From 9b0c1771bb40c6c2bed23de59900c61e0ced71b7 Mon Sep 17 00:00:00 2001
From: Juerg Haefliger
Date: Fri, 29 Jul 2022 10:49:19 +0200
Subject: [PATCH] UBUNTU: [Packaging] module-signature-check: Check debian./signature-inclusion
Derivatives might contain additional signed staging drivers so ensure that that list is processed as well when checking module signatures.
Signed-off-by: Juerg Haefliger
Signed-off-by: Andrea Righi
---
 debian/rules.d/4-checks.mk | 3 +--
 debian/scripts/module-signature-check | 23 ++++++++++++++++-------
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/debian/rules.d/4-checks.mk b/debian/rules.d/4-checks.mk
index ecc6b82aeab5..1d44bf9f02a0 100644
--- a/debian/rules.d/4-checks.mk
+++ b/debian/rules.d/4-checks.mk
@@ -15,8 +15,7 @@ module-signature-check-%: $(stampdir)/stamp-install-%
 @echo Debug: $@
 $(DROOT)/scripts/module-signature-check "$*" \
 "$(DROOT)/$(mods_pkg_name)-$*" \
- "$(DROOT)/$(mods_extra_pkg_name)-$*" \
- "$(DROOT)/signature-inclusion"
+ "$(DROOT)/$(mods_extra_pkg_name)-$*"
 # Check the reptoline jmp/call functions against the last release.
 retpoline-check-%: $(stampdir)/stamp-install-%
diff --git a/debian/scripts/module-signature-check b/debian/scripts/module-signature-check
index f28f4a89c913..80796b63e1be 100755
--- a/debian/scripts/module-signature-check
+++ b/debian/scripts/module-signature-check
@@ -3,17 +3,26 @@
 flavor="${1}"
 mods_dir="${2}"
 mods_extra_dir="${3}"
-sig_inc="${4}"
 echo "II: Checking signature of staging modules for ${flavor}..."
-if [ -f "${sig_inc}" ] ; then
- echo "II: Use signature inclusion file:"
- echo " ${sig_inc}"
+root=$(dirname "$(realpath -e "${0}")")/../..
+. "${root}"/debian/debian.env
+
+# Collect the signature-inclusion files
+sig_incs=()
+for d in debian "${DEBIAN}" ; do
+ if [ -f "${root}"/"${d}"/signature-inclusion ] ; then
+ sig_incs+=("${root}"/"${d}"/signature-inclusion)
+ fi
+done
+
+if [ "${#sig_incs[@]}" -gt 0 ] ; then
+ echo "II: Use signature inclusion file(s):"
+ printf " %s\n" "${sig_incs[@]}"
 sig_all=0
 else
- echo "WW: Signature inclusion file missing:"
- echo " ${sig_inc}"
+ echo "WW: Signature inclusion file(s) missing"
 echo "II: All modules must be signed"
 sig_all=1
 fi
@@ -43,7 +52,7 @@ while IFS= read -r mod ; do
 fi
 must=0
- if [ ${sig_all} -eq 1 ] || grep -qFx "${mod##*/}" "${sig_inc}" ; then
+ if [ ${sig_all} -eq 1 ] || grep -qFx "${mod##*/}" "${sig_incs[@]}" ; then
 # Module must be signed
 must=1
 fi
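Review bot: Nothing checks that `debian.env` was actually sourced or that it set `DEBIAN` before the `for d in debian "${DEBIAN}"` loop runs. If the variable is empty, the second path collapses to `${root}//signature-inclusion`, the `-f` test fails quietly, and the check proceeds with only `debian/signature-inclusion`, so the derivative list this commit is meant to add is silently ignored. Failing early would make that visible, for example `: "${DEBIAN:?DEBIAN not set by debian.env}"` directly after the `.` line. The new code also relies on bash arrays (`sig_incs=()`, `+=`), so the script's shebang, which is outside this hunk, needs to be bash rather than sh.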
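Review bot: In the changed `if` of the second hunk, a grep failure is indistinguishable from "not listed": exit status 2 (for example a file in `sig_incs` that cannot be read) leaves `must=0` exactly as status 1 does. Since this test decides whether a module is required to be signed, a readability test where `sig_incs` is built (`[ -r ... ]` alongside `-f`) would keep a broken inclusion file from changing the verdict unnoticed. Passing the name as `-e "${mod##*/}"` would also keep a module name from ever being parsed as a grep option. The enclosing `while` loop starts and ends outside this hunk, so how `must` is used afterwards is not visible here.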