Accepting request 613226 from home:bluca:debian_secure_boot

Add _service file with tar_scm and dsc. The tar_scm is necessary, as for Debian builds it's necessary to have a tarball with the content.
RPM build is unchanged.

OBS-URL: https://build.opensuse.org/request/show/613226
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=57

_service

@@ -0,0 +1,79 @@
+<services>
+  <service name="tar_scm">
+    <param name="url">git://github.com/opensuse/pesign-obs-integration.git</param>
+    <param name="scm">git</param>
+    <param name="version">_none_</param>
+    <param name="exclude">.git</param>
+    <param name="changesgenerate">disable</param>
+    <param name="filename">pesign-obs-integration</param>
+    <param name="extract">pesign-obs-integration.changes</param>
+    <param name="extract">pesign-obs-integration.spec</param>
+    <param name="extract">brp-99-compress-vmlinux</param>
+    <param name="extract">brp-99-pesign</param>
+    <param name="extract">COPYING</param>
+    <param name="extract">gen-hmac</param>
+    <param name="extract">kernel-sign-file</param>
+    <param name="extract">modsign-repackage</param>
+    <param name="extract">pesign-gen-repackage-spec</param>
+    <param name="extract">pesign-obs-integration.changes</param>
+    <param name="extract">pesign-obs-integration.spec</param>
+    <param name="extract">pesign-repackage.spec.in</param>
+    <param name="extract">README</param>
+  </service>
+
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/changelog</param>
+    <param name="outfilename">debian.changelog</param>
+  </service>
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/compat</param>
+    <param name="outfilename">debian.compat</param>
+  </service>
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/control</param>
+    <param name="outfilename">debian.control</param>
+  </service>
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/copyright</param>
+    <param name="outfilename">debian.copyright</param>
+  </service>
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/rules</param>
+    <param name="outfilename">debian.rules</param>
+  </service>
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/docs</param>
+    <param name="outfilename">debian.docs</param>
+  </service>
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/pesign-obs-integration.install</param>
+    <param name="outfilename">debian.pesign-obs-integration.install</param>
+  </service>
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/dh-signobs.manpages</param>
+    <param name="outfilename">debian.dh-signobs.manpages</param>
+  </service>
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/dh-signobs.install</param>
+    <param name="outfilename">debian.dh-signobs.install</param>
+  </service>
+  <service name="extract_file">
+    <param name="archive">*.tar</param>
+    <param name="files">*/debian/dh-signobs.links</param>
+    <param name="outfilename">debian.dh-signobs.links</param>
+  </service>
+
+  <service name="recompress">
+    <param name="file">*.tar</param>
+    <param name="compression">gz</param>
+  </service>
+</services>

_service:extract_file:debian.changelog

@@ -0,0 +1,5 @@
+pesign-obs-integration (10.0) unstable; urgency=medium
+
+  * Initial Debian packaging.
+
+ -- Michal Marek <mmarek@suse.cz>  Tue, 31 Oct 2017 17:44:08 +0000

_service:extract_file:debian.compat

@@ -0,0 +1 @@
+7

_service:extract_file:debian.control

@@ -0,0 +1,22 @@
+Source: pesign-obs-integration
+Section: devel
+Priority: optional
+Maintainer: Michal Marek <mmarek@suse.cz>
+Build-Depends: debhelper (>= 7), openssl, shellcheck
+Standards-Version: 3.9.8
+
+Package: pesign-obs-integration
+Architecture: all
+Depends: ${perl:Depends}, ${misc:Depends}, libnss3-tools, openssl, pesign
+Description: Automate signing EFI binaries and kernel modules on OBS
+ This package provides scripts and rpm macros to automate signing of the
+ boot loader, kernel and kernel modules in the openSUSE Buildservice.
+
+Package: dh-signobs
+Architecture: all
+Enhances: debhelper
+Depends: ${misc:Depends}, debhelper, cpio, libnss3-tools, jq, pesign,
+ pesign-obs-integration, openssl
+Description: Debian Helper for EFI signing on OBS
+ Adds a helper sequence to dh to send EFI signatures to OBS and to
+ re-package them using the templates.

_service:extract_file:debian.copyright

@@ -0,0 +1,47 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://github.com/openSUSE/pesign-obs-integration
+
+Files: *
+Copyright: 2013-2017 SUSE LINUX Products GmbH
+License: GPL-2
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 2 as
+ published by the Free Software Foundation.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+Files: dh_signobs
+       signobs.pm
+       debian/*
+Copyright: 2018 Luca Boccassi <bluca@debian.org>
+License: GPL-2+
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation; either
+ version 2 of the License, or (at your option) any later
+ version.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.  See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this package; if not, write to the Free
+ Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+ Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 2 can be found in the file
+ `/usr/share/common-licenses/GPL-2'.

_service:extract_file:debian.dh-signobs.install

@@ -0,0 +1,2 @@
+dh_signobs usr/bin/
+signobs.pm usr/share/perl5/Debian/Debhelper/Sequence

_service:extract_file:debian.dh-signobs.links

@@ -0,0 +1,6 @@
+usr/bin/dh_signobs usr/bin/dh_signobs_pack
+usr/bin/dh_signobs usr/bin/dh_signobs_unpack
+usr/bin/dh_signobs usr/bin/dh_signobs_getcert
+usr/share/man/man1/dh_signobs.1 usr/share/man/man1/dh_signobs_pack.1
+usr/share/man/man1/dh_signobs.1 usr/share/man/man1/dh_signobs_unpack.1
+usr/share/man/man1/dh_signobs.1 usr/share/man/man1/dh_signobs_getcert.1

_service:extract_file:debian.dh-signobs.manpages

@@ -0,0 +1 @@
+dh_signobs.1

_service:extract_file:debian.docs

@@ -0,0 +1 @@
+README

_service:extract_file:debian.pesign-obs-integration.install

@@ -0,0 +1,7 @@
+pesign-gen-repackage-spec usr/lib/rpm/pesign/
+kernel-sign-file usr/lib/rpm/pesign/
+gen-hmac usr/lib/rpm/pesign/
+pesign-repackage.spec.in usr/lib/rpm/pesign/
+brp-99-pesign usr/lib/rpm/brp-suse.d/
+brp-99-compress-vmlinux usr/lib/rpm/brp-suse.d/
+modsign-repackage usr/bin/

_service:extract_file:debian.rules

@@ -0,0 +1,28 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+%:
+	dh $@
+
+override_dh_auto_clean:
+	rm -f pesign-cert.x509
+	dh_auto_clean
+
+override_dh_auto_build:
+	if test -e ../SOURCES/_projectcert.crt; then \
+		openssl x509 -inform PEM -in ../SOURCES/_projectcert.crt \
+		-outform DER -out pesign-cert.x509; \
+	fi
+	dh_auto_build
+
+override_dh_install:
+	dh_install
+	if test -e pesign-cert.x509; then \
+		dh_install -p pesign-obs-integration pesign-cert.x509 /usr/lib/rpm/pesign; \
+	fi
+
+override_dh_auto_test:
+	shellcheck dh_signobs

_service:recompress:tar_scm:pesign-obs-integration.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:570ab90869469403e2b86640b27441f7f7e722b8a5763370afa3592ffc84f487
+size 31207

_service:tar_scm:README

@@ -1,13 +1,19 @@
 Signing kernel modules and EFI binaries in the Open Build Service
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Packages that need to sign files during build should add the following lines
+RPM packages that need to sign files during build should add the following lines
 to the specfile
 
 # needssslcertforbuild
 export BRP_PESIGN_FILES='pattern...'
 BuildRequires: pesign-obs-integration
 
+Debian packages need to add the following line to the Source stanza in the
+debian/control file, which will add "Obs: needssslcertforbuild" to the generated
+.dsc file:
+
+XS-Obs: needssslcertforbuild
+
 The "# needssslcertforbuild" comment tells the buildservice to store the
 signing certificate in %_sourcedir/_projectcert.crt. At the end of the
 install phase, the brp-99-pesign script computes hashes of all
@@ -26,3 +32,7 @@ builds new RPMs with signed files. The supported file types are:
 efi binaries    - Signature embedded in a header. If a HMAC checksum named
                   .$file.hmac exists, it is regenerated
 
+Debian packages can use the dh-signobs debhelper to automate signing and
+repacking. Build-depend on dh-signobs and add --with signobs to the dh line
+in debian/rules to use the fully automated helper.
+Consult the dh_signobs manpage for more information.

_service:tar_scm:kernel-sign-file

@@ -4,8 +4,8 @@
 #
 
 my $USAGE =
-"Usage: scripts/sign-file [-dkpv] [-i <id type>] <hash algo> <key> <x509> <module> [<dest>]\n" .
-"       scripts/sign-file [-dkpv] [-i <id type>] -s <raw sig> <hash algo> <x509> <module> [<dest>]\n";
+"Usage: scripts/sign-file [-dkpv] [-i <id type>] <hash algo> <key> <x509 (DER format)> <module> [<dest>]\n" .
+"       scripts/sign-file [-dkpv] [-i <id type>] -s <raw sig> <hash algo> <x509 (DER format)> <module> [<dest>]\n";
 
 use strict;
 use FileHandle;

pesign-obs-integration.dsc

@@ -0,0 +1,17 @@
+Format: 1.0
+Source: pesign-obs-integration
+Binary: pesign-obs-integration, dh-signobs
+Architecture: all
+Version: 10.0
+Maintainer: Michal Marek <mmarek@suse.cz>
+Standards-Version: 3.9.8
+Build-Depends: debhelper (>= 7), openssl, shellcheck
+Package-List:
+ dh-signobs deb devel optional arch=all
+ pesign-obs-integration deb devel optional arch=all
+Checksums-Sha1:
+ e6339c1f0f8f9ea015d673ccc1083cfb67e1fc1b 254957 pesign-obs-integration_10.0.tar.gz
+Checksums-Sha256:
+ 64a5bf9f4ccc32525c33f9e231679786327424e9668b6a252c24cf14a30054fa 254957 pesign-obs-integration_10.0.tar.gz
+Files:
+ 983834c7295faecd090ffceaff24a61d 254957 pesign-obs-integration_10.0.tar.gz