drop signing

debian/.gitignore

@@ -10,7 +10,6 @@
 !/lib/
 !/patches*/
 !/rules.d/
-!/signing_templates/
 !/source/
 !/templates/
 !/upstream/

debian/README.source

@@ -267,30 +267,3 @@ linux-source-<version> binary package.  Currently kernel builds use
 debian/build/build_<arch>_<featureset>_<flavour>, userland code uses
 debian/build/build-tools/<source-dir> and documentation uses
 debian/build/build-doc.
-
-Code signing
-============
-
-The kernel image and modules may be signed after building, to support
-a Secure Boot or Trusted Boot policy.  In Debian, this is performed by
-a "code signing service" that is separate from the normal package
-build process.
-
-The initial package build generates binary packages named
-linux-image-<arch>-signed-template, that contain a source package
-template and metadata about the files to be signed.  The code signing
-service will download this and the linux-image packages to be signed.
-It will add detached signatures to the source package, then upload it
-(without ever running debian/rules).
-
-The source package template is generated by
-debian/bin/gencontrol_signed.py and debian/rules.real with files from
-debian/signing_templates and debian/templates.  To test changes to
-these:
-
-1. Build the linux source package.
-2. Generate the signed source package by running the script
-   "debian-test-sign" from the kernel-team.git repository.  It is
-   also possible to set up a development configuration of the
-   official code signing service, but this is more complicated.
-3. Build the signed source package.

debian/bin/gencontrol.py

@@ -33,10 +33,7 @@ locale.setlocale(locale.LC_CTYPE, "C.UTF-8")
 
 
 class Gencontrol(Base):
-    disable_signed: bool
-
     env_flags = [
-        ('DEBIAN_KERNEL_DISABLE_SIGNED', 'disable_signed', 'signed code'),
     ]
 
     def __init__(
@@ -187,34 +184,6 @@ class Gencontrol(Base):
     ) -> None:
         arch = config.name
 
-        if not self.disable_signed:
-            build_signed = config.build.enable_signed
-        else:
-            build_signed = False
-
-        if build_signed:
-            # Make sure variables remain
-            vars['signedtemplate_binaryversion'] = '@signedtemplate_binaryversion@'
-            vars['signedtemplate_sourceversion'] = '@signedtemplate_sourceversion@'
-
-            self.bundle.add('signed-template', (arch,), makeflags, vars, arch=arch)
-
-            bundle_signed = self.bundles[f'signed-{arch}'] = \
-                PackagesBundle(f'signed-{arch}', 'signed.source.control', vars, self.templates)
-
-            with bundle_signed.open('source/lintian-overrides', 'w') as f:
-                f.write(self.substitute(
-                    self.templates.get('signed.source.lintian-overrides'), vars))
-
-            with bundle_signed.open('changelog.head', 'w') as f:
-                dist = self.changelog[0].distribution
-                urgency = self.changelog[0].urgency
-                f.write(f'''\
-linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={urgency}
-
-  * Sign kernel from {self.changelog[0].source} @signedtemplate_binaryversion@
-''')
-
         if config.packages.source and list(config.featuresets):
             self.bundle.add('config', (arch, ), makeflags, vars)
 
@@ -329,31 +298,11 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
 
         packages_own = []
 
-        if not self.disable_signed:
-            build_signed = config.build.enable_signed
-        else:
-            build_signed = False
-
-        if build_signed:
-            bundle_signed = self.bundles[f'signed-{arch}']
-        else:
-            bundle_signed = self.bundle
-
         vars.setdefault('desc', '')
 
-        if build_signed:
-            packages_image_unsigned = (
-                self.bundle.add('image-unsigned', ruleid, makeflags, vars, arch=arch)
-            )
-            packages_image = packages_image_unsigned[:]
-            packages_image.extend(
-                bundle_signed.add('signed.image', ruleid, makeflags, vars, arch=arch)
-            )
-
-        else:
-            packages_image = packages_image_unsigned = (
-                bundle_signed.add('image', ruleid, makeflags, vars, arch=arch)
-            )
+        packages_image = (
+            self.bundle.add('image', ruleid, makeflags, vars, arch=arch)
+        )
 
         for field in ('Depends', 'Provides', 'Suggests', 'Recommends',
                       'Conflicts', 'Breaks'):
@@ -387,19 +336,13 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
         packages_own.extend(packages_image)
         packages_own.extend(packages_headers)
 
-        # The image meta-packages will depend on signed linux-image
-        # packages where applicable, so should be built from the
-        # signed source packages The header meta-packages will also be
-        # built along with the signed packages, to create a dependency
-        # relationship that ensures src:linux and src:linux-signed-*
-        # transition to testing together.
         if do_meta:
             packages_meta = (
-                bundle_signed.add('image.meta', ruleid, makeflags, vars, arch=arch)
+                self.bundle.add('image.meta', ruleid, makeflags, vars, arch=arch)
             )
             assert len(packages_meta) == 1
             packages_meta += (
-                bundle_signed.add(build_signed and 'signed.headers.meta' or 'headers.meta',
+                self.bundle.add('headers.meta',
                                   ruleid, makeflags, vars, arch=arch)
             )
             assert len(packages_meta) == 2
@@ -503,31 +446,6 @@ linux-signed-{vars['arch']} (@signedtemplate_sourceversion@) {dist}; urgency={ur
 
     def write(self) -> None:
         super().write()
-        self.write_signed()
-
-    def write_signed(self) -> None:
-        for bundle in self.bundles.values():
-            pkg_sign_entries = {}
-
-            for p in bundle.packages.values():
-                if not isinstance(p, BinaryPackage):
-                    continue
-
-                if pkg_sign_pkg := p.meta_sign_package:
-                    pkg_sign_entries[pkg_sign_pkg] = {
-                        'trusted_certs': [],
-                        'files': [
-                            {
-                                'sig_type': e.split(':', 1)[-1],
-                                'file': e.split(':', 1)[0],
-                            }
-                            for e in p.meta_sign_files
-                        ],
-                    }
-
-            if pkg_sign_entries:
-                with bundle.path('files.json').open('w') as f:
-                    json.dump({'packages': pkg_sign_entries}, f, indent=2)
 
 
 if __name__ == '__main__':

debian/config/amd64/defines.toml

@@ -20,7 +20,6 @@ hardware_long = 'cloud platforms including Amazon EC2, Microsoft Azure, and Goog
 name = 'none'
 
 [build]
-enable_signed = true
 enable_vdso = true
 kernel_file = 'arch/x86/boot/bzImage'
 kernel_stem = 'vmlinuz'

debian/config/arm64/defines.toml

@@ -27,7 +27,6 @@ name = 'none'
 
 [build]
 compiler_gnutype_compat = 'arm-linux-gnueabihf'
-enable_signed = true
 enable_vdso = true
 kernel_file = 'arch/arm64/boot/Image'
 kernel_stem = 'vmlinuz'

debian/lib/python/debian_linux/config_v2.py

@@ -37,7 +37,6 @@ class ConfigBuild:
     compiler_gnutype_compat: Optional[str] = None
     config: list[Path] = dataclasses.field(default_factory=list)
     config_default: list[Path] = dataclasses.field(default_factory=list, repr=False)
-    enable_signed: Optional[bool] = None
     enable_vdso: Optional[bool] = None
     kernel_file: Optional[str] = None
     kernel_stem: Optional[str] = None

debian/lib/python/debian_linux/debian.py

@@ -686,14 +686,3 @@ class BinaryPackage(_BasePackage):
         default=None,
         deb822_dump=None,
     )
-    meta_sign_package: Optional[str] = field_deb822(
-        'Meta-Sign-Package',
-        default=None,
-        deb822_dump=None,
-    )
-    meta_sign_files: list[str] = field_deb822(
-        'Meta-Sign-Files',
-        default_factory=list,
-        deb822_load=lambda v: v.split(),
-        deb822_dump=None,
-    )

debian/rules.real

@@ -481,36 +481,6 @@ endif
 	ln -s ../../../boot/vmlinux-$(REAL_VERSION) $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vmlinux
 	$(dh_binary_post)
 
-build_signed-template:
-
-binary_signed-template: GEN_DIR = debian/generated.signed-$(ARCH)
-binary_signed-template: CODE_SIGNING_DIR = $(DESTDIR)/usr/share/code-signing/$(PACKAGE_NAME)
-binary_signed-template: DEBIAN_DIR = $(CODE_SIGNING_DIR)/source-template/debian
-binary_signed-template: VERSION_TEMPLATE = $(shell echo $(DEB_VERSION) | sed -Ee 's/\+b(\d+)$$/.b\1/' -e 's/-/+/g')
-binary_signed-template:
-	$(dh_binary_pre)
-	rm -rf $(CODE_SIGNING_DIR)
-	mkdir -p $(DEBIAN_DIR)/source
-	for i in $$(find $(GEN_DIR) -type f -printf '%P\n'); do \
-		sed -E \
-			-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
-			-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
-			$(GEN_DIR)/$$i > $(DEBIAN_DIR)/$$i; \
-	done
-	for i in $$(find debian/signing_templates -type f -printf '%P\n'); do \
-		sed -E \
-			-e 's/@signedtemplate_binaryversion@/$(DEB_VERSION)/g' \
-			-e 's/@signedtemplate_sourceversion@/$(VERSION_TEMPLATE)/g' \
-			debian/signing_templates/$$i > $(DEBIAN_DIR)/$$i; \
-	done
-	mv $(DEBIAN_DIR)/changelog.head $(DEBIAN_DIR)/changelog
-	tail +2 debian/changelog >> $(DEBIAN_DIR)/changelog
-	mv $(DEBIAN_DIR)/files.json $(CODE_SIGNING_DIR)/
-	chmod 755 $(DEBIAN_DIR)/rules
-	cp -R	debian/copyright \
-		$(CODE_SIGNING_DIR)/source-template/debian/
-	$(dh_binary_post)
-
 build_source:
 
 binary_source: BUILDDEB_ARGS = -Zxz -z0

debian/signing_templates/README.source

@@ -1,4 +0,0 @@
-This source package is generated by the Debian signing service from a
-template built by the linux package.  It should never be updated directly.
-
- -- Ben Hutchings <ben@decadent.org.uk>  Fri, 06 Apr 2018 10:23:29 +0100

debian/signing_templates/rules

@@ -1,24 +0,0 @@
-#!/usr/bin/make -f
-
-include /usr/share/dpkg/architecture.mk
-
-SHELL := sh -e
-
-include debian/rules.defs
-
-build: build-arch build-indep
-build-arch:
-build-indep:
-
-clean:
-	dh_testdir
-	rm -rf $(BUILD_DIR) $(STAMPS_DIR)
-	dh_clean
-
-binary: binary-arch binary-indep
-binary-arch: debian/control
-	dh_testdir
-	$(MAKE) -f debian/rules.gen binary-arch_$(DEB_HOST_ARCH)
-binary-indep:
-
-.PHONY: build build-arch build-indep clean binary binary-arch binary-indep

debian/signing_templates/rules.defs

@@ -1,2 +0,0 @@
-BUILD_DIR = debian/build
-STAMPS_DIR = debian/stamps

debian/signing_templates/rules.real

@@ -1,108 +0,0 @@
-include /usr/share/dpkg/default.mk
-
-SHELL := bash -e
-
-include debian/rules.defs
-
-export DH_OPTIONS
-
-export DEB_RULES_REQUIRES_ROOT ?= no
-
-GENCONTROL_ARGS := -v@signedtemplate_binaryversion@
-BUILDDEB_ARGS := -Zxz $(if $(filter pkg.linux.quick,$(DEB_BUILD_PROFILES)),-z0)
-
-stamp = [ -d $(dir $@) ] || mkdir $(dir $@); touch $@
-
-define dh_binary_pre
-	dh_testroot
-	dh_prep
-	dh_installdirs
-endef
-
-define dh_binary_post
-	dh_install $(DH_INSTALL_ARGS)
-	# Workaround #1068189. By Debian policy and aligned debhelper behaviour /usr/share/doc/package
-	# is permitted to be a symbolic link to another directory in /usr/share/doc only if the two
-	# packages come from the same source package. The package build will fail with the new debhelper
-	# version since debhelper/13.15. As the linux-signed-* packages are quite special in the eco-
-	# system, make the workaround to fallback to the old behaviour until it is agreed on how to
-	# resolve the situation policy conformant.
-	# https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information
-	$(if $(INSTALLDOCS_LINK_DOC),
-		mkdir -p debian/$(PACKAGE_NAME)/usr/share/doc && ln -sf $(INSTALLDOCS_LINK_DOC) debian/$(PACKAGE_NAME)/usr/share/doc/$(PACKAGE_NAME),
-		dh_installdocs)
-	dh_installchangelogs
-	dh_installexamples
-	dh_installman
-	dh_installudev
-	dh_bugfiles
-	dh_ucf
-	dh_lintian
-	dh_icons
-	dh_link
-	dh_compress
-	dh_fixperms
-	dh_missing
-	dh_strip $(DH_STRIP_ARGS) -Xvmlinux -Xvmlinuz
-	dh_makeshlibs -Xvmlinux -Xvmlinuz
-	dh_shlibdeps $(DH_SHLIBDEPS_ARGS)
-	dh_installdeb
-	if command -v dh_movetousr >/dev/null; then dh_movetousr; fi
-	dh_gencontrol -- $(GENCONTROL_ARGS)
-	dh_md5sums
-	dh_builddeb -- $(BUILDDEB_ARGS)
-endef
-
-build-indep:
-
-$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): REAL_VERSION = $(ABINAME)$(LOCALVERSION)
-$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
-$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): SIGNATURE_DIR = debian/signatures/$(IMAGE_PACKAGE_NAME)
-$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR): INSTALL_DIR=$(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
-$(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR):
-	mkdir -p $(INSTALL_DIR)/boot
-	rsync -a $(patsubst %,/boot/%-$(REAL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
-		$(INSTALL_DIR)/boot/
-	sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(REAL_VERSION).sig \
-		$(INSTALL_DIR)/boot/vmlinuz-$(REAL_VERSION)
-	mkdir -p $(INSTALL_DIR)/lib/modules/$(REAL_VERSION)
-	rsync -a $(addprefix /lib/modules/$(REAL_VERSION)/,kernel modules.builtin modules.builtin.modinfo modules.order) \
-		$(INSTALL_DIR)/lib/modules/$(REAL_VERSION)/
-# Copy any device tree files
-	if [ -d /usr/lib/linux-image-$(REAL_VERSION) ]; then \
-		mkdir -p $(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION); \
-		rsync -a /usr/lib/linux-image-$(REAL_VERSION)/ \
-			$(INSTALL_DIR)/usr/lib/linux-image-$(REAL_VERSION)/; \
-	fi
-	$(stamp)
-
-build_image:
-
-binary_image: DH_OPTIONS = -p$(PACKAGE_NAME)
-binary_image: DH_STRIP_ARGS = --no-automatic-dbgsym
-binary_image: REAL_VERSION = $(ABINAME)$(LOCALVERSION)
-binary_image: IMAGE_PACKAGE_NAME = linux-image-$(REAL_VERSION)-unsigned
-binary_image: DIR2 = $(BUILD_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
-binary_image: PACKAGE_DIR = debian/$(PACKAGE_NAME)
-binary_image: $(STAMPS_DIR)/install_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
-binary_image:
-	$(dh_binary_pre)
-	dh_install --sourcedir=$(DIR2) boot
-	dh_install --sourcedir=$(DIR2) lib
-	if [ -d $(DIR2)/usr ]; then dh_install --sourcedir=$(DIR2) usr; fi
-# Copy bug scripts but change the info file to refer to the right package
-	mkdir -p $(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)
-	rsync -a /usr/share/bug/$(IMAGE_PACKAGE_NAME)/ \
-		$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/
-	sed -i -e 's/^PACKAGE_NAME=.*/PACKAGE_NAME=$(PACKAGE_NAME)/' \
-		-e 's/^PACKAGE_VERSION=.*/PACKAGE_VERSION=$(PACKAGE_VERSION)/' \
-		$(PACKAGE_DIR)/usr/share/bug/$(PACKAGE_NAME)/info
-	$(dh_binary_post)
-
-build_meta:
-
-binary_meta:
-	$(dh_binary_pre)
-	$(dh_binary_post)
-
-.PHONY: build_% binary_%

debian/signing_templates/source/format

@@ -1 +0,0 @@
-3.0 (native)

debian/templates/config.control.in

@@ -6,8 +6,7 @@ Multi-Arch: same
 Depends: ${misc:Depends}
 Recommends: @source_basename@-source-@version@
 Description: Debian kernel configurations for Linux @version@
- This package contains the configuration files used to build the
- official Debian kernel files, but without references to Debian's
- signing certificates.
+ This package contains the configuration files used to build kernel
+ files.
  .
  These can be used as a basis for configuring custom kernels.

debian/templates/headers.control.in

@@ -3,7 +3,7 @@ Meta-Rules-Target: headers
 Build-Profiles: <!pkg.linux.nokernel>
 Depends:
  linux-headers-@abiname@-common@localversion_headers@ (= ${source:Version}),
- linux-image-@abiname@@localversion@ (= ${binary:Version}) | linux-image-@abiname@@localversion@-unsigned (= ${binary:Version}),
+ linux-image-@abiname@@localversion@ (= ${binary:Version}),
  linux-kbuild-@abiname@,
  ${misc:Depends}
 Description: Header files for Linux @abiname@@localversion@

debian/templates/image-unsigned.NEWS.j2

@@ -1 +0,0 @@
-image.NEWS.j2

debian/templates/image-unsigned.control.in

@@ -1,11 +0,0 @@
-Package: linux-image-@abiname@@localversion@-unsigned
-Meta-Rules-Target: image
-Build-Profiles: <!pkg.linux.nokernel>
-Build-Depends:
- kmod,
-Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
-Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
-Conflicts: linux-image-@abiname@@localversion@
-Replaces: linux-image-@abiname@@localversion@
-Description: Linux @upstreamversion@ for @class@
- The Linux kernel @upstreamversion@ and modules for use on @longclass@.

debian/templates/image-unsigned.lintian-overrides.j2

@@ -1 +0,0 @@
-image.lintian-overrides.j2

debian/templates/image-unsigned.postinst.in

@@ -1 +0,0 @@
-image.postinst.in

debian/templates/image-unsigned.postrm.in

@@ -1 +0,0 @@
-image.postrm.in

debian/templates/image-unsigned.preinst.in

@@ -1 +0,0 @@
-image.preinst.in

debian/templates/image-unsigned.prerm.in

@@ -1 +0,0 @@
-image.prerm.in

debian/templates/signed-template.control.in

@@ -1,7 +0,0 @@
-Package: linux-image@source_suffix@-@arch@-signed-template
-Meta-Rules-Target: signed-template
-Build-Profiles: <!pkg.linux.nokernel>
-Depends: dpkg-dev, python3:any, ${misc:Depends}
-Description: Template for signed linux-image packages for @arch@
- This package is used to control code signing by the Debian signing
- service.

debian/templates/signed-template.lintian-overrides.in

@@ -1 +0,0 @@
-linux-image@source_suffix@-@arch@-signed-template: script-not-executable

debian/templates/signed.headers.meta.control.in

@@ -1 +0,0 @@
-headers.meta.control.in

debian/templates/signed.headers.meta.lintian-overrides.in

@@ -1,3 +0,0 @@
-# linux-signed-* source packages are generated by the linux source
-# package, so it is OK for their binaries to share documentation
-@package@: usr-share-doc-symlink-to-foreign-package linux-headers-@abiname@@localversion@

debian/templates/signed.headers.meta.maintscript.in

@@ -1 +0,0 @@
-headers.meta.maintscript.in

debian/templates/signed.image.NEWS.j2

@@ -1 +0,0 @@
-image.NEWS.j2

debian/templates/signed.image.control.in

@@ -1,19 +0,0 @@
-Package: linux-image-@abiname@@localversion@
-Meta-Rules-Target: image
-Meta-Sign-Package: linux-image-@abiname@@localversion@-unsigned
-Meta-Sign-Files: boot/@image-stem@-@abiname@@localversion@:efi
-Build-Profiles: <!pkg.linux.nokernel>
-Build-Depends:
- linux-image-@abiname@@localversion@-unsigned (= @signedtemplate_binaryversion@),
- kmod,
-# Used by debian/signing_templates/rules.real
- rsync,
-Built-Using: @source_basename@@source_suffix@ (= @version_complete@)
-Depends: kmod, linux-base (>= 4.3~), ${misc:Depends}
-Conflicts: linux-image-@abiname@@localversion@-unsigned
-Replaces: linux-image-@abiname@@localversion@-unsigned
-Suggests: firmware-linux-free, linux-doc-@version@, debian-kernel-handbook
-Description: Linux @upstreamversion@ for @class@ (signed)
- The Linux kernel @upstreamversion@ and modules for use on @longclass@.
- .
- The kernel image is signed for use with Secure Boot.

debian/templates/signed.image.postinst.in

@@ -1 +0,0 @@
-image.postinst.in

debian/templates/signed.image.postrm.in

@@ -1 +0,0 @@
-image.postrm.in

debian/templates/signed.image.preinst.in

@@ -1 +0,0 @@
-image.preinst.in

debian/templates/signed.image.prerm.in

@@ -1 +0,0 @@
-image.prerm.in

debian/templates/signed.source.control.in

@@ -1,14 +0,0 @@
-Source: linux-signed@source_suffix@-@arch@
-Section: kernel
-Priority: optional
-Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
-Uploaders: Bastian Blank <waldi@debian.org>, maximilian attems <maks@debian.org>, Ben Hutchings <benh@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
-Standards-Version: 4.2.0
-Build-Depends:
- debhelper-compat (= 13),
- python3:any,
- sbsigntool [amd64 arm64],
-Rules-Requires-Root: no
-Vcs-Git: https://salsa.debian.org/kernel-team/linux.git
-Vcs-Browser: https://salsa.debian.org/kernel-team/linux
-Homepage: https://www.kernel.org/

debian/templates/signed.source.lintian-overrides.in

@@ -1,7 +0,0 @@
-# linux-signed-* source packages are generated by the linux source
-# package, and produce binaries with the same versions, even in case
-# of a binNMU of linux
-linux-signed-@arch@ source: version-substvar-for-external-package Depends *${binary:Version} linux-headers-* -> linux-headers-*
-
-# The changelog is mostly copied from linux which is non-native
-linux-signed-@arch@ source: odd-historical-debian-changelog-version * (for native)*