drop signing
This commit is contained in:
parent
3a08f39a8b
commit
f63f36de4f
1
debian/.gitignore
vendored
1
debian/.gitignore
vendored
@ -10,7 +10,6 @@
|
|||||||
!/lib/
|
!/lib/
|
||||||
!/patches*/
|
!/patches*/
|
||||||
!/rules.d/
|
!/rules.d/
|
||||||
!/signing_templates/
|
|
||||||
!/source/
|
!/source/
|
||||||
!/templates/
|
!/templates/
|
||||||
!/upstream/
|
!/upstream/
|
||||||
|
27
debian/README.source
vendored
27
debian/README.source
vendored
@ -267,30 +267,3 @@ linux-source-<version> binary package. Currently kernel builds use
|
|||||||
debian/build/build_<arch>_<featureset>_<flavour>, userland code uses
|
debian/build/build_<arch>_<featureset>_<flavour>, userland code uses
|
||||||
debian/build/build-tools/<source-dir> and documentation uses
|
debian/build/build-tools/<source-dir> and documentation uses
|
||||||
debian/build/build-doc.
|
debian/build/build-doc.
|
||||||
|
|
||||||
Code signing
|
|
||||||
============
|
|
||||||
|
|
||||||
The kernel image and modules may be signed after building, to support
|
|
||||||
a Secure Boot or Trusted Boot policy. In Debian, this is performed by
|
|
||||||
a "code signing service" that is separate from the normal package
|
|
||||||
build process.
|
|
||||||
|
|
||||||
The initial package build generates binary packages named
|
|
||||||
linux-image-<arch>-signed-template, that contain a source package
|
|
||||||
template and metadata about the files to be signed. The code signing
|
|
||||||
service will download this and the linux-image packages to be signed.
|
|
||||||
It will add detached signatures to the source package, then upload it
|
|
||||||
(without ever running debian/rules).
|
|
||||||
|
|
||||||
The source package template is generated by
|
|
||||||
debian/bin/gencontrol_signed.py and debian/rules.real with files from
|
|
||||||
debian/signing_templates and debian/templates. To test changes to
|
|
||||||
these:
|
|
||||||
|
|
||||||
1. Build the linux source package.
|
|
||||||
2. Generate the signed source package by running the script
|
|
||||||
"debian-test-sign" from the kernel-team.git repository. It is
|
|
||||||
also possible to set up a development configuration of the
|
|
||||||
official code signing service, but this is more complicated.
|
|
||||||
3. Build the signed source package.
|
|
||||||
|
92
debian/bin/gencontrol.py
vendored
92
debian/bin/gencontrol.py
vendored
@ -33,10 +33,7 @@ locale.setlocale(locale.LC_CTYPE, "C.UTF-8")
|
|||||||
|
|
||||||
|
|
||||||
class Gencontrol(Base):
|
class Gencontrol(Base):
|
||||||
disable_signed: bool
|
|
||||||
|
|
||||||
env_flags = [
|
env_flags = [
|
||||||
('DEBIAN_KERNEL_DISABLE_SIGNED', 'disable_signed', 'signed code'),
|
|
||||||
]
|
]
|
||||||
|
|
||||||
def __init__(
|
def __init__(
|
||||||
@ -187,34 +184,6 @@ class Gencontrol(Base):
|
|||||||
) -> None:
|
) -> None:
|
||||||
arch = config.name
|
arch = config.name
|
||||||
|
|
||||||
if not self.disable_signed:
|
|
||||||
build_signed = config.build.enable_signed
|
|
||||||
else:
|
|
||||||
build_signed = False
|
|
||||||
|
|
||||||
if build_signed:
|
|
||||||
# Make sure variables remain
|
|
||||||
vars['signedtemplate_binaryversion'] = '@signedtemplate_binaryversion@'
|
|
||||||
vars['signedtemplate_sourceversion'] = '@signedtemplate_sourceversion@'
|
|
||||||
|
|
||||||
self.bundle.add('signed-template', (arch,), makeflags, vars, arch=arch)
|
|
||||||
|
|
||||||
bundle_signed = self.bundles[f'signed-{arch}'] = \
|
|
||||||
PackagesBundle(f'signed-{arch}', 'signed.source.control', vars, self.templates)
|
|
||||||
|
|
||||||
with bundle_signed.open('source/lintian-overrides', 'w') as f:
|
|
||||||
f.write(self.substitute(
|
|
||||||
self.templates.get('signed.source.lintian-overrides'), vars))
|
|
||||||
|
|
||||||
with bundle_signed.open('changelog.head', 'w') as f:
|
|
||||||
dist = self.changelog[0].distribution
|
|
||||||
urgency = self.changelog[0].urgency
|
|
||||||
f.write(f'''\
|
|
||||||
linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={urgency}
|
|
||||||
|
|
||||||
* Sign kernel from {self.changelog[0].source} @signedtemplate_binaryversion@
|
|
||||||
''')
|
|
||||||
|
|
||||||
if config.packages.source and list(config.featuresets):
|
if config.packages.source and list(config.featuresets):
|
||||||
self.bundle.add('config', (arch, ), makeflags, vars)
|
self.bundle.add('config', (arch, ), makeflags, vars)
|
||||||
|
|
||||||
@ -329,31 +298,11 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
|
|||||||
|
|
||||||
packages_own = []
|
packages_own = []
|
||||||
|
|
||||||
if not self.disable_signed:
|
|
||||||
build_signed = config.build.enable_signed
|
|
||||||
else:
|
|
||||||
build_signed = False
|
|
||||||
|
|
||||||
if build_signed:
|
|
||||||
bundle_signed = self.bundles[f'signed-{arch}']
|
|
||||||
else:
|
|
||||||
bundle_signed = self.bundle
|
|
||||||
|
|
||||||
vars.setdefault('desc', '')
|
vars.setdefault('desc', '')
|
||||||
|
|
||||||
if build_signed:
|
packages_image = (
|
||||||
packages_image_unsigned = (
|
self.bundle.add('image', ruleid, makeflags, vars, arch=arch)
|
||||||
self.bundle.add('image-unsigned', ruleid, makeflags, vars, arch=arch)
|
)
|
||||||
)
|
|
||||||
packages_image = packages_image_unsigned[:]
|
|
||||||
packages_image.extend(
|
|
||||||
bundle_signed.add('signed.image', ruleid, makeflags, vars, arch=arch)
|
|
||||||
)
|
|
||||||
|
|
||||||
else:
|
|
||||||
packages_image = packages_image_unsigned = (
|
|
||||||
bundle_signed.add('image', ruleid, makeflags, vars, arch=arch)
|
|
||||||
)
|
|
||||||
|
|
||||||
for field in ('Depends', 'Provides', 'Suggests', 'Recommends',
|
for field in ('Depends', 'Provides', 'Suggests', 'Recommends',
|
||||||
'Conflicts', 'Breaks'):
|
'Conflicts', 'Breaks'):
|
||||||
@ -387,19 +336,13 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
|
|||||||
packages_own.extend(packages_image)
|
packages_own.extend(packages_image)
|
||||||
packages_own.extend(packages_headers)
|
packages_own.extend(packages_headers)
|
||||||
|
|
||||||
# The image meta-packages will depend on signed linux-image
|
|
||||||
# packages where applicable, so should be built from the
|
|
||||||
# signed source packages The header meta-packages will also be
|
|
||||||
# built along with the signed packages, to create a dependency
|
|
||||||
# relationship that ensures src:linux and src:linux-signed-*
|
|
||||||
# transition to testing together.
|
|
||||||
if do_meta:
|
if do_meta:
|
||||||
packages_meta = (
|
packages_meta = (
|
||||||
bundle_signed.add('image.meta', ruleid, makeflags, vars, arch=arch)
|
self.bundle.add('image.meta', ruleid, makeflags, vars, arch=arch)
|
||||||
)
|
)
|
||||||
assert len(packages_meta) == 1
|
assert len(packages_meta) == 1
|
||||||
packages_meta += (
|
packages_meta += (
|
||||||
bundle_signed.add(build_signed and 'signed.headers.meta' or 'headers.meta',
|
self.bundle.add('headers.meta',
|
||||||
ruleid, makeflags, vars, arch=arch)
|
ruleid, makeflags, vars, arch=arch)
|
||||||
)
|
)
|
||||||
assert len(packages_meta) == 2
|
assert len(packages_meta) == 2
|
||||||
@ -503,31 +446,6 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
|
|||||||
|
|
||||||
def write(self) -> None:
|
def write(self) -> None:
|
||||||
super().write()
|
super().write()
|
||||||
self.write_signed()
|
|
||||||
|
|
||||||
def write_signed(self) -> None:
|
|
||||||
for bundle in self.bundles.values():
|
|
||||||
pkg_sign_entries = {}
|
|
||||||
|
|
||||||
for p in bundle.packages.values():
|
|
||||||
if not isinstance(p, BinaryPackage):
|
|
||||||
continue
|
|
||||||
|
|
||||||
if pkg_sign_pkg := p.meta_sign_package:
|
|
||||||
pkg_sign_entries[pkg_sign_pkg] = {
|
|
||||||
'trusted_certs': [],
|
|
||||||
'files': [
|
|
||||||
{
|
|
||||||
'sig_type': e.split(':', 1)[-1],
|
|
||||||
'file': e.split(':', 1)[0],
|
|
||||||
}
|
|
||||||
for e in p.meta_sign_files
|
|
||||||
],
|
|
||||||
}
|
|
||||||
|
|
||||||
if pkg_sign_entries:
|
|
||||||
with bundle.path('files.json').open('w') as f:
|
|
||||||
json.dump({'packages': pkg_sign_entries}, f, indent=2)
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
|
1
debian/config/amd64/defines.toml
vendored
1
debian/config/amd64/defines.toml
vendored
@ -20,7 +20,6 @@ hardware_long = 'cloud platforms including Amazon EC2, Microsoft Azure, and Goog
|
|||||||
name = 'none'
|
name = 'none'
|
||||||
|
|
||||||
[build]
|
[build]
|
||||||
enable_signed = true
|
|
||||||
enable_vdso = true
|
enable_vdso = true
|
||||||
kernel_file = 'arch/x86/boot/bzImage'
|
kernel_file = 'arch/x86/boot/bzImage'
|
||||||
kernel_stem = 'vmlinuz'
|
kernel_stem = 'vmlinuz'
|
||||||
|
1
debian/config/arm64/defines.toml
vendored
1
debian/config/arm64/defines.toml
vendored
@ -27,7 +27,6 @@ name = 'none'
|
|||||||
|
|
||||||
[build]
|
[build]
|
||||||
compiler_gnutype_compat = 'arm-linux-gnueabihf'
|
compiler_gnutype_compat = 'arm-linux-gnueabihf'
|
||||||
enable_signed = true
|
|
||||||
enable_vdso = true
|
enable_vdso = true
|
||||||
kernel_file = 'arch/arm64/boot/Image'
|
kernel_file = 'arch/arm64/boot/Image'
|
||||||
kernel_stem = 'vmlinuz'
|
kernel_stem = 'vmlinuz'
|
||||||
|
1
debian/lib/python/debian_linux/config_v2.py
vendored
1
debian/lib/python/debian_linux/config_v2.py
vendored
@ -37,7 +37,6 @@ class ConfigBuild:
|
|||||||
compiler_gnutype_compat: Optional[str] = None
|
compiler_gnutype_compat: Optional[str] = None
|
||||||
config: list[Path] = dataclasses.field(default_factory=list)
|
config: list[Path] = dataclasses.field(default_factory=list)
|
||||||
config_default: list[Path] = dataclasses.field(default_factory=list, repr=False)
|
config_default: list[Path] = dataclasses.field(default_factory=list, repr=False)
|
||||||
enable_signed: Optional[bool] = None
|
|
||||||
enable_vdso: Optional[bool] = None
|
enable_vdso: Optional[bool] = None
|
||||||
kernel_file: Optional[str] = None
|
kernel_file: Optional[str] = None
|
||||||
kernel_stem: Optional[str] = None
|
kernel_stem: Optional[str] = None
|
||||||
|
11
debian/lib/python/debian_linux/debian.py
vendored
11
debian/lib/python/debian_linux/debian.py
vendored
@ -686,14 +686,3 @@ class BinaryPackage(_BasePackage):
|
|||||||
default=None,
|
default=None,
|
||||||
deb822_dump=None,
|
deb822_dump=None,
|
||||||
)
|
)
|
||||||
meta_sign_package: Optional[str] = field_deb822(
|
|
||||||
'Meta-Sign-Package',
|
|
||||||
default=None,
|
|
||||||
deb822_dump=None,
|
|
||||||
)
|
|
||||||
meta_sign_files: list[str] = field_deb822(
|
|
||||||
'Meta-Sign-Files',
|
|
||||||
default_factory=list,
|
|
||||||
deb822_load=lambda v: v.split(),
|
|
||||||
deb822_dump=None,
|
|
||||||
)
|
|
||||||
|
30
debian/rules.real
vendored
30
debian/rules.real
vendored
@ -481,36 +481,6 @@ endif
|
|||||||
ln -s ../../../boot/vmlinux-$(REAL_VERSION) $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vmlinux
|
ln -s ../../../boot/vmlinux-$(REAL_VERSION) $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vmlinux
|
||||||
$(dh_binary_post)
|
$(dh_binary_post)
|
||||||
|
|
||||||
build_signed-template:
|
|
||||||
|
|
||||||
binary_signed-template: GEN_DIR = debian/generated.signed-$(ARCH)
|
|
||||||
binary_signed-template: CODE_SIGNING_DIR = $(DESTDIR)/usr/share/code-signing/$(PACKAGE_NAME)
|
|
||||||
binary_signed-template: DEBIAN_DIR = $(CODE_SIGNING_DIR)/source-template/debian
|
|
||||||
binary_signed-template: VERSION_TEMPLATE = $(shell echo $(DEB_VERSION) | sed -Ee 's/\+b(\d+)$$/.b\1/' -e 's/-/+/g')
|
|
||||||
binary_signed-template:
|
|
||||||
$(dh_binary_pre)
|
|
||||||
rm -rf $(CODE_SIGNING_DIR)
|
|
||||||
mkdir -p $(DEBIAN_DIR)/source
|
|
||||||
for i in $$(find $(GEN_DIR) -type f -printf '%P\n'); do \
|
|
||||||
sed -E \
|
|
||||||
-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
|
|
||||||
-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
|
|
||||||
$(GEN_DIR)/$$i > $(DEBIAN_DIR)/$$i; \
|
|
||||||
done
|
|
||||||
for i in $$(find debian/signing_templates -type f -printf '%P\n'); do \
|
|
||||||
sed -E \
|
|
||||||
-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
|
|
||||||
-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
|
|
||||||
debian/signing_templates/$$i > $(DEBIAN_DIR)/$$i; \
|
|
||||||
done
|
|
||||||
mv $(DEBIAN_DIR)/changelog.head $(DEBIAN_DIR)/changelog
|
|
||||||
tail +2 debian/changelog >> $(DEBIAN_DIR)/changelog
|
|
||||||
mv $(DEBIAN_DIR)/files.json $(CODE_SIGNING_DIR)/
|
|
||||||
chmod 755 $(DEBIAN_DIR)/rules
|
|
||||||
cp -R debian/copyright \
|
|
||||||
$(CODE_SIGNING_DIR)/source-template/debian/
|
|
||||||
$(dh_binary_post)
|
|
||||||
|
|
||||||
build_source:
|
build_source:
|
||||||
|
|
||||||
binary_source: BUILDDEB_ARGS = -Zxz -z0
|
binary_source: BUILDDEB_ARGS = -Zxz -z0
|
||||||
|
4
debian/signing_templates/README.source
vendored
4
debian/signing_templates/README.source
vendored
@ -1,4 +0,0 @@
|
|||||||
This source package is generated by the Debian signing service from a
|
|
||||||
template built by the linux package. It should never be updated directly.
|
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Fri, 06 Apr 2018 10:23:29 +0100
|
|
24
debian/signing_templates/rules
vendored
24
debian/signing_templates/rules
vendored
@ -1,24 +0,0 @@
|
|||||||
#!/usr/bin/make -f
|
|
||||||
|
|
||||||
include /usr/share/dpkg/architecture.mk
|
|
||||||
|
|
||||||
SHELL := sh -e
|
|
||||||
|
|
||||||
include debian/rules.defs
|
|
||||||
|
|
||||||
build: build-arch build-indep
|
|
||||||
build-arch:
|
|
||||||
build-indep:
|
|
||||||
|
|
||||||
clean:
|
|
||||||
dh_testdir
|
|
||||||
rm -rf $(BUILD_DIR) $(STAMPS_DIR)
|
|
||||||
dh_clean
|
|
||||||
|
|
||||||
binary: binary-arch binary-indep
|
|
||||||
binary-arch: debian/control
|
|
||||||
dh_testdir
|
|
||||||
$(MAKE) -f debian/rules.gen binary-arch_$(DEB_HOST_ARCH)
|
|
||||||
binary-indep:
|
|
||||||
|
|
||||||
.PHONY: build build-arch build-indep clean binary binary-arch binary-indep
|
|
2
debian/signing_templates/rules.defs
vendored
2
debian/signing_templates/rules.defs
vendored
@ -1,2 +0,0 @@
|
|||||||
BUILD_DIR = debian/build
|
|
||||||
STAMPS_DIR = debian/stamps
|
|
108
debian/signing_templates/rules.real
vendored
108
debian/signing_templates/rules.real
vendored
@ -1,108 +0,0 @@
|
|||||||
include /usr/share/dpkg/default.mk
|
|
||||||
|
|
||||||
SHELL := bash -e
|
|
||||||
|
|
||||||
include debian/rules.defs
|
|
||||||
|
|
||||||
export DH_OPTIONS
|
|
||||||
|
|
||||||
export DEB_RULES_REQUIRES_ROOT ?= no
|
|
||||||
|
|
||||||
GENCONTROL_ARGS := -v@signedtemplate_binaryversion@
|
|
||||||
BUILDDEB_ARGS := -Zxz $(if $(filter pkg.linux.quick,$(DEB_BUILD_PROFILES)),-z0)
|
|
||||||
|
|
||||||
stamp = [ -d $(dir $@) ] || mkdir $(dir $@); touch $@
|
|
||||||
|
|
||||||
define dh_binary_pre
|
|
||||||
dh_testroot
|
|
||||||
dh_prep
|
|
||||||
dh_installdirs
|
|
||||||
endef
|
|
||||||
|
|
||||||
define dh_binary_post
|
|
||||||
dh_install $(DH_INSTALL_ARGS)
|
|
||||||
# Workaround #1068189. By Debian policy and aligned debhelper behaviour /usr/share/doc/package
|
|
||||||
# is permitted to be a symbolic link to another directory in /usr/share/doc only if the two
|
|
||||||
# packages come from the same source package. The package build will fail with the new debhelper
|
|
||||||
# version since debhelper/13.15. As the linux-signed-* packages are quite special in the eco-
|
|
||||||
# system, make the workaround to fallback to the old behaviour until it is agreed on how to
|
|
||||||
# resolve the situation policy conformant.
|
|
||||||
# https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information
|
|
||||||
$(if $(INSTALLDOCS_LINK_DOC),
|
|
||||||
mkdir -p debian/$(PACKAGE_NAME)/usr/share/doc && ln -sf $(INSTALLDOCS_LINK_DOC) debian/$(PACKAGE_NAME)/usr/share/doc/$(PACKAGE_NAME),
|
|
||||||
dh_installdocs)
|
|
||||||
dh_installchangelogs
|
|
||||||
dh_installexamples
|
|
||||||
dh_installman
|
|
||||||
dh_installudev
|
|
||||||
dh_bugfiles
|
|
||||||
dh_ucf
|
|
||||||
dh_lintian
|
|
||||||
dh_icons
|
|
||||||
dh_link
|
|
||||||
dh_compress
|
|
||||||
dh_fixperms
|
|
||||||
dh_missing
|
|
||||||
dh_strip $(DH_STRIP_ARGS) -Xvmlinux -Xvmlinuz
|
|
||||||
dh_makeshlibs -Xvmlinux -Xvmlinuz
|
|
||||||
dh_shlibdeps $(DH_SHLIBDEPS_ARGS)
|
|
||||||
dh_installdeb
|
|
||||||
if command -v dh_movetousr >/dev/null; then dh_movetousr; fi
|
|
||||||
dh_gencontrol -- $(GENCONTROL_ARGS)
|
|
||||||
dh_md5sums
|
|
||||||
dh_builddeb -- $(BUILDDEB_ARGS)
|
|
||||||
endef
|
|
||||||
|
|
||||||
build-indep:
|
|
||||||
|
|
||||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): REAL_VERSION = $(ABINAME)$(LOCALVERSION)
|
|
||||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
|
|
||||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): SIGNATURE_DIR = debian/signatures/$(IMAGE_PACKAGE_NAME)
|
|
||||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): INSTALL_DIR=$(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
|
|
||||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR):
|
|
||||||
mkdir -p $(INSTALL_DIR)/boot
|
|
||||||
rsync -a $(patsubst %,/boot/%-$(REAL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
|
|
||||||
$(INSTALL_DIR)/boot/
|
|
||||||
sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(REAL_VERSION).sig \
|
|
||||||
$(INSTALL_DIR)/boot/vmlinuz-$(REAL_VERSION)
|
|
||||||
mkdir -p $(INSTALL_DIR)/lib/modules/$(REAL_VERSION)
|
|
||||||
rsync -a $(addprefix /lib/modules/$(REAL_VERSION)/,kernel modules.builtin modules.builtin.modinfo modules.order) \
|
|
||||||
$(INSTALL_DIR)/lib/modules/$(REAL_VERSION)/
|
|
||||||
# Copy any device tree files
|
|
||||||
if [ -d /usr/lib/linux-image-$(REAL_VERSION) ]; then \
|
|
||||||
mkdir -p $(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION); \
|
|
||||||
rsync -a /usr/lib/linux-image-$(REAL_VERSION)/ \
|
|
||||||
$(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION)/; \
|
|
||||||
fi
|
|
||||||
$(stamp)
|
|
||||||
|
|
||||||
build_image:
|
|
||||||
|
|
||||||
binary_image: DH_OPTIONS = -p$(PACKAGE_NAME)
|
|
||||||
binary_image: DH_STRIP_ARGS = --no-automatic-dbgsym
|
|
||||||
binary_image: REAL_VERSION = $(ABINAME)$(LOCALVERSION)
|
|
||||||
binary_image: IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
|
|
||||||
binary_image: DIR2 = $(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
|
|
||||||
binary_image: PACKAGE_DIR = debian/$(PACKAGE_NAME)
|
|
||||||
binary_image: $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
|
|
||||||
binary_image:
|
|
||||||
$(dh_binary_pre)
|
|
||||||
dh_install --sourcedir=$(DIR2) boot
|
|
||||||
dh_install --sourcedir=$(DIR2) lib
|
|
||||||
if [ -d $(DIR2)/usr ]; then dh_install --sourcedir=$(DIR2) usr; fi
|
|
||||||
# Copy bug scripts but change the info file to refer to the right package
|
|
||||||
mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)
|
|
||||||
rsync -a /usr/share/bug/$(IMAGE_PACKAGE_NAME)/ \
|
|
||||||
$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/
|
|
||||||
sed -i -e 's/^PACKAGE_NAME=.*/PACKAGE_NAME=$(PACKAGE_NAME)/' \
|
|
||||||
-e 's/^PACKAGE_VERSION=.*/PACKAGE_VERSION=$(PACKAGE_VERSION)/' \
|
|
||||||
$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/info
|
|
||||||
$(dh_binary_post)
|
|
||||||
|
|
||||||
build_meta:
|
|
||||||
|
|
||||||
binary_meta:
|
|
||||||
$(dh_binary_pre)
|
|
||||||
$(dh_binary_post)
|
|
||||||
|
|
||||||
.PHONY: build_% binary_%
|
|
1
debian/signing_templates/source/format
vendored
1
debian/signing_templates/source/format
vendored
@ -1 +0,0 @@
|
|||||||
3.0 (native)
|
|
5
debian/templates/config.control.in
vendored
5
debian/templates/config.control.in
vendored
@ -6,8 +6,7 @@ Multi-Arch: same
|
|||||||
Depends: ${misc:Depends}
|
Depends: ${misc:Depends}
|
||||||
Recommends: @source_basename@-source-@version@
|
Recommends: @source_basename@-source-@version@
|
||||||
Description: Debian kernel configurations for Linux @version@
|
Description: Debian kernel configurations for Linux @version@
|
||||||
This package contains the configuration files used to build the
|
This package contains the configuration files used to build kernel
|
||||||
official Debian kernel files, but without references to Debian's
|
files.
|
||||||
signing certificates.
|
|
||||||
.
|
.
|
||||||
These can be used as a basis for configuring custom kernels.
|
These can be used as a basis for configuring custom kernels.
|
||||||
|
2
debian/templates/headers.control.in
vendored
2
debian/templates/headers.control.in
vendored
@ -3,7 +3,7 @@ Meta-Rules-Target: headers
|
|||||||
Build-Profiles: <!pkg.linux.nokernel>
|
Build-Profiles: <!pkg.linux.nokernel>
|
||||||
Depends:
|
Depends:
|
||||||
linux-headers-@abiname@-common@localversion_headers@ (= ${source:Version}),
|
linux-headers-@abiname@-common@localversion_headers@ (= ${source:Version}),
|
||||||
linux-image-@abiname@@localversion@ (= ${binary:Version}) | linux-image-@abiname@@localversion@-unsigned (= ${binary:Version}),
|
linux-image-@abiname@@localversion@ (= ${binary:Version}),
|
||||||
linux-kbuild-@abiname@,
|
linux-kbuild-@abiname@,
|
||||||
${misc:Depends}
|
${misc:Depends}
|
||||||
Description: Header files for Linux @abiname@@localversion@
|
Description: Header files for Linux @abiname@@localversion@
|
||||||
|
1
debian/templates/image-unsigned.NEWS.j2
vendored
1
debian/templates/image-unsigned.NEWS.j2
vendored
@ -1 +0,0 @@
|
|||||||
image.NEWS.j2
|
|
11
debian/templates/image-unsigned.control.in
vendored
11
debian/templates/image-unsigned.control.in
vendored
@ -1,11 +0,0 @@
|
|||||||
Package: linux-image-@abiname@@localversion@-unsigned
|
|
||||||
Meta-Rules-Target: image
|
|
||||||
Build-Profiles: <!pkg.linux.nokernel>
|
|
||||||
Build-Depends:
|
|
||||||
kmod,
|
|
||||||
Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
|
|
||||||
Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
|
|
||||||
Conflicts: linux-image-@abiname@@localversion@
|
|
||||||
Replaces: linux-image-@abiname@@localversion@
|
|
||||||
Description: Linux @upstreamversion@ for @class@
|
|
||||||
The Linux kernel @upstreamversion@ and modules for use on @longclass@.
|
|
@ -1 +0,0 @@
|
|||||||
image.lintian-overrides.j2
|
|
1
debian/templates/image-unsigned.postinst.in
vendored
1
debian/templates/image-unsigned.postinst.in
vendored
@ -1 +0,0 @@
|
|||||||
image.postinst.in
|
|
1
debian/templates/image-unsigned.postrm.in
vendored
1
debian/templates/image-unsigned.postrm.in
vendored
@ -1 +0,0 @@
|
|||||||
image.postrm.in
|
|
1
debian/templates/image-unsigned.preinst.in
vendored
1
debian/templates/image-unsigned.preinst.in
vendored
@ -1 +0,0 @@
|
|||||||
image.preinst.in
|
|
1
debian/templates/image-unsigned.prerm.in
vendored
1
debian/templates/image-unsigned.prerm.in
vendored
@ -1 +0,0 @@
|
|||||||
image.prerm.in
|
|
7
debian/templates/signed-template.control.in
vendored
7
debian/templates/signed-template.control.in
vendored
@ -1,7 +0,0 @@
|
|||||||
Package: linux-image@source_suffix@-@arch@-signed-template
|
|
||||||
Meta-Rules-Target: signed-template
|
|
||||||
Build-Profiles: <!pkg.linux.nokernel>
|
|
||||||
Depends: dpkg-dev, python3:any, ${misc:Depends}
|
|
||||||
Description: Template for signed linux-image packages for @arch@
|
|
||||||
This package is used to control code signing by the Debian signing
|
|
||||||
service.
|
|
@ -1 +0,0 @@
|
|||||||
linux-image@source_suffix@-@arch@-signed-template: script-not-executable
|
|
@ -1 +0,0 @@
|
|||||||
headers.meta.control.in
|
|
@ -1,3 +0,0 @@
|
|||||||
# linux-signed-* source packages are generated by the linux source
|
|
||||||
# package, so it is OK for their binaries to share documentation
|
|
||||||
@package@: usr-share-doc-symlink-to-foreign-package linux-headers-@abiname@@localversion@
|
|
@ -1 +0,0 @@
|
|||||||
headers.meta.maintscript.in
|
|
1
debian/templates/signed.image.NEWS.j2
vendored
1
debian/templates/signed.image.NEWS.j2
vendored
@ -1 +0,0 @@
|
|||||||
image.NEWS.j2
|
|
19
debian/templates/signed.image.control.in
vendored
19
debian/templates/signed.image.control.in
vendored
@ -1,19 +0,0 @@
|
|||||||
Package: linux-image-@abiname@@localversion@
|
|
||||||
Meta-Rules-Target: image
|
|
||||||
Meta-Sign-Package: linux-image-@abiname@@localversion@-unsigned
|
|
||||||
Meta-Sign-Files: boot/@image-stem@-@abiname@@localversion@:efi
|
|
||||||
Build-Profiles: <!pkg.linux.nokernel>
|
|
||||||
Build-Depends:
|
|
||||||
linux-image-@abiname@@localversion@-unsigned (= @signedtemplate_binaryversion@),
|
|
||||||
kmod,
|
|
||||||
# Used by debian/signing_templates/rules.real
|
|
||||||
rsync,
|
|
||||||
Built-Using: @source_basename@@source_suffix@ (= @version_complete@)
|
|
||||||
Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
|
|
||||||
Conflicts: linux-image-@abiname@@localversion@-unsigned
|
|
||||||
Replaces: linux-image-@abiname@@localversion@-unsigned
|
|
||||||
Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
|
|
||||||
Description: Linux @upstreamversion@ for @class@ (signed)
|
|
||||||
The Linux kernel @upstreamversion@ and modules for use on @longclass@.
|
|
||||||
.
|
|
||||||
The kernel image is signed for use with Secure Boot.
|
|
1
debian/templates/signed.image.postinst.in
vendored
1
debian/templates/signed.image.postinst.in
vendored
@ -1 +0,0 @@
|
|||||||
image.postinst.in
|
|
1
debian/templates/signed.image.postrm.in
vendored
1
debian/templates/signed.image.postrm.in
vendored
@ -1 +0,0 @@
|
|||||||
image.postrm.in
|
|
1
debian/templates/signed.image.preinst.in
vendored
1
debian/templates/signed.image.preinst.in
vendored
@ -1 +0,0 @@
|
|||||||
image.preinst.in
|
|
1
debian/templates/signed.image.prerm.in
vendored
1
debian/templates/signed.image.prerm.in
vendored
@ -1 +0,0 @@
|
|||||||
image.prerm.in
|
|
14
debian/templates/signed.source.control.in
vendored
14
debian/templates/signed.source.control.in
vendored
@ -1,14 +0,0 @@
|
|||||||
Source: linux-signed@source_suffix@-@arch@
|
|
||||||
Section: kernel
|
|
||||||
Priority: optional
|
|
||||||
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
|
|
||||||
Uploaders: Bastian Blank <waldi@debian.org>, maximilian attems <maks@debian.org>, Ben Hutchings <benh@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
|
|
||||||
Standards-Version: 4.2.0
|
|
||||||
Build-Depends:
|
|
||||||
debhelper-compat (= 13),
|
|
||||||
python3:any,
|
|
||||||
sbsigntool [amd64 arm64],
|
|
||||||
Rules-Requires-Root: no
|
|
||||||
Vcs-Git: https://salsa.debian.org/kernel-team/linux.git
|
|
||||||
Vcs-Browser: https://salsa.debian.org/kernel-team/linux
|
|
||||||
Homepage: https://www.kernel.org/
|
|
@ -1,7 +0,0 @@
|
|||||||
# linux-signed-* source packages are generated by the linux source
|
|
||||||
# package, and produce binaries with the same versions, even in case
|
|
||||||
# of a binNMU of linux
|
|
||||||
linux-signed-@arch@ source: version-substvar-for-external-package Depends *${binary:Version} linux-headers-* -> linux-headers-*
|
|
||||||
|
|
||||||
# The changelog is mostly copied from linux which is non-native
|
|
||||||
linux-signed-@arch@ source: odd-historical-debian-changelog-version * (for native)*
|
|
Loading…
Reference in New Issue
Block a user