commit a0c4595a769c606de78d7e74da34f6acae63ce02
author Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> Wed Dec 11 16:55:57 2024 -0800
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Dec 11 16:55:57 2024 -0800
tree 3bd7bfde61d0077710005828c0acbc11feef0222
parent 940701c595df54a575c1e533fec842052593e865
parent 74b3ac900db1bfca57e45adca6047631444a6f2b

Merge "build/debian: Verify checksums and signature for kernel sources" into main

build/debian/build.sh

diff --git a/build/debian/build.sh b/build/debian/build.sh
index cc38dfd..9bb1481 100755
--- a/build/debian/build.sh
+++ b/build/debian/build.sh
@@ -238,15 +238,23 @@
 	local custom_flavour="avf"
 	local ksrc_base_url="https://deb.debian.org/debian/pool/main/l/linux"
 
+	local dsc_url="${ksrc_base_url}/linux_${debian_kver}.dsc"
 	local debian_ksrc_url="${ksrc_base_url}/linux_${debian_kver}.debian.tar.xz"
 	local orig_ksrc_url="${ksrc_base_url}/linux_${debian_kver%-*}.orig.tar.xz"
 
-	# 1. Grab original kernel source, merge debian patches etc.
-	mkdir -p "${workdir}/kernel/avf-${debian_arch}"
+	# 0. Grab the kernel sources, and the latest debian keyrings
+	mkdir -p "${workdir}/kernel"
 	pushd "${workdir}/kernel" > /dev/null
+	wget "$dsc_url"
 	wget "$orig_ksrc_url"
-	pushd "avf-${debian_arch}" > /dev/null
-	wget "${debian_ksrc_url}" -O - | tar xJ
+	wget "$debian_ksrc_url"
+	rsync -az --progress keyring.debian.org::keyrings/keyrings/ /usr/share/keyrings/
+
+	# 1. Verify, extract and merge patches into the original kernel sources
+	dpkg-source --require-strong-checksums \
+	            --require-valid-signature \
+	            --extract linux_${debian_kver}.dsc
+	pushd "linux-${debian_kver%-*}" > /dev/null
 	# TODO: Copy our own kernel patches to debian/patches
 	#       and add patch file names in the desired order to debian/patches/series
 	./debian/rules orig