[kernel] sign all modules with the extras signing script

Kyle McMartin kyle at fedoraproject.org
Fri Jan 25 20:33:50 UTC 2013 

commit d0a8cf569b30a0a9318aa47d59405efe5afb519a
Author: Kyle McMartin <kmcmarti at redhat.com>
Date:   Fri Jan 25 13:53:02 2013 -0500

    sign all modules with the extras signing script

 kernel.spec                      |   22 +++++++++++-----------
 mod-extra-sign.sh => mod-sign.sh |   10 +++++-----
 2 files changed, 16 insertions(+), 16 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 25c8820..935f119 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -556,7 +556,8 @@ Source11: x509.genkey
 Source15: merge.pl
 Source16: mod-extra.list
 Source17: mod-extra.sh
-Source18: mod-extra-sign.sh
+Source18: mod-sign.sh
+%define modsign_cmd %{SOURCE18}
 
 Source19: Makefile.release
 Source20: Makefile.config
@@ -1866,8 +1867,7 @@ find Documentation -type d | xargs chmod u+w
 # could be because of that.  2) We restore the .tmp_versions/ directory from
 # the one we saved off in BuildKernel above.  This is to make sure we're
 # signing the modules we actually built/installed in that flavour.  3) We
-# grab the arch and invoke 'make modules_sign' and the mod-extra-sign.sh
-# commands to actually sign the modules.
+# grab the arch and invoke mod-sign.sh command to actually sign the modules.
 #
 # We have to do all of those things _after_ find-debuginfo runs, otherwise
 # that will strip the signature off of the modules.
@@ -1880,8 +1880,7 @@ find Documentation -type d | xargs chmod u+w
       mv .tmp_versions.sign.PAE .tmp_versions \
       mv signing_key.priv.sign.PAE signing_key.priv \
       mv signing_key.x509.sign.PAE signing_key.x509 \
-      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAE \
-      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/extra/ \
+      %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/ \
     fi \
     if [ "%{with_debug}" != "0" ]; then \
       Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-debug.config | cut -b 3-` \
@@ -1889,8 +1888,7 @@ find Documentation -type d | xargs chmod u+w
       mv .tmp_versions.sign.debug .tmp_versions \
       mv signing_key.priv.sign.debug signing_key.priv \
       mv signing_key.x509.sign.debug signing_key.x509 \
-      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.debug \
-      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/extra/ \
+      %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \
     fi \
     if [ "%{with_pae_debug}" != "0" ]; then \
       Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}-PAEdebug.config | cut -b 3-` \
@@ -1898,8 +1896,7 @@ find Documentation -type d | xargs chmod u+w
       mv .tmp_versions.sign.PAEdebug .tmp_versions \
       mv signing_key.priv.sign.PAEdebug signing_key.priv \
       mv signing_key.x509.sign.PAEdebug signing_key.x509 \
-      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL}.PAEdebug \
-      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/extra/ \
+      %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/ \
     fi \
     if [ "%{with_up}" != "0" ]; then \
       Arch=`head -1 configs/kernel-%{version}-%{_target_cpu}.config | cut -b 3-` \
@@ -1907,8 +1904,7 @@ find Documentation -type d | xargs chmod u+w
       mv .tmp_versions.sign .tmp_versions \
       mv signing_key.priv.sign signing_key.priv \
       mv signing_key.x509.sign signing_key.x509 \
-      make -s ARCH=$Arch V=1 INSTALL_MOD_PATH=$RPM_BUILD_ROOT modules_sign KERNELRELEASE=%{KVERREL} \
-      %{SOURCE18} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/extra/ \
+      %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
     fi \
   fi \
 %{nil}
@@ -2313,6 +2309,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Fri Jan 25 2013 Kyle McMartin <kmcmarti at redhat.com>
+- Sign all modules with the mod-extra-sign.sh script, ensures nothing gets
+  missed because of .config differences between invocations of BuildKernel.
+
 * Fri Jan 25 2013 Justin M. Forbes <jforbes at redhat.com>
 - Turn off THP for 32bit
 
diff --git a/mod-extra-sign.sh b/mod-sign.sh
similarity index 56%
rename from mod-extra-sign.sh
rename to mod-sign.sh
index 9b24a40..cae2592 100755
--- a/mod-extra-sign.sh
+++ b/mod-sign.sh
@@ -1,10 +1,10 @@
 #! /bin/bash
 
-# We need to sign modules we've moved from <path>/kernel/ to <path>/extra/
-# during mod-extra processing by hand.  The 'modules_sign' Kbuild target can
-# "handle" out-of-tree modules, but it does that by not signing them.  Plus,
-# the modules we've moved aren't actually out-of-tree.  We've just shifted
-# them to a different location behind Kbuild's back because we are mean.
+# The modules_sign target checks for corresponding .o files for every .ko that
+# is signed. This doesn't work for package builds which re-use the same build
+# directory for every flavour, and the .config may change between flavours.
+# So instead of using this script to just sign lib/modules/$KernelVer/extra,
+# sign all .ko in the buildroot.
 
 # This essentially duplicates the 'modules_sign' Kbuild target and runs the
 # same commands for those modules.

More information about the scm-commits mailing list