mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2024-12-25 02:49:32 +03:00
fix: preserve linux kmod signature in zfs-kmod rpm spec
This change provides rpm spec macros to sign the zfs and spl kmods as the final step after the %install scriptlet. This is needed since the find-debuginfo.sh script strips out debug symbols plus signatures. Kernel module signing only occurs when the required files are present as typically required in the Linux source tree: - certs/signing_key.pem - certs/signing_key.x509 The method for overriding the default __spec_install_post macro is inspired by (and largely copied from) the Fedora kernel.spec. Reviewed-by: Tony Hutter <hutter2@llnl.gov> Reviewed-by: Tino Reichardt <milky-zfs@mcmilk.de> Signed-off-by: Benjamin Sherman <benjamin@holyarmy.org> Closes #15744
This commit is contained in:
parent
4db88c37cc
commit
509526ad21
@ -150,6 +150,30 @@ for kernel_version in %{?kernel_versions}; do
|
|||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
|
# Module signing (modsign)
|
||||||
|
#
|
||||||
|
# This must be run _after_ find-debuginfo.sh runs, otherwise that will strip
|
||||||
|
# the signature off of the modules.
|
||||||
|
# (Based on Fedora's kernel.spec workaround)
|
||||||
|
%define __modsign_install_post \
|
||||||
|
sign_pem="%{ksrc}/certs/signing_key.pem"; \
|
||||||
|
sign_x509="%{ksrc}/certs/signing_key.x509"; \
|
||||||
|
if [ -f "${sign_x509}" ]\
|
||||||
|
then \
|
||||||
|
echo "Signing kernel modules ..."; \
|
||||||
|
for kmod in $(find ${RPM_BUILD_ROOT}%{kmodinstdir_prefix}/*/extra/ -name \*.ko); do \
|
||||||
|
%{ksrc}/scripts/sign-file sha256 ${sign_pem} ${sign_x509} ${kmod}; \
|
||||||
|
done \
|
||||||
|
fi \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
# hack to ensure signing happens after find-debuginfo.sh runs
|
||||||
|
%define __spec_install_post \
|
||||||
|
%{?__debug_package:%{__debug_install_post}}\
|
||||||
|
%{__arch_install_post}\
|
||||||
|
%{__os_install_post}\
|
||||||
|
%{__modsign_install_post}
|
||||||
|
|
||||||
%install
|
%install
|
||||||
rm -rf ${RPM_BUILD_ROOT}
|
rm -rf ${RPM_BUILD_ROOT}
|
||||||
|
|
||||||
|
@ -72,6 +72,30 @@ fi
|
|||||||
%{?kernel_llvm}
|
%{?kernel_llvm}
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
|
|
||||||
|
# Module signing (modsign)
|
||||||
|
#
|
||||||
|
# This must be run _after_ find-debuginfo.sh runs, otherwise that will strip
|
||||||
|
# the signature off of the modules.
|
||||||
|
# (Based on Fedora's kernel.spec workaround)
|
||||||
|
%define __modsign_install_post \
|
||||||
|
sign_pem="%{ksrc}/certs/signing_key.pem"; \
|
||||||
|
sign_x509="%{ksrc}/certs/signing_key.x509"; \
|
||||||
|
if [ -f "${sign_x509}" ]\
|
||||||
|
then \
|
||||||
|
echo "Signing kernel modules ..."; \
|
||||||
|
for kmod in $(find %{buildroot}/lib/modules/%{kverrel}/extra/ -name \*.ko); do \
|
||||||
|
%{ksrc}/scripts/sign-file sha256 ${sign_pem} ${sign_x509} ${kmod}; \
|
||||||
|
done \
|
||||||
|
fi \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
# hack to ensure signing happens after find-debuginfo.sh runs
|
||||||
|
%define __spec_install_post \
|
||||||
|
%{?__debug_package:%{__debug_install_post}}\
|
||||||
|
%{__arch_install_post}\
|
||||||
|
%{__os_install_post}\
|
||||||
|
%{__modsign_install_post}
|
||||||
|
|
||||||
%install
|
%install
|
||||||
make install \
|
make install \
|
||||||
DESTDIR=${RPM_BUILD_ROOT} \
|
DESTDIR=${RPM_BUILD_ROOT} \
|
||||||
|
Loading…
Reference in New Issue
Block a user