Prepare Debian release 0.28.0-1

* Update downstream files * Add Dockerfile to make future downstream packaging easier See doc header for usage details. NOTE: Can't package latest upstream version (0.30.0), because of missing pyca/cryptography version in Debian. Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh · Nov 8, 2023 · 04531c5 · 04531c5
1 parent 88a3df2
commit 04531c5
Show file tree

Hide file tree

Showing 7 changed files with 154 additions and 114 deletions.
diff --git a/debian/Dockerfile b/debian/Dockerfile
@@ -0,0 +1,106 @@
+# Build secureystemslib for Debian on any host
+#
+# Release workflow (with example commands)
+# ----------------
+#
+# 1. Checkout "debian" branch and rebase on upstream release tag
+#
+#        git switch debian && git rebase v0.28.0
+#
+# 2. Update debian/* files, most notably add new entry to debian/changelog
+#
+# 3. Build (requires upstream VERSION as argument)
+#
+#    - Installs dev tools and build dependencies
+#    - Configures gpg + dput to upload to mentors
+#    - Fetches source dist from GitHub
+#    - Builds Debian package
+#
+#        docker build --build-arg VERSION=0.28.0 -t deb-build .
+#
+#    HINT: If the build fails, update debian/* files on host and rebuild.
+#    This might include downstream patching with `quilt`, which is also
+#    available outside of Debian (e.g. via brew on macOS).
+#
+# 4. Run to sign and upload (requires signing key as argument)
+#
+#        docker run --rm -it --name deb-build --entrypoint bash \
+#             --env GPG_KEY="$(gpg --armor --export-secret-key [email protected])" \
+#              deb-build
+#
+# 5. (on container) Import signing key, sign and upload to mentors
+#
+#        echo "$GPG_KEY" | gpg --import
+#        (cd securesystemslib-0.28.0 && debsign -k [email protected])
+#        dput mentors python-securesystemslib_0.28.0-1_arm64.changes
+#
+# 6. (optional) Copy package to host, if needed later as build dependency
+#
+#        docker cp deb-build:/home/build/python3-securesystemslib_0.28.0-1_all.deb .
+#
+# 7. Commit changed Debian files, push/pr into "debian" branch
+#
+FROM debian:sid
+
+# Copy debian files
+COPY . /tmp/debian
+
+# Install developer tools and build dependencies
+RUN apt-get update \
+  && apt-get install --no-install-recommends -yV \
+    build-essential \
+    devscripts \
+    debhelper \
+    equivs \
+    wget \
+    lintian \
+    dput
+
+RUN mk-build-deps \
+    --install \
+    --remove \
+    --tool 'apt-get --no-install-recommends -yV' /tmp/debian/control
+
+# Create user (some build tests related to permission fail as root)
+RUN useradd build --create-home
+USER build
+WORKDIR /home/build
+
+# Configure GPG
+COPY --chown=build:build <<-"EOT" .gnupg/gpg.conf
+use-agent
+pinentry-mode loopback
+EOT
+
+COPY --chown=build:build <<-"EOT" .gnupg/gpg-agent.conf
+allow-loopback-pinentry
+EOT
+
+
+# Configure DPUT
+COPY --chown=build:build <<-"EOT" .dput.cf
+[mentors]
+fqdn = mentors.debian.net
+incoming = /upload
+method = https
+allow_unsigned_uploads = 0
+progress_indicator = 2
+# Allow uploads for UNRELEASED packages
+allowed_distributions = .*
+EOT
+
+# Grab source dist and sig for VERSION from GitHub and prepare for building
+ARG VERSION
+RUN wget https://github.com/secure-systems-lab/securesystemslib/releases/download/v${VERSION}/securesystemslib-${VERSION}.tar.gz \
+          -O python-securesystemslib_${VERSION}.orig.tar.gz
+RUN wget https://github.com/secure-systems-lab/securesystemslib/releases/download/v${VERSION}/securesystemslib-${VERSION}.tar.gz.asc \
+          -O python-securesystemslib_${VERSION}.orig.tar.gz.asc
+RUN tar xf python-securesystemslib_${VERSION}.orig.tar.gz
+RUN cp -r /tmp/debian securesystemslib-${VERSION}
+
+# Build
+RUN cd securesystemslib-${VERSION} && debuild \
+  --unsigned-source \
+  --unsigned-changes \
+  --lintian-opts --display-level ">=pedantic" --display-experimental --tag-display-limit 0
+
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,20 @@
+python-securesystemslib (0.28.0-1) unstable; urgency=medium
+
+  * New upstream release includes among other things:
+    - Signer API improvements
+    - Experimental DSSE implementation
+    - And much more (see upstream CHANGELOG.md)
+
+  * d/control
+    - Change gnupg2 to gnupg (Closes: #1055407)
+  * d/patches
+    - 1 changed
+    - 1 removed
+  * d/Dockerfile
+    - Added Dockerfile used to build this release on macOS
+
+ -- Lukas Puehringer <[email protected]>  Tue, 07 Nov 2023 12:12:00 +0100
+
 python-securesystemslib (0.26.0-1) unstable; urgency=medium
 
   * New upstream release includes among other things:

diff --git a/debian/control b/debian/control
@@ -18,7 +18,7 @@ Build-Depends:
  python3-pykcs11,
  python3-asn1crypto,
  softhsm2,
- gnupg2,
+ gnupg,
 Standards-Version: 4.6.2
 Rules-Requires-Root: no
 Homepage: https://ssl.engineering.nyu.edu
@@ -31,7 +31,7 @@ Depends:
   ${python3:Depends},
   ${misc:Depends},
 Recommends:
- gnupg2,
+ gnupg,
  python3-cryptography,
  python3-nacl,
  python3-pykcs11,

diff --git a/debian/patches/01_rm_sphincs_tests.diff b/debian/patches/01_rm_sphincs_tests.diff
@@ -9,109 +9,44 @@ Author: Lukas Puehringer <[email protected]>
 Forwarded: not-needed
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-Index: securesystemslib-0.26.0/tests/test_keys.py
-===================================================================
---- securesystemslib-0.26.0.orig/tests/test_keys.py
-+++ securesystemslib-0.26.0/tests/test_keys.py
-@@ -40,7 +40,6 @@ class TestKeys(unittest.TestCase):  # py
-         cls.rsakey_dict = KEYS.generate_rsa_key()
-         cls.ed25519key_dict = KEYS.generate_ed25519_key()
-         cls.ecdsakey_dict = KEYS.generate_ecdsa_key()
--        cls.sphincskey_dict = KEYS.generate_sphincs_key()
+--- a/tests/test_keys.py
++++ b/tests/test_keys.py
+@@ -33,27 +33,6 @@
+ DATA = securesystemslib.formats.encode_canonical(DATA_STR).encode("utf-8")
 
-     def test_generate_rsa_key(self):
-         _rsakey_dict = KEYS.generate_rsa_key()  # pylint: disable=invalid-name
-@@ -267,7 +266,6 @@ class TestKeys(unittest.TestCase):  # py
-         # Creating a signature for 'DATA'.
-         rsa_signature = KEYS.create_signature(self.rsakey_dict, DATA)
-         ed25519_signature = KEYS.create_signature(self.ed25519key_dict, DATA)
--        sphincs_signature = KEYS.create_signature(self.sphincskey_dict, DATA)
 
-         # Check format of output.
-         self.assertEqual(
-@@ -284,13 +282,6 @@ class TestKeys(unittest.TestCase):  # py
-             ),
-             FORMAT_ERROR_MSG,
-         )
--        self.assertEqual(
--            None,
--            securesystemslib.formats.SIGNATURE_SCHEMA.check_match(
--                sphincs_signature
--            ),
--            FORMAT_ERROR_MSG,
--        )
-
-         # Test for invalid signature scheme.
-         args = (self.rsakey_dict, DATA)
-@@ -344,7 +335,6 @@ class TestKeys(unittest.TestCase):  # py
-         rsa_signature = KEYS.create_signature(self.rsakey_dict, DATA)
-         ed25519_signature = KEYS.create_signature(self.ed25519key_dict, DATA)
-         ecdsa_signature = KEYS.create_signature(self.ecdsakey_dict, DATA)
--        sphincs_signature = KEYS.create_signature(self.sphincskey_dict, DATA)
-
-         # Verifying the 'signature' of 'DATA'.
-         verified = KEYS.verify_signature(self.rsakey_dict, rsa_signature, DATA)
-@@ -368,24 +358,6 @@ class TestKeys(unittest.TestCase):  # py
-         )
-         self.ed25519key_dict["scheme"] = valid_scheme
-
--        # Verifying the 'sphincs_signature' of 'DATA'.
--        verified = KEYS.verify_signature(
--            self.sphincskey_dict, sphincs_signature, DATA
--        )
--        self.assertTrue(verified, "Incorrect signature.")
+-@unittest.skipIf(os.name == "nt", "PySPX n/a on Windows")
+-class TestSphincsKeys(unittest.TestCase):
+-    """Test create keys, sign and verify for sphincs keys."""
 -
--        # Verify that an invalid sphincs signature scheme is rejected.
--        valid_scheme = self.sphincskey_dict["scheme"]
--        self.sphincskey_dict["scheme"] = "invalid_scheme"
--        self.assertRaises(
--            securesystemslib.exceptions.UnsupportedAlgorithmError,
--            KEYS.verify_signature,
--            self.sphincskey_dict,
--            sphincs_signature,
--            DATA,
--        )
--        self.sphincskey_dict["scheme"] = valid_scheme
+-    def test_sphincs_keys(self):
+-        key = KEYS.generate_sphincs_key()
+-        sig = KEYS.create_signature(key, b"data")
+-        self.assertTrue(securesystemslib.formats.SIGNATURE_SCHEMA.matches(sig))
 -
-         # Verifying the 'ecdsa_signature' of 'DATA'.
-         verified = KEYS.verify_signature(
-             self.ecdsakey_dict, ecdsa_signature, DATA
-@@ -432,11 +404,6 @@ class TestKeys(unittest.TestCase):  # py
-         self.assertFalse(verified, "Returned 'True' on an incorrect signature.")
-
-         verified = KEYS.verify_signature(
--            self.sphincskey_dict, sphincs_signature, _DATA
--        )
--        self.assertFalse(verified, "Returned 'True' on an incorrect signature.")
+-        # Assert valid/invalid signature
+-        self.assertTrue(KEYS.verify_signature(key, sig, b"data"))
+-        self.assertFalse(KEYS.verify_signature(key, sig, b"not data"))
 -
--        verified = KEYS.verify_signature(
-             self.ecdsakey_dict, ecdsa_signature, _DATA
-         )
-         self.assertFalse(verified, "Returned 'True' on an incorrect signature.")
-@@ -484,14 +451,6 @@ class TestKeys(unittest.TestCase):  # py
-         )
-         self.assertTrue(verified, "Incorrect signature.")
-
--        # Verify that sphincs fails if PySPX is not installed
--        KEYS.sphincs_keys.SPX_AVAIL = False  # Monkey patch availability
+-        # Assert verificaiton failure for unsupported signing scheme
+-        key["scheme"] = "invalid_scheme"
 -        with self.assertRaises(
--            securesystemslib.exceptions.UnsupportedLibraryError
+-            securesystemslib.exceptions.UnsupportedAlgorithmError
 -        ):
--            KEYS.verify_signature(self.sphincskey_dict, sphincs_signature, DATA)
--        KEYS.sphincs_keys.SPX_AVAIL = True
+-            KEYS.verify_signature(key, sig, b"data")
+-
 -
-         # Verify ecdsa key with HEX encoded keyval instead of PEM encoded keyval
-         ecdsa_key = KEYS.generate_ecdsa_key()
-         ecdsa_key["keyval"]["public"] = "abcd"
-Index: securesystemslib-0.26.0/tests/test_signer.py
-===================================================================
---- securesystemslib-0.26.0.orig/tests/test_signer.py
-+++ securesystemslib-0.26.0/tests/test_signer.py
-@@ -168,7 +168,6 @@ class TestSigner(unittest.TestCase):
-             KEYS.generate_rsa_key(),
+ class TestKeys(unittest.TestCase):  # pylint: disable=missing-class-docstring
+     @classmethod
+     def setUpClass(cls):
+--- a/tests/test_signer.py
++++ b/tests/test_signer.py
+@@ -280,8 +280,6 @@
              KEYS.generate_ed25519_key(),
              KEYS.generate_ecdsa_key(),
--            KEYS.generate_sphincs_key(),
          ]
+-        if os.name != "nt":
+-            cls.keys.append(KEYS.generate_sphincs_key())
+
          cls.DATA = b"DATA"
 
diff --git a/debian/patches/02_fix_py2_shebang.diff b/debian/patches/02_fix_py2_shebang.diff
diff --git a/debian/patches/03_rm_vendored_gitignore.diff → debian/patches/02_rm_vendored_gitignore.diff b/debian/patches/03_rm_vendored_gitignore.diff → debian/patches/02_rm_vendored_gitignore.diff
diff --git a/debian/patches/series b/debian/patches/series
@@ -1,3 +1,2 @@
 01_rm_sphincs_tests.diff
-02_fix_py2_shebang.diff
-03_rm_vendored_gitignore.diff
+02_rm_vendored_gitignore.diff