From: Herton R. Krzesinski <herton@xxxxxxxxxx>

redhat: use centos x509.genkey file if building under centos

Upstream Status: RHEL only

When doing modinfo against a kernel built under centos, it'll show the signer as Red Hat Enterprise Linux kernel. To avoid this, switch the module signing to use a centos x509.genkey file provided by Brian Stinson. This was requested for centos-stream-9 in BZ 2029952.

v2: fix build issue due to empty if/then clause

Signed-off-by: Herton R. Krzesinski <herton@xxxxxxxxxx>

diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100755 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -777,6 +777,8 @@ Source37: filter-aarch64.sh.rhel Source38: filter-ppc64le.sh.rhel Source39: filter-s390x.sh.rhel Source40: filter-modules.sh.rhel + +Source41: x509.genkey.centos %endif %if 0%{?include_fedora} @@ -1499,6 +1501,18 @@ done cp %{SOURCE82} . RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh %{primary_target} +# We may want to override files from the primary target in case of building +# against a flavour of it (eg. centos not rhel), thus override it here if +# necessary +if [ "%{primary_target}" == "rhel" ]; then +%if 0%{?centos} + echo "Updating scripts/sources to centos version" + RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh centos +%else + echo "Not updating scripts/sources to centos version" +%endif +fi + # end of kernel config %endif diff --git a/redhat/rhel_files/x509.genkey.centos b/redhat/rhel_files/x509.genkey.centos new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/rhel_files/x509.genkey.centos 
@@ -0,0 +1,16 @@ +[ req ] +default_bits = 3072 +distinguished_name = req_distinguished_name +prompt = no +x509_extensions = myexts + +[ req_distinguished_name ] +O = The CentOS Project +CN = CentOS Stream kernel signing key +emailAddress = security@xxxxxxxxxx + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1588
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
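
Review bot: in the first kernel.spec.template hunk (@@ -777,6 +777,8 @@), Source41: x509.genkey.centos is declared but no visible line refers to %{SOURCE41} or copies the file into the build directory; the %prep context only shows cp %{SOURCE82} . before update_scripts.sh runs. Please confirm the new file is present where "./update_scripts.sh centos" looks for it, or add the copy explicitly next to the existing cp. The extra blank added line before Source41 also separates it from the other entries in the same block, so a one-line comment saying it is the centos override would make the grouping clear.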
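
Review bot: in the %prep hunk of kernel.spec.template (@@ -1499,6 +1501,18 @@), the %else branch with echo "Not updating scripts/sources to centos version" appears to be there only so the shell "if ...; then" body is never empty, which is the v2 fix. Moving %if 0%{?centos} ... %endif outside the shell if/fi would remove the need for a placeholder branch and keep the rpm conditional and the shell conditional from interleaving. The test [ "%{primary_target}" == "rhel" ] also uses ==, which is a bash extension inside [ ]; a single = is the portable form.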
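
Review bot: in the new redhat/rhel_files/x509.genkey.centos, the [ req ] section sets default_bits = 3072 but no default_md, so the digest used for the generated certificate is left to whatever invokes openssl with this config. Consider adding a default_md line, or a comment stating where the digest is chosen, so the signing parameters can be audited from this file alone. A short header comment naming the file this one overrides and pointing at BZ 2029952 would also help anyone comparing signer identities in modinfo output later.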