[kernel/f19] Fix module signing so secure boot works again

Justin M. Forbes jforbes at fedoraproject.org
Tue Feb 25 21:08:32 UTC 2014


commit 7a2a6ee340e4c800acf18be5b8187c5dfa186f6b
Author: Justin M. Forbes <jforbes at redhat.com>
Date:   Tue Feb 25 15:09:13 2014 -0600

     Fix module signing so secure boot works again

 kernel.spec |   11 +++++++----
 mod-sign.sh |   22 +++++++++++++++-------
 2 files changed, 22 insertions(+), 11 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index e56ac0e..47c7ce3 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 100
+%global baserelease 101
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -1908,13 +1908,13 @@ find Documentation -type d | xargs chmod u+w
 %define __modsign_install_post \
   if [ "%{signmodules}" -eq "1" ]; then \
     if [ "%{with_pae}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign.%{pae} signing_key.x509.sign+%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}/ \
+      %{modsign_cmd} signing_key.priv.sign.%{pae} signing_key.x509.sign.%{pae} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}/ \
     fi \
     if [ "%{with_debug}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign.debug signing_key.x509.sign+debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \
+      %{modsign_cmd} signing_key.priv.sign.debug signing_key.x509.sign.debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \
     fi \
     if [ "%{with_pae_debug}" -ne "0" ]; then \
-      %{modsign_cmd} signing_key.priv.sign.%{pae}debug signing_key.x509.sign+%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}debug/ \
+      %{modsign_cmd} signing_key.priv.sign.%{pae}debug signing_key.x509.sign.%{pae}debug $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}debug/ \
     fi \
     if [ "%{with_up}" -ne "0" ]; then \
       %{modsign_cmd} signing_key.priv.sign signing_key.x509.sign $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \
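Review bot: Nothing near these `%{modsign_cmd}` calls records the argument order they depend on. The mod-sign.sh change in this same commit (presumably the script behind `modsign_cmd`) now takes the private key, the certificate and the module directory as positional arguments. A comment above the `%define __modsign_install_post` line, such as `# modsign_cmd args: <private key> <x509 cert> <module dir>, one key pair per kernel flavour`, would make a name mismatch like the old `sign+` spelling easier to catch in review. The macro body continues past the end of this hunk.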
@@ -2305,6 +2305,9 @@ fi
 # and build.
 
 %changelog
+* Tue Feb 25 2015 Justin M. Forbes <jforbes at fedoraproject.org> - 3.13.5-101
+* Fix module signing so secure boot works again
+
 * Tue Feb 25 2014 Josh Boyer <jwboyer at fedoraproject.org>
 - Fix mounting issues on cifs (rhbz 1068862)
 
diff --git a/mod-sign.sh b/mod-sign.sh
index 9d95d48..5081e77 100755
--- a/mod-sign.sh
+++ b/mod-sign.sh
@@ -9,20 +9,28 @@
 # This essentially duplicates the 'modules_sign' Kbuild target and runs the
 # same commands for those modules.
 
-moddir=$1
+MODSECKEY=$1
+MODPUBKEY=$2
 
-modules=`find $moddir -name *.ko`
+moddir=$3
 
-MODSECKEY="./signing_key.priv"
-MODPUBKEY="./signing_key.x509"
+modules=`find $moddir -name *.ko`
 
 for mod in $modules
 do
     dir=`dirname $mod`
     file=`basename $mod`
 
-    ./scripts/sign-file sha256 ${MODSECKEY} ${MODPUBKEY} ${dir}/${file} \
-       ${dir}/${file}.signed
-    mv ${dir}/${file}.signed ${dir}/${file}
+    ./scripts/sign-file sha256 ${MODSECKEY} ${MODPUBKEY} ${dir}/${file}
     rm -f ${dir}/${file}.{sig,dig}
 done
+
+RANDOMMOD=$(find $moddir -type f -name '*.ko' | sort -R | head -n 1)
+if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then
+    echo "*****************************"
+    echo "*** Modules are unsigned! ***"
+    echo "*****************************"
+    exit 1
+fi
+
+exit 0
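Review bot: The signature check at the end of the script inspects one randomly chosen module, and the exit status of `./scripts/sign-file` is never tested inside the loop. A run where signing failed for only some modules can therefore still exit 0 and ship unsigned modules, which a kernel enforcing module signatures would refuse to load. Checking every module as it is signed closes that gap and names the failing file. Separately, `find $moddir -name *.ko` leaves the glob unquoted, unlike the new `'*.ko'` further down, so a stray `.ko` file in the working directory would change what gets signed. The top of the script, including its interpreter line, is outside this hunk.

```shell
# … unchanged: MODSECKEY / MODPUBKEY / moddir assignments …
find "$moddir" -type f -name '*.ko' | while IFS= read -r mod
do
    ./scripts/sign-file sha256 "$MODSECKEY" "$MODPUBKEY" "$mod" || exit 1
    rm -f "$mod.sig" "$mod.dig"
    # Every module must carry the trailer, not just a random sample.
    if [ "~Module signature appended~" != "$(tail -c 28 "$mod")" ]; then
        echo "*** Module $mod is unsigned! ***"
        exit 1
    fi
done || exit 1
```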

