Annnnnnd I just realized this patch is incorrect. Comments on the concept are still welcome however. On Thu, 2015-04-09 at 17:51 -0400, Abelardo Ricart III wrote: > The module-signing.txt documentation states that the kernel will use an > existing > x.509 key pair for module signing should they exist in the root of the source > tree. > However, user provided signing keys are overwritten during build if the last- > modified > times on the key pair don't align with what make expects. This patch > explicitly checks > for the existence of the signing key files, skipping key generation should > they exist. > > Signed-off-by: Abelardo Ricart III <aricart@xxxxxxxxxx> > --- > > diff --git a/kernel/Makefile b/kernel/Makefile > index 1408b33..6b8f292 100644 > --- a/kernel/Makefile > +++ b/kernel/Makefile > @@ -168,6 +168,9 @@ ifndef CONFIG_MODULE_SIG_HASH > $(error Could not determine digest type to use from kernel config) > endif > > +ifneq ("$(wildcard $(srctree)/signing_key.priv)","") > +ifneq ("$(wildcard $(srctree)/signing_key.x509)","") > +$(warning *** X.509 module signing key pair not found in root of source tree > ***) > signing_key.priv signing_key.x509: x509.genkey > @echo "###" > @echo "### Now generating an X.509 key pair to be used for signing > modules." > @@ -184,6 +187,8 @@ signing_key.priv signing_key.x509: x509.genkey > @echo "###" > @echo "### Key pair generated." > @echo "###" > +endif > +endif > > x509.genkey: > @echo Generating X.509 key generation config -- To unsubscribe from this list: send the line "unsubscribe linux-kbuild" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html