build/debian: Verify checksums and signature for kernel sources
In this CL, we add some basic validation for the kernel sources,
before introducing our own patches, and finally building the kernel.
Specifically, we verify the source package checksums,
and that the source package contains a GPG signature
that can be verified using `debian-keyring`.
The build fails if either of these conditions is unmet.
Bug: 380176863
Test: ./build_in_container.sh -k
Test: ./build_in_container.sh -a aarch64 -k
Change-Id: I235ff507b03e368183fa44737db6ab34ec0a7ddc
diff --git a/build/debian/build.sh b/build/debian/build.sh
index cc38dfd..9bb1481 100755
--- a/build/debian/build.sh
+++ b/build/debian/build.sh
@@ -238,15 +238,23 @@
local custom_flavour="avf"
local ksrc_base_url="https://deb.debian.org/debian/pool/main/l/linux"
+ local dsc_url="${ksrc_base_url}/linux_${debian_kver}.dsc"
local debian_ksrc_url="${ksrc_base_url}/linux_${debian_kver}.debian.tar.xz"
local orig_ksrc_url="${ksrc_base_url}/linux_${debian_kver%-*}.orig.tar.xz"
- # 1. Grab original kernel source, merge debian patches etc.
- mkdir -p "${workdir}/kernel/avf-${debian_arch}"
+ # 0. Grab the kernel sources, and the latest debian keyrings
+ mkdir -p "${workdir}/kernel"
pushd "${workdir}/kernel" > /dev/null
+ wget "$dsc_url"
wget "$orig_ksrc_url"
- pushd "avf-${debian_arch}" > /dev/null
- wget "${debian_ksrc_url}" -O - | tar xJ
+ wget "$debian_ksrc_url"
+ rsync -az --progress keyring.debian.org::keyrings/keyrings/ /usr/share/keyrings/
+
+ # 1. Verify, extract and merge patches into the original kernel sources
+ dpkg-source --require-strong-checksums \
+ --require-valid-signature \
+ --extract linux_${debian_kver}.dsc
+ pushd "linux-${debian_kver%-*}" > /dev/null
# TODO: Copy our own kernel patches to debian/patches
# and add patch file names in the desired order to debian/patches/series
./debian/rules orig
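Review bot: The `--require-valid-signature` check on the dpkg-source call trusts a keyring that the preceding rsync line has just pulled from `keyring.debian.org::keyrings/keyrings/` over an unauthenticated transport into `/usr/share/keyrings/`, so the trust anchor has no better provenance than the `.dsc` it is meant to validate, and whoever can alter that transfer can also supply a key matching a tampered source package. If the build container already installs the `debian-keyring` package, that apt-verified keyring is a sounder anchor and the rsync line can be dropped; otherwise the fetched keyring should be pinned (known fingerprint or checksum) before dpkg-source consults it. The rsync also carries no explicit status check and quietly overwrites anything else living in `/usr/share/keyrings/`, so at minimum it should be `rsync -az keyring.debian.org::keyrings/keyrings/ /usr/share/keyrings/ || exit 1` (or the script's own error helper, if it has one). Minor style: the extract argument should be quoted like the neighbouring lines, `--extract "linux_${debian_kver}.dsc"`. The enclosing function begins before this hunk and continues after it.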