On Saturday, October 15, 2022 12:07:40 AM CDT Sharpened Blade via users wrote:
I am building a kernel from the fedora `kernel.spec` file and SRPM.
It works
as good as the official kernel, but nothing in it is signed. I know that I
can sign the kernel RPM package, but what about the kernel itself (for
secure boot). The Fedora kernel is signed on a separate system, but I can
not find any docs for it. I know that I cant use Fedora's keys, but what
about signing it with my keys, then adding those keys to the shim.
I am trying to make it so that a user starting on a fresh install can
use
the kernel by adding the public keys to the shim, then installing the
kernel RPM. I also want the modules to be signed with my key (I don't care
if it is the same key that used for the rest of the kernel). I do not mean
signing the RPM packages, but the binaries that are installed from the RPM
package. I also do not want to have to signed the installed binaries with a
per install key locally.
tl;dr: I want to make kernel RPM package that is exactly the same as
the
Fedora package, but I compile it, and it uses my signing keys. I also want
to be able to distribute this in the same way as the Fedora package, but
with the user adding the key to the shim.
Take a look at:
*
https://jwboyer.livejournal.com/46149.html
*
https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/mod-sign.sh