Separate the helper scripts into a new shim-signed-common package

Separate this from the actual signed shim binaries so that we can
sensibly support co-installability using Multi-Arch. Closes: #928486

debian/changelog

@@ -2,6 +2,10 @@ shim-signed (1.31) UNRELEASED; urgency=medium
 
   * update-secureboot-policy: fix error if /var/lib/dkms does not
     exist. Closes: #923718
+  * Separate the helper scripts into a new shim-signed-common package,
+    apart from the actual signed shim binaries so that we can
+    sensibly support co-installability using Multi-Arch.
+    Closes: #928486
 
  -- Steve McIntyre <93sam@debian.org>  Sat, 25 May 2019 02:25:24 +0100
 

debian/control

@@ -18,6 +18,7 @@ Vcs-Git: https://salsa.debian.org/efi-team/shim-signed.git
 
 Package: shim-signed
 Architecture: amd64 i386 arm64
+Multi-Arch: same
 Depends: ${misc:Depends},
  grub-efi-amd64-bin [amd64],
  shim-helpers-amd64-signed (>= 1+15+1533136590.3beb971+5) [amd64],
@@ -25,8 +26,7 @@ Depends: ${misc:Depends},
  shim-helpers-i386-signed (>= 1+15+1533136590.3beb971+5) [i386],
  grub-efi-arm64-bin [arm64],
  shim-helpers-arm64-signed (>= 1+15+1533136590.3beb971+5) [arm64],
- grub2-common (>= 2.02+dfsg1-16),
+ grub2-common (>= 2.02+dfsg1-16)
- mokutil
 Recommends: secureboot-db
 Built-Using: shim (= 15+1533136590.3beb971-6)
 Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
@@ -38,3 +38,17 @@ Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
  .
  This package contains the version of the bootloader binary signed by the
  Microsoft UEFI CA.
+
+Package: shim-signed-common
+Multi-Arch: foreign
+Architecture: all
+Depends: ${misc:Depends}, mokutil
+Description: Secure Boot chain-loading bootloader (common helper scripts)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database.  Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains common helper scripts for all versions of the
+ shim-signed package.

debian/lintian-overrides

@@ -1 +0,0 @@
-shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy

debian/rules

@@ -18,14 +18,21 @@ endif
 %:
 	dh $@
 
-docdir := debian/shim-signed/usr/share/doc/shim-signed
+docdir := debian/shim-signed-common/usr/share/doc/shim-signed-common
 
 override_dh_installchangelogs:
-	dh_installchangelogs
+	dh_installchangelogs -p shim-signed-common
 	# Quieten lintian, which otherwise gets confused by our odd version
 	# number.
 	ln $(docdir)/changelog $(docdir)/changelog.Debian
 
+override_dh_installdocs:
+	dh_installdocs -p shim-signed-common
+	dh_installdocs --remaining-packages --link-doc=shim-signed-common
+
+override_dh_installdebconf:
+	dh_installdebconf -p shim-signed-common
+
 override_dh_gencontrol:
 	dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \
 		-Vshim:Version=$(SHIM_VERSION)

debian/shim-signed-common.install

@@ -0,0 +1,2 @@
+debian/source_shim-signed.py /usr/share/apport/package-hooks/
+update-secureboot-policy /usr/sbin/

debian/shim-signed-common.lintian-overrides

@@ -0,0 +1 @@
+shim-signed-common: debconf-is-not-a-registry usr/sbin/update-secureboot-policy

debian/shim-signed.install

@@ -1,3 +1 @@
 build/shim*.efi.signed /usr/lib/shim
-debian/source_shim-signed.py /usr/share/apport/package-hooks/
-update-secureboot-policy /usr/sbin/