Make linux, grub2 and fwupdate publish their signatures by calling
byhand-code-sign, as each of them is supposed to have a *-signed version

Contributions:
        Ben Hutchings <b...@decadent.org.uk>

---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

To test it, after building the package (grub, linux or fwupdate) create
a file called ${package}-code-sign_${version}_${arch}.tar.xz
with the efi images or kernel modules to be signed

After building the package, add the file in the changes file:

> changestool ${package}-code-sign_${version}_${arch}.changes addrawfile 
> ${package}-code-sign_${version}_${arch}.tar.xz

Edit the .changes file to replace the double dashes by "byhand optional"

> sed -i -e "s/- - ${package}-code-sign_${version}_${arch}.tar.xz/byhand 
> optional ${package}-code-sign_${version}_${arch}.tar.xz/g" 
> ${package}-code-sign_${version}_${arch}.changes

Sign the .changes file
> gpg --clearsign ${package}-code-sign_${version}_${arch}.changes
> mv ${package}-code-sign_${version}_${arch}.changes.asc 
> ${package}-code-sign_${version}_${arch}.changes

Add to uncheck queue
> cp -r ../* /srv/dak/queue/unchecked/

Process the package
> dak process-upload -d /srv/dak/queue/unchecked

Changes since last version:
        No changes

---
 config/debian-security/dak.conf | 24 ++++++++++++++++++++++++
 config/debian/dak.conf          | 21 +++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f342a55..dbf5395 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -127,6 +127,30 @@ SuiteMappings
   "reject oldoldstable";
 };
 
+AutomaticByHandPackages
+{
+  "linux-code-sign" {
+    Source "linux";
+    Section "byhand";
+    Extension "tar.xz";
+    Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+    Source "grub2";
+    Section "byhand";
+    Extension "tar.xz";
+    Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+    Source "fwupdate";
+    Section "byhand";
+    Extension "tar.xz";
+    Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+};
+
 Dir
 {
   Base "/srv/security-master.debian.org/";
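Review bot: The three new stanzas hand an uploaded `*-code-sign` tar.xz to `byhand-code-sign` automatically, but nothing in the config records what that script must check before signatures are published. The script is not part of this hunk, so its validation cannot be confirmed from here. I would add a comment above `AutomaticByHandPackages`, for example `// byhand-code-sign receives the uploaded tar.xz as untrusted input: it must validate archive member paths and types before anything is signed.` The stanzas match on Source, Section and Extension only, so it is also worth confirming that the .changes signature has been verified against the upload keyring before the script runs. The same applies to the three stanzas added in config/debian/dak.conf.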
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 10322cc..6de05f2 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -185,6 +185,27 @@ AutomaticByHandPackages {
     Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di";
   };
 
+  "linux-code-sign" {
+    Source "linux";
+    Section "byhand";
+    Extension "tar.xz";
+    Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+    Source "grub2";
+    Section "byhand";
+    Extension "tar.xz";
+    Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+    Source "fwupdate";
+    Section "byhand";
+    Extension "tar.xz";
+    Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
   "tag-overrides" {
     Source "tag-overrides";
     Section "byhand";
-- 
2.7.4
