UBUNTU: [Packaging] signing -- switch to linux-image as signed when available

When we are signing for an architecture switch to producing a linux-image-unsigned package from the primary source. linux-signed will then produce the linux-image package which will be signed. We expect all consumers to use the signed form even if they are not utilising the signature. BugLink: http://bugs.launchpad.net/bugs/1764794Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

UBUNTU: [Packaging] signing -- switch to linux-image as signed when available
When we are signing for an architecture switch to producing a linux-image-unsigned package from the primary source. linux-signed will then produce the linux-image package which will be signed. We expect all consumers to use the signed form even if they are not utilising the signature. BugLink: http://bugs.launchpad.net/bugs/1764794Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
00997cf9 · Andy Whitcroft · Juerg Haefliger · 8cd938a7 · 00997cf9 · 00997cf9
Commit 00997cf9 authored Aug 04, 2017 by Andy Whitcroft Committed by Juerg Haefliger Feb 06, 2019
6 changed files
--- a/debian.master/control.d/flavour-control.stub
+++ b/debian.master/control.d/flavour-control.stub
@@ -21,20 +21,36 @@
 #
 # XXX: Leave the blank line before the first package!!
-Package: linux-image-PKGVER-ABINUM-FLAVOUR
+Package: linux-image=SIGN-ME-PKG=-PKGVER-ABINUM-FLAVOUR
 Build-Profiles: <!stage1>
 Architecture: ARCH
 Section: kernel
 Priority: optional
 Provides: linux-image, fuse-module, =PROVIDES=${linux:rprovides}
-Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base
+Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base, linux-modules-PKGVER-ABINUM-FLAVOUR
 Recommends: BOOTLOADER, initramfs-tools | linux-initramfs-tool
+Conflicts: linux-image=SIGN-PEER-PKG=-PKGVER-ABINUM-FLAVOUR
 Suggests: fdutils, SRCPKGNAME-doc-PKGVER | SRCPKGNAME-source-PKGVER, SRCPKGNAME-tools, linux-headers-PKGVER-ABINUM-FLAVOUR
 Description: Linux kernel image for version PKGVER on DESC
- This package contains the Linux kernel image for version PKGVER on
+ This package contains the=SIGN-ME-TXT= Linux kernel image for version PKGVER on
 DESC.
 .
- Also includes the corresponding System.map file, the modules built by the
+ Supports SUPPORTED processors.
+ .
+ TARGET
+ .
+ You likely do not want to install this package directly. Instead, install
+ the linux-FLAVOUR meta-package, which will ensure that upgrades work
+ correctly, and that supporting packages are also installed.
+Package: linux-modules-PKGVER-ABINUM-FLAVOUR
+Build-Profiles: <!stage1>
+Architecture: ARCH
+Section: kernel
+Priority: optional
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: Linux kernel extra modules for version PKGVER on DESC
+ Contains the corresponding System.map file, the modules built by the
 packager, and scripts that try to ensure that the system is not left in an
 unbootable state after an update.
 .
@@ -46,12 +62,12 @@ Description: Linux kernel image for version PKGVER on DESC
 the linux-FLAVOUR meta-package, which will ensure that upgrades work
 correctly, and that supporting packages are also installed.
-Package: linux-image-extra-PKGVER-ABINUM-FLAVOUR
+Package: linux-modules-extra-PKGVER-ABINUM-FLAVOUR
 Build-Profiles: <!stage1>
 Architecture: ARCH
 Section: kernel
 Priority: optional
-Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-PKGVER-ABINUM-FLAVOUR, crda | wireless-crda
+Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-PKGVER-ABINUM-FLAVOUR | linux-image-unsigned-PKGVER-ABINUM-FLAVOUR, crda | wireless-crda
 Description: Linux kernel extra modules for version PKGVER on DESC
 This package contains the Linux kernel extra modules for version PKGVER on
 DESC.
@@ -82,7 +98,7 @@ Description: Linux kernel headers for version PKGVER on DESC
 This is for sites that want the latest kernel headers.  Please read
 /usr/share/doc/linux-headers-PKGVER-ABINUM/debian.README.gz for details.
-Package: linux-image-PKGVER-ABINUM-FLAVOUR-dbgsym
+Package: linux-image=SIGN-ME-PKG=-PKGVER-ABINUM-FLAVOUR-dbgsym
 Build-Profiles: <!stage1>
 Architecture: ARCH
 Section: devel
@@ -90,7 +106,7 @@ Priority: optional
 Depends: ${misc:Depends}
 Provides: linux-debug
 Description: Linux kernel debug image for version PKGVER on DESC
- This package provides a kernel debug image for version PKGVER on
+ This package provides the=SIGN-ME-TXT= kernel debug image for version PKGVER on
 DESC.
 .
 This is for sites that wish to debug the kernel.

--- a/debian/rules
+++ b/debian/rules
@@ -43,6 +43,14 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
 	do_zfs=false
 endif
+# Are any of the kernel signing options enabled.
+any_signed=$(sort $(filter-out false,$(uefi_signed)))
+ifeq ($(any_signed),true)
+bin_pkg_name=$(bin_pkg_name_unsigned)
+else
+bin_pkg_name=$(bin_pkg_name_signed)
+endif
 # Stages -- support both DEB_STAGE=stage1 and DEB_BUILD_PROFILE=bootstrap
 ifeq ($(DEB_STAGE),stage1)
    DEB_BUILD_PROFILES=stage1
@@ -161,7 +169,7 @@ $(DEBIAN)/control.stub: $(DEBIAN)/d-i/kernel-versions.in	\
 	done
 	flavours="$(sort $(wildcard $(DEBIAN)/control.d/vars.* $(DEBIAN)/sub-flavours/*.vars))";\
 	for i in $$flavours; do							\
-	  $(SHELL) $(DROOT)/scripts/control-create $$i |				\
+	  $(SHELL) $(DROOT)/scripts/control-create $$i "$(any_signed)" |	\
 		sed -e 's/PKGVER/$(release)/g'                                  \
 		-e 's/ABINUM/$(abinum)/g'                                       \
 		-e 's/SRCPKGNAME/$(src_pkg_name)/g'                             \

--- a/debian/rules.d/0-common-vars.mk
+++ b/debian/rules.d/0-common-vars.mk
@@ -124,8 +124,10 @@ stampdir	:= $(CURDIR)/debian/stamps
 # are places that you'll find linux-image hard coded, but I guess thats OK since the
 # assumption that the binary package always starts with linux-image will never change.
 #
-bin_pkg_name=linux-image-$(abi_release)
+bin_pkg_name_signed=linux-image-$(abi_release)
-extra_pkg_name=linux-image-extra-$(abi_release)
+bin_pkg_name_unsigned=linux-image-unsigned-$(abi_release)
+mods_pkg_name=linux-modules-$(abi_release)
+mods_extra_pkg_name=linux-modules-extra-$(abi_release)
 hdrs_pkg_name=linux-headers-$(abi_release)
 indep_hdrs_pkg_name=$(src_pkg_name)-headers-$(abi_release)

--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -94,8 +94,9 @@ define install_control =
 endef
 # Install the finished build
-install-%: pkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$*
+install-%: pkgdir_bin = $(CURDIR)/debian/$(bin_pkg_name)-$*
-install-%: pkgdir_ex = $(CURDIR)/debian/$(extra_pkg_name)-$*
+install-%: pkgdir = $(CURDIR)/debian/$(mods_pkg_name)-$*
+install-%: pkgdir_ex = $(CURDIR)/debian/$(mods_extra_pkg_name)-$*
 install-%: bindoc = $(pkgdir)/usr/share/doc/$(bin_pkg_name)-$*
 install-%: dbgpkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$*-dbgsym
 install-%: signingv = $(CURDIR)/debian/$(bin_pkg_name)-signing/$(release)-$(revision)
@@ -122,6 +123,7 @@ install-%: checks-%
 	dh_testdir
 	dh_testroot
 	dh_clean -k -p$(bin_pkg_name)-$*
+	dh_clean -k -p$(mods_pkg_name)-$*
 	dh_clean -k -p$(hdrs_pkg_name)-$*
 ifneq ($(skipdbg),true)
 	dh_clean -k -p$(dbg_pkg_name)-$*
@@ -132,25 +134,26 @@ endif
 	# generate a zImage automatically out of the box
 ifeq ($(compress_file),)
 	install -m600 -D $(builddir)/build-$*/$(kernfile) \
-		$(pkgdir)/boot/$(instfile)-$(abi_release)-$*
+		$(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*
 else
-	install -d $(pkgdir)/boot
+	install -d $(pkgdir_bin)/boot
 	gzip -c9v $(builddir)/build-$*/$(kernfile) > \
-		$(pkgdir)/boot/$(instfile)-$(abi_release)-$*
+		$(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*
-	chmod 600 $(pkgdir)/boot/$(instfile)-$(abi_release)-$*
+	chmod 600 $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*
 endif
 ifeq ($(uefi_signed),true)
 	install -d $(signingv)
 	# Check to see if this supports handoff, if not do not sign it.
 	# Check the identification area magic and version >= 0x020b
-	handoff=`dd if="$(pkgdir)/boot/$(instfile)-$(abi_release)-$*" bs=1 skip=514 count=6 2>/dev/null | od -s | gawk '($$1 == 0 && $$2 == 25672 && $$3 == 21362 && $$4 >= 523) { print "GOOD" }'`; \
+	handoff=`dd if="$(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*" bs=1 skip=514 count=6 2>/dev/null | od -s | gawk '($$1 == 0 && $$2 == 25672 && $$3 == 21362 && $$4 >= 523) { print "GOOD" }'`; \
 	if [ "$$handoff" = "GOOD" ]; then \
-		cp -p $(pkgdir)/boot/$(instfile)-$(abi_release)-$* \
+		cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
 			$(signingv)/$(instfile)-$(abi_release)-$*.efi; \
 	fi
 endif
+	install -d $(pkgdir)/boot
 	install -m644 $(builddir)/build-$*/.config \
 		$(pkgdir)/boot/config-$(abi_release)-$*
 	install -m644 $(abidir)/$* \
@@ -242,11 +245,11 @@ endif
 	echo "interest linux-update-$(abi_release)-$*" >"$(DROOT)/$(bin_pkg_name)-$*.triggers"
 	$(call install_control,$(bin_pkg_name)-$*,image,postinst postrm preinst prerm)
+	$(call install_control,$(mods_pkg_name)-$*,extra,postinst postrm)
 ifeq ($(do_extras_package),true)
 	# Install the postinit/postrm scripts in the extras package.
 	if [ -f $(DEBIAN)/control.d/$(target_flavour).inclusion-list ] ; then	\
-		$(call install_control,$(extra_pkg_name)-$*,extra,postinst postrm); \
+		$(call install_control,$(mods_extra_pkg_name)-$*,extra,postinst postrm); \
 	fi
 endif
@@ -440,7 +443,8 @@ endif
 endif
 binary-%: pkgimg = $(bin_pkg_name)-$*
-binary-%: pkgimg_ex = $(extra_pkg_name)-$*
+binary-%: pkgimg_mods = $(mods_pkg_name)-$*
+binary-%: pkgimg_ex = $(mods_extra_pkg_name)-$*
 binary-%: pkghdr = $(hdrs_pkg_name)-$*
 binary-%: dbgpkg = $(bin_pkg_name)-$*-dbgsym
 binary-%: dbgpkgdir = $(CURDIR)/debian/$(bin_pkg_name)-$*-dbgsym
@@ -463,6 +467,16 @@ binary-%: install-%
 	dh_md5sums -p$(pkgimg)
 	dh_builddeb -p$(pkgimg) -- -Zbzip2 -z9
+	dh_installchangelogs -p$(pkgimg_mods)
+	dh_installdocs -p$(pkgimg_mods)
+	dh_compress -p$(pkgimg_mods)
+	dh_fixperms -p$(pkgimg_mods) -X/boot/
+	dh_installdeb -p$(pkgimg_mods)
+	dh_shlibdeps -p$(pkgimg_mods) $(shlibdeps_opts)
+	$(lockme) dh_gencontrol -p$(pkgimg_mods)
+	dh_md5sums -p$(pkgimg_mods)
+	dh_builddeb -p$(pkgimg_mods)
 ifeq ($(do_extras_package),true)
 	if [ -f $(DEBIAN)/control.d/$(target_flavour).inclusion-list ] ; then \
 		dh_installchangelogs -p$(pkgimg_ex); \
@@ -701,9 +715,9 @@ binary-debs: signingv = $(CURDIR)/debian/$(bin_pkg_name)-signing/$(release)-$(re
 binary-debs: signing_tar = $(src_pkg_name)_$(release)-$(revision)_$(arch).tar.gz
 binary-debs: binary-perarch $(addprefix binary-,$(flavours))
 	@echo Debug: $@
-ifeq ($(uefi_signed),true)
+ifeq ($(any_signed),true)
 	install -d $(signingv)/control
-	{ echo "tarball"; echo "signed-only"; } >$(signingv)/control/options
+	{ echo "tarball"; } >$(signingv)/control/options
 	cd $(signing) && tar czvf ../../../$(signing_tar) .
 	dpkg-distaddfile $(signing_tar) raw-signing -
 endif

--- a/debian/rules.d/5-udebs.mk
+++ b/debian/rules.d/5-udebs.mk
@@ -14,14 +14,17 @@ do-binary-udebs: debian/control
 	# unpack the kernels into a temporary directory
 	mkdir -p debian/d-i-${arch}
-	imagelist=$$(cat $(builddir)/kernel-versions | grep ^${arch} | gawk '{print $$4}') && \
+	imagelist=$$(cat $(CURDIR)/$(DEBIAN)/d-i/kernel-versions | grep ^${arch} | gawk '{print $$3}') && \
-	for i in $$imagelist; do \
+	for f in $$imagelist; do \
-	  dpkg -x $$(ls ../linux-image-$$i\_$(release)-$(revision)_${arch}.deb) \
+	  i=$(release)-$(abinum)-$$f; \
-		debian/d-i-${arch}; \
+          for f in \
-	  if [ -f ../linux-image-extra-$$i\_$(release)-$(revision)_${arch}.deb ] ; then \
+		../linux-image-$$i\_$(release)-$(revision)_${arch}.deb \
-	    dpkg -x ../linux-image-extra-$$i\_$(release)-$(revision)_${arch}.deb \
+		../linux-image-unsigned-$$i\_$(release)-$(revision)_${arch}.deb \
-		  debian/d-i-${arch}; \
+		../linux-modules-$$i\_$(release)-$(revision)_${arch}.deb \
-	  fi; \
+		../linux-modules-extra-$$i\_$(release)-$(revision)_${arch}.deb; \
+	  do \
+		  [ -f $$f ] && dpkg -x $$f debian/d-i-${arch}; \
+	  done; \
 	  /sbin/depmod -b debian/d-i-${arch} $$i; \
 	done

--- a/debian/scripts/control-create
+++ b/debian/scripts/control-create
@@ -3,18 +3,28 @@
 . debian/debian.env
 vars=$1
+any_signed=$2
 . $vars
 if [ "$is_sub" = "" ]; then
 	flavour=$(basename $vars | sed 's/.*\.//')
 	stub=${DEBIAN}/control.d/flavour-control.stub
+	if [ "$any_signed" = 'true' ]; then
+		sign_me_pkg="-unsigned"
+		sign_me_txt=" unsigned"
+		sign_peer_pkg=""
+	else
+		sign_me_pkg=""
+		sign_me_txt=""
+		sign_peer_pkg="-unsigned"
+	fi
 else
 	flavour=$(basename $vars .vars)
 	stub=${DEBIAN}/sub-flavours/control.stub
 fi
-cat $stub | grep -v '^#' | sed			\
+cat $stub | grep -v '^#' | sed \
 	-e "s#FLAVOUR#$flavour#g"		\
 	-e "s#DESC#$desc#g"			\
 	-e "s#ARCH#$arch#g"			\
@@ -22,4 +32,7 @@ cat $stub | grep -v '^#' | sed			\
 	-e "s#TARGET#$target#g"			\
 	-e "s#BOOTLOADER#$bootloader#g" 	\
 	-e "s#=PROVIDES=#$provides#g"		\
-	-e "s#=CONFLICTS=#$conflicts#g"
+	-e "s#=CONFLICTS=#$conflicts#g"		\
+	-e "s#=SIGN-ME-PKG=#$sign_me_pkg#g"	\
+	-e "s#=SIGN-ME-TXT=#$sign_me_txt#g"	\
+	-e "s#=SIGN-PEER-PKG=#$sign_peer_pkg#g"