[CentOS-devel] signing of openvswitch.ko with kernel signing key

Tue Jan 15 14:38:12 UTC 2019
Karanbir Singh <kbsingh at centos.org>

On 15/01/2019 14:27, Maheshwari, Shagun wrote:
> Hi,
> 
>  
> 
> Latest CentOS kernel comes with openvswitch-2.0.0 drivers, but for an
> application, I needed openvswitch-2.9.2. I am trying to get my
> openvswitch.ko (from openvswitch-kmod-2.9.2-1.el7.centos.x86_64.rpm ) to
> get signed by the kernel module signing key. To achieve this I included
>  below line to my spec file:
> 
>  
> 
>   mv signing_key.x509.sign.debug signing_key.x509 \
> 
>    %{modsign_cmd} ~/home/nupur/openvswitch/*.ko
> 
>    %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVRA}.debug || exit 1 \
> 
>   fi \
> 
>     if [ "%{with_default}" -ne "0" ]; then \
> 
>  
> 
> But the build is failing. Please suggest , if it is feasible to achieve
> this. Or is this the right thing to do to sign third-party module with
> centos signing key.
> 

We dont/wont sign an external build with the kernel sign key ( once the
trust path is established, we dont preserve it even )

regards


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20190115/8580c821/attachment-0008.sig>