On Wed, 2017-11-22 at 12:49 +0100, Ansgar Burchardt wrote: > Hi, > > how are kernel modules supposed to be signed? I looked at the > src:linux-signed_5 source package and it calls a program from > linux-kbuild-${version} (/usr/lib/linux-kbuild-*/scripts/sign-file). > > Does this mean that the system signing kernel modules has to execute > binaries from the upload to generate the signatures? linux-kbuild-* is > built from src:linux just like the kernel modules to be signed. This program doesn't change often, so it would not be necessary to extract it from the uploaded packages. (Also, I want to replace signing of in-tree modules with a Merkle hash, which would make this moot.) Ben. -- Ben Hutchings When in doubt, use brute force. - Ken Thompson
Attachment:
signature.asc
Description: This is a digitally signed message part