drop signing
This commit is contained in:
parent
3a08f39a8b
commit
f63f36de4f
1
debian/.gitignore
vendored
1
debian/.gitignore
vendored
@ -10,7 +10,6 @@
|
||||
!/lib/
|
||||
!/patches*/
|
||||
!/rules.d/
|
||||
!/signing_templates/
|
||||
!/source/
|
||||
!/templates/
|
||||
!/upstream/
|
||||
|
27
debian/README.source
vendored
27
debian/README.source
vendored
@ -267,30 +267,3 @@ linux-source-<version> binary package. Currently kernel builds use
|
||||
debian/build/build_<arch>_<featureset>_<flavour>, userland code uses
|
||||
debian/build/build-tools/<source-dir> and documentation uses
|
||||
debian/build/build-doc.
|
||||
|
||||
Code signing
|
||||
============
|
||||
|
||||
The kernel image and modules may be signed after building, to support
|
||||
a Secure Boot or Trusted Boot policy. In Debian, this is performed by
|
||||
a "code signing service" that is separate from the normal package
|
||||
build process.
|
||||
|
||||
The initial package build generates binary packages named
|
||||
linux-image-<arch>-signed-template, that contain a source package
|
||||
template and metadata about the files to be signed. The code signing
|
||||
service will download this and the linux-image packages to be signed.
|
||||
It will add detached signatures to the source package, then upload it
|
||||
(without ever running debian/rules).
|
||||
|
||||
The source package template is generated by
|
||||
debian/bin/gencontrol_signed.py and debian/rules.real with files from
|
||||
debian/signing_templates and debian/templates. To test changes to
|
||||
these:
|
||||
|
||||
1. Build the linux source package.
|
||||
2. Generate the signed source package by running the script
|
||||
"debian-test-sign" from the kernel-team.git repository. It is
|
||||
also possible to set up a development configuration of the
|
||||
official code signing service, but this is more complicated.
|
||||
3. Build the signed source package.
|
||||
|
92
debian/bin/gencontrol.py
vendored
92
debian/bin/gencontrol.py
vendored
@ -33,10 +33,7 @@ locale.setlocale(locale.LC_CTYPE, "C.UTF-8")
|
||||
|
||||
|
||||
class Gencontrol(Base):
|
||||
disable_signed: bool
|
||||
|
||||
env_flags = [
|
||||
('DEBIAN_KERNEL_DISABLE_SIGNED', 'disable_signed', 'signed code'),
|
||||
]
|
||||
|
||||
def __init__(
|
||||
@ -187,34 +184,6 @@ class Gencontrol(Base):
|
||||
) -> None:
|
||||
arch = config.name
|
||||
|
||||
if not self.disable_signed:
|
||||
build_signed = config.build.enable_signed
|
||||
else:
|
||||
build_signed = False
|
||||
|
||||
if build_signed:
|
||||
# Make sure variables remain
|
||||
vars['signedtemplate_binaryversion'] = '@signedtemplate_binaryversion@'
|
||||
vars['signedtemplate_sourceversion'] = '@signedtemplate_sourceversion@'
|
||||
|
||||
self.bundle.add('signed-template', (arch,), makeflags, vars, arch=arch)
|
||||
|
||||
bundle_signed = self.bundles[f'signed-{arch}'] = \
|
||||
PackagesBundle(f'signed-{arch}', 'signed.source.control', vars, self.templates)
|
||||
|
||||
with bundle_signed.open('source/lintian-overrides', 'w') as f:
|
||||
f.write(self.substitute(
|
||||
self.templates.get('signed.source.lintian-overrides'), vars))
|
||||
|
||||
with bundle_signed.open('changelog.head', 'w') as f:
|
||||
dist = self.changelog[0].distribution
|
||||
urgency = self.changelog[0].urgency
|
||||
f.write(f'''\
|
||||
linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={urgency}
|
||||
|
||||
* Sign kernel from {self.changelog[0].source} @signedtemplate_binaryversion@
|
||||
''')
|
||||
|
||||
if config.packages.source and list(config.featuresets):
|
||||
self.bundle.add('config', (arch, ), makeflags, vars)
|
||||
|
||||
@ -329,31 +298,11 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
|
||||
|
||||
packages_own = []
|
||||
|
||||
if not self.disable_signed:
|
||||
build_signed = config.build.enable_signed
|
||||
else:
|
||||
build_signed = False
|
||||
|
||||
if build_signed:
|
||||
bundle_signed = self.bundles[f'signed-{arch}']
|
||||
else:
|
||||
bundle_signed = self.bundle
|
||||
|
||||
vars.setdefault('desc', '')
|
||||
|
||||
if build_signed:
|
||||
packages_image_unsigned = (
|
||||
self.bundle.add('image-unsigned', ruleid, makeflags, vars, arch=arch)
|
||||
)
|
||||
packages_image = packages_image_unsigned[:]
|
||||
packages_image.extend(
|
||||
bundle_signed.add('signed.image', ruleid, makeflags, vars, arch=arch)
|
||||
)
|
||||
|
||||
else:
|
||||
packages_image = packages_image_unsigned = (
|
||||
bundle_signed.add('image', ruleid, makeflags, vars, arch=arch)
|
||||
)
|
||||
packages_image = (
|
||||
self.bundle.add('image', ruleid, makeflags, vars, arch=arch)
|
||||
)
|
||||
|
||||
for field in ('Depends', 'Provides', 'Suggests', 'Recommends',
|
||||
'Conflicts', 'Breaks'):
|
||||
@ -387,19 +336,13 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
|
||||
packages_own.extend(packages_image)
|
||||
packages_own.extend(packages_headers)
|
||||
|
||||
# The image meta-packages will depend on signed linux-image
|
||||
# packages where applicable, so should be built from the
|
||||
# signed source packages The header meta-packages will also be
|
||||
# built along with the signed packages, to create a dependency
|
||||
# relationship that ensures src:linux and src:linux-signed-*
|
||||
# transition to testing together.
|
||||
if do_meta:
|
||||
packages_meta = (
|
||||
bundle_signed.add('image.meta', ruleid, makeflags, vars, arch=arch)
|
||||
self.bundle.add('image.meta', ruleid, makeflags, vars, arch=arch)
|
||||
)
|
||||
assert len(packages_meta) == 1
|
||||
packages_meta += (
|
||||
bundle_signed.add(build_signed and 'signed.headers.meta' or 'headers.meta',
|
||||
self.bundle.add('headers.meta',
|
||||
ruleid, makeflags, vars, arch=arch)
|
||||
)
|
||||
assert len(packages_meta) == 2
|
||||
@ -503,31 +446,6 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
|
||||
|
||||
def write(self) -> None:
|
||||
super().write()
|
||||
self.write_signed()
|
||||
|
||||
def write_signed(self) -> None:
|
||||
for bundle in self.bundles.values():
|
||||
pkg_sign_entries = {}
|
||||
|
||||
for p in bundle.packages.values():
|
||||
if not isinstance(p, BinaryPackage):
|
||||
continue
|
||||
|
||||
if pkg_sign_pkg := p.meta_sign_package:
|
||||
pkg_sign_entries[pkg_sign_pkg] = {
|
||||
'trusted_certs': [],
|
||||
'files': [
|
||||
{
|
||||
'sig_type': e.split(':', 1)[-1],
|
||||
'file': e.split(':', 1)[0],
|
||||
}
|
||||
for e in p.meta_sign_files
|
||||
],
|
||||
}
|
||||
|
||||
if pkg_sign_entries:
|
||||
with bundle.path('files.json').open('w') as f:
|
||||
json.dump({'packages': pkg_sign_entries}, f, indent=2)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
1
debian/config/amd64/defines.toml
vendored
1
debian/config/amd64/defines.toml
vendored
@ -20,7 +20,6 @@ hardware_long = 'cloud platforms including Amazon EC2, Microsoft Azure, and Goog
|
||||
name = 'none'
|
||||
|
||||
[build]
|
||||
enable_signed = true
|
||||
enable_vdso = true
|
||||
kernel_file = 'arch/x86/boot/bzImage'
|
||||
kernel_stem = 'vmlinuz'
|
||||
|
1
debian/config/arm64/defines.toml
vendored
1
debian/config/arm64/defines.toml
vendored
@ -27,7 +27,6 @@ name = 'none'
|
||||
|
||||
[build]
|
||||
compiler_gnutype_compat = 'arm-linux-gnueabihf'
|
||||
enable_signed = true
|
||||
enable_vdso = true
|
||||
kernel_file = 'arch/arm64/boot/Image'
|
||||
kernel_stem = 'vmlinuz'
|
||||
|
1
debian/lib/python/debian_linux/config_v2.py
vendored
1
debian/lib/python/debian_linux/config_v2.py
vendored
@ -37,7 +37,6 @@ class ConfigBuild:
|
||||
compiler_gnutype_compat: Optional[str] = None
|
||||
config: list[Path] = dataclasses.field(default_factory=list)
|
||||
config_default: list[Path] = dataclasses.field(default_factory=list, repr=False)
|
||||
enable_signed: Optional[bool] = None
|
||||
enable_vdso: Optional[bool] = None
|
||||
kernel_file: Optional[str] = None
|
||||
kernel_stem: Optional[str] = None
|
||||
|
11
debian/lib/python/debian_linux/debian.py
vendored
11
debian/lib/python/debian_linux/debian.py
vendored
@ -686,14 +686,3 @@ class BinaryPackage(_BasePackage):
|
||||
default=None,
|
||||
deb822_dump=None,
|
||||
)
|
||||
meta_sign_package: Optional[str] = field_deb822(
|
||||
'Meta-Sign-Package',
|
||||
default=None,
|
||||
deb822_dump=None,
|
||||
)
|
||||
meta_sign_files: list[str] = field_deb822(
|
||||
'Meta-Sign-Files',
|
||||
default_factory=list,
|
||||
deb822_load=lambda v: v.split(),
|
||||
deb822_dump=None,
|
||||
)
|
||||
|
30
debian/rules.real
vendored
30
debian/rules.real
vendored
@ -481,36 +481,6 @@ endif
|
||||
ln -s ../../../boot/vmlinux-$(REAL_VERSION) $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vmlinux
|
||||
$(dh_binary_post)
|
||||
|
||||
build_signed-template:
|
||||
|
||||
binary_signed-template: GEN_DIR = debian/generated.signed-$(ARCH)
|
||||
binary_signed-template: CODE_SIGNING_DIR = $(DESTDIR)/usr/share/code-signing/$(PACKAGE_NAME)
|
||||
binary_signed-template: DEBIAN_DIR = $(CODE_SIGNING_DIR)/source-template/debian
|
||||
binary_signed-template: VERSION_TEMPLATE = $(shell echo $(DEB_VERSION) | sed -Ee 's/\+b(\d+)$$/.b\1/' -e 's/-/+/g')
|
||||
binary_signed-template:
|
||||
$(dh_binary_pre)
|
||||
rm -rf $(CODE_SIGNING_DIR)
|
||||
mkdir -p $(DEBIAN_DIR)/source
|
||||
for i in $$(find $(GEN_DIR) -type f -printf '%P\n'); do \
|
||||
sed -E \
|
||||
-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
|
||||
-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
|
||||
$(GEN_DIR)/$$i > $(DEBIAN_DIR)/$$i; \
|
||||
done
|
||||
for i in $$(find debian/signing_templates -type f -printf '%P\n'); do \
|
||||
sed -E \
|
||||
-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
|
||||
-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
|
||||
debian/signing_templates/$$i > $(DEBIAN_DIR)/$$i; \
|
||||
done
|
||||
mv $(DEBIAN_DIR)/changelog.head $(DEBIAN_DIR)/changelog
|
||||
tail +2 debian/changelog >> $(DEBIAN_DIR)/changelog
|
||||
mv $(DEBIAN_DIR)/files.json $(CODE_SIGNING_DIR)/
|
||||
chmod 755 $(DEBIAN_DIR)/rules
|
||||
cp -R debian/copyright \
|
||||
$(CODE_SIGNING_DIR)/source-template/debian/
|
||||
$(dh_binary_post)
|
||||
|
||||
build_source:
|
||||
|
||||
binary_source: BUILDDEB_ARGS = -Zxz -z0
|
||||
|
4
debian/signing_templates/README.source
vendored
4
debian/signing_templates/README.source
vendored
@ -1,4 +0,0 @@
|
||||
This source package is generated by the Debian signing service from a
|
||||
template built by the linux package. It should never be updated directly.
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Fri, 06 Apr 2018 10:23:29 +0100
|
24
debian/signing_templates/rules
vendored
24
debian/signing_templates/rules
vendored
@ -1,24 +0,0 @@
|
||||
#!/usr/bin/make -f
|
||||
|
||||
include /usr/share/dpkg/architecture.mk
|
||||
|
||||
SHELL := sh -e
|
||||
|
||||
include debian/rules.defs
|
||||
|
||||
build: build-arch build-indep
|
||||
build-arch:
|
||||
build-indep:
|
||||
|
||||
clean:
|
||||
dh_testdir
|
||||
rm -rf $(BUILD_DIR) $(STAMPS_DIR)
|
||||
dh_clean
|
||||
|
||||
binary: binary-arch binary-indep
|
||||
binary-arch: debian/control
|
||||
dh_testdir
|
||||
$(MAKE) -f debian/rules.gen binary-arch_$(DEB_HOST_ARCH)
|
||||
binary-indep:
|
||||
|
||||
.PHONY: build build-arch build-indep clean binary binary-arch binary-indep
|
2
debian/signing_templates/rules.defs
vendored
2
debian/signing_templates/rules.defs
vendored
@ -1,2 +0,0 @@
|
||||
BUILD_DIR = debian/build
|
||||
STAMPS_DIR = debian/stamps
|
108
debian/signing_templates/rules.real
vendored
108
debian/signing_templates/rules.real
vendored
@ -1,108 +0,0 @@
|
||||
include /usr/share/dpkg/default.mk
|
||||
|
||||
SHELL := bash -e
|
||||
|
||||
include debian/rules.defs
|
||||
|
||||
export DH_OPTIONS
|
||||
|
||||
export DEB_RULES_REQUIRES_ROOT ?= no
|
||||
|
||||
GENCONTROL_ARGS := -v@signedtemplate_binaryversion@
|
||||
BUILDDEB_ARGS := -Zxz $(if $(filter pkg.linux.quick,$(DEB_BUILD_PROFILES)),-z0)
|
||||
|
||||
stamp = [ -d $(dir $@) ] || mkdir $(dir $@); touch $@
|
||||
|
||||
define dh_binary_pre
|
||||
dh_testroot
|
||||
dh_prep
|
||||
dh_installdirs
|
||||
endef
|
||||
|
||||
define dh_binary_post
|
||||
dh_install $(DH_INSTALL_ARGS)
|
||||
# Workaround #1068189. By Debian policy and aligned debhelper behaviour /usr/share/doc/package
|
||||
# is permitted to be a symbolic link to another directory in /usr/share/doc only if the two
|
||||
# packages come from the same source package. The package build will fail with the new debhelper
|
||||
# version since debhelper/13.15. As the linux-signed-* packages are quite special in the eco-
|
||||
# system, make the workaround to fallback to the old behaviour until it is agreed on how to
|
||||
# resolve the situation policy conformant.
|
||||
# https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information
|
||||
$(if $(INSTALLDOCS_LINK_DOC),
|
||||
mkdir -p debian/$(PACKAGE_NAME)/usr/share/doc && ln -sf $(INSTALLDOCS_LINK_DOC) debian/$(PACKAGE_NAME)/usr/share/doc/$(PACKAGE_NAME),
|
||||
dh_installdocs)
|
||||
dh_installchangelogs
|
||||
dh_installexamples
|
||||
dh_installman
|
||||
dh_installudev
|
||||
dh_bugfiles
|
||||
dh_ucf
|
||||
dh_lintian
|
||||
dh_icons
|
||||
dh_link
|
||||
dh_compress
|
||||
dh_fixperms
|
||||
dh_missing
|
||||
dh_strip $(DH_STRIP_ARGS) -Xvmlinux -Xvmlinuz
|
||||
dh_makeshlibs -Xvmlinux -Xvmlinuz
|
||||
dh_shlibdeps $(DH_SHLIBDEPS_ARGS)
|
||||
dh_installdeb
|
||||
if command -v dh_movetousr >/dev/null; then dh_movetousr; fi
|
||||
dh_gencontrol -- $(GENCONTROL_ARGS)
|
||||
dh_md5sums
|
||||
dh_builddeb -- $(BUILDDEB_ARGS)
|
||||
endef
|
||||
|
||||
build-indep:
|
||||
|
||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): REAL_VERSION = $(ABINAME)$(LOCALVERSION)
|
||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
|
||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): SIGNATURE_DIR = debian/signatures/$(IMAGE_PACKAGE_NAME)
|
||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): INSTALL_DIR=$(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
|
||||
$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR):
|
||||
mkdir -p $(INSTALL_DIR)/boot
|
||||
rsync -a $(patsubst %,/boot/%-$(REAL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
|
||||
$(INSTALL_DIR)/boot/
|
||||
sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(REAL_VERSION).sig \
|
||||
$(INSTALL_DIR)/boot/vmlinuz-$(REAL_VERSION)
|
||||
mkdir -p $(INSTALL_DIR)/lib/modules/$(REAL_VERSION)
|
||||
rsync -a $(addprefix /lib/modules/$(REAL_VERSION)/,kernel modules.builtin modules.builtin.modinfo modules.order) \
|
||||
$(INSTALL_DIR)/lib/modules/$(REAL_VERSION)/
|
||||
# Copy any device tree files
|
||||
if [ -d /usr/lib/linux-image-$(REAL_VERSION) ]; then \
|
||||
mkdir -p $(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION); \
|
||||
rsync -a /usr/lib/linux-image-$(REAL_VERSION)/ \
|
||||
$(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION)/; \
|
||||
fi
|
||||
$(stamp)
|
||||
|
||||
build_image:
|
||||
|
||||
binary_image: DH_OPTIONS = -p$(PACKAGE_NAME)
|
||||
binary_image: DH_STRIP_ARGS = --no-automatic-dbgsym
|
||||
binary_image: REAL_VERSION = $(ABINAME)$(LOCALVERSION)
|
||||
binary_image: IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
|
||||
binary_image: DIR2 = $(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
|
||||
binary_image: PACKAGE_DIR = debian/$(PACKAGE_NAME)
|
||||
binary_image: $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
|
||||
binary_image:
|
||||
$(dh_binary_pre)
|
||||
dh_install --sourcedir=$(DIR2) boot
|
||||
dh_install --sourcedir=$(DIR2) lib
|
||||
if [ -d $(DIR2)/usr ]; then dh_install --sourcedir=$(DIR2) usr; fi
|
||||
# Copy bug scripts but change the info file to refer to the right package
|
||||
mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)
|
||||
rsync -a /usr/share/bug/$(IMAGE_PACKAGE_NAME)/ \
|
||||
$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/
|
||||
sed -i -e 's/^PACKAGE_NAME=.*/PACKAGE_NAME=$(PACKAGE_NAME)/' \
|
||||
-e 's/^PACKAGE_VERSION=.*/PACKAGE_VERSION=$(PACKAGE_VERSION)/' \
|
||||
$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/info
|
||||
$(dh_binary_post)
|
||||
|
||||
build_meta:
|
||||
|
||||
binary_meta:
|
||||
$(dh_binary_pre)
|
||||
$(dh_binary_post)
|
||||
|
||||
.PHONY: build_% binary_%
|
1
debian/signing_templates/source/format
vendored
1
debian/signing_templates/source/format
vendored
@ -1 +0,0 @@
|
||||
3.0 (native)
|
5
debian/templates/config.control.in
vendored
5
debian/templates/config.control.in
vendored
@ -6,8 +6,7 @@ Multi-Arch: same
|
||||
Depends: ${misc:Depends}
|
||||
Recommends: @source_basename@-source-@version@
|
||||
Description: Debian kernel configurations for Linux @version@
|
||||
This package contains the configuration files used to build the
|
||||
official Debian kernel files, but without references to Debian's
|
||||
signing certificates.
|
||||
This package contains the configuration files used to build kernel
|
||||
files.
|
||||
.
|
||||
These can be used as a basis for configuring custom kernels.
|
||||
|
2
debian/templates/headers.control.in
vendored
2
debian/templates/headers.control.in
vendored
@ -3,7 +3,7 @@ Meta-Rules-Target: headers
|
||||
Build-Profiles: <!pkg.linux.nokernel>
|
||||
Depends:
|
||||
linux-headers-@abiname@-common@localversion_headers@ (= ${source:Version}),
|
||||
linux-image-@abiname@@localversion@ (= ${binary:Version}) | linux-image-@abiname@@localversion@-unsigned (= ${binary:Version}),
|
||||
linux-image-@abiname@@localversion@ (= ${binary:Version}),
|
||||
linux-kbuild-@abiname@,
|
||||
${misc:Depends}
|
||||
Description: Header files for Linux @abiname@@localversion@
|
||||
|
1
debian/templates/image-unsigned.NEWS.j2
vendored
1
debian/templates/image-unsigned.NEWS.j2
vendored
@ -1 +0,0 @@
|
||||
image.NEWS.j2
|
11
debian/templates/image-unsigned.control.in
vendored
11
debian/templates/image-unsigned.control.in
vendored
@ -1,11 +0,0 @@
|
||||
Package: linux-image-@abiname@@localversion@-unsigned
|
||||
Meta-Rules-Target: image
|
||||
Build-Profiles: <!pkg.linux.nokernel>
|
||||
Build-Depends:
|
||||
kmod,
|
||||
Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
|
||||
Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
|
||||
Conflicts: linux-image-@abiname@@localversion@
|
||||
Replaces: linux-image-@abiname@@localversion@
|
||||
Description: Linux @upstreamversion@ for @class@
|
||||
The Linux kernel @upstreamversion@ and modules for use on @longclass@.
|
@ -1 +0,0 @@
|
||||
image.lintian-overrides.j2
|
1
debian/templates/image-unsigned.postinst.in
vendored
1
debian/templates/image-unsigned.postinst.in
vendored
@ -1 +0,0 @@
|
||||
image.postinst.in
|
1
debian/templates/image-unsigned.postrm.in
vendored
1
debian/templates/image-unsigned.postrm.in
vendored
@ -1 +0,0 @@
|
||||
image.postrm.in
|
1
debian/templates/image-unsigned.preinst.in
vendored
1
debian/templates/image-unsigned.preinst.in
vendored
@ -1 +0,0 @@
|
||||
image.preinst.in
|
1
debian/templates/image-unsigned.prerm.in
vendored
1
debian/templates/image-unsigned.prerm.in
vendored
@ -1 +0,0 @@
|
||||
image.prerm.in
|
7
debian/templates/signed-template.control.in
vendored
7
debian/templates/signed-template.control.in
vendored
@ -1,7 +0,0 @@
|
||||
Package: linux-image@source_suffix@-@arch@-signed-template
|
||||
Meta-Rules-Target: signed-template
|
||||
Build-Profiles: <!pkg.linux.nokernel>
|
||||
Depends: dpkg-dev, python3:any, ${misc:Depends}
|
||||
Description: Template for signed linux-image packages for @arch@
|
||||
This package is used to control code signing by the Debian signing
|
||||
service.
|
@ -1 +0,0 @@
|
||||
linux-image@source_suffix@-@arch@-signed-template: script-not-executable
|
@ -1 +0,0 @@
|
||||
headers.meta.control.in
|
@ -1,3 +0,0 @@
|
||||
# linux-signed-* source packages are generated by the linux source
|
||||
# package, so it is OK for their binaries to share documentation
|
||||
@package@: usr-share-doc-symlink-to-foreign-package linux-headers-@abiname@@localversion@
|
@ -1 +0,0 @@
|
||||
headers.meta.maintscript.in
|
1
debian/templates/signed.image.NEWS.j2
vendored
1
debian/templates/signed.image.NEWS.j2
vendored
@ -1 +0,0 @@
|
||||
image.NEWS.j2
|
19
debian/templates/signed.image.control.in
vendored
19
debian/templates/signed.image.control.in
vendored
@ -1,19 +0,0 @@
|
||||
Package: linux-image-@abiname@@localversion@
|
||||
Meta-Rules-Target: image
|
||||
Meta-Sign-Package: linux-image-@abiname@@localversion@-unsigned
|
||||
Meta-Sign-Files: boot/@image-stem@-@abiname@@localversion@:efi
|
||||
Build-Profiles: <!pkg.linux.nokernel>
|
||||
Build-Depends:
|
||||
linux-image-@abiname@@localversion@-unsigned (= @signedtemplate_binaryversion@),
|
||||
kmod,
|
||||
# Used by debian/signing_templates/rules.real
|
||||
rsync,
|
||||
Built-Using: @source_basename@@source_suffix@ (= @version_complete@)
|
||||
Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
|
||||
Conflicts: linux-image-@abiname@@localversion@-unsigned
|
||||
Replaces: linux-image-@abiname@@localversion@-unsigned
|
||||
Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
|
||||
Description: Linux @upstreamversion@ for @class@ (signed)
|
||||
The Linux kernel @upstreamversion@ and modules for use on @longclass@.
|
||||
.
|
||||
The kernel image is signed for use with Secure Boot.
|
1
debian/templates/signed.image.postinst.in
vendored
1
debian/templates/signed.image.postinst.in
vendored
@ -1 +0,0 @@
|
||||
image.postinst.in
|
1
debian/templates/signed.image.postrm.in
vendored
1
debian/templates/signed.image.postrm.in
vendored
@ -1 +0,0 @@
|
||||
image.postrm.in
|
1
debian/templates/signed.image.preinst.in
vendored
1
debian/templates/signed.image.preinst.in
vendored
@ -1 +0,0 @@
|
||||
image.preinst.in
|
1
debian/templates/signed.image.prerm.in
vendored
1
debian/templates/signed.image.prerm.in
vendored
@ -1 +0,0 @@
|
||||
image.prerm.in
|
14
debian/templates/signed.source.control.in
vendored
14
debian/templates/signed.source.control.in
vendored
@ -1,14 +0,0 @@
|
||||
Source: linux-signed@source_suffix@-@arch@
|
||||
Section: kernel
|
||||
Priority: optional
|
||||
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
|
||||
Uploaders: Bastian Blank <waldi@debian.org>, maximilian attems <maks@debian.org>, Ben Hutchings <benh@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
|
||||
Standards-Version: 4.2.0
|
||||
Build-Depends:
|
||||
debhelper-compat (= 13),
|
||||
python3:any,
|
||||
sbsigntool [amd64 arm64],
|
||||
Rules-Requires-Root: no
|
||||
Vcs-Git: https://salsa.debian.org/kernel-team/linux.git
|
||||
Vcs-Browser: https://salsa.debian.org/kernel-team/linux
|
||||
Homepage: https://www.kernel.org/
|
@ -1,7 +0,0 @@
|
||||
# linux-signed-* source packages are generated by the linux source
|
||||
# package, and produce binaries with the same versions, even in case
|
||||
# of a binNMU of linux
|
||||
linux-signed-@arch@ source: version-substvar-for-external-package Depends *${binary:Version} linux-headers-* -> linux-headers-*
|
||||
|
||||
# The changelog is mostly copied from linux which is non-native
|
||||
linux-signed-@arch@ source: odd-historical-debian-changelog-version * (for native)*
|
Loading…
Reference in New Issue
Block a user