Merge ~vorlon/ubuntu/+source/ssl-cert:lp.2037869 into ubuntu/+source/ssl-cert:ubuntu/devel

Proposed by Steve Langasek
Status: Merged
Merged at revision: 2d4f9e8c4ab1023522aac967789df414b1ff060a
Proposed branch: ~vorlon/ubuntu/+source/ssl-cert:lp.2037869
Merge into: ubuntu/+source/ssl-cert:ubuntu/devel
Diff against target: 60 lines (+23/-1)
4 files modified
debian/changelog (+9/-0)
debian/control (+2/-1)
debian/rules (+1/-0)
debian/ssl-cert.service (+11/-0)
Reviewer | Review Type | Date Requested | Status
Michael Hudson-Doyle (community) | | | Needs Information
Nick Rosbrook (community) | | | Approve
Ubuntu Server | | | Pending
Dan Bungert | | | Pending
Review via email: mp+452495@code.launchpad.net
Nick Rosbrook (enr0n) wrote :

The service file looks appropriately configured for first-boot, so LGTM.

review: Approve
Steve Langasek (vorlon) wrote :

Unfortunately, discussing the subiquity side of this and talking to xnox, it seems we can't trust ConditionFirstBoot to be correct, so I'm looking at doing this with ConditionFileExists instead

Nick Rosbrook (enr0n) wrote :

> Unfortunately, discussing the subiquity side of this and talking to xnox, it
> seems we can't trust ConditionFirstBoot to be correct, so I'm looking at doing
> this with ConditionFileExists instead

Ah, yeah I should have added that this depends on certain behavior around /etc/machine-id (or potentially systemd.condition-first-boot).

Steve Langasek (vorlon) wrote :

Adjusted to use ConditionPathExists=!/etc/ssl/private/ssl-cert-snakeoil.key

Michael Hudson-Doyle (mwhudson) :
review: Needs Fixing
Steve Langasek (vorlon) wrote :

right, fixed up the systemd service properly, and did a boot test with it in lxd. looks better to me now, WDYT?

Michael Hudson-Doyle (mwhudson) wrote :

Still a bit of a quibble but I think it's a minor one if you just want to get this done.

review: Needs Information
Steve Langasek (vorlon) :

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 5e91747..b833c4c 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,12 @@
6+ssl-cert (1.1.2ubuntu1) mantic; urgency=medium
7+
8+ * Add a systemd unit to generate a fresh private key for each
9+ installed system when ssl-cert is preinstalled in installation media
10+ (true for all Ubuntu and flavor desktop live images today).
11+ LP: #2037869.
12+
13+ -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 30 Sep 2023 21:19:41 -0700
14+
15 ssl-cert (1.1.2) unstable; urgency=medium
16
17 [ Simon Chopin ]
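Review bot: The new entry (the "Add a systemd unit to generate a fresh private key" item) does not say when the unit actually runs. In debian/ssl-cert.service it is gated on ConditionPathExists=!/etc/ssl/private/ssl-cert-snakeoil.key, so a fresh key is generated only if that file is absent at boot. State that condition in the entry so that image and installer maintainers know the preinstalled key must not be carried into the installed system for this change to take effect.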
18diff --git a/debian/control b/debian/control
19index 86165ba..ffd71ed 100644
20--- a/debian/control
21+++ b/debian/control
22@@ -1,7 +1,8 @@
23 Source: ssl-cert
24 Section: utils
25 Priority: optional
26-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
27+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
28+XSBC-Original-Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
29 Uploaders: Stefan Fritsch <sf@debian.org>
30 Build-Depends: debhelper-compat (= 12), po-debconf
31 Standards-Version: 4.6.0
32diff --git a/debian/rules b/debian/rules
33index 23d1661..ca6320d 100755
34--- a/debian/rules
35+++ b/debian/rules
36@@ -6,6 +6,7 @@ install:
37 dh_clean
38 dh_installdirs
39 dh_installdocs README
40+ dh_installsystemd
41 dh_installman make-ssl-cert.8
42 dh_installchangelogs
43 dh_lintian
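Review bot: dh_installsystemd is added to the install target with no options, so by default the unit is enabled and started from the maintainer scripts at package install time, not only at boot of an installed system. If starting at install time is not wanted, pass --no-start; either way, a comment next to this line saying which behaviour is intended would help the next person who reads debian/rules.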
44diff --git a/debian/ssl-cert.service b/debian/ssl-cert.service
45new file mode 100644
46index 0000000..09665f2
47--- /dev/null
48+++ b/debian/ssl-cert.service
49@@ -0,0 +1,11 @@
50+[Unit]
51+Description=Generate snakeoil SSL keypair
52+ConditionPathExists=!/etc/ssl/private/ssl-cert-snakeoil.key
53+
54+[Service]
55+Type=oneshot
56+RemainAfterExit=yes
57+ExecStart=-/usr/sbin/make-ssl-cert generate-default-snakeoil --force-overwrite
58+
59+[Install]
60+WantedBy=multi-user.target
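Review bot: The "-" prefix on ExecStart= in [Service] makes systemd ignore a non-zero exit from make-ssl-cert, and with Type=oneshot plus RemainAfterExit=yes the unit then shows as active even though no key was written. Drop the "-" so that a failed generation leaves the unit in the failed state, where it will be noticed. Separately, [Unit] has no Before= ordering, so with only WantedBy=multi-user.target a service that reads /etc/ssl/private/ssl-cert-snakeoil.key can start in parallel with this unit and find the key missing; consider ordering this unit before such consumers.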
