From: Shawn Doherty on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3715

JIRA: https://issues.redhat.com/browse/RHEL-78812
Upstream Status: RHEL-only

Enable the configuration to add an extra certificate to the kernel
keyring later. This is intended for atomic images (e.g., ostree), that
are target specific, to sign their modules when composing an image for
that target using an existing kernel RPM.

Disable kernel signing, as the signature would be invalidated by adding
extra certificates at image composition.

The build generated key used to sign the modules will be in the keyring,
so images using packages can still use: `dnf install _kernel-or-module-rpm`
and enforce signature verification. Atomic images signing their modules
at composition will add an extra certificate, re-sign the modules and
potentially wipe or invalidate the existing build key.

Signed-off-by: Shawn Doherty [email protected]
---
 redhat/configs/rhel/automotive/generic/CONFIG_MODULE_SIG_ALL                | 1 +
 redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE      | 1 +
 redhat/configs/rhel/automotive/generic/CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE | 1 +
 redhat/kernel.spec.template                                                 | 25 ++++++----
 4 files changed, 18 insertions(+), 10 deletions(-)
