[debhelper-devel] [RFC PATCH v1 1/3] Define a new debhelper dh_installfile-sigs and postinst autoscript

[Mimi Zohar]

This patch defines a debhelper dh_installfile-sigs and autoscript
postinst-file-sigs to install the ELF file and script signatures
stored in the checksums file named DEBIAN/<algo sums>.

Changelog v1:
- Fix postinst script error msg, replacing 'grep' with 'case' statement.
---
 autoscripts/postinst-file-sigs | 30 +++++++++++++++++++++++++++
 dh                             |  1 +
 dh_installfile-sigs            | 46 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 autoscripts/postinst-file-sigs
 create mode 100755 dh_installfile-sigs

diff --git a/autoscripts/postinst-file-sigs b/autoscripts/postinst-file-sigs
new file mode 100644
index 0000000..f0efbfe
--- /dev/null
+++ b/autoscripts/postinst-file-sigs
@@ -0,0 +1,30 @@
+file=$(dpkg-query --control-path #PACKAGE# sha256sums)
+if [ ! -e "${file}" ]; then
+	file=$(dpkg-query --control-path #PACKAGE# sha512sums)
+fi
+
+if [ "$1" = "configure" ]; then
+	if [ -e "${file}" ]; then
+		while read -r line; do
+			sig=$(echo "${line}" | awk '{print $3}')
+			if [ ! -n "$sig" ]; then
+				continue;
+
+			fn=$(echo "${line}" | awk '{print $2}')
+			if [ ! -e "${fn}" ]; then
+				continue;
+			fi
+
+			case "$(file --brief $fn)" in
+			*script*)
+				setfattr -n 'security.ima' -v 0x$sig ${fn}
+				;;
+			*ELF*)
+				setfattr -n 'security.ima' -v 0x$sig ${fn}
+				;;
+			esac
+		done < "${file}"
+	fi
+fi
+
+exit 0;
diff --git a/dh b/dh
index f3bd321..4f80f75 100755
--- a/dh
+++ b/dh
@@ -373,6 +373,7 @@ my @i = qw{
 	dh_installifupdown
 	dh_installinfo
 	dh_installinit
+	dh_installfile-sigs
 	dh_installmenu
 	dh_installmime
 	dh_installmodules
diff --git a/dh_installfile-sigs b/dh_installfile-sigs
new file mode 100755
index 0000000..8a8888b
--- /dev/null
+++ b/dh_installfile-sigs
@@ -0,0 +1,46 @@
+#!/usr/bin/perl -w
+
+=head1 NAME
+
+dh_installfile-sigs - install file signatures in the DEBIAN/<algo sums> file as xattrs
+
+=cut
+
+use strict;
+use Cwd;
+use Debian::Debhelper::Dh_Lib;
+
+=head1 SYNOPSIS
+
+B<dh_installfile-sigs>
+
+=head1 DESCRIPTION
+
+B<dh_installfile-sigs> is a debhelper program that is responsible for automatically
+generating the F<postinst> commands needed to install file signatures contained in
+the checksums file F<DEBIAN/algo sums>.  These commands are inserted into the maintainer
+scripts by L<dh_installdeb(1)>.
+
+=cut
+
+init();
+
+foreach my $package (@{$dh{DOPACKAGES}}) {
+
+	if (! $dh{NOSCRIPTS}) {
+		autoscript($package,"postinst","postinst-file-sigs","s!#PACKAGE#!$package!g");
+	}
+}
+
+
+=head1 SEE ALSO
+
+L<debhelper(7)>
+
+This program is a part of debhelper.
+
+=head1 AUTHOR
+
+Mimi Zohar <zohar at linux.vnet.ibm.com>
+
+=cut
-- 
1.8.1.4