Bug#973692: thunderbird: I can't resize the window, part is hidden, can't read emails
Package: thunderbird
Version: 1:78.4.0-1
Followup-For: Bug #973692

Dear Maintainer,

I see the same error reported here:

> xprop -name " - Mozilla Thunderbird" WM_NORMAL_HINTS
WM_NORMAL_HINTS(WM_SIZE_HINTS):
        program specified minimum size: 1014 by 1829
        program specified maximum size: 32766 by 32766
        program specified base size: 1014 by 1829
        window gravity: NorthWest

I can't reduce the size of the window vertically; it hides part of the window and I can't read part of my email.

Maybe this is related to these issues reported upstream:
https://bugzilla.mozilla.org/show_bug.cgi?id=1674990
https://bugzilla.mozilla.org/show_bug.cgi?id=1674998

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages thunderbird depends on:
ii  debianutils         4.11.2
ii  fontconfig          2.13.1-4.2
ii  libatk1.0-0         2.36.0-2
ii  libbotan-2-15       2.15.0+dfsg-2+b1
ii  libbz2-1.0          1.0.8-4
ii  libc6               2.31-4
ii  libcairo-gobject2   1.16.0-4
ii  libcairo2           1.16.0-4
ii  libdbus-1-3         1.12.20-1
ii  libdbus-glib-1-2    0.110-5
ii  libevent-2.1-7      2.1.12-stable-1
ii  libffi7             3.3-4
ii  libfontconfig1      2.13.1-4.2
ii  libfreetype6        2.10.2+dfsg-4
ii  libgcc-s1           10.2.0-16
ii  libgdk-pixbuf2.0-0  2.40.0+dfsg-5
ii  libglib2.0-0        2.66.2-1
ii  libgtk-3-0          3.24.23-2
ii  libicu67            67.1-4
ii  libjson-c5          0.15-1
ii  libnspr4            2:4.29-1
ii  libnss3             2:3.58-1
ii  libpango-1.0-0      1.46.2-1
ii  libstdc++6          10.2.0-16
ii  libvpx6             1.8.2-1
ii  libx11-6            2:1.6.12-1
ii  libx11-xcb1         2:1.6.12-1
ii  libxcb-shm0         1.14-2
ii  libxcb1             1.14-2
ii  libxext6            2:1.3.3-1+b2
ii  libxrender1         1:0.9.10-1
ii  psmisc              23.3-1
ii  x11-utils           7.7+5
ii  zlib1g              1:1.2.11.dfsg-2

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  1:2019.10.06-1

Versions of packages thunderbird suggests:
ii  apparmor          2.13.5-1
ii  fonts-lyx         2.3.5.2-1
ii  libgssapi-krb5-2  1.17-10
ii  libgtk2.0-0       2.24.32-4

-- no debconf information
Bug#956559: gdm3: Login screen buttons aren't clickable
Package: gdm3
Version: 3.34.1-3
Severity: important

Dear Maintainer,

In my gdm3 screen: https://people.collabora.com/~koike/gdm3-screen.jpeg

Clicking on buttons on top won't do anything, and when selecting a user, clicking on the gear button to select a Desktop Environment also doesn't do anything (which is particularly annoying since I would like to switch between Gnome, Gnome on Xorg, Xfce and others).

Also, when I press enter on top of a user to add my password, the "Not listed?" appears in front as shown here: https://people.collabora.com/~koike/gdm3-screen-not-listed.jpeg

I can type my password and login normally, but it would be nice to easily switch desktop environment.

I tried switching from Wayland to Xorg by editing /etc/gdm3/daemon.conf with

WaylandEnable=false

But I get the same results.

The command:

sudo journalctl -b -g gdm

doesn't seem to show anything relevant: http://ix.io/2hMK

Please let me know where I can find relevant logs, or how I can get more information to help debug this.

Thanks a lot for your work as a maintainer.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gdm3 depends on:
ii  accountsservice                       0.6.55-1
ii  adduser                               3.118
ii  dconf-cli                             0.36.0-1
ii  dconf-gsettings-backend               0.36.0-1
ii  debconf [debconf-2.0]                 1.5.73
ii  gir1.2-gdm-1.0                        3.34.1-3
ii  gnome-session [x-session-manager]     3.36.0-2
ii  gnome-session-bin                     3.36.0-2
ii  gnome-settings-daemon                 3.36.0-1
ii  gnome-shell                           3.36.1-5
ii  gnome-terminal [x-terminal-emulator]  3.36.1.1-2
ii  gsettings-desktop-schemas             3.36.0-1
ii  libaccountsservice0                   0.6.55-1
ii  libaudit1                             1:2.8.5-3
ii  libc6                                 2.30-4
ii  libcanberra-gtk3-0                    0.30-7
ii  libcanberra0                          0.30-7
ii  libgdk-pixbuf2.0-0                    2.40.0+dfsg-4
ii  libgdm1                               3.34.1-3
ii  libglib2.0-0                          2.64.1-1
ii  libglib2.0-bin                        2.64.1-1
ii  libgtk-3-0                            3.24.18-1
ii  libkeyutils1                          1.6.1-2
ii  libpam-modules                        1.3.1-5
ii  libpam-runtime                        1.3.1-5
ii  libpam-systemd                        245.4-3
ii  libpam0g                              1.3.1-5
ii  librsvg2-common                       2.48.2-1
ii  libselinux1                           3.0-1+b2
ii  libsystemd0                           245.4-3
ii  libwrap0                              7.6.q-30
ii  libx11-6                              2:1.6.9-2
ii  libxau6                               1:1.0.8-1+b2
ii  libxcb1                               1.14-2
ii  libxdmcp6                             1:1.1.2-3
ii  lsb-base                              11.1.0
ii  mutter [x-window-manager]             3.36.1-4
ii  policykit-1                           0.105-26
ii  procps                                2:3.3.16-4
ii  terminator [x-terminal-emulator]      1.91-4
ii  ucf                                   3.0038+nmu1
ii  x11-common                            1:7.7+20
ii  x11-xserver-utils                     7.7+8
ii  xfce4-session [x-session-manager]     4.14.1-1
ii  xfwm4 [x-window-manager]              4.14.0-2

Versions of packages gdm3 recommends:
ii  at-spi2-core    2.36.0-2
ii  desktop-base    10.0.3
ii  x11-xkb-utils   7.7+5
ii  xserver-xephyr  2:1.20.8-2
ii  xserver-xorg    1:7.7+20
ii  zenity          3.32.0-5

Versions of packages gdm3 suggests:
ii  gnome-orca            3.36.1-1
pn  libpam-fprintd        <none>
ii  libpam-gnome-keyring  3.36.0-1

-- Configuration Files:
/etc/gdm3/daemon.conf changed:
[daemon]
WaylandEnable=false
[security]
[xdmcp]
[chooser]
[debug]

-- debconf information:
  gdm3/daemon_name: /usr/sbin/gdm3
* shared/default-x-display-manager: gdm3
Bug#895874: (no subject)
Hi,

I'm using a docker image "FROM debian:10", and to get git-send-email working properly, I had to install libmailtools-perl by hand. It would be great if it was added as a dependency for the package.

Thanks
Bug#932634: lintian: false-positive embedded-library libyaml due to matching string (defined in data/binaries/embedded-libs) with package rust-yaml-rust
Hi Chris,

On Fri, Jul 26, 2019 at 5:33 AM Chris Lamb wrote:
>
> Hi Helen,
>
> > right, the binary package is not called rust-bat but the source package is
> > [1].
> > Can lintian check for the source package name? (also not sure if it is
> > a good idea).
>
> It could but, alas, I think the "package exception" mechanism
> regarding the binaries/embedded-libs data file appears to use the
> binary package name...
>
> > Do you think it would be a good idea to rename the binary package?
>
> Just to silence this Lintian warning? That would seem like extreme
> overkill to me!

Regarding finding another string that is present in libyaml and not in rust-yaml-rust, do you have any suggestion at this point?

This is the output of "strings libyaml-0.so.2.0.5": http://ix.io/1PAz
And this is the output of "strings bat": http://ix.io/1PAJ

Maybe we can get a string that is not present in both and long enough to not conflict with other things? e.g.:
- "unexpected low surrogate area"
- "control characters are not allowed"
- "found a tab character where an indentation space is expected"

(I also checked that these strings are not present in the rust-yaml-rust package, in case the compiler is optimizing something when compiling bat)

What do you think?

> > Just a question regarding how lintian works: one thing that confused me is
> > that
> > bat doesn't depend on rust-yaml-rust directly, it depends on rust-syntect
> > which
> > depends on rust-yaml-rust. So I was wondering why I didn't get this
> > error in lintian when building rust-syntect.
>
> I have not checked but isn't the question/issue around Rust embedding
> the code of the library in question rather separate to the chain of
> Debian-level dependencies. In other words, isn't this apparent
> peculiarity explained by that bat embeds the rust-yaml-rust bit of
> YAML parsing/generation code whilst that bit of rust-yaml-rust isn't
> used in rust-syntect and thus is not embedded?

I just noticed that librust*.deb packages just provide source code in Rust; I think that is why the same lintian warning wasn't fired on rust-syntect (as librust-syntect-dev*.deb just provides source code). So when compiling into a final binary (bat in this case), lintian detects the embedded library.

Thanks
Helen

> Regards,
>
> --
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      la...@debian.org chris-lamb.co.uk
>        `-
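As an added illustration of the detection mechanism under discussion in this thread (example code, not lintian's own), the Python below reproduces the idea behind the embedded-libs check: extract printable strings from a binary the way `strings` does, run each candidate signature regex over that output, and keep only the candidates that hit libyaml while missing the rust-yaml-rust lookalike. The two byte blobs are constructed stand-ins containing a handful of message strings, not real ELF files, and the candidate list is the current lintian pattern followed by the three replacements proposed above.

```python
import re

# Candidate signatures: the current lintian pattern first, then the three
# strings proposed in the thread as replacements.
CANDIDATES = [
    r"(?m)^did not find expected",
    r"unexpected low surrogate area",
    r"control characters are not allowed",
    r"found a tab character where an indentation space is expected",
]

# Constructed stand-ins for the two binaries (NOT real ELF files): a few
# message strings separated by NUL bytes, enough to exercise the matching.
LIBYAML_SAMPLE = (
    b"\x7fELF\x00\x00libyaml\x00did not find expected <document start>\x00"
    b"unexpected low surrogate area\x00control characters are not allowed\x00"
)
RUST_YAML_SAMPLE = (
    b"\x7fELF\x00\x00did not find expected key\x00yaml_rust::scanner\x00"
)


def extract_strings(blob: bytes, min_len: int = 4) -> str:
    """Approximate `strings`: runs of printable ASCII of at least min_len,
    one per line, so a (?m)^ anchor behaves as it does on real output."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return "\n".join(r.decode("ascii") for r in runs)


def matching_signatures(strings_output: str, candidates) -> list:
    """Every candidate regex that matches the given strings output."""
    return [c for c in candidates if re.search(c, strings_output)]


def discriminating_signatures(target: bytes, lookalike: bytes, candidates) -> list:
    """Candidates that match the real library but not the lookalike, i.e.
    the ones that would not raise this false positive."""
    target_out = extract_strings(target)
    lookalike_out = extract_strings(lookalike)
    return [
        c for c in candidates
        if re.search(c, target_out) and not re.search(c, lookalike_out)
    ]


if __name__ == "__main__":
    print("current pattern also hits the rust-yaml-rust stand-in:",
          matching_signatures(extract_strings(RUST_YAML_SAMPLE), CANDIDATES[:1]))
    print("candidates that only hit libyaml:",
          discriminating_signatures(LIBYAML_SAMPLE, RUST_YAML_SAMPLE, CANDIDATES))
```

Running it shows the current pattern matching both stand-ins (the false positive) and reports the two proposed strings that appear in the libyaml sample only; the fourth candidate is dropped because it occurs in neither, which is the check one would want before adding a signature to the data file.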
Bug#932634: lintian: false-positive embedded-library libyaml due to matching string (defined in data/binaries/embedded-libs) with package rust-yaml-rust
Hi Chris,

On Wed, Jul 24, 2019 at 2:51 PM Chris Lamb wrote:
>
> tags 932634 + moreinfo
> thanks
>
> Hi Helen,
>
> > In lintian/data/binaries/embedded-libs, the criterion to detect if a
> > library was linked statically against libyaml is to verify the string:
> >
> > libyaml ||(?m)^did not find expected
> >
> > But this string is also found in package rust-yaml-rust.
>
> Indeed. So, I'm not sure how Lintian is meant to "know" that this is
> from the Rust version of YAML over the libyaml version. If bat was
> called, say, "rust-bat" instead then we could use embedded-libs's
> ability to filter via a regular expression, but that is alas not the
> case. Any ideas...?

right, the binary package is not called rust-bat but the source package is [1].
Can lintian check for the source package name? (also not sure if it is a good idea).

Do you think it would be a good idea to rename the binary package?

Or maybe we could try to find another string that is present in libyaml and not in rust-yaml-rust.

Just a question regarding how lintian works: one thing that confused me is that bat doesn't depend on rust-yaml-rust directly, it depends on rust-syntect which depends on rust-yaml-rust. So I was wondering why I didn't get this error in lintian when building rust-syntect.

[1] https://ftp-master.debian.org/new/rust-bat_0.11.0-1.html

Thanks
Helen

> Best wishes,
>
> --
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      la...@debian.org chris-lamb.co.uk
>        `-
Bug#932634: lintian: false-positive embedded-library libyaml due to matching string (defined in data/binaries/embedded-libs) with package rust-yaml-rust
Package: lintian
Version: 2.15.0
Severity: important

Dear Maintainer,

In lintian/data/binaries/embedded-libs, the criterion to detect if a library was linked statically against libyaml is to verify the string:

libyaml ||(?m)^did not find expected

But this string is also found in package rust-yaml-rust. This caused a false positive when packaging bat [1].

[1] https://alioth-lists.debian.net/pipermail/pkg-rust-maintainers/2019-July/006335.html

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils                       2.32.51.20190707-1
ii  bzip2                          1.0.6-9.2
ii  diffstat                       1.62-1
ii  dpkg                           1.19.7
ii  dpkg-dev                       1.19.7
ii  file                           1:5.35-4
ii  gettext                        0.19.8.1-9
ii  gpg                            2.2.13-2
ii  intltool-debian                0.35.0+20060710.5
ii  libapt-pkg-perl                0.1.36+b1
ii  libarchive-zip-perl            1.64-1
ii  libcapture-tiny-perl           0.48-1
ii  libcgi-pm-perl                 4.40-1
ii  libclass-accessor-perl         0.51-1
ii  libclone-perl                  0.41-1+b1
pn  libdigest-sha-perl             <none>
ii  libdpkg-perl                   1.19.7
ii  libemail-valid-perl            1.202-1
ii  libfile-basedir-perl           0.08-1
ii  libio-async-perl               0.72-1
ii  libipc-run-perl                20180523.0-1
ii  liblist-moreutils-perl         0.416-1+b4
ii  libparse-debianchangelog-perl  1.2.0-13
ii  libpath-tiny-perl              0.108-1
ii  libtext-levenshtein-perl       0.13-1
ii  libtimedate-perl               2.3000-2
ii  libtry-tiny-perl               0.30-1
ii  liburi-perl                    1.76-1
ii  libxml-simple-perl             2.25-1
ii  libyaml-libyaml-perl           0.76+repack-1
ii  man-db                         2.8.5-2
ii  patchutils                     0.3.4-2
ii  perl                           5.28.1-6
ii  t1utils                        1.41-3
ii  xz-utils                       5.2.4-1

Versions of packages lintian recommends:
ii  libperlio-gzip-perl  0.19-1+b5

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  libhtml-parser-perl    3.72-3+b3
ii  libtext-template-perl  1.55-1

-- no debconf information
Bug#907080: bat
On Fri, 25 Jan 2019 10:17:43 +0100 Paride Legovini wrote:
> Gürkan Myczko wrote on 25/01/2019:
> > Hello
> >
> > My colleagues would like to know if this will make it into buster or not?
> >
> > Best,
>
> Hello Gürkan,
>
> I very much doubt it will, unfortunately: there are still a lot of
> missing dependencies to be packaged.
>
> Paride
>

Hi,

I just updated bat and added the missing dependencies in debcargo-conf [1]. If anyone could review it (and hopefully release it), it would be great.

[1] https://salsa.debian.org/rust-team/debcargo-conf/merge_requests/44

Thanks
Helen
Bug#895575: closed by Hanno 'Rince' Wagner (Mailing list created)
Hi Hanno,

Thank you, but there is a typo in the name of the list, it should end with an 's' -> s/debian-mulhere/debian-mulheres
Could you please rename it?

Thanks

On Wed, Oct 3, 2018 at 2:21 PM Debian Bug Tracking System wrote:
>
> This is an automatic notification regarding your Bug report
> which was filed against the lists.debian.org package:
>
> #895575: lists.debian.org: Request for a new mailing list: debian-mulheres
> (debian-woman for Portuguese speakers)
>
> It has been closed by Hanno 'Rince' Wagner .
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Hanno 'Rince' Wagner
> by replying to this email.
>
>
> --
> 895575: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895575
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
>
> -- Forwarded message --
> From: "Hanno 'Rince' Wagner"
> To: 895575-d...@bugs.debian.org
> Cc:
> Bcc:
> Date: Wed, 3 Oct 2018 19:10:09 +0200
> Subject: Mailing list created
>
> Hi,
>
> the mailing list
> debian-mulh...@lists.debian.org
>
> has been created per your request. Please use it wisely.
>
> best regards, Hanno Wagner, Listmaster of the day
> --
> | Hanno Wagner | Member of the HTML Writers Guild | Rince@IRC |
> | Commercial use of my e-mail addresses is not permitted! |
> | 74 a3 53 cc 0b 19 - we did it! | Generation @ |
> Computing jargon: IT officer
> -> volunteer post for "the one who knows about computers".
> Dieter Funck
>
>
> -- Forwarded message --
> From: Helen Koike
> To: Debian Bug Tracking System
> Cc:
> Bcc:
> Date: Thu, 12 Apr 2018 17:59:17 -0300
> Subject: lists.debian.org: Request for a new mailing list: debian-mulheres
> (debian-woman for Portuguese speakers)
>
> Package: lists.debian.org
> Severity: wishlist
>
> Dear Maintainer,
>
> Name:
> -----
> debian-mulheres
>
>
> Rationale:
> ----------
> The following women present at the MiniDebConf at Curitiba Brazil:
> * Helen Koike
> * Foz
> * Renata (rsip22)
> * Ana Mendes
> would like to create a version of the debian women list for Portuguese
> speakers to promote diversity in Debian (mainly in Brazil) and to remove
> a possible language barrier for newcomers.
> FYI: Mulheres means women in Portuguese
>
>
> Short description:
> ------------------
> Debian women for Portuguese speakers
>
>
> Long description:
> -----------------
> Debian users and developers who wish to involve more women,
> trans, non-binary and gender non-conforming people in the Debian project. For
> discussion and sharing of ideas as well as project collaboration in
> Portuguese.
>
>
> Category
> --------
> Miscellaneous Debian
>
>
> Subscription Policy
> -------------------
> Open
>
>
> Post Policy
> -----------
> Open
>
>
> Web Archive
> -----------
> Yes
>
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled

-- 
Helen Koike
Bug#877557: gtk-recordmydesktop: I have the same error
Package: gtk-recordmydesktop
Version: 0.3.8-4.1
Followup-For: Bug #877557

I am getting the same error. I believe this started happening when I migrated to Wayland.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gtk-recordmydesktop depends on:
ii  python           2.7.15-3
ii  python-gtk2      2.24.0-5.1+b1
ii  python2.7        2.7.15-4
ii  recordmydesktop  0.3.8.1+svn602-1+b2

gtk-recordmydesktop recommends no packages.

gtk-recordmydesktop suggests no packages.

-- no debconf information
Bug#908769: Removing extensions fixed the problem
I saw in the log some issues with extensions (see below). So I saw through https://extensions.gnome.org/local/ that there were some extensions in "ERROR" state. I removed those and now it works; more specifically I removed workspace-grid.

Sep 16 13:08:15 floko gnome-software[21013]: no app for changed window-l...@gnome-shell-extensions.gcampax.github.com
Sep 16 13:08:15 floko gnome-shell[20848]: Object St.Bin (0x5579a3f83fa0), has been already deallocated - impossible to access to it. This might be caused by the fact that the object has been destroyed from C code using something such as destroy(), dispose(), or remove() vfuncs
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: == Stack trace for context 0x5579a28be340 ==
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #0 0x5579a2c874a0 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:947 (0x7fe15c9041a8 @ 275)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #1 0x5579a2c87408 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:937 (0x7fe15c904120 @ 128)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #2 0x5579a2c87368 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1102 (0x7fe15c9044d8 @ 296)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #3 0x5579a2c872d8 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1280 (0x7fe15c9049a0 @ 16)
..

I attached the full log.

Now I wonder if this is a bug in the extension or if gnome-shell shouldn't allow this bug to happen.

Sep 16 13:08:15 floko gnome-shell[1034]: Screen lock is locked down, not locking
Sep 16 13:08:15 floko gnome-shell[1034]: Failed to set power save mode for output DP-3: Permission denied
Sep 16 13:08:15 floko gnome-shell[1034]: Failed to set power save mode for output eDP-1: Permission denied
Sep 16 13:08:15 floko gnome-shell[1034]: An active wireless connection, in infrastructure mode, involves no access point?
Sep 16 13:08:15 floko gnome-software[21013]: no app for changed window-l...@gnome-shell-extensions.gcampax.github.com
Sep 16 13:08:15 floko gnome-shell[20848]: Object St.Bin (0x5579a3f83fa0), has been already deallocated - impossible to access to it. This might be caused by the fact that the object has been destroyed from C code using something such as destroy(), dispose(), or remove() vfuncs
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #0 0x5579a2c874a0 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:947 (0x7fe15c9041a8 @ 275)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #1 0x5579a2c87408 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:937 (0x7fe15c904120 @ 128)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #2 0x5579a2c87368 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1102 (0x7fe15c9044d8 @ 296)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #3 0x5579a2c872d8 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1280 (0x7fe15c9049a0 @ 16)
Sep 16 13:08:15 floko gnome-shell[20848]: Object St.Bin (0x5579a3f85500), has been already deallocated - impossible to access to it. This might be caused by the fact that the object has been destroyed from C code using something such as destroy(), dispose(), or remove() vfuncs
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #0 0x5579a2c874a0 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:948 (0x7fe15c9041a8 @ 304)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #1 0x5579a2c87408 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:937 (0x7fe15c904120 @ 128)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #2 0x5579a2c87368 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1102 (0x7fe15c9044d8 @ 296)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #3 0x5579a2c872d8 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1280 (0x7fe15c9049a0 @ 16)
Sep 16 13:08:15 floko gnome-shell[20848]: Object St.Bin (0x5579a3f85500), has been already finalized. Impossible to set any property to it.
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #0 0x5579a2c87368 i   /home/koike/.local/share/gnome-shell/extensions/workspace-g...@mathematical.coffee.gmail.com/extension.js:1104 (0x7fe15c9044d8 @ 339)
Sep 16 13:08:15 floko org.gnome.Shell.desktop[20848]: #1 0x5579a2c872d8 i
Bug#908769: How to reproduce
I can reproduce it consistently now: it always happens when the machine returns from suspend, I log in and I press the super key.
Bug#908769: gnome-shell: freeze when super (windows) key is pressed
Package: gnome-shell
Version: 3.30.0-1
Severity: important

Dear Maintainer,

When pressing the super key, sometimes the screen just shows the greyed background, without the search input on the top, nor the workspace bar on the right, nor the favorites bar on the left, nor the reduced application windows in the center; it just shows the top bar and the greyed background. I can see the mouse cursor and move it, but clicking doesn't do much.

It is not easy to reproduce but it is happening quite often (about once every 2 hours).

I found the following errors in the logs:

Sep 12 19:18:51 floko gnome-shell[2073]: JS ERROR: TypeError: this._init is undefined
                                         _Base.prototype._construct@resource:///org/gnome/gjs/modules/_legacy.js:18:5
                                         Class.prototype._construct/newClass@resource:///org/gnome/gjs/modules/_legacy.js:114:32
                                         _updateWorkspacesViews@resource:///org/gnome/shell/ui/workspacesView.js:572:24
                                         wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                         show@resource:///org/gnome/shell/ui/workspacesView.js:502:9
                                         wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                         show@resource:///org/gnome/shell/ui/viewSelector.js:285:9
                                         wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                         _animateVisible@resource:///org/gnome/shell/ui/overview.js:554:9
                                         wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                         show@resource:///org/gnome/shell/ui/overview.js:540:9
                                         wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                         toggle@resource:///org/gnome/shell/ui/overview.js:670:13
                                         wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                         _initializeUI/<@resource:///org/gnome/shell/ui/main.js:197:13
Sep 12 19:19:02 floko org.gnome.Shell.desktop[2073]: libinput error: event12 - DLL06E4:01 06CB:7A13 Touchpad: kernel bug: Touch jump detected and discarded.
Sep 12 19:19:02 floko org.gnome.Shell.desktop[2073]: See https://wayland.freedesktop.org/libinput/doc/1.12.0/touchpad-jumping-cursor.html for details
Sep 12 19:19:18 floko kernel: nouveau :01:00.0: bus: MMIO read of FAULT at 619444 [ IBUS ]
Sep 12 19:19:18 floko kernel: rfkill: input handler enabled
Sep 12 19:19:22 floko gdm-password][13776]: gkr-pam: unlocked login keyring
Sep 12 19:19:22 floko kernel: rfkill: input handler disabled
Sep 12 19:19:22 floko gnome-shell[2073]: JS ERROR: Exception in callback for signal: monitors-changed: TypeError: this._activeWorkspaceChanged is undefined
                                         _createThumbnails@resource:///org/gnome/shell/ui/workspaceThumbnail.js:880:1
                                         wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
                                         _init/<@resource:///org/gnome/shell/ui/workspaceThumbnail.js:684:17
                                         _emit@resource:///org/gnome/gjs/modules/signals.js:128:27
                                         _monitorsChanged@resource:///org/gnome/shell/ui/layout.js:530:9
                                         wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22
Sep 12 19:19:25 floko kernel: rfkill: input handler enabled

It seems that this was also reported in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/gnome-shell/+bug/1788691?comments=all

It usually happens when I am using chromium, but I am not sure if this is related.

Please, let me know if I shouldn't report it here as it was already reported in Ubuntu.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-shell depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.30.0-1
ii  evolution-data-server                        3.30.0-1
ii  gir1.2-accountsservice-1.0                   0.6.45-1
ii  gir1.2-atspi-2.0                             2.28.0-3
ii  gir1.2-freedesktop                           1.58.0-1
ii  gir1.2-gcr-3                                 3.28.0-1
ii  gir1.2-gdesktopenums-3.0                     3.28.0-1
ii  gir1.2-gdm-1.0                               3.28.2-4
ii  gir1.2-geoclue-2.0                           2.4.12-2
ii
Bug#908287: /usr/bin/mc: Custom hide/show panel keybind doesn't work for "show"
Package: mc
Version: 3:4.8.21-1
Severity: normal
File: /usr/bin/mc

Dear Maintainer,

I am trying to modify the Shell keybind from midnight commander. So I did the following:

cp /etc/mc/mc.keymap ~/.config/mc/

And edited all occurrences of "Shell = ctrl-o" to another keybinding (I tested with several others), e.g. "Shell = alt-q"

Now, when I open mc and I type alt-q, it hides the panel and goes to the prompt shell, but if I hit alt-q again nothing happens; I need to hit ctrl-o to make the panel appear again. But I removed all occurrences of ctrl-o from ~/.config/mc/mc.keymap, so it seems that ctrl-o is hardcoded somewhere else.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mc depends on:
ii  libc6         2.27-5
ii  libext2fs2    1.44.4-2
ii  libglib2.0-0  2.58.0-1
ii  libgpm2       1.20.7-5
ii  libslang2     2.3.2-1+b1
ii  libssh2-1     1.8.0-2
ii  mc-data       3:4.8.21-1

Versions of packages mc recommends:
ii  mime-support  3.61
ii  perl          5.26.2-7
ii  unzip         6.0-21

Versions of packages mc suggests:
pn  arj                                <none>
ii  bzip2                              1.0.6-9
pn  dbview                             <none>
pn  djvulibre-bin                      <none>
ii  evince [pdf-viewer]                3.30.0-1
ii  file                               1:5.34-2
ii  genisoimage                        9:1.1.11-3+b2
pn  gv                                 <none>
ii  imagemagick                        8:6.9.10.8+dfsg-1
ii  imagemagick-6.q16 [imagemagick]    8:6.9.10.8+dfsg-1
pn  libaspell-dev                      <none>
ii  lynx                               2.8.9rel.1-2
pn  odt2txt                            <none>
ii  poppler-utils                      0.63.0-2
ii  python                             2.7.15-3
pn  python-boto                        <none>
ii  python-tz                          2018.5-1
ii  texlive-binaries                   2018.20180824.48463-1
ii  zip                                3.0-11+b1

-- no debconf information
Bug#905319: bug in dell's firmware
It seems this is a bug in Dell's firmware. Sledge helped with a workaround: configure grub to self-install in the EFI removable media path (which is a fallback path for the firmware).

dpkg-reconfigure grub-efi-amd64

And select Yes in "Force extra installation to the EFI removable media path?"

Then grub will also install itself at /boot/efi/EFI/BOOT/BOOTX64.EFI
Bug#904811: workaround
I found the documentation to fix this:
https://pbuilder-docs.readthedocs.io/en/latest/faq.html#avoiding-the-ln-invalid-cross-device-link-message

We just need to set:

APTCACHEHARDLINK=no

But it would be nice if it could detect this automatically, so I'm moving this bug to wishlist.
Bug#904811: /usr/bin/pbuilder-dist: pbuild-dist fails when /home is in a different partition
Package: ubuntu-dev-tools
Version: 0.165
Severity: important
File: /usr/bin/pbuilder-dist

Dear Maintainer,

I have /home in a different partition from root /, and pbuilder-dist installs files under the /home/user/pbuilder/ folder, causing the following error when trying to build a package:

ln: failed to create hard link '/home/koike/pbuilder/aptcache/debian/libxdamage1_1%3a1.1.4-3_amd64.deb' => '/var/cache/pbuilder/build/16417/var/cache/apt/archives/libxdamage1_1%3a1.1.4-3_amd64.deb': Invalid cross-device link

This happens because it is trying to create a hardlink between two different partitions.

My current partitions/mounting points:
/dev/mapper/floko--vg-root  /
/dev/mapper/floko--vg-home  /home

How to reproduce:

mkdir tmp && cd tmp
apt source ibus-chewing debhelper
pbuilder-dist buster amd64 create
pbuilder-dist buster amd64 build ibus-chewing_1.5.1-3.dsc

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ubuntu-dev-tools depends on:
ii  binutils                   2.30-20
ii  dctrl-tools                2.24-2+b1
ii  devscripts                 2.18.3
ii  diffstat                   1.61-1+b1
ii  distro-info                0.18
ii  dpkg-dev                   1.19.0.5
ii  lsb-release                9.20170808
ii  perl                       5.26.2-5
ii  python                     2.7.15~rc1-1
ii  python-apt                 1.6.0
ii  python-debian              0.1.32
ii  python-distro-info         0.18
ii  python-httplib2            0.9.2+dfsg-1
ii  python-launchpadlib        1.10.6-1
ii  python-lazr.restfulclient  0.14.0-1
ii  python-ubuntutools         0.165
ii  sensible-utils             0.0.12
ii  sudo                       1.8.23-1

Versions of packages ubuntu-dev-tools recommends:
ii  bzr                     2.7.0+bzr6622-11
ii  bzr-builddeb            2.8.10
ii  ca-certificates         20170717
ii  debian-archive-keyring  2017.7
ii  debian-keyring          2018.03.24
ii  debootstrap             1.0.102
ii  dput                    1.0.2
ii  genisoimage             9:1.1.11-3+b2
ii  libwww-perl             6.33-1
ii  lintian                 2.5.88
ii  patch                   2.7.6-2
ii  pbuilder                0.229.3
ii  python-dns              2.3.6-4
ii  python-soappy           0.12.22-1
ii  quilt                   0.65-1
ii  reportbug               7.1.10

Versions of packages ubuntu-dev-tools suggests:
ii  python             2.7.15~rc1-1
ii  python-simplejson  3.15.0-1+b1
ii  qemu-user-static   1:2.12+dfsg-1+b1

-- no debconf information
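The automatic detection asked for in the follow-up to this report, written out as an added Python example (not pbuilder's or ubuntu-dev-tools' own code): attempt the hard link first, and only when the kernel refuses it with EXDEV (the "Invalid cross-device link" error quoted above) fall back to copying the file. The `link` parameter exists only so the cross-device case can be exercised inside one temporary directory; `fake_exdev_link` is a constructed stand-in for `os.link` on a second partition, and the file contents and names are constructed placeholders.

```python
import errno
import os
import shutil
import tempfile


def same_device(path_a: str, path_b: str) -> bool:
    """True when both paths live on the same filesystem (st_dev matches),
    which is the precondition for a hard link to succeed."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def link_or_copy(src: str, dst: str, link=os.link) -> str:
    """Hard-link src to dst; if the kernel refuses with EXDEV (different
    partitions) copy instead. Returns "link" or "copy" so callers can log
    which one happened. Any other error is re-raised unchanged."""
    try:
        link(src, dst)
        return "link"
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise
        shutil.copy2(src, dst)
        return "copy"


def fake_exdev_link(src: str, dst: str) -> None:
    """Constructed stand-in for os.link that behaves as if src and dst were
    on different partitions, so the fallback can be exercised in one tmpdir."""
    raise OSError(errno.EXDEV, os.strerror(errno.EXDEV), src, dst)


def demo() -> dict:
    """Run both paths inside a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for an apt cache entry (not a real .deb).
        src = os.path.join(tmp, "aptcache", "libxdamage1_1%3a1.1.4-3_amd64.deb")
        os.makedirs(os.path.dirname(src))
        with open(src, "wb") as fh:
            fh.write(b"constructed .deb placeholder\n")

        dst_same = os.path.join(tmp, "archives", "same.deb")
        dst_cross = os.path.join(tmp, "archives", "cross.deb")
        os.makedirs(os.path.dirname(dst_same))

        how_same = link_or_copy(src, dst_same)                      # real os.link
        how_cross = link_or_copy(src, dst_cross, link=fake_exdev_link)  # simulated EXDEV

        with open(src, "rb") as a, open(dst_cross, "rb") as b:
            content_equal = a.read() == b.read()

        return {
            "same_device": same_device(os.path.dirname(src), os.path.dirname(dst_same)),
            "same_mode": how_same,
            "cross_mode": how_cross,
            "same_inode": os.stat(src).st_ino == os.stat(dst_same).st_ino,
            "cross_inode": os.stat(src).st_ino == os.stat(dst_cross).st_ino,
            "content_equal": content_equal,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a single partition the link succeeds and both names share one inode; when the simulated second partition rejects the link, the copy path produces a separate inode with identical contents, which is the behaviour the `APTCACHEHARDLINK=no` workaround forces unconditionally.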
Bug#900505: segfault at 21c1, error 4 in tmux[559568e28000+84000]
Package: tmux
Version: 2.7-1+b1
Severity: normal

Dear Maintainer,

I got this error:

tmux: server[2747]: segfault at 21c1 ip 559568e52a5a sp 7ffefc121c68 error 4 in tmux[559568e28000+84000]

I'm not entirely sure how to reproduce it; I am filing this report in case anyone else has the same issue. I'll add more information if I manage to reproduce it.

I was using tmux with several panes and with fish shell. I had just copied something to one of the panels and tmux crashed.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tmux depends on:
ii  libc6           2.27-3
ii  libevent-2.1-6  2.1.8-stable-4
ii  libtinfo6       6.1+20180210-4
ii  libutempter0    1.1.6-3

tmux recommends no packages.

tmux suggests no packages.

-- no debconf information
Bug#899155: vmdebootstrap: command failed: umount /tmp/tmp... | ERROR: /tmp/tmp.../etc/machine-id: Device or resource busy
Package: vmdebootstrap
Version: 1.11-1
Severity: important

Dear Maintainer,

I am trying to run vmdebootstrap, but I am getting the error below:

-
$ sudo vmdebootstrap --verbose --image=${IMG} --size=5g --distribution=sid --grub --enable-dhcp --package=openssh-server --owner=$USER
Creating disk image
Creating partitions
Creating filesystem ext4
Mounting /dev/mapper/loop1p1 on /tmp/tmpyf1aME
Debootstrapping sid [amd64]
Give root an empty password
Removing udev persistent cd and net rules
Enabling systemd-networkd for DHCP
Enabling systemctl-resolved for DNS
Updating the initramfs
Configuring grub2
Optimizing image for compression
Umounting /tmp/tmpyf1aME
EEEK! Something bad happened...
command failed: ['umount', '/tmp/tmpyf1aME']
umount: /tmp/tmpyf1aME: target is busy.
Cleaning up
ERROR: /tmp/tmpyf1aME/etc/machine-id: Device or resource busy
-

Also the version the package reports seems to diverge from the version reported by the binary:

# /usr/sbin/vmdebootstrap --version
1.6

$ dpkg -s vmdebootstrap
Package: vmdebootstrap
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 353
Maintainer: Lars Wirzenius
Architecture: amd64
Version: 1.11-1
...

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.16.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages vmdebootstrap depends on:
ii debootstrap 1.0.99
ii kpartx 0.7.4-3
ii libjs-sphinxdoc 1.7.4-1
ii parted 3.2-21+b1
ii python 2.7.15~rc1-1
ii python-cliapp 1.20170827-1
ii python-distro-info 0.18
ii python2.7 2.7.15-1
ii qemu-utils 1:2.12+dfsg-1+b1

Versions of packages vmdebootstrap recommends:
ii dosfstools 4.1-2
ii extlinux 3:6.03+dfsg1-2
ii grub2-common 2.02+dfsg1-4
ii python-guestfs 1:1.38.1-1
ii qemu-system 1:2.12+dfsg-1+b1
ii qemu-user-static 1:2.12+dfsg-1+b1
ii squashfs-tools 1:4.3-6

Versions of packages vmdebootstrap suggests:
pn cmdtest
pn mbr
ii pandoc 2.2-1
pn u-boot

-- no debconf information
Bug#895575: lists.debian.org: Request for a new mailing list: debian-mulheres (debian-woman for Portuguese speakers)
Package: lists.debian.org
Severity: wishlist

Dear Maintainer,

Name:
- debian-mulheres

Rationale:
- The following women present at the MiniDebConf at Curitiba, Brazil:
  * Helen Koike
  * Foz
  * Renata (rsip22)
  * Ana Mendes
  would like to create a version of the debian women list for Portuguese speakers to promote diversity in Debian (mainly in Brazil) and to remove a possible language barrier for newcomers.
  FYI: Mulheres means women in Portuguese

Short description:
- Debian women for Portuguese speakers

Long description:
- Debian users and developers who wish to involve more women, trans, non-binary and gender non-conforming people in the Debian project. For discussion and sharing of ideas as well as project collaboration in Portuguese.

Category
Miscellaneous Debian

Subscription Policy
--- Open

Post Policy
--- Open

Web Archive
--- Yes

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.15.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug#881747: gnome-session-canberra: Failed to play sound: Invalid state
Package: gnome-session-canberra
Version: 0.30-4
Severity: normal
Tags: l10n

Dear Maintainer,

When I execute the following, I get this error:

$ canberra-gtk-play --file=/usr/share/sounds/gnome/default/alerts/bark.ogg
Failed to play sound: Invalid state

In strace I can see the errors:
...
open("/usr/share/locale/en_US/LC_MESSAGES/pulseaudio.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/pulseaudio.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
...
connect(15, {sa_family=AF_UNIX, sun_path="/run/user/1000/pulse/native"}, 110) = 0
sendto(13, "W", 1, MSG_NOSIGNAL, NULL, 0) = -1 ENOTSOCK (Socket operation on non-socket)
...

I installed pulseaudio but it seems it doesn't provide the en_US pulseaudio.mo file.

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnome-session-canberra depends on:
ii libc6 2.24-17
ii libcanberra-gtk0 0.30-4
ii libcanberra-gtk3-0 0.30-4
ii libcanberra0 0.30-4
ii libglib2.0-0 2.54.2-1
ii libgtk-3-0 3.22.26-1

gnome-session-canberra recommends no packages.
gnome-session-canberra suggests no packages.

-- no debconf information
Bug#820129: This is not a bug, but a feature
On 2017-01-31 03:40 PM, Linn Crosetto wrote:
> On Thu, Dec 08, 2016 at 04:44:18PM +0100, Andreas Heinlein wrote:
>> I do not think this should be done, it would make it difficult if not impossible to boot custom kernels. For your own use, you could always build your own signed kernel and add the signing key to the UEFI firmware, or turn off SecureBoot altogether. However, for authors of Debian-based live systems like I am (www.discreete-linux.org), we need a way that will boot the live system on as many computers and platforms as possible without user interaction, including those users who regularly use only Windows, and including platforms like Intel-based tablets/detachables which often do not allow turning off SecureBoot. Our live system requires a special kernel to work, it cannot work with any generic kernel/initrd signed by Debian. UEFI/SecureBoot specs do not require keeping the chain of signatures through to the kernel/initrd, it is optional. There should at least be a choice by providing two packages, one which allows booting unsigned kernels and one which doesn't. Or we can find a way for projects to get their kernels and/or own grub signed by Debian.
>
> If secure boot is enabled then no untrusted system should be allowed to run. If you need to run a custom kernel when Secure Boot is enabled that doesn't require user interaction, then you can make your system trustworthy by getting your own shim signed with your own embedded certificate that will allow booting any custom grub2; then it doesn't need to be signed by Debian, which makes sense to me as custom images are not officially part of Debian, thus not officially trusted by the Debian community. I don't think we should have two types of packages to allow booting unsigned and signed kernels. Without verifying the kernel, the additional security features in the kernel become largely useless and we lose much of the value that a root of trust can provide.
>
> Note that this patch only affects systems with UEFI Secure Boot enabled. To allow boot without user interaction on a system with Secure Boot enabled, you could build shim with your key and get it signed.

ack
Bug#821051: [PATCH] dak: byhand-code sign with dsigning-box
Hi,

Sorry for the delay in sending this.

I prepared a simple package named dsigning-box that should be installed on the same machine that has access to the tokens:
https://github.com/helen-fornazier/dsigning-box

For now it only contains a script to sign efi images and kernel modules from a tarball; it is almost the same script as in the previous patch (byhand-code-sign-user), I just changed where it gets the tarball and where it places the signatures (which can be changed by a configuration file).

As before, I tested with and without a yubikey using this script:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

Please review.

I also made dak patches to integrate with dsigning-box on a remote machine:
https://github.com/helen-fornazier/dak/commits/review

These patches add a script called byhand-code-sign which will send (rsync) the tarball with the images to be signed to the machine that has dsigning-box installed. This script executes a command by ssh in dsigning-box to sign the images.

As we don't have a dedicated machine yet to install dsigning-box, the signatures will be copied to another machine (coccia.debian.org?) that can be changed in the configuration file (this is temporary as the signatures should stay in the signing box).

Please review all this and let me know if I should alter anything. Let me know if you prefer that I send email patches to be easier to review.

Helen
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On 2016-12-12 07:35 PM, Joerg Jaspert wrote:
On 14519 March 1977, Ben Hutchings wrote:

We offer the archives, including security, by rsync too. And that should stay. Mirrors of security do exist, for good reasons.[1]

Why does it need to be in the archive?
[...]
I don't know of any other way of getting files back out of dak. So my first thought it will be.

Some random structure on some random place. Possibly an apache run by DSA or so, but nothing relying on our mirrors.

Should we request the DSA team to set this up then? What is the next step?

As "getting files back out of dak" is simple. dak writes files where we tell it to, see for example our changelog/metadata exports, buildd queues, etc which don't live on the usual mirror network.
Bug#821051: Secure-boot - auto publishing signature in Dak (closes #821051) - Overview
Hi,

Could someone please take a look at the patch series https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821051#200 ?

With those patches, Dak will be able to sign efi images and linux modules through a Yubikey and publish the signatures, allowing grub2-signed, linux-signed and fwupdate-signed to be built.

In short, the maintainer of the main package uploads a ${package}-code-sign_${version}_${arch}.tar.xz containing a changelog file and all the binaries to be signed, and Dak will publish a $ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64)_${arch}.tar.xz containing all the detached signatures through a byhand script.

Thanks
Helen

Below is an overview of the issues discussed so far:

NOTE: quotes below are from Ben Hutchings

* The first version was bypassing embargoed packages, but the proposed solution was:
"1. Directory listing is disabled for the directory containing signature tarballs.
2. In main source package, debian/rules adds debian/changelog to the code-sign tarball.
3. Byhand script generates the signature tarball name thus: OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog").tar.xz"
4. In signed source package, preparation script takes main source package's changelog as input."

* binNMU concerns:
"I suppose binNMUs are not such a problem, they just add some complication - the preparation script will have to fetch an arbitrary binary package to get the text of the added changelog entry."

* Avoid the delay between publishing the main package and the *-signed version: maintainers of both packages will need to coordinate their uploads; the main process would be something like:
"1. Maintainer uploads main source package
2. Security team accepts it into the embargoed queue
3. Buildds upload unsigned binary packages
4. Security team accepts these into the embargoed queue. By-hand script generates and immediately publishes signatures.
5. Maintainer downloads signatures and prepares signed source package
6. Maintainer uploads signed source package
7. Security team accepts it into the embargoed queue
8. Buildds upload signed binary packages
9. Security team accepts these into the embargoed queue
10. Security team publishes both sets of source and binary packages"
Bug#821051: [PATCH v5 0/3] Add byhand script to perform code signing for secure boot
Publish the signature of packages automatically when the package is processed, based on a previous package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the efi images and/or linux modules, and a changelog file. When processing the package from the queue, the byhand-code-sign script is called; it reads this .tar.xz package, signs all the efi images or modules inside it and publishes a tarball with all the signatures at
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz

These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed, grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: The maintainers of the main package and the -signed package will have to coordinate their uploads to reduce the propagation delay of a security fix to be incorporated in the -signed package.

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

Check each commit message for more information on testing.

Patches are also available here:
https://github.com/helen-fornazier/dak/tree/review

Changes since v4:
Append _$ARCH at the end of the tar.xz file
Remove extra new line

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign index 40afdc6..86abd6e 100755 --- a/scripts/debian/byhand-code-sign +++ b/scripts/debian/byhand-code-sign 
@@ -53,9 +53,8 @@ if [ ! -f "$IN_DIR/changelog" ]; then error "Can't find changelog file in $IN_TARBALL" fi - TARGET="$ftpdir/dists/$suitedir/main/code-sign" -OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz" +OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz" # Check that this source/arch/version hasn't already been signed if [ -e "$OUT_TARBALL" ]; then Helen Koike (3): byhand-code-sign-user: signing script for efi images and linux modules byhand-code-sign: intermediate script for code sign dak.conf: add packages that trigger byhand-code-sign config/debian-security/byhand-code-sign.conf | 43 +++ config/debian-security/dak.conf | 24 +++ config/debian/byhand-code-sign.conf | 43 +++ config/debian/dak.conf | 21 ++ scripts/debian/byhand-code-sign | 67 + scripts/debian/byhand-code-sign-user | 103 +++ 6 files changed, 301 insertions(+) create mode 100644 config/debian-security/byhand-code-sign.conf create mode 100644 config/debian/byhand-code-sign.conf create mode 100755 scripts/debian/byhand-code-sign create mode 100755 scripts/debian/byhand-code-sign-user -- 2.7.4
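Review bot: `sha256sum "$IN_DIR/changelog" | head -c 64` depends on sha256sum printing the digest as the first 64 bytes of its output; `sha256sum "$IN_DIR/changelog" | cut -d' ' -f1` states the intent and survives any change in output format. The name is now unique per (changelog, arch) but still not per upload: a re-upload of the same version with a corrected binary and an unchanged changelog hashes to the same `$OUT_TARBALL` and is refused by the `if [ -e "$OUT_TARBALL" ]` check that follows, so either document that the stale tarball has to be removed by hand in that case or fold the input tarball's own digest into the name.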
Bug#821051: [PATCH v5 2/3] byhand-code-sign: intermediate script for code sign
This script is meant to be called by the AutomaticByHandPackages mechanism. It will receive a .tar.xz file with efi images and/or linux modules, call byhand-code-sign-user as the codesign user to generate another .tar.xz with detached signatures, and publish it in $ftpdir/dists/$suitedir/main/code-sign/

Contributions: Ben Hutchings
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

Changes since v4:
Append _$ARCH at the end of the tar.xz file
Remove extra new line
---
scripts/debian/byhand-code-sign | 67 +
1 file changed, 67 insertions(+)
create mode 100755 scripts/debian/byhand-code-sign

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign new file mode 100755 index 000..86abd6e --- /dev/null +++ b/scripts/debian/byhand-code-sign 
@@ -0,0 +1,67 @@ +#!/bin/bash + +set -u +set -e +set -o pipefail + +if [ $# -lt 5 ]; then + echo "Usage: $0 filename version arch changes_file suite" + exit 1 +fi + +IN_TARBALL="$1"# Tarball to read, compressed with xz +VERSION="$2" +ARCH="$3" +CHANGES="$4" # Changes file for the upload +SUITE="$5" + +error() { + echo >&2 "E: $*" + exit 1 +} + +# Read dak configuration for security or main archive. +# Also determine subdirectory for the suite. +case "$0" in +/srv/security-master.debian.org/*) + configdir="/srv/security-master.debian.org/dak/config/debian-security" + suitedir="$SUITE/updates" + ;; +/srv/ftp-master.debian.org/*) + configdir="/srv/ftp-master.debian.org/dak/config/debian" + suitedir="$SUITE" + ;; +*) + error "$0: Can't tell if security or not" + ;; +esac +. "$configdir/vars" + +# cleanup the temporary directories on EXIT +IN_DIR= +cleanup() { + test -z "$IN_DIR" || rm -rf "$IN_DIR" +} +trap cleanup EXIT + +# Extract the data from stdin into the input directory +IN_DIR="$(mktemp -td byhand-code-sign-in.XX)" +tar xaf "$IN_TARBALL" --directory="$IN_DIR" + +# Check if tarball contain the changelog file +if [ ! -f "$IN_DIR/changelog" ]; then + error "Can't find changelog file in $IN_TARBALL" +fi + +TARGET="$ftpdir/dists/$suitedir/main/code-sign" +OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64)_$ARCH.tar.xz" + +# Check that this source/arch/version hasn't already been signed +if [ -e "$OUT_TARBALL" ]; then + error "Signature tarball already exists: $OUT_TARBALL" +fi + +mkdir -p "${OUT_TARBALL%/*}" + +sudo -u codesign "${0%/*}/byhand-code-sign-user" "$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL" +echo "I: Created $OUT_TARBALL" -- 2.7.4
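Review bot: the output file is created by the shell redirection in `sudo -u codesign "${0%/*}/byhand-code-sign-user" ... > "$OUT_TARBALL"` before the signer has produced a byte, so when byhand-code-sign-user fails (wrong PIN, token absent, or any `set -e` trip inside it) a zero-length or truncated tarball is left at the final name, and every retry of the same upload then dies at `error "Signature tarball already exists: $OUT_TARBALL"`. Write to a temporary file under `$TARGET` (`mktemp -p "$TARGET"`), `mv` it onto `$OUT_TARBALL` only after sudo returns 0, and remove it in `cleanup` otherwise. Minor: `VERSION` and `CHANGES` are parsed from the arguments but never used, and the template in `mktemp -td byhand-code-sign-in.XX` has fewer X's than GNU mktemp accepts (likely truncated in this copy; the real script needs at least XXX).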
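The flow described in the cover letter and implemented by byhand-code-sign / byhand-code-sign-user above, as an added example that is not part of the patch series or of dak: a Python model that takes a *-code-sign tarball (changelog plus .efi images and .ko modules), emits a tarball of detached signatures under the same relative paths, names it after the SHA-256 of the changelog plus the architecture, refuses to overwrite an existing signature tarball, and publishes it atomically so a failed signing run never leaves a partial file at the final name. The keyed-hash stand-in for pesign/sign-file, the `.sig` suffix, the traversal check on member names, and the sample tarball contents are assumptions of this example, not something the page specifies.

```python
# Added example (not dak's code): offline model of the byhand-code-sign flow; the
# signing primitive is a stand-in keyed hash replacing pesign / sign-file (assumption).
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

SIGNING_KEY = b"example-key-not-a-real-secure-boot-key"   # constructed stand-in

def sign_blob(kind, data):
    """Stand-in for pesign (kind 'efi') or sign-file (kind 'module')."""
    return hmac.new(SIGNING_KEY, kind.encode() + b"\0" + data, hashlib.sha256).digest()

def classify(name):
    """Same rule as the case statement in byhand-code-sign-user."""
    base = name.rsplit("/", 1)[-1]
    if base.endswith(".efi") or base.startswith("vmlinuz-"):
        return "efi"
    return "module" if base.endswith(".ko") else None

def sign_tarball(in_tar_bytes):
    """Return (sha256 hex of changelog, xz tarball of detached signatures)."""
    changelog, out_buf = None, io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(in_tar_bytes), mode="r:xz") as tin, \
            tarfile.open(fileobj=out_buf, mode="w:xz") as tout:
        for m in tin.getmembers():
            if m.isdir():
                continue
            # Uploader-controlled archive: refuse anything that could escape IN_DIR
            if not m.isfile() or m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError("refusing suspicious member %r" % m.name)
            data = tin.extractfile(m).read()
            if m.name == "changelog":        # names the output, is not signed
                changelog = data
                continue
            kind = classify(m.name)
            if kind is None:
                raise ValueError("unsupported file %r" % m.name)
            sig = sign_blob(kind, data)
            info = tarfile.TarInfo(m.name + ".sig")   # detached sig, same relative path
            info.size = len(sig)
            tout.addfile(info, io.BytesIO(sig))
    if changelog is None:
        raise ValueError("Can't find changelog file in tarball")
    return hashlib.sha256(changelog).hexdigest(), out_buf.getvalue()

def publish(target_dir, arch, in_tar_bytes):
    """Write <sha256(changelog)>_<arch>.tar.xz into target_dir, atomically."""
    digest, sigs = sign_tarball(in_tar_bytes)
    out_path = os.path.join(target_dir, "%s_%s.tar.xz" % (digest, arch))
    if os.path.exists(out_path):
        raise FileExistsError("Signature tarball already exists: " + out_path)
    os.makedirs(target_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=target_dir, prefix=".code-sign.")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(sigs)
        os.rename(tmp, out_path)             # readers never see a partial tarball
    except BaseException:
        os.unlink(tmp)
        raise
    return out_path

def list_signatures(sigs_bytes):
    with tarfile.open(fileobj=io.BytesIO(sigs_bytes), mode="r:xz") as t:
        return t.getnames()

def build_input_tarball(files):
    """Constructed sample of what the maintainer uploads as *-code-sign.tar.xz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

SAMPLE = build_input_tarball({
    "changelog": b"linux (4.16.1-1) unstable; urgency=medium\n",
    "boot/vmlinuz-4.16.0-1-amd64": b"\x7fELF constructed kernel image",
    "lib/modules/4.16.0-1-amd64/kernel/foo.ko": b"\x7fELF constructed module",
})

def demo(arch="amd64"):
    """Run the flow in a scratch dir: (output name, duplicate rejected, traversal rejected)."""
    with tempfile.TemporaryDirectory() as d:
        path = publish(d, arch, SAMPLE)
        try:
            publish(d, arch, SAMPLE)
            dup = False
        except FileExistsError:
            dup = True
    try:
        sign_tarball(build_input_tarball({"changelog": b"x", "../evil.efi": b"y"}))
        trav = False
    except ValueError:
        trav = True
    return os.path.basename(path), dup, trav
```

`demo()` signs the sample twice into a scratch directory and returns the published file name, whether the second run was refused as a duplicate (the `-e` check in the script), and whether a member named `../evil.efi` was rejected before anything was written. The temp-file-plus-rename in `publish` is the behaviour the shell script gets only if it stops redirecting the signer's stdout straight into `$OUT_TARBALL`.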
Bug#821051: [PATCH v5 1/3] byhand-code-sign-user: signing script for efi images and linux modules
The byhand-code-sign-user script receives a .tar.xz file (that can contain efi images and linux modules) on stdin, signs them using keys as configured in the configuration file and generates a .tar.xz with all the signatures on stdout.

This script is meant to be called by another byhand script which will run it as a different user. stdin and stdout are used for passing the .tar.xz files as this script may not have permission to access the .tar.xz.

It can sign using a token such as a Yubikey or through a certificate database, depending on the configuration.

Contributions: Julien Cristau, Ben Hutchings
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

TESTS
-----
I tested byhand-code-sign-user using the script here:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

That covers with and without a Yubikey and creating a privkey with or without a password.

To execute it, create a test.tar.xz file with efi images and linux modules, install gnutls-bin, yubico-piv-tool, libnss3-tools and run
./dak-codesign-test.sh test.tar.xz

It should work with a Yubikey with default configuration (key and pin code), otherwise you will need to adjust those parameters in the script.

Changes from last version: None
---
config/debian-security/byhand-code-sign.conf | 43 +++
config/debian/byhand-code-sign.conf | 43 +++
scripts/debian/byhand-code-sign-user | 103 +++
3 files changed, 189 insertions(+)
create mode 100644 config/debian-security/byhand-code-sign.conf
create mode 100644 config/debian/byhand-code-sign.conf
create mode 100755 scripts/debian/byhand-code-sign-user

diff --git a/config/debian-security/byhand-code-sign.conf b/config/debian-security/byhand-code-sign.conf new file mode 100644 index 000..7818b8d --- /dev/null +++ b/config/debian-security/byhand-code-sign.conf 
@@ -0,0 +1,43 @@ +# Configuration for byhand-sign shell script + +# The directory of the certificate database created with certutil +# where the certificate and possibly the private key (if a token +# is not used) for signing efi images are stored +#EFI_CERT_DIR=/etc/dak/efi/certdir +EFI_CERT_DIR= + +# The name that identifies the certificate in the certificate +# database or in the token. +# Yubikey is usually "Certificate for Digital Signature" +# The label can be verified by executing: +# pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O +EFI_CERT_NAME="Certificate for Digital Signature" + +# The label of the token as shown in `p11tool --list-tokens` +# Set to "NSS Certificate DB" if the private key is in the certificate +# database and a token will not be used +#EFI_TOKEN_NAME="NSS Certificate DB" +EFI_TOKEN_NAME="PIV_II (PIV Card Holder pin)" + +# The token pin or the certificate database slot password (if a +# token is not used) for signing efi images. This is optional in +# case a token is not used and no slot password is set +#EFI_SIGN_PIN=123456 + +# The sign-file linux program to sign modules +#LINUX_SIGNFILE=/usr/lib/linux-kbuild-4.6/scripts/sign-file +LINUX_SIGNFILE= + +# The private key to use to sign the kernel modules or the token URI +# as shown by `p11tool --list-tokens` +#LINUX_MODULES_PRIVKEY=/etc/dak/efi/kernel-key.rsa +LINUX_MODULES_PRIVKEY="pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29" + +# The certificate to verify the kernel modules signature +#LINUX_MODULES_CERT=/etc/dat/efi/kernel-cert.pem +LINUX_MODULES_CERT= + +# The token pin or the certificate database slot password (if a +# token is not used) for signing kernel modules. This is optional in +# case no slot password is set +#LINUX_SIGN_PIN=123456 diff --git a/config/debian/byhand-code-sign.conf b/config/debian/byhand-code-sign.conf new file mode 100644 index 000..7818b8d --- /dev/null 
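Review bot: `EFI_SIGN_PIN` and `LINUX_SIGN_PIN` place the token PIN or the NSS slot password in this file as plain text, and the file is sourced by byhand-code-sign-user under `sudo -u codesign`; the commit message should state that the deployed copy must be owned by codesign with mode 0600, and that the committed `#EFI_SIGN_PIN=123456` / `#LINUX_SIGN_PIN=123456` lines are placeholders that must never be filled in under config/. Also the example path `/etc/dat/efi/kernel-cert.pem` for LINUX_MODULES_CERT looks like a typo for `/etc/dak/efi/`, the prefix used by the two example paths above it, and the header comment names a "byhand-sign shell script" while the consumer is byhand-code-sign-user.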
+++ b/config/debian/byhand-code-sign.conf @@ -0,0 +1,43 @@ +# Configuration for byhand-sign shell script + +# The directory of the certificate database created with certutil +# where the certificate and possibly the private key (if a token +# is not used) for signing efi images are stored +#EFI_CERT_DIR=/etc/dak/efi/certdir +EFI_CERT_DIR= + +# The name that identifies the certificate in the certificate +# database or in the token. +# Yubikey is usually "Certificate for Digital Signature" +# The label can be verified by executing: +# pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O +EFI_CERT_NAME="Certificate for Digital Signature" + +# The label of the token as shown in `p11tool --list-tokens` +# Set to "NSS Certificate DB" if the private key is in the certificate +# database and a token will not be used +#EFI_TOKEN_NAME="NSS Certificate DB" +EFI_TOKEN_NAME="PIV_II (PIV Card Holder pin)" + +# The token pin or
Bug#821051: [PATCH v5 3/3] dak.conf: add packages that trigger byhand-code-sign
Add linux, grub2 and fwupdate to publish their signatures by calling byhand-code-sign, as they are supposed to have a *-signed version.

Contributions: Ben Hutchings
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

To test it, after building the package (grub, linux or fwupdate) create a file called ${package}-code-sign_${version}_${arch}.tar.xz with the efi images or kernel modules to be signed.

After building the package, add the file to the changes file:
> changestool ${package}-code-sign_${version}_${arch}.changes addrawfile
> ${package}-code-sign_${version}_${arch}.tar.xz

Edit the .changes file to replace the double dashes by "byhand optional":
> sed -i -e "s/- - ${package}-code-sign_${version}_${arch}.tar.xz/byhand
> optional ${package}-code-sign_${version}_${arch}.tar.xz/g"
> ${package}-code-sign_${version}_${arch}.changes

Sign the .changes file:
> gpg --clearsign ${package}-code-sign_${version}_${arch}.changes
> mv ${package}-code-sign_${version}_${arch}.changes.asc
> ${package}-code-sign_${version}_${arch}.changes

Add it to the unchecked queue:
> cp -r ../* /srv/dak/queue/unchecked/

Process the package:
> dak process-upload -d /srv/dak/queue/unchecked
---
Changes since last version: None

config/debian-security/dak.conf | 24 
config/debian/dak.conf | 21 +
2 files changed, 45 insertions(+)

diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf index f342a55..dbf5395 100644 --- a/config/debian-security/dak.conf +++ b/config/debian-security/dak.conf 
@@ -127,6 +127,30 @@ SuiteMappings "reject oldoldstable"; }; +AutomaticByHandPackages +{ + "linux-code-sign" { +Source "linux"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "grub2-code-sign" { +Source "grub2"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "fwupdate-code-sign" { +Source "fwupdate"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; +}; + Dir { Base "/srv/security-master.debian.org/"; diff --git a/config/debian/dak.conf b/config/debian/dak.conf index 10322cc..6de05f2 100644 --- a/config/debian/dak.conf +++ b/config/debian/dak.conf @@ -185,6 +185,27 @@ AutomaticByHandPackages { Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di"; }; + "linux-code-sign" { +Source "linux"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "grub2-code-sign" { +Source "grub2"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "fwupdate-code-sign" { +Source "fwupdate"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + "tag-overrides" { Source "tag-overrides"; Section "byhand"; -- 2.7.4
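Review bot: the debian-security hunk introduces a brand-new top-level `AutomaticByHandPackages { ... }` block between `SuiteMappings` and `Dir`, whereas the debian hunk inserts the three entries into the block that already exists there beside `byhand-di` and `tag-overrides`. Check that config/debian-security/dak.conf does not already define AutomaticByHandPackages elsewhere in the file; if it does, these entries belong inside that block, not in a second one. The entries themselves are consistent across both archives: `Section "byhand"` plus `Extension "tar.xz"` matches the `${package}-code-sign_${version}_${arch}.tar.xz` file that the test procedure adds to the .changes with `byhand optional`.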
Bug#821051: [PATCH v4 1/3] byhand-code-sign-user: signing script for efi images and linux modules
The byhand-code-sign-user script receives a .tar.xz file (that can contain efi images and linux modules) on stdin, signs them using keys as configured in the configuration file and generates a .tar.xz with all the signatures on stdout.

This script is meant to be called by another byhand script which will run it as a different user. stdin and stdout are used for passing the .tar.xz files as this script may not have permission to access the .tar.xz.

It can sign using a token such as a Yubikey or through a certificate database, depending on the configuration.

Contributions: Julien Cristau, Ben Hutchings
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master
Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

TESTS
-----
I tested byhand-code-sign-user using the script here:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

That covers with and without a Yubikey and creating a privkey with or without a password.

To execute it, create a test.tar.xz file with efi images and linux modules, install gnutls-bin, yubico-piv-tool, libnss3-tools and run
./dak-codesign-test.sh test.tar.xz

It should work with a Yubikey with default configuration (key and pin code), otherwise you will need to adjust those parameters in the script.

Changes from last version:
Skip the changelog file

/scripts/debian/byhand-code-sign-user 
@@ -52,6 +52,10 @@ tar xJ --directory="$in_dir" <&0 out_dir="$(mktemp -td byhand-code-sign-out.XX)" while read filename; do + # Skip changelog + if [ "$filename" == changelog ]; then + continue + fi mkdir -p "$out_dir/${filename%/*}" case "${filename##*/}" in *.efi | vmlinuz-*) --- config/debian-security/byhand-code-sign.conf | 43 +++ config/debian/byhand-code-sign.conf | 43 +++ scripts/debian/byhand-code-sign-user | 103 +++ 3 files changed, 189 insertions(+) create mode 100644 config/debian-security/byhand-code-sign.conf create mode 100644 config/debian/byhand-code-sign.conf create mode 100755 scripts/debian/byhand-code-sign-user diff --git a/config/debian-security/byhand-code-sign.conf b/config/debian-security/byhand-code-sign.conf new file mode 100644 index 000..7818b8d --- /dev/null +++ b/config/debian-security/byhand-code-sign.conf 
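Review bot: the loop header `while read filename; do` that this hunk extends should be `while IFS= read -r filename; do`: without `-r` a backslash in a member name is consumed and leading whitespace is stripped, so `mkdir -p "$out_dir/${filename%/*}"` and the signing step can act on a path that differs from what tar actually wrote. The added `[ "$filename" == changelog ]` works under bash, but `==` inside `[` is a bashism; `=` is the portable spelling and matches the rest of the script's tests.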
@@ -0,0 +1,43 @@ +# Configuration for byhand-sign shell script + +# The directory of the certificate database created with certutil +# where the certificate and possibly the private key (if a token +# is not used) for signing efi images are stored +#EFI_CERT_DIR=/etc/dak/efi/certdir +EFI_CERT_DIR= + +# The name that identifies the certificate in the certificate +# database or in the token. +# Yubikey is usually "Certificate for Digital Signature" +# The label can be verified by executing: +# pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O +EFI_CERT_NAME="Certificate for Digital Signature" + +# The label of the token as shown in `p11tool --list-tokens` +# Set to "NSS Certificate DB" if the private key is in the certificate +# database and a token will not be used +#EFI_TOKEN_NAME="NSS Certificate DB" +EFI_TOKEN_NAME="PIV_II (PIV Card Holder pin)" + +# The token pin or the certificate database slot password (if a +# token is not used) for signing efi images. This is optional in +# case a token is not used and no slot password is set +#EFI_SIGN_PIN=123456 + +# The sign-file linux program to sign modules +#LINUX_SIGNFILE=/usr/lib/linux-kbuild-4.6/scripts/sign-file +LINUX_SIGNFILE= + +# The private key to use to sign the kernel modules or the token URI +# as shown by `p11tool --list-tokens` +#LINUX_MODULES_PRIVKEY=/etc/dak/efi/kernel-key.rsa +LINUX_MODULES_PRIVKEY="pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29" + +# The certificate to verify the kernel modules signature +#LINUX_MODULES_CERT=/etc/dat/efi/kernel-cert.pem +LINUX_MODULES_CERT= + +# The token pin or the certificate database slot password (if a +# token is not used) for signing kernel modules. This is optional in +# case no slot password is set +#LINUX_SIGN_PIN=123456 diff --git a/config/debian/byhand-code-sign.conf b/config/debian/byhand-code-sign.conf new file mode 100644 index 000..7818b8d --- /dev/null 
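Review bot: the committed defaults are half token-based and half file-based: `EFI_TOKEN_NAME` and `LINUX_MODULES_PRIVKEY` are set to the YubiKey PIV values while `EFI_CERT_DIR`, `LINUX_SIGNFILE` and `LINUX_MODULES_CERT` are empty, so as shipped the file is a working configuration for neither mode. Ship empty placeholders with both variants commented out, and say in the header which variables must be set together for the token path and for the NSS-database path. The PKCS#11 URI also leaves `serial=` empty; pinning it to the production token's serial avoids picking a different PIV device if more than one is ever attached to the signing host.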
+++ b/config/debian/byhand-code-sign.conf @@ -0,0 +1,43 @@ +# Configuration for byhand-sign shell script + +# The directory of the certificate database created with certutil +# where the certificate and possibly the private key (if a token +# is not used) for signing efi images are stored +#EFI_CERT_DIR=/etc/dak/efi/certdir +EFI_CERT_DIR= + +# The name that identifies the certificate in the certificate +# database or in the token. +# Yubikey is usually "Certificate for Digital Signature" +# The label can be verified by executing:
Bug#821051: [PATCH v4 0/3] Add byhand script to perform code signing for secure boot
Publish the signature of packages automatically when the package is processed, based on a previous package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the efi images and/or linux modules, and a changelog file. When processing the package from the queue, the byhand-code-sign script is called; it reads this .tar.xz package, signs all the efi images or modules inside it and publishes a tarball with all the signatures at
$ftpdir/dists/$suitedir/main/code-sign/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz

These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed, grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: this causes a delay between publishing embargoed updates and publishing *-signed packages, which can be a problem since we avoid leaking the existence of a security flaw before its fix has been released. The proposed solution for this is to make dak publish the *-signed packages automatically. Since we already have this problem anyway, we can add this patch to dak and add the mechanism to automatically publish the *-signed packages later, on an incremental basis, as we advance in constructing the *-signed source packages.

Script used for testing byhand-code-sign-user:
https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

Check each commit message for more information on testing.

Patches are also available here:
https://github.com/helen-fornazier/dak/tree/review

Changes since v3:
Use hash of changelog file to generate the output tarball name with the signatures

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign index f3eceab..40afdc6 100755 --- a/scripts/debian/byhand-code-sign +++ b/scripts/debian/byhand-code-sign 
@@ -37,9 +37,25 @@ case "$0" in esac . "$configdir/vars" -TARGET="$ftpdir/dists/$suitedir/main/code-sign/" -OUT_TARBALL="$TARGET/${IN_TARBALL##*/}" -OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz" +# cleanup the temporary directories on EXIT +IN_DIR= +cleanup() { + test -z "$IN_DIR" || rm -rf "$IN_DIR" +} +trap cleanup EXIT + +# Extract the data from stdin into the input directory +IN_DIR="$(mktemp -td byhand-code-sign-in.XX)" +tar xaf "$IN_TARBALL" --directory="$IN_DIR" + +# Check if tarball contain the changelog file +if [ ! -f "$IN_DIR/changelog" ]; then + error "Can't find changelog file in $IN_TARBALL" +fi + + +TARGET="$ftpdir/dists/$suitedir/main/code-sign" +OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz" # Check that this source/arch/version hasn't already been signed if [ -e "$OUT_TARBALL" ]; then diff --git a/scripts/debian/byhand-code-sign-user b/scripts/debian/byhand-code-sign-user index 91520d6..3477d6c 100755 --- a/scripts/debian/byhand-code-sign-user +++ b/scripts/debian/byhand-code-sign-user 
@@ -52,6 +52,10 @@ tar xJ --directory="$in_dir" <&0 out_dir="$(mktemp -td byhand-code-sign-out.XX)" while read filename; do + # Skip changelog + if [ "$filename" == changelog ]; then + continue + fi mkdir -p "$out_dir/${filename%/*}" case "${filename##*/}" in *.efi | vmlinuz-*) Helen Koike (3): byhand-code-sign-user: signing script for efi images and linux modules byhand-code-sign: intermediate script for code sign dak.conf: add packages that trigger byhand-code-sign config/debian-security/byhand-code-sign.conf | 43 +++ config/debian-security/dak.conf | 24 +++ config/debian/byhand-code-sign.conf | 43 +++ config/debian/dak.conf | 21 ++ scripts/debian/byhand-code-sign | 68 ++ scripts/debian/byhand-code-sign-user | 103 +++ 6 files changed, 302 insertions(+) create mode 100644 config/debian-security/byhand-code-sign.conf create mode 100644 config/debian/byhand-code-sign.conf create mode 100755 scripts/debian/byhand-code-sign create mode 100755 scripts/debian/byhand-code-sign-user -- 2.7.4
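Review bot: in the byhand-code-sign hunk the new OUT_TARBALL name is derived only from `sha256sum "$IN_DIR/changelog"`, so if the per-architecture tarballs of one source version ship the same debian/changelog (the usual case), every architecture maps to the same <sha256>.tar.xz and the second upload dies on the 'Signature tarball already exists' check; include "$ARCH" in the name or hash something that differs per architecture, and update the now stale comment 'Check that this source/arch/version hasn't already been signed'. Two smaller points in the same hunk: the comment 'Extract the data from stdin into the input directory' is wrong, the data comes from "$IN_TARBALL"; and `mktemp -td byhand-code-sign-in.XX` as rendered has only two X's, which GNU mktemp rejects with 'too few X's in template', so please check the mail has not shortened the template.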
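Review bot: the changelog skip in byhand-code-sign-user is written as `[ "$filename" == changelog ]`; `==` inside single brackets is a bashism, `[ "$filename" = changelog ]` is the portable spelling. More importantly, the file that the output name is hashed from is simply dropped here, so whoever fetches the published <sha256>.tar.xz cannot confirm which changelog it was produced from; consider copying changelog into "$out_dir" alongside the .sig files so the *-signed package build can recompute the hash and detect a mismatch.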
Bug#821051: [PATCH v4 2/3] byhand-code-sign: intermediate script for code sign
This script is meant to be called by the AutomaticByHandPackages mechanism; it will receive a .tar.xz file with efi images and/or linux modules, call byhand-code-sign-user as the codesign user to generate another .tar.xz with detached signatures and publish it in $ftpdir/dists/$suitedir/main/code-sign/

Contributions: Ben Hutchings
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

Changes since last version:
- Check if file changelog is present in the IN_TARBALL
- Generate the OUT_TARBALL using the sha256sum of the changelog

/scripts/debian/byhand-code-sign @@ -37,9 +37,25 @@ case "$0" in esac . "$configdir/vars" -TARGET="$ftpdir/dists/$suitedir/main/code-sign/" -OUT_TARBALL="$TARGET/${IN_TARBALL##*/}" -OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz" +# cleanup the temporary directories on EXIT +IN_DIR= +cleanup() { + test -z "$IN_DIR" || rm -rf "$IN_DIR" +} +trap cleanup EXIT + +# Extract the data from stdin into the input directory +IN_DIR="$(mktemp -td byhand-code-sign-in.XX)" +tar xaf "$IN_TARBALL" --directory="$IN_DIR" + +# Check if tarball contain the changelog file +if [ ! -f "$IN_DIR/changelog" ]; then + error "Can't find changelog file in $IN_TARBALL" +fi + + +TARGET="$ftpdir/dists/$suitedir/main/code-sign" +OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz" # Check that this source/arch/version hasn't already been signed if [ -e "$OUT_TARBALL" ]; then --- scripts/debian/byhand-code-sign | 68 + 1 file changed, 68 insertions(+) create mode 100755 scripts/debian/byhand-code-sign diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign new file mode 100755 index 000..40afdc6 --- /dev/null +++ b/scripts/debian/byhand-code-sign 
@@ -0,0 +1,68 @@ +#!/bin/bash + +set -u +set -e +set -o pipefail + +if [ $# -lt 5 ]; then + echo "Usage: $0 filename version arch changes_file suite" + exit 1 +fi + +IN_TARBALL="$1"# Tarball to read, compressed with xz +VERSION="$2" +ARCH="$3" +CHANGES="$4" # Changes file for the upload +SUITE="$5" + +error() { + echo >&2 "E: $*" + exit 1 +} + +# Read dak configuration for security or main archive. +# Also determine subdirectory for the suite. +case "$0" in +/srv/security-master.debian.org/*) + configdir="/srv/security-master.debian.org/dak/config/debian-security" + suitedir="$SUITE/updates" + ;; +/srv/ftp-master.debian.org/*) + configdir="/srv/ftp-master.debian.org/dak/config/debian" + suitedir="$SUITE" + ;; +*) + error "$0: Can't tell if security or not" + ;; +esac +. "$configdir/vars" + +# cleanup the temporary directories on EXIT +IN_DIR= +cleanup() { + test -z "$IN_DIR" || rm -rf "$IN_DIR" +} +trap cleanup EXIT + +# Extract the data from stdin into the input directory +IN_DIR="$(mktemp -td byhand-code-sign-in.XX)" +tar xaf "$IN_TARBALL" --directory="$IN_DIR" + +# Check if tarball contain the changelog file +if [ ! -f "$IN_DIR/changelog" ]; then + error "Can't find changelog file in $IN_TARBALL" +fi + + +TARGET="$ftpdir/dists/$suitedir/main/code-sign" +OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog" | head -c 64).tar.xz" + +# Check that this source/arch/version hasn't already been signed +if [ -e "$OUT_TARBALL" ]; then + error "Signature tarball already exists: $OUT_TARBALL" +fi + +mkdir -p "${OUT_TARBALL%/*}" + +sudo -u codesign "${0%/*}/byhand-code-sign-user" "$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL" +echo "I: Created $OUT_TARBALL" -- 2.7.4
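Review bot: the final `sudo -u codesign ... < "$IN_TARBALL" > "$OUT_TARBALL"` writes straight into the published location, so if byhand-code-sign-user fails part-way (wrong PIN, token not present) `set -e` aborts with a truncated or empty tarball already sitting under $ftpdir/dists/$suitedir/main/code-sign, and the next run of the same upload is then refused by the 'Signature tarball already exists' check. Redirect to a temporary file in "$TARGET" (or have cleanup remove "$OUT_TARBALL" on failure) and mv it into place only after sudo returns 0. Also, as rendered, `IN_TARBALL="$1"# Tarball to read, compressed with xz` has no whitespace before the `#`, so the `#` is part of the assigned word and `Tarball` would be run as a command; if that is not an artifact of the mail, it needs a space or tab like the CHANGES line. VERSION, ARCH and CHANGES are assigned and never used.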
Bug#821051: [PATCH v4 3/3] dak.conf: add packages that trigger byhand-code-sign
Add linux, grub2 and fwupdate to publish their signatures by calling byhand-code-sign, as they are supposed to have a *-signed version.

Contributions: Ben Hutchings
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

To test it, after building the package (grub, linux or fwupdate), create a file called ${package}-code-sign_${version}_${arch}.tar.xz with the efi images or kernel modules to be signed.

After building the package, add the file to the changes file:

> changestool ${package}-code-sign_${version}_${arch}.changes addrawfile ${package}-code-sign_${version}_${arch}.tar.xz

Edit the .changes file to replace the double dashes by "byhand optional":

> sed -i -e "s/- - ${package}-code-sign_${version}_${arch}.tar.xz/byhand optional ${package}-code-sign_${version}_${arch}.tar.xz/g" ${package}-code-sign_${version}_${arch}.changes

Sign the .changes file:

> gpg --clearsign ${package}-code-sign_${version}_${arch}.changes
> mv ${package}-code-sign_${version}_${arch}.changes.asc ${package}-code-sign_${version}_${arch}.changes

Add to the unchecked queue:

> cp -r ../* /srv/dak/queue/unchecked/

Process the package:

> dak process-upload -d /srv/dak/queue/unchecked

Changes since last version:
- No changes
---
config/debian-security/dak.conf | 24 config/debian/dak.conf | 21 + 2 files changed, 45 insertions(+) diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf index f342a55..dbf5395 100644 --- a/config/debian-security/dak.conf +++ b/config/debian-security/dak.conf 
@@ -127,6 +127,30 @@ SuiteMappings "reject oldoldstable"; }; +AutomaticByHandPackages +{ + "linux-code-sign" { +Source "linux"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "grub2-code-sign" { +Source "grub2"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "fwupdate-code-sign" { +Source "fwupdate"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; +}; + Dir { Base "/srv/security-master.debian.org/"; diff --git a/config/debian/dak.conf b/config/debian/dak.conf index 10322cc..6de05f2 100644 --- a/config/debian/dak.conf +++ b/config/debian/dak.conf @@ -185,6 +185,27 @@ AutomaticByHandPackages { Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di"; }; + "linux-code-sign" { +Source "linux"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "grub2-code-sign" { +Source "grub2"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "fwupdate-code-sign" { +Source "fwupdate"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + "tag-overrides" { Source "tag-overrides"; Section "byhand"; -- 2.7.4
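Review bot: the testing steps in the commit message say to create ${package}-code-sign_${version}_${arch}.tar.xz 'with the efi images or kernel modules to be signed' but never mention the top-level changelog member that byhand-code-sign now requires (it exits with 'Can't find changelog file in ...' otherwise), so a maintainer following these steps gets a rejected upload; add the changelog to the description of the tarball contents. In the debian-security hunk the three entries are wrapped in a brand-new top-level `+AutomaticByHandPackages +{ ... +};` block, whereas the ftp-master hunk extends an existing one; please confirm config/debian-security/dak.conf has no such block already, otherwise the keys end up split across two declarations.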
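The cover letter and the testing steps above describe what the uploaded *-code-sign tarball must contain and how dak names the published signatures. The following is an added example, not code from dak or from the patches in this thread: a maintainer-side pre-flight check that a ${package}-code-sign_${version}_${arch}.tar.xz will be accepted, computing the <sha256>.tar.xz name that byhand-code-sign v4 would publish it under. It goes slightly beyond the scripts by also refusing member names that would escape the extraction directory, which the scripts themselves do not check. The sample tarball contents are constructed for the demonstration (an uncompressed tar is used because byhand-code-sign extracts with `tar xaf`, which autodetects the compression); GNU tar, GNU find and coreutils are assumed.

```shell
#!/bin/sh
# Added example, not part of dak or of the patches in this thread: a maintainer-side
# pre-flight check for a ${package}-code-sign_${version}_${arch}.tar.xz before it is
# attached to the .changes file. It mirrors what the v4 scripts require:
#   * a top-level "changelog" member, whose SHA-256 names the published tarball
#     ($ftpdir/dists/$suitedir/main/code-sign/<sha256>.tar.xz)
#   * members that byhand-code-sign-user knows how to sign: *.efi, vmlinuz-*, *.ko
# and it additionally refuses member names that would escape the extraction dir.
# Requires GNU tar, GNU find and coreutils (sha256sum, mktemp).
set -u

# Print the basename byhand-code-sign would publish the signatures under.
# Returns 1 (and prints nothing on stdout) if the tarball would be rejected.
code_sign_output_name() {
    tarball=$1
    # Inspect the member list first so nothing is extracted from a bad archive.
    tar -tf "$tarball" | while IFS= read -r member; do
        case "$member" in
            /*|..|../*|*/..|*/../*)
                echo "E: unsafe member path: $member" >&2
                exit 1 ;;
        esac
    done || return 1
    workdir=$(mktemp -d) || return 1
    if ! tar -xf "$tarball" -C "$workdir"; then
        rm -rf "$workdir"
        return 1
    fi
    if [ ! -f "$workdir/changelog" ]; then
        echo "E: no top-level changelog in $tarball" >&2
        rm -rf "$workdir"
        return 1
    fi
    # Warn about files the signing loop would skip with "Not signing unrecognised file".
    find "$workdir" -type f -printf '%P\n' | while IFS= read -r f; do
        case "${f##*/}" in
            changelog|*.efi|vmlinuz-*|*.ko) ;;
            *) echo "W: $f would not be signed" >&2 ;;
        esac
    done
    name="$(sha256sum "$workdir/changelog" | head -c 64).tar.xz"
    rm -rf "$workdir"
    printf '%s\n' "$name"
}

# Build a constructed sample tarball for the demonstration (uncompressed tar;
# byhand-code-sign extracts with "tar xaf", which autodetects the compression).
# $1 = output path, $2 = yes/no: whether to include the changelog member.
make_sample_tarball() {
    out=$1
    with_changelog=$2
    src=$(mktemp -d)
    mkdir -p "$src/boot" "$src/lib/modules/demo"
    printf 'constructed EFI image placeholder' > "$src/boot/vmlinuz-demo"
    printf 'constructed kernel module placeholder' > "$src/lib/modules/demo/demo.ko"
    if [ "$with_changelog" = yes ]; then
        printf 'demo (1.0-1) unstable; urgency=medium\n' > "$src/changelog"
    fi
    tar -cf "$out" -C "$src" .
    rm -rf "$src"
}

# Stand-alone use: sh check-code-sign.sh demo-code-sign_1.0-1_amd64.tar.xz
if [ $# -gt 0 ]; then
    code_sign_output_name "$1"
fi
```

Run against a real tarball, the printed name is the file the *-signed package build will later have to fetch from dists/$suite/main/code-sign/, so the same function doubles as the lookup on the consuming side once the changelog is known.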
Bug#821051: [PATCH v3 2/3] byhand-code-sign: intermediate script for code sign
On 2016-11-20 09:24 AM, Ben Hutchings wrote:
> On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
> [...]
> > +TARGET="$ftpdir/dists/$suitedir/main/code-sign/"
> > +OUT_TARBALL="$TARGET/${IN_TARBALL##*/}"
> > +OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz"
> [...]
>
> This naming may have to change; see Ansgar's message at <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821051#90> and my reply below.
>
> Otherwise, I think this is fine.
>
> Ben.

I am not sure I understand the pointed message regarding naming, what should be a better naming here?

Helen
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
On 2016-11-20 09:27 AM, Ben Hutchings wrote:
> On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
> > Add linux, grub2 and fwupdate to publish their signatures by calling byhand-code-sign as they are supposed to have a *-signed version
> >
> > NOTE: this bypass embargoed updates. The proposed solution for this is by making dak to publish the *-signed packages automatically, this will be implemented in incremental basis as we advance to have a base code of the *-signed packages
> [...]
>
> I missed that discussion so I don't understand how that's supposed to work. Is there a log somewhere?
>
> Ben.

Log: http://pastebin.com/bSsUPrrA
Bug#821051: [PATCH v3] Add byhand script to perform code signing for secure boot
Publish the signature of packages automatically when the package is processed, based on a previous package prepared by the maintainer with all the efi images and linux modules.

The maintainer prepares a ${package}-code-sign_${version}_${arch}.tar.xz with all the efi images and/or linux modules. When processing the package from the queue, the byhand-code-sign script is called, reads this .tar.xz package, signs all the efi images or modules inside it and publishes another ${package}-code-sign_${version}_${arch}_sigs.tar.xz at $ftpdir/dists/$suitedir/main/code-sign/

These signatures are then retrieved by the maintainers of the *-signed packages (e.g. linux-signed, grub2-signed, fwupdate-signed) to construct the *-signed versions.

NOTE: this causes a delay between publishing embargoed updates and publishing *-signed packages, which can be a problem since we avoid leaking the existence of a security flaw before its fix has been released. The proposed solution for this is to make dak publish the *-signed packages automatically.

Since we already have this problem anyway, we can add this patch in dak and add the mechanism to automatically publish the *-signed packages later on an incremental basis as we advance constructing the *-signed source packages.

Changes since last version:
- Patches based on https://ftp-master.debian.org/git/dak.git master to be easier to review
- byhand-code-sign-user-exp was deleted; the expect part to enter the pin code is embedded in the bash script byhand-code-sign-user
- Add default configuration file for yubikey with more docs
- Also add grub2 and fwupdate in dak.conf AutomaticByHandPackages
- Call pesign just once in the script (no matter if we have a token or not, with a password or not)

Script used for testing byhand-code-sign-user: https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

Check each commit message for more information on testing.

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

Helen Koike (3):
  byhand-code-sign-user: signing script for efi images and linux modules
  byhand-code-sign: intermediate script for code sign
  dak.conf: add packages that trigger byhand-code-sign

 config/debian-security/byhand-code-sign.conf | 43
 config/debian-security/dak.conf | 24 +++
 config/debian/byhand-code-sign.conf | 43
 config/debian/dak.conf | 21 ++
 scripts/debian/byhand-code-sign | 52 +++
 scripts/debian/byhand-code-sign-user | 99
 6 files changed, 282 insertions(+)
 create mode 100644 config/debian-security/byhand-code-sign.conf
 create mode 100644 config/debian/byhand-code-sign.conf
 create mode 100755 scripts/debian/byhand-code-sign
 create mode 100755 scripts/debian/byhand-code-sign-user

-- 
2.7.4
Bug#821051: [PATCH v3 1/3] byhand-code-sign-user: signing script for efi images and linux modules
The byhand-code-sign-user script receives a .tar.xz file (that can contain efi images and linux modules) on stdin, signs them using keys as configured in the configuration file and generates a .tar.xz with all the signatures on stdout.

This script is meant to be called by another byhand script which will run it as a different user. stdin and stdout are used for passing the .tar.xz files as this script may not have permission to access the .tar.xz.

It can sign using a token such as a Yubikey or through a certificate database, depending on the configuration.

Contributions: Julien Cristau
Ben Hutchings
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

TESTS

I tested byhand-code-sign-user using the script here: https://github.com/helen-fornazier/dak-codesign-test/blob/master/dak-codesign-test.sh

That covers with and without a Yubikey, and creating a privkey with or without a password.

To execute it, create a test.tar.xz file with efi images and linux modules, install gnutls-bin, yubico-piv-tool, libnss3-tools and run ./dak-codesign-test.sh test.tar.xz

It should work with a yubikey with default configuration (key and pin code), otherwise you will need to adjust those parameters in the script.

Changes from last version:
- remove byhand-code-sign-user-exp, now the expect script is embedded in this one
- style changes
- changes in config variables to support signing with and without token
- fixed bugs when running with or without pin
- fix linux signing with token
- add more doc and example in the base config file
---
config/debian-security/byhand-code-sign.conf | 43 config/debian/byhand-code-sign.conf | 43 scripts/debian/byhand-code-sign-user | 99 3 files changed, 185 insertions(+) create mode 100644 config/debian-security/byhand-code-sign.conf create mode 100644 config/debian/byhand-code-sign.conf create mode 100755 scripts/debian/byhand-code-sign-user 
diff --git a/config/debian-security/byhand-code-sign.conf b/config/debian-security/byhand-code-sign.conf new file mode 100644 index 000..7818b8d --- /dev/null +++ b/config/debian-security/byhand-code-sign.conf 
@@ -0,0 +1,43 @@ +# Configuration for byhand-sign shell script + +# The directory of the certificate database created with certutil +# where the certificate and possibly the private key (if a token +# is not used) for signing efi images are stored +#EFI_CERT_DIR=/etc/dak/efi/certdir +EFI_CERT_DIR= + +# The name that identifies the certificate in the certificate +# database or in the token. +# Yubikey is usually "Certificate for Digital Signature" +# The label can be verified by executing: +# pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O +EFI_CERT_NAME="Certificate for Digital Signature" + +# The label of the token as shown in `p11tool --list-tokens` +# Set to "NSS Certificate DB" if the private key is in the certificate +# database and a token will not be used +#EFI_TOKEN_NAME="NSS Certificate DB" +EFI_TOKEN_NAME="PIV_II (PIV Card Holder pin)" + +# The token pin or the certificate database slot password (if a +# token is not used) for signing efi images. This is optional in +# case a token is not used and no slot password is set +#EFI_SIGN_PIN=123456 + +# The sign-file linux program to sign modules +#LINUX_SIGNFILE=/usr/lib/linux-kbuild-4.6/scripts/sign-file +LINUX_SIGNFILE= + +# The private key to use to sign the kernel modules or the token URI +# as shown by `p11tool --list-tokens` +#LINUX_MODULES_PRIVKEY=/etc/dak/efi/kernel-key.rsa +LINUX_MODULES_PRIVKEY="pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29" + +# The certificate to verify the kernel modules signature +#LINUX_MODULES_CERT=/etc/dat/efi/kernel-cert.pem +LINUX_MODULES_CERT= + +# The token pin or the certificate database slot password (if a +# token is not used) for signing kernel modules. This is optional in +# case no slot password is set +#LINUX_SIGN_PIN=123456 diff --git a/config/debian/byhand-code-sign.conf b/config/debian/byhand-code-sign.conf new file mode 100644 index 000..7818b8d --- /dev/null 
+++ b/config/debian/byhand-code-sign.conf @@ -0,0 +1,43 @@ +# Configuration for byhand-sign shell script + +# The directory of the certificate database created with certutil +# where the certificate and possibly the private key (if a token +# is not used) for signing efi images are stored +#EFI_CERT_DIR=/etc/dak/efi/certdir +EFI_CERT_DIR= + +# The name that identifies the certificate in the certificate +# database or in the token. +# Yubikey is usually "Certificate for Digital Signature" +# The label can be verified by executing: +# pkcs11-tool
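Review bot: both copies of byhand-code-sign.conf are designed to hold the token PIN or slot password in clear (`#EFI_SIGN_PIN=123456`, `#LINUX_SIGN_PIN=123456`) and they live in the dak config tree that is kept in git, so the file header or the commit message should state that the deployed copy must be readable only by the codesign user and that the real values are never committed, or the PIN variables should point at a separate file outside the repository. Two nits in the same file: the header says 'Configuration for byhand-sign shell script' while the script that reads it is byhand-code-sign-user, and the LINUX_MODULES_CERT example reads /etc/dat/efi/kernel-cert.pem where every other example path uses /etc/dak/efi/.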
Bug#821051: [PATCH v3 2/3] byhand-code-sign: intermediate script for code sign
This script is meant to be called by the AutomaticByHandPackages mechanism; it will receive a .tar.xz file with efi images and/or linux modules, call byhand-code-sign-user as the codesign user to generate another .tar.xz with detached signatures and publish it in $ftpdir/dists/$suitedir/main/code-sign/

Contributions: Ben Hutchings
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

scripts/debian/byhand-code-sign | 52 + 1 file changed, 52 insertions(+) create mode 100755 scripts/debian/byhand-code-sign diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign new file mode 100755 index 000..f3eceab --- /dev/null +++ b/scripts/debian/byhand-code-sign 
@@ -0,0 +1,52 @@ +#!/bin/bash + +set -u +set -e +set -o pipefail + +if [ $# -lt 5 ]; then + echo "Usage: $0 filename version arch changes_file suite" + exit 1 +fi + +IN_TARBALL="$1"# Tarball to read, compressed with xz +VERSION="$2" +ARCH="$3" +CHANGES="$4" # Changes file for the upload +SUITE="$5" + +error() { + echo >&2 "E: $*" + exit 1 +} + +# Read dak configuration for security or main archive. +# Also determine subdirectory for the suite. +case "$0" in +/srv/security-master.debian.org/*) + configdir="/srv/security-master.debian.org/dak/config/debian-security" + suitedir="$SUITE/updates" + ;; +/srv/ftp-master.debian.org/*) + configdir="/srv/ftp-master.debian.org/dak/config/debian" + suitedir="$SUITE" + ;; +*) + error "$0: Can't tell if security or not" + ;; +esac +. "$configdir/vars" + +TARGET="$ftpdir/dists/$suitedir/main/code-sign/" +OUT_TARBALL="$TARGET/${IN_TARBALL##*/}" +OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz" + +# Check that this source/arch/version hasn't already been signed +if [ -e "$OUT_TARBALL" ]; then + error "Signature tarball already exists: $OUT_TARBALL" +fi + +mkdir -p "${OUT_TARBALL%/*}" + +sudo -u codesign "${0%/*}/byhand-code-sign-user" "$configdir/byhand-code-sign.conf" < "$IN_TARBALL" > "$OUT_TARBALL" +echo "I: Created $OUT_TARBALL" -- 2.7.4
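Review bot: OUT_TARBALL is built from `${IN_TARBALL##*/}`, i.e. the basename chosen by the uploader, while VERSION and ARCH (arguments 2 and 3) are assigned and never used; nothing checks that the uploaded filename actually matches ${package}-code-sign_${version}_${arch}.tar.xz before the signatures are published under dists/$suitedir/main/code-sign/, so a mis-named byhand file lands under whatever name it carries and the 'already been signed' check keys on that name too. Either validate the basename against "$VERSION" and "$ARCH" and call error on a mismatch, or construct the output name from those arguments instead of from the input filename.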
Bug#821051: [PATCH v3 3/3] dak.conf: add packages that trigger byhand-code-sign
Add linux, grub2 and fwupdate to publish their signatures by calling byhand-code-sign, as they are supposed to have a *-signed version.

NOTE: this bypasses embargoed updates. The proposed solution for this is to make dak publish the *-signed packages automatically; this will be implemented on an incremental basis as we advance to have a code base for the *-signed packages.

Contributions: Ben Hutchings
---
This patch series is based on https://ftp-master.debian.org/git/dak.git master

Patches are also available here: https://github.com/helen-fornazier/dak/tree/review

To test it, after building the package (grub, linux or fwupdate), create a file called ${package}-code-sign_${version}_${arch}.tar.xz with the efi images or kernel modules to be signed.

After building the package, add the file to the changes file:

> changestool ${package}-code-sign_${version}_${arch}.changes addrawfile ${package}-code-sign_${version}_${arch}.tar.xz

Edit the .changes file to replace the double dashes by "byhand optional":

> sed -i -e "s/- - ${package}-code-sign_${version}_${arch}.tar.xz/byhand optional ${package}-code-sign_${version}_${arch}.tar.xz/g" ${package}-code-sign_${version}_${arch}.changes

Sign the .changes file:

> gpg --clearsign ${package}-code-sign_${version}_${arch}.changes
> mv ${package}-code-sign_${version}_${arch}.changes.asc ${package}-code-sign_${version}_${arch}.changes

Add to the unchecked queue:

> cp -r ../* /srv/dak/queue/unchecked/

Process the package:

> dak process-upload -d /srv/dak/queue/unchecked
---
config/debian-security/dak.conf | 24 config/debian/dak.conf | 21 + 2 files changed, 45 insertions(+) diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf index f342a55..dbf5395 100644 --- a/config/debian-security/dak.conf +++ b/config/debian-security/dak.conf 
@@ -127,6 +127,30 @@ SuiteMappings "reject oldoldstable"; }; +AutomaticByHandPackages +{ + "linux-code-sign" { +Source "linux"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "grub2-code-sign" { +Source "grub2"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "fwupdate-code-sign" { +Source "fwupdate"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/security-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; +}; + Dir { Base "/srv/security-master.debian.org/"; diff --git a/config/debian/dak.conf b/config/debian/dak.conf index 10322cc..6de05f2 100644 --- a/config/debian/dak.conf +++ b/config/debian/dak.conf @@ -185,6 +185,27 @@ AutomaticByHandPackages { Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-di"; }; + "linux-code-sign" { +Source "linux"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "grub2-code-sign" { +Source "grub2"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + + "fwupdate-code-sign" { +Source "fwupdate"; +Section "byhand"; +Extension "tar.xz"; +Script "/srv/ftp-master.debian.org/dak/scripts/debian/byhand-code-sign"; + }; + "tag-overrides" { Source "tag-overrides"; Section "byhand"; -- 2.7.4
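Review bot: the commit message itself states that this bypasses embargoed updates and that the fix (dak publishing the *-signed packages on its own) is still to be written, yet the debian-security hunk enables the script on security-master right away; until that mechanism exists, leave the security-master entries out of this patch (or commented) so that a new <package>-code-sign tarball appearing under dists/ does not announce an upcoming security update, and add the ftp-master entries only. If the entries must go in now, the commit message should say how the delay between the code-sign tarball and the embargoed upload is meant to be handled in the meantime.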
Bug#821051: Need support for uploading and signing EFI executables
On 2016-10-18 07:34 PM, Ansgar Burchardt wrote:
> Ben Hutchings writes:
> > On Tue, 2016-10-18 at 22:55 +0200, Ansgar Burchardt wrote:
> > > Is there any documentation how this is supposed to work?
> >
> > Nothing comprehensive as yet. Where should it go?
>
> It doesn't need to be comprehensive. I just would like to understand what needs to happen.
>
> > > What uses the signatures the archive is planned to write to dists/*?
> >
> > Scripts for preparing the source packages that build signed binaries. (Which will probably be included in those source packages, but don't have to be.)
>
> How does building signed binaries work? That sounds like the signature gets merged into the binaries dak signed in some way?
>
> > > It looks wrong to bypass embargoed for the signatures. We avoid showing which packages will get security updates in the future.
> >
> > That's a fair point. But they need to be findable by a maintainer who doesn't have access to embargoed packages in general. How about using a hash of the changelog?
>
> Wouldn't the maintainer need access to the embargoed binaries as well as the signatures to prepare the signed version?

As we briefly discussed on irc, we could solve all this by making dak publish the -signed packages automatically; is this a good solution? Please let me know your opinion so I can go ahead and implement a first version of it.

Thanks
Helen Koike
Bug#820050: Monolithic grub for signing (grub2-signed/secure-boot)
Hi,

To be able to create the grub2-signed package we need a monolithic version of grub available, as grub doesn't know how to verify the signatures of its modules loaded from the disk, so we need a monolithic version containing grub and all its modules in a single image to be signed. Then the grub2-signed package can depend on the signature and on the monolithic grub package to be used when secure boot is enabled.

So I was wondering if it would be ok to change the packages grub-efi-deb to create a monolithic version of grub, or if it would be preferable to create a grub-efi-monolithicdeb, or do you have any other idea?

Thanks
Helen Koike
Bug#821051: [PATCH v2] byhand-code-sign: sign using another user
--- Hi, Thanks Jakub for your review. I modified the script to read the .tar.xz from stdin and output the -sign.tar.xz to stdout. It is also available here: https://github.com/helen-fornazier/dak Changes since last version: - add quotes around variables - remove unnecessary chmod 700 - receive tar.xz from stdin in byhand-code-sign-user script - generate the -sign.tar.xz to stdout in byhand-code-sign-user script I would appreciate if someone could review this version Thank you Helen scripts/debian/byhand-code-sign | 104 +--- scripts/debian/byhand-code-sign-user | 135 +++ scripts/debian/byhand-code-sign-user-exp | 17 3 files changed, 154 insertions(+), 102 deletions(-) create mode 100755 scripts/debian/byhand-code-sign-user create mode 100755 scripts/debian/byhand-code-sign-user-exp diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign index fbd6855..18bd09e 100755 --- a/scripts/debian/byhand-code-sign +++ b/scripts/debian/byhand-code-sign @@ -20,8 +20,6 @@ error() { exit 1 } -export OPENSSL_CONF=/dev/null - # Read dak configuration for security or main archive. # Also determine subdirectory for the suite. case "$0" in @@ -39,14 +37,6 @@ case "$0" in esac . "$configdir/vars" -# Read and trivially validate our configuration -. "$configdir/byhand-code-sign.conf" -for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \ - LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do - test -v $var || error "$var is not defined in configuration" - test -n "${!var}" || error "$var is empty in configuration" -done - TARGET="$ftpdir/dists/$suitedir/main/code-sign/" OUT_TARBALL="$TARGET/${IN_TARBALL##*/}" OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz" 
@@ -56,99 +46,9 @@ if [ -e "$OUT_TARBALL" ]; then error "Signature tarball already exists: $OUT_TARBALL" fi -# If we fail somewhere, cleanup the temporary directories -IN_DIR= -OUT_DIR= -CERT_DIR= -cleanup() { - for dir in "$IN_DIR" "$OUT_DIR" "$CERT_DIR"; do - test -z "$dir" || rm -rf "$dir" - done -} -trap cleanup EXIT - -# Extract the data into the input directory -IN_DIR="$(mktemp -td byhand-code-sign-in.XX)" -tar xaf "$IN_TARBALL" --directory="$IN_DIR" - -case "$EFI_BINARY_PRIVKEY" in -pkcs11:*) - # Translate from OpenSSL PKCS#11 enigne syntax to pesign parameters - # See: https://sources.debian.net/src/engine-pkcs11/0.2.2-1/src/engine_pkcs11.c - pkcs11_pin_value= - old_IFS="$IFS" - IFS=';' - for kv in ${EFI_BINARY_PRIVKEY#pkcs11:}; do - case "$kv" in - token=*) - pkcs11_token="${kv#*=}" - ;; - object=*) - pkcs11_object="${kv#*=}" - ;; - pin-value=*) - pkcs11_pin_value="${kv#*=}" - ;; - esac - done - IFS="$old_IFS" - unset old_IFS - # TODO: unlock it - PESIGN_PARAMS=(-t "$pkcs11_token" -c "$pkcs11_object") - ;; -*) - # Create certificate store for pesign - CERT_DIR="$(mktemp -td byhand-code-sign-cert.XX)" - chmod 700 "$CERT_DIR" - mkdir "$CERT_DIR/store" - certutil -N --empty-password -d "$CERT_DIR/store" - openssl pkcs12 -export \ - -inkey "$EFI_BINARY_PRIVKEY" -in "$EFI_BINARY_CERT" \ - -out "$CERT_DIR/efi-image.p12" -passout pass: \ - -name efi-image - pk12util -i "$CERT_DIR/efi-image.p12" -d "$CERT_DIR/store" -K '' -W '' - PESIGN_PARAMS=(-n "$CERT_DIR/store" -c efi-image) - ;; -esac - -# Create hierarchy of detached signatures in parallel to the uploaded files -OUT_DIR="$(mktemp -td byhand-code-sign-out.XX)" -while read filename; do - mkdir -p "$OUT_DIR/${filename%/*}" - case "${filename##*/}" in - *.efi | vmlinuz-*) - pesign -i "$IN_DIR/$filename" \ - --export-signature "$OUT_DIR/$filename.sig" --sign \ - -d sha256 "${PESIGN_PARAMS[@]}" - ;; - *.ko) - "$LINUX_SIGNFILE" -d sha256 "$LINUX_MODULE_PRIVKEY" \ - "$LINUX_MODULE_CERT" "$IN_DIR/$filename" - mv 
"$IN_DIR/$filename.p7s" "$OUT_DIR/$filename.sig" - ;; - *) - echo >&2 "W: Not signing unrecognised file: $filename" - continue - ;; - esac - if [ ${#filename} -gt 60 ]; then - filename_trunc="...${filename:$((${#filename} - 57)):57}" - else - filename_trunc="$filename" - fi - printf 'I: Signed %-60s\r' "$filename_trunc" -done < <(find "$IN_DIR" -type f -printf '%P\n') - -# Clear last progress message -printf '%-70s\r' '' +mkdir -p "${OUT_TARBALL%/*}" -# Build tarball of
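Review bot: the @@ -39,14 +37,6 @@ hunk drops `. "$configdir/byhand-code-sign.conf"` together with the loop that rejects an undefined or empty EFI_BINARY_PRIVKEY, EFI_BINARY_CERT, LINUX_SIGNFILE, LINUX_MODULE_PRIVKEY and LINUX_MODULE_CERT, and the @@ -56,99 +46,9 @@ hunk moves the pesign and sign-file logic out of byhand-code-sign; since the configuration is now consumed by byhand-code-sign-user (not visible in this excerpt), make sure the equivalent `test -v` / `test -n` validation moved there, otherwise an empty variable only surfaces as a pesign or sign-file error after the temporary directories and certificate store have been set up. The removal of `export OPENSSL_CONF=/dev/null` in the first hunk also deserves a sentence in the cover text.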
Bug#821051: git branch with code signing script
Hi,

On Sun, 25 Sep 2016 01:06:06 +0100 Ben Hutchings <b...@decadent.org.uk> wrote:
> I've pushed all my changes to a git repo at:
> https://git.decadent.org.uk/git/dak.git
>
> Ben.
>
> --
> Ben Hutchings
> No political challenge can be met by shopping. - George Monbiot

I modified this code and also got some code from Julien Cristau to sign the packages as another user; please see the patch below and let me know your feedback. The following patch applies on top of https://git.decadent.org.uk/git/dak.git

I didn't test with a real token because I don't have one, could someone check this please?

Thank you
Helen Koike

diff --git a/scripts/debian/byhand-code-sign b/scripts/debian/byhand-code-sign index fbd6855..6b48d26 100755 --- a/scripts/debian/byhand-code-sign +++ b/scripts/debian/byhand-code-sign @@ -20,8 +20,6 @@ error() { exit 1 } -export OPENSSL_CONF=/dev/null - # Read dak configuration for security or main archive. # Also determine subdirectory for the suite. case "$0" in 
@@ -39,116 +37,12 @@ case "$0" in esac . "$configdir/vars" -# Read and trivially validate our configuration -. "$configdir/byhand-code-sign.conf" -for var in EFI_BINARY_PRIVKEY EFI_BINARY_CERT \ - LINUX_SIGNFILE LINUX_MODULE_PRIVKEY LINUX_MODULE_CERT; do - test -v $var || error "$var is not defined in configuration" - test -n "${!var}" || error "$var is empty in configuration" -done - TARGET="$ftpdir/dists/$suitedir/main/code-sign/" OUT_TARBALL="$TARGET/${IN_TARBALL##*/}" OUT_TARBALL="${OUT_TARBALL%.tar.xz}_sigs.tar.xz" -# Check that this source/arch/version hasn't already been signed -if [ -e "$OUT_TARBALL" ]; then - error "Signature tarball already exists: $OUT_TARBALL" -fi - -# If we fail somewhere, cleanup the temporary directories -IN_DIR= -OUT_DIR= -CERT_DIR= -cleanup() { - for dir in "$IN_DIR" "$OUT_DIR" "$CERT_DIR"; do - test -z "$dir" || rm -rf "$dir" - done -} -trap cleanup EXIT - -# Extract the data into the input directory -IN_DIR="$(mktemp -td byhand-code-sign-in.XX)" -tar xaf "$IN_TARBALL" --directory="$IN_DIR" - -case "$EFI_BINARY_PRIVKEY" in -pkcs11:*) - # Translate from OpenSSL PKCS#11 enigne syntax to pesign parameters - # See: https://sources.debian.net/src/engine-pkcs11/0.2.2-1/src/engine_pkcs11.c - pkcs11_pin_value= - old_IFS="$IFS" - IFS=';' - for kv in ${EFI_BINARY_PRIVKEY#pkcs11:}; do - case "$kv" in - token=*) - pkcs11_token="${kv#*=}" - ;; - object=*) - pkcs11_object="${kv#*=}" - ;; - pin-value=*) - pkcs11_pin_value="${kv#*=}" - ;; - esac - done - IFS="$old_IFS" - unset old_IFS - # TODO: unlock it - PESIGN_PARAMS=(-t "$pkcs11_token" -c "$pkcs11_object") - ;; -*) - # Create certificate store for pesign - CERT_DIR="$(mktemp -td byhand-code-sign-cert.XX)" - chmod 700 "$CERT_DIR" - mkdir "$CERT_DIR/store" - certutil -N --empty-password -d "$CERT_DIR/store" - openssl pkcs12 -export \ - -inkey "$EFI_BINARY_PRIVKEY" -in "$EFI_BINARY_CERT" \ - -out "$CERT_DIR/efi-image.p12" -passout pass: \ - -name efi-image - pk12util -i "$CERT_DIR/efi-image.p12" 
-d "$CERT_DIR/store" -K '' -W '' - PESIGN_PARAMS=(-n "$CERT_DIR/store" -c efi-image) - ;; -esac - -# Create hierarchy of detached signatures in parallel to the uploaded files -OUT_DIR="$(mktemp -td byhand-code-sign-out.XX)" -while read filename; do - mkdir -p "$OUT_DIR/${filename%/*}" - case "${filename##*/}" in - *.efi | vmlinuz-*) - pesign -i "$IN_DIR/$filename" \ - --export-signature "$OUT_DIR/$filename.sig" --sign \ - -d sha256 "${PESIGN_PARAMS[@]}" - ;; - *.ko) - "$LINUX_SIGNFILE" -d sha256 "$LINUX_MODULE_PRIVKEY" \ - "$LINUX_MODULE_CERT" "$IN_DIR/$filename" - mv "$IN_DIR/$filename.p7s" "$OUT_DIR/$filename.sig" - ;; - *) - echo >&2 "W: Not signing unrecognised file: $filename" - continue - ;; - esac - if [ ${#filename} -gt
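Review bot: besides moving the signing logic out of byhand-code-sign, the @@ -39,116 +37,12 @@ hunk also deletes the `if [ -e "$OUT_TARBALL" ]` guard ('Check that this source/arch/version hasn't already been signed'); unless it is re-added further down in the patch (the excerpt ends before that), a second upload with the same filename silently overwrites a signature tarball that has already been published under dists/. Keep that check in byhand-code-sign, since it is the only part of the pipeline that knows the final path, and keep it before any work is delegated to the other user.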