From 35602a868b282db3c5ea4a338675ebec24a8b38c Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sun, 24 Apr 2016 23:37:43 +0200
Subject: [PATCH] linux-source: Fix up module signing configuration in included
 kernel config files

Our signing certificate isn't included in the source tarball and would
be pointless to include in custom kernels.  Custom kernels also won't
have a separate signing stage.  So remove our settings for
CONFIG_MODULE_SIG_ALL, CONFIG_MODULE_SIG_KEY and
CONFIG_SYSTEM_TRUSTED_KEYS.  This should cause custom kernels based on
the included configs to follow the upstream default for signing, which
is to use a new key pair for each build.
---
 debian/changelog  | 2 ++
 debian/rules.real | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 85dbd83d7..6d57ed15e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -119,6 +119,8 @@ linux (4.5.2-1) UNRELEASED; urgency=medium
     SND_SOC_INTEL_SKL_RT286_MACH, SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH,
     SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH as modules
   * module: Invalidate signatures on force-loaded modules
+  * linux-source: Fix up module signing configuration in included kernel
+    config files
 
   [ Aurelien Jarno ]
   * [mips*] Emulate unaligned LDXC1 and SDXC1 instructions.
diff --git a/debian/rules.real b/debian/rules.real
index c9b44a230..b1b13b6f9 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -471,8 +471,10 @@ install-source: $(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).ta
 	dh_testroot
 	dh_installdirs /usr/src/linux-config-$(UPSTREAMVERSION)
 	dh_install '$^' /usr/src
+# Include our kernel config files, but with the module signing
+# configuration fixed to work for custom kernels.
 	for triplet in $(ALL_TRIPLETS); do \
-	  xz -c $(BUILD_DIR)/build_$$triplet/.config >debian/$(PACKAGE_NAME)/usr/src/linux-config-$(UPSTREAMVERSION)/config.$$triplet.xz; \
+	  sed '/CONFIG_\(MODULE_SIG_\(ALL\|KEY\)\|SYSTEM_TRUSTED_KEYS\)[ =]/d' $(BUILD_DIR)/build_$$triplet/.config | xz -c >debian/$(PACKAGE_NAME)/usr/src/linux-config-$(UPSTREAMVERSION)/config.$$triplet.xz; \
 	done
 # We don't want to recompress, but -Znone is not compatible with older
 # tools and is currently rejected by dak.  -Zgzip -z0 (uncompressed