On Thu, 29 Oct 2020 12:13:03 -0500
Richard Shaw <hobbes1069(a)gmail.com> wrote:
> On Sun, Oct 25, 2020 at 3:50 PM stan via devel <devel(a)lists.fedoraproject.org> wrote:
> > Convert the private key and pem certificate to a pk12 structure.
> > openssl pkcs12 -export -out kernel_key.p12 -inkey public_key.pem -in xyz_cert.x509.pem
>
> Ok, you lost me right here. There is no file xyz_cert.x509.pem file
> to be used with "-in"...

From my history, it appears that the actual command I used was this:

openssl pkcs12 -export -inkey private_key2.priv -in public_key2.pem -name kernel_cert -out kernel_cert2.p12

So, I actually replaced the xyz_cert.x509.pem with public_key2.pem.
It was probably my second try, thus the 2, as it took me some trial and
error to work this out. Thus, you should use the version of keys from
your first two commands.
While I'm typing, these are the commands I actually use to sign a
kernel. You'll need them once the keys are all distributed properly.
Depending on how you build the kernel, the redhat-testing-key might
already have signed it, and if you don't have that installed, the
kernel won't boot. I have to remove it. Actually, the kernels have
been signed twice lately with that test key, so I have to remove both
of them.

pesign -S -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64
pesign -r -u 0 -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64 -o /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned
pesign -r -u 0 -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned -o /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned2
pesign -S -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned2
pesign --certdir /etc/pki/pesign --certificate kernel_cert --in /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned2 --out /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.signed --sign
pesign -S -i /boot/vmlinuz-5.9.1-300.20201025.fc31.x86_64.signed
ls -nZ
cp vmlinuz-5.9.1-300.20201025.fc31.x86_64.signed vmlinuz-5.9.1-300.20201025.fc31.x86_64
ls -nZ
rm vmlinuz-5.9.1-300.20201025.fc31.x86_64.signed vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned vmlinuz-5.9.1-300.20201025.fc31.x86_64.unsigned2
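
The remove-then-sign sequence from the message above, generalized to any number of existing signatures and with a check before the result is used. This is an added example, not part of the original email; the function names, the MAX_SIGS limit and the assumption that `pesign -S` prints one "common name" line per signature are mine.

```shell
#!/bin/sh
# Added example; not from the original message.
# Assumption: `pesign -S` prints one "common name" line per signature.
PESIGN=${PESIGN:-pesign}             # overridable, e.g. for a dry run
CERTDIR=${CERTDIR:-/etc/pki/pesign}  # NSS database used in the message
NICK=${NICK:-kernel_cert}            # nickname set by `-name` at export
MAX_SIGS=8                           # constructed safety limit for the loop

# Print the number of signatures found on a PE image.
sig_count() {
    "$PESIGN" -S -i "$1" | grep -c 'common name' || true
}

# Strip every existing signature from a copy of the image, sign the result,
# and print the path of the signed file. The original image is not modified.
resign_kernel() {
    img=$1
    work=$(mktemp -d) || return 1
    cur="$work/step0"
    cp -- "$img" "$cur" || return 1
    i=0
    while [ "$(sig_count "$cur")" -gt 0 ]; do
        i=$((i + 1))
        if [ "$i" -gt "$MAX_SIGS" ]; then
            echo "more than $MAX_SIGS signatures on $img" >&2
            return 1
        fi
        # Always remove signature 0, as the message does twice in a row.
        "$PESIGN" -r -u 0 -i "$cur" -o "$work/step$i" || return 1
        cur="$work/step$i"
    done
    "$PESIGN" --certdir "$CERTDIR" --certificate "$NICK" \
        --in "$cur" --out "$img.signed" --sign || return 1
    # Refuse to hand back an image that does not carry exactly one signature.
    if [ "$(sig_count "$img.signed")" -ne 1 ]; then
        echo "unexpected signature count on $img.signed" >&2
        return 1
    fi
    rm -rf -- "$work"
    echo "$img.signed"
}
```

Call it as `resign_kernel /boot/vmlinuz-<version>`; copying the `.signed` file over the original is left as a separate manual step, so a failed signing run never touches the kernel that currently boots.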