Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> When it happens, I can do a rebuild, and the build will say
>
>     X.509 certificate list changed
>
> which is kind of odd, since the list should *always* be just that
> single key for me (ie "./signing_key.509").

Did you by any chance set aside a build tree that went wrong? If so, could you have a look to see what's in:

    <builddir>/kernel/.x509.list
    <builddir>/kernel/x509_certificate_list (note this is binary)
    <builddir>/x509.genkey

and make sure that:

    <builddir>/signing_key.priv
    <builddir>/signing_key.x509

both exist.

I wonder if the problem might perhaps be due to one of signing_key.priv or signing_key.x509 getting removed somehow - but not both. Make seems a bit weird on targets that produce two files, one of which isn't depended on (it might remove it under some circumstances, I think).

Btw, do you use O=<builddir> when you're building? That causes a certain amount of pain to get right because:

 (1) the auto-generated keys have to be placed into the build dir, not the source dir;

 (2) we still need to scrape extra X.509 certs from the source dir; and

 (3) we don't want to see the autogenerated X.509 certificate twice if the build dir is the same as the source dir.

Actually, we could simplify the makefile a bit and waive (3) if we weeded out duplicate X.509 certs by X.509 parameter value rather than by filename before adding them into the kernel.

> (Side note: the HHGTTG references are cute, but I suspect we should
> rename the key so that it just says something boring like "build-time
> autogenerated kernel key" instead. Just so that the error messages are
> a bit more readable to people who aren't kernel engineers)

Awww... My main point was to try and encourage distributions to supply an x509.genkey with fields filled in with appropriate info. I guess that's probably achieved by now, so I could make it something else.
It has to be specified by an X.400/X.500 DN, though, so maybe:

    @echo >>x509.genkey "O = Your company name"
    @echo >>x509.genkey "CN = Build time autogenerated kernel key"
    @echo >>x509.genkey "emailAddress = you@your.company"

I would really like to leave O, CN and emailAddress in here because these are the fields that x509_fabricate_name() uses in the kernel.

David
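
Added example, not part of the message above and not code from the kernel build system: a shell triage helper for the two situations the message describes, a build tree where only one of `signing_key.priv` / `signing_key.x509` survives, and the same certificate being picked up twice under different paths. The function names are hypothetical, and comparing a SHA-256 of each file's bytes is an assumed stand-in for the "by X.509 parameter value" comparison the message proposes.

```shell
#!/bin/sh
# Added example. File names are the ones named in the message; the function
# names and the content-hash comparison are assumptions for illustration.

# key_pair_state BUILDDIR
# Prints: both | neither | priv-only | x509-only
# "priv-only" and "x509-only" are the half-removed states suspected above.
key_pair_state() {
    priv="$1/signing_key.priv"
    cert="$1/signing_key.x509"
    if [ -e "$priv" ] && [ -e "$cert" ]; then
        echo both
    elif [ -e "$priv" ]; then
        echo priv-only
    elif [ -e "$cert" ]; then
        echo x509-only
    else
        echo neither
    fi
}

# unique_certs DIR...
# Lists the *.x509 files directly inside each DIR, keeping only the first
# path seen for each distinct file content. Passing the source dir and the
# build dir (even when they are the same directory) therefore yields each
# certificate once, whatever it is called.
unique_certs() {
    for d in "$@"; do
        for f in "$d"/*.x509; do
            [ -f "$f" ] || continue          # glob matched nothing
            printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$f"
        done
    done | awk '!seen[$1]++ { sub(/^[^ ]+  /, ""); print }'
}

# Usage: sh thisfile.sh <srcdir> <builddir>
if [ "$#" -eq 2 ]; then
    echo "key pair in $2: $(key_pair_state "$2")"
    unique_certs "$1" "$2"
fi
```

A byte-for-byte hash treats a re-encoded copy of the same certificate as different, so this is stricter than a comparison on parsed certificate fields would be.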