From: Nicolas Schier <nsc@kernel.org>
To: Holger Kiehl <Holger.Kiehl@dwd.de>
Cc: linux-kernel <linux-kernel@vger.kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
linux-kbuild@vger.kernel.org,
Uday Shankar <ushankar@purestorage.com>
Subject: Re: Since 6.18.x make binrpm-pkg does not sign modules
Date: Sat, 10 Jan 2026 22:34:24 +0100
Message-ID: <aWLF4BwQemwIZMMp@levanger>
In-Reply-To: <71bc53a4-9b54-c15a-96e-23fb338ac71@praktifix.dwd.de>

On Sat, Jan 10, 2026 at 12:43:26PM +0100, Holger Kiehl wrote:
> On Fri, 9 Jan 2026, Nicolas Schier wrote:
>
> > On Fri, Jan 09, 2026 at 03:04:33PM +0100, Holger Kiehl wrote:
> > > Hello,
> > >
> > > when building kernel with 'make binrpm-pkg' the modules in the
> > > /lib/modules directory of the rpm package are no longer signed
> > > although one sees the following during the build process:
> > >
> > > .
> > > .
> > > INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> > > .
> > > .
> > > SIGN /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> >
> > thanks for your report; well, that's interesting. The module signed
> > during the package build preparations ("SIGN .../rpmbuild/BUILD/...")
> > is significantly larger than the one in the build tree (as expected, as
> > the latter is unsigned); but the one that lands in the rpm package is
> > _smaller_ than the module in the build tree.
> >
> Reading the comment in scripts/package/kernel.spec
>
> # later, we make all modules executable so that find-debuginfo.sh strips
> # them up. but they don't actually need to be executable, so remove the
> # executable bit, taking care to do it _after_ find-debuginfo.sh has run
>
> I would think that find-debuginfo.sh also strips the signature of the
> modules.

As the signature is just appended and not part of the actual ELF file,
that makes sense -- and the signature would have become invalid due to the
stripping.

> As a quick test I replaced scripts/package/kernel.spec and
> scripts/package/mkspec in the 6.18.4 tree with those from 6.12.64 and
> then did a 'make binrpm-pkg'. Then the signatures of the modules in
> the rpm package are not removed.

Thanks for the further debugging!

>
> Looking back, it looks like this change was introduced with 6.15-rc1:
>
> https://github.com/torvalds/linux/commit/a7c699d090a1f3795c3271c2b399230e182db06e
> or
> https://lkml.org/lkml/2025/3/31/1313
>
> The module signatures are needed if you run the kernel in lockdown mode.
> The kernel refuses to load unsigned modules.

Sure, signed modules should be supported by *rpm-pkg targets.

A simple solution might be to call the modules_sign target after the
find-debuginfo.sh run; but commit 16c36f8864e3 sounds to me as if we
should rather do something similar as for the Debian packages:
modules_install with INSTALL_MOD_STRIP=1 and then install only the debug
infos manually.

Does that make sense?

Kind regards
Nicolas
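
Added example, not part of the original message or of the kernel tree: a presence check for the appended signature discussed above, usable on a directory of modules extracted from the built rpm. It assumes the trailer layout from include/linux/module_signature.h and uncompressed *.ko files; the function names and the sample input are constructed for illustration, and the PKCS#7 data is not verified against any key.

```python
import pathlib
import struct
import sys

# Layout per include/linux/module_signature.h: <ELF><signature><info><magic>
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len (big-endian)
INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2

def signature_info(blob):
    """Return (elf_len, sig_len) when blob ends in a well-formed appended
    signature trailer, else None. Presence check only: the signature data
    is not verified against any key."""
    if not blob.endswith(MAGIC):
        return None
    info_end = len(blob) - len(MAGIC)
    if info_end < INFO.size:
        return None
    algo, hash_, id_type, signer_len, key_id_len, sig_len = INFO.unpack_from(
        blob, info_end - INFO.size)
    elf_len = info_end - INFO.size - sig_len
    if sig_len == 0 or elf_len <= 0:
        return None
    if id_type != PKEY_ID_PKCS7 or any((algo, hash_, signer_len, key_id_len)):
        return None
    return elf_len, sig_len

def unsigned_modules(root):
    """Relative paths of uncompressed *.ko files under root with no trailer."""
    root = pathlib.Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.ko")
                  if signature_info(p.read_bytes()) is None)

def make_sample(signed):
    """Constructed test input: a 64-byte placeholder 'ELF' plus, optionally,
    a 256-byte dummy signature and trailer. Not a loadable module."""
    elf = b"\x7fELF" + bytes(60)
    if not signed:
        return elf
    sig = b"\x30" * 256
    return elf + sig + INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC

if __name__ == "__main__":
    missing = unsigned_modules(sys.argv[1])  # e.g. an extracted lib/modules tree
    for rel in missing:
        print("UNSIGNED", rel)
    sys.exit(1 if missing else 0)
```

Run as a post-build gate, a non-zero exit status means at least one packaged module lost its trailer and would be refused by a kernel that enforces module signatures.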