<div dir="auto">Acked-by: Sultan Alsawaf <<a href="mailto:sultan.alsawaf@canonical.com">sultan.alsawaf@canonical.com</a>></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 29, 2019, 12:25 PM Seth Forshee <<a href="mailto:seth.forshee@canonical.com">seth.forshee@canonical.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">BugLink: <a href="https://bugs.launchpad.net/bugs/1850234" rel="noreferrer noreferrer" target="_blank">https://bugs.launchpad.net/bugs/1850234</a><br>
<br>
When adding .gnu_debuglink sections to modules we sign modules<br>
without regard to whether or not they were signed previously. As<br>
a result modules from staging which should not have been signed<br>
are ending up with signature. Change this to check for a module<br>
signature before modifying the binary, then sign the result only<br>
if the original module was signed.<br>
<br>
Signed-off-by: Seth Forshee <<a href="mailto:seth.forshee@canonical.com" target="_blank" rel="noreferrer">seth.forshee@canonical.com</a>><br>
---<br>
 debian/rules.d/<a href="http://2-binary-arch.mk" rel="noreferrer noreferrer" target="_blank">2-binary-arch.mk</a> | 4 +++-<br>
 1 file changed, 3 insertions(+), 1 deletion(-)<br>
<br>
diff --git a/debian/rules.d/<a href="http://2-binary-arch.mk" rel="noreferrer noreferrer" target="_blank">2-binary-arch.mk</a> b/debian/rules.d/<a href="http://2-binary-arch.mk" rel="noreferrer noreferrer" target="_blank">2-binary-arch.mk</a><br>
index 82e4d80e469f..050f867060cb 100644<br>
--- a/debian/rules.d/<a href="http://2-binary-arch.mk" rel="noreferrer noreferrer" target="_blank">2-binary-arch.mk</a><br>
+++ b/debian/rules.d/<a href="http://2-binary-arch.mk" rel="noreferrer noreferrer" target="_blank">2-binary-arch.mk</a><br>
@@ -413,10 +413,12 @@ ifneq ($(skipdbg),true)<br>
          -name '*.ko' | while read path_module ; do \<br>
                module="/lib/modules/$${path_module#*/lib/modules/}"; \<br>
                if [[ -f "$(dbgpkgdir)/usr/lib/debug/$$module" ]] ; then \<br>
+                       signer=$$(/sbin/modinfo -F signer "$$path_module"); \<br>
                        $(CROSS_COMPILE)objcopy \<br>
                                --add-gnu-debuglink=$(dbgpkgdir)/usr/lib/debug/$$module \<br>
                                $$path_module; \<br>
-                       if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config; then \<br>
+                       if grep -q CONFIG_MODULE_SIG=y $(builddir)/build-$*/.config && \<br>
+                          [ -n "$$signer" ]; then \<br>
                                $(builddir)/build-$*/scripts/sign-file $(MODHASHALGO) \<br>
                                        $(MODSECKEY) \<br>
                                        $(MODPUBKEY) \<br>
-- <br>
2.20.1<br>
<br>
<br>
-- <br>
kernel-team mailing list<br>
<a href="mailto:kernel-team@lists.ubuntu.com" target="_blank" rel="noreferrer">kernel-team@lists.ubuntu.com</a><br>
<a href="https://lists.ubuntu.com/mailman/listinfo/kernel-team" rel="noreferrer noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/kernel-team</a><br>
</blockquote></div>