Update the template building service for the move to fwupd

Since the EFI binary was copied to fwupd, the signing service will
also need to use templates from fwupd.
Mario Limonciello 2018-07-12 09:14:33 -05:00
parent 88428c744d
commit fc4ebfa35e
11 changed files with 155 additions and 42 deletions

21
debian/README.Debian vendored

@ -1,7 +1,18 @@
fwupd for Debian signed vs unsigned fwupd programs
---------------- ------------------------------------
fwupd is still heavily in development. As of this date, the functionality fwupd 1.1.0 is configured to understand when to use a signed version
it provides is not yet available on most systems. of the EFI binary. If the signed version isn't installed but secure
boot is turned on, it will avoid copying to the EFI system partition.
This allows supporting secure boot even if not turned on at install, or
changed later after install.
In Ubuntu, both fwupd-signed and fwupd are seeded in the default
installation. Nothing is installed to the ESP until it's needed.
In Debian, the package name for the signed version is slightly
different due to different infrastructure. fwupd-signed-$ARCH and
fwupd should both be installed and then things will work similarly
to what's described above.
-- Daniel Jared Dominguez <Jared_Dominguez@Dell.com> Wed, 20 May 2015 17:16:02 -0500
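Review bot: The Debian paragraph names the signed package fwupd-signed-$ARCH, but the signing template changed in this same commit declares `Package: fwupd-SIGNARCH-signed`, which expands to fwupd-$ARCH-signed. A reader following the README would ask for a package name that is never built; use fwupd-$ARCH-signed here. The trailer also still carries the 2015 signature although the body now describes fwupd 1.1.0 behaviour.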

10
debian/changelog vendored

@ -1,10 +1,20 @@
fwupd (1.1.0-1) UNRELEASED; urgency=medium fwupd (1.1.0-1) UNRELEASED; urgency=medium
[ Steve Mcintyre ]
* Initial support for UEFI Secure Boot in Debian infrastructure
+ When building, also generate a fwupdate-$ARCH-signed-template package
which contains metadata needed by the Debian signing service. This
will end up being turned into a new source package including a signed
version of the fwupdate binary.
[ Mario Limonciello ]
* New upstream version (1.1.0) * New upstream version (1.1.0)
* Drop patches merged upstream. * Drop patches merged upstream.
* debian/control: * debian/control:
- Add a patch from upstream that will add gnu-efi to dependencies - Add a patch from upstream that will add gnu-efi to dependencies
- No longer recommends for fwupdate as it has been merged into fwupd. - No longer recommends for fwupdate as it has been merged into fwupd.
* Adjust infrastructure for fwupdate signed package to be used by fwupd signed
package
-- Mario Limonciello <mario.limonciello@dell.com> Thu, 12 Jul 2018 08:28:32 -0500 -- Mario Limonciello <mario.limonciello@dell.com> Thu, 12 Jul 2018 08:28:32 -0500
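Review bot: The added [ Steve Mcintyre ] entry describes a fwupdate-$ARCH-signed-template package and a signed fwupdate binary, while debian/control in this commit adds fwupd-$ARCH-signed-template. Only the last bullet hints at the rename, so the entry reads as if a fwupdate template were still produced. Reword it to the fwupd names or say explicitly that it is carried over from the fwupdate packaging. The surname is spelled "McIntyre" in the signing-template README.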

28
debian/control vendored

@ -166,3 +166,31 @@ Description: GObject introspection data for libfwupd
. .
It can be used by packages using the GIRepository format to generate It can be used by packages using the GIRepository format to generate
dynamic bindings. dynamic bindings.
Package: fwupd-amd64-signed-template
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Template for signed fwupd package
This package is used to control code signing by the Debian signing
service.
Package: fwupd-i386-signed-template
Architecture: i386
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Template for signed fwupd package
This package is used to control code signing by the Debian signing
service.
Package: fwupd-armhf-signed-template
Architecture: armhf
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Template for signed fwupd package
This package is used to control code signing by the Debian signing
service.
Package: fwupd-arm64-signed-template
Architecture: arm64
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Template for signed fwupd package
This package is used to control code signing by the Debian signing
service.
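Review bot: `Depends: ${shlibs:Depends}, ${misc:Depends}` on each of the four template stanzas asks for a shared-library substitution these packages cannot use. According to debian/rules the template ships only source-template/ and the files.json written by gen_signing_json under usr/share/code-signing/, with no binaries. Drop ${shlibs:Depends} and keep ${misc:Depends}.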

28
debian/control.in vendored

@ -120,3 +120,31 @@ Description: GObject introspection data for libfwupd
. .
It can be used by packages using the GIRepository format to generate It can be used by packages using the GIRepository format to generate
dynamic bindings. dynamic bindings.
Package: fwupd-amd64-signed-template
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Template for signed fwupd package
This package is used to control code signing by the Debian signing
service.
Package: fwupd-i386-signed-template
Architecture: i386
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Template for signed fwupd package
This package is used to control code signing by the Debian signing
service.
Package: fwupd-armhf-signed-template
Architecture: armhf
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Template for signed fwupd package
This package is used to control code signing by the Debian signing
service.
Package: fwupd-arm64-signed-template
Architecture: arm64
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Template for signed fwupd package
This package is used to control code signing by the Debian signing
service.
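Review bot: The four template packages are declared unconditionally, but debian/rules fills $(TMPLDIR) only under `ifeq (debian,$(SB_STYLE))`. On an Ubuntu-derived build these stanzas would still produce fwupd-$ARCH-signed-template packages, with nothing in them. Either generate the stanzas only for the Debian style when control is regenerated from this file, or document that the empty packages are expected there.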


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Generate a json file to go in the the fwupdate-signed template # Generate a json file to go in the the fwupd-signed template
# package. Describes exactly what needs to be signed, and how. # package. Describes exactly what needs to be signed, and how.
DIR=$1 DIR=$1
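Review bot: The header comment being edited still reads "go in the the fwupd-signed template"; since the line is touched anyway, fix the doubled "the". The template package this script feeds is named fwupd-$ARCH-signed-template in debian/control, so the comment could use that name as well.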
@ -12,7 +12,7 @@ OUT="$DIR/files.json"
BINARY=$(find debian/tmp -name '*.efi' | xargs basename) BINARY=$(find debian/tmp -name '*.efi' | xargs basename)
# Actually needs full path within the binary deb # Actually needs full path within the binary deb
BINARY="usr/lib/${SOURCE}/${BINARY}" BINARY="usr/lib/${SOURCE}/efi/${BINARY}"
rm -f $OUT rm -f $OUT
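Review bot: `BINARY=$(find debian/tmp -name '*.efi' | xargs basename)` is not checked before it is turned into the path the signing service is told to sign. If the find matches nothing, BINARY is empty and files.json names the directory usr/lib/${SOURCE}/efi/; if it matches more than one file, the path contains several names. The search also covers all of debian/tmp while the result is hard-wired to the efi/ subdirectory. Restrict the find to that directory and exit non-zero unless exactly one file is found. `rm -f $OUT` should quote "$OUT".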

36
debian/rules vendored
View File

@ -22,12 +22,23 @@ ifeq ($(DEB_TARGET_ARCH),$(filter $(DEB_TARGET_ARCH),amd64 i386 armhf arm64))
export UEFI=-Dplugin_uefi=true export UEFI=-Dplugin_uefi=true
endif endif
SB_STYLE := debian
ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
SB_STYLE := ubuntu
tar_name := fwupd_$(deb_version)_$(DEB_HOST_ARCH).tar.gz
else
TMPLDIR := debian/fwupd-$(DEB_HOST_ARCH)-signed-template/usr/share/code-signing/fwupd-$(DEB_HOST_ARCH)-signed-template
endif
%: %:
[ -f debian/control ] || debian/rules regenerate_control [ -f debian/control ] || debian/rules regenerate_control
dh $@ --with gir,systemd dh $@ --with gir,systemd
override_dh_auto_clean: regenerate_control override_dh_auto_clean: regenerate_control
rm -fr debian/build rm -fr debian/build
ifeq (ubuntu,$(SB_STYLE))
rm -rf debian/fwupd-images
endif
override_dh_auto_configure: override_dh_auto_configure:
if pkg-config --exists libsmbios_c; then \ if pkg-config --exists libsmbios_c; then \
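Review bot: The new SB_STYLE block sits after the `endif` that closes the amd64/i386/armhf/arm64 check, so TMPLDIR is defined on every architecture, and it is keyed on DEB_HOST_ARCH while the check above it uses DEB_TARGET_ARCH. debian/control declares template packages only for those four architectures, so elsewhere the path points into a package that does not exist. Move the block inside the architecture guard, or add an equivalent guard, and use one of the two variables consistently.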
@ -46,6 +57,20 @@ override_dh_install:
#this is placed in fwupd-tests #this is placed in fwupd-tests
rm -f debian/fwupd/usr/lib/*/fwupd-plugins-3/libfu_plugin_test.so rm -f debian/fwupd/usr/lib/*/fwupd-plugins-3/libfu_plugin_test.so
ifeq (debian,$(SB_STYLE))
# Generate the template source for the Debian signing service to use
mkdir -p $(TMPLDIR)/source-template/debian
cp -a debian/signing-template/* $(TMPLDIR)/source-template/debian
cp debian/README.Debian $(TMPLDIR)/source-template/debian
find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNARCH,$(DEB_HOST_ARCH),"
find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNVERSION,$(deb_version),"
for file in $$(find $(TMPLDIR)/source-template/debian -type f -name *SIGNARCH*); do file1=$$(echo $$file | sed "s,SIGNARCH,$(DEB_HOST_ARCH),"); mv -v $$file $$file1; done
install -m 0755 debian/fwupd.postinst $(TMPLDIR)/source-template/debian/fwupd-$(DEB_HOST_ARCH)-signed.postinst
install -m 0755 debian/fwupd.postrm $(TMPLDIR)/source-template/debian/fwupd-$(DEB_HOST_ARCH)-signed.postrm
./debian/gen_signing_changelog $(TMPLDIR)/source-template/debian fwupd $(DEB_HOST_ARCH)
./debian/gen_signing_json $(TMPLDIR) fwupd ${DEB_HOST_ARCH}
endif
override_dh_strip_nondeterminism: override_dh_strip_nondeterminism:
dh_strip_nondeterminism -Xfirmware-example.xml.gz dh_strip_nondeterminism -Xfirmware-example.xml.gz
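Review bot: In the rename loop, `-name *SIGNARCH*` is unquoted, so the shell expands the glob against the current directory before find sees it; write `-name '*SIGNARCH*'`. The two `sed -i "s,SIGNARCH,...,"` and `"s,SIGNVERSION,...,"` calls have no `g` flag and replace only the first occurrence on each line, which silently leaves a placeholder behind if a template line ever carries two. The `find | xargs` pipelines also break on paths with whitespace; `find ... -exec sed -i ... {} +` avoids that. Since this output tells the signing service what to sign, a final grep that fails the build if SIGNARCH or SIGNVERSION remains in the generated tree would be a cheap safeguard.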
@ -53,3 +78,14 @@ override_dh_auto_test:
if [ -x /usr/bin/valgrind ] ; then \ if [ -x /usr/bin/valgrind ] ; then \
dh_auto_test; \ dh_auto_test; \
fi fi
override_dh_builddeb:
dh_builddeb -- -Zxz
ifeq (ubuntu,$(SB_STYLE))
mkdir -p debian/fwupd-images/$(deb_version)
cp debian/tmp/usr/lib/fwupd/efi/fwupd*.efi debian/fwupd-images/$(deb_version)
echo $(deb_version) \
> debian/fwupd-images/$(deb_version)/version
cd debian/fwupd-images && tar czvf ../../../$(tar_name) .
dpkg-distaddfile $(tar_name) raw-uefi -
endif
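Review bot: The Ubuntu branch runs `cp debian/tmp/usr/lib/fwupd/efi/fwupd*.efi` on every architecture, but the UEFI plugin is enabled only for amd64, i386, armhf and arm64 at the top of this file. Where no EFI binary was built the glob matches nothing, cp fails and the build aborts after dh_builddeb has already run. Wrap the branch in the same architecture condition. The tarball is registered as raw-uefi for signing, so it is also worth failing explicitly when the copy does not yield the expected binary rather than relying on cp's exit status.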


@ -1,4 +1,4 @@
This source package is generated by the Debian signing service from a This source package is generated by the Debian signing service from a
template built by the fwupdate package. It should never be updated directly. template built by the fwupd package. It should never be updated directly.
-- Steve McIntyre <93sam@debian.org> Sat, 07 Apr 2018 12:44:55 +0100 -- Steve McIntyre <93sam@debian.org> Sat, 07 Apr 2018 12:44:55 +0100


@ -1,4 +1,4 @@
fwupdate-SIGNARCH-signed (1) unstable; urgency=medium fwupd-SIGNARCH-signed (1) unstable; urgency=medium
* Add template source package for signing * Add template source package for signing


@ -1,23 +1,23 @@
Source: fwupdate-SIGNARCH-signed Source: fwupd-SIGNARCH-signed
Priority: optional Priority: optional
Maintainer: Debian EFI <debian-efi@lists.debian.org> Maintainer: Debian EFI <debian-efi@lists.debian.org>
Uploaders: Daniel Jared Dominguez <jared.dominguez@dell.com>, Steve McIntyre <93sam@debian.org>, Mario Limonciello <mario.limonciello@dell.com> Uploaders: Daniel Jared Dominguez <jared.dominguez@dell.com>, Steve McIntyre <93sam@debian.org>, Mario Limonciello <mario.limonciello@dell.com>
Build-Depends: debhelper (>= 9.0.0), sbsigntool [amd64 arm64 armhf i386], fwupdate (= SIGNVERSION) [SIGNARCH] Build-Depends: debhelper (>= 9.0.0), sbsigntool [amd64 arm64 armhf i386], fwupd (= SIGNVERSION) [SIGNARCH]
Standards-Version: 4.1.3 Standards-Version: 4.1.3
Section: libs Section: libs
Homepage: https://github.com/rhinstaller/fwupdate Homepage: https://github.com/hughsie/fwupd
Vcs-Git: https://salsa.debian.org/efi-team/fwupdate.git Vcs-Git: https://salsa.debian.org/efi-team/fwupd.git
Vcs-Browser: https://salsa.debian.org/efi-team/fwupdate Vcs-Browser: https://salsa.debian.org/efi-team/fwupd
Package: fwupdate-SIGNARCH-signed Package: fwupd-SIGNARCH-signed
Section: admin Section: admin
Architecture: SIGNARCH Architecture: SIGNARCH
Depends: ${shlibs:Depends}, ${misc:Depends}, fwupdate (= SIGNVERSION}) Depends: ${shlibs:Depends}, ${misc:Depends}, fwupd (= SIGNVERSION})
Description: Tools to manage UEFI firmware updates (signed) Description: Tools to manage UEFI firmware updates (signed)
fwupdate provides functionality to update system firmware. It has been fwupd provides functionality to update system firmware. It has been
initially designed to update firmware using UEFI capsule updates, but initially designed to update firmware using UEFI capsule updates, but
it is designed to be extensible to other firmware update standards. it is designed to be extensible to other firmware update standards.
. .
This package contains just the signed version of the fwupdate binary, This package contains just the signed version of the fwupd binary,
needed if your system has UEFI Secure Boot enabled. It depends on the needed if your system has UEFI Secure Boot enabled. It depends on the
normal fwupdate package for everything else. normal fwupd package for everything else.
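Review bot: The binary package's `Depends: ${shlibs:Depends}, ${misc:Depends}, fwupd (= SIGNVERSION})` keeps a stray `}` after SIGNVERSION that was carried over from the fwupdate line. After debian/rules substitutes the version, the field becomes `fwupd (= <version>})`, which is not a valid version relation. Remove the brace so it matches the Build-Depends form `fwupd (= SIGNVERSION)`.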


@ -1,24 +1,24 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: fwupdate Upstream-Name: fwupd
Source: https://github.com/rhinstaller/fwupdate Source: https://github.com/hughsie/fwupd
Comment:
This file describes only the fwupdate-signed-SIGNARCH source package. Its
binary packages are built largely from source in the fwupdate source
package. Look there for more details.
Files: * Files: *
Copyright: 2014-2015 Peter Jones <pjones@redhat.com> Copyright: 2015 Richard Hughes <richard@hughsie.com>
License: GPL-2.0+ License: LGPL-2.1+
Files: data/tests/colorhug/firmware.metainfo.xml
Copyright: 2015 Richard Hughes <richard@hughsie.com>
License: CC0-1.0
Files: debian/* Files: debian/*
Copyright: 2015-2018 Daniel Jared Dominguez <Jared_Dominguez@Dell.com>, Steve McIntyre <93sam@debian.org> Copyright: 2015 Daniel Jared Dominguez <Jared_Dominguez@Dell.com>
License: GPL-2.0+ 2015 Mario Limonciello <mario_limonciello@dell.com>
License: LGPL-2.1+
License: GPL-2.0+ License: LGPL-2.1+
This package is free software; you can redistribute it and/or modify This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2 of the License, or the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version. (at your option) any later version.
. .
This package is distributed in the hope that it will be useful, This package is distributed in the hope that it will be useful,
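Review bot: The new `Files: debian/*` stanza drops Steve McIntyre and narrows the years from 2015-2018 to 2015, yet the signing-template README in this commit is signed by him in 2018 and he remains in Uploaders. Keep his attribution and the full year range for the packaging files. The removed Comment was the only statement that this file covers just the signed source package; the added stanza for data/tests/colorhug/firmware.metainfo.xml suggests the file was copied from the main package, so either restore an equivalent comment or trim the stanzas to what the template actually ships.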
@ -26,8 +26,8 @@ License: GPL-2.0+
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. GNU General Public License for more details.
. .
You should have received a copy of the GNU General Public License You should have received a copy of the GNU Lesser General Public License
along with this program. If not, see <http://www.gnu.org/licenses/> along with this program. If not, see <http://www.gnu.org/licenses/>
. .
On Debian systems, the complete text of the GNU General On Debian systems, the complete text of the GNU Lesser General
Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1".
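Review bot: The unchanged line "GNU General Public License for more details." is left as is while every other reference in this paragraph is switched to the Lesser GPL, so the LGPL-2.1+ text now mixes both names. Change that line to "GNU Lesser General Public License for more details." to match.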


@ -1,14 +1,14 @@
#!/usr/bin/make -f #!/usr/bin/make -f
# -*- makefile -*- # -*- makefile -*-
SIGNATURE_DIR := debian/signatures/fwupdate SIGNATURE_DIR := debian/signatures/fwupd
BINARY := $(shell find /usr/lib/fwupdate/ -name '*.efi') BINARY := $(shell find /usr/lib/fwupd/efi/ -name '*.efi')
%: %:
dh $@ dh $@
override_dh_auto_build: override_dh_auto_build:
mkdir -p debian/${PACKAGE_NAME}/usr/lib/fwupdate mkdir -p debian/${PACKAGE_NAME}/usr/lib/fwupd/efi
cp $(BINARY) debian/${PACKAGE_NAME}/$(BINARY) cp $(BINARY) debian/${PACKAGE_NAME}/$(BINARY)
sbattach --attach $(SIGNATURE_DIR)/$(BINARY).sig debian/${PACKAGE_NAME}/$(BINARY) sbattach --attach $(SIGNATURE_DIR)/$(BINARY).sig debian/${PACKAGE_NAME}/$(BINARY)
mv debian/${PACKAGE_NAME}/$(BINARY) debian/${PACKAGE_NAME}/$(BINARY).signed mv debian/${PACKAGE_NAME}/$(BINARY) debian/${PACKAGE_NAME}/$(BINARY).signed
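Review bot: PACKAGE_NAME is used in every recipe line but is not assigned anywhere in the lines shown; if it is empty the paths collapse to debian//usr/lib/fwupd/efi and the signed binary lands outside any package directory. Define it in this file or fail early when it is unset. `BINARY := $(shell find /usr/lib/fwupd/efi/ -name '*.efi')` has the same single-match assumption as the JSON generator: with no match or several matches, the cp, `sbattach --attach` and mv lines operate on the wrong arguments. Check for exactly one result before attaching the signature.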