[SRU][H][F][PATCH] UBUNTU: [Packaging] Add system trusted and revocation keys final check

Dimitri John Ledkov dimitri.ledkov at canonical.com
Wed Oct 13 16:20:38 UTC 2021


If certificates are packaged, the config keys to use them must be
enabled, otherwise boot testing will fail. This check ensures early
detection of incorrect configuration when rebasing derivative kernels.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
 debian/scripts/misc/final-checks | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/debian/scripts/misc/final-checks b/debian/scripts/misc/final-checks
index 9532716c7b..ab7c08a0f4 100755
--- a/debian/scripts/misc/final-checks
+++ b/debian/scripts/misc/final-checks
@@ -44,6 +44,18 @@ abi_check()
 	fi
 }
 
+if [ -d debian/certs ]; then
+    if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then
+        failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required"
+    fi
+fi
+
+if [ -d debian/revoked-certs ]; then
+    if ! grep -q '^CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"$' $debian/config/config.common.ubuntu; then
+        failure "'CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"' is required"
+    fi
+fi
+
 for arch in $archs
 do
 	image_pkg=$(awk -F '\\s*=\\s*' '$1 == "do_flavour_image_package" { print $2 }' $debian/rules.d/$arch.mk)
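
Review bot: In both failure calls the inner double quotes around the .pem path are not escaped, so they close and reopen the shell string and the printed message reads 'CONFIG_SYSTEM_TRUSTED_KEYS=debian/canonical-certs.pem' is required, which is not the line the grep demands. Escaping them (\"debian/canonical-certs.pem\", and the same for the revoked-certs message) makes the error show the exact config line to add. Two smaller points in the same block: the directory tests use the literal debian/certs and debian/revoked-certs while the config path uses $debian, so a one-line comment on why the two differ would help whoever rebases a derivative; and the grep only reads config.common.ubuntu and requires the option at the start of a line with nothing after the closing quote, so a value set in another config file or followed by trailing whitespace will be reported as missing. If that strictness is intended, say so in the commit message.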
-- 
2.30.2



