WIP: bump version

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

Makefile

@@ -4,9 +4,9 @@ KERNEL_MIN=2
 KERNEL_PATCHLEVEL=6
 # increment KREL if the ABI changes (abicheck target in debian/rules)
 # rebuild packages with new KREL and run 'make abiupdate'
-KREL=1
+KREL=2
 
-PKGREL=1
+PKGREL=2~secureboot1
 
 KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
 KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)

debian/certs/proxmox-uefi-ca.pem

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGbjCCBFagAwIBAgIUTVo8veNlt0qzt14J+H2mhEB2SNUwDQYJKoZIhvcNAQEL
+BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
+ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
+BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
+eG1veC5jb20wHhcNMjMwMzA2MTM1MTM0WhcNMzMwMzAzMTM1MTM0WjCBkzELMAkG
+A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
+VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEXMBUGA1UEAwwOU2Vj
+dXJlIEJvb3QgQ0ExITAfBgkqhkiG9w0BCQEWEm9mZmljZUBwcm94bW94LmNvbTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ59mP8gRLqsA6P53ejy0wMk
+0qLlICtDkPXsJoi4QRHjlPErxXv5zsZ4WqSG2bQ8EW95FAf8EOF6ge+G17neYt1w
+DmlvHzLBfqTJj5EBRgVjdWOjX3AkS/elOyzHdq4rKOteUSpQlMP4ub2cAUdy/8rp
+ouTbduttNv8mymAO89/kbXCEmKFiRS+av+hykFFyXH/KTRa2QnvLVadMEkmtA+vm
++yQhYWCTD8hdisa1o3dKM0Z2l8LyzfIOsVXcwHHB7AhtR4tbLR9Tz2p/m9Gz//vj
+82dBaChh6kxIMZ8kACP28dA561R2P6ZcjzLSJ0Tq5e4tiW9SNEzuTYKTRvFeQoQh
+4usDdSF3ifXDuimShpv8Yaf4fntyIaUfnm6H5tvNr9b9Rw6ZL200LV5VugQ1EpfE
+F0+c3LQfurwT7svISgXSY62Fe/TiHFANOVXM5j3/Dr2ktKyce7BUGN4ewpWPvP99
+io+rdd4bTReuDh8j0nhsSdYKfvuOmvQpgL8Smzno54/hdpuO6cv+slCr1ApDexl8
+gAPPwCZRsH7aPc92g+YPzDm3k77RqkCXPA19KKQLYKvL7a+H3rnqgO81CdGFPHOz
+I5UruKLLeDGAWR0bo0JqDMEL8/oPh9IvGo8lFcTros0NEof6A7p8SGmxM2NodTo9
+spDVs84xDPlp4yX4u8A9AgMBAAGjgbcwgbQwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFLXxsR5I
+LbWGkynLl1qjUgX4cs16MB8GA1UdIwQYMBaAFLXxsR5ILbWGkynLl1qjUgX4cs16
+MB0GA1UdEQQWMBSBEm9mZmljZUBwcm94bW94LmNvbTAdBgNVHRIEFjAUgRJvZmZp
+Y2VAcHJveG1veC5jb20wDQYJKoZIhvcNAQELBQADggIBAAUGWTt792ibVtE9yKgq
+9YtmybKGWjDHdMKl5AcnxLD60z7cEgcUBpEXaUbTzic5rz7fYhUM29LZkF8NIA2a
+rzrF0w+J1zZZKG2VvTWmdgynNNKQ/iTRbhgSZ94hEWOwumlEW4O6HwUN+VYFx8wf
+jvyWc1K6cdCc70IeC5POjYTlXKPoDq8ysPMLhxm7dsk7DDWcR0siMbYqGLLK5cJB
+lZE+9Q3Nj/q4m3odjK1ILrDGKqWWJgxopE21e903Ej+TNw+TduXygHqwVloEXUi4
+clmMMwCfhEBI9Vuy0+QSLxvrHKbwYpWd59RBQEsUubi8sT8Oh7njgmEd/Pf9uD7U
+1Rd9I+1MkNOZXyoyvaJQl9NZ9RpyG+ZbeQoFcL2CeCy0jJQQSilI5k4RtiDrGn6R
+GxlRL/FTvGWBkQGNwvoeFwD6i7zYainf1Z7f1Dh83MxKarxpAwX61K+rHpvAvjN/
+Hd4dslj5C+p188FnGaqiFlFAgVcF//F+yZFGYu1sTIQJ5f0C3LiFLeQYi3SPTf0L
+wk78eHgo6x1cIOM3/Ct4mflHBxnrfOJ9YdEAn2MklpDT5dif+9+zpN1myCQn4HoW
+OgoWIacSuvuFczHTQf2IX4ZEEE5SZwE31f7E0cqjgXmwbz1a81UMZHzvr71rDeWi
+oRgE3Pe1htzpOmw5Ygvjtn8k
+-----END CERTIFICATE-----

debian/certs/proxmox-uefi-signer-2023.pem

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGbzCCBFegAwIBAgIUakjebPHbd0vTEj9dEa3OF+gioGMwDQYJKoZIhvcNAQEL
+BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
+ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
+BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
+eG1veC5jb20wHhcNMjMwMzA2MTQwNTI1WhcNMjcwNDE0MTQwNTI1WjCBmjELMAkG
+A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
+VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEeMBwGA1UEAwwVU2Vj
+dXJlIEJvb3QgU2lnbiAyMDIzMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJveG1v
+eC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJGReH5i3aihb/
+frdbzzNueHBt7DC9W2/GXYf0wfl8izCXz2SYM/UIZavbpzF2uhgxli3Dj4M0FyR2
+oTKRseWyy+YMiwuhQcqCw0KRS6uOUiGjOtPHsEqDFO6DP8d1gNjYkF0jzY/CNf0N
+5Sc+w8jknQJgZ9G1RGcC2ihZATx2pgG9nYA30Op8qHyhcF2KrUmh8wpXky21u0Ja
+0/whsNFNSfQrvosgUroxLd2TvBdcBJu3SXt0B15jfY4Qssjmwgfs/oU8YGaAYnIp
+PLJRqzho/kpDA3PH2lsgxv5BJHQgDuODLj3Q3dx09C71Qdb3FlQ6z9hIdFUoPrvC
+kUpZ5lEwGUyvFZtJJQvGm/1BpDj1G7P8lqODyfkJ4c77XoH7M9z945HmxrfAyjP7
+9Jk8NXA9bSy+ygPHPHlTLEc10HKvk/SRg/sGGUveTr9C6rObfP8EmvXogpS46xSn
+W9s2vFSVFyOBvLpdIhU91McBFinvQaqY0r2XTNrsU3Zp5YG3z6hh6BOLCpD/pixc
+BQyfT8wGeI59dobVSSrWqt+1vNxO02I5t7Mlam687Ix1e3C/nk7+i44WMcmB8n+x
+Dq/v/L+UJlQ75u2dsaAiYUrGcsHQWAZ34oIAfec9qCgG+OLTwobwXXiOlaWiO51n
+0xCQ4ePK+vZuDxRHaXL7hOxFCe3iKwIDAQABo4GxMIGuMB0GA1UdDgQWBBRr/2t+
+Hu0KTVTbNhd31p7aJH15IjAfBgNVHSMEGDAWgBS18bEeSC21hpMpy5dao1IF+HLN
+ejAdBgNVHREEFjAUgRJvZmZpY2VAcHJveG1veC5jb20wHQYDVR0SBBYwFIESb2Zm
+aWNlQHByb3htb3guY29tMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
+AwMwCwYDVR0PBAQDAgbAMA0GCSqGSIb3DQEBCwUAA4ICAQBYmLgWPJSK/pP/CkZE
+iYttW1Vd0Wm4DeZVSyUh2c9AI+A+IT5otEXjCflU8sYU4vm0eEtNwhmGdVf8oZe4
+tS/2eFawDAqEQ8xMsinbMJoqvcYx9uEZPiOOo3GS2YjfUy03Q3BAOV3rMFOjP4y+
+dfYF3IWnKQxvUV0wapRyDbT62plKt4UCtBagUPcm838YRD6ax+4yK/5sojMQM1IW
+2yGgEz8jeCyPI19Ots2RBZTJU2BZ1QqRPLybvLfsENtKgKqOE14BEp6WqtYBaj89
+QZD4tbP9Mqcmnj8AfG89pb1Fj6tq0MLZsboF6i0J7uuQ6CKkb5ksQhLODLMwAZi1
+1EAgWk5btwj6ZvoOHFOjAXGJ13tmUeYt/Zipyy/ie+5LSEdFevQ+zmZzsglfX3QK
+6skoBpHs3kLcuPsoe8uhCvn/b22lHkFdYYkIwIUQFPJgdvBzD8LYHnD8P60UdsQO
+vSSt9qzsq04DCEjwhmNJUeddL9ESGNL8vgpB9GvNjFEq6QMncELkdXDoAeqGFolE
+/dj+8sVq+34plRsvD1GDDx70UWk0ZtQlvhqDJ0kxeT+yYASrwLoujK44SLq8cMJr
+JYxDoxFOy5MSw+EzEXTP9LLkYNdPv/nzPbEz3lEctczyOgBWr22272Kdv3QCHBdP
+v4+vFbHnrXmu8cC9T45r2aX3rQ==
+-----END CERTIFICATE-----

debian/changelog

@@ -1,3 +1,9 @@
+pve-kernel (6.2.6-2~secureboot1) bullseye; urgency=medium
+
+  * test build with lockdown, trusted key and module signing
+
+ -- Proxmox Support Team <support@proxmox.com>  Thu, 16 Mar 2023 14:56:01 +0100
+
 pve-kernel (6.2.6-1) bullseye; urgency=medium
 
   * update to Ubuntu-6.2.0-17.17 based on 6.2.6

debian/control.in

@@ -80,6 +80,13 @@ Description: Proxmox Kernel debug image
  to analyze kernel crashes. This package also contains the pve-kernel modules
  in their unstripped version.
 
+Package: pve-kernel-@KVNAME@-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed kernel package
+ This package is used to control code signing by the Proxmox signing
+ service.
+
 Package: pve-kernel-libc-dev
 Section: devel
 Priority: optional

debian/rules

@@ -18,6 +18,8 @@ PVE_KERNEL_PKG=pve-kernel-${KVNAME}
 PVE_DEBUG_KERNEL_PKG=pve-kernel-${KVNAME}-dbgsym
 PVE_HEADER_PKG=pve-headers-${KVNAME}
 PVE_USR_HEADER_PKG=pve-kernel-libc-dev
+PVE_KERNEL_SIGNING_TEMPLATE_PKG=pve-kernel-${KVNAME}-signed-template
+PVE_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')
 LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN}
 KERNEL_SRC_COPY=${KERNEL_SRC}_tmp
 
@@ -51,7 +53,13 @@ PVE_CONFIG_OPTS= \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
 -e CONFIG_SYSFB_SIMPLEFB \
 -e CONFIG_DRM_SIMPLEDRM \
--d CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
 -d CONFIG_MEMCG_DISABLED \
 -e CONFIG_MEMCG_SWAP_ENABLED \
 -e CONFIG_HYPERV \
@@ -82,11 +90,11 @@ PVE_CONFIG_OPTS= \
 -d CONFIG_UNWINDER_ORC \
 -d CONFIG_UNWINDER_GUESS \
 -e CONFIG_UNWINDER_FRAME_POINTER \
---set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
+--set-str CONFIG_SYSTEM_TRUSTED_KEYS "../debian/certs/combined.pem"\
 --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
--d CONFIG_SECURITY_LOCKDOWN_LSM \
--d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
---set-str CONFIG_LSM yama,integrity,apparmor \
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
 -e CONFIG_PAGE_TABLE_ISOLATION
 
 debian/control: $(wildcard debian/*.in)
@@ -100,6 +108,20 @@ debian/control: $(wildcard debian/*.in)
 	chmod +x debian/${PVE_HEADER_PKG}.postinst
 	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/${KERNEL_MAJMIN}/g' < debian/control.in > debian/control
 
+	# combine trusted certificates
+	cat debian/certs/*.pem > debian/certs/combined.pem
+
+	# signing-template
+	sed -e '1 s/pve-kernel/pve-kernel-signed/' -e '1 s/${DEB_VERSION}/${PVE_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control
+	sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json
+	sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.prerm.in > debian/signing-template/prerm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postrm.in > debian/signing-template/postrm
+	sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postinst.in > debian/signing-template/postinst
+	rm debian/signing-template/*.in
+	cp debian/SOURCE debian/signing-template/
+
 build: .compile_mark .tools_compile_mark .modules_compile_mark
 
 install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
@@ -161,6 +183,14 @@ endif
 
 	# strip debug info
 	find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+
+	# sign modules using ephemeral, embedded key
+	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+		find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do \
+			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
+		done; \
+		rm ./ubuntu-kernel/certs/signing_key.pem ; \
+	fi
 	# finalize
 	/sbin/depmod -b debian/${PVE_KERNEL_PKG}/ ${KVNAME}
 	# Autogenerate blacklist for watchdog devices (see README)
@@ -170,6 +200,22 @@ endif
 	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf
 	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source
 	rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build
+
+	# copy signing template contents
+	rm -rf debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}
+	mkdir -p debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+	cp -R debian/copyright \
+		debian/signing-template/rules \
+		debian/signing-template/control \
+		debian/signing-template/source \
+		debian/signing-template/changelog \
+		debian/signing-template/prerm \
+		debian/signing-template/postrm \
+		debian/signing-template/postinst \
+		debian/signing-template/SOURCE \
+		debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+	cp debian/signing-template/files.json debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/
+
 	touch $@
 
 .tools_compile_mark: .compile_mark

debian/signing-template/control.in

@@ -0,0 +1,25 @@
+Source: pve-kernel-signed
+Section: kernel
+Priority: optional
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Standards-Version: 4.2.0
+Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, pve-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)
+Rules-Requires-Root: no
+Vcs-Git: git://git.proxmox.com/git/pve-kernel
+Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
+
+Package: pve-kernel-@KVNAME@-signed
+Section: admin
+Priority: optional
+Architecture: any
+Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@
+Depends: ${unsigned:Depends}, ${misc:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Breaks: ${unsigned:Breaks}
+Conflicts: pve-kernel-@KVNAME@
+Replaces: pve-kernel-@KVNAME@
+Description: ${unsigned:DescriptionShort} (signed)
+ ${unsigned:DescriptionLong}
+ .
+ This package contains the kernel image signed by the Proxmox Secure Boot CA.

debian/signing-template/files.json.in

@@ -0,0 +1,13 @@
+{
+	"packages": {
+		"pve-kernel-@KVNAME@": {
+			"trusted_certs": [],
+			"files": [
+				{
+					"sig_type": "efi",
+					"file": "boot/vmlinuz-@KVNAME@"
+				}
+			]
+		}
+	}
+}

debian/signing-template/rules.in

@@ -0,0 +1,58 @@
+#!/usr/bin/make -f
+
+SHELL := bash -e
+
+export DH_OPTIONS
+
+include /usr/share/dpkg/architecture.mk
+
+KERNEL_VERSION=@KVNAME@
+IMAGE_PACKAGE_NAME=pve-kernel-$(KERNEL_VERSION)
+PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed
+PACKAGE_VERSION=@PKG_VERSION@
+PACKAGE_DIR=debian/$(PACKAGE_NAME)
+SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}
+
+build: build-arch build-indep
+build-arch:
+build-indep:
+
+clean:
+	dh_testdir
+	dh_clean
+
+binary: binary-arch binary-indep
+binary-arch:
+	dh_testdir
+	mkdir -p $(PACKAGE_DIR)/boot
+	rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/
+	if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+		sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+			$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+	else \
+		echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \
+		false; \
+	fi
+	mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+	rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
+	mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/
+	cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/
+	dh_install
+	dh_installchangelogs
+	dh_installdocs -A debian/copyright debian/SOURCE
+	dh_lintian
+	dh_compress
+	dh_fixperms
+	dh_installdeb
+	# Copy most package relations and description from unsigned package
+	for field in Depends Suggests Recommends Breaks; do \
+		echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
+	done
+	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
+	echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
+	dh_gencontrol -- -v$(PACKAGE_VERSION)
+	dh_md5sums
+	dh_builddeb
+binary-indep:
+
+.PHONY: build build-arch build-indep clean binary binary-arch binary-indep

debian/signing-template/source/format

@@ -0,0 +1 @@
+3.0 (native)