7 files changed, 111 insertions, 0 deletions

diff --git a/debian/signing-template/README.source b/debian/signing-template/README.source
new file mode 100644
index 00000000..96d94ce4
--- /dev/null
+++ b/debian/signing-template/README.source
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the shim package.  It should never be updated directly.
+
+ -- Philipp Matthias Hahn <pmhahn@debian.org>  Sat, 07 Apr 2018 16:26:11 +0200
diff --git a/debian/signing-template/changelog.in b/debian/signing-template/changelog.in
new file mode 100644
index 00000000..f2e4ba69
--- /dev/null
+++ b/debian/signing-template/changelog.in
@@ -0,0 +1,11 @@
+shim-helpers-@arch@-signed (1+@version_mangled@) @distribution@; urgency=@urgency@
+
+  * Update to shim @version_binary@
+
+ -- Debian signing service <ftpmaster@debian.org>  @date@
+
+shim-helpers-@arch@-signed (1) unstable; urgency=medium
+
+  * Add template source package for signing
+
+ -- Philipp Matthias Hahn <pmhahn@debian.org>  Sat, 07 Apr 2018 17:16:27 +0200
diff --git a/debian/signing-template/compat b/debian/signing-template/compat
new file mode 100644
index 00000000..b4de3947
--- /dev/null
+++ b/debian/signing-template/compat
@@ -0,0 +1 @@
+11
diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in
new file mode 100644
index 00000000..9d75d925
--- /dev/null
+++ b/debian/signing-template/control.in
@@ -0,0 +1,25 @@
+Source: shim-helpers-@arch@-signed
+Section: admin
+Priority: optional
+Maintainer: Debian EFI team <debian-efi@lists.debian.org>
+Standards-Version: 4.3.0
+Build-Depends: debhelper (>= 10.1~),
+ sbsigntool [amd64 arm64 i386],
+ shim-unsigned (= @version_binary@),
+
+Package: shim-helpers-@arch@-signed
+Architecture: @arch@
+Conflicts: shim (<< 15+1533136590.3beb971-3~),
+Replaces: shim (<< 15+1533136590.3beb971-3~), shim-signed (<< 1.29),
+Breaks: shim-signed (<< 1.29),
+Depends: shim-unsigned (>= @version_binary@), ${misc:Depends},
+Built-Using: shim (= @version_binary@)
+Description: boot loader to chain-load signed boot loaders (signed by Debian)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database.  Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains the MOK manager and fall-back manager signed by the
+ Debian UEFI CA to be used by shim-signed.
diff --git a/debian/signing-template/copyright b/debian/signing-template/copyright
new file mode 100644
index 00000000..955ccbf8
--- /dev/null
+++ b/debian/signing-template/copyright
@@ -0,0 +1,51 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This file describes only the shim-helpers-signed-* source package.
+
+Files: debian/signatures/*
+License: public-domain
+ Digital signatures and certificates are presumed not to be
+ copyrightable works, and no copyright is claimed for them.
+Comment:
+ The signatures and certificates in this package cannot be regenerated
+ as-is without the associated private key material, but they can be
+ replaced using alternate private keys.
+
+Files: debian/rules
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 2 as
+ published by the Free Software Foundation.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+Files: debian/*
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or (at
+ your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
diff --git a/debian/signing-template/rules b/debian/signing-template/rules
new file mode 100755
index 00000000..a972e7df
--- /dev/null
+++ b/debian/signing-template/rules
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+
+SIG_DIR := debian/signatures/shim-unsigned
+
+%:
+	dh $@
+
+override_dh_auto_install:
+	set -e ; \
+	find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
+	while read sig; do \
+		install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
+		install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
+		sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
+	done
+
+override_dh_install:
+	dh_install --sourcedir=debian/tmp .
diff --git a/debian/signing-template/source/format b/debian/signing-template/source/format
new file mode 100644
index 00000000..89ae9db8
--- /dev/null
+++ b/debian/signing-template/source/format
@@ -0,0 +1 @@
+3.0 (native)