On Wed, 2017-11-22 at 12:49 +0100, Ansgar Burchardt wrote:
> Hi,
>
> how are kernel modules supposed to be signed? I looked at the
> src:linux-signed_5 source package and it calls a program from
> linux-kbuild-${version} (/usr/lib/linux-kbuild-*/scripts/sign-file).
>
> Does this mean that the system signing kernel modules has to execute
> binaries from the upload to generate the signatures? linux-kbuild-* is
> built from src:linux just like the kernel modules to be signed.
This program doesn't change often, so it would not be necessary to
extract it from the uploaded packages.
(Also, I want to replace signing of in-tree modules with a Merkle hash,
which would make this moot.)
Ben.
--
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
Attachment:
signature.asc
Description: This is a digitally signed message part