[OS-BUILD PATCH] redhat: use centos x509.genkey file if building under centos


 



From: Herton R. Krzesinski <herton@xxxxxxxxxx>

redhat: use centos x509.genkey file if building under centos

Upstream Status: RHEL only

When doing modinfo against a kernel built under centos, it'll show the
signer as Red Hat Enterprise Linux kernel. To avoid this, switch the
module signing to use a centos x509.genkey file provided by Brian
Stinson.

This was requested for centos-stream-9 in BZ 2029952.

v2: fix build issue due to empty if/then clause

Signed-off-by: Herton R. Krzesinski <herton@xxxxxxxxxx>

diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
index blahblah..blahblah 100755
--- a/redhat/kernel.spec.template
+++ b/redhat/kernel.spec.template
@@ -777,6 +777,8 @@ Source37: filter-aarch64.sh.rhel
 Source38: filter-ppc64le.sh.rhel
 Source39: filter-s390x.sh.rhel
 Source40: filter-modules.sh.rhel
+
+Source41: x509.genkey.centos
 %endif
 
 %if 0%{?include_fedora}
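
Review bot: Source41 is declared here, but nothing visible in this patch refers to it as %{SOURCE41}; the only consumer appears to be the later "./update_scripts.sh centos" call, which presumably selects the file by its .centos suffix. A one-line comment above "Source41: x509.genkey.centos" saying that it is picked up by update_scripts.sh, and only takes effect when 0%{?centos} is set, would make that dependency explicit. The added blank "+" line before it is also not needed and separates Source41 from the rest of the .rhel sources in the same %if block.
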
@@ -1499,6 +1501,18 @@ done
 cp %{SOURCE82} .
 RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh %{primary_target}
 
+# We may want to override files from the primary target in case of building
+# against a flavour of it (eg. centos not rhel), thus override it here if
+# necessary
+if [ "%{primary_target}" == "rhel" ]; then
+%if 0%{?centos}
+  echo "Updating scripts/sources to centos version"
+  RPM_SOURCE_DIR=$RPM_SOURCE_DIR ./update_scripts.sh centos
+%else
+  echo "Not updating scripts/sources to centos version"
+%endif
+fi
+
 # end of kernel config
 %endif
 
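
Review bot: The test [ "%{primary_target}" == "rhel" ] in the added block uses ==, which is a bash extension to the [ builtin; = is the portable form. The %else branch with echo "Not updating scripts/sources to centos version" is there only so the shell if body is never empty (the v2 fix). Putting the shell if inside %if 0%{?centos} ... %endif would remove the need for the placeholder and keep the extra log line out of non-centos builds. It would also help to state in the comment which files the centos pass is expected to override, since at this point the only one added by the patch is x509.genkey.centos.
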
diff --git a/redhat/rhel_files/x509.genkey.centos b/redhat/rhel_files/x509.genkey.centos
new file mode 100644
index blahblah..blahblah 100644
--- /dev/null
+++ b/redhat/rhel_files/x509.genkey.centos
@@ -0,0 +1,16 @@
+[ req ]
+default_bits = 3072
+distinguished_name = req_distinguished_name
+prompt = no
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = The CentOS Project
+CN = CentOS Stream kernel signing key
+emailAddress = security@xxxxxxxxxx
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
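
Review bot: The new x509.genkey.centos has no header comment saying what it is for, and the values in [ req ] and [ req_distinguished_name ] determine the signer that modinfo reports. A short comment at the top stating that this file replaces the rhel x509.genkey when building with 0%{?centos}, and that the O and CN values are the identity shown as the module signer, would help whoever next changes either file. If default_bits = 3072 and the [ myexts ] section are meant to stay identical to the RHEL genkey, say so in that comment so the two files are kept in sync.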

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1588