File: assemble-signed-source.rst

package info (click to toggle)
debusine 0.14.2
  • links: PTS, VCS
  • area: main
  • in suites: forky
  • size: 15,200 kB
  • sloc: python: 195,951; sh: 849; javascript: 335; makefile: 116
file content (52 lines) | stat: -rw-r--r-- 2,491 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
.. task:: AssembleSignedSource

AssembleSignedSource task
-------------------------

This is a worker task that takes :artifact:`debusine:signing-output`
artifacts produced by :task:`Sign` tasks and assembles the resulting source
package.

The ``task_data`` for this task may contain the following keys:

* ``environment`` (:ref:`lookup-single` with default category
  :collection:`debian:environments`, required):
  :artifact:`debian:system-tarball` artifact that will be used to pack the
  source package using the ``unshare`` backend.  ``dpkg-dev`` will be
  installed there if necessary.
* ``template`` (:ref:`lookup-single`, required): a
  :artifact:`debian:binary-package` artifact containing a `source template
  <https://wiki.debian.org/SecureBoot/Discussion#Source_template_inside_a_binary_package>`_
* ``signed`` (:ref:`lookup-multiple`, required): signed
  :artifact:`debusine:signing-output` artifacts matching the template

The task operates as follows:

* It makes a copy of the
  ``/usr/share/code-signing/$binary_package_name/source-template/``
  directory from the template binary package.
* It checks that ``debian/source/format`` is exactly ``3.0 (native)`` and
  that neither ``debian/source/options`` nor ``debian/source/local-options``
  exists.
* It checks that ``files.json`` uses only relative paths with no ``..``
  components.
* For each package name and file name in the template's ``files.json``, it
  finds the corresponding file in the signed artifacts and copies it into
  ``debian/signatures/$package/$file.sig``.  For this to work, the names of
  the files in the :artifact:`debusine:signing-input` and
  :artifact:`debusine:signing-output` artifacts must be composed of the
  binary package name, followed by ``/``, followed by the path in the
  corresponding ``file`` key in ``files.json``.
* It packs the resulting assembled source package using ``dpkg-source -b``,
  and makes a suitable ``.changes`` file for it using ``dpkg-genchanges``.

The task computes dynamic metadata as:

.. dynamic_data::
  :method: debusine.tasks.assemble_signed_source::AssembleSignedSource.build_dynamic_data

The output will be provided as a :artifact:`debian:source-package` artifact,
with a ``built-using`` relationship to the :artifact:`debian:binary-package`
artifacts that were related to the :artifact:`input to the Sign task
<debusine:signing-input>`, and a :artifact:`debian:upload` artifact
containing that source package and the corresponding ``.changes`` file.