Bug#973692: thunderbird: I can't resize the window, part is hidden, can't read emails

2020-11-03 Thread Helen Koike 
Package: thunderbird
Version: 1:78.4.0-1
Followup-For: Bug #973692

Dear Maintainer,

I see the same error reported here:

> xprop -name " - Mozilla Thunderbird" WM_NORMAL_HINTS
WM_NORMAL_HINTS(WM_SIZE_HINTS):
program specified minimum size: 1014 by 1829
program specified maximum size: 32766 by 32766
program specified base size: 1014 by 1829
window gravity: NorthWest

I can't reduce vertically the size of the window, it hides part of the
window and I can't read part of my email.

Maybe this is related to these issues reported upstream:

https://bugzilla.mozilla.org/show_bug.cgi?id=1674990
https://bugzilla.mozilla.org/show_bug.cgi?id=1674998

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii  debianutils 4.11.2
ii  fontconfig  2.13.1-4.2
ii  libatk1.0-0 2.36.0-2
ii  libbotan-2-15   2.15.0+dfsg-2+b1
ii  libbz2-1.0  1.0.8-4
ii  libc6   2.31-4
ii  libcairo-gobject2   1.16.0-4
ii  libcairo2   1.16.0-4
ii  libdbus-1-3 1.12.20-1
ii  libdbus-glib-1-20.110-5
ii  libevent-2.1-7  2.1.12-stable-1
ii  libffi7 3.3-4
ii  libfontconfig1  2.13.1-4.2
ii  libfreetype62.10.2+dfsg-4
ii  libgcc-s1   10.2.0-16
ii  libgdk-pixbuf2.0-0  2.40.0+dfsg-5
ii  libglib2.0-02.66.2-1
ii  libgtk-3-0  3.24.23-2
ii  libicu6767.1-4
ii  libjson-c5  0.15-1
ii  libnspr42:4.29-1
ii  libnss3 2:3.58-1
ii  libpango-1.0-0  1.46.2-1
ii  libstdc++6  10.2.0-16
ii  libvpx6 1.8.2-1
ii  libx11-62:1.6.12-1
ii  libx11-xcb1 2:1.6.12-1
ii  libxcb-shm0 1.14-2
ii  libxcb1 1.14-2
ii  libxext62:1.3.3-1+b2
ii  libxrender1 1:0.9.10-1
ii  psmisc  23.3-1
ii  x11-utils   7.7+5
ii  zlib1g  1:1.2.11.dfsg-2

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  1:2019.10.06-1

Versions of packages thunderbird suggests:
ii  apparmor  2.13.5-1
ii  fonts-lyx 2.3.5.2-1
ii  libgssapi-krb5-2  1.17-10
ii  libgtk2.0-0   2.24.32-4

-- no debconf information

Bug#956559: gdm3: Login screen buttons aren't clickable

2020-04-12 Thread Helen Koike 
Package: gdm3
Version: 3.34.1-3
Severity: important

Dear Maintainer,

In my gdm3 screen:

https://people.collabora.com/~koike/gdm3-screen.jpeg

Clicking on buttons on top won't do anything, and when selecting a
user, clicking in the gear button to select a Desktop Environment also
doesn't do anything (which is particularly annoying since I would like to
switch between Gnome, Gnome on Xorg, Xfce and others).

Also, when I press enter on top of an user to add my password, the "Not listed?"
appears in front as shown here 
https://people.collabora.com/~koike/gdm3-screen-not-listed.jpeg

I can type my password and login normally, but it would be nice to easily switch
desktop environment.

I tried switching from Wayland to Xorg by editing /etc/gdm3/daemon.conf with
WaylandEnable=false
But I get the same results.

The command:
sudo journalctl -b -g gdm 
doesn't seem to show anything relevant http://ix.io/2hMK

Please let me know where I can find relevant logs, or how I can get more 
information
to help debug this.

Thanks a lot for your work as a maintainer.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gdm3 depends on:
ii  accountsservice   0.6.55-1
ii  adduser   3.118
ii  dconf-cli 0.36.0-1
ii  dconf-gsettings-backend   0.36.0-1
ii  debconf [debconf-2.0] 1.5.73
ii  gir1.2-gdm-1.03.34.1-3
ii  gnome-session [x-session-manager] 3.36.0-2
ii  gnome-session-bin 3.36.0-2
ii  gnome-settings-daemon 3.36.0-1
ii  gnome-shell   3.36.1-5
ii  gnome-terminal [x-terminal-emulator]  3.36.1.1-2
ii  gsettings-desktop-schemas 3.36.0-1
ii  libaccountsservice0   0.6.55-1
ii  libaudit1 1:2.8.5-3
ii  libc6 2.30-4
ii  libcanberra-gtk3-00.30-7
ii  libcanberra0  0.30-7
ii  libgdk-pixbuf2.0-02.40.0+dfsg-4
ii  libgdm1   3.34.1-3
ii  libglib2.0-0  2.64.1-1
ii  libglib2.0-bin2.64.1-1
ii  libgtk-3-03.24.18-1
ii  libkeyutils1  1.6.1-2
ii  libpam-modules1.3.1-5
ii  libpam-runtime1.3.1-5
ii  libpam-systemd245.4-3
ii  libpam0g  1.3.1-5
ii  librsvg2-common   2.48.2-1
ii  libselinux1   3.0-1+b2
ii  libsystemd0   245.4-3
ii  libwrap0  7.6.q-30
ii  libx11-6  2:1.6.9-2
ii  libxau6   1:1.0.8-1+b2
ii  libxcb1   1.14-2
ii  libxdmcp6 1:1.1.2-3
ii  lsb-base  11.1.0
ii  mutter [x-window-manager] 3.36.1-4
ii  policykit-1   0.105-26
ii  procps2:3.3.16-4
ii  terminator [x-terminal-emulator]  1.91-4
ii  ucf   3.0038+nmu1
ii  x11-common1:7.7+20
ii  x11-xserver-utils 7.7+8
ii  xfce4-session [x-session-manager] 4.14.1-1
ii  xfwm4 [x-window-manager]  4.14.0-2

Versions of packages gdm3 recommends:
ii  at-spi2-core2.36.0-2
ii  desktop-base10.0.3
ii  x11-xkb-utils   7.7+5
ii  xserver-xephyr  2:1.20.8-2
ii  xserver-xorg1:7.7+20
ii  zenity  3.32.0-5

Versions of packages gdm3 suggests:
ii  gnome-orca3.36.1-1
pn  libpam-fprintd
ii  libpam-gnome-keyring  3.36.0-1

-- Configuration Files:
/etc/gdm3/daemon.conf changed:
[daemon]
WaylandEnable=false
[security]
[xdmcp]
[chooser]
[debug]


-- debconf information:
  gdm3/daemon_name: /usr/sbin/gdm3
* shared/default-x-display-manager: gdm3

Bug#895874: (no subject)

2019-07-31 Thread Helen Koike 
Hi,

I'm using a docker image "FROM debian:10", and to get git-send-email working
properly, I had to install libmailtools-perl by hand. It would be great if
it was added as a dependency for the package.

Thanks

Bug#932634: lintian: false-positive embedded-library libyaml due to matching string (defined in data/binaries/embedded-libs) with package rust-yaml-rust

2019-07-26 Thread Helen Koike 
Hi Chris,

On Fri, Jul 26, 2019 at 5:33 AM Chris Lamb  wrote:
>
> Hi Helen,
>
> > right, the binary package is not called rust-bat but the source package is 
> > [1].
> > Can lintian check for the source package name? (also not sure if it is
> > a good idea).
>
> It could but, alas, the I think the "package exception" mechanism
> regarding the binaries/embedded-libs data file appears to use the
> binary package name...
>
> > Do you think it would be a good idea to rename the binary package?
>
> Just to silence this Lintian warning? That would seem like extreme
> overkill to me! Regarding finding another string that is present in.
> libyaml and not in rust-yaml-rust, do you have any suggestion at this
> point?

This is the output of "strings libyaml-0.so.2.0.5": http://ix.io/1PAz
And this is the output of "strings bat": http://ix.io/1PAJ

Maybe we can get a string that is not present in both and long enough to not
conflict with other things? e.g.:
 - "unexpected low surrogate area"
- "control characters are not allowed"
- "found a tab character where an indentation space is expected"

(I also checked that these strings are not present in rust-yaml-rust package, in
case the compiler is optimizing something when compiling bat)

What do you think?

>
> > Just a question regarding how lintian works: one thing that confused me is 
> > that
> > bat doesn't depend on rust-yaml-rust directly, it depends on rust-syntect 
> > which
> > depends on rust-yaml-rust. So I was wondering why I didn't get this
> > error in lintian when building rust-syntect.
>
> I have not checked but isn't the question/issue around Rust embedding
> the code of the library in question rather separate to the chain of
> Debian-level dependencies. In other words, isn't this apparent
> perculiarity explained by that bat embeds the rust-yaml-rust bit of
> YAML parsing/generation code whilst that bit of rust-yaml-rust isn't
> used in rust-syntect and thus is not embedded?

I just noticed that librust*.deb packages just provides source code in
rust, I think
that is why the same lintian warning wasn't fired on rust-syntec (as
librust-syntect-dev*.deb just
provides source code).
So when compiling in a final binary (bat in this case), lintian
detects the embedded-binary.

Thanks
Helen

>
>
> Regards,
>
> --
>   ,''`.
>  : :'  : Chris Lamb
>  `. `'`  la...@debian.org chris-lamb.co.uk
>`-

Bug#932634: lintian: false-positive embedded-library libyaml due to matching string (defined in data/binaries/embedded-libs) with package rust-yaml-rust

2019-07-25 Thread Helen Koike 
Hi Chris,

On Wed, Jul 24, 2019 at 2:51 PM Chris Lamb  wrote:
>
> tags 932634 + moreinfo
> thanks
>
> Hi Helen,
>
> > In lintian/data/binaries/embedded-libs, the criterium to detect if a
> > library was linked statically against libyaml is to verify the string:
> >
> > libyaml   ||(?m)^did not find expected 
> >
> > But this string is also found in package rust-yaml-rust.
>
> Indeed. So, I not sure how Lintian is meant to "know" that this is
> from the Rust version of YAML over the libyaml version. If bat was
> called, say, "rust-bat" instead then we could use embedded-libs's
> ability to filter via a regular expression, but that is alas not the
> case. Any ideas...?

right, the binary package is not called rust-bat but the source package is [1].
Can lintian check for the source package name? (also not sure if it is
a good idea).
Do you think it would be a good idea to rename the binary package?
Or maybe we could try find another string that is present in libyaml and not
in rust-yaml-rust.

Just a question regarding how lintian works: one thing that confused me is that
bat doesn't depend on rust-yaml-rust directly, it depends on rust-syntect which
depends on rust-yaml-rust. So I was wondering why I didn't get this
error in lintian
when building rust-syntect.

[1] https://ftp-master.debian.org/new/rust-bat_0.11.0-1.html

Thanks
Helen

>
>
> Best wishes,,
>
> --
>   ,''`.
>  : :'  : Chris Lamb
>  `. `'`  la...@debian.org chris-lamb.co.uk
>`-

Bug#932634: lintian: false-positive embedded-library libyaml due to matching string (defined in data/binaries/embedded-libs) with package rust-yaml-rust

2019-07-21 Thread Helen Koike 
Package: lintian
Version: 2.15.0
Severity: important

Dear Maintainer,

In lintian/data/binaries/embedded-libs, the criterium to detect if a
library was linked statically against libyaml is to verify the string:

libyaml   ||(?m)^did not find expected 

But this string is also found in package rust-yaml-rust.

This caused a false positive when packaging bat [1].

[1] 
https://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/2019-July/006335.html

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils   2.32.51.20190707-1
ii  bzip2  1.0.6-9.2
ii  diffstat   1.62-1
ii  dpkg   1.19.7
ii  dpkg-dev   1.19.7
ii  file   1:5.35-4
ii  gettext0.19.8.1-9
ii  gpg2.2.13-2
ii  intltool-debian0.35.0+20060710.5
ii  libapt-pkg-perl0.1.36+b1
ii  libarchive-zip-perl1.64-1
ii  libcapture-tiny-perl   0.48-1
ii  libcgi-pm-perl 4.40-1
ii  libclass-accessor-perl 0.51-1
ii  libclone-perl  0.41-1+b1
pn  libdigest-sha-perl 
ii  libdpkg-perl   1.19.7
ii  libemail-valid-perl1.202-1
ii  libfile-basedir-perl   0.08-1
ii  libio-async-perl   0.72-1
ii  libipc-run-perl20180523.0-1
ii  liblist-moreutils-perl 0.416-1+b4
ii  libparse-debianchangelog-perl  1.2.0-13
ii  libpath-tiny-perl  0.108-1
ii  libtext-levenshtein-perl   0.13-1
ii  libtimedate-perl   2.3000-2
ii  libtry-tiny-perl   0.30-1
ii  liburi-perl1.76-1
ii  libxml-simple-perl 2.25-1
ii  libyaml-libyaml-perl   0.76+repack-1
ii  man-db 2.8.5-2
ii  patchutils 0.3.4-2
ii  perl   5.28.1-6
ii  t1utils1.41-3
ii  xz-utils   5.2.4-1

Versions of packages lintian recommends:
ii  libperlio-gzip-perl  0.19-1+b5

Versions of packages lintian suggests:
pn  binutils-multiarch 
ii  libhtml-parser-perl3.72-3+b3
ii  libtext-template-perl  1.55-1

-- no debconf information

Bug#907080: bat

2019-07-19 Thread Helen Koike 
On Fri, 25 Jan 2019 10:17:43 +0100 Paride Legovini  wrote:
> Gürkan Myczko wrote on 25/01/2019:
> > Hello
> > 
> > My collegues would like to know if this will make it into buster or not?
> > 
> > Best,
> 
> Hello Gürkan,
> 
> I very much doubt it will, unfortunately: there are still a lot of
> missing dependencies to be packaged.
> 
> Paride
> 
> 

Hi,

I just updated bat and added the missing dependencies in debcargo-conf [1].

If anyone could review it (and hopefully release it), it would be great.

[1] https://salsa.debian.org/rust-team/debcargo-conf/merge_requests/44

Thanks
Helen

Bug#895575: closed by Hanno 'Rince' Wagner (Mailing list created)

2018-10-03 Thread Helen Koike Fornazier 
Hi Hanno,

Thanks you, but there is a typo in the name of the list, it should end
with an 's'  -> s/debian-mulhere/debian-mulheres
Could you please renamed it?

Thanks
On Wed, Oct 3, 2018 at 2:21 PM Debian Bug Tracking System
 wrote:
>
> This is an automatic notification regarding your Bug report
> which was filed against the lists.debian.org package:
>
> #895575: lists.debian.org: Request for a new mailing list: debian-mulheres 
> (debian-woman for Portuguese speakers)
>
> It has been closed by Hanno 'Rince' Wagner .
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Hanno 'Rince' Wagner 
>  by
> replying to this email.
>
>
> --
> 895575: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895575
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>
>
> -- Forwarded message --
> From: "Hanno 'Rince' Wagner" 
> To: 895575-d...@bugs.debian.org
> Cc:
> Bcc:
> Date: Wed, 3 Oct 2018 19:10:09 +0200
> Subject: Mailing list created
> Hi,
>
> the mailinglist
> debian-mulh...@lists.debian.org
>
> has been created per your request. please use it wisely.
>
> best regards, Hanno Wagner, Listmaster of the day
> --
> |  Hanno Wagner  | Member of the HTML Writers Guild  | Rince@IRC  |
> | Eine gewerbliche Nutzung meiner Email-Adressen ist nicht gestattet! |
> | 74 a3 53 cc 0b 19 - we did it!  |Generation @   |
> Fachbegriffe der Informatik : EDV-Beauftagter
> ->  Ehrenamt für den, »der Ahnung von Computer hat«.
> Dieter Funck
>
>
>
> -- Forwarded message --
> From: Helen Koike 
> To: Debian Bug Tracking System 
> Cc:
> Bcc:
> Date: Thu, 12 Apr 2018 17:59:17 -0300
> Subject: lists.debian.org: Request for a new mailing list: debian-mulheres 
> (debian-woman for Portuguese speakers)
> Package: lists.debian.org
> Severity: wishlist
>
> Dear Maintainer,
>
> Name:
> -
> debian-mulheres
>
>
> Rationale:
> -
> The following women present at the MiniDebConf at Curitiba Brazil:
> * Helen Koike 
> * Foz 
> * Renata (rsip22) 
> * Ana Mendes 
> would like to create a version of debian women list for Portuguese
> speakers to promote diversity in Debian (mainly in Brazil) and to remove
> a possible language barrier for newcomers.
> FYI: Mulheres means women in Portuguese
>
>
> Short description:
> -
> Debian women for Portuguese speakers
>
>
> Long description:
> -
> Debian users and developers who wish to involve more women,
> trans, non-binary and gender non-conforming in the Debian project. For
> discussion and sharing of ideas as well as project collaboration in
> Portuguese.
>
>
> Category
> 
> Miscellaneous Debian
>
>
> Subscription Policy
> ---
> Open
>
>
> Post Policy
> ---
> Open
>
>
> Web Archive
> ---
> Yes
>
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
> LANGUAGE=en_US:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled



-- 
Helen Koike

Bug#877557: gtk-recordmydesktop: I have the same error

2018-09-19 Thread Helen Koike 
Package: gtk-recordmydesktop
Version: 0.3.8-4.1
Followup-For: Bug #877557

I am getting the same error, I believe this started happening when I
migrated to wayland.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gtk-recordmydesktop depends on:
ii  python   2.7.15-3
ii  python-gtk2  2.24.0-5.1+b1
ii  python2.72.7.15-4
ii  recordmydesktop  0.3.8.1+svn602-1+b2

gtk-recordmydesktop recommends no packages.

gtk-recordmydesktop suggests no packages.

-- no debconf information

Bug#908769: Removing extensions fixed the problem

2018-09-16 Thread Helen Koike 
I saw in the log some issues with extensions (see below).

So I saw through https://extensions.gnome.org/local/ that there was some
extensions in "ERROR" state.

I removed those and now it works, more specifically I removed workspace-grid


Sep 16 13:08:15 floko gnome-software[21013]: no app for changed
window-l...@gnome-shell-extensions.gcampax.github.com
Sep 16 13:08:15 floko gnome-shell[20848]: Object St.Bin
(0x5579a3f83fa0), has been already deallocated - impossible to access to
it. This might be caused by the fact that the object has been destroyed
from C code using something such as destroy(), dispose(), or remove() vfuncs
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: == Stack trace for
context 0x5579a28be340 ==
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #0 0x5579a2c874a0
i
/home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:947
(0x7fe15c9041a8 @ 275)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #1 0x5579a2c87408
i
/home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:937
(0x7fe15c904120 @ 128)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #2 0x5579a2c87368
i
/home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1102
(0x7fe15c9044d8 @ 296)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #3 0x5579a2c872d8
i
/home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1280
(0x7fe15c9049a0 @ 16)
..


I attached the full log

Now I wonder if this is a bug in the extension or if the gnome-shell
shouldn't allow this bug to happen
Sep 16 13:08:15 floko gnome-shell[1034]: Screen lock is locked down, not locking
Sep 16 13:08:15 floko gnome-shell[1034]: Failed to set power save mode for output DP-3: Permission denied
Sep 16 13:08:15 floko gnome-shell[1034]: Failed to set power save mode for output eDP-1: Permission denied
Sep 16 13:08:15 floko gnome-shell[1034]: An active wireless connection, in infrastructure mode, involves no access point?
Sep 16 13:08:15 floko gnome-software[21013]: no app for changed window-l...@gnome-shell-extensions.gcampax.github.com
Sep 16 13:08:15 floko gnome-shell[20848]: Object St.Bin (0x5579a3f83fa0), has been already deallocated - impossible to access to it. This might be caused by the fact that the object has been destroyed from C code using something such as destroy(), dispose(), or remove() vfuncs
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #0 0x5579a2c874a0 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:947 (0x7fe15c9041a8 @ 275)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #1 0x5579a2c87408 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:937 (0x7fe15c904120 @ 128)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #2 0x5579a2c87368 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1102 (0x7fe15c9044d8 @ 296)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #3 0x5579a2c872d8 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1280 (0x7fe15c9049a0 @ 16)
Sep 16 13:08:15 floko gnome-shell[20848]: Object St.Bin (0x5579a3f85500), has been already deallocated - impossible to access to it. This might be caused by the fact that the object has been destroyed from C code using something such as destroy(), dispose(), or remove() vfuncs
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #0 0x5579a2c874a0 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:948 (0x7fe15c9041a8 @ 304)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #1 0x5579a2c87408 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:937 (0x7fe15c904120 @ 128)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #2 0x5579a2c87368 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1102 (0x7fe15c9044d8 @ 296)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #3 0x5579a2c872d8 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1280 (0x7fe15c9049a0 @ 16)
Sep 16 13:08:15 floko gnome-shell[20848]: Object St.Bin (0x5579a3f85500), has been already finalized. Impossible to set any property to it.
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #0 0x5579a2c87368 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1104 (0x7fe15c9044d8 @ 339)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #1 0x5579a2c872d8 i

Bug#908769: How to reproduce

2018-09-13 Thread Helen Koike 
I could reproduce it consistently now, it always happen when it returns
from suspend, I login and I press the super key.

Bug#908769: gnome-shell: freeze when super (windows) key is pressed

2018-09-13 Thread Helen Koike 
Package: gnome-shell
Version: 3.30.0-1
Severity: important

Dear Maintainer,

When pressing the super key, sometimes the screen just show the greyed
backgroud, without the search input on the top, nor the workspace bar on the
right, not the favorits bar on the left, not the reduced window
application in the center, it just shows the top bar and the greyed backgroud.
I can see the mouse cursor and move it, but clicking doesn't do much.

It is not easy to reproduce but it is happening quite often(about once every
2 hours).

I found the following errors in the logs:


Sep 12 19:18:51 floko gnome-shell[2073]: JS ERROR: TypeError: this._init is 
undefined
 
_Base.prototype._construct@resource:///org/gnome/gjs/modules/_legacy.js:18:5
 
Class.prototype._construct/newClass@resource:///org/gnome/gjs/modules/_legacy.js:114:32
 
_updateWorkspacesViews@resource:///org/gnome/shell/ui/workspacesView.js:572:24
 
wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
 
show@resource:///org/gnome/shell/ui/workspacesView.js:502:9
 
wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
 
show@resource:///org/gnome/shell/ui/viewSelector.js:285:9
 
wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
 
_animateVisible@resource:///org/gnome/shell/ui/overview.js:554:9
 
wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
 
show@resource:///org/gnome/shell/ui/overview.js:540:9
 
wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
 
toggle@resource:///org/gnome/shell/ui/overview.js:670:13
 
wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
 
_initializeUI/<@resource:///org/gnome/shell/ui/main.js:197:13
Sep 12 19:19:02 floko org.gnome.Shell.desktop[2073]: libinput error: event12 - 
DLL06E4:01 06CB:7A13 Touchpad: kernel bug: Touch jump detected and discarded.
Sep 12 19:19:02 floko org.gnome.Shell.desktop[2073]: See 
https://wayland.freedesktop.org/libinput/doc/1.12.0/touchpad-jumping-cursor.html
 for details
Sep 12 19:19:18 floko kernel: nouveau :01:00.0: bus: MMIO read of  
FAULT at 619444 [ IBUS ]
Sep 12 19:19:18 floko kernel: rfkill: input handler enabled
Sep 12 19:19:22 floko gdm-password][13776]: gkr-pam: unlocked login keyring
Sep 12 19:19:22 floko kernel: rfkill: input handler disabled
Sep 12 19:19:22 floko gnome-shell[2073]: JS ERROR: Exception in callback for 
signal: monitors-changed: TypeError: this._activeWorkspaceChanged is undefined
 
_createThumbnails@resource:///org/gnome/shell/ui/workspaceThumbnail.js:880:1
 
wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
 
_init/<@resource:///org/gnome/shell/ui/workspaceThumbnail.js:684:17
 
_emit@resource:///org/gnome/gjs/modules/signals.js:128:27
 
_monitorsChanged@resource:///org/gnome/shell/ui/layout.js:530:9
 
wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
Sep 12 19:19:25 floko kernel: rfkill: input handler enabled


It seems that this was also reported in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/1788691?comments=all

It usually happens when I am using chromium, but I am not sure if this
is related.

Please, let me know if I shouldn't report it here as it was already
reported in Ubuntu.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-shell depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.30.0-1
ii  evolution-data-server3.30.0-1
ii  gir1.2-accountsservice-1.0   0.6.45-1
ii  gir1.2-atspi-2.0 2.28.0-3
ii  gir1.2-freedesktop   1.58.0-1
ii  gir1.2-gcr-3 3.28.0-1
ii  gir1.2-gdesktopenums-3.0 3.28.0-1
ii  gir1.2-gdm-1.0   3.28.2-4
ii  gir1.2-geoclue-2.0   2.4.12-2
ii

Bug#908287: /usr/bin/mc: Custom hide/show panel keybind doesn't work for "show"

2018-09-07 Thread Helen Koike 
Package: mc
Version: 3:4.8.21-1
Severity: normal
File: /usr/bin/mc

Dear Maintainer,

I am trying to modify the Shell keybind from midnight commander.

So I did the following:

cp /etc/mc/mc.keymap ~/.config/mc/

And edited all occurrences of "Shell = ctrl-o" to another keybiding (I
tested with several others), e.g. "Shell = alt-q"

Now, when I open mc and I type alt-q, it hides the panel and go to the
prompt shell, but if I hit alt-q again nothing happens, I need to hit ctrl-o to
make the panel to appear again, but I removed all occurrences of ctrl-o
from ~/.config/mc/mc.keymap, so it seems that ctrl-o is hardcoded
somewhere else.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mc depends on:
ii  libc6 2.27-5
ii  libext2fs21.44.4-2
ii  libglib2.0-0  2.58.0-1
ii  libgpm2   1.20.7-5
ii  libslang2 2.3.2-1+b1
ii  libssh2-1 1.8.0-2
ii  mc-data   3:4.8.21-1

Versions of packages mc recommends:
ii  mime-support  3.61
ii  perl  5.26.2-7
ii  unzip 6.0-21

Versions of packages mc suggests:
pn  arj  
ii  bzip21.0.6-9
pn  dbview   
pn  djvulibre-bin
ii  evince [pdf-viewer]  3.30.0-1
ii  file 1:5.34-2
ii  genisoimage  9:1.1.11-3+b2
pn  gv   
ii  imagemagick  8:6.9.10.8+dfsg-1
ii  imagemagick-6.q16 [imagemagick]  8:6.9.10.8+dfsg-1
pn  libaspell-dev
ii  lynx 2.8.9rel.1-2
pn  odt2txt  
ii  poppler-utils0.63.0-2
ii  python   2.7.15-3
pn  python-boto  
ii  python-tz2018.5-1
ii  texlive-binaries 2018.20180824.48463-1
ii  zip  3.0-11+b1

-- no debconf information

Bug#905319: bug in dell's firmware

2018-08-13 Thread Helen Koike 
It seems this is a bug in the Dell's firmware.

Sledge helped with a workaround: configure grub to self-install in the
EFI removable media path (which is a fallback path for the firmware).

dpkg-reconfigure grub-efi-amd64

And select Yes in "Force extra installation to the EFI removable media
path?"

Then grub will also install it self at /boot/efi/EFI/BOOT/BOOTX64.EFI



signature.asc
Description: OpenPGP digital signature

Bug#904811: workaround

2018-07-28 Thread Helen Koike Fornazier 
I found the documentation to fix this:

https://pbuilder-docs.readthedocs.io/en/latest/faq.html#avoiding-the-ln-invalid-cross-device-link-message

We just need to set:

APTCACHEHARDLINK=no

But it would be nice if it could detect automatically, so moving this
bug to whishlist.

Bug#904811: /usr/bin/pbuilder-dist: pbuild-dist fails when /home is in a different partition

2018-07-28 Thread Helen Koike 
Package: ubuntu-dev-tools
Version: 0.165
Severity: important
File: /usr/bin/pbuilder-dist

Dear Maintainer,

I have /home in a different partition from root /, and pbuilder-dist installs 
files
under /home/user/pbuilder/ folder. Causing the following error when
trying to build a package:

ln: failed to create hard link 
'/home/koike/pbuilder/aptcache/debian/libxdamage1_1%3a1.1.4-3_amd64.deb' => 
'/var/cache/pbuilder/build/16417/var/cache/apt/archives/libxdamage1_1%3a1.1.4-3_amd64.deb':
 Invalid cross-device link

This happends because it is trying to create a hardlink between two
different partitions.

My current partitions/mouting points:

/dev/mapper/floko--vg-root /
/dev/mapper/floko--vg-home /home

How to reproduce:

mkdir tmp && cd tmp
apt source ibus-chewing debhelper
pbuilder-dist buster amd64 create
pbuilder-dist buster amd64 build ibus-chewing_1.5.1-3.dsc


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ubuntu-dev-tools depends on:
ii  binutils   2.30-20
ii  dctrl-tools2.24-2+b1
ii  devscripts 2.18.3
ii  diffstat   1.61-1+b1
ii  distro-info0.18
ii  dpkg-dev   1.19.0.5
ii  lsb-release9.20170808
ii  perl   5.26.2-5
ii  python 2.7.15~rc1-1
ii  python-apt 1.6.0
ii  python-debian  0.1.32
ii  python-distro-info 0.18
ii  python-httplib20.9.2+dfsg-1
ii  python-launchpadlib1.10.6-1
ii  python-lazr.restfulclient  0.14.0-1
ii  python-ubuntutools 0.165
ii  sensible-utils 0.0.12
ii  sudo   1.8.23-1

Versions of packages ubuntu-dev-tools recommends:
ii  bzr 2.7.0+bzr6622-11
ii  bzr-builddeb2.8.10
ii  ca-certificates 20170717
ii  debian-archive-keyring  2017.7
ii  debian-keyring  2018.03.24
ii  debootstrap 1.0.102
ii  dput1.0.2
ii  genisoimage 9:1.1.11-3+b2
ii  libwww-perl 6.33-1
ii  lintian 2.5.88
ii  patch   2.7.6-2
ii  pbuilder0.229.3
ii  python-dns  2.3.6-4
ii  python-soappy   0.12.22-1
ii  quilt   0.65-1
ii  reportbug   7.1.10

Versions of packages ubuntu-dev-tools suggests:
ii  python 2.7.15~rc1-1
ii  python-simplejson  3.15.0-1+b1
ii  qemu-user-static   1:2.12+dfsg-1+b1

-- no debconf information

Bug#900505: segfault at 21c1, error 4 in tmux[559568e28000+84000]

2018-05-31 Thread Helen Koike 
Package: tmux
Version: 2.7-1+b1
Severity: normal

Dear Maintainer,

I got this error:

tmux: server[2747]: segfault at 21c1 ip 559568e52a5a sp 7ffefc121c68 
error 4 in tmux[559568e28000+84000]

I'm not entirely sure how to reproduce it, I am filing this report in
case anyone else has the same issue. I'll add more information if I
manage to reproduce it.

I was using tmux with several panes and with fish shell, I had just copied
something to one of the panels and tmux crashed.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tmux depends on:
ii  libc6   2.27-3
ii  libevent-2.1-6  2.1.8-stable-4
ii  libtinfo6   6.1+20180210-4
ii  libutempter01.1.6-3

tmux recommends no packages.

tmux suggests no packages.

-- no debconf information

Bug#899155: vmdebootstrap: command failed: umount /tmp/tmp... | ERROR: /tmp/tmp.../etc/machine-id: Device or resource busy

2018-05-19 Thread Helen Koike 
Package: vmdebootstrap
Version: 1.11-1
Severity: important

Dear Maintainer,

I am trying to run vmdebootstrap, but I am getting the error below:

-
$ sudo vmdebootstrap --verbose --image=${IMG} --size=5g --distribution=sid 
--grub --enable-dhcp --package=openssh-server --owner=$USER
Creating disk image
Creating partitions
Creating filesystem ext4
Mounting /dev/mapper/loop1p1 on /tmp/tmpyf1aME
Debootstrapping sid [amd64]
Give root an empty password
Removing udev persistent cd and net rules
Enabling systemd-networkd for DHCP
Enabling systemctl-resolved for DNS
Updating the initramfs
Configuring grub2
Optimizing image for compression
Umounting /tmp/tmpyf1aME
EEEK! Something bad happened...
command failed: ['umount', '/tmp/tmpyf1aME']

umount: /tmp/tmpyf1aME: target is busy.

Cleaning up
ERROR: /tmp/tmpyf1aME/etc/machine-id: Device or resource busy
-

Also the versions the package reports seems to diverge the version
reported by the binary:

# /usr/sbin/vmdebootstrap --version
1.6

$ dpkg -s vmdebootstrap
Package: vmdebootstrap
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 353
Maintainer: Lars Wirzenius 
Architecture: amd64
Version: 1.11-1
...

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages vmdebootstrap depends on:
ii  debootstrap 1.0.99
ii  kpartx  0.7.4-3
ii  libjs-sphinxdoc 1.7.4-1
ii  parted  3.2-21+b1
ii  python  2.7.15~rc1-1
ii  python-cliapp   1.20170827-1
ii  python-distro-info  0.18
ii  python2.7   2.7.15-1
ii  qemu-utils  1:2.12+dfsg-1+b1

Versions of packages vmdebootstrap recommends:
ii  dosfstools4.1-2
ii  extlinux  3:6.03+dfsg1-2
ii  grub2-common  2.02+dfsg1-4
ii  python-guestfs1:1.38.1-1
ii  qemu-system   1:2.12+dfsg-1+b1
ii  qemu-user-static  1:2.12+dfsg-1+b1
ii  squashfs-tools1:4.3-6

Versions of packages vmdebootstrap suggests:
pn  cmdtest  
pn  mbr  
ii  pandoc   2.2-1
pn  u-boot   

-- no debconf information

Bug#895575: lists.debian.org: Request for a new mailing list: debian-mulheres (debian-woman for Portuguese speakers)

2018-04-12 Thread Helen Koike 
Package: lists.debian.org
Severity: wishlist

Dear Maintainer,

Name:
-
debian-mulheres


Rationale:
-
The following women present at the MiniDebConf at Curitiba Brazil:
* Helen Koike 
* Foz 
* Renata (rsip22) 
* Ana Mendes 
would like to create a version of debian women list for Portuguese
speakers to promote diversity in Debian (mainly in Brazil) and to remove
a possible language barrier for newcomers.
FYI: Mulheres means women in Portuguese


Short description:
-
Debian women for Portuguese speakers


Long description:
-
Debian users and developers who wish to involve more women,
trans, non-binary and gender non-conforming in the Debian project. For
discussion and sharing of ideas as well as project collaboration in
Portuguese.


Category

Miscellaneous Debian


Subscription Policy
---
Open


Post Policy
---
Open


Web Archive
---
Yes


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Bug#881747: gnome-session-canberra: Failed to play sound: Invalid state

2017-11-14 Thread Helen Koike 
Package: gnome-session-canberra
Version: 0.30-4
Severity: normal
Tags: l10n

Dear Maintainer,

When I execute the following, I get this error:

$ canberra-gtk-play --file=/usr/share/sounds/gnome/default/alerts/bark.ogg
Failed to play sound: Invalid state

In strace I can see the errors:

...
open("/usr/share/locale/en_US/LC_MESSAGES/pulseaudio.mo", O_RDONLY) = -1 
ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/pulseaudio.mo", O_RDONLY) = -1 
ENOENT (No such file or directory)
...
connect(15, {sa_family=AF_UNIX, sun_path="/run/user/1000/pulse/native"}, 
110) = 0
sendto(13, "W", 1, MSG_NOSIGNAL, NULL, 0) = -1 ENOTSOCK (Socket operation 
on non-socket)
...

I installed pulseaudio but it seems it doesn't provide the en_US
pulseaudio.mo file


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnome-session-canberra depends on:
ii  libc6   2.24-17
ii  libcanberra-gtk00.30-4
ii  libcanberra-gtk3-0  0.30-4
ii  libcanberra00.30-4
ii  libglib2.0-02.54.2-1
ii  libgtk-3-0  3.22.26-1

gnome-session-canberra recommends no packages.

gnome-session-canberra suggests no packages.

-- no debconf information

Bug#820129: This is not a bug, but a feature

2017-04-17 Thread Helen Koike 



On 2017-01-31 03:40 PM, Linn Crosetto wrote:

On Thu, Dec 08, 2016 at 04:44:18PM +0100, Andreas Heinlein wrote:

I do not think this should be done, it would make it difficult if not
impossible to boot custom kernels. For your own use, you could always
build your own signed kernel and add the signing key to the UEFI
firmware, or turn off SecureBoot altogether.
However, for authors of Debian-based live systems like I am
(www.discreete-linux.org), we need a way that will boot the live system
on as many computers and platforms as possible without user interaction,
including those users which regulary use only windows, and including
platforms like Intel-based Tablets/Detachables which often do not allow
to turn off Secureboot. Our live system requires a special kernel to
work, it cannot work with any generic kernel/initrd signed by Debian.

UEFI/SecureBoot specs do not require to keep the chain of signatures
through to the kernel/initrd, it is optional. There should at least be a
choice by providing two packages, one which allows booting unsigned
kernels and one which doesn't. Or we can find a way for projects to get
their kernels and/or own grub signed by Debian.


If secure boot is enabled then no untrusted system should be allowed to 
run. If you need to run a custom kernel when Secure Boot is enabled that 
doesn't require user interaction, then you can make your system 
trustworthy by getting your own shim signed with your own embedded 
certificated that will allow booting any custom grub2, then it doesn't 
need to be signed by Debian, which make sense to me as custom images are 
not officially part of Debian, thus not officially trusted by the Debian 
community.
I don't think we should have two types of packages to allow booting 
unsigned and signed kernels.




Without verifying the kernel, the additional security features in the kernel
become largely useless and we lose much of the value that a root of trust
can provide. Note that this patch only affects systems with UEFI Secure Boot
enabled.

To allow boot without user interaction on a system with Secure Boot enabled,
you could build shim with your key and get it signed.



ack

Bug#821051: [PATCH] dak: byhand-code sign with dsigning-box

2017-01-28 Thread Helen Koike 

Hi,

Sorry for the delay to send this.

I prepared a simple packaged named dsigning-box that should be installed 
in the same machine that have access to the tokens: 
https://github.com/helen-fornazier/dsigning-box
For now it only contain a script to sign efi and kernel modules from a 
tarball, it is almost the same script in the previous patch 
(byhand-code-sign-user), I just changed where it gets the tarball and 
where it places the signatures (which can be changed by a configuration 
file).
As before, I tested with and without a yubikey using this script: 
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

Please review.

I also made dak patches to integrate with dsigning-box in a remote 
machine: https://github.com/helen-fornazier/dak/commits/review
This patches add a script called byhand-code-sign which will send 
(rsync) the tarball with the images to be signed to the machine that has 
dsigning-box installed. This script execute a command by ssh in 
dsigning-box to sign the images. As we don't have a dedicated machine 
yet to install dsigning-box the signatures will be copied to another 
machine (coccia.debian.org?) that can be changed in the configuration 
file (this is temporary as the signatures should stay in the signing box).


Please review all this and let me know if I should alter anything.

Let me know if you prefer that I send email patches to be easier to review.

Helen

Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2017-01-04 Thread Helen Koike 



On 2016-12-12 07:35 PM, Joerg Jaspert wrote:

On 14519 March 1977, Ben Hutchings wrote:


We offer the archives, including security, by rsync too.
And that should stay. Mirrors of security do exist, for good
reasons.[1]
Why does it need to be in the archive?

[...]
I don't know of any other way of getting files back out of dak.


So my first thought it will be. Some random structure on some random
place. Possibly an apache run by DSA or so, but nothing relying on our
mirrors.


Should we request DSA team to setup this then? What is the next step?



As "getting files back out of dak" is simple. dak writes files where we
tell it to, see for example our changelog/metadata exports, buildd
queues, etc which don't live on the usual mirror network.

Bug#821051: Secure-boot - auto publishing signature in Dak (closes #821051) - Overview

2016-12-02 Thread Helen Koike 

Hi,

Could someone please take a look at the patch series 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821051#200 ?


With those patches, Dak will be able to sign efi image and linux modules 
through a Yubikey and publish the signatures, allowing grub2-signed, 
linux-signed and fwupdate-signed to be built.


In short, the maintainer of the main package upload a 
${package}-code-sign_${version}_${arch}.tar.xz containing a changelog 
file and all the binaries to be signed, and Dak will publish a 
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | 
head -c 64)_${arch}.tar.xz containing all the detached signatures 
throught a byhand script.



Thanks
Helen



Follow below an overview of the discussed issues so far:

NOTE: quotes below are from Ben Hutchings

* The first version was bypassing embargoed packages, but the proposed 
solution was:


"1. Directory listing is disabled for the directory containing
   signature tarballs.
2. In main source package, debian/rules adds debian/changelog to the
   code-sign tarball.
3. Byhand script generates the signature tarball name thus:
   OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog").tar.xz"
4. In signed source package, preparation script takes main source
   package's changelog as input."

* binNMU concerns:

"I suppose binNMUs are not such a problem, they just add some
complication - the preparation script will have to fetch an arbitrary
binary package to get the text of the added changelog entry."

* Avoid the delay between publishing the main package and the *-signed 
version:


Maintainers of both packages will need to coordinate their uploads, the 
main process would be something like:


"1. Mantainer uploads main source package
2. Security team accepts it into the embargoed queue
3. Buildds upload unsigned binary packages
4. Security team accepts these into the embargoed queue.
   By-hand script generates and immediately publishes signatures.
5. Maintainer downloads signatures and prepares signed source package
6. Maintainer uploads signed source package
7. Security team accepts it into the embargoed queue
8. Buildds upload signed binary packages
9. Security team accepts these into the embargoed queue
10. Security team publishes both sets of source and binary packages"

Bug#821051: [PATCH v5 0/3] Add byhand script to perform code signing for secure boot

2016-11-30 Thread Helen Koike 
Publish the signature of packages automatically when the package is processed 
based on previous
package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepare a ${package}-code-sign_${version}_${arch}.tar.xz with 
all the efi images
and/or linux modules, and a changelog file. When processing the package from 
the queue, the
byhand-code-sign script is called, read this .tar.xz package, sign all the efi 
or modules inside
it and publish a tarball with all the signatures at
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head 
-c 64)_$ARCH.tar.xz
This signature are then retrieved by the maintainers of the *-signed packages 
(e.g. linux-signed,
grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: The maintainers of the main package and the -signed package will have to 
coordinate their
uploads to reduce de propagation delay of a security fix to be incorporated in 
the -signed package

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing

Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

Changes since v4:
Apend _$ARCH in the end of the tar.xz file
Remove extra new line

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index 40afdc6..86abd6e 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -53,9 +53,8 @@ if [ ! -f "$IN_DIR/changelog" ]; then
error "Can't find changelog file in $IN_TARBALL"
 fi
 
-
 TARGET="$ftpdir/dists/$suitedir/main/code-sign"
-OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 
64)_$ARCH.tar.xz"
 
 # Check that this source/arch/version hasn't already been signed
 if [ -e "$OUT_TARBALL" ]; then

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf |  43 +++
 config/debian-security/dak.conf  |  24 +++
 config/debian/byhand-code-sign.conf  |  43 +++
 config/debian/dak.conf   |  21 ++
 scripts/debian/byhand-code-sign  |  67 +
 scripts/debian/byhand-code-sign-user | 103 +++
 6 files changed, 301 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4

Bug#821051: [PATCH v5 2/3] byhand-code-sign: intermediate script for code sign

2016-11-30 Thread Helen Koike 
This script is meant to be called by AutomaticByHandPackages mechanism,
it will receive the a .tar.xz file with efi images and/or linux
modules, call byhand-code-sign-user as codesign user to generate another
.tar.xz with detached signatures and publish it in the 
$ftpdir/dists/$suitedir/main/code-sign/

Contributions:
Ben Hutchings 
---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

Changes since v4:
Append _$ARCH in the end of the tar.xz file
Remove extra new line
---
 scripts/debian/byhand-code-sign | 67 +
 1 file changed, 67 insertions(+)
 create mode 100755 scripts/debian/byhand-code-sign

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
new file mode 100755
index 000..86abd6e
--- /dev/null
+++ b/scripts/debian/byhand-code-sign
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+set -u
+set -e
+set -o pipefail
+
+if [ $# -lt 5 ]; then
+   echo "Usage: $0 filename version arch changes_file suite"
+   exit 1
+fi
+
+IN_TARBALL="$1"# Tarball to read, compressed with xz
+VERSION="$2"
+ARCH="$3"
+CHANGES="$4"   # Changes file for the upload
+SUITE="$5"
+
+error() {
+   echo >&2 "E: $*"
+   exit 1
+}
+
+# Read dak configuration for security or main archive.
+# Also determine subdirectory for the suite.
+case "$0" in
+/srv/security-master.debian.org/*)
+   configdir="/srv/security-master.debian.org/dak/config/debian-security"
+   suitedir="$SUITE/updates"
+   ;;
+/srv/ftp-master.debian.org/*)
+   configdir="/srv/ftp-master.debian.org/dak/config/debian"
+   suitedir="$SUITE"
+   ;;
+*)
+   error "$0: Can't tell if security or not"
+   ;;
+esac
+. "$configdir/vars"
+
+# cleanup the temporary directories on EXIT
+IN_DIR=
+cleanup() {
+   test -z "$IN_DIR" || rm -rf "$IN_DIR"
+}
+trap cleanup EXIT
+
+# Extract the data from stdin into the input directory
+IN_DIR="$(mktemp -td byhand-code-sign-in.XX)"
+tar xaf "$IN_TARBALL" --directory="$IN_DIR"
+
+# Check if tarball contain the changelog file
+if [ ! -f "$IN_DIR/changelog" ]; then
+   error "Can't find changelog file in $IN_TARBALL"
+fi
+
+TARGET="$ftpdir/dists/$suitedir/main/code-sign"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 
64)_$ARCH.tar.xz"
+
+# Check that this source/arch/version hasn't already been signed
+if [ -e "$OUT_TARBALL" ]; then
+   error "Signature tarball already exists: $OUT_TARBALL"
+fi
+
+mkdir -p "${OUT_TARBALL%/*}"
+
+sudo -u codesign "${0%/*}/byhand-code-sign-user" 
"$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL"
+echo "I: Created $OUT_TARBALL"
-- 
2.7.4

Bug#821051: [PATCH v5 1/3] byhand-code-sign-user: signing script for efi images and linux modules

2016-11-30 Thread Helen Koike 
The byhand-code-sign-user script receives a .tar.xz file (that can
contain efi images and linux modules) in stdin, sign them using keys as
configured in the configuration file and generate a .tar.xz with all the
signatures in stdout

This script is meant to be called by another byhand script which will
run it as a different user.
stdin and stdout is used for passing the .tar.xz files as this script
may not have permission to access the .tar.xz

It can sign using a token as a Yubikey or through a certificate database
depending on the configuration

Contributions:
Julien Cristau 
Ben Hutchings 

---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

TESTS
-
I tested the byhan-code-sign-user using the script here:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

That covers with and without an Yubikey and creating a
privkey with or without a password

To execute it, create a test.tar.xz files with efi and linux modules,
install gnutls-bin, yubico-piv-tool, libnss3-tools and run
./dak-codesign-test.sh test.tar.xz
It should work with a yubikey with default configuration (key and pin
code), otherwise you will need to adjust those parameters in the script.

Changes from last version:
None

---
 config/debian-security/byhand-code-sign.conf |  43 +++
 config/debian/byhand-code-sign.conf  |  43 +++
 scripts/debian/byhand-code-sign-user | 103 +++
 3 files changed, 189 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign-user

diff --git a/config/debian-security/byhand-code-sign.conf 
b/config/debian-security/byhand-code-sign.conf
new file mode 100644
index 000..7818b8d
--- /dev/null
+++ b/config/debian-security/byhand-code-sign.conf
@@ -0,0 +1,43 @@
+# Configuration for byhand-sign shell script
+
+# The directory of the certificate database created with certutil
+# where the certificate and possibly the private key (if a token
+# is not used) for signing efi images are stored
+#EFI_CERT_DIR=/etc/dak/efi/certdir
+EFI_CERT_DIR=
+
+# The name that identifies the certificate in the certificate
+# database or in the token.
+# Yubikey is usually "Certificate for Digital Signature"
+# The label can be verified by executing:
+# pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O
+EFI_CERT_NAME="Certificate for Digital Signature"
+
+# The label of the token as shown in `p11tool --list-tokens`
+# Set to "NSS Certificate DB" if the private key is in the certificate
+# database and a token will not be used
+#EFI_TOKEN_NAME="NSS Certificate DB"
+EFI_TOKEN_NAME="PIV_II (PIV Card Holder pin)"
+
+# The token pin or the certificate database slot password (if a
+# token is not used) for signing efi images. This is optional in
+# case a token is not used and no slot password is set
+#EFI_SIGN_PIN=123456
+
+# The sign-file linux program to sign modules
+#LINUX_SIGNFILE=/usr/lib/linux-kbuild-4.6/scripts/sign-file
+LINUX_SIGNFILE=
+
+# The private key to use to sign the kernel modules or the token URI
+# as shown by `p11tool --list-tokens`
+#LINUX_MODULES_PRIVKEY=/etc/dak/efi/kernel-key.rsa
+LINUX_MODULES_PRIVKEY="pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29"
+
+# The certificate to verify the kernel modules signature
+#LINUX_MODULES_CERT=/etc/dat/efi/kernel-cert.pem
+LINUX_MODULES_CERT=
+
+# The token pin or the certificate database slot password (if a
+# token is not used) for signing kernel modules. This is optional in
+# case no slot password is set
+#LINUX_SIGN_PIN=123456
diff --git a/config/debian/byhand-code-sign.conf 
b/config/debian/byhand-code-sign.conf
new file mode 100644
index 000..7818b8d
--- /dev/null
+++ b/config/debian/byhand-code-sign.conf
@@ -0,0 +1,43 @@
+# Configuration for byhand-sign shell script
+
+# The directory of the certificate database created with certutil
+# where the certificate and possibly the private key (if a token
+# is not used) for signing efi images are stored
+#EFI_CERT_DIR=/etc/dak/efi/certdir
+EFI_CERT_DIR=
+
+# The name that identifies the certificate in the certificate
+# database or in the token.
+# Yubikey is usually "Certificate for Digital Signature"
+# The label can be verified by executing:
+# pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O
+EFI_CERT_NAME="Certificate for Digital Signature"
+
+# The label of the token as shown in `p11tool --list-tokens`
+# Set to "NSS Certificate DB" if the private key is in the certificate
+# database and a token will not be used
+#EFI_TOKEN_NAME="NSS Certificate DB"
+EFI_TOKEN_NAME="PIV_II (PIV Card Holder pin)"
+
+# The token pin or

Bug#821051: [PATCH v5 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-11-30 Thread Helen Koike 
Add linux, grub2 and fwupdate to publish their signatures by calling
byhand-code-sign as they are supposed to have a *-signed version

Contributions:
Ben Hutchings 

---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

To test it, after building the package (grub, linux or fwupdate) create
a file called ${package}-code-sign_${version}_${arch}.tar.xz
with the efi images or kernel modules to be signed

After building the package, add the file in the changes file:

> changestool ${package}-code-sign_${version}_${arch}.changes addrawfile 
> ${package}-code-sign_${version}_${arch}.tar.xz

Edit the .changes file to replace the double dashes by "byhand optional"

> sed -i -e "s/- - ${package}-code-sign_${version}_${arch}.tar.xz/byhand 
> optional ${package}-code-sign_${version}_${arch}.tar.xz/g" 
> ${package}-code-sign_${version}_${arch}.changes

Sign the .changes file
> gpg --clearsign ${package}-code-sign_${version}_${arch}.changes
> mv ${package}-code-sign_${version}_${arch}.changes.asc 
> ${package}-code-sign_${version}_${arch}.changes

Add to uncheck queue
> cp -r ../* /srv/dak/queue/unchecked/

Process the package
> dak process-upload -d /srv/dak/queue/unchecked
---

Changes since last version:
None

 config/debian-security/dak.conf | 24 
 config/debian/dak.conf  | 21 +
 2 files changed, 45 insertions(+)

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f342a55..dbf5395 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -127,6 +127,30 @@ SuiteMappings
   "reject oldoldstable";
 };
 
+AutomaticByHandPackages
+{
+  "linux-code-sign" {
+Source "linux";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+Source "grub2";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+Source "fwupdate";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+};
+
 Dir
 {
   Base "/srv/security-master.debian.org/";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 10322cc..6de05f2 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -185,6 +185,27 @@ AutomaticByHandPackages {
 Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di";
   };
 
+  "linux-code-sign" {
+Source "linux";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+Source "grub2";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+Source "fwupdate";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
   "tag-overrides" {
 Source "tag-overrides";
 Section "byhand";
-- 
2.7.4

Bug#821051: [PATCH v4 1/3] byhand-code-sign-user: signing script for efi images and linux modules

2016-11-30 Thread Helen Koike 
The byhand-code-sign-user script receives a .tar.xz file (that can
contain efi images and linux modules) in stdin, sign them using keys as
configured in the configuration file and generate a .tar.xz with all the
signatures in stdout

This script is meant to be called by another byhand script which will
run it as a different user.
stdin and stdout is used for passing the .tar.xz files as this script
may not have permission to access the .tar.xz

It can sign using a token as a Yubikey or through a certificate database
depending on the configuration

Contributions:
Julien Cristau 
Ben Hutchings 

---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

TESTS
-
I tested the byhan-code-sign-user using the script here:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

That covers with and without an Yubikey and creating a
privkey with or without a password

To execute it, create a test.tar.xz files with efi and linux modules,
install gnutls-bin, yubico-piv-tool, libnss3-tools and run
./dak-codesign-test.sh test.tar.xz
It should work with a yubikey with default configuration (key and pin
code), otherwise you will need to adjust those parameters in the script.

Changes from last version:
Skip the changelog file

/scripts/debian/byhand-code-sign-user
@@ -52,6 +52,10 @@ tar xJ --directory="$in_dir" <&0
 out_dir="$(mktemp -td byhand-code-sign-out.XX)"

 while read filename; do
+   # Skip changelog
+   if [ "$filename" == changelog ]; then
+   continue
+   fi
mkdir -p "$out_dir/${filename%/*}"
case "${filename##*/}" in
*.efi | vmlinuz-*)
---
 config/debian-security/byhand-code-sign.conf |  43 +++
 config/debian/byhand-code-sign.conf  |  43 +++
 scripts/debian/byhand-code-sign-user | 103 +++
 3 files changed, 189 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign-user

diff --git a/config/debian-security/byhand-code-sign.conf 
b/config/debian-security/byhand-code-sign.conf
new file mode 100644
index 000..7818b8d
--- /dev/null
+++ b/config/debian-security/byhand-code-sign.conf
@@ -0,0 +1,43 @@
+# Configuration for byhand-sign shell script
+
+# The directory of the certificate database created with certutil
+# where the certificate and possibly the private key (if a token
+# is not used) for signing efi images are stored
+#EFI_CERT_DIR=/etc/dak/efi/certdir
+EFI_CERT_DIR=
+
+# The name that identifies the certificate in the certificate
+# database or in the token.
+# Yubikey is usually "Certificate for Digital Signature"
+# The label can be verified by executing:
+# pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O
+EFI_CERT_NAME="Certificate for Digital Signature"
+
+# The label of the token as shown in `p11tool --list-tokens`
+# Set to "NSS Certificate DB" if the private key is in the certificate
+# database and a token will not be used
+#EFI_TOKEN_NAME="NSS Certificate DB"
+EFI_TOKEN_NAME="PIV_II (PIV Card Holder pin)"
+
+# The token pin or the certificate database slot password (if a
+# token is not used) for signing efi images. This is optional in
+# case a token is not used and no slot password is set
+#EFI_SIGN_PIN=123456
+
+# The sign-file linux program to sign modules
+#LINUX_SIGNFILE=/usr/lib/linux-kbuild-4.6/scripts/sign-file
+LINUX_SIGNFILE=
+
+# The private key to use to sign the kernel modules or the token URI
+# as shown by `p11tool --list-tokens`
+#LINUX_MODULES_PRIVKEY=/etc/dak/efi/kernel-key.rsa
+LINUX_MODULES_PRIVKEY="pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29"
+
+# The certificate to verify the kernel modules signature
+#LINUX_MODULES_CERT=/etc/dat/efi/kernel-cert.pem
+LINUX_MODULES_CERT=
+
+# The token pin or the certificate database slot password (if a
+# token is not used) for signing kernel modules. This is optional in
+# case no slot password is set
+#LINUX_SIGN_PIN=123456
diff --git a/config/debian/byhand-code-sign.conf 
b/config/debian/byhand-code-sign.conf
new file mode 100644
index 000..7818b8d
--- /dev/null
+++ b/config/debian/byhand-code-sign.conf
@@ -0,0 +1,43 @@
+# Configuration for byhand-sign shell script
+
+# The directory of the certificate database created with certutil
+# where the certificate and possibly the private key (if a token
+# is not used) for signing efi images are stored
+#EFI_CERT_DIR=/etc/dak/efi/certdir
+EFI_CERT_DIR=
+
+# The name that identifies the certificate in the certificate
+# database or in the token.
+# Yubikey is usually "Certificate for Digital Signature"
+# The label can be verified by executing:

Bug#821051: [PATCH v4 0/3] Add byhand script to perform code signing for secure boot

2016-11-30 Thread Helen Koike 
Publish the signature of packages automatically when the package is processed 
based on previous
package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepare a ${package}-code-sign_${version}_${arch}.tar.xz with 
all the efi images
and/or linux modules, and a changelog file. When processing the package from 
the queue, the
byhand-code-sign script is called, read this .tar.xz package, sign all the efi 
or modules inside
it and publish a tarball with all the signatures at
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head 
-c 64).tar.xz
This signature are then retrieved by the maintainers of the *-signed packages 
(e.g. linux-signed,
grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: this causes a delay between publishing embargoed updates and publishing 
*-signed packages that can
be a problem since we avoid to leak the existence of a security flaw before its 
fix has being released.
The proposed solution for this is by making dak to publish the *-signed 
packages automatically.

Since we already have this problem anyway, we can add this patch in dak and add
the mechanism to automatically publish the *-signed packages latter in 
incremental basis as
we advance constructing the *-signed source packages

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing

Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

Changes since v3:
Use hash of changelog file to generate the output tarball name with the 
signatures

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index f3eceab..40afdc6 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -37,9 +37,25 @@ case "$0" in
 esac
 . "$configdir/vars"
 
-TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
-OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
-OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
+# cleanup the temporary directories on EXIT
+IN_DIR=
+cleanup() {
+   test -z "$IN_DIR" || rm -rf "$IN_DIR"
+}
+trap cleanup EXIT
+
+# Extract the data from stdin into the input directory
+IN_DIR="$(mktemp -td byhand-code-sign-in.XX)"
+tar xaf "$IN_TARBALL" --directory="$IN_DIR"
+
+# Check if tarball contain the changelog file
+if [ ! -f "$IN_DIR/changelog" ]; then
+   error "Can't find changelog file in $IN_TARBALL"
+fi
+
+
+TARGET="$ftpdir/dists/$suitedir/main/code-sign"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"
 
 # Check that this source/arch/version hasn't already been signed
 if [ -e "$OUT_TARBALL" ]; then
diff --git a/scripts/debian/byhand-code-sign-user 
b/scripts/debian/byhand-code-sign-user
index 91520d6..3477d6c 100755
--- a/scripts/debian/byhand-code-sign-user
+++ b/scripts/debian/byhand-code-sign-user
@@ -52,6 +52,10 @@ tar xJ --directory="$in_dir" <&0
 out_dir="$(mktemp -td byhand-code-sign-out.XX)"
 
 while read filename; do
+   # Skip changelog
+   if [ "$filename" == changelog ]; then
+   continue
+   fi
mkdir -p "$out_dir/${filename%/*}"
case "${filename##*/}" in
*.efi | vmlinuz-*)

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf |  43 +++
 config/debian-security/dak.conf  |  24 +++
 config/debian/byhand-code-sign.conf  |  43 +++
 config/debian/dak.conf   |  21 ++
 scripts/debian/byhand-code-sign  |  68 ++
 scripts/debian/byhand-code-sign-user | 103 +++
 6 files changed, 302 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4

Bug#821051: [PATCH v4 2/3] byhand-code-sign: intermediate script for code sign

2016-11-30 Thread Helen Koike 
This script is meant to be called by AutomaticByHandPackages mechanism,
it will receive the a .tar.xz file with efi images and/or linux
modules, call byhand-code-sign-user as codesign user to generate another
.tar.xz with detached signatures and publish it in the 
$ftpdir/dists/$suitedir/main/code-sign/

Contributions:
Ben Hutchings 
---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

Changes since last version:
Check if file changelog is present in the IN_TARBALL
Generate the OUT_TARBALL using the sha256sum of the changelog

/scripts/debian/byhand-code-sign
@@ -37,9 +37,25 @@ case "$0" in
 esac
 . "$configdir/vars"

-TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
-OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
-OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
+# cleanup the temporary directories on EXIT
+IN_DIR=
+cleanup() {
+   test -z "$IN_DIR" || rm -rf "$IN_DIR"
+}
+trap cleanup EXIT
+
+# Extract the data from stdin into the input directory
+IN_DIR="$(mktemp -td byhand-code-sign-in.XX)"
+tar xaf "$IN_TARBALL" --directory="$IN_DIR"
+
+# Check if tarball contain the changelog file
+if [ ! -f "$IN_DIR/changelog" ]; then
+   error "Can't find changelog file in $IN_TARBALL"
+fi
+
+
+TARGET="$ftpdir/dists/$suitedir/main/code-sign"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"

 # Check that this source/arch/version hasn't already been signed
 if [ -e "$OUT_TARBALL" ]; then
---
 scripts/debian/byhand-code-sign | 68 +
 1 file changed, 68 insertions(+)
 create mode 100755 scripts/debian/byhand-code-sign

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
new file mode 100755
index 000..40afdc6
--- /dev/null
+++ b/scripts/debian/byhand-code-sign
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+set -u
+set -e
+set -o pipefail
+
+if [ $# -lt 5 ]; then
+   echo "Usage: $0 filename version arch changes_file suite"
+   exit 1
+fi
+
+IN_TARBALL="$1"# Tarball to read, compressed with xz
+VERSION="$2"
+ARCH="$3"
+CHANGES="$4"   # Changes file for the upload
+SUITE="$5"
+
+error() {
+   echo >&2 "E: $*"
+   exit 1
+}
+
+# Read dak configuration for security or main archive.
+# Also determine subdirectory for the suite.
+case "$0" in
+/srv/security-master.debian.org/*)
+   configdir="/srv/security-master.debian.org/dak/config/debian-security"
+   suitedir="$SUITE/updates"
+   ;;
+/srv/ftp-master.debian.org/*)
+   configdir="/srv/ftp-master.debian.org/dak/config/debian"
+   suitedir="$SUITE"
+   ;;
+*)
+   error "$0: Can't tell if security or not"
+   ;;
+esac
+. "$configdir/vars"
+
+# cleanup the temporary directories on EXIT
+IN_DIR=
+cleanup() {
+   test -z "$IN_DIR" || rm -rf "$IN_DIR"
+}
+trap cleanup EXIT
+
+# Extract the data from stdin into the input directory
+IN_DIR="$(mktemp -td byhand-code-sign-in.XX)"
+tar xaf "$IN_TARBALL" --directory="$IN_DIR"
+
+# Check if tarball contain the changelog file
+if [ ! -f "$IN_DIR/changelog" ]; then
+   error "Can't find changelog file in $IN_TARBALL"
+fi
+
+
+TARGET="$ftpdir/dists/$suitedir/main/code-sign"
+OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz"
+
+# Check that this source/arch/version hasn't already been signed
+if [ -e "$OUT_TARBALL" ]; then
+   error "Signature tarball already exists: $OUT_TARBALL"
+fi
+
+mkdir -p "${OUT_TARBALL%/*}"
+
+sudo -u codesign "${0%/*}/byhand-code-sign-user" 
"$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL"
+echo "I: Created $OUT_TARBALL"
-- 
2.7.4

Bug#821051: [PATCH v4 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-11-30 Thread Helen Koike 
Add linux, grub2 and fwupdate to publish their signatures by calling
byhand-code-sign as they are supposed to have a *-signed version

Contributions:
Ben Hutchings 

---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

To test it, after building the package (grub, linux or fwupdate) create
a file called ${package}-code-sign_${version}_${arch}.tar.xz
with the efi images or kernel modules to be signed

After building the package, add the file in the changes file:

> changestool ${package}-code-sign_${version}_${arch}.changes addrawfile 
> ${package}-code-sign_${version}_${arch}.tar.xz

Edit the .changes file to replace the double dashes by "byhand optional"

> sed -i -e "s/- - ${package}-code-sign_${version}_${arch}.tar.xz/byhand 
> optional ${package}-code-sign_${version}_${arch}.tar.xz/g" 
> ${package}-code-sign_${version}_${arch}.changes

Sign the .changes file
> gpg --clearsign ${package}-code-sign_${version}_${arch}.changes
> mv ${package}-code-sign_${version}_${arch}.changes.asc 
> ${package}-code-sign_${version}_${arch}.changes

Add to uncheck queue
> cp -r ../* /srv/dak/queue/unchecked/

Process the package
> dak process-upload -d /srv/dak/queue/unchecked

Changes since last version:
No changes

---
 config/debian-security/dak.conf | 24 
 config/debian/dak.conf  | 21 +
 2 files changed, 45 insertions(+)

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f342a55..dbf5395 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -127,6 +127,30 @@ SuiteMappings
   "reject oldoldstable";
 };
 
+AutomaticByHandPackages
+{
+  "linux-code-sign" {
+Source "linux";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+Source "grub2";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+Source "fwupdate";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+};
+
 Dir
 {
   Base "/srv/security-master.debian.org/";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 10322cc..6de05f2 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -185,6 +185,27 @@ AutomaticByHandPackages {
 Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di";
   };
 
+  "linux-code-sign" {
+Source "linux";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+Source "grub2";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+Source "fwupdate";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
   "tag-overrides" {
 Source "tag-overrides";
 Section "byhand";
-- 
2.7.4

Bug#821051: [PATCH v3 2/3] byhand-code-sign: intermediate script for code sign

2016-11-29 Thread Helen Koike 



On 2016-11-20 09:24 AM, Ben Hutchings wrote:

On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
[...]

+TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
+OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
+OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"

[...]

This naming may have to change; see Ansgar's message at
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821051#90> and my
reply below.

Otherwise, I think this is fine.

Ben.



I am not sure I understand the pointed message regarding naming, what 
should be a better naming here ?


Helen

Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-11-29 Thread Helen Koike 



On 2016-11-20 09:27 AM, Ben Hutchings wrote:

On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:

Add linux, grub2 and fwupdate to publish their signatures by calling
byhand-code-sign as they are supposed to have a *-signed version

NOTE: this bypass embargoed updates. The proposed solution for this is by
making dak to publish the *-signed packages automatically, this will be
implemented in incremental basis as we advance to have a base code of the
*-signed packages

[...]

I missed that discussion so I don't understand how that's supposed to
work.  Is there a log somewhere?

Ben.



Log: http://pastebin.com/bSsUPrrA

Bug#821051: [PATCH v3] Add byhand script to perform code signing for secure boot

2016-11-15 Thread Helen Koike 
Publish the signature of packages automatically when the package is processed 
based on previous
package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepare a ${package}-code-sign_${version}_${arch}.tar.xz with 
all the efi images
and/or linux modules. When processing the package from the queue, the 
byhand-code-sign script
is called, read this .tar.xz package, sign all the efi or modules inside it and 
publish another
${package}-code-sign_${version}_${arch}_sigs.tar.xz at 
$ftpdir/dists/$suitedir/main/code-sign/
This signature are then retrieved by the maintainers of the *-signed packages 
(e.g. linux-signed,
grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: this causes a delay between publishing embargoed updates and publishing 
*-signed packages that can
be a problem since we avoid to leak the existence of a security flaw before its 
fix has being released.
The proposed solution for this is by making dak to publish the *-signed 
packages automatically.

Since we already have this problem anyway, we can add this patch in dak and add
the mechanism to automatically publish the *-signed packages latter in 
incremental basis as
we advance constructing the *-signed source packages

Changes since last version:
- Patches based on https://ftp-master.debian.org/git/dak.git master to 
be easier to review
- byhand-code-sign-user-exp was deleted, the expect part to enter pin 
code is embedded in
bash script byhand-code-sign-user
- Add default configuration file for yubikey with more docs
- Also add grub2 and fwupdate in dak.conf AutomaticByHandPackages
- Call pesign just once in the script (no matter if we have a token or 
not, with a password or not)

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh
Check each commit message for more information on testing

Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf | 43 
 config/debian-security/dak.conf  | 24 +++
 config/debian/byhand-code-sign.conf  | 43 
 config/debian/dak.conf   | 21 ++
 scripts/debian/byhand-code-sign  | 52 +++
 scripts/debian/byhand-code-sign-user | 99 
 6 files changed, 282 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4

Bug#821051: [PATCH v3 1/3] byhand-code-sign-user: signing script for efi images and linux modules

2016-11-15 Thread Helen Koike 
The byhand-code-sign-user script receives a .tar.xz file (that can
contain efi images and linux modules) in stdin, sign them using keys as
configured in the configuration file and generate a .tar.xz with all the
signatures in stdout

This script is meant to be called by another byhand script which will
run it as a different user.
stdin and stdout is used for passing the .tar.xz files as this script
may not have permission to access the .tar.xz

It can sign using a token as a Yubikey or through a certificate database
depending on the configuration

Contributions:
Julien Cristau 
Ben Hutchings 

---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

TESTS
-
I tested the byhan-code-sign-user using the script here:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

That covers with and without an Yubikey and creating a
privkey with or without a password

To execute it, create a test.tar.xz files with efi and linux modules,
install gnutls-bin, yubico-piv-tool, libnss3-tools and run
./dak-codesign-test.sh test.tar.xz
It should work with a yubikey with default configuration (key and pin
code), otherwise you will need to adjust those parameters in the script.

Changes from last version:
- remove byhan-code-sign-user-exp, now the expect script is
embedded in this one
- style changes
- changes in config variables to support signing with and
without token
- fixed bugs when running with or without pin
- fix linux signing with token
- add more doc and example in the base config file
---
 config/debian-security/byhand-code-sign.conf | 43 
 config/debian/byhand-code-sign.conf  | 43 
 scripts/debian/byhand-code-sign-user | 99 
 3 files changed, 185 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign-user

diff --git a/config/debian-security/byhand-code-sign.conf 
b/config/debian-security/byhand-code-sign.conf
new file mode 100644
index 000..7818b8d
--- /dev/null
+++ b/config/debian-security/byhand-code-sign.conf
@@ -0,0 +1,43 @@
+# Configuration for byhand-sign shell script
+
+# The directory of the certificate database created with certutil
+# where the certificate and possibly the private key (if a token
+# is not used) for signing efi images are stored
+#EFI_CERT_DIR=/etc/dak/efi/certdir
+EFI_CERT_DIR=
+
+# The name that identifies the certificate in the certificate
+# database or in the token.
+# Yubikey is usually "Certificate for Digital Signature"
+# The label can be verified by executing:
+# pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O
+EFI_CERT_NAME="Certificate for Digital Signature"
+
+# The label of the token as shown in `p11tool --list-tokens`
+# Set to "NSS Certificate DB" if the private key is in the certificate
+# database and a token will not be used
+#EFI_TOKEN_NAME="NSS Certificate DB"
+EFI_TOKEN_NAME="PIV_II (PIV Card Holder pin)"
+
+# The token pin or the certificate database slot password (if a
+# token is not used) for signing efi images. This is optional in
+# case a token is not used and no slot password is set
+#EFI_SIGN_PIN=123456
+
+# The sign-file linux program to sign modules
+#LINUX_SIGNFILE=/usr/lib/linux-kbuild-4.6/scripts/sign-file
+LINUX_SIGNFILE=
+
+# The private key to use to sign the kernel modules or the token URI
+# as shown by `p11tool --list-tokens`
+#LINUX_MODULES_PRIVKEY=/etc/dak/efi/kernel-key.rsa
+LINUX_MODULES_PRIVKEY="pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29"
+
+# The certificate to verify the kernel modules signature
+#LINUX_MODULES_CERT=/etc/dat/efi/kernel-cert.pem
+LINUX_MODULES_CERT=
+
+# The token pin or the certificate database slot password (if a
+# token is not used) for signing kernel modules. This is optional in
+# case no slot password is set
+#LINUX_SIGN_PIN=123456
diff --git a/config/debian/byhand-code-sign.conf 
b/config/debian/byhand-code-sign.conf
new file mode 100644
index 000..7818b8d
--- /dev/null
+++ b/config/debian/byhand-code-sign.conf
@@ -0,0 +1,43 @@
+# Configuration for byhand-sign shell script
+
+# The directory of the certificate database created with certutil
+# where the certificate and possibly the private key (if a token
+# is not used) for signing efi images are stored
+#EFI_CERT_DIR=/etc/dak/efi/certdir
+EFI_CERT_DIR=
+
+# The name that identifies the certificate in the certificate
+# database or in the token.
+# Yubikey is usually "Certificate for Digital Signature"
+# The label can be verified by executing:
+# pkcs11-tool

Bug#821051: [PATCH v3 2/3] byhand-code-sign: intermediate script for code sign

2016-11-15 Thread Helen Koike 
This script is meant to be called by AutomaticByHandPackages mechanism,
it will receive the a .tar.xz file with efi images and/or linux
modules, call byhand-code-sign-user as codesign user to generate another
.tar.xz with detached signatures and publish it in the 
$ftpdir/dists/$suitedir/main/code-sign/

Contributions:
Ben Hutchings 
---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

 scripts/debian/byhand-code-sign | 52 +
 1 file changed, 52 insertions(+)
 create mode 100755 scripts/debian/byhand-code-sign

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
new file mode 100755
index 000..f3eceab
--- /dev/null
+++ b/scripts/debian/byhand-code-sign
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -u
+set -e
+set -o pipefail
+
+if [ $# -lt 5 ]; then
+   echo "Usage: $0 filename version arch changes_file suite"
+   exit 1
+fi
+
+IN_TARBALL="$1"# Tarball to read, compressed with xz
+VERSION="$2"
+ARCH="$3"
+CHANGES="$4"   # Changes file for the upload
+SUITE="$5"
+
+error() {
+   echo >&2 "E: $*"
+   exit 1
+}
+
+# Read dak configuration for security or main archive.
+# Also determine subdirectory for the suite.
+case "$0" in
+/srv/security-master.debian.org/*)
+   configdir="/srv/security-master.debian.org/dak/config/debian-security"
+   suitedir="$SUITE/updates"
+   ;;
+/srv/ftp-master.debian.org/*)
+   configdir="/srv/ftp-master.debian.org/dak/config/debian"
+   suitedir="$SUITE"
+   ;;
+*)
+   error "$0: Can't tell if security or not"
+   ;;
+esac
+. "$configdir/vars"
+
+TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
+OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
+OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
+
+# Check that this source/arch/version hasn't already been signed
+if [ -e "$OUT_TARBALL" ]; then
+   error "Signature tarball already exists: $OUT_TARBALL"
+fi
+
+mkdir -p "${OUT_TARBALL%/*}"
+
+sudo -u codesign "${0%/*}/byhand-code-sign-user" 
"$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL"
+echo "I: Created $OUT_TARBALL"
-- 
2.7.4

Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign

2016-11-15 Thread Helen Koike 
Add linux, grub2 and fwupdate to publish their signatures by calling
byhand-code-sign as they are supposed to have a *-signed version

NOTE: this bypass embargoed updates. The proposed solution for this is by
making dak to publish the *-signed packages automatically, this will be
implemented in incremental basis as we advance to have a base code of the
*-signed packages

Contributions:
Ben Hutchings 

---

This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: 
https://github.com/helen-fornazier/dak/tree/review

To test it, after building the package (grub, linux or fwupdate) create
a file called ${package}-code-sign_${version}_${arch}.tar.xz
with the efi images or kernel modules to be signed

After building the package, add the file in the changes file:

> changestool ${package}-code-sign_${version}_${arch}.changes addrawfile 
> ${package}-code-sign_${version}_${arch}.tar.xz

Edit the .changes file to replace the double dashes by "byhand optional"

> sed -i -e "s/- - ${package}-code-sign_${version}_${arch}.tar.xz/byhand 
> optional ${package}-code-sign_${version}_${arch}.tar.xz/g" 
> ${package}-code-sign_${version}_${arch}.changes

Sign the .changes file
> gpg --clearsign ${package}-code-sign_${version}_${arch}.changes
> mv ${package}-code-sign_${version}_${arch}.changes.asc 
> ${package}-code-sign_${version}_${arch}.changes

Add to uncheck queue
> cp -r ../* /srv/dak/queue/unchecked/

Process the package
> dak process-upload -d /srv/dak/queue/unchecked
---
 config/debian-security/dak.conf | 24 
 config/debian/dak.conf  | 21 +
 2 files changed, 45 insertions(+)

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f342a55..dbf5395 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -127,6 +127,30 @@ SuiteMappings
   "reject oldoldstable";
 };
 
+AutomaticByHandPackages
+{
+  "linux-code-sign" {
+Source "linux";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+Source "grub2";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+Source "fwupdate";
+Section "byhand";
+Extension "tar.xz";
+Script 
"/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+};
+
 Dir
 {
   Base "/srv/security-master.debian.org/";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 10322cc..6de05f2 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -185,6 +185,27 @@ AutomaticByHandPackages {
 Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di";
   };
 
+  "linux-code-sign" {
+Source "linux";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "grub2-code-sign" {
+Source "grub2";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
+  "fwupdate-code-sign" {
+Source "fwupdate";
+Section "byhand";
+Extension "tar.xz";
+Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign";
+  };
+
   "tag-overrides" {
 Source "tag-overrides";
 Section "byhand";
-- 
2.7.4

Bug#821051: Need support for uploading and signing EFI executables

2016-10-21 Thread Helen Koike 



On 2016-10-18 07:34 PM, Ansgar Burchardt wrote:

Ben Hutchings writes:

On Tue, 2016-10-18 at 22:55 +0200, Ansgar Burchardt wrote:

Is there any documentation how this is supposed to work?


Nothing comprehensive as yet.  Where should it go?


It doesn't need to be comprehensive.  I just would like to understand
what needs to happen.


What uses the signatures the archive is planned to write to dists/*?


Scripts for preparing the source packages that build signed binaries.
(Which will probably be included in those source packages, but don't
have to be.)


How does building signed binaries work? That sounds like the signature
gets merged into the binaries dak signed in some way?


It looks wrong to bypass embargoed for the signatures. We avoid showing
which packages will get security updates in the future.


That's a fair point.  But they need to be findable by a maintainer who
doesn't have access to embargoed packages in general.  How about using
a hash of the changelog?


Wouldn't the maintainer need access to the embargoed binaries as well as
the signatures to prepare the signed version?



As we briefly discussed on irc, we could solve all this by making dak to 
publish the -signed packages automatically, is this a good solution? 
Please, let me know your opinion so I can go ahead and implement a first 
version of it.


Thanks
Helen Koike

Bug#820050: Monolithic grub for signing (grub2-signed/secure-boot)

2016-10-20 Thread Helen Koike 

Hi,

To be able to create grub2-signed package we need a monolithic version 
of grub available, as grub doesn't know how verify the signatures of its 
modules loaded from the disk, so we need a monolithic version containing 
grub and all it's modules into a single image to be signed. Then 
grub2-signed package can depend on the signature and on monolithic grub 
package to be used when secure boot is enabled.


So I was wondering it is would be ok to change the packages 
grub-efi-deb to create a monolithic version of grub or if it will be 
preferable to create a grub-efi-monolithicdeb, or do you have any 
other idea?


Thanks
Helen Koike

Bug#821051: [PATCH v2] byhand-code-sign: sign using another user

2016-10-06 Thread Helen Koike 
---

Hi,

Thanks Jakub for your review.
I modified the script to read the .tar.xz from stdin and output the 
-sign.tar.xz to stdout.
It is also available here: https://github.com/helen-fornazier/dak

Changes since last version:
- add quotes around variables
- remove unnecessary chmod 700
- receive tar.xz from stdin in byhand-code-sign-user script
- generate the -sign.tar.xz to stdout in byhand-code-sign-user script

I would appreciate if someone could review this version
Thank you

Helen


 scripts/debian/byhand-code-sign  | 104 +---
 scripts/debian/byhand-code-sign-user | 135 +++
 scripts/debian/byhand-code-sign-user-exp |  17 
 3 files changed, 154 insertions(+), 102 deletions(-)
 create mode 100755 scripts/debian/byhand-code-sign-user
 create mode 100755 scripts/debian/byhand-code-sign-user-exp

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index fbd6855..18bd09e 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -20,8 +20,6 @@ error() {
exit 1
 }
 
-export OPENSSL_CONF=/dev/null
-
 # Read dak configuration for security or main archive.
 # Also determine subdirectory for the suite.
 case "$0" in
@@ -39,14 +37,6 @@ case "$0" in
 esac
 . "$configdir/vars"
 
-# Read and trivially validate our configuration
-. "$configdir/byhand-code-sign.conf"
-for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \
-  LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do
-   test -v $var || error "$var is not defined in configuration"
-   test -n "${!var}" || error "$var is empty in configuration"
-done
-
 TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
 OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
 OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
@@ -56,99 +46,9 @@ if [ -e "$OUT_TARBALL" ]; then
error "Signature tarball already exists: $OUT_TARBALL"
 fi
 
-# If we fail somewhere, cleanup the temporary directories
-IN_DIR=
-OUT_DIR=
-CERT_DIR=
-cleanup() {
-   for dir in "$IN_DIR" "$OUT_DIR" "$CERT_DIR"; do
-   test -z "$dir" || rm -rf "$dir"
-   done
-}
-trap cleanup EXIT
-
-# Extract the data into the input directory
-IN_DIR="$(mktemp -td byhand-code-sign-in.XX)"
-tar xaf "$IN_TARBALL" --directory="$IN_DIR"
-
-case "$EFI_BINARY_PRIVKEY" in
-pkcs11:*)
-   # Translate from OpenSSL PKCS#11 enigne syntax to pesign parameters
-   # See: 
https://sources.debian.net/src/engine-pkcs11/0.2.2-1/src/engine_pkcs11.c
-   pkcs11_pin_value=
-   old_IFS="$IFS"
-   IFS=';'
-   for kv in ${EFI_BINARY_PRIVKEY#pkcs11:}; do
-   case "$kv" in
-   token=*)
-   pkcs11_token="${kv#*=}"
-   ;;
-   object=*)
-   pkcs11_object="${kv#*=}"
-   ;;
-   pin-value=*)
-   pkcs11_pin_value="${kv#*=}"
-   ;;
-   esac
-   done
-   IFS="$old_IFS"
-   unset old_IFS
-   # TODO: unlock it
-   PESIGN_PARAMS=(-t "$pkcs11_token" -c "$pkcs11_object")
-   ;;
-*)
-   # Create certificate store for pesign
-   CERT_DIR="$(mktemp -td byhand-code-sign-cert.XX)"
-   chmod 700 "$CERT_DIR"
-   mkdir "$CERT_DIR/store"
-   certutil -N --empty-password -d "$CERT_DIR/store"
-   openssl pkcs12 -export \
-   -inkey "$EFI_BINARY_PRIVKEY" -in "$EFI_BINARY_CERT" \
-   -out "$CERT_DIR/efi-image.p12" -passout pass: \
-   -name efi-image
-   pk12util -i "$CERT_DIR/efi-image.p12" -d "$CERT_DIR/store" -K '' -W ''
-   PESIGN_PARAMS=(-n "$CERT_DIR/store" -c efi-image)
-   ;;
-esac
-
-# Create hierarchy of detached signatures in parallel to the uploaded files
-OUT_DIR="$(mktemp -td byhand-code-sign-out.XX)"
-while read filename; do
-   mkdir -p "$OUT_DIR/${filename%/*}"
-   case "${filename##*/}" in
-   *.efi | vmlinuz-*)
-   pesign -i "$IN_DIR/$filename" \
-  --export-signature "$OUT_DIR/$filename.sig" --sign \
-  -d sha256 "${PESIGN_PARAMS[@]}"
-   ;;
-   *.ko)
-   "$LINUX_SIGNFILE" -d sha256 "$LINUX_MODULE_PRIVKEY" \
-   "$LINUX_MODULE_CERT" "$IN_DIR/$filename"
-   mv "$IN_DIR/$filename.p7s" "$OUT_DIR/$filename.sig"
-   ;;
-   *)
-   echo >&2 "W: Not signing unrecognised file: $filename"
-   continue
-   ;;
-   esac
-   if [ ${#filename} -gt 60 ]; then
-   filename_trunc="...${filename:$((${#filename} - 57)):57}"
-   else
-   filename_trunc="$filename"
-   fi
-   printf 'I: Signed %-60s\r' "$filename_trunc"
-done < <(find "$IN_DIR" -type f -printf '%P\n')
-
-# Clear last progress message
-printf '%-70s\r' ''
+mkdir -p "${OUT_TARBALL%/*}"
 
-# Build tarball of

Bug#821051: git branch with code signing script

2016-09-28 Thread Helen Koike 

Hi,

On Sun, 25 Sep 2016 01:06:06 +0100 Ben Hutchings <b...@decadent.org.uk> wrote:
> I've pushed all my changes to a git repo at:
> https://git.decadent.org.uk/git/dak.git
>
> Ben.
>
> --
> Ben Hutchings
> No political challenge can be met by shopping. - George Monbiot

I modified this code and also got some code from Julien Cristau to sign the 
packages as another user, please, see patch below and let me know your feedback.
The following patch applies on top of https://git.decadent.org.uk/git/dak.git
I didn't teste with a real token because I don't have one, could someone check 
this please?

Thank you
Helen Koike

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign
index fbd6855..6b48d26 100755
--- a/scripts/debian/byhand-code-sign
+++ b/scripts/debian/byhand-code-sign
@@ -20,8 +20,6 @@ error() {
exit 1
 }
 
-export OPENSSL_CONF=/dev/null
-
 # Read dak configuration for security or main archive.
 # Also determine subdirectory for the suite.
 case "$0" in
@@ -39,116 +37,12 @@ case "$0" in
 esac
 . "$configdir/vars"
 
-# Read and trivially validate our configuration
-. "$configdir/byhand-code-sign.conf"
-for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \
-  LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do
-   test -v $var || error "$var is not defined in configuration"
-   test -n "${!var}" || error "$var is empty in configuration"
-done
-
 TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
 OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
 OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
 
-# Check that this source/arch/version hasn't already been signed
-if [ -e "$OUT_TARBALL" ]; then
-   error "Signature tarball already exists: $OUT_TARBALL"
-fi
-
-# If we fail somewhere, cleanup the temporary directories
-IN_DIR=
-OUT_DIR=
-CERT_DIR=
-cleanup() {
-   for dir in "$IN_DIR" "$OUT_DIR" "$CERT_DIR"; do
-   test -z "$dir" || rm -rf "$dir"
-   done
-}
-trap cleanup EXIT
-
-# Extract the data into the input directory
-IN_DIR="$(mktemp -td byhand-code-sign-in.XX)"
-tar xaf "$IN_TARBALL" --directory="$IN_DIR"
-
-case "$EFI_BINARY_PRIVKEY" in
-pkcs11:*)
-   # Translate from OpenSSL PKCS#11 enigne syntax to pesign parameters
-   # See: 
https://sources.debian.net/src/engine-pkcs11/0.2.2-1/src/engine_pkcs11.c
-   pkcs11_pin_value=
-   old_IFS="$IFS"
-   IFS=';'
-   for kv in ${EFI_BINARY_PRIVKEY#pkcs11:}; do
-   case "$kv" in
-   token=*)
-   pkcs11_token="${kv#*=}"
-   ;;
-   object=*)
-   pkcs11_object="${kv#*=}"
-   ;;
-   pin-value=*)
-   pkcs11_pin_value="${kv#*=}"
-   ;;
-   esac
-   done
-   IFS="$old_IFS"
-   unset old_IFS
-   # TODO: unlock it
-   PESIGN_PARAMS=(-t "$pkcs11_token" -c "$pkcs11_object")
-   ;;
-*)
-   # Create certificate store for pesign
-   CERT_DIR="$(mktemp -td byhand-code-sign-cert.XX)"
-   chmod 700 "$CERT_DIR"
-   mkdir "$CERT_DIR/store"
-   certutil -N --empty-password -d "$CERT_DIR/store"
-   openssl pkcs12 -export \
-   -inkey "$EFI_BINARY_PRIVKEY" -in "$EFI_BINARY_CERT" \
-   -out "$CERT_DIR/efi-image.p12" -passout pass: \
-   -name efi-image
-   pk12util -i "$CERT_DIR/efi-image.p12" -d "$CERT_DIR/store" -K '' -W ''
-   PESIGN_PARAMS=(-n "$CERT_DIR/store" -c efi-image)
-   ;;
-esac
-
-# Create hierarchy of detached signatures in parallel to the uploaded files
-OUT_DIR="$(mktemp -td byhand-code-sign-out.XX)"
-while read filename; do
-   mkdir -p "$OUT_DIR/${filename%/*}"
-   case "${filename##*/}" in
-   *.efi | vmlinuz-*)
-   pesign -i "$IN_DIR/$filename" \
-  --export-signature "$OUT_DIR/$filename.sig" --sign \
-  -d sha256 "${PESIGN_PARAMS[@]}"
-   ;;
-   *.ko)
-   "$LINUX_SIGNFILE" -d sha256 "$LINUX_MODULE_PRIVKEY" \
-   "$LINUX_MODULE_CERT" "$IN_DIR/$filename"
-   mv "$IN_DIR/$filename.p7s" "$OUT_DIR/$filename.sig"
-   ;;
-   *)
-   echo >&2 "W: Not signing unrecognised file: $filename"
-   continue
-   ;;
-   esac
-   if [ ${#filename} -gt