Re: Since 6.18.x make binrpm-pkg does not sign modules

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Nicolas Schier <nsc@kernel.org>
To: Holger Kiehl <Holger.Kiehl@dwd.de>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
	Nathan Chancellor <nathan@kernel.org>,
	linux-kbuild@vger.kernel.org
Subject: Re: Since 6.18.x make binrpm-pkg does not sign modules
Date: Fri, 9 Jan 2026 22:06:39 +0100	[thread overview]
Message-ID: <aWFt34dkIvlu1EYI@derry.ads.avm.de> (raw)
In-Reply-To: <68c375f6-e07e-fec-434d-6a45a4f1390@praktifix.dwd.de>

On Fri, Jan 09, 2026 at 03:04:33PM +0100, Holger Kiehl wrote:
> Hello,
> 
> when building kernel with 'make binrpm-pkg' the modules in the
> /lib/modules directory of the rpm package are no longer signed
> although one sees the following during the build process:
> 
>    .
>    .
>    INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>    .
>    .
>    SIGN    /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko

thanks for your report; well, that's interesting.  The modules signed
during the package build preparations ("SIGN    .../rpmbuild/BUILD/...")
is significantly larger than the one in the build tree (as expected, as
the latter is unsigned); but the one that lands in the rpm package is
_smaller_ than the module in the build tree.

My experience with rpmbuild is limited, I need more time for
investigation.

Nathan, do you have more insights on the rpm build process?

Kind regards,
Nicolas



>    .
>    .
> 
> But when installing this RPM and check this it says:
> 
>    # modinfo /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>    filename:       /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>    alias:          net-pf-42
>    license:        GPL v2
>    description:    Qualcomm IPC-router driver
>    license:        Dual BSD/GPL
>    description:    Qualcomm IPC Router Nameservice
>    author:         Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
>    srcversion:     473C5AB47E04ECEA0106681
>    depends:        
>    intree:         Y
>    name:           qrtr
>    retpoline:      Y
>    vermagic:       6.18.4 SMP preempt mod_unload modversions
> 
> This happens (no signature) with all modules, qrtr.ko was just taken
> as an example.
> 
> Building the kernel via 'make && make modules_install && make install'
> the modules then do have a signature. Also with kernel 6.12.x the
> modules are signed when building with 'make binrpm-pkg'.
> 
> Config looks as follows:
> 
>    # grep CONFIG_MODULE_ .config
>    CONFIG_MODULE_SIG_FORMAT=y
>    CONFIG_MODULE_DEBUGFS=y
>    # CONFIG_MODULE_DEBUG is not set
>    # CONFIG_MODULE_FORCE_LOAD is not set
>    CONFIG_MODULE_UNLOAD=y
>    # CONFIG_MODULE_FORCE_UNLOAD is not set
>    CONFIG_MODULE_UNLOAD_TAINT_TRACKING=y
>    CONFIG_MODULE_SRCVERSION_ALL=y
>    CONFIG_MODULE_SIG=y
>    # CONFIG_MODULE_SIG_FORCE is not set
>    CONFIG_MODULE_SIG_ALL=y
>    # CONFIG_MODULE_SIG_SHA1 is not set
>    # CONFIG_MODULE_SIG_SHA256 is not set
>    # CONFIG_MODULE_SIG_SHA384 is not set
>    CONFIG_MODULE_SIG_SHA512=y
>    # CONFIG_MODULE_SIG_SHA3_256 is not set
>    # CONFIG_MODULE_SIG_SHA3_384 is not set
>    # CONFIG_MODULE_SIG_SHA3_512 is not set
>    CONFIG_MODULE_SIG_HASH="sha512"
>    # CONFIG_MODULE_COMPRESS is not set
>    # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
>    CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
>    CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
>    # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
> 
> What am I missing?
> 
> Regards,
> Holger

-- 
Nicolas

next prev parent reply	other threads:[~2026-01-09 21:06 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-09 14:04 Since 6.18.x make binrpm-pkg does not sign modules Holger Kiehl
2026-01-09 21:06 ` Nicolas Schier [this message]
2026-01-10 11:43   ` Holger Kiehl
2026-01-10 21:34     ` Nicolas Schier
2026-01-11 17:41       ` Holger Kiehl
2026-01-15  8:30         ` Nicolas Schier
2026-01-20  0:04         ` Nathan Chancellor
2026-01-20 23:21           ` Holger Kiehl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aWFt34dkIvlu1EYI@derry.ads.avm.de \
    --to=nsc@kernel.org \
    --cc=Holger.Kiehl@dwd.de \
    --cc=linux-kbuild@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nathan@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox