UBUNTU: [Packaging] Add system trusted and revocation keys final check

BugLink: https://bugs.launchpad.net/bugs/1947174
If certificates are packaged, the config keys to use them must be
enabled otherwise boot testing will fail. This check ensures early
detection of incorrect configuration when rebasing derivative kernels.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

diff --git a/debian/scripts/misc/final-checks b/debian/scripts/misc/final-checks
index 9532716c7ba1441666472ff95593e408abf5aa1a..ab7c08a0f4572758923d40a1e1298d747ab82637 100755 (executable)
--- a/debian/scripts/misc/final-checks
+++ b/debian/scripts/misc/final-checks
@@ -44,6 +44,18 @@ abi_check()
        fi
 }
 
+if [ -d debian/certs ]; then
+    if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then
+        failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required"
+    fi
+fi
+
+if [ -d debian/revoked-certs ]; then
+    if ! grep -q '^CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"$' $debian/config/config.common.ubuntu; then
+        failure "'CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"' is required"
+    fi
+fi
+
 for arch in $archs
 do
        image_pkg=$(awk -F '\\s*=\\s*' '$1 == "do_flavour_image_package" { print $2 }' $debian/rules.d/$arch.mk)