Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat!: remove dpkg-sig #755

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions Taskfile.yml
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,15 @@ tasks:
- task: docs:generate
- "mkdocs build -f www/mkdocs.yml"

schema:generate:
desc: Generate JSONSchema
cmds:
- go run ./cmd/nfpm/ schema -o ./www/docs/static/schema.json
sources:
- pkg/config/config.go
generates:
- ./www/docs/static/schema.json

release:
desc: Create a new tag
vars:
Expand Down
41 changes: 18 additions & 23 deletions acceptance_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -283,30 +283,25 @@ func TestRPMSign(t *testing.T) {
func TestDebSign(t *testing.T) {
t.Parallel()
for _, arch := range formatArchs["deb"] {
for _, sigtype := range []string{"dpkg-sig", "debsign"} {
func(t *testing.T, testSigtype, testArch string) {
t.Run(fmt.Sprintf("deb/%s/%s", testArch, testSigtype), func(t *testing.T) {
t.Parallel()
target := "signed"
if testSigtype == "dpkg-sig" {
target = "dpkg-signed"
}
if testArch == "ppc64le" && os.Getenv("NO_TEST_PPC64LE") == "true" {
t.Skip("ppc64le arch not supported in pipeline")
}
accept(t, acceptParms{
Name: fmt.Sprintf("%s_sign_%s", testSigtype, testArch),
Conf: fmt.Sprintf("deb.%s.sign.yaml", testSigtype),
Format: "deb",
Docker: dockerParams{
File: "deb.dockerfile",
Target: target,
Arch: testArch,
},
})
func(t *testing.T, testArch string) {
t.Run(fmt.Sprintf("deb/%s", testArch), func(t *testing.T) {
t.Parallel()
target := "signed"
if testArch == "ppc64le" && os.Getenv("NO_TEST_PPC64LE") == "true" {
t.Skip("ppc64le arch not supported in pipeline")
}
accept(t, acceptParms{
Name: fmt.Sprintf("debsign_sign_%s", testArch),
Conf: fmt.Sprintf("deb.debsign.sign.yaml"),
Format: "deb",
Docker: dockerParams{
File: "deb.dockerfile",
Target: target,
Arch: testArch,
},
})
}(t, sigtype, arch)
}
})
}(t, arch)
}
}

Expand Down
81 changes: 1 addition & 80 deletions deb/deb.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@
"bytes"
"compress/gzip"
"crypto/md5" // nolint:gas
"crypto/sha1"
"errors"
"fmt"
"io"
Expand Down Expand Up @@ -157,35 +156,12 @@
func doSign(info *nfpm.Info, debianBinary, controlTarGz, dataTarball []byte) ([]byte, string, error) {
switch info.Deb.Signature.Method {
case "dpkg-sig":
return dpkgSign(info, debianBinary, controlTarGz, dataTarball)
return nil, "", fmt.Errorf("this signature type is no longer supported, please use 'debsign' instead")

Check warning on line 159 in deb/deb.go

View check run for this annotation

Codecov / codecov/patch

deb/deb.go#L159

Added line #L159 was not covered by tests
default:
return debSign(info, debianBinary, controlTarGz, dataTarball)
}
}

func dpkgSign(info *nfpm.Info, debianBinary, controlTarGz, dataTarball []byte) ([]byte, string, error) {
sigType := "builder"
if info.Deb.Signature.Type != "" {
sigType = info.Deb.Signature.Type
}

data, err := readDpkgSigData(info, debianBinary, controlTarGz, dataTarball)
if err != nil {
return nil, sigType, &nfpm.ErrSigningFailure{Err: err}
}

var sig []byte
if signFn := info.Deb.Signature.SignFn; signFn != nil {
sig, err = signFn(data)
} else {
sig, err = sign.PGPClearSignWithKeyID(data, info.Deb.Signature.KeyFile, info.Deb.Signature.KeyPassphrase, info.Deb.Signature.KeyID)
}
if err != nil {
return nil, sigType, &nfpm.ErrSigningFailure{Err: err}
}
return sig, sigType, nil
}

func debSign(info *nfpm.Info, debianBinary, controlTarGz, dataTarball []byte) ([]byte, string, error) {
data := readDebsignData(debianBinary, controlTarGz, dataTarball)

Expand Down Expand Up @@ -218,61 +194,6 @@
bytes.NewReader(dataTarball))
}

// reference: https://manpages.debian.org/jessie/dpkg-sig/dpkg-sig.1.en.html
const dpkgSigTemplate = `
Hash: SHA1

Version: 4
Signer: {{ .Signer }}
Date: {{ .Date }}
Role: {{ .Role }}
Files:
{{range .Files}}{{ .Md5Sum }} {{ .Sha1Sum }} {{ .Size }} {{ .Name }}{{end}}
`

type dpkgSigData struct {
Signer string
Date time.Time
Role string
Files []dpkgSigFileLine
Info *nfpm.Info
}
type dpkgSigFileLine struct {
Md5Sum [16]byte
Sha1Sum [20]byte
Size int
Name string
}

func newDpkgSigFileLine(name string, fileContent []byte) dpkgSigFileLine {
return dpkgSigFileLine{
Name: name,
Md5Sum: md5.Sum(fileContent),
Sha1Sum: sha1.Sum(fileContent),
Size: len(fileContent),
}
}

func readDpkgSigData(info *nfpm.Info, debianBinary, controlTarGz, dataTarball []byte) (io.Reader, error) {
data := dpkgSigData{
Signer: info.Deb.Signature.Signer,
Date: info.MTime,
Role: info.Deb.Signature.Type,
Files: []dpkgSigFileLine{
newDpkgSigFileLine("debian-binary", debianBinary),
newDpkgSigFileLine("control.tar.gz", controlTarGz),
newDpkgSigFileLine("data.tar.gz", dataTarball),
},
}
temp, _ := template.New("dpkg-sig").Parse(dpkgSigTemplate)
buf := &bytes.Buffer{}
err := temp.Execute(buf, data)
if err != nil {
return nil, fmt.Errorf("dpkg-sig template error: %w", err)
}
return buf, nil
}

func (*Deb) SetPackagerDefaults(info *nfpm.Info) {
// Priority should be set on all packages per:
// https://www.debian.org/doc/debian-policy/ch-archive.html#priorities
Expand Down
48 changes: 0 additions & 48 deletions deb/deb_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -988,54 +988,6 @@ func TestDebsigsSignatureCallback(t *testing.T) {
require.NoError(t, err)
}

func TestDpkgSigSignature(t *testing.T) {
info := exampleInfo()
info.Deb.Signature.KeyFile = "../internal/sign/testdata/privkey.asc"
info.Deb.Signature.KeyPassphrase = "hunter2"
info.Deb.Signature.Method = "dpkg-sig"
info.Deb.Signature.Signer = "bob McRobert"

var deb bytes.Buffer
err := Default.Package(info, &deb)
require.NoError(t, err)

signature := extractFileFromAr(t, deb.Bytes(), "_gpgbuilder")

err = sign.PGPReadMessage(signature, "../internal/sign/testdata/pubkey.asc")
require.NoError(t, err)
}

func TestDpkgSigSignatureError(t *testing.T) {
info := exampleInfo()
info.Deb.Signature.KeyFile = "/does/not/exist"
info.Deb.Signature.Method = "dpkg-sig"

var deb bytes.Buffer
err := Default.Package(info, &deb)
require.Error(t, err)

var expectedError *nfpm.ErrSigningFailure
require.ErrorAs(t, err, &expectedError)
}

func TestDpkgSigSignatureCallback(t *testing.T) {
info := exampleInfo()
info.Deb.Signature.SignFn = func(r io.Reader) ([]byte, error) {
return sign.PGPClearSignWithKeyID(r, "../internal/sign/testdata/privkey.asc", "hunter2", nil)
}
info.Deb.Signature.Method = "dpkg-sig"
info.Deb.Signature.Signer = "bob McRobert"

var deb bytes.Buffer
err := Default.Package(info, &deb)
require.NoError(t, err)

signature := extractFileFromAr(t, deb.Bytes(), "_gpgbuilder")

err = sign.PGPReadMessage(signature, "../internal/sign/testdata/pubkey.asc")
require.NoError(t, err)
}

func TestDisableGlobbing(t *testing.T) {
info := exampleInfo()
info.DisableGlobbing = true
Expand Down
4 changes: 2 additions & 2 deletions nfpm.go
Original file line number Diff line number Diff line change
Expand Up @@ -413,8 +413,8 @@ type Deb struct {

type DebSignature struct {
PackageSignature `yaml:",inline" json:",inline"`
// debsign, or dpkg-sig (defaults to debsign)
Method string `yaml:"method,omitempty" json:"method,omitempty" jsonschema:"title=method role,enum=debsign,enum=dpkg-sig,default=debsign"`
// debsign (defaults to debsign)
Method string `yaml:"method,omitempty" json:"method,omitempty" jsonschema:"title=method role,enum=debsign,default=debsign"`
// origin, maint or archive (defaults to origin)
Type string `yaml:"type,omitempty" json:"type,omitempty" jsonschema:"title=signer role,enum=origin,enum=maint,enum=archive,default=origin"`
Signer string `yaml:"signer,omitempty" json:"signer,omitempty" jsonschema:"title=signer"`
Expand Down
14 changes: 3 additions & 11 deletions testdata/acceptance/deb.dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM debian:11 AS test_base
FROM debian AS test_base
ARG package
RUN echo "${package}"
COPY ${package} /tmp/foo.deb
Expand Down Expand Up @@ -85,14 +85,6 @@ RUN debsig-verify /tmp/foo.deb | grep "debsig: Verified package from 'Test packa
RUN echo "" > /etc/dpkg/dpkg.cfg
RUN dpkg -i /tmp/foo.deb

# ---- signed dpkg-sig test ----
FROM test_base AS dpkg-signed
RUN apt update -y
RUN apt install -y dpkg-sig
# TODO: we should properly check the signature here, not sure how to do so.
RUN dpkg-sig --verify /tmp/foo.deb | grep "UNKNOWNSIG _gpgbuilder 15BD80B3"
RUN dpkg -i /tmp/foo.deb

# ---- overrides test ----
FROM min AS overrides
RUN test -e /usr/bin/fake
Expand Down Expand Up @@ -120,8 +112,8 @@ FROM min AS env-var-version
ENV EXPECTVER=" Version: 1.0.0~0.1.b1+git.abcdefgh"
RUN dpkg --info /tmp/foo.deb | grep "Version" > found
RUN export FOUND_VER="$(cat found)" && \
echo "Expected: '${EXPECTVER}' :: Found: '${FOUND_VER}'" && \
test "${FOUND_VER}" = "${EXPECTVER}"
echo "Expected: '${EXPECTVER}' :: Found: '${FOUND_VER}'" && \
test "${FOUND_VER}" = "${EXPECTVER}"


# ---- changelog test ----
Expand Down
15 changes: 0 additions & 15 deletions testdata/acceptance/deb.dpkg-sig.sign.yaml

This file was deleted.

4 changes: 2 additions & 2 deletions www/docs/configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -397,9 +397,9 @@ deb:

# The package is signed if a key_file is set
signature:
# Signature method, either "dpkg-sig" or "debsign".
# Signature method.
# Defaults to "debsign"
method: dpkg-sig
method: debsign

# PGP secret key (can also be ASCII-armored). The passphrase is taken
# from the environment variable $NFPM_DEB_PASSPHRASE with a fallback
Expand Down
3 changes: 1 addition & 2 deletions www/docs/static/schema.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading