[PATCH 2/3] Add a script to allow us to sign modules in modules-extra

Josh Boyer jwboyer at redhat.com
Mon Sep 17 14:03:23 UTC 2012


---
 kernel.spec       |  4 +++-
 mod-extra-sign.sh | 40 ++++++++++++++++++++++++++++++++++++++++
 mod-extra.sh      | 14 ++++++++++++++
 3 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100755 mod-extra-sign.sh

diff --git a/kernel.spec b/kernel.spec
index f0b25d1..f9af46e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 3
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -564,6 +564,7 @@ Source11: genkey
 Source15: merge.pl
 Source16: mod-extra.list
 Source17: mod-extra.sh
+Source18: mod-extra-sign.sh
 
 Source19: Makefile.release
 Source20: Makefile.config
@@ -2266,6 +2267,7 @@ fi
 %changelog
 * Fri Sep 14 2012 Josh Boyer <jwboyer at redhat.com>
 - Move the modules-extra processing to a script
+- Add a script to allow us to sign modules in modules-extra
 
 * Fri Sep 14 2012 Dave Jones <davej at redhat.com>
 - Fix license tag. (rhbz 450492)
diff --git a/mod-extra-sign.sh b/mod-extra-sign.sh
new file mode 100755
index 0000000..57a0fb0
--- /dev/null
+++ b/mod-extra-sign.sh
@@ -0,0 +1,40 @@
+#! /bin/bash
+
+# We need to sign modules we've moved from <path>/kernel/ to <path>/extra/
+# during mod-extra processing by hand.  The 'modules_sign' Kbuild target can
+# "handle" out-of-tree modules, but it does that by not signing them.  Plus,
+# the modules we've moved aren't actually out-of-tree.  We've just shifted
+# them to a different location behind Kbuild's back because we are mean.
+
+# This essentially duplicates the 'modules_sign' Kbuild target and runs the
+# same commands for those modules.
+
+moddir=$1
+
+modules=`find $moddir -name *.ko`
+
+MODSECKEY="./modsign.sec"
+MODPUBKEY="./modsign.pub"
+KEYFLAGS="--no-default-keyring --secret-keyring ${MODSECKEY} --keyring ${MODPUBKEY} --no-default-keyring --homedir . --no-options --no-auto-check-trustdb --no-permission-warning"
+
+# We need to figure out which --digest-algo= option to pass.  Forutnately, we
+# can derive that from the config.  NOTE: if the config options change names
+# we need to rework this.
+
+DIGEST=`grep CONFIG_MODULE_SIG_.*=y .config | sed -e 's/CONFIG_MODULE_SIG_//' | sed -e 's/=y//'`
+
+for mod in $modules
+do
+    dir=`dirname $mod`
+    file=`basename $mod`
+
+    rm -f ${dir}/${file}.sig
+    gpg --batch --no-greeting ${KEYFLAGS} --digest-algo=${DIGEST} -b ${dir}/${file}
+    (
+      cat ${dir}/${file} ${dir}/${file}.sig &&
+      stat --printf \%-5s ${dir}/${file}.sig &&
+      echo -n "This Is A Crypto Signed Module"
+    ) >${dir}/${file}.signed
+    mv ${dir}/${file}.signed ${dir}/${file}
+    rm -f ${dir}/${file}.sig 
+done
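Review bot: The exit status of the `gpg --batch ... -b ${dir}/${file}` line is never checked, and the status of the `( ... ) >${dir}/${file}.signed` subshell is discarded too, so when signing fails the redirection still creates `.signed` (empty, or truncated after a partial `cat`) and the following `mv` overwrites the original module with it; the build continues with a broken, unsigned .ko and nothing reports it. The `find $moddir -name *.ko` line also leaves the pattern unquoted, so if a `.ko` file happens to exist in the working directory the shell expands the glob before `find` sees it and the module list is wrong. The `DIGEST=` grep pipeline will presumably yield more than one word if more than one `CONFIG_MODULE_SIG_*=y` option is set, which would then be passed as a malformed `--digest-algo=` — worth confirming against the configs this runs on. The loop below quotes every path, aborts on gpg or assembly failure, and removes the partial `.signed` output before exiting; `${KEYFLAGS}` is left unquoted on purpose because it carries several options.
```shell
modules=$(find "$moddir" -name '*.ko')
# … unchanged: MODSECKEY / MODPUBKEY / KEYFLAGS / DIGEST setup …
for mod in $modules
do
    dir=$(dirname "$mod")
    file=$(basename "$mod")

    rm -f "${dir}/${file}.sig"
    gpg --batch --no-greeting ${KEYFLAGS} --digest-algo="${DIGEST}" -b "${dir}/${file}" || exit 1
    (
      cat "${dir}/${file}" "${dir}/${file}.sig" &&
      stat --printf \%-5s "${dir}/${file}.sig" &&
      echo -n "This Is A Crypto Signed Module"
    ) >"${dir}/${file}.signed" || { rm -f "${dir}/${file}.signed" "${dir}/${file}.sig"; exit 1; }
    mv "${dir}/${file}.signed" "${dir}/${file}"
    rm -f "${dir}/${file}.sig"
done
```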
diff --git a/mod-extra.sh b/mod-extra.sh
index 115950b..d121bd0 100755
--- a/mod-extra.sh
+++ b/mod-extra.sh
@@ -61,6 +61,20 @@ do
   mv $mod $newpath
 done
 
+popd
+
+# If we're signing modules, we can't leave the .mod files for the .ko files
+# we've moved in .tmp_versions/.  Remove them so the Kbuild 'modules_sign'
+# target doesn't try to sign a non-existent file.  This is kinda ugly, but
+# so is modules-extra.
+
+for mod in `cat ${Dir}/dep2.list`
+do
+  modfile=`basename $mod | sed -e 's/.ko/.mod/'`
+  rm .tmp_versions/$modfile
+done
+
+pushd $Dir
 rm modnames dep.list dep2.list req.list req2.list
 rm mod-extra.list mod-extra2.list mod-extra3.list
 popd
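Review bot: The `sed -e 's/.ko/.mod/'` on the `modfile=` line uses an unescaped, unanchored `.`, so it rewrites the first occurrence of any character followed by `ko` rather than the trailing `.ko` suffix; a module name such as `snd-korg1212.ko` becomes `snd.modrg1212.ko`, the wrong `.mod` file is targeted, and the real one is left behind for `modules_sign` to trip over. Using basename's suffix argument avoids the regex entirely: `modfile=$(basename -- "$mod" .ko).mod` and `rm -- ".tmp_versions/$modfile"`. The `.tmp_versions/` path is relative to whatever directory the earlier `popd` returns to, and whether a missing file aborts the script depends on `set -e` in the script head; both are outside this hunk and worth confirming.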
-- 
1.7.11.4



