diff options
-rw-r--r-- | debian/changelog | 22 | ||||
-rw-r--r-- | debian/compat | 1 | ||||
-rw-r--r-- | debian/control | 88 | ||||
-rw-r--r-- | debian/copyright | 15 | ||||
-rw-r--r-- | debian/gbp.conf | 6 | ||||
-rw-r--r-- | debian/lacme-accountd.install | 2 | ||||
-rw-r--r-- | debian/lacme-accountd.manpages | 1 | ||||
-rw-r--r-- | debian/lacme.dirs | 1 | ||||
-rw-r--r-- | debian/lacme.install | 5 | ||||
-rw-r--r-- | debian/lacme.manpages | 1 | ||||
-rw-r--r-- | debian/patches/0001-Mention-the-Debian-BTS-in-the-manpages.patch | 47 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rwxr-xr-x | debian/rules | 4 | ||||
-rw-r--r-- | debian/source.lintian-overrides | 2 | ||||
-rw-r--r-- | debian/source/format | 1 |
15 files changed, 197 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..f05b265 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,22 @@ +lacme (0.3-1) UNRELEASED; urgency=low + + * New upstream release. + * Provide nginx configuration snippet in /etc/lacme/nginx.conf + * debian/control: Bump Standards-Version to 4.0.0. No changes. + + -- Guilhem Moulin <guilhem@debian.org> Wed, 28 Jun 2017 22:14:15 +0200 + +lacme (0.2-1) unstable; urgency=low + + * New upstream release. + * debian/control: + + Promote lacme-accountd from lacme's Suggests to Recommends. + + Bump Standards-Version to 3.9.8. No changes. + + -- Guilhem Moulin <guilhem@guilhem.org> Mon, 05 Dec 2016 16:35:59 +0100 + +lacme (0.1-1) unstable; urgency=low + + * Initial release. (Closes: #827357, #827358.) + + -- Guilhem Moulin <guilhem@guilhem.org> Tue, 08 Dec 2015 18:58:20 +0100 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..93c26f7 --- /dev/null +++ b/debian/control @@ -0,0 +1,88 @@ +Source: lacme +Section: utils +Priority: optional +Maintainer: Guilhem Moulin <guilhem@debian.org> +Build-Depends: debhelper (>= 9), jq, pandoc +Standards-Version: 4.0.0 +Homepage: https://git.guilhem.org/lacme/about/ +Vcs-Git: https://git.guilhem.org/lacme +Vcs-Browser: https://git.guilhem.org/lacme + +Package: lacme +Architecture: all +Depends: ${misc:Depends}, ${perl:Depends}, + openssl, + libconfig-tiny-perl, + libjson-perl, + libwww-perl, + libnet-ssleay-perl +Recommends: liblwp-protocol-https-perl, lacme-accountd (= ${binary:Version}) +Description: ACME client written with process isolation and minimal privileges in mind + lacme is divided into four components, each with its own executable: + . + * A process to manage the account key and issue SHA-256 signatures needed for + each ACME command. (This process binds to a UNIX-domain socket to reply to + signature requests from the ACME client.) One can use the UNIX-domain + socket forwarding facility of OpenSSH 6.7 and later to run this process on + a different host. + . + * A "master" process, which runs as root and is the only component + with access to the private key material of the server keys. It is used to + fork the ACME client (and optionally the ACME webserver) after dropping + root privileges. For certificate issuances, it also generates Certificate + Signing Requests, then verifies the validity of the issued certificate, and + optionally reloads or restarts services. + . + * An actual ACME client, which builds ACME commands and dialogues with + the remote ACME server. Since ACME commands need to be signed with the + account key, the "master" process passes the UNIX-domain socket of the + account key manager to the ACME client: data signatures are requested by + writing the data to be signed to the socket. + . + * For certificate issuances, an optional webserver, which is spawned + by the "master" process when no service is listening on the HTTP port. + (The only challenge type currently supported is "http-01", which requires a + webserver to answer challenges.) That webserver only processes GET and + HEAD requests under the "/.well-known/acme-challenge/" URI. By default + some iptables(8) rules are automatically installed to open the HTTP port, + and removed afterwards. + +Package: lacme-accountd +Architecture: all +Depends: ${misc:Depends}, ${perl:Depends}, + libconfig-tiny-perl, + libjson-perl +Recommends: libcrypt-openssl-rsa-perl +Description: lacme account key manager + lacme is an ACME client written with process isolation and minimal privileges + in mind. It is divided into four components, each with its own executable: + . + * A process to manage the account key and issue SHA-256 signatures needed for + each ACME command. (This process binds to a UNIX-domain socket to reply to + signature requests from the ACME client.) One can use the UNIX-domain + socket forwarding facility of OpenSSH 6.7 and later to run this process on + a different host. + . + * A "master" process, which runs as root and is the only component + with access to the private key material of the server keys. It is used to + fork the ACME client (and optionally the ACME webserver) after dropping + root privileges. For certificate issuances, it also generates Certificate + Signing Requests, then verifies the validity of the issued certificate, and + optionally reloads or restarts services. + . + * An actual ACME client, which builds ACME commands and dialogues with + the remote ACME server. Since ACME commands need to be signed with the + account key, the "master" process passes the UNIX-domain socket of the + account key manager to the ACME client: data signatures are requested by + writing the data to be signed to the socket. + . + * For certificate issuances, an optional webserver, which is spawned + by the "master" process when no service is listening on the HTTP port. + (The only challenge type currently supported is "http-01", which requires a + webserver to answer challenges.) That webserver only processes GET and + HEAD requests under the "/.well-known/acme-challenge/" URI. By default + some iptables(8) rules are automatically installed to open the HTTP port, + and removed afterwards. + . + lacme-accountd is the first (account key manager) component. It is the only + component with access to the account key. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..51440e8 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,15 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Source: native package + +Files: * +Copyright: © 2015 Guilhem Moulin <guilhem@fripost.org> +License: GPL-3+ + +License: GPL-3+ + This package is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 3 of the License, or (at your + option) any later version. + . + On Debian systems, the complete text of the GNU General Public License + version 3 can be found in file "/usr/share/common-licenses/GPL-3". diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..4daf79f --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,6 @@ +[DEFAULT] +upstream-branch = master +debian-branch = debian +upstream-tag = upstream/%(version)s +debian-tag = debian/%(version)s +pristine-tar = False diff --git a/debian/lacme-accountd.install b/debian/lacme-accountd.install new file mode 100644 index 0000000..9070589 --- /dev/null +++ b/debian/lacme-accountd.install @@ -0,0 +1,2 @@ +lacme-accountd /usr/bin +config/lacme-accountd.conf /etc/lacme diff --git a/debian/lacme-accountd.manpages b/debian/lacme-accountd.manpages new file mode 100644 index 0000000..953a66d --- /dev/null +++ b/debian/lacme-accountd.manpages @@ -0,0 +1 @@ +lacme-accountd.1 diff --git a/debian/lacme.dirs b/debian/lacme.dirs new file mode 100644 index 0000000..47f5aa9 --- /dev/null +++ b/debian/lacme.dirs @@ -0,0 +1 @@ +etc/lacme/lacme-certs.conf.d diff --git a/debian/lacme.install b/debian/lacme.install new file mode 100644 index 0000000..3525aa2 --- /dev/null +++ b/debian/lacme.install @@ -0,0 +1,5 @@ +lacme /usr/sbin +client webserver /usr/lib/lacme +config/lacme-certs.conf config/lacme.conf /etc/lacme +snippets/apache2.conf snippets/nginx.conf /etc/lacme +certs/lets-encrypt-x[1-4]-cross-signed.pem /usr/share/lacme diff --git a/debian/lacme.manpages b/debian/lacme.manpages new file mode 100644 index 0000000..e438c58 --- /dev/null +++ b/debian/lacme.manpages @@ -0,0 +1 @@ +lacme.1 diff --git a/debian/patches/0001-Mention-the-Debian-BTS-in-the-manpages.patch b/debian/patches/0001-Mention-the-Debian-BTS-in-the-manpages.patch new file mode 100644 index 0000000..d43231c --- /dev/null +++ b/debian/patches/0001-Mention-the-Debian-BTS-in-the-manpages.patch @@ -0,0 +1,47 @@ +From 736780d04831312953466c1a69f339af0ec7f2a9 Mon Sep 17 00:00:00 2001 +From: Guilhem Moulin <guilhem@debian.org> +Date: Thu, 1 Dec 2016 00:49:17 +0100 +Subject: [PATCH] Mention the Debian BTS in the manpages. + +--- + lacme-accountd.md | 6 ++++++ + lacme.md | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/lacme-accountd.md b/lacme-accountd.md +index 4d3e1a5..fd5d360 100644 +--- a/lacme-accountd.md ++++ b/lacme-accountd.md +@@ -130,6 +130,12 @@ execute [`lacme`(1)] remotely: + ~$ ssh -oExitOnForwardFailure=yes -tt -R /path/to/remote.sock:$XDG_RUNTIME_DIR/S.lacme user@example.org \ + sudo lacme --socket=/path/to/remote.sock new-cert + ++Bugs and feedback ++================= ++ ++Bugs or feature requests for `lacme-accountd` should be filed with the ++Debian project's bug tracker at <<https://www.debian.org/Bugs/>>. ++ + See also + ======== + +diff --git a/lacme.md b/lacme.md +index b086fe7..8d85075 100644 +--- a/lacme.md ++++ b/lacme.md +@@ -387,6 +387,12 @@ Examples + ~$ sudo lacme new-cert + ~$ sudo lacme revoke-cert /path/to/server/certificate.pem + ++Bugs and feedback ++================= ++ ++Bugs or feature requests for `lacme` should be filed with the Debian ++project's bug tracker at <<https://www.debian.org/Bugs/>>. ++ + See also + ======== + +-- +2.10.2 + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..98a1097 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +0001-Mention-the-Debian-BTS-in-the-manpages.patch diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..2d33f6a --- /dev/null +++ b/debian/rules @@ -0,0 +1,4 @@ +#!/usr/bin/make -f + +%: + dh $@ diff --git a/debian/source.lintian-overrides b/debian/source.lintian-overrides new file mode 100644 index 0000000..264ad5e --- /dev/null +++ b/debian/source.lintian-overrides @@ -0,0 +1,2 @@ +# this repository is also upstream +debian-watch-file-is-missing diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) |