Update the template building service for the move to fwupd

Since the EFI binary copied to fwupd the signing service will
also need to use templates from fwupd.

debian/README.Debian

@@ -1,7 +1,18 @@
-fwupd for Debian
-----------------
+signed vs unsigned fwupd programs
+------------------------------------
 
-fwupd is still heavily in development. As of this date, the functionality 
-it provides is not yet available on most systems.
+fwupd 1.1.0 is configured to understand when to use a signed version
+of the EFI binary.  If the signed version isn't installed but secure
+boot is turned on, it will avoid copying to the EFI system partition.
+
+This allows supporting secure boot even if not turned on at install, or
+changed later after install.
+
+In Ubuntu, both fwupd-signed and fwupd are seeded in the default
+installation. Nothing is installed to the ESP until it's needed.
+
+In Debian, the package name for the signed version is slightly
+different due to different infrastructure. fwupd-signed-$ARCH and
+fwupd should both be installed and then things will work similarly
+to what's described above.
 
- -- Daniel Jared Dominguez <Jared_Dominguez@Dell.com>  Wed, 20 May 2015 17:16:02 -0500

debian/changelog

@@ -1,10 +1,20 @@
 fwupd (1.1.0-1) UNRELEASED; urgency=medium
 
+  [ Steve Mcintyre ]
+  * Initial support for UEFI Secure Boot in Debian infrastructure
+    + When building, also generate a fwupdate-$ARCH-signed-template package
+      which contains metadata needed by the Debian signing service. This
+      will end up being turned into a new source package including a signed
+      version of the fwupdate binary.
+
+  [ Mario Limonciello ]
   * New upstream version (1.1.0)
   * Drop patches merged upstream.
   * debian/control:
     - Add a patch from upstream that will add gnu-efi to dependencies
     - No longer recommends for fwupdate as it has been merged into fwupd.
+  * Adjust infrastructure for fwupdate signed package to be used by fwupd signed
+    package
 
  -- Mario Limonciello <mario.limonciello@dell.com>  Thu, 12 Jul 2018 08:28:32 -0500
 
@@ -80,7 +90,7 @@ fwupd (1.0.3-1) unstable; urgency=medium
 fwupd (1.0.2-1) unstable; urgency=medium
 
   * New upstream version
-  * Drop patch for doing libsmbios on only supported architectures, 
+  * Drop patch for doing libsmbios on only supported architectures,
     now upstream.
 
  -- Mario Limonciello <mario.limonciello@dell.com>  Tue, 28 Nov 2017 09:36:57 -0600
@@ -299,7 +309,7 @@ fwupd (0.9.4-1) experimental; urgency=medium
   * Correct a cleanup rule
   * Drop intltool build dependency
   * Re-enable PIE for builds
-  * Add additional build dependencies that will be needed for generating 
+  * Add additional build dependencies that will be needed for generating
     capsule graphics
   * debian/control: sort build-dependencies
   * Drop packaging from debian/, it will be git mv'ed from contrib/ upstream

debian/control

@@ -166,3 +166,31 @@ Description: GObject introspection data for libfwupd
  .
  It can be used by packages using the GIRepository format to generate
  dynamic bindings.
+
+Package: fwupd-amd64-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-i386-signed-template
+Architecture: i386
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-armhf-signed-template
+Architecture: armhf
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-arm64-signed-template
+Architecture: arm64
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.

debian/control.in

@@ -120,3 +120,31 @@ Description: GObject introspection data for libfwupd
  .
  It can be used by packages using the GIRepository format to generate
  dynamic bindings.
+
+Package: fwupd-amd64-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-i386-signed-template
+Architecture: i386
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-armhf-signed-template
+Architecture: armhf
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-arm64-signed-template
+Architecture: arm64
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.

debian/gen_signing_json

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Generate a json file to go in the the fwupdate-signed template
+# Generate a json file to go in the the fwupd-signed template
 # package. Describes exactly what needs to be signed, and how.
 
 DIR=$1
@@ -12,7 +12,7 @@ OUT="$DIR/files.json"
 BINARY=$(find debian/tmp -name '*.efi' | xargs basename)
 
 # Actually needs full path within the binary deb
-BINARY="usr/lib/${SOURCE}/${BINARY}"
+BINARY="usr/lib/${SOURCE}/efi/${BINARY}"
 
 rm -f $OUT
 

debian/rules

@@ -22,12 +22,23 @@ ifeq ($(DEB_TARGET_ARCH),$(filter $(DEB_TARGET_ARCH),amd64 i386 armhf arm64))
 	export UEFI=-Dplugin_uefi=true
 endif
 
+SB_STYLE := debian
+ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
+	SB_STYLE := ubuntu
+	tar_name := fwupd_$(deb_version)_$(DEB_HOST_ARCH).tar.gz
+else
+	TMPLDIR  := debian/fwupd-$(DEB_HOST_ARCH)-signed-template/usr/share/code-signing/fwupd-$(DEB_HOST_ARCH)-signed-template
+endif
+
 %:
 	[ -f debian/control ] || debian/rules regenerate_control
 	dh $@ --with gir,systemd
 
 override_dh_auto_clean: regenerate_control
 	rm -fr debian/build
+ifeq (ubuntu,$(SB_STYLE))
+	rm -rf debian/fwupd-images
+endif
 
 override_dh_auto_configure:
 	if pkg-config --exists libsmbios_c; then \
@@ -46,6 +57,20 @@ override_dh_install:
 	#this is placed in fwupd-tests
 	rm -f debian/fwupd/usr/lib/*/fwupd-plugins-3/libfu_plugin_test.so
 
+ifeq (debian,$(SB_STYLE))
+	# Generate the template source for the Debian signing service to use
+	mkdir -p $(TMPLDIR)/source-template/debian
+	cp -a debian/signing-template/* $(TMPLDIR)/source-template/debian
+	cp debian/README.Debian $(TMPLDIR)/source-template/debian
+	find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNARCH,$(DEB_HOST_ARCH),"
+	find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNVERSION,$(deb_version),"
+	for file in $$(find $(TMPLDIR)/source-template/debian -type f -name *SIGNARCH*); do file1=$$(echo $$file | sed "s,SIGNARCH,$(DEB_HOST_ARCH),"); mv -v $$file $$file1; done
+	install -m 0755 debian/fwupd.postinst $(TMPLDIR)/source-template/debian/fwupd-$(DEB_HOST_ARCH)-signed.postinst
+	install -m 0755 debian/fwupd.postrm $(TMPLDIR)/source-template/debian/fwupd-$(DEB_HOST_ARCH)-signed.postrm
+	./debian/gen_signing_changelog $(TMPLDIR)/source-template/debian fwupd $(DEB_HOST_ARCH)
+	./debian/gen_signing_json $(TMPLDIR) fwupd ${DEB_HOST_ARCH}
+endif
+
 override_dh_strip_nondeterminism:
 	dh_strip_nondeterminism -Xfirmware-example.xml.gz
 
@@ -53,3 +78,14 @@ override_dh_auto_test:
 	if [ -x /usr/bin/valgrind ] ; then \
 		dh_auto_test; \
 	fi
+
+override_dh_builddeb:
+	dh_builddeb -- -Zxz
+ifeq (ubuntu,$(SB_STYLE))
+		mkdir -p debian/fwupd-images/$(deb_version)
+		cp debian/tmp/usr/lib/fwupd/efi/fwupd*.efi debian/fwupd-images/$(deb_version)
+		echo $(deb_version) \
+			> debian/fwupd-images/$(deb_version)/version
+			cd debian/fwupd-images && tar czvf ../../../$(tar_name) .
+			dpkg-distaddfile $(tar_name) raw-uefi -
+endif

debian/signing-template/README.source

@@ -1,4 +1,4 @@
 This source package is generated by the Debian signing service from a
-template built by the fwupdate package.  It should never be updated directly.
+template built by the fwupd package.  It should never be updated directly.
 
  -- Steve McIntyre <93sam@debian.org>  Sat, 07 Apr 2018 12:44:55 +0100

debian/signing-template/changelog.in

@@ -1,4 +1,4 @@
-fwupdate-SIGNARCH-signed (1) unstable; urgency=medium
+fwupd-SIGNARCH-signed (1) unstable; urgency=medium
 
   * Add template source package for signing
 

debian/signing-template/control

@@ -1,23 +1,23 @@
-Source: fwupdate-SIGNARCH-signed
+Source: fwupd-SIGNARCH-signed
 Priority: optional
 Maintainer: Debian EFI <debian-efi@lists.debian.org>
 Uploaders: Daniel Jared Dominguez <jared.dominguez@dell.com>, Steve McIntyre <93sam@debian.org>, Mario Limonciello <mario.limonciello@dell.com>
-Build-Depends: debhelper (>= 9.0.0), sbsigntool [amd64 arm64 armhf i386], fwupdate (= SIGNVERSION) [SIGNARCH]
+Build-Depends: debhelper (>= 9.0.0), sbsigntool [amd64 arm64 armhf i386], fwupd (= SIGNVERSION) [SIGNARCH]
 Standards-Version: 4.1.3
 Section: libs
-Homepage: https://github.com/rhinstaller/fwupdate
-Vcs-Git: https://salsa.debian.org/efi-team/fwupdate.git
-Vcs-Browser: https://salsa.debian.org/efi-team/fwupdate
+Homepage: https://github.com/hughsie/fwupd
+Vcs-Git: https://salsa.debian.org/efi-team/fwupd.git
+Vcs-Browser: https://salsa.debian.org/efi-team/fwupd
 
-Package: fwupdate-SIGNARCH-signed
+Package: fwupd-SIGNARCH-signed
 Section: admin
 Architecture: SIGNARCH
-Depends: ${shlibs:Depends}, ${misc:Depends}, fwupdate (= SIGNVERSION})
+Depends: ${shlibs:Depends}, ${misc:Depends}, fwupd (= SIGNVERSION})
 Description: Tools to manage UEFI firmware updates (signed)
- fwupdate provides functionality to update system firmware. It has been 
+ fwupd provides functionality to update system firmware. It has been 
  initially designed to update firmware using UEFI capsule updates, but 
  it is designed to be extensible to other firmware update standards.
  .
- This package contains just the signed version of the fwupdate binary,
+ This package contains just the signed version of the fwupd binary,
  needed if your system has UEFI Secure Boot enabled. It depends on the
- normal fwupdate package for everything else.
+ normal fwupd package for everything else.

debian/signing-template/copyright

@@ -1,24 +1,24 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: fwupdate
-Source: https://github.com/rhinstaller/fwupdate
-
-Comment:
- This file describes only the fwupdate-signed-SIGNARCH source package. Its
- binary packages are built largely from source in the fwupdate source
- package. Look there for more details.
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: fwupd
+Source: https://github.com/hughsie/fwupd
 
 Files: *
-Copyright: 2014-2015 Peter Jones <pjones@redhat.com>
-License: GPL-2.0+
+Copyright: 2015 Richard Hughes <richard@hughsie.com>
+License: LGPL-2.1+
+
+Files: data/tests/colorhug/firmware.metainfo.xml
+Copyright: 2015 Richard Hughes <richard@hughsie.com>
+License: CC0-1.0
 
 Files: debian/*
-Copyright: 2015-2018 Daniel Jared Dominguez <Jared_Dominguez@Dell.com>, Steve McIntyre <93sam@debian.org>
-License: GPL-2.0+
+Copyright: 2015 Daniel Jared Dominguez <Jared_Dominguez@Dell.com>
+           2015 Mario Limonciello <mario_limonciello@dell.com>
+License: LGPL-2.1+
 
-License: GPL-2.0+
+License: LGPL-2.1+
  This package is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.
  .
  This package is distributed in the hope that it will be useful,
@@ -26,8 +26,8 @@ License: GPL-2.0+
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  .
- You should have received a copy of the GNU General Public License
+ You should have received a copy of the GNU Lesser General Public License
  along with this program. If not, see <http://www.gnu.org/licenses/>
  .
- On Debian systems, the complete text of the GNU General
- Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
+ On Debian systems, the complete text of the GNU Lesser General
+ Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1".

debian/signing-template/rules

@@ -1,14 +1,14 @@
 #!/usr/bin/make -f
 # -*- makefile -*-
 
-SIGNATURE_DIR := debian/signatures/fwupdate
-BINARY 	      := $(shell find /usr/lib/fwupdate/ -name '*.efi')
+SIGNATURE_DIR := debian/signatures/fwupd
+BINARY 	      := $(shell find /usr/lib/fwupd/efi/ -name '*.efi')
 
 %:
 	dh $@
 
 override_dh_auto_build:
-	mkdir -p debian/${PACKAGE_NAME}/usr/lib/fwupdate
+	mkdir -p debian/${PACKAGE_NAME}/usr/lib/fwupd/efi
 	cp $(BINARY) debian/${PACKAGE_NAME}/$(BINARY)
 	sbattach --attach $(SIGNATURE_DIR)/$(BINARY).sig debian/${PACKAGE_NAME}/$(BINARY)
 	mv debian/${PACKAGE_NAME}/$(BINARY) debian/${PACKAGE_NAME}/$(BINARY).signed