintian-overrides', 'w') as f:
                f.write(self.substitute(
                    self.templates.get('signed.source.lintian-overrides'), vars))
            with bundle_signed.open('changelog.head', 'w') as f:
                dist = self.changelog[0].distribution
                urgency = self.changelog[0].urgency
                f.write(f'''\
 linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={urgency}
  * Sign kernel from {self.changelog[0].source} @signedtemplate_binaryversion@
 ''')
        if config.packages.source and list(config.featuresets):
            self.bundle.add('config', (arch, ), makeflags, vars)
@ -329,31 +298,11 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
        packages_own = []
        if not self.disable_signed:
            build_signed = config.build.enable_signed
        else:
            build_signed = False
        if build_signed:
            bundle_signed = self.bundles[f'signed-{arch}']
        else:
            bundle_signed = self.bundle
        vars.setdefault('desc', '')
-        if build_signed:
+        packages_image = (
-            packages_image_unsigned = (
+            self.bundle.add('image', ruleid, makeflags, vars, arch=arch)
-                self.bundle.add('image-unsigned', ruleid, makeflags, vars, arch=arch)
+        )
            )
            packages_image = packages_image_unsigned[:]
            packages_image.extend(
                bundle_signed.add('signed.image', ruleid, makeflags, vars, arch=arch)
            )
        else:
            packages_image = packages_image_unsigned = (
                bundle_signed.add('image', ruleid, makeflags, vars, arch=arch)
            )
        for field in ('Depends', 'Provides', 'Suggests', 'Recommends',
                      'Conflicts', 'Breaks'):
@ -387,19 +336,13 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
        packages_own.extend(packages_image)
        packages_own.extend(packages_headers)
        # The image meta-packages will depend on signed linux-image
        # packages where applicable, so should be built from the
        # signed source packages The header meta-packages will also be
        # built along with the signed packages, to create a dependency
        # relationship that ensures src:linux and src:linux-signed-*
        # transition to testing together.
        if do_meta:
            packages_meta = (
-                bundle_signed.add('image.meta', ruleid, makeflags, vars, arch=arch)
+                self.bundle.add('image.meta', ruleid, makeflags, vars, arch=arch)
            )
            assert len(packages_meta) == 1
            packages_meta += (
-                bundle_signed.add(build_signed and 'signed.headers.meta' or 'headers.meta',
+                self.bundle.add('headers.meta',
                                  ruleid, makeflags, vars, arch=arch)
            )
            assert len(packages_meta) == 2
@ -503,31 +446,6 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
    def write(self) -> None:
        super().write()
        self.write_signed()
    def write_signed(self) -> None:
        for bundle in self.bundles.values():
            pkg_sign_entries = {}
            for p in bundle.packages.values():
                if not isinstance(p, BinaryPackage):
                    continue
                if pkg_sign_pkg := p.meta_sign_package:
                    pkg_sign_entries[pkg_sign_pkg] = {
                        'trusted_certs': [],
                        'files': [
                            {
                                'sig_type': e.split(':', 1)[-1],
                                'file': e.split(':', 1)[0],
                            }
                            for e in p.meta_sign_files
                        ],
                    }
            if pkg_sign_entries:
                with bundle.path('files.json').open('w') as f:
                    json.dump({'packages': pkg_sign_entries}, f, indent=2)
 if __name__ == '__main__':
--- a/debian/config/amd64/defines.toml
+++ b/debian/config/amd64/defines.toml
@ -20,7 +20,6 @@ hardware_long = 'cloud platforms including Amazon EC2, Microsoft Azure, and Goog
 name = 'none'
 [build]
 enable_signed = true
 enable_vdso = true
 kernel_file = 'arch/x86/boot/bzImage'
 kernel_stem = 'vmlinuz'
--- a/debian/config/arm64/defines.toml
+++ b/debian/config/arm64/defines.toml
@ -27,7 +27,6 @@ name = 'none'
 [build]
 compiler_gnutype_compat = 'arm-linux-gnueabihf'
 enable_signed = true
 enable_vdso = true
 kernel_file = 'arch/arm64/boot/Image'
 kernel_stem = 'vmlinuz'
--- a/debian/lib/python/debian_linux/config_v2.py
+++ b/debian/lib/python/debian_linux/config_v2.py
@ -37,7 +37,6 @@ class ConfigBuild:
    compiler_gnutype_compat: Optional[str] = None
    config: list[Path] = dataclasses.field(default_factory=list)
    config_default: list[Path] = dataclasses.field(default_factory=list, repr=False)
    enable_signed: Optional[bool] = None
    enable_vdso: Optional[bool] = None
    kernel_file: Optional[str] = None
    kernel_stem: Optional[str] = None
--- a/debian/lib/python/debian_linux/debian.py
+++ b/debian/lib/python/debian_linux/debian.py
@ -686,14 +686,3 @@ class BinaryPackage(_BasePackage):
        default=None,
        deb822_dump=None,
    )
    meta_sign_package: Optional[str] = field_deb822(
        'Meta-Sign-Package',
        default=None,
        deb822_dump=None,
    )
    meta_sign_files: list[str] = field_deb822(
        'Meta-Sign-Files',
        default_factory=list,
        deb822_load=lambda v: v.split(),
        deb822_dump=None,
    )
--- a/debian/rules.real
+++ b/debian/rules.real
@ -481,36 +481,6 @@ endif
 	ln -s ../../../boot/vmlinux-$(REAL_VERSION) $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vmlinux
 	$(dh_binary_post)
 build_signed-template:
 binary_signed-template: GEN_DIR = debian/generated.signed-$(ARCH)
 binary_signed-template: CODE_SIGNING_DIR = $(DESTDIR)/usr/share/code-signing/$(PACKAGE_NAME)
 binary_signed-template: DEBIAN_DIR = $(CODE_SIGNING_DIR)/source-template/debian
 binary_signed-template: VERSION_TEMPLATE = $(shell echo $(DEB_VERSION) | sed -Ee 's/\+b(\d+)$$/.b\1/' -e 's/-/+/g')
 binary_signed-template:
 	$(dh_binary_pre)
 	rm -rf $(CODE_SIGNING_DIR)
 	mkdir -p $(DEBIAN_DIR)/source
 	for i in $$(find $(GEN_DIR) -type f -printf '%P\n'); do \
 		sed -E \
 			-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
 			-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
 			$(GEN_DIR)/$$i > $(DEBIAN_DIR)/$$i; \
 	done
 	for i in $$(find debian/signing_templates -type f -printf '%P\n'); do \
 		sed -E \
 			-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
 			-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
 			debian/signing_templates/$$i > $(DEBIAN_DIR)/$$i; \
 	done
 	mv $(DEBIAN_DIR)/changelog.head $(DEBIAN_DIR)/changelog
 	tail +2 debian/changelog >> $(DEBIAN_DIR)/changelog
 	mv $(DEBIAN_DIR)/files.json $(CODE_SIGNING_DIR)/
 	chmod 755 $(DEBIAN_DIR)/rules
 	cp -R	debian/copyright \
 		$(CODE_SIGNING_DIR)/source-template/debian/
 	$(dh_binary_post)
 build_source:
 binary_source: BUILDDEB_ARGS = -Zxz -z0
--- a/debian/signing_templates/README.source
+++ b/debian/signing_templates/README.source
@ -1,4 +0,0 @@
 This source package is generated by the Debian signing service from a
 template built by the linux package.  It should never be updated directly.
 -- Ben Hutchings <ben@decadent.org.uk>  Fri, 06 Apr 2018 10:23:29 +0100
--- a/debian/signing_templates/rules
+++ b/debian/signing_templates/rules
@ -1,24 +0,0 @@
 #!/usr/bin/make -f
 include /usr/share/dpkg/architecture.mk
 SHELL := sh -e
 include debian/rules.defs
 build: build-arch build-indep
 build-arch:
 build-indep:
 clean:
 	dh_testdir
 	rm -rf $(BUILD_DIR) $(STAMPS_DIR)
 	dh_clean
 binary: binary-arch binary-indep
 binary-arch: debian/control
 	dh_testdir
 	$(MAKE) -f debian/rules.gen binary-arch_$(DEB_HOST_ARCH)
 binary-indep:
 .PHONY: build build-arch build-indep clean binary binary-arch binary-indep
--- a/debian/signing_templates/rules.defs
+++ b/debian/signing_templates/rules.defs
@ -1,2 +0,0 @@
 BUILD_DIR = debian/build
 STAMPS_DIR = debian/stamps
--- a/debian/signing_templates/rules.real
+++ b/debian/signing_templates/rules.real
@ -1,108 +0,0 @@
 include /usr/share/dpkg/default.mk
 SHELL := bash -e
 include debian/rules.defs
 export DH_OPTIONS
 export DEB_RULES_REQUIRES_ROOT ?= no
 GENCONTROL_ARGS := -v@signedtemplate_binaryversion@
 BUILDDEB_ARGS := -Zxz $(if $(filter pkg.linux.quick,$(DEB_BUILD_PROFILES)),-z0)
 stamp = [ -d $(dir $@) ] || mkdir $(dir $@); touch $@
 define dh_binary_pre
 	dh_testroot
 	dh_prep
 	dh_installdirs
 endef
 define dh_binary_post
 	dh_install $(DH_INSTALL_ARGS)
 	# Workaround #1068189. By Debian policy and aligned debhelper behaviour /usr/share/doc/package
 	# is permitted to be a symbolic link to another directory in /usr/share/doc only if the two
 	# packages come from the same source package. The package build will fail with the new debhelper
 	# version since debhelper/13.15. As the linux-signed-* packages are quite special in the eco-
 	# system, make the workaround to fallback to the old behaviour until it is agreed on how to
 	# resolve the situation policy conformant.
 	# https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information
 	$(if $(INSTALLDOCS_LINK_DOC),
 		mkdir -p debian/$(PACKAGE_NAME)/usr/share/doc && ln -sf $(INSTALLDOCS_LINK_DOC) debian/$(PACKAGE_NAME)/usr/share/doc/$(PACKAGE_NAME),
 		dh_installdocs)
 	dh_installchangelogs
 	dh_installexamples
 	dh_installman
 	dh_installudev
 	dh_bugfiles
 	dh_ucf
 	dh_lintian
 	dh_icons
 	dh_link
 	dh_compress
 	dh_fixperms
 	dh_missing
 	dh_strip $(DH_STRIP_ARGS) -Xvmlinux -Xvmlinuz
 	dh_makeshlibs -Xvmlinux -Xvmlinuz
 	dh_shlibdeps $(DH_SHLIBDEPS_ARGS)
 	dh_installdeb
 	if command -v dh_movetousr >/dev/null; then dh_movetousr; fi
 	dh_gencontrol -- $(GENCONTROL_ARGS)
 	dh_md5sums
 	dh_builddeb -- $(BUILDDEB_ARGS)
 endef
 build-indep:
 $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): REAL_VERSION = $(ABINAME)$(LOCALVERSION)
 $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
 $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): SIGNATURE_DIR = debian/signatures/$(IMAGE_PACKAGE_NAME)
 $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): INSTALL_DIR=$(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
 $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR):
 	mkdir -p $(INSTALL_DIR)/boot
 	rsync -a $(patsubst %,/boot/%-$(REAL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
 		$(INSTALL_DIR)/boot/
 	sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(REAL_VERSION).sig \
 		$(INSTALL_DIR)/boot/vmlinuz-$(REAL_VERSION)
 	mkdir -p $(INSTALL_DIR)/lib/modules/$(REAL_VERSION)
 	rsync -a $(addprefix /lib/modules/$(REAL_VERSION)/,kernel modules.builtin modules.builtin.modinfo modules.order) \
 		$(INSTALL_DIR)/lib/modules/$(REAL_VERSION)/
 # Copy any device tree files
 	if [ -d /usr/lib/linux-image-$(REAL_VERSION) ]; then \
 		mkdir -p $(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION); \
 		rsync -a /usr/lib/linux-image-$(REAL_VERSION)/ \
 			$(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION)/; \
 	fi
 	$(stamp)
 build_image:
 binary_image: DH_OPTIONS = -p$(PACKAGE_NAME)
 binary_image: DH_STRIP_ARGS = --no-automatic-dbgsym
 binary_image: REAL_VERSION = $(ABINAME)$(LOCALVERSION)
 binary_image: IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
 binary_image: DIR2 = $(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
 binary_image: PACKAGE_DIR = debian/$(PACKAGE_NAME)
 binary_image: $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
 binary_image:
 	$(dh_binary_pre)
 	dh_install --sourcedir=$(DIR2) boot
 	dh_install --sourcedir=$(DIR2) lib
 	if [ -d $(DIR2)/usr ]; then dh_install --sourcedir=$(DIR2) usr; fi
 # Copy bug scripts but change the info file to refer to the right package
 	mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)
 	rsync -a /usr/share/bug/$(IMAGE_PACKAGE_NAME)/ \
 		$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/
 	sed -i -e 's/^PACKAGE_NAME=.*/PACKAGE_NAME=$(PACKAGE_NAME)/' \
 		-e 's/^PACKAGE_VERSION=.*/PACKAGE_VERSION=$(PACKAGE_VERSION)/' \
 		$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/info
 	$(dh_binary_post)
 build_meta:
 binary_meta:
 	$(dh_binary_pre)
 	$(dh_binary_post)
 .PHONY: build_% binary_%
--- a/debian/signing_templates/source/format
+++ b/debian/signing_templates/source/format
@ -1 +0,0 @@
 3.0 (native)
--- a/debian/templates/config.control.in
+++ b/debian/templates/config.control.in
@ -6,8 +6,7 @@ Multi-Arch: same
 Depends: ${misc:Depends}
 Recommends: @source_basename@-source-@version@
 Description: Debian kernel configurations for Linux @version@
- This package contains the configuration files used to build the
+ This package contains the configuration files used to build kernel
- official Debian kernel files, but without references to Debian's
+ files.
 signing certificates.
 .
 These can be used as a basis for configuring custom kernels.
--- a/debian/templates/headers.control.in
+++ b/debian/templates/headers.control.in
@ -3,7 +3,7 @@ Meta-Rules-Target: headers
 Build-Profiles: <!pkg.linux.nokernel>
 Depends:
 linux-headers-@abiname@-common@localversion_headers@ (= ${source:Version}),
- linux-image-@abiname@@localversion@ (= ${binary:Version}) | linux-image-@abiname@@localversion@-unsigned (= ${binary:Version}),
+ linux-image-@abiname@@localversion@ (= ${binary:Version}),
 linux-kbuild-@abiname@,
 ${misc:Depends}
 Description: Header files for Linux @abiname@@localversion@
--- a/debian/templates/image-unsigned.NEWS.j2
+++ b/debian/templates/image-unsigned.NEWS.j2
@ -1 +0,0 @@
 image.NEWS.j2
--- a/debian/templates/image-unsigned.control.in
+++ b/debian/templates/image-unsigned.control.in
@ -1,11 +0,0 @@
 Package: linux-image-@abiname@@localversion@-unsigned
 Meta-Rules-Target: image
 Build-Profiles: <!pkg.linux.nokernel>
 Build-Depends:
 kmod,
 Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
 Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
 Conflicts: linux-image-@abiname@@localversion@
 Replaces: linux-image-@abiname@@localversion@
 Description: Linux @upstreamversion@ for @class@
 The Linux kernel @upstreamversion@ and modules for use on @longclass@.
--- a/debian/templates/image-unsigned.lintian-overrides.j2
+++ b/debian/templates/image-unsigned.lintian-overrides.j2
@ -1 +0,0 @@
 image.lintian-overrides.j2
--- a/debian/templates/image-unsigned.postinst.in
+++ b/debian/templates/image-unsigned.postinst.in
@ -1 +0,0 @@
 image.postinst.in
--- a/debian/templates/image-unsigned.postrm.in
+++ b/debian/templates/image-unsigned.postrm.in
@ -1 +0,0 @@
 image.postrm.in
--- a/debian/templates/image-unsigned.preinst.in
+++ b/debian/templates/image-unsigned.preinst.in
@ -1 +0,0 @@
 image.preinst.in
--- a/debian/templates/image-unsigned.prerm.in
+++ b/debian/templates/image-unsigned.prerm.in
@ -1 +0,0 @@
 image.prerm.in
--- a/debian/templates/signed-template.control.in
+++ b/debian/templates/signed-template.control.in
@ -1,7 +0,0 @@
 Package: linux-image@source_suffix@-@arch@-signed-template
 Meta-Rules-Target: signed-template
 Build-Profiles: <!pkg.linux.nokernel>
 Depends: dpkg-dev, python3:any, ${misc:Depends}
 Description: Template for signed linux-image packages for @arch@
 This package is used to control code signing by the Debian signing
 service.
--- a/debian/templates/signed-template.lintian-overrides.in
+++ b/debian/templates/signed-template.lintian-overrides.in
@ -1 +0,0 @@
 linux-image@source_suffix@-@arch@-signed-template: script-not-executable
--- a/debian/templates/signed.headers.meta.control.in
+++ b/debian/templates/signed.headers.meta.control.in
@ -1 +0,0 @@
 headers.meta.control.in
--- a/debian/templates/signed.headers.meta.lintian-overrides.in
+++ b/debian/templates/signed.headers.meta.lintian-overrides.in
@ -1,3 +0,0 @@
 # linux-signed-* source packages are generated by the linux source
 # package, so it is OK for their binaries to share documentation
@package@: usr-share-doc-symlink-to-foreign-package linux-headers-@abiname@@localversion@
--- a/debian/templates/signed.headers.meta.maintscript.in
+++ b/debian/templates/signed.headers.meta.maintscript.in
@ -1 +0,0 @@
 headers.meta.maintscript.in
--- a/debian/templates/signed.image.NEWS.j2
+++ b/debian/templates/signed.image.NEWS.j2
@ -1 +0,0 @@
 image.NEWS.j2
--- a/debian/templates/signed.image.control.in
+++ b/debian/templates/signed.image.control.in
@ -1,19 +0,0 @@
 Package: linux-image-@abiname@@localversion@
 Meta-Rules-Target: image
 Meta-Sign-Package: linux-image-@abiname@@localversion@-unsigned
 Meta-Sign-Files: boot/@image-stem@-@abiname@@localversion@:efi
 Build-Profiles: <!pkg.linux.nokernel>
 Build-Depends:
 linux-image-@abiname@@localversion@-unsigned (= @signedtemplate_binaryversion@),
 kmod,
 # Used by debian/signing_templates/rules.real
 rsync,
 Built-Using: @source_basename@@source_suffix@ (= @version_complete@)
 Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
 Conflicts: linux-image-@abiname@@localversion@-unsigned
 Replaces: linux-image-@abiname@@localversion@-unsigned
 Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
 Description: Linux @upstreamversion@ for @class@ (signed)
 The Linux kernel @upstreamversion@ and modules for use on @longclass@.
 .
 The kernel image is signed for use with Secure Boot.
--- a/debian/templates/signed.image.postinst.in
+++ b/debian/templates/signed.image.postinst.in
@ -1 +0,0 @@
 image.postinst.in
--- a/debian/templates/signed.image.postrm.in
+++ b/debian/templates/signed.image.postrm.in
@ -1 +0,0 @@
 image.postrm.in
--- a/debian/templates/signed.image.preinst.in
+++ b/debian/templates/signed.image.preinst.in
@ -1 +0,0 @@
 image.preinst.in
--- a/debian/templates/signed.image.prerm.in
+++ b/debian/templates/signed.image.prerm.in
@ -1 +0,0 @@
 image.prerm.in
--- a/debian/templates/signed.source.control.in
+++ b/debian/templates/signed.source.control.in
@ -1,14 +0,0 @@
 Source: linux-signed@source_suffix@-@arch@
 Section: kernel
 Priority: optional
 Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
 Uploaders: Bastian Blank <waldi@debian.org>, maximilian attems <maks@debian.org>, Ben Hutchings <benh@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
 Standards-Version: 4.2.0
 Build-Depends:
 debhelper-compat (= 13),
 python3:any,
 sbsigntool [amd64 arm64],
 Rules-Requires-Root: no
 Vcs-Git: https://salsa.debian.org/kernel-team/linux.git
 Vcs-Browser: https://salsa.debian.org/kernel-team/linux
 Homepage: https://www.kernel.org/
--- a/debian/templates/signed.source.lintian-overrides.in
+++ b/debian/templates/signed.source.lintian-overrides.in
@ -1,7 +0,0 @@
 # linux-signed-* source packages are generated by the linux source
 # package, and produce binaries with the same versions, even in case
 # of a binNMU of linux
 linux-signed-@arch@ source: version-substvar-for-external-package Depends *${binary:Version} linux-headers-* -> linux-headers-*
 # The changelog is mostly copied from linux which is non-native
 linux-signed-@arch@ source: odd-historical-debian-changelog-version * (for native)*
		`@ -1,2 +0,0 @@`
			`BUILD_DIR = debian/build`
			`STAMPS_DIR = debian/stamps`
		`@ -1 +0,0 @@`
			`linux-image@source_suffix@-@arch@-signed-template: script-not-executable`