From: Herton R. Krzesinski <herton@xxxxxxxxxx> redhat: add DUP and kpatch certificates to system trusted keys for RHEL build We were not including yet the DUP and kpatch additional certificates in the build process for RHEL. Do it by creating the required pem file and setting the related kernel config option. Signed-off-by: Herton R. Krzesinski <herton@xxxxxxxxxx> diff a/redhat/kernel.spec.template b/redhat/kernel.spec.template --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -719,6 +719,9 @@ Source56: update_scripts.sh Source54: mod-internal.list +Source100: rheldup3.x509 +Source101: rhelkpatch1.x509 + Source200: check-kabi Source201: Module.kabi_aarch64 @@ -1323,6 +1326,18 @@ do done %endif +# Add DUP and kpatch certificates to system trusted keys for RHEL +%if 0%{?rhel} +%if %{signkernel}%{signmodules} +openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem +openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem +cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem +for i in *.config; do + sed -i 's@CONFIG_SYSTEM_TRUSTED_KEYS=""@CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"@' $i +done +%endif +%endif + cp %{SOURCE52} . OPTS="" %if %{with_configchecks} -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/882
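Review bot: in the second hunk (@@ -1323,6 +1326,18 @@), the sed expression only matches a line that reads exactly CONFIG_SYSTEM_TRUSTED_KEYS="", so a .config in which the option already has another value, or is absent, is left unchanged and nothing reports it. The package would then build without rhel.pem in the system trusted keys. Suggest checking each file after the sed, for example with grep -q 'CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem"' "$i", and failing the build when the line is missing. Two smaller points in the same hunk: quote "$i" in the loop, and add a short comment saying which directory these commands run from, since the bundle is written to ../certs/rhel.pem while the config value is certs/rhel.pem.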