From: Nicolas Schier <nsc@kernel.org>
To: Holger Kiehl <Holger.Kiehl@dwd.de>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
	Nathan Chancellor <nathan@kernel.org>,
	linux-kbuild@vger.kernel.org
Subject: Re: Since 6.18.x make binrpm-pkg does not sign modules
Date: Fri, 9 Jan 2026 22:06:39 +0100
Message-ID: <aWFt34dkIvlu1EYI@derry.ads.avm.de>
In-Reply-To: <68c375f6-e07e-fec-434d-6a45a4f1390@praktifix.dwd.de>

On Fri, Jan 09, 2026 at 03:04:33PM +0100, Holger Kiehl wrote:
> Hello,
> 
> when building the kernel with 'make binrpm-pkg' the modules in the
> /lib/modules directory of the rpm package are no longer signed
> although one sees the following during the build process:
> 
>    .
>    .
>    INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>    .
>    .
>    SIGN    /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko

Thanks for your report; well, that's interesting.  The module signed
during the package build preparations ("SIGN    .../rpmbuild/BUILD/...")
is significantly larger than the one in the build tree (as expected, as
the latter is unsigned); but the one that lands in the rpm package is
_smaller_ than the module in the build tree.

My experience with rpmbuild is limited; I need more time for
investigation.

Nathan, do you have more insights on the rpm build process?

Kind regards,
Nicolas



>    .
>    .
> 
> But when installing this RPM and checking this, it says:
> 
>    # modinfo /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>    filename:       /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>    alias:          net-pf-42
>    license:        GPL v2
>    description:    Qualcomm IPC-router driver
>    license:        Dual BSD/GPL
>    description:    Qualcomm IPC Router Nameservice
>    author:         Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
>    srcversion:     473C5AB47E04ECEA0106681
>    depends:        
>    intree:         Y
>    name:           qrtr
>    retpoline:      Y
>    vermagic:       6.18.4 SMP preempt mod_unload modversions
> 
> This happens (no signature) with all modules, qrtr.ko was just taken
> as an example.
> 
> Building the kernel via 'make && make modules_install && make install'
> the modules then do have a signature. Also with kernel 6.12.x the
> modules are signed when building with 'make binrpm-pkg'.
> 
> Config looks as follows:
> 
>    # grep CONFIG_MODULE_ .config
>    CONFIG_MODULE_SIG_FORMAT=y
>    CONFIG_MODULE_DEBUGFS=y
>    # CONFIG_MODULE_DEBUG is not set
>    # CONFIG_MODULE_FORCE_LOAD is not set
>    CONFIG_MODULE_UNLOAD=y
>    # CONFIG_MODULE_FORCE_UNLOAD is not set
>    CONFIG_MODULE_UNLOAD_TAINT_TRACKING=y
>    CONFIG_MODULE_SRCVERSION_ALL=y
>    CONFIG_MODULE_SIG=y
>    # CONFIG_MODULE_SIG_FORCE is not set
>    CONFIG_MODULE_SIG_ALL=y
>    # CONFIG_MODULE_SIG_SHA1 is not set
>    # CONFIG_MODULE_SIG_SHA256 is not set
>    # CONFIG_MODULE_SIG_SHA384 is not set
>    CONFIG_MODULE_SIG_SHA512=y
>    # CONFIG_MODULE_SIG_SHA3_256 is not set
>    # CONFIG_MODULE_SIG_SHA3_384 is not set
>    # CONFIG_MODULE_SIG_SHA3_512 is not set
>    CONFIG_MODULE_SIG_HASH="sha512"
>    # CONFIG_MODULE_COMPRESS is not set
>    # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
>    CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
>    CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
>    # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
> 
> What am I missing?
> 
> Regards,
> Holger

-- 
Nicolas
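
An added example, not part of the original thread: a shell check that lists modules lacking an appended signature, which is the symptom reported above. It relies on the magic string the kernel's signing step appends to a signed module; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect kernel modules that lack an appended signature.
# A signed module ends with this 28-byte magic string (marker plus newline).
MARKER='~Module signature appended~'

# is_signed FILE: succeeds if FILE ends with the signature marker.
is_signed() {
    # tr drops NUL bytes so the shell can hold binary tail data;
    # command substitution strips the marker's trailing newline.
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "$MARKER" ]
}

# list_unsigned DIR: print every *.ko under DIR without the marker.
list_unsigned() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        is_signed "$ko" || printf '%s\n' "$ko"
    done
}

# demo: constructed sample tree (fake module bodies, not real ELF files).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib/modules/test/kernel/net"
    printf 'ELFBODY\000\001SIGBYTES~Module signature appended~\n' \
        > "$d/lib/modules/test/kernel/net/signed.ko"
    printf 'ELFBODY\000\001' > "$d/lib/modules/test/kernel/net/stripped.ko"
    list_unsigned "$d" | sed "s|^$d/||"
    rm -rf "$d"
}
```

Pointing `list_unsigned` at the BUILDROOT after the SIGN step and again at the unpacked package tree shows at which stage the signature disappears.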
