Re: Problem signing custom kernel package

On Sun, 25 Oct 2020 06:20:16 -0500 Richard Shaw <hobbes1069(a)gmail.com&gt; wrote: It's been a while since I did this, so it might have changed, but these are the steps I went through to create the signing keys. It should at least give you some hints, if nothing else. A lot of work. The configuration file needed for openssl to create the keys. cat configuration_file.config """ [ req ] default_bits = 4096 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only x509_extensions = myexts [ req_distinguished_name ] O = Organization CN = Organization signing key emailAddress = E-mail address [ myexts ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature subjectKeyIdentifier=hash authorityKeyIdentifier=keyid """ Creating the public and private key. openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config ./configuration_file.config -outform DER -out public_key.der -keyout private_key.priv alternate form, haven't tried yet openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout key.asc -out cert.pem -nodes -days 666 -subj "/CN=$USER/" Telling mok that on next boot, use root password to import key into its database. mokutil -P --import public_key.der Converting der to pem using openssl. openssl x509 -inform DER -in public_key.der -outform PEM -out public_key.pem Convert the private key and pem certificate to a pk12 structure. openssl pkcs12 -export -out kernel_key.p12 -inkey public_key.pem -in xyz_cert.x509.pem # openssl pkcs12 -export -inkey private_key.priv -in public_key.pem -name kernel_cert -out kernel_cert.p12 Enter Export Password: Verifying - Enter Export Password: # Import pkcs12 file into pesign db # pk12util -i kernel_cert.p12 -d /etc/pki/pesign Enter password for PKCS12 file: pk12util: no nickname for cert in PKCS12 file. pk12util: using nickname: Organization signing key - Organization pk12util: PKCS12 IMPORT SUCCESSFUL