Add Debian packaging

.gitignore

@@ -1,3 +1,10 @@
 build/
 venv/
 .vscode
+fwupd*.build
+*.gz
+*.changes
+*.deb
+*.xz
+*.dsc
+*.buildinfo

contrib/ci.sh

@@ -1,4 +1,9 @@
-#!/bin/sh -e
+#!/bin/bash
+set -e
+set -x
+shopt -s extglob
+rm -rf build/
+
 if [ "$OS" = "fedora" ]; then
     meson build
     VERSION=`meson introspect build --projectinfo | jq -r .version`
@@ -18,6 +23,19 @@ if [ "$OS" = "fedora" ]; then
     rpmbuild -ba build/fwupd-efi.spec
     mkdir -p dist
     cp $HOME/rpmbuild/RPMS/*/*.rpm dist
+elif [ "$OS" = "debian-x86_64" ] || [ "$OS" = "debian-i386" ]; then
+    export DEBFULLNAME="CI Builder"
+    export DEBEMAIL="[email protected]"
+    VERSION=`head meson.build | grep ' version :' | cut -d \' -f2`
+    mkdir -p build
+    cp -lR !(build|dist|venv) build/
+    pushd build
+    mv contrib/debian .
+    sed s/quilt/native/ debian/source/format -i
+    #build the package
+    EDITOR=/bin/true dch --create --package fwupd-efi -v $VERSION "CI Build"
+    debuild --no-lintian --preserve-envvar CI --preserve-envvar CC \
+        --preserve-envvar QUBES_OPTION
 else
     meson build
     ninja -C build

contrib/debian/compat

@@ -0,0 +1 @@
+12

contrib/debian/control

@@ -0,0 +1,69 @@
+Source: fwupd-efi
+Priority: optional
+Maintainer: Debian EFI <[email protected]>
+Uploaders: Steve McIntyre <[email protected]>,
+           Matthias Klumpp <[email protected]>,
+           Mario Limonciello <[email protected]>
+Build-Depends: gnu-efi [amd64 arm64 armhf i386],
+               meson,
+               mingw-w64-tools [amd64 arm64 armhf i386],
+Standards-Version: 4.5.0
+Section: admin
+Homepage: https://github.com/fwupd/fwupd-efi
+Vcs-Git: https://salsa.debian.org/efi-team/fwupd-efi.git
+Vcs-Browser: https://salsa.debian.org/efi-team/fwupd-efi
+
+Package: fwupd-unsigned
+Architecture: amd64 arm64 armhf i386
+Depends: ${misc:Depends},
+         ${shlibs:Depends},
+Recommends: fwupd-signed
+Multi-Arch: foreign
+Description: Firmware update daemon (Unsigned EFI binaries)
+ fwupd is a daemon to allow session software to update device firmware.
+ You can either use a GUI software manager like GNOME Software to view and
+ apply updates, the command-line tool or the system D-Bus interface directly.
+ Firmware updates are supported for a variety of technologies.
+ See <https://github.com/fwupd/fwupd> for details
+ .
+ This package provides the EFI binaries used for UEFI capsule updates
+
+Package: fwupd-unsigned-dev
+Architecture: all
+Depends: fwupd-unsigned (= ${binary:Version})
+Description: Firmware update daemon (Development information)
+ fwupd is a daemon to allow session software to update device firmware.
+ You can either use a GUI software manager like GNOME Software to view and
+ apply updates, the command-line tool or the system D-Bus interface directly.
+ Firmware updates are supported for a variety of technologies.
+ See <https://github.com/fwupd/fwupd> for details
+ .
+ This package provides the dependencies for the fwupd daemon to resolve
+
+Package: fwupd-amd64-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-i386-signed-template
+Architecture: i386
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-armhf-signed-template
+Architecture: armhf
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-arm64-signed-template
+Architecture: arm64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.

contrib/debian/copyright

@@ -0,0 +1,24 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: fwupd-efi
+Source: https://github.com/fwupd/fwupd-efi
+
+Files: debian/*
+Copyright:  2021 Mario Limonciello <[email protected]>
+License: LGPL-2.1+
+
+License: LGPL-2.1+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU Lesser General
+ Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1".

contrib/debian/fwupd-unsigned-dev.install

@@ -0,0 +1 @@
+usr/lib/*/pkgconfig/

contrib/debian/fwupd-unsigned.install

@@ -0,0 +1 @@
+usr/libexec/fwupd/*

contrib/debian/gbp.conf

@@ -0,0 +1,7 @@
+[DEFAULT]
+debian-branch = debian
+upstream-tag = %(version)s
+
+[buildpackage]
+sign-tags = True
+dist = experimental

contrib/debian/gen_signing_changelog

@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# Generate a changelog file for the signed fwupdate package, based on
+# a changelog.in file and other state
+
+DIR=$1
+SOURCE=$2
+ARCH=$3
+IN="${DIR}/changelog.in"
+OUT="${DIR}/changelog"
+
+# Parse out fields from our changelg entry - want the signing-template
+# one to match all the important details where we can
+DISTRIBUTION="$(dpkg-parsechangelog | sed -ne 's/^Distribution: \(.*\)/\1/p')"
+URGENCY="$(dpkg-parsechangelog | sed -ne 's/^Urgency: \(.*\)/\1/p')"
+MAINT="$(dpkg-parsechangelog | sed -ne 's/^Maintainer: \(.*\)/\1/p')"
+DATE="$(dpkg-parsechangelog | sed -ne 's/^Date: \(.*\)/\1/p')"
+
+# If the version ends in "+bXXX", this is a binNMU. We don't want a new
+# source package to look like that, so change it to ".bXXX" instead
+VERSION="$(dpkg-parsechangelog | sed -ne 's/^Version: \(.*\)/\1/p')"
+MANGLED_VERSION="$(echo $VERSION | sed -r 's/-/\+/;s/\+(b[[:digit:]]+)$/.\1/')"
+
+printf "%s-%s-signed (%s) %s; urgency=%s\n" "${SOURCE}" "${ARCH}" "${MANGLED_VERSION}" "${DISTRIBUTION}" "${URGENCY}" > $OUT
+printf "\n" >> $OUT
+printf "  * Update to %s version %s\n" "${SOURCE}" "${VERSION}" >> $OUT
+printf "\n" >> $OUT
+printf " -- %s  %s\n" "${MAINT}" "${DATE}" >> $OUT
+printf "\n" >> $OUT
+
+cat $IN >> $OUT
+rm -f $IN

contrib/debian/gen_signing_json

@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+# Generate a json file to go in the the fwupd-signed template
+# package. Describes exactly what needs to be signed, and how.
+
+DIR=$1
+SOURCE=$2
+ARCH=$3
+OUT="$DIR/files.json"
+
+# What file are we looking to sign?
+BINARY=$(find debian/tmp -name '*.efi' | xargs basename)
+
+# Actually needs full path within the binary deb
+BINARY="usr/libexec/${SOURCE}/efi/${BINARY}"
+
+rm -f $OUT
+
+printf '{\n' >> $OUT
+printf '  "packages": {\n' >> $OUT
+printf '    "%s": {\n' "${SOURCE}" >> $OUT
+printf '      "trusted_certs": [],\n' >> $OUT
+printf '      "files": [ \n' >> $OUT
+printf '        {"sig_type": "efi", "file": "%s"}\n' "${BINARY}" >> $OUT
+printf '      ]\n' >> $OUT
+printf '    }\n' >> $OUT
+printf '  }\n' >> $OUT
+printf '}\n' >> $OUT

contrib/debian/rules

@@ -0,0 +1,72 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+export LC_ALL := C.UTF-8
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_LDFLAGS_MAINT_STRIP=-Wl,-Bsymbolic-functions
+
+CONFARGS =
+
+ifneq ($(CI),)
+	CONFARGS += --werror --wrap-mode=default
+endif
+
+SB_STYLE := debian
+deb_version := $(shell dpkg-parsechangelog --show-field Version)
+ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
+	SB_STYLE := ubuntu
+	tar_name := fwupd_$(deb_version)_$(DEB_HOST_ARCH).tar.gz
+	CONFARGS += -Defi_sbat_distro_id=ubuntu
+	CONFARGS += -Defi_sbat_distro_summary=Ubuntu
+	CONFARGS += -Defi_sbat_distro_pkgname=fwupd
+	CONFARGS += -Defi_sbat_distro_version=$(deb_version)
+	CONFARGS += -Defi_sbat_distro_url="https://launchpad.net/ubuntu/+source/fwupd"
+else
+	TMPLDIR  := debian/fwupd-$(DEB_HOST_ARCH)-signed-template/usr/share/code-signing/fwupd-$(DEB_HOST_ARCH)-signed-template
+	CONFARGS += -Defi_sbat_distro_id=debian
+	CONFARGS += -Defi_sbat_distro_summary=Debian
+	CONFARGS += -Defi_sbat_distro_pkgname=fwupd
+	CONFARGS += -Defi_sbat_distro_version=$(deb_version)
+	CONFARGS += -Defi_sbat_distro_url="https://tracker.debian.org/pkg/fwupd"
+endif
+
+%:
+	dh $@ --with gir
+
+override_dh_auto_clean:
+	rm -fr obj-*
+	rm -fr debian/build
+ifeq (ubuntu,$(SB_STYLE))
+	rm -rf debian/fwupd-images
+endif
+
+override_dh_auto_configure:
+	dh_auto_configure -- $(CONFARGS)
+
+override_dh_install:
+	dh_install
+ifeq (debian,$(SB_STYLE))
+	# Generate the template source for the Debian signing service to use
+	mkdir -p $(TMPLDIR)/source-template/debian
+	cp -a debian/signing-template/* $(TMPLDIR)/source-template/debian
+	find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNARCH,$(DEB_HOST_ARCH),"
+	find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNVERSION,$(deb_version),"
+	set -e; for file in $$(find $(TMPLDIR)/source-template/debian -type f -name '*SIGNARCH*'); do \
+		file1=$$(echo $$file | sed "s,SIGNARCH,$(DEB_HOST_ARCH),"); \
+		mv -v $$file $$file1; \
+	done
+	debian/gen_signing_changelog $(TMPLDIR)/source-template/debian fwupd $(DEB_HOST_ARCH)
+	debian/gen_signing_json $(TMPLDIR) fwupd ${DEB_HOST_ARCH}
+endif
+
+override_dh_builddeb:
+	dh_builddeb
+ifeq (ubuntu,$(SB_STYLE))
+	set -e; if [ -d debian/tmp/usr/libexec/fwupd/efi/ ]; then \
+		mkdir -p debian/fwupd-images/$(deb_version); \
+		cp debian/tmp/usr/libexec/fwupd/efi/fwupd*.efi debian/fwupd-images/$(deb_version); \
+		echo $(deb_version) > debian/fwupd-images/$(deb_version)/version; \
+		tar -C debian/fwupd-images -czvf ../$(tar_name) .; \
+		dpkg-distaddfile $(tar_name) raw-uefi -; \
+	fi
+endif

contrib/debian/signing-template/README.source

@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the fwupd package.  It should never be updated directly.
+
+ -- Steve McIntyre <[email protected]>  Sat, 07 Apr 2018 12:44:55 +0100

contrib/debian/signing-template/changelog.in

@@ -0,0 +1,5 @@
+fwupd-SIGNARCH-signed (1) unstable; urgency=medium
+
+  * Add template source package for signing
+
+ -- Steve McIntyre <[email protected]>  Sat, 07 Apr 2018 12:44:55 +0100

contrib/debian/signing-template/compat

@@ -0,0 +1 @@
+9

contrib/debian/signing-template/control

@@ -0,0 +1,27 @@
+Source: fwupd-SIGNARCH-signed
+Priority: optional
+Maintainer: Debian EFI <[email protected]>
+Uploaders: Steve McIntyre <[email protected]>,
+           Matthias Klumpp <[email protected]>,
+           Mario Limonciello <[email protected]>
+Build-Depends: debhelper (>= 9.0.0), sbsigntool [amd64 arm64 armhf i386], fwupd-unsigned (= SIGNVERSION) [SIGNARCH]
+Standards-Version: 4.5.0
+Section: libs
+Homepage: https://github.com/fwupd/fwupd
+Vcs-Git: https://salsa.debian.org/efi-team/fwupd.git
+Vcs-Browser: https://salsa.debian.org/efi-team/fwupd
+
+Package: fwupd-SIGNARCH-signed
+Section: admin
+Architecture: SIGNARCH
+Provides: fwupd-signed
+Depends: ${shlibs:Depends}, ${misc:Depends}, fwupd (= SIGNVERSION)
+Built-Using: fwupd (= SIGNVERSION)
+Description: Tools to manage UEFI firmware updates (signed)
+ fwupd provides functionality to update system firmware. It has been
+ initially designed to update firmware using UEFI capsule updates, but
+ it is designed to be extensible to other firmware update standards.
+ .
+ This package contains just the signed version of the fwupd binary,
+ needed if your system has UEFI Secure Boot enabled. It depends on the
+ normal fwupd package for everything else.

contrib/debian/signing-template/copyright

@@ -0,0 +1,33 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: fwupd
+Source: https://github.com/fwupd/fwupd
+
+Files: *
+Copyright: 2015 Richard Hughes <[email protected]>
+License: LGPL-2.1+
+
+Files: data/tests/colorhug/firmware.metainfo.xml
+Copyright: 2015 Richard Hughes <[email protected]>
+License: CC0-1.0
+
+Files: debian/*
+Copyright: 2015 Daniel Jared Dominguez <[email protected]>
+           2015 Mario Limonciello <[email protected]>
+License: LGPL-2.1+
+
+License: LGPL-2.1+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU Lesser General
+ Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1".

contrib/debian/signing-template/fwupd-SIGNARCH-signed.install

@@ -0,0 +1 @@
+*.efi.signed /usr/libexec/fwupd/efi

contrib/debian/signing-template/rules

@@ -0,0 +1,15 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+PACKAGE_NAME  := fwupd
+SIG_PKG_NAME  := fwupd-SIGNARCH-signed
+SIGNATURE_DIR := debian/signatures/$(PACKAGE_NAME)
+BINARY        := $(shell find /usr/libexec/fwupd/efi -name '*.efi' | xargs basename)
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	cp /usr/libexec/fwupd/efi/$(BINARY) .
+	sbattach --attach $(SIGNATURE_DIR)/usr/libexec/fwupd/efi/$(BINARY).sig $(BINARY)
+	mv $(BINARY) $(BINARY).signed

contrib/debian/signing-template/source/format

@@ -0,0 +1 @@
+3.0 (native)

contrib/debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

contrib/debian/source/lintian-overrides

@@ -0,0 +1,2 @@
+#github doesn't have these
+fwupd-efi source: debian-watch-does-not-check-gpg-signature

contrib/debian/source/options

@@ -0,0 +1 @@
+extend-diff-ignore=".vscode"

contrib/debian/watch

@@ -0,0 +1,6 @@
+# You can run the "uscan" command to check for upstream updates and more.
+# See uscan(1) for format
+
+version=3
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/fwupd-efi-$1\.tar\.gz/ \
+https://github.com/fwupd/fwupd-efi/tags .*/v?(\d\S*)\.tar\.gz