Am Donnerstag, 9. April 2020, 16:41:17 CEST schrieb Hans-Peter Jansen:
Section: Signing EFI binaries/kernel modules for EFI Secure Boot and below: out of my capabilities.
and seems to be defunct as well. :| Attempt to build kernel-default from Kernel:stable for 15.{1,2} and TW, here are the relevant parts to pesign and co: [ 146s] ### Now generating an X.509 key pair to be used for signing modules. [ 146s] ### [ 146s] ### If this takes a long time, you might wish to run rngd in the [ 146s] ### background to keep the supply of entropy topped up. It [ 146s] ### needs to be run as root, and uses a hardware random [ 146s] ### number generator if one is available. [ 146s] ### [ 146s] Generating a RSA private key [ 146s] ................................................................................ ++++ [ 146s] .......++++ [ 146s] writing new private key to 'certs/signing_key.pem' [ 146s] ----- [ 146s] ### [ 146s] ### Key pair generated. [ 146s] ### [ 146s] EXTRACT_CERTS certs/signing_key.pem [ 146s] AS certs/system_certificates.o [ 5533s] + cp -p arch/x86/boot/bzImage /home/abuild/rpmbuild/BUILDROOT/kernel- default-5.6.2-2.3.x86_64/boot/vmlinuz-5.6.2-2-default [ 5533s] + image=vmlinuz [ 5533s] + BRP_PESIGN_FILES= [ 5533s] + BRP_PESIGN_FILES=/boot/vmlinuz-5.6.2-2-default [ 5533s] + BRP_PESIGN_FILES='/boot/vmlinuz-5.6.2-2-default *.ko' [ 5533s] + export BRP_PESIGN_FILES [ 5533s] + export BRP_PESIGN_COMPRESS_MODULE=xz [ 5533s] + BRP_PESIGN_COMPRESS_MODULE=xz [ 5533s] + test -x /usr/lib/rpm/pesign/gen-hmac [ 5533s] + /usr/lib/rpm/pesign/gen-hmac -r /home/abuild/rpmbuild/BUILDROOT/ kernel-default-5.6.2-2.3.x86_64 /boot/vmlinuz-5.6.2-2-default [ 5533s] + certs=() [ 5533s] + test y = y [ 5533s] + for f in /home/abuild/rpmbuild/SOURCES/*.crt [ 5533s] + test -s '/home/abuild/rpmbuild/SOURCES/*.crt' [ 5533s] + continue [ 6084s] calling /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux [ 6084s] xz /home/abuild/rpmbuild/BUILDROOT/kernel-default-5.6.2-2.3.x86_64/ boot/vmlinux-5.6.2-2-default [ 6115s] calling /usr/lib/rpm/brp-suse.d/brp-99-pesign [ 6116s] No buildservice signing certificate [ 6116s] Creating /home/abuild/rpmbuild/OTHER/kernel-default.cpio.rsasign [ 7459s] build: extracting built packages... [ 7476s] RPMS/x86_64/kernel-default-devel-5.6.2-2.3.x86_64.rpm [ 7476s] RPMS/x86_64/kernel-default-livepatch-devel-5.6.2-2.3.x86_64.rpm [ 7476s] RPMS/x86_64/kernel-default-debuginfo-5.6.2-2.3.x86_64.rpm [ 7476s] RPMS/x86_64/kernel-default-devel-debuginfo-5.6.2-2.3.x86_64.rpm [ 7476s] RPMS/x86_64/kernel-default-debugsource-5.6.2-2.3.x86_64.rpm [ 7476s] RPMS/x86_64/kernel-default-5.6.2-2.3.x86_64.rpm [ 7476s] SRPMS/kernel-default-5.6.2-2.3.nosrc.rpm [ 7476s] OTHER/kernel-default.cpio.rsasign [ 7476s] OTHER/rpmlint.log [ 7476s] OTHER/make-stderr.log [ 7476s] OTHER/pesign-repackage.spec [ 7476s] OTHER/_statistics [ 7476s] OTHER/kernel-source.rpmlintrc Need an RSA key for openssl signing, please create a new key Hmm, what's wrong with: gpg2 --homedir /srv/obs/gnupg --list-keys /srv/obs/gnupg/pubring.kbx -------------------------- pub rsa2048 2020-04-08 [SC] [expires: 2030-04-06] 5CA8A94E1B707B8D20D762417EE02744756FF7C9 uid [ultimate] Hans-Peter Jansen (LISA-OBS) <hp@lisa-gmbh.de> sub rsa2048 2020-04-08 [E] [expires: 2030-04-06] sub dsa2048 2020-04-08 [S] [expires: 2030-04-06] sub elg2048 2020-04-08 [E] [expires: 2030-04-06] I've noted a deviation to the default generated key, that reads: pub rsa2048 2020-04-08 [SCEA] or just some openssl vs. gpg2 impedance mismatch? Any kind soul out there, who could shed some light into this dark corner? Thanks in advance, Pete -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org