From 6d94a9d51b10597ddd6825567d185d498f696c9f Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Date: Wed, 13 Oct 2021 18:20:00 +0200
Subject: [PATCH] UBUNTU: [Packaging] Add system trusted and revocation keys
 final check

BugLink: https://bugs.launchpad.net/bugs/1947174

If certificates are packaged, the config keys to use them must be
enabled otherwise boot testing will fail. This check ensures early
detection of incorrect configuration when rebasing derivative kernels.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 debian/scripts/misc/final-checks | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/debian/scripts/misc/final-checks b/debian/scripts/misc/final-checks
index 9532716c7ba1..ab7c08a0f457 100755
--- a/debian/scripts/misc/final-checks
+++ b/debian/scripts/misc/final-checks
@@ -44,6 +44,18 @@ abi_check()
 	fi
 }
 
+if [ -d debian/certs ]; then
+    if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then
+        failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required"
+    fi
+fi
+
+if [ -d debian/revoked-certs ]; then
+    if ! grep -q '^CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"$' $debian/config/config.common.ubuntu; then
+        failure "'CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"' is required"
+    fi
+fi
+
 for arch in $archs
 do
 	image_pkg=$(awk -F '\\s*=\\s*' '$1 == "do_flavour_image_package" { print $2 }' $debian/rules.d/$arch.mk)
-- 
2.39.5