UBUNTU: [Packaging] Introduce debian/scripts/sign-module

Move the logic that determines if a module needs to be signed to a script and extend it to also check the signature-inclusion list of derivatives. Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
2022-07-29 10:49:20 +02:00
parent 9b0c1771bb
commit fd1e5c6c54
1 changed files with 40 additions and 0 deletions
@@ -0,0 +1,40 @@
+#!/bin/bash -eu
+#
+# Staging drivers must not be signed if they are not listed in a
+# signature-inclusion file to prevent loading of 'unsafe' drivers in a
+# Secure Boot environment.
+#
+# Exit with status 0 if the provided module needs to be signed, 1 otherwise
+#
+
+mod=${1}
+
+# Sign the module if not a staging driver
+if [ "${mod/\/drivers\/staging\//}" = "${mod}" ] ; then
+	exit 0
+fi
+
+root=$(dirname "$(realpath -e "${0}")")/../..
+. "${root}"/debian/debian.env
+
+# Collect the signature-inclusion files
+sig_incls=()
+for d in debian "${DEBIAN}" ; do
+	if [ -f "${root}"/"${d}"/signature-inclusion ] ; then
+		sig_incls+=("${root}"/"${d}"/signature-inclusion)
+	fi
+done
+
+# Sign the module if no signature-inclusion files
+if [ ${#sig_incls[@]} -eq 0 ] ; then
+	exit 0
+fi
+
+# Sign the module if listed in signature-inclusion files
+if grep -qFx "${mod##*/}" "${sig_incls[@]}" ; then
+	exit 0
+fi
+
+# Don't sign the module
+echo "UBUNTU: Not signing ${1}"
+exit 1