[unstable/kinetic][PATCH 1/3] UBUNTU: [Packaging] module-signature-check: Check debian.<foo>/signature-inclusion
Juerg Haefliger
juerg.haefliger at canonical.com
Fri Jul 29 08:49:19 UTC 2022
Derivatives might contain additional signed staging drivers so ensure that
that list is processed as well when checking module signatures.
Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
---
debian/rules.d/4-checks.mk | 3 +--
debian/scripts/module-signature-check | 23 ++++++++++++++++-------
2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/debian/rules.d/4-checks.mk b/debian/rules.d/4-checks.mk
index ecc6b82aeab5..1d44bf9f02a0 100644
--- a/debian/rules.d/4-checks.mk
+++ b/debian/rules.d/4-checks.mk
@@ -15,8 +15,7 @@ module-signature-check-%: $(stampdir)/stamp-install-%
@echo Debug: $@
$(DROOT)/scripts/module-signature-check "$*" \
"$(DROOT)/$(mods_pkg_name)-$*" \
- "$(DROOT)/$(mods_extra_pkg_name)-$*" \
- "$(DROOT)/signature-inclusion"
+ "$(DROOT)/$(mods_extra_pkg_name)-$*"
# Check the reptoline jmp/call functions against the last release.
retpoline-check-%: $(stampdir)/stamp-install-%
diff --git a/debian/scripts/module-signature-check b/debian/scripts/module-signature-check
index f28f4a89c913..80796b63e1be 100755
--- a/debian/scripts/module-signature-check
+++ b/debian/scripts/module-signature-check
@@ -3,17 +3,26 @@
flavor="${1}"
mods_dir="${2}"
mods_extra_dir="${3}"
-sig_inc="${4}"
echo "II: Checking signature of staging modules for ${flavor}..."
-if [ -f "${sig_inc}" ] ; then
- echo "II: Use signature inclusion file:"
- echo " ${sig_inc}"
+root=$(dirname "$(realpath -e "${0}")")/../..
+. "${root}"/debian/debian.env
+
+# Collect the signature-inclusion files
+sig_incs=()
+for d in debian "${DEBIAN}" ; do
+ if [ -f "${root}"/"${d}"/signature-inclusion ] ; then
+ sig_incs+=("${root}"/"${d}"/signature-inclusion)
+ fi
+done
+
+if [ "${#sig_incs[@]}" -gt 0 ] ; then
+ echo "II: Use signature inclusion file(s):"
+ printf " %s\n" "${sig_incs[@]}"
sig_all=0
else
- echo "WW: Signature inclusion file missing:"
- echo " ${sig_inc}"
+ echo "WW: Signature inclusion file(s) missing"
echo "II: All modules must be signed"
sig_all=1
fi
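Review bot: `${DEBIAN}` is used in the `for d in debian "${DEBIAN}"` loop straight after sourcing `debian.env`, with no check that the file actually set it. If it is empty, the loop tests `${root}//signature-inclusion`, finds nothing, and the derivative list is dropped without a message; the check then runs against the common list alone, or falls back to "all modules must be signed". Because these lists decide which staging modules are expected to carry a signature, the script should fail loudly instead: add `: "${DEBIAN:?not set by debian.env}"` after the `.` line. The shebang and any `set` options are outside the hunk, so note that the new array syntax needs bash, and that `set -u` alone would catch only the unset case, not the empty one.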
@@ -43,7 +52,7 @@ while IFS= read -r mod ; do
fi
must=0
- if [ ${sig_all} -eq 1 ] || grep -qFx "${mod##*/}" "${sig_inc}" ; then
+ if [ ${sig_all} -eq 1 ] || grep -qFx "${mod##*/}" "${sig_incs[@]}" ; then
# Module must be signed
must=1
fi
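Review bot: The `grep` call relies on `sig_incs` never being empty when `sig_all` is 0, which holds only because of the `-gt 0` test earlier in the script. With no file operands grep reads standard input, which inside this `while IFS= read -r mod` loop is presumably the module list itself (the loop's redirect is outside the hunk), so entries would be consumed and those modules never checked. I would record the invariant next to the call, e.g. `# sig_incs is non-empty whenever sig_all is 0, so grep never falls back to stdin`. I would also add `--` before the pattern: `grep -qFx -- "${mod##*/}" "${sig_incs[@]}"`.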
--
2.34.1