[neon/neon/keyring/Neon/unstable] debian: overhaul to a more modern packaging format, get rid of apt-key usage, migrate *.lists to signed-by: - required for noble
Carlos De Maine
null at kde.org
Tue Aug 20 04:06:26 BST 2024
Git commit 2eeea4596290e775199060cf9e06286e4bdc5d5a by Carlos De Maine.
Committed on 19/08/2024 at 10:10.
Pushed by carlosdem into branch 'Neon/unstable'.
overhaul to a more modern packaging format, get rid of apt-key usage, migrate *.lists to signed-by: - required for noble
M +6 -0 debian/changelog
A +1 -0 debian/compat
M +12 -7 debian/control
D +0 -6 debian/neon-keyring-udeb.postinst
A +7 -0 debian/neon-keyring.install
A +49 -0 debian/neon-keyring.postinst
D +0 -24 debian/postinst
M +10 -57 debian/rules
https://invent.kde.org/neon/neon/keyring/-/commit/2eeea4596290e775199060cf9e06286e4bdc5d5a
diff --git a/debian/changelog b/debian/changelog
index 85499ae..f8fcdf9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+neon-keyring (2024.08.09) jammy; urgency=medium
+
+ * Initial package
+
+ -- Jonathan Riddell <jriddell at ubuntu.com> Fri, 09 Aug 2024 17:05:45 +0100
+
neon-keyring (2016.06.06) xenial; urgency=medium
* Initial package
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/debian/control b/debian/control
index 1b4cd64..09aea25 100644
--- a/debian/control
+++ b/debian/control
@@ -1,16 +1,21 @@
Source: neon-keyring
-Section: misc
+Section: important
Priority: optional
Maintainer: Jonathan Riddell <jr at jriddell.org>
-Standards-Version: 3.8.7
+Standards-Version: 4.1.3
+Build-Depends: gnupg, debhelper (>= 10)
Vcs-Browser: http://packaging.neon.kde.org/cgit/neon/keyring.git/
Vcs-Git: git://packaging.neon.kde.org/neon/keyring
Package: neon-keyring
-Priority: optional
+Priority: important
Architecture: all
Multi-Arch: foreign
-Recommends: gpgv
-Description: GnuPG keys of the Neon archive
- KDE neon signs its Release files. This package
- contains the archive keys used for that.
+Description: GnuPG keys used by Neon
+ KDE neon signs all packages and also Release files used by the archive.
+ .
+ KDE neon also signs all ISO's and containers it releases.
+ .
+ This package contains the various armored and dearmored gpg key's used
+ for that purpose. This strengthens the web of trust around KDE neon's
+ artifacts.
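Review bot: `Section: important` in the source stanza is not an archive section; `important` is a priority value, and the binary stanza already sets `Priority: important`, so the line should stay `Section: misc`. In the new description, `ISO's` and `key's` should read `ISOs` and `keys`.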
diff --git a/debian/neon-keyring-udeb.postinst b/debian/neon-keyring-udeb.postinst
deleted file mode 100644
index cd54538..0000000
--- a/debian/neon-keyring-udeb.postinst
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-set -e
-DIR=/usr/share/keyrings
-if [ ! -e $DIR/archive.gpg ]; then
- ln -s neon-archive-keyring.gpg $DIR/archive.gpg
-fi
diff --git a/debian/neon-keyring.install b/debian/neon-keyring.install
new file mode 100644
index 0000000..ae99464
--- /dev/null
+++ b/debian/neon-keyring.install
@@ -0,0 +1,7 @@
+neon-archive-keyring.asc usr/share/keyrings/
+neon-archive-keyring.gpg etc/apt/keyring/
+neon-archive-keyring.gpg usr/share/keyrings/
+
+neon-iso-keyring.asc usr/share/keyrings
+neon-iso-keyring.gpg etc/apt/keyring/
+neon-iso-keyring.gpg usr/share/keyrings/
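Review bot: The target `etc/apt/keyring/` differs from the `/etc/apt/keyrings/` directory that sources.list(5) names for locally managed keys, with `/usr/share/keyrings/` being the place for package-managed ones. The postinst in this commit uses the same singular path, so the two files agree, but the name is worth confirming. Files installed under `/etc` are normally treated as conffiles, so a later key rotation could be held back where the copy was edited locally. Pointing `signed-by` at the `usr/share/keyrings/` copy would avoid shipping each `.gpg` twice.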
diff --git a/debian/neon-keyring.postinst b/debian/neon-keyring.postinst
new file mode 100644
index 0000000..de11908
--- /dev/null
+++ b/debian/neon-keyring.postinst
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+set -ex
+
+ARCH= dpkg --print-architecture
+
+# move apt-key master key back to where it belongs if it was previously moved in unstable
+if [ ! -e /etc/apt/trusted.gpg ] && [ -e /etc/apt/trusted.gpg.d/apt-trusted.gpg ]; then
+ mv /etc/apt/trusted.gpg.d/apt-trusted.gpg /etc/apt/trusted.gpg
+fi
+
+# rm any neon keys from the apt-key keyring and update *.list
+if [ "$1" = 'configure' -a -n "$2" ]; then
+ # remove keys from the trusted.gpg file as they are now shipped in trusted.gpg.d
+ if dpkg --compare-versions "$2" 'lt' "2024.08.09" && which gpg > /dev/null && which apt-key > /dev/null; then
+ TRUSTEDFILE='/etc/apt/trusted.gpg'
+ eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
+ eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
+ if [ "$TRUSTEDFILE" ]; then
+ # rm neon archive-signing-key
+ for KEY in '444D ABCF 3667 D028 3F89 4EDD E6D4 7362 5575 1E5D'; do
+ # rm the historic post-install copy to stop apt-key re-entering that keyring
+ if [ -e /etc/apt/trusted.gpg.d/neon-archive-keyring ]; then
+ rm /etc/apt/trusted.gpg.d/neon-archive-keyring.gpg
+ fi
+ # rm the the key from the apt-key trusted.gpg keyring
+ apt-key --keyring "$TRUSTEDFILE" del $KEY > /dev/null 2>&1 || :
+ # update the *.list to reflect the signed key path
+ SIGNEDBY='[signed-by=/etc/apt/keyring/neon-archive-keyring.gpg]'
+ DEB_LIST=/etc/apt/sources.list.d/neon.list
+ sed -i "s#deb http#deb $SIGNEDBY http#" $DEB_LIST
+ sed -i "s#deb-src http#deb-src $SIGNEDBY http#" $DEB_LIST
+ done
+ # rm ancient Ubuntu Local Archive One-Time Signing Key <cdimage at ubuntu.com>
+ for KEY in '7B92 9DC5 3D6D 77FD 6427 45ED 1EC9 3359 A395 228C'; do
+ # rm the historic post-install copy to stop apt-key re-entering that keyring
+ if [ -e /etc/apt/trusted.gpg.d/ubuntu-local-archive-one-time-signing-key.gpg ]; then
+ rm /etc/apt/trusted.gpg.d/ubuntu-local-archive-one-time-signing-key.gpg
+ fi
+ # rm the the key from the apt-key trusted.gpg keyring
+ apt-key --keyring "$TRUSTEDFILE" del $KEY > /dev/null 2>&1 || :
+ # update the *.list to reflect the signed key path
+ SIGNEDBY='[signed-by=/etc/apt/keyring/ubuntu-local-archive-one-time-signing-key.gpg]'
+ DEB_LIST=/etc/apt/sources.list.d/preinstalled-pool.list
+ sed -i "s#deb [arch=$ARCH] file#deb [arch=$ARCH $SIGNEDBY file#" $DEB_LIST
+ done
+ fi
+ fi
+fi
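Review bot: The guard `[ -e /etc/apt/trusted.gpg.d/neon-archive-keyring ]` tests a path without the `.gpg` suffix, so the historic copy in trusted.gpg.d is probably never removed and the archive key stays trusted for every source, which defeats the signed-by scoping this commit introduces; an unconditional `rm -f` of the `.gpg` path would do. `ARCH= dpkg --print-architecture` runs dpkg with an empty ARCH and leaves the shell variable unset, so the preinstalled-pool.list substitution is built from `[arch=]`, which sed also reads as a bracket expression, and its replacement nests `[signed-by=…]` inside an unclosed `[arch=…`. That signed-by path names `/etc/apt/keyring/ubuntu-local-archive-one-time-signing-key.gpg`, which neon-keyring.install in this commit does not ship, so confirm something else provides it before pointing apt at it. Under `set -e` the unguarded `sed -i` calls also abort the postinst when either list file is absent.

```shell
ARCH=$(dpkg --print-architecture)
# … unchanged: trusted.gpg move, version guard, apt-config lookups …
      # rm the historic post-install copy to stop apt-key re-entering that keyring
      rm -f /etc/apt/trusted.gpg.d/neon-archive-keyring.gpg
      # … unchanged: apt-key del, SIGNEDBY and DEB_LIST for neon.list …
      if [ -e "$DEB_LIST" ]; then
        sed -i "s#deb http#deb $SIGNEDBY http#" "$DEB_LIST"
        sed -i "s#deb-src http#deb-src $SIGNEDBY http#" "$DEB_LIST"
      fi
      # … unchanged: one-time signing key loop up to apt-key del …
      # signed-by joins the existing option list instead of opening a second bracket
      SIGNEDBY='signed-by=/etc/apt/keyring/ubuntu-local-archive-one-time-signing-key.gpg'
      DEB_LIST=/etc/apt/sources.list.d/preinstalled-pool.list
      if [ -e "$DEB_LIST" ]; then
        sed -i "s#deb \[arch=$ARCH\] file#deb [arch=$ARCH $SIGNEDBY] file#" "$DEB_LIST"
      fi
```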
diff --git a/debian/postinst b/debian/postinst
deleted file mode 100644
index f6053ab..0000000
--- a/debian/postinst
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-# the keyring in /var that gets fetched by apt-key net-update
-# if it does not yet exist, copy it to avoid uneeded net copy
-KEYRINGDIR="/var/lib/apt/keyrings"
-KEYRING="${KEYRINGDIR}/neon-archive-keyring.gpg"
-
-if ! test -d $KEYRINGDIR; then
- mkdir -m 755 -p $KEYRINGDIR
-fi
-
-if ! test -f $KEYRING; then
- cp /usr/share/keyrings/neon-archive-keyring.gpg $KEYRING
- touch $KEYRING
-fi
-
-cp /usr/share/keyrings/neon-archive-keyring.gpg /etc/apt/trusted.gpg.d/
-
-# Deprecated file created for 'Ubuntu Local Archive One-Time Signing Key' but it creates an ugly error message
-# https://bugs.kde.org/show_bug.cgi?id=482341
-# And man apt-key deprecation notice
-if [ -e /etc/apt/trusted.gpg ]; then
- mv /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/apt-trusted.gpg
-fi
diff --git a/debian/rules b/debian/rules
index b1f66ee..a369087 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,63 +1,16 @@
#!/usr/bin/make -f
-# debian/rules file - for debian/keyring
-# Based on sample debian/rules file - for GNU Hello (1.3).
-# Copyright 1994,1995 by Ian Jackson.
-# Copyright 1998-2003 James Troup
-# I hereby give you perpetual unlimited permission to copy,
-# modify and relicense this file, provided that you do not remove
-# my name from the file itself. (I assert my moral right of
-# paternity under the Copyright, Designs and Patents Act 1988.)
-# This file may have to be extensively modified
-install_dir=install -d -m 755
-install_file=install -m 644
-install_script=install -m 755
-install_binary=install -m 755 -s
+%:
+ dh $@
-VERSION := $(shell dpkg-parsechangelog | grep ^Version: | cut -d' ' -f2)
+binary: build_neon_keyring
-build:
+build_neon_keyring:
+ # regenerate the keyrings to test
+ gpg --no-default-keyring --export-options export-minimal --keyring ./keyrings/neon-archive-keyring.gpg --output ./neon-archive-keyring.gpg --export 444DABCF3667D0283F894EDDE6D4736255751E5D
+ gpg --export --keyring ./neon-archive-keyring.gpg --export-options export-minimal --armor > neon-archive-keyring.asc
-clean:
- $(checkdir)
- -rm -f foo foo.asc *.bak *~ */*~ debian/files* debian/*substvars
- -rm -rf debian/tmp debian/neon-keyring-udeb
+ gpg --no-default-keyring --export-options export-minimal --keyring ./keyrings/neon-iso-keyring.gpg --output ./neon-iso-keyring.gpg --export 348C8651206633FD983A8FC4DEACEA00075E1D76
+ gpg --export --keyring ./neon-iso-keyring.gpg --export-options export-minimal --armor > neon-iso-keyring.asc
-binary-indep: checkroot
- $(checkdir)
- -rm -rf debian/tmp
- $(install_dir) debian/tmp/DEBIAN/
- $(install_script) debian/postinst debian/tmp/DEBIAN/
-
- $(install_dir) debian/tmp/usr/share/keyrings/
- $(install_file) keyrings/neon-archive-keyring.gpg debian/tmp/usr/share/keyrings/
- $(install_file) keyrings/neon-iso-keyring.gpg debian/tmp/usr/share/keyrings/
-
- $(install_dir) debian/tmp/usr/share/doc/neon-keyring/
- $(install_file) debian/changelog debian/tmp/usr/share/doc/neon-keyring/changelog
- gzip -9v debian/tmp/usr/share/doc/neon-keyring/*
- $(install_file) debian/copyright debian/tmp/usr/share/doc/neon-keyring/
- cd debian/tmp; find -type f \! -regex '.*/DEBIAN/.*' -printf '%P\0' | xargs -r0 md5sum >DEBIAN/md5sums
-
- dpkg-gencontrol -pneon-keyring -isp
- chown -R root.root debian/tmp
- chmod -R go=rX debian/tmp
- dpkg --build debian/tmp ..
-
- -rm -rf debian/neon-keyring-udeb
-
-binary-arch:
-
-define checkdir
- test -f keyrings/neon-archive-keyring.gpg
-endef
-
-# Below here is fairly generic really
-
-binary: binary-indep binary-arch
-
-checkroot:
- $(checkdir)
- test root = "`whoami`"
-
-.PHONY: binary binary-arch binary-indep clean checkroot build
+test_keyrings:
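Review bot: The two `--armor` exports in `build_neon_keyring` omit `--no-default-keyring` and name no key, so gpg also reads the building user's default keyring and the shipped `.asc` files can pick up whatever keys are in it. Add the option and the fingerprint, e.g. `gpg --no-default-keyring --keyring ./neon-archive-keyring.gpg --export-options export-minimal --armor --export 444DABCF3667D0283F894EDDE6D4736255751E5D > neon-archive-keyring.asc`, and do the same for the ISO key. The keyrings are only built as a prerequisite of `binary`, so a builder that invokes `binary-indep` directly would presumably reach dh_install without them; running the recipe from `override_dh_auto_build` avoids that. `test_keyrings:` has no recipe within the hunk, and none of the new targets is declared `.PHONY`.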