One additional concern: the grub maintainer script is not the only place that grub-install might be called. In particular, shim-signed will also call grub-install --target=x86_64-efi from its postinst - as will grub-efi-amd64-signed, which is from a different source package. And with the most recent adjustment of the dependencies (grub-efi-amd64-signed now depends on grub-efi-amd64 | grub-pc; which means some users in 18.04 and newer will actually have grub-pc installed, whose postinst /should not/ fail to configure due to the kernel secureboot question), grub-efi-amd64-signed may actually have its dependencies satisfied even though there are unsigned kernels.
So I think the right place for the grub-check-signatures code to run is as an inlined wrapper of grub-install. Do you agree?
Comments inline.