#1089433 shim-helpers-arm64-signed: Supporting rootless builds by default

#1089433#5
Date: 2024-12-07 20:38:02 UTC
Dear maintainer,

During a test rebuild for building packages with
`Rules-Requires-Root: no` as the default in `dpkg`,
shim-helpers-arm64-signed failed to rebuild.

Log Summary:
-------------------------------------------------------------------------------
[...]

+------------------------------------------------------------------------------+
| Build                                                                        |
+------------------------------------------------------------------------------+


Unpack source
-------------

Format: 3.0 (native)
Source: shim-helpers-arm64-signed
Binary: shim-helpers-arm64-signed
Architecture: arm64
Version: 1+15.8+1
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
Standards-Version: 4.3.0
Build-Depends: debhelper (>= 10.1~), sbsigntool [amd64 arm64 i386],
shim-unsigned (= 15.8-1)
Package-List:
  shim-helpers-arm64-signed deb admin optional arch=arm64
Checksums-Sha1:
  acc84dcdd40224f958eb448d1d7ab4f788d88931 4852 shim-helpers-arm64-signed_1+15.8+1.tar.xz
Checksums-Sha256:
  4a09ab968aaea8558aa5d4cd5fafd09d0527860f034ae2097fe96872c01cf53e 4852 shim-helpers-arm64-signed_1+15.8+1.tar.xz
Files:
  25bae887a6404fcf651b774bf3f316f2 4852 shim-helpers-arm64-signed_1+15.8+1.tar.xz


gpgv: Signature made Mon May  6 13:51:41 2024 UTC
gpgv:                using RSA key 7CA15FBC7108FA0914F84F9D8B415188B74E3736
gpgv: Can't check signature: No public key
dpkg-source: warning: cannot verify inline signature for ./shim-helpers-arm64-signed_1+15.8+1.dsc: no acceptable signature found
dpkg-source: info: extracting shim-helpers-arm64-signed in /<<PKGBUILDDIR>>
dpkg-source: info: unpacking shim-helpers-arm64-signed_1+15.8+1.tar.xz

Check disk space
----------------

Sufficient free space for build

User Environment
----------------

APT_CONFIG=/var/lib/sbuild/apt.conf
HOME=/sbuild-nonexistent
LANG=C.UTF-8
LC_ALL=C.UTF-8
LOGNAME=debusine-worker
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
SHELL=/bin/sh
USER=debusine-worker

dpkg-buildpackage
-----------------

Command: dpkg-buildpackage -us -uc -b -rfakeroot
dpkg-buildpackage: info: source package shim-helpers-arm64-signed
dpkg-buildpackage: info: source version 1+15.8+1
dpkg-buildpackage: info: source distribution unstable
dpkg-buildpackage: info: source changed by Debian signing service <ftpmaster@debian.org>
  dpkg-source --before-build .
dpkg-buildpackage: info: host architecture arm64
  debian/rules clean
dh clean
    dh_clean
  debian/rules binary
dh binary
    dh_update_autotools_config
    dh_autoreconf
    create-stamp debian/debhelper-build-stamp
    dh_prep
    debian/rules override_dh_auto_install
make[1]: Entering directory '/<<PKGBUILDDIR>>'
set -e ; \
find "debian/signatures/shim-unsigned" -name '*.sig' -printf '%P\n' | \
while read sig; do \
	install -o 0 -g 0 -m 0755 -d "debian/tmp/${sig%/*}" ; \
	install -o 0 -g 0 -m 0644 "/${sig%.sig}" "debian/tmp/${sig}ned" ; \
	sbattach --attach "debian/signatures/shim-unsigned/$sig" "debian/tmp/${sig}ned" ; \
done
install: cannot change owner and permissions of ‘debian/tmp/usr/lib/shim’: Operation not permitted
make[1]: *** [debian/rules:9: override_dh_auto_install] Error 1
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
make: *** [debian/rules:6: binary] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
--------------------------------------------------------------------------------
Build finished at 2024-11-18T14:43:41Z
-------------------------------------------------------------------------------


The above is just how the build ends and not necessarily the most
relevant part. If required, the full build log is available here:

https://people.debian.org/~nthykier/rrr-no-as-default/logs/1044524.gz

You can find common solutions at
https://people.debian.org/~nthykier/rrr-no-as-default/docs/solutions.md

If this is really a bug in one of the build-depends, please use
reassign and affects, so that this is still visible in the BTS web
page for this package.

If this package is listed in
https://people.debian.org/~nthykier/rrr-no-as-default/docs/static-ownership.list,
then please just set `Rules-Requires-Root: binary-targets` to the source
stanza of `debian/control` as a fix to this bug.

If this package is listed in
https://people.debian.org/~nthykier/rrr-no-as-default/docs/maybe-misbuilds.list,
then the package was deemed at risk for misbuilding (having wrong
ownership) but had a FTBFS problem when we tested it. Please test whether the
package works with `Rules-Requires-Root: no`, validating that the
resulting deb has the correct ownership for all paths in the deb.

The goal is to have the default changed in `dpkg` either in `Trixie` or
`Forky`, depending on progress and feasibility with the release schedule
for Trixie.

For more information on this bug filing, please see:
https://lists.debian.org/debian-dpkg/2024/11/msg00016.html

Thanks,


PS: The builds were performed in mid-November. If you fixed the problem
between then and this bug being filed, then please just close
the bug with the version it was fixed in.

#1089433#10
Date: 2024-12-28 12:06:42 UTC
Control: tags -1 patch

Please review attached as an example of how to fix this problem.

Note: Untested, since I was doing my testing on amd64.

Best regards,
Niels

#1089433#21
Date: 2025-04-11 19:11:38 UTC
Hello Niels,

LGTM. I applied your patch and built the package with a regular user as
follows:

$ dpkg-buildpackage -us -uc -b -rfakeroot

The signed files in the resulting binary have the right user, group, and
permissions:

$ dpkg --contents shim-helpers-arm64-signed_1+15.8+1+nmu1_arm64.deb | grep -F .signed
-rw-r--r-- root/root     90752 2024-12-28 12:03 ./usr/lib/shim/fbaa64.efi.signed
-rw-r--r-- root/root    887472 2024-12-28 12:03 ./usr/lib/shim/mmaa64.efi.signed

As far as I understand though, the shim-helpers-arm64-signed source
package is generated by shim. I think the file we want to change is
debian/signing-template/rules in the shim sources. Ditto for
debian/signing-template/control.in.

See attached patch.
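As an added example (not the package's debian/rules and not the attached patch, which is not reproduced in this thread), here is the override_dh_auto_install loop from the build log rewritten without `-o 0 -g 0`, which is the part that fails under a non-root builder, run against a constructed directory tree with a stand-in for sbattach. Under `Rules-Requires-Root: no`, dh_builddeb passes `--root-owner-group` to dpkg-deb, so root:root ownership is applied when the .deb is assembled rather than at install time; the paths `$work/root`, `$work/sigs` and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the package's own rules file: a rootless variant of the
# install loop from the failing build. The only change to the loop is
# dropping "-o 0 -g 0"; the mode is still set explicitly, and ownership is
# normalised later by dpkg-deb --root-owner-group (added by dh_builddeb when
# Rules-Requires-Root is "no"), so install never needs to chown anything.
set -e

# Stand-in for sbattach (assumption): appends the detached signature bytes
# to the target so the effect of signing is visible without sbsigntool.
sbattach_stub() {
    # $1 = --attach, $2 = signature file, $3 = target binary
    cat "$2" >> "$3"
}

# Constructed fixture: $work/sigs mirrors debian/signatures/shim-unsigned,
# $work/root stands in for the / where shim-unsigned installs its binaries.
setup_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/root/usr/lib/shim" "$work/sigs/usr/lib/shim"
    printf 'unsigned fbaa64\n' > "$work/root/usr/lib/shim/fbaa64.efi"
    printf 'SIGNATURE\n' > "$work/sigs/usr/lib/shim/fbaa64.efi.sig"
    echo "$work"
}

# Same shape as the override in debian/rules, minus the ownership flags.
# $work/tmp plays the role of debian/tmp.
rootless_install() {
    work=$1
    find "$work/sigs" -name '*.sig' -printf '%P\n' | while read -r sig; do
        install -m 0755 -d "$work/tmp/${sig%/*}"
        install -m 0644 "$work/root/${sig%.sig}" "$work/tmp/${sig}ned"
        sbattach_stub --attach "$work/sigs/$sig" "$work/tmp/${sig}ned"
    done
}

# Octal mode of the installed, signed file; the .deb then gets root:root
# from dpkg-deb --root-owner-group, matching the dpkg --contents listing above.
installed_mode() {
    stat -c '%a' "$1/tmp/usr/lib/shim/fbaa64.efi.signed"
}
```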

#1089433#32
Date: 2025-04-17 15:54:51 UTC
control: tags -1 +pending

Hey guys,

Sorry, I've not been updating bugs here enough to share progress.

I've had changes for this ready for some time, just not pushed yet.

The shim 16.0 release has already happened upstream, and it passes CI
for me locally.

*However*, we're waiting on a bugfix for

https://github.com/rhboot/shim/issues/74

which is a show-stopper bug for secure boot chains where UKIs are
going to be a thing. A fix is coming Real Soon Now, I've been
promised. That's going to prompt a 16.1 release.

In the meantime, I really don't want to upload a 16.0 build, as that
makes things much more awkward in terms of the signing pipeline (etc.)