tags 725803 + patch
user reproducible-builds@lists.alioth.debian.org
usertags 725803 + signature
thanks

Ben Hutchings:
> It is true that this package cannot be auto-built, but it does not
> need to be.  This is explained in debian/README.source.

A way to make the package build reproducibly, the database could be
built and signed once during the clean target (or another target). The
signature could then be shipped as part of the source package, and
re-inserted during the build.

The attached patch implements this solution. The package should then be
auto-buildable in a reproducible manner.

-- 
Lunar                                .''`. 
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
From 2eb8fed0af2efd51c3a9ff1f1984335212022f4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Bobbio?= <lu...@debian.org>
Date: Mon, 9 Feb 2015 19:52:17 +0100
Subject: [PATCH] Allow the package to be built reproducibly

As wireless-regdb requires a signature, it needs to be recorded
during the first build and copied as is on subsequent rebuilds.

In order to do so, we first patch db2bin.py to allow saving and
re-using a signature. Then, another patch will make the Makefile
use an intermediate signature file.

Finally, the clean rule is modified to refresh the signature if
required.
---
 .gitignore                                         |  2 +
 ...nable_recording_and_using_an_external_signature | 93 ++++++++++++++++++++++
 debian/patches/series                              |  2 +
 debian/patches/split_signature_generation          | 43 ++++++++++
 debian/rules                                       | 15 +++-
 5 files changed, 154 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/enable_recording_and_using_an_external_signature
 create mode 100644 debian/patches/split_signature_generation

diff --git a/.gitignore b/.gitignore
index 2011007..7046ec5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ dbparse.pyc
 *.pub.pem
 regulatory.bin
 sha1sum.txt
+signature
+debian/signature.b64
diff --git a/debian/patches/enable_recording_and_using_an_external_signature b/debian/patches/enable_recording_and_using_an_external_signature
new file mode 100644
index 0000000..2a72de8
--- /dev/null
+++ b/debian/patches/enable_recording_and_using_an_external_signature
@@ -0,0 +1,93 @@
+From: Jérémy Bobbio <lu...@debian.org>
+Subject: [PATCH] Enable recording and using an external signature
+
+To make wireless-regdb build reproducibly, we need a way to save
+the signature of the database to an external file and later reuse
+it instead of requiring the private key.
+
+diff --git a/db2bin.py b/db2bin.py
+index 41d3741..0ae01f3 100755
+--- a/db2bin.py
++++ b/db2bin.py
+@@ -11,6 +11,8 @@ VERSION = 19
+ 
+ if len(sys.argv) < 3:
+     print 'Usage: %s output-file input-file [key-file]' % sys.argv[0]
++    print '       %s -s signature-file input-file key-file' % sys.argv[0]
++    print '       %s -i signature-file output-file input-file' % sys.argv[0]
+     sys.exit(2)
+ 
+ def create_rules(countries):
+@@ -48,8 +50,27 @@ class PTR(object):
+     def get(self):
+         return self._offset
+ 
++if sys.argv[1] == '-s':
++    signature_path = sys.argv[2]
++    input_path = sys.argv[3]
++    output_path = None
++    key_path = sys.argv[4]
++elif sys.argv[1] == '-i':
++    signature_path = sys.argv[2]
++    output_path = sys.argv[3]
++    input_path = sys.argv[4]
++    key_path = None
++else:
++    signature_path = None
++    output_path = sys.argv[1]
++    input_path = sys.argv[2]
++    if len(sys.argv) > 3:
++        key_path = sys.argv[3]
++    else:
++        key_path = None
++
+ p = DBParser()
+-countries = p.parse(file(sys.argv[2]))
++countries = p.parse(file(input_path))
+ power = []
+ bands = []
+ for c in countries.itervalues():
+@@ -118,28 +139,37 @@ for alpha2 in countrynames:
+     # struct regdb_file_reg_country
+     output.write(struct.pack('>ccxBI', str(alpha2[0]), str(alpha2[1]), coll.dfs_region, reg_rules_collections[coll.permissions]))
+ 
+-
+-if len(sys.argv) > 3:
++if key_path:
+     # Load RSA only now so people can use this script
+     # without having those libraries installed to verify
+     # their SQL changes
+     from M2Crypto import RSA
+ 
+     # determine signature length
+-    key = RSA.load_key(sys.argv[3])
++    key = RSA.load_key(key_path)
+     hash = hashlib.sha1()
+     hash.update(output.getvalue())
+     sig = key.sign(hash.digest())
+-    # write it to file
+     siglen.set(len(sig))
++
+     # sign again
+     hash = hashlib.sha1()
+     hash.update(output.getvalue())
+     sig = key.sign(hash.digest())
+ 
++    if output_path:
++        output.write(sig)
++    else:
++        with file(signature_path, 'w') as sigfile:
++            sigfile.write(sig)
++elif signature_path and output_path:
++    with file(signature_path) as sigfile:
++      sig = sigfile.read()
++    siglen.set(len(sig))
+     output.write(sig)
+ else:
+     siglen.set(0)
+ 
+-outfile = open(sys.argv[1], 'w')
+-outfile.write(output.getvalue())
++if output_path:
++    outfile = open(output_path, 'w')
++    outfile.write(output.getvalue())
diff --git a/debian/patches/series b/debian/patches/series
index e7980ae..85de9e4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 dont_auto_create_keypair
+enable_recording_and_using_an_external_signature
+split_signature_generation
 keep-setting-NO_IBSS-flag.patch
diff --git a/debian/patches/split_signature_generation b/debian/patches/split_signature_generation
new file mode 100644
index 0000000..823aedb
--- /dev/null
+++ b/debian/patches/split_signature_generation
@@ -0,0 +1,43 @@
+From: Jérémy Bobbio <lu...@debian.org>
+Subject: [PATCH] Split signature generation
+
+Now that db2bin.py supports recording a signature to re-use it later,
+we now split the generation of regulatory.bin to create an intermediate
+signature.
+
+The signature can then be shipped in the source to allow the build
+to be reproduced by independent parties.
+
+Index: git/Makefile
+===================================================================
+--- git.orig/Makefile	2015-02-09 22:37:40.766075931 +0100
++++ git/Makefile	2015-02-09 22:38:53.174661350 +0100
+@@ -36,10 +36,11 @@
+ 
+ REGDB_CHANGED = $(shell $(SHA1SUM) -c --status sha1sum.txt >/dev/null 2>&1; \
+         if [ $$? -ne 0 ]; then \
+-                echo maintainer-clean $(REGDB_PUBKEY); \
++                echo maintainer-clean; \
+         fi)
+ 
+ .PHONY: all clean mrproper install maintainer-clean install-distro-key
++.SECONDARY: $(REGDB_PRIVKEY) $(REGDB_PUBKEY)
+ 
+ all: $(REGDB_CHANGED) regulatory.bin sha1sum.txt
+ 
+@@ -53,9 +54,12 @@
+ 	@echo Removed public key, regulatory.bin and compresed man pages
+ 	@rm -f $(REGDB_PUBKEY) .custom
+ 
+-regulatory.bin: db.txt $(REGDB_PRIVKEY) $(REGDB_PUBKEY)
+-	@echo Generating $@ digitally signed by $(REGDB_AUTHOR)...
+-	./db2bin.py regulatory.bin db.txt $(REGDB_PRIVKEY)
++regulatory.bin: db.txt signature
++	./db2bin.py -i signature regulatory.bin db.txt
++
++signature: db.txt $(REGDB_PRIVKEY) $(REGDB_PUBKEY)
++	@echo Generating signature by $(REGDB_AUTHOR)...
++	./db2bin.py -s signature db.txt $(REGDB_PRIVKEY)
+ 
+ sha1sum.txt: db.txt
+ 	sha1sum $< > $@
diff --git a/debian/rules b/debian/rules
index 395f37c..a51fce4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -14,6 +14,19 @@ override_dh_install:
 # crda will install public keys
 	rm -r debian/wireless-regdb/lib/crda/pubkeys
 
+override_dh_auto_configure:
+	python -c 'import base64; print base64.b64decode(open("debian/signature.b64").read())' \
+		> signature
+
 override_dh_auto_clean:
-	dh_auto_clean -- mrproper
+	dh_auto_clean -- maintainer-clean
+	set -e && \
+	if [ -f $(HOME)/.wireless-regdb-$(REGDB_AUTHOR).key.priv.pem ]; then \
+		make signature; \
+		python -c 'import base64; print base64.b64encode(open("signature").read())' \
+			> debian/signature.b64; \
+		rm -f signature; \
+	fi
 	rm -f sha1sum.txt
+	rm -f .custom $(REGDB_AUTHOR).key.pub.pem
+	rm -f dbparse.pyc
-- 
1.9.1

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

Reply via email to