ExtractForSigning task
This is a worker task that takes the output of the Sbuild task and extracts debusine:signing-input artifacts from it for use by the Sign task.
The task_data for this task may contain the following keys:
- input (required): a dictionary describing the input data:
  - template_artifact (Single lookup, required): a debian:binary-package artifact containing a template package
  - binary_artifacts (Multiple lookup, required): a list of debian:binary-package artifacts used to find the packages referred to by the template’s files.json
- environment (Single lookup with default category debian:environments, required): debian:system-tarball artifact that will be used to unpack binary packages using the unshare backend
The task operates as follows:
- It extracts the /usr/share/code-signing/$binary_package_name/files.json file from the template binary package.
- It checks that files.json uses only relative paths with no .. components.
- For each package in the template’s files.json:
  - It checks that the package name is a syntactically-valid Debian package name.
  - It finds the corresponding package among the binary artifacts.
  - If there is a trusted_certs entry, it copies it into the corresponding output artifact.
  - For each file:
    - It checks that the file name uses only relative paths with no .. components, and that the resulting path within the extracted binary package does not traverse symlinks to outside the extracted binary package.
    - It stores a copy of the file in the output artifact with the name $package/$file.
The output will be provided as debusine:signing-input artifacts, one for each package in the template’s
files.json, with each artifact having a relates-to relationship to
the template package and to the binary package from which its files were
extracted.
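
The package-name, relative-path and symlink checks listed in the steps above can be sketched as follows. This is an added example, not debusine's own code: the function names, the regular expression (taken from Debian Policy's package-name rules) and the constructed directory tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path, PurePosixPath

# Debian Policy: lowercase alphanumerics plus "+", "-", "."; at least two
# characters; must start with an alphanumeric.
PACKAGE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def valid_package_name(name: str) -> bool:
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def is_safe_relative(name: str) -> bool:
    """True for a non-empty relative path with no ".." components."""
    path = PurePosixPath(name)
    return bool(name) and not path.is_absolute() and ".." not in path.parts


def resolve_inside(root: Path, name: str) -> Path:
    """Return the real path of name under root, or raise ValueError."""
    if not is_safe_relative(name):
        raise ValueError(f"unsafe path: {name!r}")
    real_root = root.resolve(strict=True)
    real = (real_root / name).resolve(strict=True)  # follows every symlink
    if not real.is_relative_to(real_root):
        raise ValueError(f"{name!r} leaves the package through a symlink")
    return real


def demo() -> dict:
    """Constructed tree: one regular file and one symlink pointing outside."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp, "unpacked")  # stands in for an extracted package
        (pkg / "usr/lib").mkdir(parents=True)
        (pkg / "usr/lib/image.efi").write_bytes(b"constructed")
        Path(tmp, "secret").write_text("outside the package")
        os.symlink("../../../secret", pkg / "usr/lib/link")
        results = {}
        for name in ("usr/lib/image.efi", "usr/lib/link", "../secret", "/etc/passwd"):
            try:
                resolve_inside(pkg, name)
                results[name] = "ok"
            except ValueError:
                results[name] = "rejected"
        return results
```

The lexical check alone would accept usr/lib/link; only resolving the path against the unpacked tree shows that it points outside the package.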