
Initial packaging

Christoph Biedl 3 years ago
parent
commit
f76b219aec

+ 5 - 0
debian/changelog

@@ -0,0 +1,5 @@
+clevis (8-1) unstable; urgency=medium
+
+  * Initial release. Closes: #854410
+
+ -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de>  Wed, 29 Nov 2017 00:01:49 +0100

+ 3 - 0
debian/clevis-dracut.install

@@ -0,0 +1,3 @@
+
+usr/lib/dracut/modules.d/60clevis/clevis-hook.sh
+usr/lib/dracut/modules.d/60clevis/module-setup.sh

+ 4 - 0
debian/clevis-luks.install

@@ -0,0 +1,4 @@
+
+usr/bin/clevis-bind-luks
+usr/bin/clevis-luks-bind
+usr/bin/clevis-luks-unlock

+ 4 - 0
debian/clevis-luks.manpages

@@ -0,0 +1,4 @@
+
+debian/tmp/usr/share/man/man1/clevis-luks-bind.1
+debian/tmp/usr/share/man/man1/clevis-luks-unlock.1
+debian/tmp/usr/share/man/man7/clevis-luks-unlockers.7

+ 5 - 0
debian/clevis-systemd.install

@@ -0,0 +1,5 @@
+
+lib/systemd/system/clevis-luks-askpass.path
+lib/systemd/system/clevis-luks-askpass.service
+
+usr/lib/*/clevis-luks-askpass

+ 3 - 0
debian/clevis-udisks2.install

@@ -0,0 +1,3 @@
+
+etc/xdg/autostart/clevis-luks-udisks2.desktop
+usr/lib/*/clevis-luks-udisks2

+ 9 - 0
debian/clevis.install

@@ -0,0 +1,9 @@
+
+usr/bin/clevis
+usr/bin/clevis-decrypt
+usr/bin/clevis-decrypt-http
+usr/bin/clevis-decrypt-sss
+usr/bin/clevis-decrypt-tang
+usr/bin/clevis-encrypt-http
+usr/bin/clevis-encrypt-sss
+usr/bin/clevis-encrypt-tang

+ 6 - 0
debian/clevis.manpages

@@ -0,0 +1,6 @@
+
+debian/tmp/usr/share/man/man1/clevis-decrypt.1
+debian/tmp/usr/share/man/man1/clevis-encrypt-http.1
+debian/tmp/usr/share/man/man1/clevis-encrypt-sss.1
+debian/tmp/usr/share/man/man1/clevis-encrypt-tang.1
+debian/tmp/usr/share/man/man1/clevis.1

+ 1 - 0
debian/compat

@@ -0,0 +1 @@
+10

+ 78 - 0
debian/control

@@ -0,0 +1,78 @@
+Source: clevis
+Maintainer: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Homepage: https://github.com/latchset/clevis
+Standards-Version: 4.1.1
+Build-Depends: debhelper (>= 10~),
+    curl,
+    dracut,
+    jose,
+    libaudit-dev (>= 1:2.7.8),
+    libglib2.0-dev,
+    libjansson4 (>= 2.10),
+    libjose-dev,
+    libluksmeta-dev (>= 8),
+    libpwquality-tools,
+    libssl-dev,
+    libudisks2-dev,
+    pkg-config,
+    systemd,
+    tang,
+Priority: optional
+Section: net
+
+Package: clevis
+Architecture: linux-any
+Depends: ${misc:Depends}, ${shlibs:Depends},
+    cracklib-runtime,
+    curl,
+    jose,
+    libpwquality-tools,
+    luksmeta,
+Recommends:
+    cryptsetup,
+Description: automated encryption framework
+ Clevis is a plugable framework for automated decryption. It can be used
+ to provide automated decryption of data or even automated unlocking of
+ LUKS volumes.
+ .
+ It supports tang, shamir secret sharing, escrow using HTTP.
+
+Package: clevis-dracut
+Architecture: all
+Depends: ${misc:Depends},
+    clevis-systemd,
+    dracut-network,
+Description: Dracut integration for clevis
+ Clevis is a plugable framework for automated decryption. This package
+ provides integration for the dracut initramfs to automatically unlock
+ LUKSv1 block devices in early boot.
+
+Package: clevis-luks
+Architecture: all
+Depends: ${misc:Depends},
+    clevis,
+    cryptsetup,
+    luksmeta,
+Description: LUKSv1 integration for clevis
+ This package allows you to bind a LUKSv1 volume to a clevis unlocking
+ policy. For automated unlocking, an unlocker will also be required.
+ See, for example, clevis-dracut and clevis-udisks2.
+
+Package: clevis-systemd
+Architecture: linux-any
+Depends: ${misc:Depends},
+    clevis-luks,
+    socat,
+    systemd,
+Description: systemd integration for clevis
+ Clevis is a plugable framework for automated decryption. This package
+ provides automatic unlocking of LUKSv1 _netdev block devices from
+ /etc/crypttab.
+
+Package: clevis-udisks2
+Architecture: linux-any
+Depends: ${misc:Depends}, ${shlibs:Depends},
+Description: UDisks2/Storaged integration for clevis
+ Clevis is a plugable framework for automated decryption. This package
+ provides automatic unlocking LUKSv1 block devices in desktop
+ environments that use UDisks2 or storaged.
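Review bot: clevis-udisks2 declares only `${misc:Depends}, ${shlibs:Depends}`, while the other integration packages in this file reach clevis directly or through a sibling (clevis-dracut -> clevis-systemd -> clevis-luks -> clevis). If the udisks2 helper calls the clevis or luksmeta tools at run time, which its description suggests but this page does not show, the package can be installed on its own and then fail to unlock anything; `Depends: ${misc:Depends}, ${shlibs:Depends}, clevis-luks,` would match the siblings. Also worth checking: Build-Depends names the runtime library `libjansson4 (>= 2.10)` rather than a -dev package, so the version constraint may not apply to the headers the build actually compiles against.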

+ 38 - 0
debian/copyright

@@ -0,0 +1,38 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: clevis
+Source: https://github.com/latchset/clevis
+
+Files: *
+Copyright: Copyright (c) 2015-2017 Red Hat, Inc.
+License: GPL-3.0+ with OpenSSL exception
+
+License: GPL-3.0+ with OpenSSL exception
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
+ .
+ In addition, as a special exception, the copyright holders give
+ permission to link the code of portions of this program with the
+ OpenSSL library under certain conditions as described in each
+ individual source file, and distribute linked combinations
+ including the two.
+ .
+ You must obey the GNU General Public License in all respects
+ for all of the code used other than OpenSSL.  If you modify
+ file(s) with this exception, you may extend this exception to your
+ version of the file(s), but you are not obligated to do so.  If you
+ do not wish to do so, delete this exception statement from your
+ version.  If you delete this exception statement from all source
+ files in the program, then also delete it here.

+ 16 - 0
debian/patches/cherry-pick.v8-1-g69524aa.fix-typo-in-libaudit-requirement.patch

@@ -0,0 +1,16 @@
+Subject: Fix typo in libaudit requirement
+Origin: v8-1-g69524aa
+Upstream-Author: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Tue Nov 14 10:24:35 2017 -0500
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -18,7 +18,7 @@
+ PKG_CHECK_MODULES([jose], [jose >= 8])
+ PKG_CHECK_MODULES([systemd], [systemd])
+ PKG_CHECK_MODULES([dracut], [dracut])
+-PKG_CHECK_MODULES([audit], [audit >> 2.7.8])
++PKG_CHECK_MODULES([audit], [audit >= 2.7.8])
+ 
+ AC_CHECK_PROG([PWMAKE], [pwmake], [yes])
+ test -n "$PWMAKE" || AC_MSG_ERROR([pwmake required!])

+ 20 - 0
debian/patches/disable-dracut-check.patch

@@ -0,0 +1,20 @@
+Description: Disable configure check for dracut
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: 2017-11-06
+Forwarded: not-needed
+
+    The dracut package does not provide dracut.pc, so this check would
+    always fail.
+
+    See also: https://bugs.debian.org/880984
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -17,7 +17,6 @@
+ PKG_CHECK_MODULES([udisks2], [udisks2])
+ PKG_CHECK_MODULES([jose], [jose >= 8])
+ PKG_CHECK_MODULES([systemd], [systemd])
+-PKG_CHECK_MODULES([dracut], [dracut])
+ PKG_CHECK_MODULES([audit], [audit >= 2.7.8])
+ 
+ AC_CHECK_PROG([PWMAKE], [pwmake], [yes])

+ 19 - 0
debian/patches/fix-manpage-add-name.patch

@@ -0,0 +1,19 @@
+Description: Add missing name in clevis-luks-unlockers manpage
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: 2017-11-06
+Forwarded: https://github.com/latchset/clevis/issues/21
+
+--- a/doc/clevis-luks-unlockers.7
++++ b/doc/clevis-luks-unlockers.7
+@@ -1,7 +1,10 @@
+ .\" Automatically generated by Pandoc 1.19.1
+ .\"
+ .TH "CLEVIS\-LUKS\-UNLOCKERS" "7" "October 2017" "" ""
+-.hy
++.
++.SH "NAME"
++\fBclevis-luks-unlockers\fR \- Clevis unlockers overview
++.
+ .SH OVERVIEW
+ .PP
+ Clevis provides unlockers for LUKS volumes which can use LUKS policy:

+ 5 - 0
debian/patches/series

@@ -0,0 +1,5 @@
+cherry-pick.v8-1-g69524aa.fix-typo-in-libaudit-requirement.patch
+test-exec-path.patch
+disable-dracut-check.patch
+fix-manpage-add-name.patch
+use-socat.patch

+ 23 - 0
debian/patches/test-exec-path.patch

@@ -0,0 +1,23 @@
+Description: Fix path to tangd-* executables in test suite
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: 2017-11-06
+Forwarded: not-needed
+
+--- a/tests/pin-tang
++++ b/tests/pin-tang
+@@ -31,12 +31,12 @@
+ mkdir -p $TMP/cache
+ 
+ # Generate the server keys
+-/usr/libexec/tangd-keygen $TMP/db sig exc
+-/usr/libexec/tangd-update $TMP/db $TMP/cache
++/usr/lib/${DEB_HOST_MULTIARCH}/tangd-keygen $TMP/db sig exc
++/usr/lib/${DEB_HOST_MULTIARCH}/tangd-update $TMP/db $TMP/cache
+ 
+ # Start the server
+ port=`shuf -i 1024-65536 -n 1`
+-$SD_ACTIVATE -l 127.0.0.1:$port -a /usr/libexec/tangd $TMP/cache &
++$SD_ACTIVATE -l 127.0.0.1:$port -a /usr/lib/${DEB_HOST_MULTIARCH}/tangd $TMP/cache &
+ export PID=$!
+ sleep 0.25
+ 
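Review bot: The rewritten paths in tests/pin-tang depend on `${DEB_HOST_MULTIARCH}` being present in the test's environment, and nothing in this commit exports it: debian/rules includes only buildflags.mk. With the variable unset the path collapses to `/usr/lib//tangd-keygen` and the key generation step fails. dpkg-buildpackage normally provides the variable, but a direct `debian/rules build` may not; adding `include /usr/share/dpkg/architecture.mk` and `export DEB_HOST_MULTIARCH` to debian/rules would make the test independent of how the build is started.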

+ 34 - 0
debian/patches/use-socat.patch

@@ -0,0 +1,34 @@
+Description: Use socat in clevis-luks-askpass
+Author: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Date: 2017-11-28
+Forwarded: not-needed
+   
+    Upstream assumes the nc program is ncat as provided by nmap. Since
+    nmap is a fairly huge package and does not ship a separate ncat
+    package (#881639), use socat instead for the time being.
+
+    Thanks Anthony R Fletcher <arif@mail.nih.gov> for figuring out
+    and testing.
+
+--- a/src/dracut/module-setup.sh.in
++++ b/src/dracut/module-setup.sh.in
+@@ -43,7 +43,7 @@
+         clevis \
+         curl \
+         jose \
+-        nc
++        socat
+ 
+     dracut_need_initqueue
+ }
+--- a/src/systemd/clevis-luks-askpass
++++ b/src/systemd/clevis-luks-askpass
+@@ -41,7 +41,7 @@
+         [ "$uuid" != "$UUID" ] && continue
+ 
+         if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
+-            echo -n "+$pt" | nc -U -u --send-only "$s"
++            echo -n "+$pt" | socat -U "UNIX:$s" -
+             break
+         fi
+     done
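Review bot: The replaced line in src/systemd/clevis-luks-askpass still writes the decrypted passphrase with `echo -n "+$pt"`, and echo's treatment of backslashes and of `-n` differs between shells, so a passphrase containing a backslash could reach the socket altered. `printf '%s' "+$pt" | socat -U "UNIX:$s" -` sends the bytes unchanged; the script's interpreter line is outside the hunk, so whether this bites here is not visible. Separately, the old command requested a datagram socket explicitly (`-u`), while the new one relies on how socat's `UNIX:` address type copes with a datagram peer. A sentence in the patch header naming the socket type and the socat version tested would help whoever revisits this once #881639 is resolved.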

+ 15 - 0
debian/rules

@@ -0,0 +1,15 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS := hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
+%:
+	dh $@
+
+# wait for #880984
+override_dh_auto_configure:
+	dh_auto_configure -- --with-dracutmodulesdir=/usr/lib/dracut/modules.d
+
+override_dh_missing:
+	dh_missing --fail-missing
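Review bot: The comment `# wait for #880984` above override_dh_auto_configure does not say what is being waited for or what to undo afterwards. Going by disable-dracut-check.patch in this same commit, the bug is that dracut ships no dracut.pc, which is presumably why the modules directory is passed by hand here. Something like `# dracut has no dracut.pc yet (#880984): pass the modules dir by hand; drop this override and disable-dracut-check.patch once fixed` would make the later cleanup obvious.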

+ 1 - 0
debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

+ 4 - 0
debian/watch

@@ -0,0 +1,4 @@
+
+version=3
+https://github.com/latchset/clevis/releases \
+    /latchset/clevis/releases/download/[^/]+/clevis-([0-9][.0-9]*)\.tar\.bz2
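Review bot: The watch file fetches release tarballs over HTTPS but does not verify an upstream signature, so uscan accepts whatever the release page serves. If upstream publishes detached signatures (not visible on this page), adding `opts=pgpsigurlmangle=s/$/.asc/` together with a debian/upstream/signing-key.asc would let uscan check each download. If no signatures exist, a one-line comment saying so documents that the gap is known.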