Add Debian package meta-info and GitHub package builder action

.github/workflows/build-debian-package.yml

@@ -0,0 +1,27 @@
+name: Debian Package Builder
+on: [push, pull_request]
+
+# We use https://github.com/marketplace/actions/build-debian-packages to run
+# the debian package builder in a Debian docker container.
+
+jobs:
+  build-debs:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Build Debian package for amd64
+        uses: jtdor/build-deb-action@v1
+        # Output artifacts are copied to debian/artifacts, by default.
+        env:
+          DEB_BUILD_OPTIONS: noautodbgsym
+        with:
+          docker-image: debian:testing
+          host-arch: amd64
+          buildpackage-opts: --build=binary --no-sign
+      - name: Upload package artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: tpm-fido-debian-package-${{ github.sha }}
+          path: debian/artifacts/*

deb-build.bash

@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# Build a Debian package for the host machine architecture.
+
+msg-run() {
+	echo -e "\E[32;1m> $*\E[m"
+	"$@"
+}
+
+# Install build dependnecies.
+#msg-run sudo apt-get build-dep .
+msg-run dpkg-buildpackage -b --no-sign
+
+# Run ""./debian/rules clean" to cleanup artifacts.

debian/.gitignore

@@ -0,0 +1,9 @@
+*.debhelper
+*.log
+*.substvars
+/.debhelper/
+/debhelper-build-stamp
+/files
+# Debian temporary Go build dir.
+/_build
+/tpm-fido/

debian/README.md

@@ -0,0 +1,43 @@
+# The tpm-fido Debian Package
+
+## Build the package
+
+*From the tpm-fido directory, run the following:*
+```bash
+# Install build dependencies (packages needed to build this package).
+# You can build this in a docker container, if you don't like the idea of
+# polluting you manually installed package list.
+sudo apt-get build-dep .
+
+# Build the package.
+dpkg-buildpackage -b --no-sign
+```
+
+## User setup
+
+```bash
+# Install the package.
+sudo adduser $USER tss
+sudo adduser $USER uhid
+# reboot
+```
+
+*Check on relevant services:*
+```bash
+sudo systemctl status uhid-permission
+systemctl --user status tpm-fido
+
+# Monitor logs for tpm-fido service.
+journalctl --user -f -u tpm-fido
+```
+
+## Bump the debian changelog
+
+The debian/changelog file controls the output package version/revision.
+
+```bash
+export DEBFULLNAME="First Last"
+export DEBEMAIL="me@example.com"
+debchange -i
+debchange -r
+```

debian/changelog

@@ -0,0 +1,12 @@
+tpm-fido (0.0~git20230621.5f8828b-2) UNRELEASED; urgency=medium
+
+  * Add this unreleased entry to allow easily bumping the revision
+    using "debchange -i" without actually adding another entry.
+
+ -- Craig Hesling <craig@hesling.com>  Mon, 06 May 2024 02:05:05 -0700
+
+tpm-fido (0.0~git20230621.5f8828b-1) unstable; urgency=medium
+
+  * Initial release.
+
+ -- Craig Hesling <craig@hesling.com>  Sun, 05 May 2024 20:23:37 -0700

debian/control

@@ -0,0 +1,36 @@
+Source: tpm-fido
+Section: golang
+Priority: optional
+Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
+Uploaders: Craig Hesling <craig@hesling.com>
+Rules-Requires-Root: no
+# Pkg ca-certificates is required to be able to download (and verify) packages
+# with "go get". We need this because we are explicitly downloading dependencies
+# during the build phase. See the rules file for further explanation.
+# The ca-certificates pkg is usually installed as a recommendation/suggestion,
+# but may be omitted based on apt settings.
+Build-Depends: debhelper-compat (= 13),
+               dh-sequence-golang,
+               golang-any,
+               ca-certificates
+Testsuite: autopkgtest-pkg-go
+Standards-Version: 4.5.0
+Vcs-Browser: https://salsa.debian.org/go-team/packages/tpm-fido
+Vcs-Git: https://salsa.debian.org/go-team/packages/tpm-fido.git
+Homepage: https://github.com/psanford/tpm-fido
+XS-Go-Import-Path: github.com/psanford/tpm-fido
+
+Package: tpm-fido
+Section: utils
+Architecture: any
+Depends: pinentry-gnome3 | pinentry-gtk2 | pinentry-qt | pinentry-curses | pinentry-fltk | pinentry-tty,
+         ${misc:Depends},
+         ${shlibs:Depends}
+Built-Using: ${misc:Built-Using}
+Description: A WebAuthn/U2F token protected by a TPM
+ tpm-fido is FIDO token implementation for Linux that protects the token
+ keys by using your system's TPM. tpm-fido uses Linux's uhid
+ (https://github.com/psanford/uhid) facility to emulate a USB HID device
+ so that it is properly detected by browsers.
+ .
+ See https://github.com/psanford/tpm-fido for more info.

debian/copyright

@@ -0,0 +1,27 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://github.com/psanford/tpm-fido
+Upstream-Name: tpm-fido
+Upstream-Contact: Peter Sanford
+
+Files: *
+Copyright: 2021 Peter Sanford
+License: MIT
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.

debian/rules

@@ -0,0 +1,48 @@
+#!/usr/bin/make -f
+
+# Enabling DH_VERBOSE forces the logging of all build steps and commands.
+# See debhelper(7) for more info.
+export DH_VERBOSE = 1
+
+# Setting these environment variables re-enable the ability for Go to download
+# missing dependencies and honor modules. These are intentionally overridden
+# by the Debian golang build script to force the use of local libraries provided
+# by other Debian Go source packages. See the source that overrides these
+# for more info:
+# - https://salsa.debian.org/go-team/packages/dh-golang/-/blob/81892fe8d3a51a22c910a649052669dd9f18837e/lib/Debian/Debhelper/Buildsystem/golang.pm#L355-369
+# - /usr/share/perl5/Debian/Debhelper/Buildsystem/golang.pm
+# Also, checkout:
+# - https://go.dev/blog/go116-module-changes
+# - https://manpages.debian.org/testing/dh-golang/Debian::Debhelper::Buildsystem::golang.3pm.en.html
+# - https://manpages.debian.org/testing/dh-golang/dh_golang.1p.en.html
+# - https://people.debian.org/~stapelberg/2015/07/27/dh-make-golang.html
+# - https://go-team.pages.debian.net/packaging.html
+# - https://github.com/Debian/dh-make-golang/tree/master
+# - https://github.com/Debian/debhelper/tree/main
+export GO111MODULE = on
+export GOPROXY =
+
+%:
+	dh $@ --builddirectory=debian/_build --buildsystem=golang
+
+# It seems like the trend is to put user daemon binaries in /usr/bin (instead
+# of sbin) which is the default location for golang.pm's install script.
+# We are not installing source, since this is a binary executable pkg.
+override_dh_auto_install:
+	dh_auto_install -- --no-source
+
+execute_after_dh_install:
+	dh_installsysusers
+
+# We use dh_installsystemd and dh_installsystemduser for installing systemd
+# services. Checkout the following resources for more info:
+# - https://manpages.debian.org/testing/debhelper/dh_installsystemd.1.en.html
+# - https://manpages.debian.org/testing/debhelper/dh_installsystemduser.1.en.html
+
+override_dh_installsystemd:
+	dh_installsystemd --name=uhid-permission
+
+# Uncomment the following to not automatically unable the tpm-fido user service
+# after install. It also allows for the user to enable/disable the service.
+#override_dh_installsystemduser:
+#	dh_installsystemduser --no-enable

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

debian/tpm-fido.sysusers

@@ -0,0 +1,11 @@
+# Add the system group "uhid" to allow tpm-fido, running as our limited user,
+# access to /dev/uhid.
+# Note that this group will remain on the installed machine after the
+# controlling package is purged.
+#
+# References:
+# - https://manpages.debian.org/testing/debhelper/dh_installsysusers.1.en.html
+# - https://manpages.debian.org/testing/systemd/sysusers.d.5.en.html
+#
+#Type Name     ID             GECOS                 Home directory Shell
+g     uhid    -              -

debian/tpm-fido.udev.disabled

@@ -0,0 +1,16 @@
+# You can add this udev rule to the package by removing the ".disabled" from
+# the file name.
+#
+# This is a bit of a catch 22, since this udev rule won't trigger until
+# a service that has permission to access /dev/uhid interacts with it, but
+# our tpm-fido service doesn't have access to /dev/uhid until this udev rule
+# is triggered.
+#
+# You can see this by running "udevadm info -q path -n /dev/uhid" before
+# any service/program has accessed /dev/uhid. Udevadm will not have any
+# understanding of this path.
+# After you start a service that accesses /dev/uhid, run the following:
+# sudo udevadm test $(udevadm info -q path -n /dev/uhid)
+#
+# The tpm-fido package created the uhid system group.
+KERNEL=="uhid", SUBSYSTEM=="misc", GROUP="uhid", MODE="0660"

debian/tpm-fido.user.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=A WebAuthn/U2F token protected by a TPM
+After=uhid-permission.service
+
+[Service]
+Type=simple
+WorkingDirectory=%h
+ExecStart=/usr/bin/tpm-fido
+
+[Install]
+WantedBy=default.target

debian/uhid-permission.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Allow system group uhid access to /dev/uhid for the tpm-fido service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/chmod u=rw,g=rw,o= /dev/uhid
+ExecStart=/usr/bin/chown root:uhid /dev/uhid
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target