Tasks used with the signing service

GenerateKey task

This is a signing task that generates a new key on a signing worker and stores it for later use.

The task_data for this task may contain the following keys:

purpose (required): the purpose of the key to generate: uefi or kmod
description (required): A text string with a human-readable description of the new key’s intended purpose.

The output will be provided as a debusine:signing-key artifact. The task should typically be configured with an update-collection-with-artifacts event reaction to attach the new signing key to the collection where it will be used, such as debian:suite-signing-keys.

Todo

This will need additional parameters once we start supporting HSMs.

This is a signing task that signs the contents of a debusine:signing-input artifact on a signing worker.

The task_data for this task may contain the following keys:

purpose (required): the purpose of the key to sign with: uefi or kmod (needed separately from key so that the scheduler can check whether the worker has the necessary tools available)
unsigned (Single lookup, required): the debusine:signing-input artifact whose contents should be signed
key (Single lookup, required): the debusine:signing-key artifact to sign with; must match purpose

The output will be provided as a debusine:signing-output artifact.

This is a worker task that takes debusine:signing-output artifacts produced by Sign tasks and assembles the resulting source package.

The task_data for this task may contain the following keys:

template (Single lookup, required): a debian:binary-package artifact containing a source template
signed (Multiple lookup, required): signed debusine:signing-output artifacts matching the template

The task operates as follows:

It makes a copy of the /usr/share/code-signing/$binary_package_name/source-template/ directory from the template binary package.
It checks that debian/source/format is exactly 3.0 (native) and that neither debian/source/options nor debian/source/local-options exists.
It checks that files.json uses only relative paths with no .. components.
For each package name and file name in the template’s files.json, it finds the corresponding file in the signed artifacts and copies it into debian/signatures/$package/$file.sig.
It packs the resulting assembled source package using dpkg-source -b, and makes a suitable .changes file for it using dpkg-genchanges.

The output will be provided as a debian:source-package artifact, with a built-using relationship to the debian:binary-package artifacts that were related to the input to the Sign task, and a debian:upload artifact containing that source package and the corresponding .changes file.