* Package name    : sbctl
  Version         : 0.10
  Upstream Contact: Morten Linderud <morten@linderud.pw>
* URL             : https://github.com/Foxboron/sbctl/
* License         : MIT
  Programming Lang: Go
  Description     : Secure Boot Manager

sbctl is a user-friendly secure boot key manager capable of setting up secure boot, offering key management capabilities, and keeping track of files that need to be signed in the boot chain.

sbctl has a *much* easier to use interface than mokutil (just look at the screenshots!), but since I am not familiar with Go I hope that somebody else who is more qualified will package it.

https://salsa.debian.org/go-team/packages/sbctl

as well as the missing dependency:

https://salsa.debian.org/go-team/packages/golang-github-foxboron-go-uefi

Note that there are two debian/patches for sbctl:

1) First, to use FHS paths, diverging from upstream's locations (which is non-ideal). Upstream issue #57 is open upstream: https://github.com/Foxboron/sbctl/issues/57

2) Second, to disable TPM support. It requires a long dependency chain for Go-Attestation that felt too overwhelming for me. YMMV :)

This package builds and works for me. I'm not up for maintaining it in the long run though, so I'm leaving this as an RFP and *not* uploading it to unstable. Hopefully this initial packaging work is useful to whoever decides to pick it up.

If anyone else is up for it, I may be available to sponsor the uploads and/or provide code reviews.

Best,
Faidon

Hi

I have updated/finished packaging of the go-uefi dependency and uploaded it to NEW:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095271

I hope to upload 'sbctl' as well eventually, but latest 0.16 release requires landlock+libcap, see errors below. I put a pipeline of 'sbctl' here:

https://salsa.debian.org/jas/sbctl/-/pipelines/

I looked into landlock+libcap but it looked a bit messy: 'libcap2' is in Debian but without the golang-*-dev package, and maybe this should be a separate source package if the Go wrapper has little to do with the C library. Hopefully I will resume on that or someone else beats me to it.

/Simon

src/github.com/foxboron/sbctl/config/config.go:11:2: cannot find package "github.com/landlock-lsm/go-landlock/landlock" in any of:
    /usr/lib/go-1.23/src/github.com/landlock-lsm/go-landlock/landlock (from $GOROOT)
    /build/sbctl-0.16/_build/src/github.com/landlock-lsm/go-landlock/landlock (from $GOPATH)
src/github.com/foxboron/sbctl/lsm/lsm.go:10:2: cannot find package "github.com/landlock-lsm/go-landlock/landlock/syscall" in any of:
    /usr/lib/go-1.23/src/github.com/landlock-lsm/go-landlock/landlock/syscall (from $GOROOT)
    /build/sbctl-0.16/_build/src/github.com/landlock-lsm/go-landlock/landlock/syscall (from $GOPATH)

About libcap2, I also stumbled on this while packaging docker-buildx, I don't think that adding a new source package makes sense, but their Go build script seems a bit complicated.

By the way, building the go packages will resolve #1064065 [1].

[1]: https://sources.debian.org/src/libcap2/1%3A2.66-5/go/Makefile/#L171-L181

Thank you for finishing up my packaging, uploading it and offering to maintain it in the long run, much appreciated!

Best,
Faidon

Faidon Liambotis <paravoid@debian.org> writes:

Thanks for doing most of the work! I'm happy that I think we are getting closer to getting libcap's golang packages into Debian right now, which will allow 'sbctl' to finally be uploaded too.

/Simon

I've noticed that the package would no longer build with the updated dependency:

$ dpkg-buildpackage -uc -us -b
dpkg-buildpackage: info: source package sbctl
dpkg-buildpackage: info: source version 0.13-1
dpkg-buildpackage: info: source distribution UNRELEASED
dpkg-buildpackage: info: source changed by Faidon Liambotis <paravoid@debian.org>
dpkg-buildpackage: info: host architecture arm64
 dpkg-source --before-build .
 debian/rules clean
dh clean --builddirectory=_build --buildsystem=golang --with=golang
   dh_auto_clean -O--builddirectory=_build -O--buildsystem=golang
   debian/rules execute_after_dh_auto_clean
make[1]: Entering directory '/home/erebion/git/sbctl'
make clean
make[2]: Entering directory '/home/erebion/git/sbctl'
rm -f docs/sbctl.8
rm -f sbctl
make[2]: Leaving directory '/home/erebion/git/sbctl'
rm -rf contrib/completions/
make[1]: Leaving directory '/home/erebion/git/sbctl'
   dh_autoreconf_clean -O--builddirectory=_build -O--buildsystem=golang
   dh_clean -O--builddirectory=_build -O--buildsystem=golang
 debian/rules binary
dh binary --builddirectory=_build --buildsystem=golang --with=golang
   dh_update_autotools_config -O--builddirectory=_build -O--buildsystem=golang
   dh_autoreconf -O--builddirectory=_build -O--buildsystem=golang
   dh_auto_configure -O--builddirectory=_build -O--buildsystem=golang
   dh_auto_build -O--builddirectory=_build -O--buildsystem=golang
        cd _build && go install -trimpath -v -p 8 github.com/foxboron/sbctl github.com/foxboron/sbctl/certs github.com/foxboron/sbctl/cmd/sbctl github.com/foxboron/sbctl/dmi github.com/foxboron/sbctl/fs github.com/foxboron/sbctl/hierarchy github.com/foxboron/sbctl/logging github.com/foxboron/sbctl/quirks github.com/foxboron/sbctl/stringset
src/github.com/foxboron/sbctl/keys.go:18:2: cannot find package "github.com/foxboron/go-uefi/efi/pecoff" in any of:
        /usr/lib/go-1.24/src/github.com/foxboron/go-uefi/efi/pecoff (from $GOROOT)
        /home/erebion/git/sbctl/_build/src/github.com/foxboron/go-uefi/efi/pecoff (from $GOPATH)
src/github.com/foxboron/sbctl/keys.go:19:2: cannot find package "github.com/foxboron/go-uefi/efi/pkcs7" in any of:
        /usr/lib/go-1.24/src/github.com/foxboron/go-uefi/efi/pkcs7 (from $GOROOT)
        /home/erebion/git/sbctl/_build/src/github.com/foxboron/go-uefi/efi/pkcs7 (from $GOPATH)
dh_auto_build: error: cd _build && go install -trimpath -v -p 8 github.com/foxboron/sbctl github.com/foxboron/sbctl/certs github.com/foxboron/sbctl/cmd/sbctl github.com/foxboron/sbctl/dmi github.com/foxboron/sbctl/fs github.com/foxboron/sbctl/hierarchy github.com/foxboron/sbctl/logging github.com/foxboron/sbctl/quirks github.com/foxboron/sbctl/stringset returned exit code 1
make: *** [debian/rules:10: binary] Error 1
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2

The newer version no longer includes the following folders:

efi/pecoff
efi/pkcs7

It did build fine with golang-github-foxboron-go-uefi-dev_0.0~git20231219.b6c4a74-1_all.deb, though. (Which I've built from the Salsa repo before it was uploaded.)

The build process still looks for something which clearly it should no longer be looking for.

I don't know go, but I thought this might be helpful.

Have a nice day. :)

erebion

On Mon, 17 Feb 2025 00:28:19 +0100 Simon Josefsson <simon@josefsson.org> wrote:
> Faidon Liambotis <paravoid@debian.org> writes:
>
> > On Thu, Feb 06, 2025 at 10:59:58AM +0100, Simon Josefsson wrote:
> >> I have updated/finished packaging of the go-uefi dependency and uploaded
> >> it to NEW:
> >>
> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095271
> >>
> >> I hope to upload 'sbctl' as well eventually, but latest 0.16 release
> >> requires landlock+libcap, see errors below.
> >> here:
> >
> > Thank you for finishing up my packaging, uploading it and offering to
> > maintain it in the long run, much appreciated!
>
> Thanks for doing most of the work! I'm happy that I think we are
> getting closer to getting libcap's golang packages into Debian right
> now, which will allow 'sbctl' to finally be uploaded too.
>
> /Simon

Hi there.

What is the status of sbctl right now? I see all the dependencies are in Debian (there is only golang-github-go-piv-piv-go-dev (>= 2.0) in experimental for now), that's great, guys!

As I use sbctl myself I've made an update for your package:

1. new upstream version
2. bootctl integration to cover the situation, when systemd-boot-efi got updated.
3. New installation auto setup.
4. Use upstream git tags in gbp.

I do not like current bootctl integration a lot, because it has 2 problems:

* writing signed files to /usr/lib/systemd/boot/efi
* calling bootctl update directly instead of triggering systemd-boot-signed

Both moments could be discussed with systemd maintainers.

Also there is tests/ dir in upstream sources, that contains plenty of pre-compiled binaries. Maybe we should exclude them from sources as I'm not sure all of them are DFSG-compatible.

Feel free to use my work from https://salsa.debian.org/gq/sbctl

And do not hesitate to contact me if any help is needed.

Alexander GQ Gerasiov <gq@debian.org> writes:

What are the main changes compared to:

https://salsa.debian.org/go-team/packages/sbctl

?

I'll take a look, but last time we were waiting on dependencies, but if I managed to get them all into unstable now, let's revisit 'sbctl' itself!

/Simon

Alexander GQ Gerasiov <gq@debian.org> writes:

We should try to get that one into unstable, I think yubikey-agent and golang-github-smallstep-certificates need attention and I've been working on the latter one recently so this may be fixed by now.

Thank you! I have merged some of these fixes now, into:

https://salsa.debian.org/go-team/packages/sbctl/

with pipeline here:

https://salsa.debian.org/jas/sbctl/-/pipelines/959775

The failures are mostly because of the experimental dependency.

I didn't merge this, as I can't evaluate it. What do you think about having 'sbctl' as a package for the binary only, and a new separate package 'sbctl-setup' as a package that 'Depends: sbctl' and includes your postinst/prerm scripts? That would make me more comfortable, and allows simpler testing.

Is there some advantage with that? I thought the Debian practice was to add a signed upstream/0.18 tag, to have some way to track if upstream is moving their tags around.

Sure, and having this in 'sbctl-setup' makes things easier to discuss, I think.

We could try asking upstream to remove them, but we may not succeed.

co-maintain this.

/Simon

To avoid inventing a new naming scheme, you could have `sbctl-bin` and `sbctl`. This would match the scheme used by grub and others.

Chris

Chris Hofstaedtler <zeha@debian.org> writes:

Great suggestion, thank you. Alas there are some examples of using *-tools or *-utils or even *-util, I think, but at least your idea is better than my approach.

Alexander, feel free to push this change if you want, alas I don't have more time to work on this today.

/Simon

Hi.

I have uploaded 7ff5b54618a566b450d18023fce48cb649fb691b to NEW using the 'sbctl' and 'sbctl-bin' naming, to get the NEW processing started. I have not dared to test the postinst/prerm 'sbctl' scripts on my machine, but I also don't think that is critical: we can sort out bugs in those scripts later on. Having this in experimental will allow more people to test it.

https://salsa.debian.org/go-team/packages/sbctl/
https://salsa.debian.org/jas/sbctl/-/pipelines/961822

We can work out how to migrate golang-github-go-piv-piv-go (and then sbctl) to unstable eventually, the blocker for this is the 'yubikey-agent' package which is stuck on v1.x but sbctl requires v2.x. If the following upstream bug report doesn't see action, I suppose we could introduce a golang-github-go-piv-piv-go-v1-dev package to keep yubikey-agent happy, and let the golang-github-go-piv-piv-go package move forward and use v2 for upstream source.

https://github.com/FiloSottile/yubikey-agent/issues/161

/Simon