Starting with buster, some packages are signed as part of the Secure Boot chain. The practical result is that an update to any of these packages involves several source packages being updated together, and we should treat them as a unit when processing them. For uploads corresponding to DSAs, this means we should not accept any of the packages unless the complete set is available. For uploads to p-u, we should provide clearly visible indications when one or more packages of a set are not yet available, so that the situation can be resolved before a point release (or the incomplete portions of the set skipped if need be).

The general pattern is that a source package produces binary packages named *-signed-template. When dak sees one of these packages in a binary upload, it uses the signing service to generate a (or several?) new source package containing signed files. The file to be signed, the type of signature required and the metadata for the source package to be generated are shipped in the -template packages under /usr/share/code-signing.
For example:

    dpkg-deb -c /srv/mirrors/debian/pool/main/l/linux/linux-image-amd64-signed-template_4.19.37-6_amd64.deb
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/
    -rw-r--r-- root/root    870698 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/files.json
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/
    -rw-r--r-- root/root       219 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/README.source
    -rw-r--r-- root/root    722074 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/changelog
    -rw-r--r-- root/root         2 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/compat
    -rw-r--r-- root/root     20340 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/control
    -rw-r--r-- root/root     11923 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/copyright
    -rw-r--r-- root/root       505 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-amd64.postinst
    -rw-r--r-- root/root      1028 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-amd64.postrm
    -rw-r--r-- root/root       447 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-amd64.preinst
    -rw-r--r-- root/root       315 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-amd64.prerm
    -rw-r--r-- root/root       511 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-cloud-amd64.postinst
    -rw-r--r-- root/root      1034 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-cloud-amd64.postrm
    -rw-r--r-- root/root       453 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-cloud-amd64.preinst
    -rw-r--r-- root/root       321 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-cloud-amd64.prerm
    -rw-r--r-- root/root       508 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-rt-amd64.postinst
    -rw-r--r-- root/root      1031 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-rt-amd64.postrm
    -rw-r--r-- root/root       450 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-rt-amd64.preinst
    -rw-r--r-- root/root       318 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-rt-amd64.prerm
    -rwxr-xr-x root/root       383 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/rules
    -rw-r--r-- root/root      5130 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/rules.gen
    -rw-r--r-- root/root      3314 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/rules.real
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/source/
    -rw-r--r-- root/root        13 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/source/format
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/doc/
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/doc/linux-image-amd64-signed-template/
    -rw-r--r-- root/root    261108 2019-07-18 22:23 ./usr/share/doc/linux-image-amd64-signed-template/changelog.Debian.gz
    -rw-r--r-- root/root     11923 2019-07-18 22:02 ./usr/share/doc/linux-image-amd64-signed-template/copyright
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/lintian/
    drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/lintian/overrides/
    -rw-r--r-- root/root      2094 2019-07-18 22:23 ./usr/share/lintian/overrides/linux-image-amd64-signed-template

It would be helpful to avoid needing to introspect the source package in order to determine which other source packages are expected to be generated.

There is one notable exception to this pattern: the shim-signed package is uploaded by DDs, rather than generated by the signing service, as the signature is from Microsoft. Nevertheless, shim and shim-signed should be treated as a functional unit in this case.

See also:

    https://wiki.debian.org/SecureBoot/Discussion
    https://salsa.debian.org/ftp-team/dak/blob/master/config/debian/external-signatures.conf
    https://incoming.debian.org/debian-buildd/project/external-signatures/requests.json
    https://debamax.com/blog/2019/04/19/an-overview-of-secure-boot-in-debian/

The signing service uses a specific key which is allowed to bypass NEW and has a UID of ftpmaster@debian.org.
One can determine the set of such uploads that are currently in stable via:

    SELECT DISTINCT source.source
    FROM binaries
    INNER JOIN source ON binaries.source = source.id
    INNER JOIN fingerprint ON source.sig_fpr = fingerprint.id
    INNER JOIN uid ON fingerprint.uid = uid.id
    INNER JOIN src_associations ON source.id = src_associations.source
    INNER JOIN suite ON src_associations.suite = suite.id
    WHERE suite.suite_name = 'stable'
      AND uid.uid = 'ftpmaster@debian.org';

The signed binary packages should include Built-Using fields which point back to the unsigned source package from which they were generated, so the unsigned counterpart can be determined via:

    SELECT DISTINCT binaries_metadata.value, source.source
    FROM metadata_keys
    LEFT JOIN binaries_metadata ON metadata_keys.key_id = binaries_metadata.key_id
    LEFT JOIN binaries ON binaries.id = binaries_metadata.bin_id
    INNER JOIN source ON binaries.source = source.id
    INNER JOIN fingerprint ON source.sig_fpr = fingerprint.id
    INNER JOIN uid ON fingerprint.uid = uid.id
    INNER JOIN src_associations ON source.id = src_associations.source
    INNER JOIN suite ON src_associations.suite = suite.id
    WHERE suite.suite_name = 'stable'
      AND uid.uid = 'ftpmaster@debian.org'
      AND metadata_keys.key = 'Built-Using';

Not all packages currently expose this information, but it has been requested:

    16:09 < BTS> Opened #932756 in src:fwupdate by Adam D. Barratt «fwupdate: should include Built-Using fields in the signed packages». https://bugs.debian.org/932756
    16:09 < BTS> Opened #932757 in src:fwupd 1.2.5-2 by Adam D. Barratt «fwupd: should include Built-Using fields in the signed packages». https://bugs.debian.org/932757

Assuming Built-Using were in place everywhere, a signed-to-unsigned package mapping can be produced with the following query (the "hacks" branches of each UNION add the DD-uploaded shim-signed package, which has no generated Built-Using data):

    SELECT DISTINCT split_part(T.value, ' ', 1) AS unsigned,
           array_agg(DISTINCT A.source) AS signed
    FROM (
        SELECT source.source
        FROM binaries
        INNER JOIN source ON binaries.source = source.id
        INNER JOIN fingerprint ON source.sig_fpr = fingerprint.id
        INNER JOIN uid ON fingerprint.uid = uid.id
        INNER JOIN src_associations ON source.id = src_associations.source
        INNER JOIN suite ON src_associations.suite = suite.id
        WHERE suite.suite_name = 'stable'
          AND uid.uid = 'ftpmaster@debian.org'
        UNION -- hacks
        SELECT 'shim-signed'
    ) A
    LEFT JOIN (
        SELECT DISTINCT source.source, binaries_metadata.value
        FROM metadata_keys
        LEFT JOIN binaries_metadata ON metadata_keys.key_id = binaries_metadata.key_id
        LEFT JOIN binaries ON binaries.id = binaries_metadata.bin_id
        INNER JOIN source ON binaries.source = source.id
        INNER JOIN fingerprint ON source.sig_fpr = fingerprint.id
        INNER JOIN uid ON fingerprint.uid = uid.id
        INNER JOIN src_associations ON source.id = src_associations.source
        INNER JOIN suite ON src_associations.suite = suite.id
        WHERE suite.suite_name = 'stable'
          AND uid.uid = 'ftpmaster@debian.org'
          AND metadata_keys.key = 'Built-Using'
        UNION -- hacks
        SELECT 'shim-signed', 'shim'
    ) T ON A.source = T.source
    GROUP BY 1;

     unsigned |                                   signed
    ----------+---------------------------------------------------------------------
     grub2    | {grub-efi-amd64-signed,grub-efi-arm64-signed,grub-efi-ia32-signed}
     linux    | {linux-signed-amd64,linux-signed-arm64,linux-signed-i386}
     shim     | {shim-helpers-amd64-signed,shim-helpers-arm64-signed,shim-helpers-i386-signed,shim-signed}
              | {fwupd-amd64-signed,fwupd-arm64-signed,fwupd-armhf-signed,fwupd-i386-signed,fwupdate-amd64-signed,fwupdate-arm64-signed,fwupdate-armhf-signed,fwupdate-i386-signed}
    (4 rows)

The last row has an empty unsigned column because the fwupd and fwupdate signed packages do not yet carry Built-Using (see #932756 and #932757 above), so the LEFT JOIN finds no value for them.
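Extracting the mapping is only half of the check the first paragraph asks for: dak still has to decide whether a queued upload is complete before accepting it as a unit. The following Python is an added example, not dak code; the Built-Using values, versions and queue contents are constructed and none of dak's real data structures are used. It parses Built-Using the way split_part does but over every entry, rebuilds the unsigned-to-signed mapping including the shim-signed hack, and reports which members of a set are missing from a queue or were generated from a different version of the unsigned source:

```python
import re
from collections import defaultdict

# Debian Policy form "src (= ver), src2 (= ver2)": one match per entry.
BUILT_USING_RE = re.compile(r"([a-z0-9][a-z0-9.+-]+)\s*\(=\s*([^)]+)\)")

def parse_built_using(value):
    """'linux (= 4.19.37-6), foo (= 1.0)' -> [('linux', '4.19.37-6'), ('foo', '1.0')]"""
    return [(src, ver.strip()) for src, ver in BUILT_USING_RE.findall(value)]

def signed_sets(rows, manual=(("shim-signed", "shim"),)):
    """rows: (signed source, Built-Using value) as the second query returns them ->
    {unsigned: set of signed sources}.  `manual` is the shim-signed hack (no Built-Using)."""
    mapping = defaultdict(set)
    for signed, built_using in rows:
        for unsigned, _version in parse_built_using(built_using):
            mapping[unsigned].add(signed)
    for signed, unsigned in manual:
        mapping[unsigned].add(signed)
    return dict(mapping)

def incomplete_sets(mapping, queue):
    """queue: {source: (version, Built-Using value or None)}.  For each unsigned
    source queued, list members absent or built from another version of it."""
    problems = {}
    for unsigned in mapping.keys() & queue.keys():
        version, bad = queue[unsigned][0], []
        for signed in sorted(mapping[unsigned]):
            entry = queue.get(signed)
            if entry is None:
                bad.append(signed)  # signed counterpart has not arrived yet
            elif entry[1] and (unsigned, version) not in parse_built_using(entry[1]):
                bad.append(signed)  # generated from an older unsigned upload
        if bad:
            problems[unsigned] = bad
    return problems  # {} means every set is complete and can go in as one unit

# Constructed sample (versions made up): stable rows in the second query's shape, and
# a queue with a linux DSA upload missing linux-signed-i386; arm64 is from the old one.
STABLE_ROWS = [("linux-signed-amd64", "linux (= 4.19.37-5)"),
               ("linux-signed-arm64", "linux (= 4.19.37-5)"),
               ("linux-signed-i386", "linux (= 4.19.37-5)"),
               ("shim-helpers-amd64-signed", "shim (= 15+1533136590.3beb971-7)")]
QUEUE = {"linux": ("4.19.37-6", None),
         "linux-signed-amd64": ("4.19.37+6", "linux (= 4.19.37-6)"),
         "linux-signed-arm64": ("4.19.37+6", "linux (= 4.19.37-5)")}

def demo():
    return incomplete_sets(signed_sets(STABLE_ROWS), QUEUE)
```

For a DSA upload, a non-empty result means the whole set should be held back; for p-u it is the list to surface to the release team before the point release.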