[RFC PATCH 1/3] Define a new debhelper dh_installfile-sigs and postinst autoscript
This patch defines a debhelper dh_installfile-sigs and autoscript
postinst-file-sigs to install the ELF file and script signatures
stored in the sha256sums file.
---
autoscripts/postinst-file-sigs | 17 ++++++++++++++++
dh | 1 +
dh_installfile-sigs | 46 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 64 insertions(+)
create mode 100644 autoscripts/postinst-file-sigs
create mode 100755 dh_installfile-sigs
diff --git a/autoscripts/postinst-file-sigs b/autoscripts/postinst-file-sigs
new file mode 100644
index 0000000..8430d0b
--- /dev/null
+++ b/autoscripts/postinst-file-sigs
@@ -0,0 +1,17 @@
+file=$(dpkg-query --control-path #PACKAGE# sha256sums)
+if [ "$1" = "configure" ]; then
+ if [ -e "${file}" ]; then
+ while read -r line; do
+ fn=$(echo "${line}" | awk '{print $2}')
+ sig=$(echo "${line}" | awk '{print $3}')
+ if [ ! -n "$sig" ]; then
+ continue;
+ fi
+
+ file --brief $fn | grep -e 'ELF' -e 'script' > /dev/null
+ if [ $? -eq 0 ]; then
+ setfattr -n 'security.ima' -v 0x$sig $fn
+ fi
+ done < "${file}"
+ fi
+fi
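Review bot: `$fn` and `$sig` are expanded unquoted on the `file --brief $fn` and `setfattr` lines, and both come from whitespace-splitting a line of the sha256sums file with awk, so a path containing spaces or glob characters is truncated or expanded and the xattr may be applied to a file other than the one that was signed. Quote both and fold the test into the condition: `if file --brief "$fn" | grep -q -e 'ELF' -e 'script'; then` followed by `setfattr -n 'security.ima' -v "0x$sig" "$fn"`. Testing the pipeline inside `if` also avoids aborting the postinst on the first non-matching file if the generated script runs under `set -e`, as maintainer scripts commonly do (not visible here). `$sig` reaches setfattr without a check that it is hex, and a setfattr failure is not reported, so a file can silently end up without `security.ima`; a guard such as `case "$sig" in *[!0-9a-fA-F]*) continue ;; esac` plus an explicit error message would make that visible.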
diff --git a/dh b/dh
index f3bd321..4f80f75 100755
--- a/dh
+++ b/dh
@@ -373,6 +373,7 @@ my @i = qw{
dh_installifupdown
dh_installinfo
dh_installinit
+ dh_installfile-sigs
dh_installmenu
dh_installmime
dh_installmodules
diff --git a/dh_installfile-sigs b/dh_installfile-sigs
new file mode 100755
index 0000000..200932d
--- /dev/null
+++ b/dh_installfile-sigs
@@ -0,0 +1,46 @@
+#!/usr/bin/perl -w
+
+=head1 NAME
+
+dh_installfile-sigs - install file signatures in the DEBIAN/sha256sums file as xattrs
+
+=cut
+
+use strict;
+use Cwd;
+use Debian::Debhelper::Dh_Lib;
+
+=head1 SYNOPSIS
+
+B<dh_installfile-sigs>
+
+=head1 DESCRIPTION
+
+B<dh_installfile-sigs> is a debhelper program that is responsible for automatically
+generating the F<postinst> commands needed to install file signatures contained in
+the F<DEBIAN/sha256sums> file. These commands are inserted into the maintainer
+scripts by L<dh_installdeb(1)>.
+
+=cut
+
+init();
+
+foreach my $package (@{$dh{DOPACKAGES}}) {
+
+ if (! $dh{NOSCRIPTS}) {
+ autoscript($package,"postinst","postinst-file-sigs","s!#PACKAGE#!$package!g");
+ }
+}
+
+
+=head1 SEE ALSO
+
+L<debhelper(7)>
+
+This program is a part of debhelper.
+
+=head1 AUTHOR
+
+Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+=cut
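Review bot: The loop registers the postinst snippet for every package in `$dh{DOPACKAGES}` without adding a dependency on the tools that the snippet runs at install time (`setfattr`, `file`, `awk`), and nothing visible in this patch adds one elsewhere. If those tools are absent on the target system, the signatures are either not applied or the postinst fails, so consider adding next to the `autoscript` call something like `addsubstvar($package, "misc:Depends", "attr");` (and likewise for `file`), with the package names confirmed. Smaller points: `use Cwd;` is not used in the visible code, and `use warnings;` is preferable to `-w` on the shebang line.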
--
1.8.1.4