UBUNTU: [Packaging] build canonical-certs.pem from branch/arch certs

Merge common, branch-specific, and arch-specific certs and form a certs database for inclusion in the kernel keyring. BugLink: https://bugs.launchpad.net/bugs/1898716 Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
mariux64 · Feb 26, 2021 · 8c29a6f · 8c29a6f
1 parent bca769b
commit 8c29a6f
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
@@ -358,7 +358,7 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING                 mark<ENFORCED>
 
 # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys
 CONFIG_SYSTEM_TRUSTED_KEYRING                   policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_SYSTEM_TRUSTED_KEYS                      policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}>
+CONFIG_SYSTEM_TRUSTED_KEYS                      policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE            policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}>
 CONFIG_SECONDARY_TRUSTED_KEYRING                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>

diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
@@ -10403,7 +10403,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
 CONFIG_SYSVIPC=y
 CONFIG_SYSVIPC_COMPAT=y
 CONFIG_SYSVIPC_SYSCTL=y

diff --git a/debian/rules b/debian/rules
@@ -129,7 +129,7 @@ binary: binary-indep binary-arch
 
 build: build-arch build-indep
 
-clean: debian/control
+clean: debian/control debian/canonical-certs.pem
 	dh_testdir
 	dh_testroot
 	dh_clean
@@ -227,3 +227,15 @@ debian/control: $(DEBIAN)/control.stub
 	LANG=C kernel-wedge gen-control $(release)-$(abinum) | \
 		perl -f $(DROOT)/scripts/misc/kernel-wedge-arch.pl $(arch) \
 		>>$(CURDIR)/debian/control
+
+debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/certs/*-all.pem) $(wildcard $(DEBIAN)/certs/*-$(arch).pem)
+	for cert in $(sort $(notdir $^));					\
+	do									\
+		for dir in $(DEBIAN) $(DROOT);					\
+		do								\
+			if [ -f "$$dir/certs/$$cert" ]; then			\
+				cat "$$dir/certs/$$cert";			\
+				break;						\
+			fi;							\
+		done;								\
+	done >"$@"