[SRU][UNSTABLE][I][PATCH] UBUNTU: [Packaging] Add system trusted and revocation keys final check
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Wed Oct 13 16:20:37 UTC 2021
If certificates are packaged, the config keys to use them must be
enabled otherwise boot testing will fail. This check ensures early
detection of incorrect configuration when rebasing derivative kernels.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
debian/scripts/misc/final-checks | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/debian/scripts/misc/final-checks b/debian/scripts/misc/final-checks
index 6619dcec50..8a977745a6 100755
--- a/debian/scripts/misc/final-checks
+++ b/debian/scripts/misc/final-checks
@@ -56,6 +56,18 @@ then
failure "$abi_version ABI version mismatch ($abi != $version)"
fi
+if [ -d debian/certs ]; then
+ if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then
+ failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required"
+ fi
+fi
+
+if [ -d debian/revoked-certs ]; then
+ if ! grep -q '^CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"$' $debian/config/config.common.ubuntu; then
+ failure "'CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"' is required"
+ fi
+fi
+
for arch in $archs
do
image_pkg=$(awk -F '\\s*=\\s*' '$1 == "do_flavour_image_package" { print $2 }' $debian/rules.d/$arch.mk)
--
2.30.2
More information about the kernel-team
mailing list