build/
venv/
.vscode
+fwupd*.build
+*.gz
+*.changes
+*.deb
+*.xz
+*.dsc
+*.buildinfo
-#!/bin/sh -e
+#!/bin/bash
+set -e
+set -x
+shopt -s extglob
+rm -rf build/
+
if [ "$OS" = "fedora" ]; then
meson build
VERSION=`meson introspect build --projectinfo | jq -r .version`
rpmbuild -ba build/fwupd-efi.spec
mkdir -p dist
cp $HOME/rpmbuild/RPMS/*/*.rpm dist
+elif [ "$OS" = "debian-x86_64" ] || [ "$OS" = "debian-i386" ]; then
+ export DEBFULLNAME="CI Builder"
+ export DEBEMAIL="ci@travis-ci.org"
+ VERSION=`head meson.build | grep ' version :' | cut -d \' -f2`
+ mkdir -p build
+ cp -lR !(build|dist|venv) build/
+ pushd build
+ mv contrib/debian .
+ sed s/quilt/native/ debian/source/format -i
+ #build the package
+ EDITOR=/bin/true dch --create --package fwupd-efi -v $VERSION "CI Build"
+ debuild --no-lintian --preserve-envvar CI --preserve-envvar CC \
+ --preserve-envvar QUBES_OPTION
else
meson build
ninja -C build
--- /dev/null
+Source: fwupd-efi
+Priority: optional
+Maintainer: Debian EFI <debian-efi@lists.debian.org>
+Uploaders: Steve McIntyre <93sam@debian.org>,
+ Matthias Klumpp <mak@debian.org>,
+ Mario Limonciello <superm1@gmail.com>
+Build-Depends: gnu-efi [amd64 arm64 armhf i386],
+ meson,
+ mingw-w64-tools [amd64 arm64 armhf i386],
+Standards-Version: 4.5.0
+Section: admin
+Homepage: https://github.com/fwupd/fwupd-efi
+Vcs-Git: https://salsa.debian.org/efi-team/fwupd-efi.git
+Vcs-Browser: https://salsa.debian.org/efi-team/fwupd-efi
+
+Package: fwupd-unsigned
+Architecture: amd64 arm64 armhf i386
+Depends: ${misc:Depends},
+ ${shlibs:Depends},
+Recommends: fwupd-signed
+Multi-Arch: foreign
+Description: Firmware update daemon (Unsigned EFI binaries)
+ fwupd is a daemon to allow session software to update device firmware.
+ You can either use a GUI software manager like GNOME Software to view and
+ apply updates, the command-line tool or the system D-Bus interface directly.
+ Firmware updates are supported for a variety of technologies.
+ See <https://github.com/fwupd/fwupd> for details
+ .
+ This package provides the EFI binaries used for UEFI capsule updates
+
+Package: fwupd-unsigned-dev
+Architecture: all
+Depends: fwupd-unsigned (= ${binary:Version})
+Description: Firmware update daemon (Development information)
+ fwupd is a daemon to allow session software to update device firmware.
+ You can either use a GUI software manager like GNOME Software to view and
+ apply updates, the command-line tool or the system D-Bus interface directly.
+ Firmware updates are supported for a variety of technologies.
+ See <https://github.com/fwupd/fwupd> for details
+ .
+ This package provides the dependencies for the fwupd daemon to resolve
+
+Package: fwupd-amd64-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-i386-signed-template
+Architecture: i386
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-armhf-signed-template
+Architecture: armhf
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
+
+Package: fwupd-arm64-signed-template
+Architecture: arm64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed fwupd package
+ This package is used to control code signing by the Debian signing
+ service.
--- /dev/null
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: fwupd-efi
+Source: https://github.com/fwupd/fwupd-efi
+
+Files: debian/*
+Copyright: 2021 Mario Limonciello <superm1@gmail.com>
+License: LGPL-2.1+
+
+License: LGPL-2.1+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU Lesser General
+ Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1".
--- /dev/null
+usr/lib/*/pkgconfig/
--- /dev/null
+usr/libexec/fwupd/*
--- /dev/null
+[DEFAULT]
+debian-branch = debian
+upstream-tag = %(version)s
+
+[buildpackage]
+sign-tags = True
+dist = experimental
--- /dev/null
+#!/bin/sh
+#
+# Generate a changelog file for the signed fwupdate package, based on
+# a changelog.in file and other state
+
+DIR=$1
+SOURCE=$2
+ARCH=$3
+IN="${DIR}/changelog.in"
+OUT="${DIR}/changelog"
+
+# Parse out fields from our changelg entry - want the signing-template
+# one to match all the important details where we can
+DISTRIBUTION="$(dpkg-parsechangelog | sed -ne 's/^Distribution: \(.*\)/\1/p')"
+URGENCY="$(dpkg-parsechangelog | sed -ne 's/^Urgency: \(.*\)/\1/p')"
+MAINT="$(dpkg-parsechangelog | sed -ne 's/^Maintainer: \(.*\)/\1/p')"
+DATE="$(dpkg-parsechangelog | sed -ne 's/^Date: \(.*\)/\1/p')"
+
+# If the version ends in "+bXXX", this is a binNMU. We don't want a new
+# source package to look like that, so change it to ".bXXX" instead
+VERSION="$(dpkg-parsechangelog | sed -ne 's/^Version: \(.*\)/\1/p')"
+MANGLED_VERSION="$(echo $VERSION | sed -r 's/-/\+/;s/\+(b[[:digit:]]+)$/.\1/')"
+
+printf "%s-%s-signed (%s) %s; urgency=%s\n" "${SOURCE}" "${ARCH}" "${MANGLED_VERSION}" "${DISTRIBUTION}" "${URGENCY}" > $OUT
+printf "\n" >> $OUT
+printf " * Update to %s version %s\n" "${SOURCE}" "${VERSION}" >> $OUT
+printf "\n" >> $OUT
+printf " -- %s %s\n" "${MAINT}" "${DATE}" >> $OUT
+printf "\n" >> $OUT
+
+cat $IN >> $OUT
+rm -f $IN
--- /dev/null
+#!/bin/sh
+#
+# Generate a json file to go in the the fwupd-signed template
+# package. Describes exactly what needs to be signed, and how.
+
+DIR=$1
+SOURCE=$2
+ARCH=$3
+OUT="$DIR/files.json"
+
+# What file are we looking to sign?
+BINARY=$(find debian/tmp -name '*.efi' | xargs basename)
+
+# Actually needs full path within the binary deb
+BINARY="usr/libexec/${SOURCE}/efi/${BINARY}"
+
+rm -f $OUT
+
+printf '{\n' >> $OUT
+printf ' "packages": {\n' >> $OUT
+printf ' "%s": {\n' "${SOURCE}" >> $OUT
+printf ' "trusted_certs": [],\n' >> $OUT
+printf ' "files": [ \n' >> $OUT
+printf ' {"sig_type": "efi", "file": "%s"}\n' "${BINARY}" >> $OUT
+printf ' ]\n' >> $OUT
+printf ' }\n' >> $OUT
+printf ' }\n' >> $OUT
+printf '}\n' >> $OUT
--- /dev/null
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+export LC_ALL := C.UTF-8
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_LDFLAGS_MAINT_STRIP=-Wl,-Bsymbolic-functions
+
+CONFARGS =
+
+ifneq ($(CI),)
+ CONFARGS += --werror --wrap-mode=default
+endif
+
+SB_STYLE := debian
+deb_version := $(shell dpkg-parsechangelog --show-field Version)
+ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
+ SB_STYLE := ubuntu
+ tar_name := fwupd_$(deb_version)_$(DEB_HOST_ARCH).tar.gz
+ CONFARGS += -Defi_sbat_distro_id=ubuntu
+ CONFARGS += -Defi_sbat_distro_summary=Ubuntu
+ CONFARGS += -Defi_sbat_distro_pkgname=fwupd
+ CONFARGS += -Defi_sbat_distro_version=$(deb_version)
+ CONFARGS += -Defi_sbat_distro_url="https://launchpad.net/ubuntu/+source/fwupd"
+else
+ TMPLDIR := debian/fwupd-$(DEB_HOST_ARCH)-signed-template/usr/share/code-signing/fwupd-$(DEB_HOST_ARCH)-signed-template
+ CONFARGS += -Defi_sbat_distro_id=debian
+ CONFARGS += -Defi_sbat_distro_summary=Debian
+ CONFARGS += -Defi_sbat_distro_pkgname=fwupd
+ CONFARGS += -Defi_sbat_distro_version=$(deb_version)
+ CONFARGS += -Defi_sbat_distro_url="https://tracker.debian.org/pkg/fwupd"
+endif
+
+%:
+ dh $@ --with gir
+
+override_dh_auto_clean:
+ rm -fr obj-*
+ rm -fr debian/build
+ifeq (ubuntu,$(SB_STYLE))
+ rm -rf debian/fwupd-images
+endif
+
+override_dh_auto_configure:
+ dh_auto_configure -- $(CONFARGS)
+
+override_dh_install:
+ dh_install
+ifeq (debian,$(SB_STYLE))
+ # Generate the template source for the Debian signing service to use
+ mkdir -p $(TMPLDIR)/source-template/debian
+ cp -a debian/signing-template/* $(TMPLDIR)/source-template/debian
+ find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNARCH,$(DEB_HOST_ARCH),"
+ find $(TMPLDIR)/source-template/debian -type f | xargs sed -i "s,SIGNVERSION,$(deb_version),"
+ set -e; for file in $$(find $(TMPLDIR)/source-template/debian -type f -name '*SIGNARCH*'); do \
+ file1=$$(echo $$file | sed "s,SIGNARCH,$(DEB_HOST_ARCH),"); \
+ mv -v $$file $$file1; \
+ done
+ debian/gen_signing_changelog $(TMPLDIR)/source-template/debian fwupd $(DEB_HOST_ARCH)
+ debian/gen_signing_json $(TMPLDIR) fwupd ${DEB_HOST_ARCH}
+endif
+
+override_dh_builddeb:
+ dh_builddeb
+ifeq (ubuntu,$(SB_STYLE))
+ set -e; if [ -d debian/tmp/usr/libexec/fwupd/efi/ ]; then \
+ mkdir -p debian/fwupd-images/$(deb_version); \
+ cp debian/tmp/usr/libexec/fwupd/efi/fwupd*.efi debian/fwupd-images/$(deb_version); \
+ echo $(deb_version) > debian/fwupd-images/$(deb_version)/version; \
+ tar -C debian/fwupd-images -czvf ../$(tar_name) .; \
+ dpkg-distaddfile $(tar_name) raw-uefi -; \
+ fi
+endif
--- /dev/null
+This source package is generated by the Debian signing service from a
+template built by the fwupd package. It should never be updated directly.
+
+ -- Steve McIntyre <93sam@debian.org> Sat, 07 Apr 2018 12:44:55 +0100
--- /dev/null
+fwupd-SIGNARCH-signed (1) unstable; urgency=medium
+
+ * Add template source package for signing
+
+ -- Steve McIntyre <93sam@debian.org> Sat, 07 Apr 2018 12:44:55 +0100
--- /dev/null
+Source: fwupd-SIGNARCH-signed
+Priority: optional
+Maintainer: Debian EFI <debian-efi@lists.debian.org>
+Uploaders: Steve McIntyre <93sam@debian.org>,
+ Matthias Klumpp <mak@debian.org>,
+ Mario Limonciello <superm1@gmail.com>
+Build-Depends: debhelper (>= 9.0.0), sbsigntool [amd64 arm64 armhf i386], fwupd-unsigned (= SIGNVERSION) [SIGNARCH]
+Standards-Version: 4.5.0
+Section: libs
+Homepage: https://github.com/fwupd/fwupd
+Vcs-Git: https://salsa.debian.org/efi-team/fwupd.git
+Vcs-Browser: https://salsa.debian.org/efi-team/fwupd
+
+Package: fwupd-SIGNARCH-signed
+Section: admin
+Architecture: SIGNARCH
+Provides: fwupd-signed
+Depends: ${shlibs:Depends}, ${misc:Depends}, fwupd (= SIGNVERSION)
+Built-Using: fwupd (= SIGNVERSION)
+Description: Tools to manage UEFI firmware updates (signed)
+ fwupd provides functionality to update system firmware. It has been
+ initially designed to update firmware using UEFI capsule updates, but
+ it is designed to be extensible to other firmware update standards.
+ .
+ This package contains just the signed version of the fwupd binary,
+ needed if your system has UEFI Secure Boot enabled. It depends on the
+ normal fwupd package for everything else.
--- /dev/null
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: fwupd
+Source: https://github.com/fwupd/fwupd
+
+Files: *
+Copyright: 2015 Richard Hughes <richard@hughsie.com>
+License: LGPL-2.1+
+
+Files: data/tests/colorhug/firmware.metainfo.xml
+Copyright: 2015 Richard Hughes <richard@hughsie.com>
+License: CC0-1.0
+
+Files: debian/*
+Copyright: 2015 Daniel Jared Dominguez <Jared_Dominguez@Dell.com>
+ 2015 Mario Limonciello <mario.limonciello@dell.com>
+License: LGPL-2.1+
+
+License: LGPL-2.1+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU Lesser General
+ Public License version 2.1 can be found in "/usr/share/common-licenses/LGPL-2.1".
--- /dev/null
+*.efi.signed /usr/libexec/fwupd/efi
--- /dev/null
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+PACKAGE_NAME := fwupd
+SIG_PKG_NAME := fwupd-SIGNARCH-signed
+SIGNATURE_DIR := debian/signatures/$(PACKAGE_NAME)
+BINARY := $(shell find /usr/libexec/fwupd/efi -name '*.efi' | xargs basename)
+
+%:
+ dh $@
+
+override_dh_auto_build:
+ cp /usr/libexec/fwupd/efi/$(BINARY) .
+ sbattach --attach $(SIGNATURE_DIR)/usr/libexec/fwupd/efi/$(BINARY).sig $(BINARY)
+ mv $(BINARY) $(BINARY).signed
--- /dev/null
+3.0 (native)
--- /dev/null
+3.0 (quilt)
--- /dev/null
+#github doesn't have these
+fwupd-efi source: debian-watch-does-not-check-gpg-signature
--- /dev/null
+extend-diff-ignore=".vscode"
--- /dev/null
+# You can run the "uscan" command to check for upstream updates and more.
+# See uscan(1) for format
+
+version=3
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/fwupd-efi-$1\.tar\.gz/ \
+https://github.com/fwupd/fwupd-efi/tags .*/v?(\d\S*)\.tar\.gz