Code review comment for ~juliank/grub/+git/ubuntu:juliank/check-signed-kernels

Julian Andres Klode (juliank) wrote :

> Comments inline.
>
> One additional concern: the grub maintainer script is not the only place that
> grub-install might be called. In particular, shim-signed will also call
> grub-install --target=x86_64-efi from its postinst - as will grub-efi-amd64-signed,
> which is from a different source package. And with the most recent adjustment
> of the dependencies (grub-efi-amd64-signed now depends on grub-efi-amd64 |
> grub-pc; which means some users in 18.04 and newer will actually have grub-pc
> installed, whose postinst /should not/ fail to configure due to the kernel
> secureboot question), grub-efi-amd64-signed may actually have its dependencies
> satisfied even though there are unsigned kernels.
>
> So I think the right place for the grub-check-signatures code to run is as an
> inlined wrapper of grub-install. Do you agree?

Your review on the last diff said to only check when we are switching the secure boot policy in grub - the only place we can do this is from the grub maintainer scripts, as we need to have the grub version to check against.

We specifically can't do that in grub-install, since grub-install may be used for a lot of stuff other than installing stuff to the ESP. Hence the previous approach checked it in update-grub.

I don't see why grub-pc should not fail due to secure boot if it's on an EFI system in secure boot mode.
