On Thursday, 9 April 2020, 16:41:17 CEST, Hans-Peter Jansen wrote:
Section: Signing EFI binaries/kernel modules for EFI Secure Boot and below: out of my capabilities.
and seems to be defunct as well. :|
Attempt to build kernel-default from Kernel:stable for 15.{1,2} and TW, here
are the relevant parts to pesign and co:
[ 146s] ### Now generating an X.509 key pair to be used for signing modules.
[ 146s] ###
[ 146s] ### If this takes a long time, you might wish to run rngd in the
[ 146s] ### background to keep the supply of entropy topped up. It
[ 146s] ### needs to be run as root, and uses a hardware random
[ 146s] ### number generator if one is available.
[ 146s] ###
[ 146s] Generating a RSA private key
[ 146s] ................................................................................++++
[ 146s] .......++++
[ 146s] writing new private key to 'certs/signing_key.pem'
[ 146s] -----
[ 146s] ###
[ 146s] ### Key pair generated.
[ 146s] ###
[ 146s] EXTRACT_CERTS certs/signing_key.pem
[ 146s] AS certs/system_certificates.o
[ 5533s] + cp -p arch/x86/boot/bzImage /home/abuild/rpmbuild/BUILDROOT/kernel-default-5.6.2-2.3.x86_64/boot/vmlinuz-5.6.2-2-default
[ 5533s] + image=vmlinuz
[ 5533s] + BRP_PESIGN_FILES=
[ 5533s] + BRP_PESIGN_FILES=/boot/vmlinuz-5.6.2-2-default
[ 5533s] + BRP_PESIGN_FILES='/boot/vmlinuz-5.6.2-2-default *.ko'
[ 5533s] + export BRP_PESIGN_FILES
[ 5533s] + export BRP_PESIGN_COMPRESS_MODULE=xz
[ 5533s] + BRP_PESIGN_COMPRESS_MODULE=xz
[ 5533s] + test -x /usr/lib/rpm/pesign/gen-hmac
[ 5533s] + /usr/lib/rpm/pesign/gen-hmac -r /home/abuild/rpmbuild/BUILDROOT/kernel-default-5.6.2-2.3.x86_64 /boot/vmlinuz-5.6.2-2-default
[ 5533s] + certs=()
[ 5533s] + test y = y
[ 5533s] + for f in /home/abuild/rpmbuild/SOURCES/*.crt
[ 5533s] + test -s '/home/abuild/rpmbuild/SOURCES/*.crt'
[ 5533s] + continue
[ 6084s] calling /usr/lib/rpm/brp-suse.d/brp-99-compress-vmlinux
[ 6084s] xz /home/abuild/rpmbuild/BUILDROOT/kernel-default-5.6.2-2.3.x86_64/boot/vmlinux-5.6.2-2-default
[ 6115s] calling /usr/lib/rpm/brp-suse.d/brp-99-pesign
[ 6116s] No buildservice signing certificate
[ 6116s] Creating /home/abuild/rpmbuild/OTHER/kernel-default.cpio.rsasign
[ 7459s] build: extracting built packages...
[ 7476s] RPMS/x86_64/kernel-default-devel-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-livepatch-devel-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-debuginfo-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-devel-debuginfo-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-debugsource-5.6.2-2.3.x86_64.rpm
[ 7476s] RPMS/x86_64/kernel-default-5.6.2-2.3.x86_64.rpm
[ 7476s] SRPMS/kernel-default-5.6.2-2.3.nosrc.rpm
[ 7476s] OTHER/kernel-default.cpio.rsasign
[ 7476s] OTHER/rpmlint.log
[ 7476s] OTHER/make-stderr.log
[ 7476s] OTHER/pesign-repackage.spec
[ 7476s] OTHER/_statistics
[ 7476s] OTHER/kernel-source.rpmlintrc
Need an RSA key for openssl signing, please create a new key
Hmm, what's wrong with:
gpg2 --homedir /srv/obs/gnupg --list-keys
/srv/obs/gnupg/pubring.kbx
--------------------------
pub rsa2048 2020-04-08 [SC] [expires: 2030-04-06]
5CA8A94E1B707B8D20D762417EE02744756FF7C9
uid [ultimate] Hans-Peter Jansen (LISA-OBS)