On Tue, 2016-11-29 at 12:23 -0200, Helen Koike wrote:
>
> On 2016-11-20 09:27 AM, Ben Hutchings wrote:
> > On Wed, 2016-11-16 at 00:45 -0200, Helen Koike wrote:
> > > Add linux, grub2 and fwupdate to publish their signatures by calling
> > > byhand-code-sign as they are supposed to have a *-signed version
> > >
> > > NOTE: this bypass embargoed updates. The proposed solution for this is by
> > > making dak to publish the *-signed packages automatically, this will be
> > > implemented in incremental basis as we advance to have a base code of the
> > > *-signed packages
> >
> > [...]
> >
> > I missed that discussion so I don't understand how that's supposed to
> > work. Is there a log somewhere?
> >
> > Ben.
> >
>
> Log: http://pastebin.com/bSsUPrrA
OK, so it is only a high-level proposal, not something that we know how
to do. It would presumably require much bigger changes to dak.
So let's instead work out how to publish signatures without revealing
which package they are for. I think the following changes would be
almost sufficient:
1. Directory listing is disabled for the directory containing
signature tarballs.
2. In main source package, debian/rules adds debian/changelog to the
code-sign tarball.
3. Byhand script generates the signature tarball name thus:
OUT_TARBALL="$TARGET/$(sha256sum "$IN_DIR/changelog").tar.xz"
4. In signed source package, preparation script takes main source
package's changelog as input.
This is not binNMU-safe, so possibly we would need to keep the current
naming for non-security uploads.
Ben.
--
Ben Hutchings
Theory and practice are closer in theory than in practice.
- John Levine, moderator of
comp.compilers
Attachment:
signature.asc
Description: This is a digitally signed message part