From 08068f0babe97623a624f14fd4b18a060e716b4e Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Tue, 31 Mar 2020 10:03:19 +0100
Subject: [PATCH 1/4] Make the PKCS self-test even simpler

Signed-off-by: Simon McVittie <smcv@debian.org>
---
 debian/changelog                              |  4 +-
 ...-simple-string-instead-of-etc-machin.patch | 39 +++++++++++++++++++
 ...tc-os-release-instead-of-etc-machine.patch | 25 ------------
 debian/patches/series                         |  2 +-
 4 files changed, 42 insertions(+), 28 deletions(-)
 create mode 100644 debian/patches/jcat-self-test-Sign-a-simple-string-instead-of-etc-machin.patch
 delete mode 100644 debian/patches/jcat-self-test-Sign-etc-os-release-instead-of-etc-machine.patch

diff --git a/debian/changelog b/debian/changelog
index 525b60a..cfab09b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,9 +2,9 @@ libjcat (0.1.0-2) UNRELEASED; urgency=medium
 
   * Fix FTBFS:
     - Add missing B-D on help2man
-    - jcat-self-test: Sign /etc/os-release instead of /etc/machine-id.
+    - jcat-self-test: Sign a string in RAM instead of /etc/machine-id.
       The autobuilders use a minimal chroot that doesn't necessarily have
-      a machine ID, but base-files gives us /etc/os-release.
+      a machine ID.
     (Closes: #955234)
 
  -- Simon McVittie <smcv@debian.org>  Sat, 28 Mar 2020 16:48:23 +0000
diff --git a/debian/patches/jcat-self-test-Sign-a-simple-string-instead-of-etc-machin.patch b/debian/patches/jcat-self-test-Sign-a-simple-string-instead-of-etc-machin.patch
new file mode 100644
index 0000000..de14b8b
--- /dev/null
+++ b/debian/patches/jcat-self-test-Sign-a-simple-string-instead-of-etc-machin.patch
@@ -0,0 +1,39 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Sat, 28 Mar 2020 16:46:44 +0000
+Subject: jcat-self-test: Sign a simple string instead of /etc/machine-id
+
+Containers and minimal autobuilder environments don't always have
+a systemd machine ID, or any init system or related packages at all.
+There's no real reason why we need the machine ID or a file here,
+and jcat_get_contents_bytes() is exercised elsewhere, so we can sign a
+string from memory instead.
+
+Bug: https://github.com/hughsie/libjcat/issues/22
+Signed-off-by: Simon McVittie <smcv@debian.org>
+Forwarded: https://github.com/hughsie/libjcat/pull/23
+---
+ libjcat/jcat-self-test.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libjcat/jcat-self-test.c b/libjcat/jcat-self-test.c
+index 18f5136..8fe6d10 100644
+--- a/libjcat/jcat-self-test.c
++++ b/libjcat/jcat-self-test.c
+@@ -481,6 +481,7 @@ static void
+ jcat_pkcs7_engine_self_signed_func (void)
+ {
+ #ifdef ENABLE_PKCS7
++	static char payload_str[] = "Hello, world!";
+ 	g_autofree gchar *str = NULL;
+ 	g_autoptr(JcatBlob) signature = NULL;
+ 	g_autoptr(JcatContext) context = jcat_context_new ();
+@@ -504,8 +505,7 @@ jcat_pkcs7_engine_self_signed_func (void)
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (engine);
+ 
+-	payload = jcat_get_contents_bytes ("/etc/machine-id", &error);
+-	g_assert_no_error (error);
++	payload = g_bytes_new_static (payload_str, sizeof (payload_str));
+ 	g_assert_nonnull (payload);
+ 	signature = jcat_engine_self_sign (engine, payload, JCAT_SIGN_FLAG_ADD_TIMESTAMP, &error);
+ 	g_assert_no_error (error);
diff --git a/debian/patches/jcat-self-test-Sign-etc-os-release-instead-of-etc-machine.patch b/debian/patches/jcat-self-test-Sign-etc-os-release-instead-of-etc-machine.patch
deleted file mode 100644
index 0dc89db..0000000
--- a/debian/patches/jcat-self-test-Sign-etc-os-release-instead-of-etc-machine.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Simon McVittie <smcv@debian.org>
-Date: Sat, 28 Mar 2020 16:46:44 +0000
-Subject: jcat-self-test: Sign /etc/os-release instead of /etc/machine-id
-
-Containers and minimal autobuilder environments don't always have
-a systemd machine ID, but os-release is fairly ubiquitous.
-
-Signed-off-by: Simon McVittie <smcv@debian.org>
----
- libjcat/jcat-self-test.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libjcat/jcat-self-test.c b/libjcat/jcat-self-test.c
-index 93de1fd..7c3558b 100644
---- a/libjcat/jcat-self-test.c
-+++ b/libjcat/jcat-self-test.c
-@@ -486,7 +486,7 @@ jcat_pkcs7_engine_self_signed_func (void)
- 	g_assert_no_error (error);
- 	g_assert_nonnull (engine);
- 
--	payload = jcat_get_contents_bytes ("/etc/machine-id", &error);
-+	payload = jcat_get_contents_bytes ("/etc/os-release", &error);
- 	g_assert_no_error (error);
- 	g_assert_nonnull (payload);
- 	signature = jcat_engine_self_sign (engine, payload, JCAT_SIGN_FLAG_ADD_TIMESTAMP, &error);
diff --git a/debian/patches/series b/debian/patches/series
index d685412..0bea4e8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1 @@
-jcat-self-test-Sign-etc-os-release-instead-of-etc-machine.patch
+jcat-self-test-Sign-a-simple-string-instead-of-etc-machin.patch
-- 
GitLab


From 41b3026614d6d5784f664e0833290f53eda2003f Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Sat, 28 Mar 2020 17:37:36 +0000
Subject: [PATCH 2/4] Install test data so that the installed-tests can pass

Patch cherry-picked from upstream.
---
 ...ke-the-installed-tests-actually-work.patch | 305 ++++++++++++++++++
 debian/patches/series                         |   1 +
 2 files changed, 306 insertions(+)
 create mode 100644 debian/patches/Make-the-installed-tests-actually-work.patch

diff --git a/debian/patches/Make-the-installed-tests-actually-work.patch b/debian/patches/Make-the-installed-tests-actually-work.patch
new file mode 100644
index 0000000..a3f847b
--- /dev/null
+++ b/debian/patches/Make-the-installed-tests-actually-work.patch
@@ -0,0 +1,305 @@
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 30 Mar 2020 11:52:01 +0100
+Subject: Make the installed tests actually work
+
+If the source or build directory is not available then it currently fails,
+which isn't the idea of installed tests at all...
+
+Also, as we're here, make the build 100% reproducable by sharing the build dir
+as an environment variable to the local tests rather than a cflag.
+
+To run the installed tests users can use:
+
+    gnome-desktop-testing-runner libjcat/libjcat.test
+
+Bug: https://github.com/hughsie/libjcat/issues/19
+Origin: upstream, commit:d6dc3e90b0c805cc50bff9d1d1b87ff575e53769
+---
+ data/tests/colorhug/meson.build |  5 ++--
+ data/tests/pki/meson.build      |  7 +++++
+ libjcat/jcat-self-test.c        | 58 +++++++++++++++++++++++++++--------------
+ libjcat/meson.build             | 11 +++++---
+ meson.build                     |  2 +-
+ 5 files changed, 57 insertions(+), 26 deletions(-)
+
+diff --git a/data/tests/colorhug/meson.build b/data/tests/colorhug/meson.build
+index 1851fbf..82e4b8b 100644
+--- a/data/tests/colorhug/meson.build
++++ b/data/tests/colorhug/meson.build
+@@ -1,8 +1,9 @@
+ install_data([
+     'firmware.bin',
+     'firmware.bin.asc',
++    'firmware.bin.p7b',
+   ],
+-  install_dir: installed_test_datadir,
++  install_dir: join_paths(installed_test_datadir, 'colorhug'),
+ )
+ 
+ if get_option('pkcs7')
+@@ -17,6 +18,6 @@ if get_option('pkcs7')
+                         '--infile', '@INPUT@',
+                         '--outfile', '@OUTPUT@'],
+     install: true,
+-    install_dir: installed_test_datadir,
++    install_dir: join_paths(installed_test_datadir, 'colorhug'),
+   )
+ endif
+diff --git a/data/tests/pki/meson.build b/data/tests/pki/meson.build
+index f35f2a9..958a385 100644
+--- a/data/tests/pki/meson.build
++++ b/data/tests/pki/meson.build
+@@ -1,3 +1,10 @@
++install_data([
++    'GPG-KEY-Linux-Vendor-Firmware-Service',
++    'LVFS-CA.pem',
++  ],
++  install_dir: join_paths(installed_test_datadir, 'pki'),
++)
++
+ # generate certificate
+ pkcs7_config = join_paths(meson.current_source_dir(), 'test.cfg')
+ pkcs7_certificate = custom_target('test.pem',
+diff --git a/libjcat/jcat-self-test.c b/libjcat/jcat-self-test.c
+index 93de1fd..18f5136 100644
+--- a/libjcat/jcat-self-test.c
++++ b/libjcat/jcat-self-test.c
+@@ -14,6 +14,24 @@
+ #include "jcat-item-private.h"
+ #include "jcat-result-private.h"
+ 
++static const gchar *
++jcat_test_srcdir (void)
++{
++	const gchar *testdatadir = g_getenv ("TESTDATADIR_SRC");
++	if (testdatadir != NULL)
++		return testdatadir;
++	return INSTALLEDTESTDIR;
++}
++
++static const gchar *
++jcat_test_dstdir (void)
++{
++	const gchar *testdatadir = g_getenv ("TESTDATADIR_DST");
++	if (testdatadir != NULL)
++		return testdatadir;
++	return INSTALLEDTESTDIR;
++}
++
+ static void
+ jcat_blob_func (void)
+ {
+@@ -216,7 +234,7 @@ jcat_sha1_engine_func (void)
+ 	g_assert_cmpint (jcat_engine_get_verify_kind (engine), ==, JCAT_ENGINE_VERIFY_KIND_CHECKSUM);
+ 
+ 	/* verify checksum */
+-	fn_pass = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin", NULL);
++	fn_pass = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin", NULL);
+ 	data_fwbin = jcat_get_contents_bytes (fn_pass, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fwbin);
+@@ -230,7 +248,7 @@ jcat_sha1_engine_func (void)
+ 	g_assert_cmpstr (jcat_result_get_authority (result_pass), ==, NULL);
+ 
+ 	/* verify will fail */
+-	fn_fail = g_build_filename (TESTDATADIR_SRC, "meson.build",NULL);
++	fn_fail = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin.asc", NULL);
+ 	data_fail = jcat_get_contents_bytes (fn_fail, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fail);
+@@ -274,7 +292,7 @@ jcat_sha256_engine_func (void)
+ 	g_assert_cmpint (jcat_engine_get_verify_kind (engine), ==, JCAT_ENGINE_VERIFY_KIND_CHECKSUM);
+ 
+ 	/* verify checksum */
+-	fn_pass = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin", NULL);
++	fn_pass = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin", NULL);
+ 	data_fwbin = jcat_get_contents_bytes (fn_pass, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fwbin);
+@@ -288,7 +306,7 @@ jcat_sha256_engine_func (void)
+ 	g_assert_cmpstr (jcat_result_get_authority (result_pass), ==, NULL);
+ 
+ 	/* verify will fail */
+-	fn_fail = g_build_filename (TESTDATADIR_SRC, "meson.build",NULL);
++	fn_fail = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin.asc", NULL);
+ 	data_fail = jcat_get_contents_bytes (fn_fail, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fail);
+@@ -340,7 +358,7 @@ jcat_gpg_engine_func (void)
+ 
+ 	/* set up context */
+ 	jcat_context_set_keyring_path (context, "/tmp/libjcat-self-test/var");
+-	pki_dir = g_build_filename (TESTDATADIR_SRC, "pki", NULL);
++	pki_dir = g_build_filename (jcat_test_srcdir (), "pki", NULL);
+ 	jcat_context_add_public_keys (context, pki_dir);
+ 
+ 	/* get engine */
+@@ -356,7 +374,7 @@ jcat_gpg_engine_func (void)
+ 	g_assert_cmpstr (str, ==, str_perfect);
+ 
+ 	/* verify with GnuPG */
+-	fn_pass = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin", NULL);
++	fn_pass = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin", NULL);
+ 	data_fwbin = jcat_get_contents_bytes (fn_pass, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fwbin);
+@@ -371,7 +389,7 @@ jcat_gpg_engine_func (void)
+ 			 "3FC6B804410ED0840D8F2F9748A6D80E4538BAC2");
+ 
+ 	/* verify will fail with GnuPG */
+-	fn_fail = g_build_filename (TESTDATADIR_SRC, "meson.build",NULL);
++	fn_fail = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin.asc", NULL);
+ 	data_fail = jcat_get_contents_bytes (fn_fail, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fail);
+@@ -406,7 +424,7 @@ jcat_pkcs7_engine_func (void)
+ 
+ 	/* set up context */
+ 	jcat_context_set_keyring_path (context, "/tmp/libjcat-self-test/var");
+-	pki_dir = g_build_filename (TESTDATADIR_SRC, "pki", NULL);
++	pki_dir = g_build_filename (jcat_test_srcdir (), "pki", NULL);
+ 	jcat_context_add_public_keys (context, pki_dir);
+ 
+ 	/* get engine */
+@@ -417,11 +435,11 @@ jcat_pkcs7_engine_func (void)
+ 	g_assert_cmpint (jcat_engine_get_verify_kind (engine), ==, JCAT_ENGINE_VERIFY_KIND_SIGNATURE);
+ 
+ 	/* verify with a signature from the old LVFS */
+-	fn_pass = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin", NULL);
++	fn_pass = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin", NULL);
+ 	data_fwbin = jcat_get_contents_bytes (fn_pass, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fwbin);
+-	fn_sig = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin.p7b", NULL);
++	fn_sig = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin.p7b", NULL);
+ 	data_sig = jcat_get_contents_bytes (fn_sig, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_sig);
+@@ -434,7 +452,7 @@ jcat_pkcs7_engine_func (void)
+ 	g_assert_cmpstr (jcat_result_get_authority (result_pass), == , "O=Linux Vendor Firmware Project,CN=LVFS CA");
+ 
+ 	/* verify will fail with a self-signed signature */
+-	sig_fn2 = g_build_filename (TESTDATADIR_DST, "colorhug", "firmware.bin.p7c", NULL);
++	sig_fn2 = g_build_filename (jcat_test_dstdir (), "colorhug", "firmware.bin.p7c", NULL);
+ 	blob_sig2 = jcat_get_contents_bytes (sig_fn2, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (blob_sig2);
+@@ -445,7 +463,7 @@ jcat_pkcs7_engine_func (void)
+ 	g_clear_error (&error);
+ 
+ 	/* verify will fail with valid signature and different data */
+-	fn_fail = g_build_filename (TESTDATADIR_SRC, "meson.build",NULL);
++	fn_fail = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin.asc", NULL);
+ 	data_fail = jcat_get_contents_bytes (fn_fail, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fail);
+@@ -533,7 +551,7 @@ jcat_context_verify_blob_func (void)
+ 
+ 	/* set up context */
+ 	jcat_context_set_keyring_path (context, "/tmp");
+-	pki_dir = g_build_filename (TESTDATADIR_SRC, "pki", NULL);
++	pki_dir = g_build_filename (jcat_test_srcdir (), "pki", NULL);
+ 	jcat_context_add_public_keys (context, pki_dir);
+ 
+ 	/* get all engines */
+@@ -554,11 +572,11 @@ jcat_context_verify_blob_func (void)
+ 	g_clear_error (&error);
+ 
+ 	/* verify blob */
+-	fn_pass = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin", NULL);
++	fn_pass = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin", NULL);
+ 	data_fwbin = jcat_get_contents_bytes (fn_pass, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fwbin);
+-	fn_sig = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin.p7b", NULL);
++	fn_sig = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin.p7b", NULL);
+ 	data_sig = jcat_get_contents_bytes (fn_sig, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_sig);
+@@ -600,7 +618,7 @@ jcat_context_verify_item_sign_func (void)
+ 
+ 	/* set up context */
+ 	jcat_context_set_keyring_path (context, "/tmp");
+-	pki_dir = g_build_filename (TESTDATADIR_SRC, "pki", NULL);
++	pki_dir = g_build_filename (jcat_test_srcdir (), "pki", NULL);
+ 	jcat_context_add_public_keys (context, pki_dir);
+ 
+ 	/* get all engines */
+@@ -621,11 +639,11 @@ jcat_context_verify_item_sign_func (void)
+ 	g_clear_error (&error);
+ 
+ 	/* verify blob */
+-	fn_pass = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin", NULL);
++	fn_pass = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin", NULL);
+ 	data_fwbin = jcat_get_contents_bytes (fn_pass, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fwbin);
+-	fn_sig = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin.p7b", NULL);
++	fn_sig = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin.p7b", NULL);
+ 	data_sig = jcat_get_contents_bytes (fn_sig, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_sig);
+@@ -679,7 +697,7 @@ jcat_context_verify_item_csum_func (void)
+ 
+ 	/* set up context */
+ 	jcat_context_set_keyring_path (context, "/tmp");
+-	pki_dir = g_build_filename (TESTDATADIR_SRC, "pki", NULL);
++	pki_dir = g_build_filename (jcat_test_srcdir (), "pki", NULL);
+ 	jcat_context_add_public_keys (context, pki_dir);
+ 
+ 	/* get all engines */
+@@ -700,7 +718,7 @@ jcat_context_verify_item_csum_func (void)
+ 	g_clear_error (&error);
+ 
+ 	/* verify blob */
+-	fn_pass = g_build_filename (TESTDATADIR_SRC, "colorhug", "firmware.bin", NULL);
++	fn_pass = g_build_filename (jcat_test_srcdir (), "colorhug", "firmware.bin", NULL);
+ 	data_fwbin = jcat_get_contents_bytes (fn_pass, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_nonnull (data_fwbin);
+diff --git a/libjcat/meson.build b/libjcat/meson.build
+index 00b8cc7..7a6c622 100644
+--- a/libjcat/meson.build
++++ b/libjcat/meson.build
+@@ -199,6 +199,12 @@ if get_option('tests')
+   if get_option('pkcs7')
+     test_deps += colorhug_pkcs7_signature
+   endif
++  testdatadirs = environment(
++    {
++      'TESTDATADIR_SRC' : testdatadir_src,
++      'TESTDATADIR_DST' : testdatadir_dst,
++    }
++  )
+   e = executable(
+     'jcat-self-test',
+     test_deps,
+@@ -222,13 +228,12 @@ if get_option('tests')
+       libjcat_deps,
+     ],
+     c_args : [
+-      '-DTESTDATADIR_SRC="' + testdatadir_src + '"',
+-      '-DTESTDATADIR_DST="' + testdatadir_dst + '"',
++      '-DINSTALLEDTESTDIR="' + installed_test_datadir + '"',
+     ],
+     install : true,
+     install_dir : installed_test_bindir
+   )
+-  test('jcat-self-test', e)
++  test('jcat-self-test', e, env : testdatadirs)
+ endif
+ 
+ jcat_incdir = include_directories('.')
+diff --git a/meson.build b/meson.build
+index 0ea1ae5..c94b8f1 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1,7 +1,7 @@
+ project('libjcat', 'c',
+   version : '0.1.0',
+   license : 'LGPL-2.1+',
+-  meson_version : '>=0.47.0',
++  meson_version : '>=0.52.0',
+   default_options : ['warning_level=2', 'c_std=c99'],
+ )
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 0bea4e8..753da31 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
+Make-the-installed-tests-actually-work.patch
 jcat-self-test-Sign-a-simple-string-instead-of-etc-machin.patch
-- 
GitLab


From 63f73c3f3d761a57f99324435ca17d35eb5d5a7e Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Sat, 28 Mar 2020 16:28:29 +0000
Subject: [PATCH 3/4] Add some simple autopkgtest coverage

Closes: #955259
Signed-off-by: Simon McVittie <smcv@debian.org>
---
 debian/tests/control       |  6 ++++++
 debian/tests/libjcat-dev   | 37 +++++++++++++++++++++++++++++++++++++
 debian/tests/libjcat-tests |  4 ++++
 3 files changed, 47 insertions(+)
 create mode 100644 debian/tests/control
 create mode 100755 debian/tests/libjcat-dev
 create mode 100755 debian/tests/libjcat-tests

diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..02684f1
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,6 @@
+Tests: libjcat-tests
+Depends: gnome-desktop-testing, libjcat-tests
+
+Tests: libjcat-dev
+Depends: build-essential, libjcat-dev, pkg-config
+Restrictions: allow-stderr superficial
diff --git a/debian/tests/libjcat-dev b/debian/tests/libjcat-dev
new file mode 100755
index 0000000..4f5fd22
--- /dev/null
+++ b/debian/tests/libjcat-dev
@@ -0,0 +1,37 @@
+#!/bin/sh
+# autopkgtest check: Build and run a program against libjcat, to verify
+# that the headers and pkg-config file are installed correctly
+# (C) 2012 Canonical Ltd.
+# (C) 2018-2020 Simon McVittie
+# Authors: Martin Pitt, Simon McVittie
+
+set -eux
+
+WORKDIR=$(mktemp -d)
+export XDG_RUNTIME_DIR="$WORKDIR"
+trap 'rm -rf "$WORKDIR"' 0 INT QUIT ABRT PIPE TERM
+cd "$WORKDIR"
+
+if [ -n "${DEB_HOST_GNU_TYPE:-}" ]; then
+    CROSS_COMPILE="${DEB_HOST_GNU_TYPE}-"
+else
+    CROSS_COMPILE=
+fi
+
+cat <<'EOF' > simple.c
+#include <jcat.h>
+
+int main(void)
+{
+    g_assert_cmpstr(jcat_blob_kind_to_string(JCAT_BLOB_KIND_SHA256), ==, "sha256");
+    return 0;
+}
+EOF
+
+# Deliberately word-splitting pkg-config's output:
+# shellcheck disable=SC2046
+"${CROSS_COMPILE}gcc" -o simple simple.c $("${CROSS_COMPILE}pkg-config" --cflags --libs jcat)
+echo "build: OK"
+[ -x ./simple ]
+./simple
+echo "run: OK"
diff --git a/debian/tests/libjcat-tests b/debian/tests/libjcat-tests
new file mode 100755
index 0000000..bdc6edf
--- /dev/null
+++ b/debian/tests/libjcat-tests
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+set -eu
+gnome-desktop-testing-runner libjcat
-- 
GitLab


From 4ba8554319ae8aee159d889414529359a33c7d55 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Sat, 28 Mar 2020 19:44:38 +0000
Subject: [PATCH 4/4] Update changelog

Signed-off-by: Simon McVittie <smcv@debian.org>
---
 debian/changelog | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index cfab09b..30a05a9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,8 +6,18 @@ libjcat (0.1.0-2) UNRELEASED; urgency=medium
       The autobuilders use a minimal chroot that doesn't necessarily have
       a machine ID.
     (Closes: #955234)
+  * Fix -dev package dependencies:
+    - libjcat-dev: Add missing -dev dependencies for dependency libraries
+    - libjcat-dev: Add missing dependency on a matching libjcat1
+    - d/control: Enable gir debhelper sequence.
+      Otherwise ${gir:Depends} won't be generated.
+    (Closes: #955258)
+  * Install test data so that the installed-tests can pass
+    (patch cherry-picked from upstream).
+  * Add some simple autopkgtest coverage, now that it can pass
+    (Closes: #955259)
 
- -- Simon McVittie <smcv@debian.org>  Sat, 28 Mar 2020 16:48:23 +0000
+ -- Simon McVittie <smcv@debian.org>  Sat, 28 Mar 2020 19:43:32 +0000
 
 libjcat (0.1.0-1) unstable; urgency=medium
 
-- 
GitLab