Bug#1089433: shim-helpers-arm64-signed: Supporting rootless builds by default
- To: Niels Thykier <niels@thykier.net>, 1089433@bugs.debian.org
- Subject: Bug#1089433: shim-helpers-arm64-signed: Supporting rootless builds by default
- From: Emanuele Rocca <ema@debian.org>
- Date: Fri, 11 Apr 2025 21:11:38 +0200
- Message-id: <Z_lpahQ06PzkQ-fe@ariel.home>
- Reply-to: Emanuele Rocca <ema@debian.org>, 1089433@bugs.debian.org
- In-reply-to: <d72649da-a42f-4668-a0de-73b85def475c@thykier.net>
- References: <0faa5cdf-e4fe-4bcd-9072-4552815400e4@thykier.net> <0faa5cdf-e4fe-4bcd-9072-4552815400e4@thykier.net> <0faa5cdf-e4fe-4bcd-9072-4552815400e4@thykier.net> <d72649da-a42f-4668-a0de-73b85def475c@thykier.net> <0faa5cdf-e4fe-4bcd-9072-4552815400e4@thykier.net>
Hello Niels,

On 2024-12-28 01:06, Niels Thykier wrote:
> Please review attached as an example of how to fix this problem.
>
> Note: Untested, since I was doing my testing on amd64.

LGTM. I applied your patch and built the package with a regular user as
follows:

$ dpkg-buildpackage -us -uc -b -rfakeroot

The signed files in the resulting binary have the right user, group, and
permissions:

$ dpkg --contents shim-helpers-arm64-signed_1+15.8+1+nmu1_arm64.deb | grep -F .signed
-rw-r--r-- root/root 90752 2024-12-28 12:03 ./usr/lib/shim/fbaa64.efi.signed
-rw-r--r-- root/root 887472 2024-12-28 12:03 ./usr/lib/shim/mmaa64.efi.signed

As far as I understand though, the shim-helpers-arm64-signed source
package is generated by shim. I think the file we want to change is
debian/signing-template/rules in the shim sources. Ditto for
debian/signing-template/control.in.

See attached patch.

diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in
index 9d75d92..3d02823 100644
--- a/debian/signing-template/control.in
+++ b/debian/signing-template/control.in
@@ -2,6 +2,7 @@ Source: shim-helpers-@arch@-signed
Section: admin
Priority: optional
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
+Rules-Requires-Root: no
Standards-Version: 4.3.0
Build-Depends: debhelper (>= 10.1~),
sbsigntool [amd64 arm64 i386],
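Review bot: The added Rules-Requires-Root: no sits in a template that is instantiated for every shim-helpers-@arch@-signed package, and the Build-Depends context lists amd64, arm64 and i386, while the build reported in this message covers arm64 only. A rootless build of the other generated packages would be worth confirming before this lands. The field is also only correct together with the rules change that drops -o 0 -g 0 from the install calls, so both edits should go in as a single commit, and it is worth checking that the debhelper (>= 10.1~) lower bound shown here is new enough to handle rootless builds.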
diff --git a/debian/signing-template/rules b/debian/signing-template/rules
index a972e7d..f034f83 100755
--- a/debian/signing-template/rules
+++ b/debian/signing-template/rules
@@ -9,8 +9,8 @@ override_dh_auto_install:
set -e ; \
find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
while read sig; do \
- install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
- install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
+ install -m 0755 -d "debian/tmp/$${sig%/*}" ; \
+ install -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
done
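Review bot: With -o 0 -g 0 removed from both install lines, the files under debian/tmp are owned by the building user, so root/root ownership of the *.signed files in the final .deb is no longer set in this recipe and depends entirely on the packaging tools normalising it at build time. The dpkg --contents output in the message confirms that for the arm64 build; a short comment above the loop, or a sentence in the commit message, saying that ownership is deliberately left to the tooling would keep a later reader from re-adding the flags. Keeping the explicit -m 0755 and -m 0644 is right, since the modes then do not depend on the builder's umask.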