diff --git a/.gitignore b/.gitignore
index 2093be0..a869650 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,10 @@
 build/
 venv/
 .vscode
+fwupd*.build
+*.gz
+*.changes
+*.deb
+*.xz
+*.dsc
+*.buildinfo
diff --git a/contrib/ci.sh b/contrib/ci.sh
index 8868ed2..4842116 100755
--- a/contrib/ci.sh
+++ b/contrib/ci.sh
@@ -1,4 +1,9 @@
-#!/bin/sh -e
+#!/bin/bash
+set -e
+set -x
+shopt -s extglob
+rm -rf build/
+
 if [ "$OS" = "fedora" ]; then
 meson build
 VERSION=`meson introspect build --projectinfo | jq -r .version`
@@ -18,6 +23,19 @@ if [ "$OS" = "fedora" ]; then
 rpmbuild -ba build/fwupd-efi.spec
 mkdir -p dist
 cp $HOME/rpmbuild/RPMS/*/*.rpm dist
+elif [ "$OS" = "debian-x86_64" ] || [ "$OS" = "debian-i386" ]; then
+ export DEBFULLNAME="CI Builder"
+ export DEBEMAIL="ci@travis-ci.org"
+ VERSION=`head meson.build | grep ' version :' | cut -d \' -f2`
+ mkdir -p build
+ cp -lR !(build|dist|venv) build/
+ pushd build
+ mv contrib/debian .
+ sed s/quilt/native/ debian/source/format -i
+ #build the package
+ EDITOR=/bin/true dch --create --package fwupd-efi -v $VERSION "CI Build"
+ debuild --no-lintian --preserve-envvar CI --preserve-envvar CC \
+ --preserve-envvar QUBES_OPTION
 else
 meson build
 ninja -C build
diff --git a/contrib/debian/compat b/contrib/debian/compat
new file mode 100644
index 0000000..48082f7
--- /dev/null
+++ b/contrib/debian/compat
@@ -0,0 +1 @@
+12
diff --git a/contrib/debian/control b/contrib/debian/control
new file mode 100644
index 0000000..6360bce
--- /dev/null
+++ b/contrib/debian/control
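Review bot: `VERSION` in the Debian branch of contrib/ci.sh comes from a `head | grep | cut` pipeline and is then passed unquoted to `dch -v $VERSION "CI Build"`. If the grep matches nothing, the pipeline still succeeds under plain `set -e`, and `dch` takes `CI Build` as the version. Adding `set -o pipefail` beside `set -e` in the first hunk and writing `-v "$VERSION"`, with a `[ -n "$VERSION" ]` check before it, makes that case fail loudly. `pushd build` has no matching `popd` in the visible lines, so whatever follows the `fi` outside this hunk would run from `build/`; worth confirming that is intended.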
@@ -0,0 +1,69 @@
+Source: fwupd-efi
+Priority: optional
+Maintainer: Debian EFI
+Uploaders: Steve McIntyre <93sam@debian.org>,
+ Matthias Klumpp ,
+ Mario Limonciello
+Build-Depends: gnu-efi [amd64 arm64 armhf i386],
+ meson,
+ mingw-w64-tools [amd64 arm64 armhf i386],
+Standards-Version: 4.5.0
+Section: admin
+Homepage: https://github.com/fwupd/fwupd-efi
+Vcs-Git: https://salsa.debian.org/efi-team/fwupd-efi.git
+Vcs-Browser: https://salsa.debian.org/efi-team/fwupd-efi
+
+Package: fwupd-unsigned
+Architecture: amd64 arm64 armhf i386
+Depends: ${misc:Depends},
+ ${shlibs:Depends},
+Recommends: fwupd-signed
+Multi-Arch: foreign
+Description: Firmware update daemon (Unsigned EFI binaries)
+ fwupd is a daemon to allow session software to update device firmware.
+ You can either use a GUI software manager like GNOME Software to view and
+ apply updates, the command-line tool or the system D-Bus interface directly.
+ Firmware updates are supported for a variety of technologies.
+ See for details
+ .
+ This package provides the EFI binaries used for UEFI capsule updates
+
+Package: fwupd-unsigned-dev
+Architecture: all
+Depends: fwupd-unsigned (= ${binary:Version})
+Description: Firmware update daemon (Development information)
+ fwupd is a daemon to allow session software to update device firmware.
+ You can either use a GUI software manager like GNOME Software to view and
+ apply updates, the command-line tool or the system D-Bus interface directly.
+ Firmware updates are supported for a variety of technologies.
+ See for details
+ .
+ This package provides the dependencies for the fwupd daemon to resolve
+
+Package: fwupd-amd64-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-i386-signed-template
+Architecture: i386
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-armhf-signed-template
+Architecture: armhf
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-arm64-signed-template
+Architecture: arm64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
diff --git a/contrib/debian/copyright b/contrib/debian/copyright
new file mode 100644
index 0000000..1f86d54
--- /dev/null
+++ b/contrib/debian/copyright
@@ -0,0 +1,24 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: fwupd-efi
+Source: https://github.com/fwupd/fwupd-efi
+
+Files: debian/*
+Copyright: 2021 Mario Limonciello
+License: LGPL-2.1+
+
+License: LGPL-2.1+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see
+ .
+ On Debian systems, the complete text of the GNU Lesser General
+ Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1".
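Review bot: `Build-Depends` in contrib/debian/control lists only gnu-efi, meson and mingw-w64-tools, yet `contrib/debian/compat` in this commit sets level 12 and `contrib/debian/rules` runs `dh $@ --with gir`. In a clean build chroot neither debhelper nor the package providing the gir addon (gobject-introspection, as far as I know) would be installed, so the build would stop before configure. I would add `debhelper (>= 12),` to the list and either add the gir provider or drop `--with gir` from rules, since nothing visible in this commit builds introspection data.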
diff --git a/contrib/debian/fwupd-unsigned-dev.install b/contrib/debian/fwupd-unsigned-dev.install
new file mode 100644
index 0000000..fd653c1
--- /dev/null
+++ b/contrib/debian/fwupd-unsigned-dev.install
@@ -0,0 +1 @@
+usr/lib/*/pkgconfig/
diff --git a/contrib/debian/fwupd-unsigned.install b/contrib/debian/fwupd-unsigned.install
new file mode 100644
index 0000000..77b7ead
--- /dev/null
+++ b/contrib/debian/fwupd-unsigned.install
@@ -0,0 +1 @@
+usr/libexec/fwupd/*
diff --git a/contrib/debian/gbp.conf b/contrib/debian/gbp.conf
new file mode 100644
index 0000000..980ac86
--- /dev/null
+++ b/contrib/debian/gbp.conf
@@ -0,0 +1,7 @@
+[DEFAULT]
+debian-branch = debian
+upstream-tag = %(version)s
+
+[buildpackage]
+sign-tags = True
+dist = experimental
diff --git a/contrib/debian/gen_signing_changelog b/contrib/debian/gen_signing_changelog
new file mode 100755
index 0000000..d6f132d
--- /dev/null
+++ b/contrib/debian/gen_signing_changelog
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# Generate a changelog file for the signed fwupdate package, based on
+# a changelog.in file and other state
+
+DIR=$1
+SOURCE=$2
+ARCH=$3
+IN="${DIR}/changelog.in"
+OUT="${DIR}/changelog"
+
+# Parse out fields from our changelg entry - want the signing-template
+# one to match all the important details where we can
+DISTRIBUTION="$(dpkg-parsechangelog | sed -ne 's/^Distribution: \(.*\)/\1/p')"
+URGENCY="$(dpkg-parsechangelog | sed -ne 's/^Urgency: \(.*\)/\1/p')"
+MAINT="$(dpkg-parsechangelog | sed -ne 's/^Maintainer: \(.*\)/\1/p')"
+DATE="$(dpkg-parsechangelog | sed -ne 's/^Date: \(.*\)/\1/p')"
+
+# If the version ends in "+bXXX", this is a binNMU. We don't want a new
+# source package to look like that, so change it to ".bXXX" instead
+VERSION="$(dpkg-parsechangelog | sed -ne 's/^Version: \(.*\)/\1/p')"
+MANGLED_VERSION="$(echo $VERSION | sed -r 's/-/\+/;s/\+(b[[:digit:]]+)$/.\1/')"
+
+printf "%s-%s-signed (%s) %s; urgency=%s\n" "${SOURCE}" "${ARCH}" "${MANGLED_VERSION}" "${DISTRIBUTION}" "${URGENCY}" > $OUT
+printf "\n" >> $OUT
+printf " * Update to %s version %s\n" "${SOURCE}" "${VERSION}" >> $OUT
+printf "\n" >> $OUT
+printf " -- %s %s\n" "${MAINT}" "${DATE}" >> $OUT
+printf "\n" >> $OUT
+
+cat $IN >> $OUT
+rm -f $IN
diff --git a/contrib/debian/gen_signing_json b/contrib/debian/gen_signing_json
new file mode 100755
index 0000000..6105e97
--- /dev/null
+++ b/contrib/debian/gen_signing_json
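Review bot: Nothing in gen_signing_changelog stops on failure: there is no `set -e`, and each field comes from a `dpkg-parsechangelog | sed` pipeline whose result is never checked. A failed parse therefore still writes a changelog with empty version and distribution fields into the signing template. I would add `set -eu` after the header comment and a guard such as `[ -n "$VERSION" ] || exit 1` before the first `printf`. `$OUT` and `$IN` are also expanded unquoted in the redirections and in `cat $IN >> $OUT` / `rm -f $IN`; writing `"$OUT"` and `"$IN"` keeps a `DIR` containing spaces from splitting.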
@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+# Generate a json file to go in the the fwupd-signed template
+# package. Describes exactly what needs to be signed, and how.
+
+DIR=$1
+SOURCE=$2
+ARCH=$3
+OUT="$DIR/files.json"
+
+# What file are we looking to sign?
+BINARY=$(find debian/tmp -name '*.efi' | xargs basename)
+
+# Actually needs full path within the binary deb
+BINARY="usr/libexec/${SOURCE}/efi/${BINARY}"
+
+rm -f $OUT
+
+printf '{\n' >> $OUT
+printf ' "packages": {\n' >> $OUT
+printf ' "%s": {\n' "${SOURCE}" >> $OUT
+printf ' "trusted_certs": [],\n' >> $OUT
+printf ' "files": [ \n' >> $OUT
+printf ' {"sig_type": "efi", "file": "%s"}\n' "${BINARY}" >> $OUT
+printf ' ]\n' >> $OUT
+printf ' }\n' >> $OUT
+printf ' }\n' >> $OUT
+printf '}\n' >> $OUT
diff --git a/contrib/debian/rules b/contrib/debian/rules
new file mode 100755
index 0000000..b13430e
--- /dev/null
+++ b/contrib/debian/rules
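Review bot: The `BINARY=$(find debian/tmp -name '*.efi' | xargs basename)` line in gen_signing_json assumes exactly one match, and nothing checks it. With no match the script still writes a `files.json` whose `file` entry is only the directory prefix. With two matches `basename` treats the second path as a suffix argument and silently keeps the first name, so the manifest handed to the signing service can name the wrong file. I would fail the build unless exactly one `.efi` is found, as in the block below, which has to come after the `DIR`/`SOURCE`/`ARCH` assignments because it reuses the positional parameters. The same `find … | xargs basename` pattern is in the `BINARY :=` line of contrib/debian/signing-template/rules and deserves the same guard.

```shell
# … unchanged: DIR/SOURCE/ARCH/OUT assignments …

# What file are we looking to sign? Exactly one is expected.
set -- $(find debian/tmp -name '*.efi')
if [ "$#" -ne 1 ]; then
    echo "gen_signing_json: expected one .efi under debian/tmp, found $#" >&2
    exit 1
fi
BINARY=$(basename "$1")

# … unchanged: path prefix and printf lines …
```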
@@ -0,0 +1,72 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+export LC_ALL := C.UTF-8
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_LDFLAGS_MAINT_STRIP=-Wl,-Bsymbolic-functions
+
+CONFARGS =
+
+ifneq ($(CI),)
+ CONFARGS += --werror --wrap-mode=default
+endif
+
+SB_STYLE := debian
+deb_version := $(shell dpkg-parsechangelog --show-field Version)
+ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
+ SB_STYLE := ubuntu
+ tar_name := fwupd_$(deb_version)_$(DEB_HOST_ARCH).tar.gz
+ CONFARGS += -Defi_sbat_distro_id=ubuntu
+ CONFARGS += -Defi_sbat_distro_summary=Ubuntu
+ CONFARGS += -Defi_sbat_distro_pkgname=fwupd
+ CONFARGS += -Defi_sbat_distro_version=$(deb_version)
+ CONFARGS += -Defi_sbat_distro_url="https://launchpad.net/ubuntu/+source/fwupd"
+else
+ TMPLDIR := debian/fwupd-$(DEB_HOST_ARCH)-signed-template/usr/share/code-signing/fwupd-$(DEB_HOST_ARCH)-signed-template
+ CONFARGS += -Defi_sbat_distro_id=debian
+ CONFARGS += -Defi_sbat_distro_summary=Debian
+ CONFARGS += -Defi_sbat_distro_pkgname=fwupd
+ CONFARGS += -Defi_sbat_distro_version=$(deb_version)
+ CONFARGS += -Defi_sbat_distro_url="https://tracker.debian.org/pkg/fwupd"
+endif
+
+%:
+ dh $@ --with gir
+
+override_dh_auto_clean:
+ rm -fr obj-*
+ rm -fr debian/build
+ifeq (ubuntu,$(SB_STYLE))
+ rm -rf debian/fwupd-images
+endif
+
+override_dh_auto_configure:
+ dh_auto_configure -- $(CONFARGS)
+
+override_dh_install:
+ dh_install
+ifeq (debian,$(SB_STYLE))
+ # Generate the template source for the Debian signing service to use
+ mkdir -p $(TMPLDIR)/source-template/debian
+ cp -a debian/signing-template/* $(TMPLDIR)/source-template/debian
+ find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNARCH,$(DEB_HOST_ARCH),"
+ find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNVERSION,$(deb_version),"
+ set -e; for file in $$(find $(TMPLDIR)/source-template/debian -type f -name '*SIGNARCH*'); do \
+ file1=$$(echo $$file | sed "s,SIGNARCH,$(DEB_HOST_ARCH),"); \
+ mv -v $$file $$file1; \
+ done
+ debian/gen_signing_changelog $(TMPLDIR)/source-template/debian fwupd $(DEB_HOST_ARCH)
+ debian/gen_signing_json $(TMPLDIR) fwupd ${DEB_HOST_ARCH}
+endif
+
+override_dh_builddeb:
+ dh_builddeb
+ifeq (ubuntu,$(SB_STYLE))
+ set -e; if [ -d debian/tmp/usr/libexec/fwupd/efi/ ]; then \
+ mkdir -p debian/fwupd-images/$(deb_version); \
+ cp debian/tmp/usr/libexec/fwupd/efi/fwupd*.efi debian/fwupd-images/$(deb_version); \
+ echo $(deb_version) > debian/fwupd-images/$(deb_version)/version; \
+ tar -C debian/fwupd-images -czvf ../$(tar_name) .; \
+ dpkg-distaddfile $(tar_name) raw-uefi -; \
+ fi
+endif
diff --git a/contrib/debian/signing-template/README.source b/contrib/debian/signing-template/README.source
new file mode 100644
index 0000000..36fb03e
--- /dev/null
+++ b/contrib/debian/signing-template/README.source
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the fwupd package. It should never be updated directly.
+
+ -- Steve McIntyre <93sam@debian.org> Sat, 07 Apr 2018 12:44:55 +0100
diff --git a/contrib/debian/signing-template/changelog.in b/contrib/debian/signing-template/changelog.in
new file mode 100644
index 0000000..188ab79
--- /dev/null
+++ b/contrib/debian/signing-template/changelog.in
@@ -0,0 +1,5 @@
+fwupd-SIGNARCH-signed (1) unstable; urgency=medium
+
+ * Add template source package for signing
+
+ -- Steve McIntyre <93sam@debian.org> Sat, 07 Apr 2018 12:44:55 +0100
diff --git a/contrib/debian/signing-template/compat b/contrib/debian/signing-template/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/contrib/debian/signing-template/compat
@@ -0,0 +1 @@
+9
diff --git a/contrib/debian/signing-template/control b/contrib/debian/signing-template/control
new file mode 100644
index 0000000..ad0a80f
--- /dev/null
+++ b/contrib/debian/signing-template/control
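Review bot: `DEB_HOST_ARCH` is used in `tar_name`, `TMPLDIR` and both generator calls in contrib/debian/rules but is never defined in the file, so it has a value only when the caller exports it (dpkg-buildpackage does; a direct `debian/rules` run does not). With it empty, `TMPLDIR` resolves to `debian/fwupd--signed-template/...`, which matches none of the template packages declared in control, and the signing template would be generated in the wrong place. Adding `include /usr/share/dpkg/architecture.mk` near the top removes that dependency on the environment. Separately, `gen_signing_json` is called with `fwupd`, while the package that installs `usr/libexec/fwupd/*` in this commit is `fwupd-unsigned`; if the signing service keys `files.json` on the binary package name, that argument needs to change, so it is worth confirming.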
@@ -0,0 +1,27 @@
+Source: fwupd-SIGNARCH-signed
+Priority: optional
+Maintainer: Debian EFI
+Uploaders: Steve McIntyre <93sam@debian.org>,
+ Matthias Klumpp ,
+ Mario Limonciello
+Build-Depends: debhelper (>= 9.0.0), sbsigntool [amd64 arm64 armhf i386], fwupd-unsigned (= SIGNVERSION) [SIGNARCH]
+Standards-Version: 4.5.0
+Section: libs
+Homepage: https://github.com/fwupd/fwupd
+Vcs-Git: https://salsa.debian.org/efi-team/fwupd.git
+Vcs-Browser: https://salsa.debian.org/efi-team/fwupd
+
+Package: fwupd-SIGNARCH-signed
+Section: admin
+Architecture: SIGNARCH
+Provides: fwupd-signed
+Depends: ${shlibs:Depends}, ${misc:Depends}, fwupd (= SIGNVERSION)
+Built-Using: fwupd (= SIGNVERSION)
+Description: Tools to manage UEFI firmware updates (signed)
+ fwupd provides functionality to update system firmware. It has been
+ initially designed to update firmware using UEFI capsule updates, but
+ it is designed to be extensible to other firmware update standards.
+ .
+ This package contains just the signed version of the fwupd binary,
+ needed if your system has UEFI Secure Boot enabled. It depends on the
+ normal fwupd package for everything else.
diff --git a/contrib/debian/signing-template/copyright b/contrib/debian/signing-template/copyright
new file mode 100644
index 0000000..b684e6a
--- /dev/null
+++ b/contrib/debian/signing-template/copyright
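Review bot: `Depends: fwupd (= SIGNVERSION)` and `Built-Using: fwupd (= SIGNVERSION)` in signing-template/control pin the fwupd package to the version that contrib/debian/rules substitutes from this source's own changelog, i.e. the fwupd-efi version. Unless fwupd and fwupd-efi are always released with identical version strings, the signed package would be uninstallable, and `Built-Using` would name a source that did not produce the binary. `Build-Depends` already pins `fwupd-unsigned (= SIGNVERSION)`; I would write `Built-Using: fwupd-efi (= SIGNVERSION)` and relax or drop the exact-version `Depends` on fwupd. `Homepage` and the `Vcs-*` fields also still point at fwupd rather than fwupd-efi.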
@@ -0,0 +1,33 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: fwupd
+Source: https://github.com/fwupd/fwupd
+
+Files: *
+Copyright: 2015 Richard Hughes
+License: LGPL-2.1+
+
+Files: data/tests/colorhug/firmware.metainfo.xml
+Copyright: 2015 Richard Hughes
+License: CC0-1.0
+
+Files: debian/*
+Copyright: 2015 Daniel Jared Dominguez
+ 2015 Mario Limonciello
+License: LGPL-2.1+
+
+License: LGPL-2.1+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see
+ .
+ On Debian systems, the complete text of the GNU Lesser General
+ Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1".
diff --git a/contrib/debian/signing-template/fwupd-SIGNARCH-signed.install b/contrib/debian/signing-template/fwupd-SIGNARCH-signed.install
new file mode 100644
index 0000000..d113c93
--- /dev/null
+++ b/contrib/debian/signing-template/fwupd-SIGNARCH-signed.install
@@ -0,0 +1 @@
+*.efi.signed /usr/libexec/fwupd/efi
diff --git a/contrib/debian/signing-template/rules b/contrib/debian/signing-template/rules
new file mode 100755
index 0000000..252939f
--- /dev/null
+++ b/contrib/debian/signing-template/rules
@@ -0,0 +1,15 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+PACKAGE_NAME := fwupd
+SIG_PKG_NAME := fwupd-SIGNARCH-signed
+SIGNATURE_DIR := debian/signatures/$(PACKAGE_NAME)
+BINARY := $(shell find /usr/libexec/fwupd/efi -name '*.efi' | xargs basename)
+
+%:
+ dh $@
+
+override_dh_auto_build:
+ cp /usr/libexec/fwupd/efi/$(BINARY) .
+ sbattach --attach $(SIGNATURE_DIR)/usr/libexec/fwupd/efi/$(BINARY).sig $(BINARY)
+ mv $(BINARY) $(BINARY).signed
diff --git a/contrib/debian/signing-template/source/format b/contrib/debian/signing-template/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/contrib/debian/signing-template/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/contrib/debian/source/format b/contrib/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/contrib/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/contrib/debian/source/lintian-overrides b/contrib/debian/source/lintian-overrides
new file mode 100644
index 0000000..c56de29
--- /dev/null
+++ b/contrib/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+#github doesn't have these
+fwupd-efi source: debian-watch-does-not-check-gpg-signature
diff --git a/contrib/debian/source/options b/contrib/debian/source/options
new file mode 100644
index 0000000..fe6161a
--- /dev/null
+++ b/contrib/debian/source/options
@@ -0,0 +1 @@
+extend-diff-ignore=".vscode"
diff --git a/contrib/debian/watch b/contrib/debian/watch
new file mode 100644
index 0000000..dc8642b
--- /dev/null
+++ b/contrib/debian/watch
@@ -0,0 +1,6 @@
+# You can run the "uscan" command to check for upstream updates and more.
+# See uscan(1) for format
+
+version=3
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/fwupd-efi-$1\.tar\.gz/ \
+https://github.com/fwupd/fwupd-efi/tags .*/v?(\d\S*)\.tar\.gz