authorBenjamin Sherman <[email protected]>2024-01-12 14:33:41 -0600
committerGitHub <[email protected]>2024-01-12 12:33:41 -0800
commit363368c67045657b012a2756f54b4c04de01e4ef (patch)
treeb9d084b3cb89faa7d37b27b936a08cd53ffee7b8
parent5a703d1368bf85a6e665f62011e257b3b526c97c (diff)
fix: preserve linux kmod signature in zfs-kmod rpm spec
This change provides rpm spec macros to sign the zfs and spl kmods as the final step after the %install scriptlet. This is needed since the find-debuginfo.sh script strips out debug symbols plus signatures. Kernel module signing only occurs when the required files are present as typically required in the Linux source tree: - certs/signing_key.pem - certs/signing_key.x509 The method for overriding the default __spec_install_post macro is inspired by (and largely copied from) the Fedora kernel.spec. Reviewed-by: Tony Hutter <[email protected]> Reviewed-by: Tino Reichardt <[email protected]> Signed-off-by: Benjamin Sherman <[email protected]> Closes #15744
-rw-r--r--rpm/generic/zfs-kmod.spec.in24
-rw-r--r--rpm/redhat/zfs-kmod.spec.in24
2 files changed, 48 insertions, 0 deletions
diff --git a/rpm/generic/zfs-kmod.spec.in b/rpm/generic/zfs-kmod.spec.in
index 3c73e2ff2..4cc075585 100644
--- a/rpm/generic/zfs-kmod.spec.in
+++ b/rpm/generic/zfs-kmod.spec.in
@@ -150,6 +150,30 @@ for kernel_version in %{?kernel_versions}; do
done
+# Module signing (modsign)
+#
+# This must be run _after_ find-debuginfo.sh runs, otherwise that will strip
+# the signature off of the modules.
+# (Based on Fedora's kernel.spec workaround)
+%define __modsign_install_post \
+ sign_pem="%{ksrc}/certs/signing_key.pem"; \
+ sign_x509="%{ksrc}/certs/signing_key.x509"; \
+ if [ -f "${sign_x509}" ]\
+ then \
+ echo "Signing kernel modules ..."; \
+ for kmod in $(find ${RPM_BUILD_ROOT}%{kmodinstdir_prefix}/*/extra/ -name \*.ko); do \
+ %{ksrc}/scripts/sign-file sha256 ${sign_pem} ${sign_x509} ${kmod}; \
+ done \
+ fi \
+%{nil}
+
+# hack to ensure signing happens after find-debuginfo.sh runs
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}}\
+ %{__arch_install_post}\
+ %{__os_install_post}\
+ %{__modsign_install_post}
+
%install
rm -rf ${RPM_BUILD_ROOT}
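Review bot: The guard `if [ -f "${sign_x509}" ]` tests only the certificate, although the `sign-file` call inside the loop also reads `${sign_pem}`, so a tree that has the x509 file but no private key enters the loop and fails there instead of skipping. Testing both files, `if [ -f "${sign_pem}" ] && [ -f "${sign_x509}" ]\`, would match the commit message's "when the required files are present". The `for kmod in $(find …)` loop and the unquoted `${sign_pem} ${sign_x509} ${kmod}` arguments are word-split, so a build root or kernel source path containing whitespace would break the call; quoting the three arguments is the minimal change. The same lines appear in the rpm/redhat/zfs-kmod.spec.in hunk.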
diff --git a/rpm/redhat/zfs-kmod.spec.in b/rpm/redhat/zfs-kmod.spec.in
index f59551c0b..9c836786b 100644
--- a/rpm/redhat/zfs-kmod.spec.in
+++ b/rpm/redhat/zfs-kmod.spec.in
@@ -72,6 +72,30 @@ fi
%{?kernel_llvm}
make %{?_smp_mflags}
+# Module signing (modsign)
+#
+# This must be run _after_ find-debuginfo.sh runs, otherwise that will strip
+# the signature off of the modules.
+# (Based on Fedora's kernel.spec workaround)
+%define __modsign_install_post \
+ sign_pem="%{ksrc}/certs/signing_key.pem"; \
+ sign_x509="%{ksrc}/certs/signing_key.x509"; \
+ if [ -f "${sign_x509}" ]\
+ then \
+ echo "Signing kernel modules ..."; \
+ for kmod in $(find %{buildroot}/lib/modules/%{kverrel}/extra/ -name \*.ko); do \
+ %{ksrc}/scripts/sign-file sha256 ${sign_pem} ${sign_x509} ${kmod}; \
+ done \
+ fi \
+%{nil}
+
+# hack to ensure signing happens after find-debuginfo.sh runs
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}}\
+ %{__arch_install_post}\
+ %{__os_install_post}\
+ %{__modsign_install_post}
+
%install
make install \
DESTDIR=${RPM_BUILD_ROOT} \
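Review bot: When `certs/signing_key.x509` is absent the macro prints nothing, so the build log does not distinguish a package with unsigned modules from a signed one; this applies to the `if … fi` in this hunk and to the same block in rpm/generic/zfs-kmod.spec.in. On kernels that enforce module signatures such a package would presumably install but its modules would fail to load, which is easier to trace if the skip is logged, e.g. an `else` branch with `echo "No signing key under %{ksrc}/certs; kernel modules left unsigned"; \`. The digest is also fixed at `sha256`; whether that matches the hash the target kernel is configured for is not visible here and deserves a comment next to the `sign-file` call. Because the private key is read from the kernel source tree, a comment stating that the build host must keep `signing_key.pem` protected would help packagers.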