UBUNTU: [Packaging] build canonical-certs.pem from branch/arch certs

Merge common, branch-specific, and arch-specific certs and form
a certs database for inclusion in the kernel keyring.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 8704be52a9a30d7959dafd947a92146d0afb980f..9c7f854aa756b3b0cebb41cf7d1b33eb8bd48cea 100644 (file)
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -358,7 +358,7 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING                 mark<ENFORCED>
 
 # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys
 CONFIG_SYSTEM_TRUSTED_KEYRING                   policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_SYSTEM_TRUSTED_KEYS                      policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}>
+CONFIG_SYSTEM_TRUSTED_KEYS                      policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE            policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}>
 CONFIG_SECONDARY_TRUSTED_KEYRING                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>

diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 34053d71afba2847a7f9eeea154d23b864fa0c2b..f1b7fcbaf7a27226ca987b0ac1adc30a776e8c4b 100644 (file)
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -10521,7 +10521,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
 CONFIG_SYSVIPC=y
 CONFIG_SYSVIPC_COMPAT=y
 CONFIG_SYSVIPC_SYSCTL=y

diff --git a/debian/rules b/debian/rules
index 4f64f55b8d8fc30a08559d0abb6ae67b810b0245..33558795e30a59757b09a0f16c80ddee599a9bb5 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -127,7 +127,7 @@ binary: binary-indep binary-arch
 
 build: build-arch build-indep
 
-clean: debian/control
+clean: debian/control debian/canonical-certs.pem
        dh_testdir
        dh_testroot
        dh_clean
@@ -225,3 +225,15 @@ debian/control: $(DEBIAN)/control.stub
        LANG=C kernel-wedge gen-control $(release)-$(abinum) | \
                perl -f $(DROOT)/scripts/misc/kernel-wedge-arch.pl $(arch) \
                >>$(CURDIR)/debian/control
+
+debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DROOT)/certs/*-$(arch).pem) $(wildcard $(DEBIAN)/certs/*-all.pem) $(wildcard $(DEBIAN)/certs/*-$(arch).pem)
+       for cert in $(sort $(notdir $^));                                       \
+       do                                                                      \
+               for dir in $(DEBIAN) $(DROOT);                                  \
+               do                                                              \
+                       if [ -f "$$dir/certs/$$cert" ]; then                    \
+                               cat "$$dir/certs/$$cert";                       \
+                               break;                                          \
+                       fi;                                                     \
+               done;                                                           \
+       done >"$@"