Tasks used with the signing service

GenerateKey task

This is a signing task that generates a new key on a signing worker and stores it for later use.

The task_data for this task may contain the following keys:

  • purpose (required): the purpose of the key to generate: uefi or kmod

  • description (required): A text string with a human-readable description of the new key’s intended purpose.

The output will be provided as a debusine:signing-key artifact. The task should typically be configured with an update-collection-with-artifacts event reaction to attach the new signing key to the collection where it will be used, such as debian:suite-signing-keys.

Todo

This will need additional parameters once we start supporting HSMs.

Sign task

This is a signing task that signs the contents of a debusine:signing-input artifact on a signing worker.

The task_data for this task may contain the following keys:

  • purpose (required): the purpose of the key to sign with: uefi or kmod (needed separately from key so that the scheduler can check whether the worker has the necessary tools available)

  • unsigned (Single lookup, required): the debusine:signing-input artifact whose contents should be signed

  • key (Single lookup, required): the debusine:signing-key artifact to sign with; must match purpose

The output will be provided as a debusine:signing-output artifact.

AssembleSignedSource task

This is a worker task that takes debusine:signing-output artifacts produced by Sign tasks and assembles the resulting source package.

The task_data for this task may contain the following keys:

The task operates as follows:

  • It makes a copy of the /usr/share/code-signing/$binary_package_name/source-template/ directory from the template binary package.

  • It checks that debian/source/format is exactly 3.0 (native) and that neither debian/source/options nor debian/source/local-options exists.

  • It checks that files.json uses only relative paths with no .. components.

  • For each package name and file name in the template’s files.json, it finds the corresponding file in the signed artifacts and copies it into debian/signatures/$package/$file.sig.

  • It packs the resulting assembled source package using dpkg-source -b, and makes a suitable .changes file for it using dpkg-genchanges.
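
The checks and the signature copy step described above, as an added example that is not debusine's own code. It assumes a files.json layout of {"packages": {<pkg>: {"files": [{"file": <path>}, ...]}}}, assumes the Sign task output is laid out as <signed_dir>/<pkg>/<file>.sig, and leaves the final dpkg-source -b / dpkg-genchanges packing out; the fixture it builds is constructed for the demonstration.

```python
"""Validate a code-signing source template and drop in signatures.

Added example, not debusine's own code. Assumed files.json layout:
{"packages": {<pkg>: {"files": [{"file": <path>}, ...]}}}, and assumed
Sign task output layout: <signed_dir>/<pkg>/<file>.sig.
"""
import json
import shutil
import tempfile
from pathlib import Path, PurePosixPath


class AssemblyError(Exception):
    """Raised when the template fails one of the pre-assembly checks."""


def check_source_format(source_dir: Path) -> None:
    # Only "3.0 (native)" is accepted, and no options file may change how
    # dpkg-source packs the tree.
    fmt = (source_dir / "debian" / "source" / "format").read_text().strip()
    if fmt != "3.0 (native)":
        raise AssemblyError(f"unexpected debian/source/format: {fmt!r}")
    for name in ("options", "local-options"):
        if (source_dir / "debian" / "source" / name).exists():
            raise AssemblyError(f"debian/source/{name} must not exist")


def safe_relative_path(name: str) -> PurePosixPath:
    # Reject absolute, empty and ".."-containing paths so that a signature
    # can only ever land inside debian/signatures/.
    path = PurePosixPath(name)
    if path.is_absolute() or not path.parts or ".." in path.parts:
        raise AssemblyError(f"unsafe path in files.json: {name!r}")
    return path


def assemble(template_dir: Path, files_json: Path, signed_dir: Path,
             work_dir: Path) -> list[str]:
    """Copy the template, validate it and copy every .sig into place.

    Returns the signature paths written, relative to the assembled tree.
    """
    source_dir = work_dir / "source"
    shutil.copytree(template_dir, source_dir)
    check_source_format(source_dir)
    manifest = json.loads(files_json.read_text())
    written = []
    for package, info in manifest["packages"].items():
        # The package name becomes a directory too, so it must be one
        # plain path component.
        if len(safe_relative_path(package).parts) != 1:
            raise AssemblyError(f"bad package name in files.json: {package!r}")
        for entry in info["files"]:
            rel = safe_relative_path(entry["file"])
            sig_name = rel.name + ".sig"
            src = signed_dir / package / str(rel.parent) / sig_name
            if not src.is_file():
                raise AssemblyError(f"missing signature for {package}/{rel}")
            dest = (source_dir / "debian" / "signatures" / package
                    / str(rel.parent) / sig_name)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, dest)
            written.append(dest.relative_to(source_dir).as_posix())
    return written


def build_demo(root: Path) -> tuple[Path, Path, Path]:
    # Constructed fixture standing in for the template binary package's
    # /usr/share/code-signing/<pkg>/ contents and for the Sign task output.
    template = root / "source-template"
    (template / "debian" / "source").mkdir(parents=True)
    (template / "debian" / "source" / "format").write_text("3.0 (native)\n")
    (template / "debian" / "changelog").write_text(
        "demo-signed (1.0) unstable; urgency=medium\n")
    files_json = root / "files.json"
    files_json.write_text(json.dumps({"packages": {
        "demo-image": {"files": [{"file": "boot/vmlinuz-demo"}]},
        "demo-modules": {"files": [{"file": "lib/modules/demo/x.ko"}]},
    }}))
    signed = root / "signed"
    for pkg, name in (("demo-image", "boot/vmlinuz-demo"),
                      ("demo-modules", "lib/modules/demo/x.ko")):
        sig = signed / pkg / (name + ".sig")
        sig.parent.mkdir(parents=True)
        sig.write_bytes(b"constructed-signature-bytes")
    return template, files_json, signed


def run_demo() -> list[str]:
    root = Path(tempfile.mkdtemp())
    template, files_json, signed = build_demo(root)
    return assemble(template, files_json, signed, root / "work")


def demo_rejects_traversal() -> bool:
    # A manifest entry with a ".." component must be refused before any copy.
    root = Path(tempfile.mkdtemp())
    template, files_json, signed = build_demo(root)
    files_json.write_text(json.dumps({"packages": {
        "demo-image": {"files": [{"file": "../../debian/rules"}]}}}))
    try:
        assemble(template, files_json, signed, root / "work")
    except AssemblyError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo())
    print("traversal rejected:", demo_rejects_traversal())
```

The path check runs on both the package name and the file name because both become directory components under debian/signatures/; the format check runs before any signature is copied so that a template with an unexpected debian/source/format or an options file is rejected without touching the work tree.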

The output will be provided as a debian:source-package artifact, with a built-using relationship to the debian:binary-package artifacts that were related to the input to the Sign task, and a debian:upload artifact containing that source package and the corresponding .changes file.