Tasks used with the signing service
GenerateKey task
This is a signing task that generates a new key on a signing worker and stores it for later use.
The task_data for this task may contain the following keys:
purpose (required): the purpose of the key to generate: uefi or kmod
description (required): a text string with a human-readable description of the new key’s intended purpose
The output will be provided as a debusine:signing-key artifact. The task should typically be configured with an update-collection-with-artifacts event reaction to attach the new signing key to the collection where it will be used, such as debian:suite-signing-keys.
Todo: This will need additional parameters once we start supporting HSMs.
Sign task
This is a signing task that signs the contents of a debusine:signing-input artifact on a signing worker.
The task_data for this task may contain the following keys:
purpose (required): the purpose of the key to sign with: uefi or kmod (needed separately from key so that the scheduler can check whether the worker has the necessary tools available)
unsigned (Single lookup, required): the debusine:signing-input artifact whose contents should be signed
key (Single lookup, required): the debusine:signing-key artifact to sign with; must match purpose
The output will be provided as a debusine:signing-output artifact.
AssembleSignedSource task
This is a worker task that takes debusine:signing-output artifacts produced by Sign tasks and assembles the resulting source package.
The task_data for this task may contain the following keys:
template (Single lookup, required): a debian:binary-package artifact containing a source template
signed (Multiple lookup, required): signed debusine:signing-output artifacts matching the template
The task operates as follows:
1. It makes a copy of the /usr/share/code-signing/$binary_package_name/source-template/ directory from the template binary package.
2. It checks that debian/source/format is exactly 3.0 (native) and that neither debian/source/options nor debian/source/local-options exists.
3. It checks that files.json uses only relative paths with no .. components.
4. For each package name and file name in the template’s files.json, it finds the corresponding file in the signed artifacts and copies it into debian/signatures/$package/$file.sig.
5. It packs the resulting assembled source package using dpkg-source -b, and makes a suitable .changes file for it using dpkg-genchanges.
The output will be provided as a debian:source-package artifact, with a built-using relationship to the debian:binary-package artifacts that were related to the input to the Sign task, and a debian:upload artifact containing that source package and the corresponding .changes file.
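The template checks and the signature placement in steps 2 to 4 above, as an added example that is not debusine’s own code. It assumes files.json has the layout {"packages": {pkg: {"files": [{"file": ...}]}}} and uses a constructed sample that includes one path the check must reject.

```python
import json


def is_safe_relative_path(path: str) -> bool:
    """True only for a relative POSIX path with no '..' component."""
    if not path or path.startswith("/"):
        return False
    return ".." not in path.split("/")


def source_layout_problems(format_text: str, present: set[str]) -> list[str]:
    """Checks on debian/source/: format must be exactly '3.0 (native)', and
    neither options nor local-options may exist. `present` is the set of
    file names found in debian/source/."""
    problems = []
    if format_text.strip() != "3.0 (native)":
        problems.append(f"unsupported source format {format_text.strip()!r}")
    for name in ("options", "local-options"):
        if name in present:
            problems.append(f"debian/source/{name} must not exist")
    return problems


def plan_signatures(files_json_text: str) -> tuple[dict, list[str]]:
    """Map each (package, file) in files.json to its destination
    debian/signatures/$package/$file.sig. Returns (destinations, rejected);
    a caller must refuse the whole template when `rejected` is non-empty.
    The files.json layout used here is an assumption, not debusine's schema."""
    data = json.loads(files_json_text)
    destinations, rejected = {}, []
    for package, info in data["packages"].items():
        if "/" in package or not is_safe_relative_path(package):
            rejected.append(package)
            continue
        for entry in info["files"]:
            path = entry["file"]
            if not is_safe_relative_path(path):
                rejected.append(path)
                continue
            destinations[(package, path)] = f"debian/signatures/{package}/{path}.sig"
    return destinations, rejected


# Constructed sample files.json (not from a real package); the second entry
# is deliberately outside the template and must be rejected.
SAMPLE_FILES_JSON = json.dumps({"packages": {
    "grub-efi-amd64-bin": {"files": [{"file": "monolithic/grubx64.efi"}]},
    "bad-template": {"files": [{"file": "../outside.efi"}]},
}})

if __name__ == "__main__":
    print(source_layout_problems("3.0 (quilt)\n", {"format", "options"}))
    print(plan_signatures(SAMPLE_FILES_JSON))
```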