
[Deepin-Kernel-SIG] [linux 6.18.y] [Deepin] scripts: package: adapt to UOS/deepin Secure Boot signing routine#1525

Open
opsiff wants to merge 2 commits into deepin-community:linux-6.18.y from opsiff:linux-6.18.y-2026-03-04-secure-boot-sign

Conversation

@opsiff opsiff commented Mar 4, 2026

openssl x509 -in scripts/package/UEFI-CA-CERT-2024/UOS-UEFI-RSA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:ea:37:6e:14:46:72:36:a9:db:a5:25:2d:52:72:76:5d:20:37
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, O = Uniontech, OU = Uniontech Certification Authority, CN = Uniontech UEFI CA
Validity
Not Before: Jan 16 03:11:23 2024 GMT
Not After : Jan 16 00:00:00 2054 GMT
Subject: C = CN, O = Uniontech, OU = Uniontech OS, CN = Uniontech UEFI Bootloader Publisher 2024
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:f7:a6:b6:80:d3:4c:64:4f:c6:28:b5:90:8d:f4:
f6:b9:27:78:d1:25:90:0a:9f:db:e1:53:c4:2a:2d:
f9:91:90:21:50:25:cf:45:65:9e:8a:84:f8:86:f0:
6b:0f:f4:e7:c7:8d:f3:ef:5e:ad:0e:48:b4:be:29:
f0:c8:24:86:fa:ca:18:b3:06:1c:1f:23:68:64:5b:
16:79:9e:1c:a0:bc:1f:fb:63:c0:4d:91:55:9b:c3:
f0:ab:7c:14:65:ad:af:19:08:46:85:61:58:d8:d3:
d1:e7:61:1d:c3:6f:0b:d3:1a:6d:4e:b9:7e:d4:9f:
52:fe:b1:54:b6:86:c6:ca:0b:e7:6f:ff:60:1a:79:
2c:0b:a7:da:9d:9d:76:2a:2f:65:53:47:5b:6e:73:
74:51:d4:9c:30:ce:40:b8:50:45:54:c7:1d:30:77:
cc:38:7d:b2:35:d8:5d:ce:aa:a9:e5:98:07:a4:7c:
8b:c6:7d:16:af:e9:e5:90:71:54:20:2c:0d:4c:67:
f0:da:0f:22:f7:93:45:c1:52:66:70:ed:0f:6b:da:
21:9c:75:3f:9c:c9:ca:82:6e:d9:c2:d9:01:9e:91:
61:cb:b3:25:78:5d:a5:dc:59:88:1b:85:05:c6:e5:
79:3a:3a:68:5b:eb:0f:12:74:ee:57:1b:50:3e:cc:
fc:4d:b0:8f:a8:41:8e:c2:d0:da:47:17:97:a4:b0:
93:13:ee:13:cb:e2:6a:41:08:52:b4:93:d1:f0:52:
49:b7:86:e8:bf:04:15:2e:58:66:1c:84:da:bd:6c:
e7:f9:b8:4f:91:e4:71:57:61:cf:27:1c:9f:fb:01:
7b:d3:e4:86:b3:1e:32:03:31:f1:49:88:29:d3:e4:
fb:de:ca:3e:e7:e2:c7:41:92:88:56:a6:20:77:2b:
ef:28:1c:f3:c7:ed:9f:f3:01:05:f6:ba:a0:f8:a4:
b2:30:0f:39:99:e1:38:88:c9:62:4e:61:49:fa:e0:
7e:25:c2:7b:c2:c6:47:74:14:8e:ec:ae:b0:fa:69:
43:75:82:c6:2e:14:72:f1:dc:af:2b:0e:38:0b:ae:
ab:c0:2b:fd:98:85:e9:70:d1:df:19:f2:01:ee:8b:
22:eb:c8:1e:5f:a9:0b:d1:31:97:1a:0a:81:c7:9b:
53:27:33:cb:57:72:e4:50:9a:da:14:e7:96:d0:a1:
55:98:24:a6:f1:35:77:d9:82:60:30:d2:9b:ef:17:
da:b7:e2:5f:b4:f4:fa:83:45:00:8b:c9:83:e7:fc:
a8:f6:86:a0:49:ed:87:3c:8e:2e:26:c9:96:ea:6f:
af:92:ac:65:18:10:62:75:4e:48:3d:69:7c:75:e8:
04:83:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
2D:D8:CD:70:0A:34:9E:1B:2B:52:4F:87:D3:B1:24:D1:C7:B9:6B:0D
X509v3 Authority Key Identifier:
keyid:D0:5D:4C:E6:4E:1B:9D:C0:C5:85:7B:C0:17:C6:51:0C:7B:5C:CB:17

        X509v3 Certificate Policies: 
            Policy: 1.2.156.115230.9.8.7.1
              CPS: http://www.uosca.cn/policy/
            Policy: 1.2.156.115230.9.8.7.1
              CPS: https://pki.uniontech.com/ca/cps

Signature Algorithm: sha256WithRSAEncryption
     a6:92:2c:4d:88:b4:15:db:01:06:6f:89:e7:3f:1b:55:66:bc:
     30:64:01:0c:7b:f4:55:74:48:fe:7c:25:eb:34:c2:c3:83:b7:
     bf:97:a3:fa:d8:c5:56:4a:06:20:18:05:0f:77:10:88:56:d9:
     18:5f:ca:f0:5d:5d:11:fc:0f:bd:e3:8a:35:61:44:86:5b:65:
     5a:52:ef:64:41:6b:9d:64:73:0e:6e:31:5f:f5:4c:23:72:69:
     c3:4a:0f:0c:2d:3c:2d:57:b3:63:be:26:76:5e:c2:4b:a7:0d:
     6f:4a:7a:13:99:3b:e1:07:a6:94:b4:a4:a1:97:de:f9:3b:5c:
     58:4d:c2:d0:f8:52:9c:96:b3:38:68:30:98:e0:61:2d:f9:fa:
     03:90:10:cf:c3:47:8e:b8:ef:12:cb:5a:1d:cc:2c:d2:a6:f9:
     97:e4:2d:69:7a:41:de:3d:5c:cc:d4:cb:4c:c3:0b:e4:7a:ef:
     5a:b9:a8:8b:4e:ff:c4:fa:55:ea:93:8d:fb:19:9e:dc:0d:0f:
     ed:e7:90:55:ac:01:35:05:e4:26:ac:0d:e4:1b:c2:7b:e5:b0:
     00:8f:5a:d3:13:9f:de:00:e2:d9:48:7a:31:f9:13:27:bb:61:
     1e:b0:5a:8f:a3:f5:f8:97:f4:6e:c7:a9:d2:e2:d5:0e:39:d4:
     df:09:50:52:f1:f9:4f:3c:e0:cc:fb:03:53:20:b8:87:6d:5b:
     b7:80:d3:20:c6:52:39:3a:50:43:0b:36:67:77:8a:84:ec:6b:
     de:b1:7e:13:36:07:59:e5:93:db:ba:21:4f:43:a7:56:0a:ba:
     04:75:05:9a:93:52:9d:36:2e:3e:83:02:47:7d:16:94:14:21:
     a9:44:39:08:86:e3:eb:07:4f:51:23:4a:d3:de:d4:e9:ce:9c:
     09:da:29:11:e9:75:ed:cf:ee:0b:f3:8d:1a:54:1a:99:85:17:
     ad:93:0a:42:66:20:4f:64:c3:ee:96:0c:ee:01:35:5b:3f:8a:
     76:6a:09:19:bf:a1:19:b5:fa:fd:5f:c2:39:cb:85:40:b5:a5:
     b1:ea:38:70:e6:99:bf:f8:7d:b3:f6:1b:54:81:66:64:96:7a:
     dd:27:05:0d:55:d7:79:6f:77:00:ca:57:85:0e:89:75:d8:18:
     40:d9:e7:a2:5b:a0:df:1f:06:13:79:b4:e7:27:c7:69:c0:25:
     42:71:15:2b:72:84:b9:23:ff:c9:af:9f:bc:d6:45:8f:b3:9d:
     47:54:aa:ca:d9:9a:ed:ed:af:4e:97:c2:f5:ba:77:38:e9:a2:
     fa:e5:32:5e:d3:5d:4a:19:53:47:1e:64:cb:33:e5:84:cf:57:
     21:34:10:dd:1f:a5:01:f8

openssl x509 -in scripts/package/UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0c:56:87:95:2b:8f:7e:68:ce:f7:d3:f9:b6:e5:57:50:54:d8:fb:a4
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Hubei, L = Wuhan, O = "Wuhan Deepin Technology Co., Ltd.", OU = Secure Boot Maintenance Department., CN = Deepin Secure Boot CA
Validity
Not Before: Jun 10 12:42:56 2020 GMT
Not After : Jun 3 12:42:56 2050 GMT
Subject: C = CN, ST = Hubei, L = Wuhan, O = "Wuhan Deepin Technology Co., Ltd.", OU = Secure Boot Maintenance Department., CN = Deepin Secure Boot CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:b6:c1:fd:20:83:ce:c0:03:8c:2c:d0:e9:d4:5c:
f0:09:e1:4b:d4:e1:ee:a3:5b:2d:dd:dc:b6:7d:63:
73:f7:0d:76:d8:5b:6e:02:ac:36:5a:6b:a8:22:ca:
65:0c:3a:e1:25:e7:19:42:0e:3f:6a:c0:71:ba:7c:
0b:e3:45:78:a6:12:e4:46:10:2e:48:af:a9:e2:00:
01:55:d2:ae:2b:03:5d:07:a6:e8:a0:51:0a:5c:fc:
f7:de:f1:25:72:0b:4f:c5:d9:9c:58:fc:73:8a:2c:
8f:fa:4d:5a:3e:08:a0:71:8f:50:15:1a:e8:90:e8:
48:9a:4c:5e:ad:ae:aa:10:6a:f6:a7:44:8b:56:aa:
38:f5:be:d2:ac:67:f9:1b:a6:f0:10:69:6b:df:36:
ac:ca:8c:51:7d:a7:65:33:7e:8c:a6:ef:20:b4:73:
57:97:4c:4b:d1:21:58:39:de:c8:4e:1d:64:bc:fc:
be:75:5b:fe:a1:c9:2f:12:8f:e5:f8:cf:ab:70:68:
39:98:df:cd:a5:8c:7c:e2:02:6b:65:f6:aa:51:29:
4c:3a:13:69:e6:6e:70:16:59:26:a9:2a:d6:f8:25:
ae:9b:2c:c6:a4:8d:0c:a7:9a:13:31:9c:4c:e9:ce:
4c:2d:a9:4a:dd:e9:c0:c4:f7:b4:2b:31:17:18:98:
57:f6:36:16:56:ef:fd:41:8f:e4:71:3d:4b:de:06:
db:ee:97:65:31:0f:d6:db:b5:80:f3:fd:65:2d:2f:
16:11:db:c2:21:d7:61:6a:75:8b:f2:67:79:20:6e:
8e:fd:e7:f3:46:38:be:be:55:fe:d2:e6:d8:83:1e:
29:98:17:aa:e2:f8:a3:64:f5:28:d2:39:62:07:9c:
f0:89:29:20:08:60:d8:d2:21:ea:38:0e:58:74:21:
24:47:4c:8c:f0:f7:d6:3b:27:5c:d5:1d:d1:e6:69:
78:b2:67:0c:8f:6a:11:91:55:0b:76:20:57:a7:c3:
db:06:88:bc:aa:26:9b:4c:69:c5:2d:84:f8:c3:52:
51:e9:6f:10:d7:36:e1:0a:34:91:31:9a:63:96:62:
6e:54:51:28:53:8d:d9:2a:3d:82:4c:93:c7:16:c2:
c2:1b:cf:b2:ce:77:bf:2a:be:af:5c:29:66:ad:10:
37:2d:74:16:4a:38:cf:38:68:1b:b5:9d:c2:05:c9:
df:80:2b:8e:8c:c2:88:e5:74:90:ae:e0:28:d7:08:
70:47:73:2d:95:6b:a5:06:94:39:0d:d3:d8:00:83:
9b:09:60:9d:e6:73:c4:26:57:7a:1b:5b:ee:50:b5:
f7:69:5c:1d:d2:b3:45:13:cb:27:13:f1:28:26:f0:
bb:c8:5b
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:https://www.deepin.com/crt/secure-boot-ca

        Netscape Cert Type: 
            SSL Client, SSL Server, S/MIME, Object Signing, SSL CA, S/MIME CA, Object Signing CA
        X509v3 Extended Key Usage: 
            Code Signing
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier: 
            46:84:59:49:14:E0:59:AE:E3:27:90:69:57:48:A1:85:C6:7D:81:A0
        X509v3 Authority Key Identifier: 
            keyid:46:84:59:49:14:E0:59:AE:E3:27:90:69:57:48:A1:85:C6:7D:81:A0

Signature Algorithm: sha256WithRSAEncryption
     8c:8d:ff:96:de:cb:43:b8:a9:df:a9:31:b4:1e:18:0e:52:94:
     e7:8c:5d:cf:0c:78:dc:09:75:64:5a:89:d9:73:76:07:e2:09:
     e4:ad:00:07:c1:be:14:0c:c8:fd:ff:fc:8e:7b:e8:4a:b1:49:
     a8:a5:a5:ce:4f:5a:7f:51:46:d0:99:cf:c2:76:9e:c8:5d:01:
     b1:80:f9:31:c8:4c:60:f6:d3:46:03:bd:2e:57:e4:b8:c5:ed:
     ab:a3:da:93:36:37:f2:d3:08:0c:5a:d2:ce:f9:69:9d:55:3e:
     ce:06:c7:80:7f:97:bc:dd:85:38:b8:1d:a5:1f:f7:72:1a:87:
     72:8a:75:79:f2:7f:d0:8d:d4:ad:0d:92:2e:24:22:cb:a8:ac:
     68:d7:af:0d:4d:8f:9d:ca:f6:dc:5b:3f:cd:37:ab:c0:66:3b:
     31:e9:1f:d4:86:ab:21:fd:f0:b3:87:2f:86:ec:0c:bb:a8:90:
     fc:b3:6d:de:18:2c:b4:5b:a1:9b:ec:74:39:fb:18:02:84:03:
     d6:26:b7:e8:55:73:71:3c:bd:80:64:fe:01:ed:27:43:df:e2:
     db:a2:75:c1:e5:4e:4e:87:d3:c6:65:e4:c8:04:46:1e:62:9a:
     bd:60:47:06:d8:68:7e:fa:18:92:00:90:e4:2c:fd:0f:22:68:
     79:96:4e:c9:45:ee:83:86:b6:d0:fb:23:53:57:98:5c:9e:c5:
     75:62:ca:06:c1:fa:9e:de:7a:ab:a5:ed:de:e4:fc:0f:ae:d6:
     8e:3b:96:7a:17:d3:b8:56:2a:f8:9e:7a:ef:e7:0a:19:8c:f9:
     12:3e:04:54:05:b5:80:8e:89:5e:5a:d4:3c:42:c5:5f:a3:ba:
     dc:80:12:67:a3:8e:1c:ec:06:cb:80:8d:a3:1f:b3:a0:94:8d:
     a1:94:31:2d:7e:58:a9:27:51:8b:d9:aa:90:94:77:e0:9c:91:
     74:f3:01:16:fd:f9:ec:6e:68:0b:eb:b5:0b:94:f7:53:f4:a0:
     4d:ac:ff:ca:07:29:d0:d2:10:e9:c4:55:9f:b8:01:eb:50:22:
     33:9c:da:54:91:d6:a3:85:a8:2f:f8:1c:38:93:1a:db:57:ec:
     29:8f:1b:62:75:9b:09:1a:43:ab:dd:6d:e7:37:c1:46:ec:dc:
     83:34:fa:7d:3d:65:bb:ef:70:3d:27:4a:27:d2:65:d9:62:4a:
     73:c1:0b:75:18:6e:62:17:2c:46:84:4c:dc:c9:ac:13:79:6c:
     ba:6c:a3:68:0e:27:71:2f:2b:c1:03:f6:a2:e4:65:65:bd:a0:
     7b:a4:66:ee:ca:94:f1:11:46:dd:3a:9a:11:17:c8:fb:c3:09:
     40:3a:ec:53:f1:41:a2:11

openssl x509 -in scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4a:82:d0:78:5b:33:a4:9c:79:51:c5:60:7d:a5:94:ef
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, O = UOS, CN = UOS APP Signing CA
Validity
Not Before: Jan 8 11:23:11 2020 GMT
Not After : Jan 8 11:23:11 2023 GMT
Subject: C = CN, O = 统信软件技术有限公司 (Uniontech Software Technology Co., Ltd.), CN = 统信软件技术有限公司
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b9:a8:a7:d2:1b:6b:c2:f6:fc:c7:0e:d1:a8:5e:
25:17:f2:fe:c8:8a:1b:39:5a:3d:35:62:fb:2f:36:
5d:be:f0:58:05:6a:73:49:54:97:2d:93:57:38:b2:
93:66:15:97:36:44:e9:1f:54:89:ca:1a:0b:d9:d5:
57:83:e7:a1:d6:d5:a6:34:69:a0:57:6a:d3:d0:63:
fa:bd:f1:7f:61:50:ce:8d:58:66:1e:be:4f:42:f1:
2c:36:4e:73:71:c2:be:53:2f:37:5a:c0:37:0c:f3:
f2:92:5a:d4:c8:e9:1e:ec:99:e8:3b:81:1d:42:1c:
a5:d6:e7:91:2a:5c:45:11:ae:81:f2:09:98:cd:d4:
91:51:e5:2f:40:c8:d0:c6:05:bc:ca:e3:7f:96:f7:
bf:f6:de:6c:88:85:54:09:49:ea:49:d4:fa:e6:cd:
e1:a0:e8:09:e6:cf:2e:6b:cd:e5:30:8c:5b:d0:c1:
c3:d1:ab:66:60:1f:03:3c:da:25:b8:86:dc:47:73:
3c:45:51:37:44:20:45:ef:2c:ae:20:03:5c:91:53:
1f:01:3d:7f:26:00:ca:13:27:1d:1b:90:ce:3a:28:
d4:59:21:8a:39:a6:1d:8c:f7:db:dd:9b:27:20:cb:
12:28:5c:4e:14:92:aa:d7:fb:9a:b9:60:a9:6e:6e:
60:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
AE:59:1C:1C:82:B0:7D:CA:EA:BF:40:4C:A0:DC:5D:D0:FC:54:E9:E9
X509v3 Authority Key Identifier:
keyid:52:93:B3:82:E1:4F:E3:1B:45:F3:94:8C:16:30:8D:6F:84:5F:90:06

        Authority Information Access: 
            OCSP - URI:http://ocsp.uosca.cn
            CA Issuers - URI:http://aia.uosca.cn/uos-app.cer

        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.uosca.cn/uos-app.crl

        X509v3 Certificate Policies: 
            Policy: 1.2.156.115230.9.8.6.1
              CPS: http://www.uosca.cn/policy/

Signature Algorithm: sha256WithRSAEncryption
     38:e5:eb:cb:f8:ea:91:59:8c:a2:41:b0:08:47:70:28:eb:dc:
     a8:f1:6e:8c:82:47:32:50:04:59:f9:65:a1:ff:10:ea:15:8a:
     5e:28:fc:14:c8:db:16:2c:86:f3:65:cd:a4:57:55:82:e0:14:
     31:ad:da:25:9a:e0:ff:7f:23:cc:ea:f7:42:a8:db:ee:27:c9:
     3f:3d:47:9b:7c:0f:38:f5:1a:85:8b:50:b9:16:c8:42:82:1f:
     c8:73:29:b6:e8:41:ea:2d:2a:92:a8:68:49:2e:3f:d6:11:b2:
     8a:c2:fd:9e:bc:69:54:63:4c:2d:25:41:c2:6b:ae:ec:26:eb:
     7f:96:77:ab:76:6c:dc:38:a6:d7:8f:f7:60:6b:57:8d:7a:93:
     18:41:12:07:aa:72:3a:95:66:87:6e:19:b3:fd:ce:50:e6:9d:
     97:ac:61:a0:ed:5e:af:cf:d7:3a:b1:f3:9c:ab:3d:72:33:ca:
     a7:0f:9b:95:11:b2:61:e5:50:08:5f:a2:ca:6f:b4:d4:95:28:
     db:8d:88:bb:b6:15:d8:35:e6:31:09:53:c1:ff:f6:ec:98:4c:
     e0:a0:da:c2:19:fa:a6:3a:8c:52:d1:c2:ad:01:2d:14:92:3b:
     22:70:b1:60:3a:44:4c:5b:2f:35:50:74:04:21:a4:40:ea:b5:
     03:b1:02:2c

Summary by Sourcery

Update Debian packaging scripts to integrate UOS/deepin Secure Boot signing certificates for kernel packages.

Build:

  • Adjust builddeb packaging script to use UEFI Secure Boot signing certificates for generated Debian packages.

Chores:

  • Add UOS and Deepin UEFI RSA certificate PEM files, including a new 2024 UOS UEFI signing certificate, to the scripts/package tree for use by the signing routine.

Connect to our signing server during build time and sign the kernel image as
it gets installed to the temporary Debian packaging directory.

Co-authored-by: 李成刚 <lichenggang@uniontech.com>
Signed-off-by: Mingcong Bai <baimingcong@uniontech.com>
Signed-off-by: 李成刚 <lichenggang@uniontech.com>
Signed-off-by: Meng Tang <tangmeng@uniontech.com>
(cherry picked from commit 924e807)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

Conflicts:
	scripts/package/builddeb
sourcery-ai bot commented Mar 4, 2026

Reviewer's Guide

This PR updates the Debian packaging script to use new UOS/deepin Secure Boot signing certificates and adds the corresponding PEM files to the tree for the 6.18.y Deepin kernel.

File-Level Changes

Change: Add UOS/deepin Secure Boot CA certificates used for kernel package signing to the source tree.
Details:
  • Introduce new 2024 UEFI bootloader publisher end-entity certificate PEM file under a versioned UEFI-CA-CERT-2024 directory.
  • Add Deepin Secure Boot CA RSA 4096 CA certificate PEM used for secure boot signing.
  • Add legacy/previous UOS UEFI RSA code-signing certificate PEM, likely for compatibility with existing signing flows.
Files:
  scripts/package/UEFI-CA-CERT-2024/UOS-UEFI-RSA.pem
  scripts/package/UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem
  scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem

Change: Adjust Debian build script to integrate the UOS/deepin Secure Boot signing routine with the new certificates.
Details:
  • Update scripts/package/builddeb logic so that the kernel deb packaging process uses the UOS/deepin secure boot signing path.
  • Ensure the signing routine points at the new certificate locations added under scripts/package/UEFI-CA-CERT* directories.
Files:
  scripts/package/builddeb

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from opsiff. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • Consider making the UEFI certificate paths configurable (e.g., via environment variables or build-time options) rather than hardcoding specific PEM locations into the packaging script so you can rotate or swap certificates without code changes.
  • The UOS UEFI RSA certificate that expired in 2023 is still being added; if it is only needed for legacy/signature verification scenarios, clarifying and isolating its usage in the build logic may help avoid accidentally using an expired certificate for new signing operations.

Copilot AI left a comment

Pull request overview

Updates the Debian kernel packaging flow to optionally sign the packaged kernel image using UOS/deepin Secure Boot certificates, and adds the required PEM certificates under scripts/package/.

Changes:

  • Add conditional kernel image signing steps to scripts/package/builddeb based on marker files in ${srctree}.
  • Introduce bundled UOS and Deepin certificate PEMs (including a 2024 UOS cert) under scripts/package/UEFI-CA-CERT*.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File: scripts/package/builddeb
  Adds conditional Secure Boot signing (including a second "2024" signing pass) during Debian image packaging.
File: scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem
  Adds UOS certificate PEM intended for signing flow.
File: scripts/package/UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem
  Adds Deepin certificate PEM intended for signing flow.
File: scripts/package/UEFI-CA-CERT-2024/UOS-UEFI-RSA.pem
  Adds 2024 UOS UEFI certificate PEM intended for signing flow.


Comment on lines +1 to +6
-----BEGIN CERTIFICATE-----
MIIEbDCCA1SgAwIBAgIQSoLQeFszpJx5UcVgfaWU7zANBgkqhkiG9w0BAQsFADA4
MQswCQYDVQQGEwJDTjEMMAoGA1UECgwDVU9TMRswGQYDVQQDDBJVT1MgQVBQIFNp
Z25pbmcgQ0EwHhcNMjAwMTA4MTEyMzExWhcNMjMwMTA4MTEyMzExWjBfMQswCQYD
VQQGEwJDTjEnMCUGA1UECgwe57uf5L+h6L2v5Lu25oqA5pyv5pyJ6ZmQ5YWs5Y+4
MScwJQYDVQQDDB7nu5/kv6Hova/ku7bmioDmnK/mnInpmZDlhazlj7gwggEiMA0G
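Review bot: the file this hunk adds as scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem does not match its name or the uos_uefi_ca role it is given. The DER header visible here carries serial 4a:82:d0:78:5b:33:... and validity 2020-01-08 to 2023-01-08, which is the 2048-bit certificate from the PR description issued by "UOS APP Signing CA" under policy 1.2.156.115230.9.8.6.1, not the Uniontech UEFI CA that issued the 2024 publisher certificate, and it expired three years before this PR. One caveat on what that means: UEFI firmware and shim do not enforce notAfter when validating an image signature, so a kernel signed under it would still boot on a machine that trusts that chain, but the signature can no longer be validated by ordinary X.509 tooling and the key cannot be rotated through it. Either drop the file together with the auto_sign_kernel branch that uses it, or rename it and comment it as legacy-only.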
Copilot AI Mar 4, 2026


The bundled UOS-UEFI-RSA.pem appears (per the certificate metadata in the PR description) to be issued by "UOS APP Signing CA" and to have a Not After date in 2023. If this certificate is actually used for UEFI Secure Boot signing, consider replacing it with the correct/current UEFI signing certificate (or clarifying/renaming the file) to avoid using an outdated or mismatched cert in the signing flow.

Comment on lines +75 to +94
sbsign \
--swkey \
--ip 10.0.32.114 \
--port 9090 \
--cert "$deepin_uefi_ca" \
--output "${pdir}/${installed_image_path}" \
"${pdir}/${installed_image_path}"

sbsign-2024 \
--hwkey 1 \
--cert "$uos_uefi_ca_2024" \
--output "${pdir}/${installed_image_path}" \
"${pdir}/${installed_image_path}"

elif [ -f "${srctree}/auto_sign_kernel" ];then
sbsign \
--hwkey 1 \
--ip 10.0.32.114 \
--port 8080 \
--cert "$uos_uefi_ca" \
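Review bot: the two sign calls in each branch read and write the same ${pdir}/${installed_image_path}, so whether the image ends up with two signatures or only the last one depends on sbsign-2024 appending rather than replacing. Stock sbsign from sbsigntools replaces an existing Authenticode signature (it warns that it is overwriting one), and the --ip/--port/--swkey/--hwkey options show these are wrappers, so the behaviour is not obvious from the script. If the goal is an image that verifies under both the first-pass certificate and the 2024 Uniontech publisher certificate, check the packaged image with `sbverify --list`; if only one signature survives, drop the first pass rather than spend a signing-server round-trip on a signature that is discarded. The two endpoints on 10.0.32.114 (:9090 for --swkey, :8080 for --hwkey) also deserve a comment saying which key each one serves.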
Copilot AI Mar 4, 2026


The signing routine hardcodes a private signing server IP (10.0.32.114) and ports (8080/9090). This makes the packaging script non-portable and brittle in different build environments; consider making these values configurable via environment variables (with sane defaults) or a config file, and fail with a clear message when unset.

Comment on lines +73 to +103
# Sign the kernel image.
if [ -f "${srctree}/auto_deepin_sign_kernel" ];then
sbsign \
--swkey \
--ip 10.0.32.114 \
--port 9090 \
--cert "$deepin_uefi_ca" \
--output "${pdir}/${installed_image_path}" \
"${pdir}/${installed_image_path}"

sbsign-2024 \
--hwkey 1 \
--cert "$uos_uefi_ca_2024" \
--output "${pdir}/${installed_image_path}" \
"${pdir}/${installed_image_path}"

elif [ -f "${srctree}/auto_sign_kernel" ];then
sbsign \
--hwkey 1 \
--ip 10.0.32.114 \
--port 8080 \
--cert "$uos_uefi_ca" \
--output "${pdir}/${installed_image_path}" \
"${pdir}/${installed_image_path}"

sbsign-2024 \
--hwkey 1 \
--cert "$uos_uefi_ca_2024" \
--output "${pdir}/${installed_image_path}" \
"${pdir}/${installed_image_path}"
fi
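Review bot: nothing after the closing fi checks that signing produced the expected result; a service that returns an image signed with the wrong key, or the deepin branch passing a self-signed CA:TRUE certificate (DEEPIN-UEFI-RSA.pem per the PR description) as --cert, only shows up when the package is booted. Add `sbverify --cert "$uos_uefi_ca_2024" "${pdir}/${installed_image_path}"` (and the matching check for the first-pass certificate) after the block so a bad signature fails the build. Separately, the only thing that turns signing on is the presence of auto_deepin_sign_kernel or auto_sign_kernel in ${srctree}, and the deepin marker wins when both exist; document the two marker files, since a stray file in a checkout silently makes the build connect to 10.0.32.114.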
Copilot AI Mar 4, 2026


This adds a dependency on external signing commands (notably sbsign-2024 and custom sbsign flags like --swkey/--hwkey/--ip/--port) without checking they exist. If the marker file is present but the tools aren't installed, the script will fail with a generic "command not found"; consider validating required commands up front and emitting a more actionable error.

Comment on lines +68 to +71
# UEFI Secure Boot CA paths.
deepin_uefi_ca="${srctree}/scripts/package/UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem"
uos_uefi_ca="${srctree}/scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem"
uos_uefi_ca_2024="${srctree}/scripts/package/UEFI-CA-CERT-2024/UOS-UEFI-RSA.pem"
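Review bot: the comment and the variable names say CA, but per the certificate dumps in the PR description only DEEPIN-UEFI-RSA.pem is a CA (CA:TRUE, self-signed, Subject Key Identifier equal to Authority Key Identifier); both UOS-UEFI-RSA.pem files are end-entity certificates (CA:FALSE, Code Signing), and the one under UEFI-CA-CERT/ expired on Jan 8 2023. Name the variables by role (for example deepin_ca_cert versus uos_signer_cert_2024) and fail early with a `[ -r "$uos_uefi_ca_2024" ]` check, or better a fingerprint pin, so a missing or substituted PEM is caught before the signing server is contacted instead of surfacing as an sbsign error.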
Copilot AI Mar 4, 2026


Lines 68-71 are indented with spaces, while the surrounding script consistently uses tabs for indentation. Please align indentation to match the rest of the file to avoid noisy diffs and style inconsistencies.

Suggested change
# UEFI Secure Boot CA paths.
deepin_uefi_ca="${srctree}/scripts/package/UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem"
uos_uefi_ca="${srctree}/scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem"
uos_uefi_ca_2024="${srctree}/scripts/package/UEFI-CA-CERT-2024/UOS-UEFI-RSA.pem"
# UEFI Secure Boot CA paths.
deepin_uefi_ca="${srctree}/scripts/package/UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem"
uos_uefi_ca="${srctree}/scripts/package/UEFI-CA-CERT/UOS-UEFI-RSA.pem"
uos_uefi_ca_2024="${srctree}/scripts/package/UEFI-CA-CERT-2024/UOS-UEFI-RSA.pem"

Connect to our signing server during build time and sign the kernel image as
it gets installed to the temporary Debian packaging directory.

It can be used to verify our signed kernel.

Log:
openssl x509 -in scripts/package/UEFI-CA-CERT-2024/UOS-UEFI-RSA.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:ea:37:6e:14:46:72:36:a9:db:a5:25:2d:52:72:76:5d:20:37
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, O = Uniontech, OU = Uniontech Certification Authority, CN = Uniontech UEFI CA
        Validity
            Not Before: Jan 16 03:11:23 2024 GMT
            Not After : Jan 16 00:00:00 2054 GMT
        Subject: C = CN, O = Uniontech, OU = Uniontech OS, CN = Uniontech UEFI Bootloader Publisher 2024
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:f7:a6:b6:80:d3:4c:64:4f:c6:28:b5:90:8d:f4:
                    f6:b9:27:78:d1:25:90:0a:9f:db:e1:53:c4:2a:2d:
                    f9:91:90:21:50:25:cf:45:65:9e:8a:84:f8:86:f0:
                    6b:0f:f4:e7:c7:8d:f3:ef:5e:ad:0e:48:b4:be:29:
                    f0:c8:24:86:fa:ca:18:b3:06:1c:1f:23:68:64:5b:
                    16:79:9e:1c:a0:bc:1f:fb:63:c0:4d:91:55:9b:c3:
                    f0:ab:7c:14:65:ad:af:19:08:46:85:61:58:d8:d3:
                    d1:e7:61:1d:c3:6f:0b:d3:1a:6d:4e:b9:7e:d4:9f:
                    52:fe:b1:54:b6:86:c6:ca:0b:e7:6f:ff:60:1a:79:
                    2c:0b:a7:da:9d:9d:76:2a:2f:65:53:47:5b:6e:73:
                    74:51:d4:9c:30:ce:40:b8:50:45:54:c7:1d:30:77:
                    cc:38:7d:b2:35:d8:5d:ce:aa:a9:e5:98:07:a4:7c:
                    8b:c6:7d:16:af:e9:e5:90:71:54:20:2c:0d:4c:67:
                    f0:da:0f:22:f7:93:45:c1:52:66:70:ed:0f:6b:da:
                    21:9c:75:3f:9c:c9:ca:82:6e:d9:c2:d9:01:9e:91:
                    61:cb:b3:25:78:5d:a5:dc:59:88:1b:85:05:c6:e5:
                    79:3a:3a:68:5b:eb:0f:12:74:ee:57:1b:50:3e:cc:
                    fc:4d:b0:8f:a8:41:8e:c2:d0:da:47:17:97:a4:b0:
                    93:13:ee:13:cb:e2:6a:41:08:52:b4:93:d1:f0:52:
                    49:b7:86:e8:bf:04:15:2e:58:66:1c:84:da:bd:6c:
                    e7:f9:b8:4f:91:e4:71:57:61:cf:27:1c:9f:fb:01:
                    7b:d3:e4:86:b3:1e:32:03:31:f1:49:88:29:d3:e4:
                    fb:de:ca:3e:e7:e2:c7:41:92:88:56:a6:20:77:2b:
                    ef:28:1c:f3:c7:ed:9f:f3:01:05:f6:ba:a0:f8:a4:
                    b2:30:0f:39:99:e1:38:88:c9:62:4e:61:49:fa:e0:
                    7e:25:c2:7b:c2:c6:47:74:14:8e:ec:ae:b0:fa:69:
                    43:75:82:c6:2e:14:72:f1:dc:af:2b:0e:38:0b:ae:
                    ab:c0:2b:fd:98:85:e9:70:d1:df:19:f2:01:ee:8b:
                    22:eb:c8:1e:5f:a9:0b:d1:31:97:1a:0a:81:c7:9b:
                    53:27:33:cb:57:72:e4:50:9a:da:14:e7:96:d0:a1:
                    55:98:24:a6:f1:35:77:d9:82:60:30:d2:9b:ef:17:
                    da:b7:e2:5f:b4:f4:fa:83:45:00:8b:c9:83:e7:fc:
                    a8:f6:86:a0:49:ed:87:3c:8e:2e:26:c9:96:ea:6f:
                    af:92:ac:65:18:10:62:75:4e:48:3d:69:7c:75:e8:
                    04:83:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                2D:D8:CD:70:0A:34:9E:1B:2B:52:4F:87:D3:B1:24:D1:C7:B9:6B:0D
            X509v3 Authority Key Identifier:
                keyid:D0:5D:4C:E6:4E:1B:9D:C0:C5:85:7B:C0:17:C6:51:0C:7B:5C:CB:17

            X509v3 Certificate Policies:
                Policy: 1.2.156.115230.9.8.7.1
                  CPS: http://www.uosca.cn/policy/
                Policy: 1.2.156.115230.9.8.7.1
                  CPS: https://pki.uniontech.com/ca/cps

    Signature Algorithm: sha256WithRSAEncryption
         a6:92:2c:4d:88:b4:15:db:01:06:6f:89:e7:3f:1b:55:66:bc:
         30:64:01:0c:7b:f4:55:74:48:fe:7c:25:eb:34:c2:c3:83:b7:
         bf:97:a3:fa:d8:c5:56:4a:06:20:18:05:0f:77:10:88:56:d9:
         18:5f:ca:f0:5d:5d:11:fc:0f:bd:e3:8a:35:61:44:86:5b:65:
         5a:52:ef:64:41:6b:9d:64:73:0e:6e:31:5f:f5:4c:23:72:69:
         c3:4a:0f:0c:2d:3c:2d:57:b3:63:be:26:76:5e:c2:4b:a7:0d:
         6f:4a:7a:13:99:3b:e1:07:a6:94:b4:a4:a1:97:de:f9:3b:5c:
         58:4d:c2:d0:f8:52:9c:96:b3:38:68:30:98:e0:61:2d:f9:fa:
         03:90:10:cf:c3:47:8e:b8:ef:12:cb:5a:1d:cc:2c:d2:a6:f9:
         97:e4:2d:69:7a:41:de:3d:5c:cc:d4:cb:4c:c3:0b:e4:7a:ef:
         5a:b9:a8:8b:4e:ff:c4:fa:55:ea:93:8d:fb:19:9e:dc:0d:0f:
         ed:e7:90:55:ac:01:35:05:e4:26:ac:0d:e4:1b:c2:7b:e5:b0:
         00:8f:5a:d3:13:9f:de:00:e2:d9:48:7a:31:f9:13:27:bb:61:
         1e:b0:5a:8f:a3:f5:f8:97:f4:6e:c7:a9:d2:e2:d5:0e:39:d4:
         df:09:50:52:f1:f9:4f:3c:e0:cc:fb:03:53:20:b8:87:6d:5b:
         b7:80:d3:20:c6:52:39:3a:50:43:0b:36:67:77:8a:84:ec:6b:
         de:b1:7e:13:36:07:59:e5:93:db:ba:21:4f:43:a7:56:0a:ba:
         04:75:05:9a:93:52:9d:36:2e:3e:83:02:47:7d:16:94:14:21:
         a9:44:39:08:86:e3:eb:07:4f:51:23:4a:d3:de:d4:e9:ce:9c:
         09:da:29:11:e9:75:ed:cf:ee:0b:f3:8d:1a:54:1a:99:85:17:
         ad:93:0a:42:66:20:4f:64:c3:ee:96:0c:ee:01:35:5b:3f:8a:
         76:6a:09:19:bf:a1:19:b5:fa:fd:5f:c2:39:cb:85:40:b5:a5:
         b1:ea:38:70:e6:99:bf:f8:7d:b3:f6:1b:54:81:66:64:96:7a:
         dd:27:05:0d:55:d7:79:6f:77:00:ca:57:85:0e:89:75:d8:18:
         40:d9:e7:a2:5b:a0:df:1f:06:13:79:b4:e7:27:c7:69:c0:25:
         42:71:15:2b:72:84:b9:23:ff:c9:af:9f:bc:d6:45:8f:b3:9d:
         47:54:aa:ca:d9:9a:ed:ed:af:4e:97:c2:f5:ba:77:38:e9:a2:
         fa:e5:32:5e:d3:5d:4a:19:53:47:1e:64:cb:33:e5:84:cf:57:
         21:34:10:dd:1f:a5:01:f8

CC: 李成刚 <lichenggang@uniontech.com>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
opsiff force-pushed the linux-6.18.y-2026-03-04-secure-boot-sign branch from e9ce889 to c674b5d on March 4, 2026 10:23
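The commit message above says the build connects to a signing server and signs the kernel as it lands in the packaging directory, and the Copilot comments ask for up-front tool checks, server coordinates that are not hardcoded, and a clear failure when they are missing. The block below is an added example written for this page; it is not code from the PR, from builddeb or from Uniontech/deepin. It assumes a POSIX shell with the openssl CLI (sbverify from sbsigntools is needed only for the final verification step); the KERNEL_SIGN_SERVER/KERNEL_SIGN_PORT variable names, the --ip/--port argument shape and the self-test certificates it generates are all illustrative assumptions.

```shell
#!/bin/sh
# Added example for this page, not code from the PR, from builddeb or from
# Uniontech/deepin. Pre-flight checks a packaging script could run before it
# hands the kernel image to an out-of-tree signing tool, plus the post-sign
# verification step. Needs the openssl CLI; sbverify (sbsigntools) is used
# only by verify_signed_image. Variable names, the --ip/--port argument shape
# and the self-test certificates are illustrative assumptions.

# 1. Every external command the signing path relies on must exist before
#    anything is touched, so a missing tool fails with one clear message
#    instead of "command not found" halfway through packaging.
require_tools() {
	missing=""
	for tool in "$@"; do
		command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
	done
	[ -z "$missing" ] || { echo "error: missing signing tools:$missing" >&2; return 1; }
}

# 2. Signing-server coordinates come from the environment rather than being
#    hardcoded (assumed variable names). Prints the argument pair to append
#    to the sign command; fails loudly if the server is not configured.
sign_server_args() {
	[ -n "${KERNEL_SIGN_SERVER:-}" ] || {
		echo "error: KERNEL_SIGN_SERVER is not set" >&2; return 1; }
	echo "--ip $KERNEL_SIGN_SERVER --port ${KERNEL_SIGN_PORT:-8080}"
}

# 3. The certificate handed to the signer must be a readable, unexpired,
#    code-signing, end-entity certificate. CA:TRUE here would mean the image
#    is signed directly with a CA key, which a publisher cert exists to avoid;
#    an expired signer cannot be validated by ordinary X.509 tooling.
check_signing_cert() {
	cert="$1"
	text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
		echo "error: $cert is not a readable X.509 certificate" >&2; return 1; }
	# -checkend 0 exits non-zero once notAfter lies in the past
	openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
		echo "error: $cert has expired ($(openssl x509 -in "$cert" -noout -enddate))" >&2
		return 1; }
	case "$text" in
	*"CA:TRUE"*)
		echo "error: $cert is a CA certificate, not a signer certificate" >&2; return 1 ;;
	esac
	case "$text" in
	*"Code Signing"*) ;;
	*) echo "error: $cert lacks the Code Signing extended key usage" >&2; return 1 ;;
	esac
}

# 4. Pin the bundled certificate by SHA-256 fingerprint (lowercase hex, no
#    colons): a PEM swapped in the tree is caught before it is used to sign.
cert_sha256() {
	openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}
check_pinned_cert() {
	actual=$(cert_sha256 "$1")
	[ "$actual" = "$2" ] || { echo "error: $1 fingerprint $actual != pinned $2" >&2; return 1; }
}

# 5. After signing, prove the image verifies under the certificate we expect,
#    so a signing-service failure breaks the build instead of shipping.
verify_signed_image() {
	sbverify --cert "$2" "$1"
}

# Self-check with throwaway keys generated locally (no network, nothing real):
# a code-signing leaf passes check_signing_cert, a CA-flagged cert does not.
selftest() {
	dir=$(mktemp -d) || return 1
	cat >"$dir/cfg" <<'EOF'
# constructed config for the self-test only
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = selftest signer
[ leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
[ ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
EOF
	for kind in leaf ca; do
		openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
			-days 30 -config "$dir/cfg" -extensions "$kind" \
			-keyout "$dir/$kind.key" -out "$dir/$kind.pem" >/dev/null 2>&1 || return 1
	done
	check_signing_cert "$dir/leaf.pem" || return 1
	! check_signing_cert "$dir/ca.pem" 2>/dev/null || return 1
	check_pinned_cert "$dir/leaf.pem" "$(cert_sha256 "$dir/leaf.pem")" || return 1
	! check_pinned_cert "$dir/leaf.pem" deadbeef 2>/dev/null || return 1
	rm -rf "$dir"
	echo "selftest: ok"
}

# Executed directly, the script just runs its self-check.
[ "${1:-}" = "--no-selftest" ] || selftest
```

Sourced into a packaging script, the checks run before the first sign call and the verification after the last one. Against the PEMs in this PR, check_signing_cert rejects UEFI-CA-CERT/UOS-UEFI-RSA.pem (Not After Jan 8 2023) and UEFI-CA-CERT/DEEPIN-UEFI-RSA.pem (CA:TRUE) and accepts UEFI-CA-CERT-2024/UOS-UEFI-RSA.pem (CA:FALSE, Code Signing, valid to 2054); the pin for that file is its SHA-256 fingerprint as printed by `openssl x509 -noout -fingerprint -sha256`. The self-test only uses keys it generates and deletes itself.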