From: Shawn Doherty <sdoherty@xxxxxxxxxx>
Subject: redhat: spec: prepare to defer signing to image composition

JIRA: https://issues.redhat.com/browse/RHEL-78808

commit 61c4a40f36a672cdd3be48dcfef63f1a9db5e379
Author: Eric Chanudet <echanude@xxxxxxxxxx>
Date: Wed Jun 5 09:24:14 2024 -0400

redhat: spec: prepare to defer signing to image composition

JIRA: https://issues.redhat.com/browse/RHEL-53349
Upstream Status: RHEL-only

Automotive only change.

Set the rpmbuildopts to disable kernel signing, as the signature would be
invalidated by adding extra certificates for modules signed at image
composition. Enable the configuration to add an extra certificate to the
kernel keyring later.

This is intended for atomic images (e.g., ostree) that are target specific,
to sign their modules when composing an image for that target using an
existing kernel RPM.

The build-generated key used to sign the modules will be in the keyring, so
images using packages can still use:

    dnf install <kernel-or-module-rpm>

and enforce signature verification. Atomic images signing their modules at
composition will add an extra certificate, re-sign the modules and
potentially wipe or invalidate the existing build key.

Signed-off-by: Eric Chanudet <echanude@xxxxxxxxxx>
Signed-off-by: Shawn Doherty <sdoherty@xxxxxxxxxx>

diff --git a/redhat/configs/rhel/automotive/generic/CONFIG_MODULE_SIG_ALL b/redhat/configs/rhel/automotive/generic/CONFIG_MODULE_SIG_ALL new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/configs/rhel/automotive/generic/CONFIG_MODULE_SIG_ALL @@ -0,0 +1 @@ +# CONFIG_MODULE_SIG_ALL is not set diff --git a/redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE b/redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE @@ -0,0 +1 @@ +CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
diff --git a/redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE b/redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE new file mode 100644 index blahblah..blahblah 100644 --- /dev/null +++ b/redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE @@ -0,0 +1 @@ +CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100644 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -469,6 +469,8 @@ Summary: The Linux kernel %define with_kernel_abi_stablelists 0 %define with_kabidw_base 0 %define with_ipaclones 0 +%define signkernel 0 +%define signmodules 1 %endif
-- 
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3715
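Review bot: Unsetting CONFIG_MODULE_SIG_ALL in the first hunk (`+# CONFIG_MODULE_SIG_ALL is not set`) means the kernel build itself no longer signs modules, so every module signature in the RPM now depends solely on the spec-side step enabled by `+%define signmodules 1`; the commit message says images can still "enforce signature verification", but nothing in the diff shows the enforcement option for this automotive config (CONFIG_MODULE_SIG_FORCE), so please state in the commit message that it remains enabled, or add that config file next to this one, so a reviewer can confirm an unsigned module is still rejected at load time.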
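Review bot: `+CONFIG_SYSTEM_EXTRA_CERTIFICATE=y` reserves a slot that lets the image composition step add a second trust root to the kernel's builtin keyring, and the message acknowledges that this step may "wipe or invalidate the existing build key"; since `+%define signkernel 0` leaves the kernel image in the RPM unsigned, the commit message should also say which composition step signs the final kernel image after the extra certificate has been inserted, and name (or point to) the tool expected to fill the slot, so the hand-off between the RPM and the composed image is documented rather than implied.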
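Review bot: `+CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096` is not justified anywhere in the commit message; 4096 bytes comfortably fits one DER-encoded X.509 certificate but may not fit a certificate chain, so please add a sentence (or a comment in the config file) stating what the composition step is expected to insert (single certificate vs chain, key type), so the reservation is not found to be too small only when a target's signing setup changes.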
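Review bot: The two `%define` lines in the kernel.spec.template hunk sit inside a block that closes with `%endif`, but the hunk does not show the condition that opens it, so the diff alone does not establish that these defaults apply only to the automotive build as the message claims ("Automotive only change"); please confirm the enclosing conditional is the automotive branch and consider a short comment above `+%define signkernel 0` noting that kernel signing is intentionally deferred to image composition, with the JIRA reference, since a reader of the spec alone would otherwise take `signkernel 0` for a build misconfiguration.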