Starting with buster, some packages are signed as part of the Secure Boot chain. The basic practical result of this is that an update to any of the packages actually involves several source packages being updated together, and we should ensure that we treat these as a unit when processing them. For uploads corresponding to DSAs, this implies that we should not accept any of the packages unless the complete set is available. For uploads to p-u, we should provide clearly visible indications when one or more packages are not yet available, so that we can ensure the situation is resolved before a point release (or skip including the incomplete portions of the set if need be).

The general pattern is that a source package produces binary packages named *-signed-template. When dak sees one of these packages in a binary upload, it uses the signing service to generate a (or several?) new source package containing signed files. The file to be signed, type of signature required and metadata for the source package to be generated are shipped in the -template packages in /usr/share/code-signing. For example:

dpkg-deb -c /srv/mirrors/debian/pool/main/l/linux/linux-image-amd64-signed-template_4.19.37-6_amd64.deb
drwxr-xr-x root/root         0 2019-07-18 22:23 ./
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/
-rw-r--r-- root/root    870698 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/files.json
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/
-rw-r--r-- root/root       219 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/README.source
-rw-r--r-- root/root    722074 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/changelog
-rw-r--r-- root/root         2 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/compat
-rw-r--r-- root/root     20340 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/control
-rw-r--r-- root/root     11923 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/copyright
-rw-r--r-- root/root       505 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-amd64.postinst
-rw-r--r-- root/root      1028 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-amd64.postrm
-rw-r--r-- root/root       447 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-amd64.preinst
-rw-r--r-- root/root       315 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-amd64.prerm
-rw-r--r-- root/root       511 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-cloud-amd64.postinst
-rw-r--r-- root/root      1034 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-cloud-amd64.postrm
-rw-r--r-- root/root       453 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-cloud-amd64.preinst
-rw-r--r-- root/root       321 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-cloud-amd64.prerm
-rw-r--r-- root/root       508 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-rt-amd64.postinst
-rw-r--r-- root/root      1031 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-rt-amd64.postrm
-rw-r--r-- root/root       450 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-rt-amd64.preinst
-rw-r--r-- root/root       318 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/linux-image-4.19.0-5-rt-amd64.prerm
-rwxr-xr-x root/root       383 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/rules
-rw-r--r-- root/root      5130 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/rules.gen
-rw-r--r-- root/root      3314 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/rules.real
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/source/
-rw-r--r-- root/root        13 2019-07-18 22:23 ./usr/share/code-signing/linux-image-amd64-signed-template/source-template/debian/source/format
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/doc/
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/doc/linux-image-amd64-signed-template/
-rw-r--r-- root/root    261108 2019-07-18 22:23 ./usr/share/doc/linux-image-amd64-signed-template/changelog.Debian.gz
-rw-r--r-- root/root     11923 2019-07-18 22:02 ./usr/share/doc/linux-image-amd64-signed-template/copyright
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/lintian/
drwxr-xr-x root/root         0 2019-07-18 22:23 ./usr/share/lintian/overrides/
-rw-r--r-- root/root      2094 2019-07-18 22:23 ./usr/share/lintian/overrides/linux-image-amd64-signed-template

It would be helpful to avoid needing to introspect the source package in order to determine which other source packages are expected to be generated.

There is one notable exception to this pattern - the shim-signed package is uploaded by DDs, rather than generated by the signing service, as the signature is from Microsoft. Nevertheless, shim and shim-signed should be treated as a functional unit in this case.

https://wiki.debian.org/SecureBoot/Discussion
https://salsa.debian.org/ftp-team/dak/blob/master/config/debian/external-signatures.conf
https://incoming.debian.org/debian-buildd/project/external-signatures/requests.json
https://debamax.com/blog/2019/04/19/an-overview-of-secure-boot-in-debian/

The signing service uses a specific key which is allowed to bypass NEW and has a UID of ftpmaster@debian.org. One can determine the set of such uploads that are currently in stable via:

SELECT DISTINCT
source.source FROM
binaries
 inner JOIN source ON binaries.source = source.id       
inner join fingerprint on source.sig_fpr = fingerprint.id
inner join uid on fingerprint.uid = uid.id
inner JOIN src_associations ON source.id = src_associations.source
inner JOIN suite ON src_associations.suite = suite.id
WHERE suite.suite_name = 'stable' and uid.uid='ftpmaster@debian.org';

The signed binary packages should include Built-Using fields which point back to the unsigned source package from which they were generated, so this can be determined via:

SELECT DISTINCT binaries_metadata.value, 
source.source FROM metadata_keys left join binaries_metadata on metadata_keys.key_id = binaries_metadata.key_id left join 
binaries on binaries.id = binaries_metadata.bin_id          
 inner JOIN source ON binaries.source = source.id       
inner join fingerprint on source.sig_fpr = fingerprint.id
inner join uid on fingerprint.uid = uid.id
inner JOIN src_associations ON source.id = src_associations.source
inner JOIN suite ON src_associations.suite = suite.id
WHERE suite.suite_name = 'stable' and uid.uid='ftpmaster@debian.org' and metadata_keys.key='Built-Using';

Not all packages currently expose this information, but it has been requested:


16:09 < BTS> Opened #932756 in src:fwupdate by Adam D. Barratt <adam@adam-ba...> «fwupdate: should include Built-Using fields in the signed packages». https://bugs.debian.org/932756
16:09 < BTS> Opened #932757 in src:fwupd 1.2.5-2 by Adam D. Barratt <adam@adam-ba...> «fwupd: should include Built-Using fields in the signed packages». https://bugs.debian.org/932757

Assuming built-using was in place, a signed to unsigned package mapping:

SELECT DISTINCT
split_part(T.value,' ',1) unsigned, array_agg( distinct A.source) signed
FROM (
select source.source from binaries
inner JOIN source ON binaries.source = source.id       
inner join fingerprint on source.sig_fpr = fingerprint.id
inner join uid on fingerprint.uid = uid.id
inner JOIN src_associations ON source.id = src_associations.source
inner JOIN suite ON src_associations.suite = suite.id
WHERE suite.suite_name = 'stable' and uid.uid='ftpmaster@debian.org'
union
-- hacks
select 'shim-signed'
) A
left join (
SELECT DISTINCT source.source, binaries_metadata.value
FROM metadata_keys
left join binaries_metadata on metadata_keys.key_id = binaries_metadata.key_id
left join binaries on binaries.id = binaries_metadata.bin_id          
inner JOIN source ON binaries.source = source.id       
inner join fingerprint on source.sig_fpr = fingerprint.id
inner join uid on fingerprint.uid = uid.id
inner JOIN src_associations ON source.id = src_associations.source
inner JOIN suite ON src_associations.suite = suite.id
WHERE suite.suite_name = 'stable'
and uid.uid='ftpmaster@debian.org'
and metadata_keys.key='Built-Using'
union
-- hacks
select 'shim-signed', 'shim'
) T
on A.source=T.source group by 1
;

 unsigned | signed 
+------------------
 grub2    | {grub-efi-amd64-signed,grub-efi-arm64-signed,grub-efi-ia32-signed}
 linux    | {linux-signed-amd64,linux-signed-arm64,linux-signed-i386}
 shim     | {shim-helpers-amd64-signed,shim-helpers-arm64-signed,shim-helpers-i386-signed,shim-signed}
          | {fwupd-amd64-signed,fwupd-arm64-signed,fwupd-armhf-signed,fwupd-i386-signed,fwupdate-amd64-signed,fwupdate-arm64-signed,fwupdate-armhf-signed,fwupdate-i386-signed}
(4 rows)