Implement an sk-api version selection shim deb package

When OpenSSH increments the sk-api version, it breaks existing middleware until they upgrade the API version they target. To accommodate this, we now have a top-level shim deb package that depends on different packages, each one depending on a different sk-api version. As long as each of those lower-level packages depends on a disjoint set of OpenSSH versions, dpkg will automatically choose the correct version for us.
mgbowen · Nov 11, 2020 · 85dae67 · 85dae67
1 parent f9422ae
commit 85dae67
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 20 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -7,8 +7,8 @@ option(BUILD_TESTS "Build tests" ON)
 
 # Configurable OpenSSH security key API version
 set(SK_API_VERSION 5 CACHE STRING "OpenSSH security key API version to target")
-list(APPEND valid_sk_api_versions 5 7)
-if (NOT SK_API_VERSION IN_LIST valid_sk_api_versions)
+list(APPEND VALID_SK_API_VERSIONS 5 7)
+if (NOT SK_API_VERSION IN_LIST VALID_SK_API_VERSIONS)
     message(FATAL_ERROR "Unrecognized OpenSSH security key API version \"${SK_API_VERSION}\"")
 endif()
 
@@ -98,14 +98,10 @@ elseif (BUILD_WINDOWS_TARGET)
     add_subdirectory(src/windows)
 endif()
 
-# Only install in a deb
-install(FILES "${CMAKE_SOURCE_DIR}/package/deb/copyright"
-    DESTINATION share/doc/windows-fido-bridge
-    COMPONENT deb
-    EXCLUDE_FROM_ALL
-)
-
 set(CPACK_GENERATOR DEB)
+set(CPACK_DEB_COMPONENT_INSTALL ON)
+set(CPACK_COMPONENTS_ALL_IN_ONE_PACKAGE OFF)
+set(CPACK_COMPONENTS_GROUPING ONE_PER_GROUP)
 
 set(CPACK_PACKAGE_VERSION_MAJOR 1)
 set(CPACK_PACKAGE_VERSION_MINOR 0)
@@ -114,18 +110,90 @@ set(CPACK_PACKAGE_VERSION_PATCH 0)
 set(CPACK_PACKAGE_CONTACT "Matthew Bowen <matthew@mgbowen.com>")
 set(CPACK_PACKAGE_HOMEPAGE_URL "https://github.com/mgbowen/windows-fido-bridge")
 
-set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "\
-an OpenSSH security key middleware for WSL \
-\n windows-fido-bridge is an OpenSSH security key middleware that allows you \
-\n to use a FIDO2/U2F security key (e.g. a YubiKey) to SSH into a remote server \
+#
+# real_deb_group
+#
+
+set(CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_NAME "windows-fido-bridge-skapiv${SK_API_VERSION}")
+
+set(CPACK_COMPONENT_REAL_DEB_GROUP_DESCRIPTION "\
+an OpenSSH security key middleware for WSL (for OpenSSH sk-api v${SK_API_VERSION}) \
+\nwindows-fido-bridge is an OpenSSH security key middleware that allows you \
+\nto use a FIDO2/U2F security key (e.g. a YubiKey) to SSH into a remote server \
 \n from WSL.")
 
-set(CPACK_DEBIAN_FILE_NAME DEB-DEFAULT)
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "openssh-client (>=1:8.3)")
-set(CPACK_DEBIAN_PACKAGE_SHLIBDEPS ON)
+# Only install in a deb
+install(FILES "${CMAKE_SOURCE_DIR}/package/deb/copyright"
+    DESTINATION "share/doc/${CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_NAME}"
+    COMPONENT real_deb
+    EXCLUDE_FROM_ALL
+)
+
+set(CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_DEPENDS
+    "windows-fido-bridge (= ${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH})"
+)
 
-set(CPACK_COMPONENTS_ALL Unspecified deb)
-set(CPACK_COMPONENTS_ALL_IN_ONE_PACKAGE ON)
-set(CPACK_DEB_COMPONENT_INSTALL ON)
+if ("${SK_API_VERSION}" EQUAL 5)
+    set(CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_DEPENDS
+        "${CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_DEPENDS}, openssh-client (>= 1:8.3), openssh-client (<< 1:8.4)"
+    )
+elseif ("${SK_API_VERSION}" EQUAL 7)
+    set(CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_DEPENDS
+        "${CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_DEPENDS}, openssh-client (>= 1:8.4)"
+    )
+else()
+    message(FATAL_ERROR "Unknown SK_API_VERSION ${SK_API_VERSION} when configuring deb package")
+endif()
+
+set(CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_SHLIBDEPS ON)
+
+# Transitioning to separate packages for each OpenSSH sk-api, so we need to
+# conflict with the first public release to avoid installation problems.
+set(CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_CONFLICTS "windows-fido-bridge (<< 1.1.0)")
+
+# Conflict with all other known sk-api versions.
+foreach (ver IN LISTS VALID_SK_API_VERSIONS)
+    if ("${ver}" EQUAL "${SK_API_VERSION}")
+        set(CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_CONFLICTS
+            "${CPACK_DEBIAN_REAL_DEB_GROUP_PACKAGE_CONFLICTS}, windows-fido-bridge-skapiv${ver}"
+        )
+    endif()
+endforeach()
+
+set(CPACK_COMPONENT_REAL_DEB_GROUP real_deb_group)
+set(CPACK_COMPONENT_UNSPECIFIED_GROUP real_deb_group)
+set(CPACK_DEBIAN_REAL_DEB_GROUP_FILE_NAME DEB-DEFAULT)
+
+#
+# version_selection_shim_group
+#
+
+set(CPACK_DEBIAN_VERSION_SELECTION_SHIM_GROUP_PACKAGE_NAME "windows-fido-bridge")
+
+set(CPACK_COMPONENT_VERSION_SELECTION_SHIM_GROUP_DESCRIPTION "\
+an OpenSSH security key middleware for WSL (skapi version selection shim) \
+\nwindows-fido-bridge is an OpenSSH security key middleware that allows you \
+\nto use a FIDO2/U2F security key (e.g. a YubiKey) to SSH into a remote server \
+\n from WSL.")
+
+# Only install in a deb
+install(FILES "${CMAKE_SOURCE_DIR}/package/deb/version-selection-shim-copyright"
+    DESTINATION share/doc/windows-fido-bridge
+    RENAME copyright
+    COMPONENT version_selection_shim
+    EXCLUDE_FROM_ALL
+)
+
+set(CPACK_DEBIAN_VERSION_SELECTION_SHIM_GROUP_PACKAGE_DEPENDS "")
+foreach (ver IN LISTS VALID_SK_API_VERSIONS)
+    if (NOT "${CPACK_DEBIAN_VERSION_SELECTION_SHIM_GROUP_PACKAGE_DEPENDS}" STREQUAL "")
+        set(CPACK_DEBIAN_VERSION_SELECTION_SHIM_GROUP_PACKAGE_DEPENDS "${CPACK_DEBIAN_VERSION_SELECTION_SHIM_GROUP_PACKAGE_DEPENDS} | ")
+    endif()
+
+    set(CPACK_DEBIAN_VERSION_SELECTION_SHIM_GROUP_PACKAGE_DEPENDS "${CPACK_DEBIAN_VERSION_SELECTION_SHIM_GROUP_PACKAGE_DEPENDS}windows-fido-bridge-skapiv${ver}")
+endforeach()
+
+set(CPACK_COMPONENT_VERSION_SELECTION_SHIM_GROUP version_selection_shim_group)
+set(CPACK_DEBIAN_VERSION_SELECTION_SHIM_GROUP_FILE_NAME DEB-DEFAULT)
 
 include(CPack)
diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ installing that package instead of using `make install`:
 sudo apt install debhelper
 
 make package
-sudo apt install ./windows-fido-bridge_*_*.deb
+sudo apt install ./windows-fido-bridge_*_*.deb ./windows-fido-bridge-skapi*_*_*.deb
 ```
 
 Note that if you install the deb package, apt will place the built binaries in

diff --git a/package/deb/version-selection-shim-copyright b/package/deb/version-selection-shim-copyright
@@ -0,0 +1,21 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Files: *
+Copyright: 2020, Matthew Bowen
+License: Apache-2
+
+License: Apache-2
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ .
+     http://www.apache.org/licenses/LICENSE-2.0
+ .
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ .
+ On Debian systems, the full text of the Apache License, Version 2.0 can be
+ found in the file `/usr/share/common-licenses/Apache-2.0'.