public inbox for linux-kernel@vger.kernel.org
* Since 6.18.x make binrpm-pkg does not sign modules
@ 2026-01-09 14:04 Holger Kiehl
  2026-01-09 21:06 ` Nicolas Schier
  0 siblings, 1 reply; 8+ messages in thread
From: Holger Kiehl @ 2026-01-09 14:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Nathan Chancellor, Nicolas Schier, linux-kbuild

Hello,

when building kernel with 'make binrpm-pkg' the modules in the
/lib/modules directory of the rpm package are no longer signed
although one sees the following during the build process:

   .
   .
   INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
   .
   .
   SIGN    /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
   .
   .

But when installing this RPM and checking it, it says:

   # modinfo /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
   filename:       /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
   alias:          net-pf-42
   license:        GPL v2
   description:    Qualcomm IPC-router driver
   license:        Dual BSD/GPL
   description:    Qualcomm IPC Router Nameservice
   author:         Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
   srcversion:     473C5AB47E04ECEA0106681
   depends:        
   intree:         Y
   name:           qrtr
   retpoline:      Y
   vermagic:       6.18.4 SMP preempt mod_unload modversions

This happens (no signature) with all modules, qrtr.ko was just taken
as an example.

Building the kernel via 'make && make modules_install && make install'
the modules then do have a signature. Also with kernel 6.12.x the
modules are signed when building with 'make binrpm-pkg'.

Config looks as follows:

   # grep CONFIG_MODULE_ .config
   CONFIG_MODULE_SIG_FORMAT=y
   CONFIG_MODULE_DEBUGFS=y
   # CONFIG_MODULE_DEBUG is not set
   # CONFIG_MODULE_FORCE_LOAD is not set
   CONFIG_MODULE_UNLOAD=y
   # CONFIG_MODULE_FORCE_UNLOAD is not set
   CONFIG_MODULE_UNLOAD_TAINT_TRACKING=y
   CONFIG_MODULE_SRCVERSION_ALL=y
   CONFIG_MODULE_SIG=y
   # CONFIG_MODULE_SIG_FORCE is not set
   CONFIG_MODULE_SIG_ALL=y
   # CONFIG_MODULE_SIG_SHA1 is not set
   # CONFIG_MODULE_SIG_SHA256 is not set
   # CONFIG_MODULE_SIG_SHA384 is not set
   CONFIG_MODULE_SIG_SHA512=y
   # CONFIG_MODULE_SIG_SHA3_256 is not set
   # CONFIG_MODULE_SIG_SHA3_384 is not set
   # CONFIG_MODULE_SIG_SHA3_512 is not set
   CONFIG_MODULE_SIG_HASH="sha512"
   # CONFIG_MODULE_COMPRESS is not set
   # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
   CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
   CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
   # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set

What am I missing?

Regards,
Holger


* Re: Since 6.18.x make binrpm-pkg does not sign modules
  2026-01-09 14:04 Since 6.18.x make binrpm-pkg does not sign modules Holger Kiehl
@ 2026-01-09 21:06 ` Nicolas Schier
  2026-01-10 11:43   ` Holger Kiehl
  0 siblings, 1 reply; 8+ messages in thread
From: Nicolas Schier @ 2026-01-09 21:06 UTC (permalink / raw)
  To: Holger Kiehl; +Cc: linux-kernel, Nathan Chancellor, linux-kbuild

On Fri, Jan 09, 2026 at 03:04:33PM +0100, Holger Kiehl wrote:
> Hello,
> 
> when building kernel with 'make binrpm-pkg' the modules in the
> /lib/modules directory of the rpm package are no longer signed
> although one sees the following during the build process:
> 
>    .
>    .
>    INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>    .
>    .
>    SIGN    /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko

thanks for your report; well, that's interesting.  The module signed
during the package build preparations ("SIGN    .../rpmbuild/BUILD/...")
is significantly larger than the one in the build tree (as expected, as
the latter is unsigned); but the one that lands in the rpm package is
_smaller_ than the module in the build tree.

My experience with rpmbuild is limited, I need more time for
investigation.

Nathan, do you have more insights on the rpm build process?

Kind regards,
Nicolas



>    .
>    .
> 
> But when installing this RPM and checking it, it says:
> 
>    # modinfo /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>    filename:       /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
>    alias:          net-pf-42
>    license:        GPL v2
>    description:    Qualcomm IPC-router driver
>    license:        Dual BSD/GPL
>    description:    Qualcomm IPC Router Nameservice
>    author:         Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
>    srcversion:     473C5AB47E04ECEA0106681
>    depends:        
>    intree:         Y
>    name:           qrtr
>    retpoline:      Y
>    vermagic:       6.18.4 SMP preempt mod_unload modversions
> 
> This happens (no signature) with all modules, qrtr.ko was just taken
> as an example.
> 
> Building the kernel via 'make && make modules_install && make install'
> the modules then do have a signature. Also with kernel 6.12.x the
> modules are signed when building with 'make binrpm-pkg'.
> 
> Config looks as follows:
> 
>    # grep CONFIG_MODULE_ .config
>    CONFIG_MODULE_SIG_FORMAT=y
>    CONFIG_MODULE_DEBUGFS=y
>    # CONFIG_MODULE_DEBUG is not set
>    # CONFIG_MODULE_FORCE_LOAD is not set
>    CONFIG_MODULE_UNLOAD=y
>    # CONFIG_MODULE_FORCE_UNLOAD is not set
>    CONFIG_MODULE_UNLOAD_TAINT_TRACKING=y
>    CONFIG_MODULE_SRCVERSION_ALL=y
>    CONFIG_MODULE_SIG=y
>    # CONFIG_MODULE_SIG_FORCE is not set
>    CONFIG_MODULE_SIG_ALL=y
>    # CONFIG_MODULE_SIG_SHA1 is not set
>    # CONFIG_MODULE_SIG_SHA256 is not set
>    # CONFIG_MODULE_SIG_SHA384 is not set
>    CONFIG_MODULE_SIG_SHA512=y
>    # CONFIG_MODULE_SIG_SHA3_256 is not set
>    # CONFIG_MODULE_SIG_SHA3_384 is not set
>    # CONFIG_MODULE_SIG_SHA3_512 is not set
>    CONFIG_MODULE_SIG_HASH="sha512"
>    # CONFIG_MODULE_COMPRESS is not set
>    # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
>    CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
>    CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
>    # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
> 
> What am I missing?
> 
> Regards,
> Holger

-- 
Nicolas


* Re: Since 6.18.x make binrpm-pkg does not sign modules
  2026-01-09 21:06 ` Nicolas Schier
@ 2026-01-10 11:43   ` Holger Kiehl
  2026-01-10 21:34     ` Nicolas Schier
  0 siblings, 1 reply; 8+ messages in thread
From: Holger Kiehl @ 2026-01-10 11:43 UTC (permalink / raw)
  To: Nicolas Schier
  Cc: linux-kernel, Nathan Chancellor, linux-kbuild, Uday Shankar

On Fri, 9 Jan 2026, Nicolas Schier wrote:

> On Fri, Jan 09, 2026 at 03:04:33PM +0100, Holger Kiehl wrote:
> > Hello,
> > 
> > when building kernel with 'make binrpm-pkg' the modules in the
> > /lib/modules directory of the rpm package are no longer signed
> > although one sees the following during the build process:
> > 
> >    .
> >    .
> >    INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> >    .
> >    .
> >    SIGN    /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> 
> thanks for your report; well, that's interesting.  The module signed
> during the package build preparations ("SIGN    .../rpmbuild/BUILD/...")
> is significantly larger than the one in the build tree (as expected, as
> the latter is unsigned); but the one that lands in the rpm package is
> _smaller_ than the module in the build tree.
> 
Reading the comment in scripts/package/kernel.spec

   # later, we make all modules executable so that find-debuginfo.sh strips
   # them up. but they don't actually need to be executable, so remove the
   # executable bit, taking care to do it _after_ find-debuginfo.sh has run

I would think that find-debuginfo.sh also strips the signature of the
modules. As a quick test I replaced scripts/package/kernel.spec and
scripts/package/mkspec in the 6.18.4 tree with those from 6.12.64 and
then did a 'make binrpm-pkg'. Then the signatures of the modules in
the rpm package are not removed.

Looking back, it looks like this change was introduced with 6.15-rc1:

https://github.com/torvalds/linux/commit/a7c699d090a1f3795c3271c2b399230e182db06e
   or
https://lkml.org/lkml/2025/3/31/1313

The module signatures are needed if you run the kernel in lockdown mode.
The kernel refuses to load unsigned modules.

Regards,
Holger

> My experience with rpmbuild is limited, I need more time for
> investigation.
> 
> Nathan, do you have more insights on the rpm build process?
> 
> Kind regards,
> Nicolas
> 
> 
> 
> >    .
> >    .
> > 
> > But when installing this RPM and checking it, it says:
> > 
> >    # modinfo /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> >    filename:       /lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> >    alias:          net-pf-42
> >    license:        GPL v2
> >    description:    Qualcomm IPC-router driver
> >    license:        Dual BSD/GPL
> >    description:    Qualcomm IPC Router Nameservice
> >    author:         Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
> >    srcversion:     473C5AB47E04ECEA0106681
> >    depends:        
> >    intree:         Y
> >    name:           qrtr
> >    retpoline:      Y
> >    vermagic:       6.18.4 SMP preempt mod_unload modversions
> > 
> > This happens (no signature) with all modules, qrtr.ko was just taken
> > as an example.
> > 
> > Building the kernel via 'make && make modules_install && make install'
> > the modules then do have a signature. Also with kernel 6.12.x the
> > modules are signed when building with 'make binrpm-pkg'.
> > 
> > Config looks as follows:
> > 
> >    # grep CONFIG_MODULE_ .config
> >    CONFIG_MODULE_SIG_FORMAT=y
> >    CONFIG_MODULE_DEBUGFS=y
> >    # CONFIG_MODULE_DEBUG is not set
> >    # CONFIG_MODULE_FORCE_LOAD is not set
> >    CONFIG_MODULE_UNLOAD=y
> >    # CONFIG_MODULE_FORCE_UNLOAD is not set
> >    CONFIG_MODULE_UNLOAD_TAINT_TRACKING=y
> >    CONFIG_MODULE_SRCVERSION_ALL=y
> >    CONFIG_MODULE_SIG=y
> >    # CONFIG_MODULE_SIG_FORCE is not set
> >    CONFIG_MODULE_SIG_ALL=y
> >    # CONFIG_MODULE_SIG_SHA1 is not set
> >    # CONFIG_MODULE_SIG_SHA256 is not set
> >    # CONFIG_MODULE_SIG_SHA384 is not set
> >    CONFIG_MODULE_SIG_SHA512=y
> >    # CONFIG_MODULE_SIG_SHA3_256 is not set
> >    # CONFIG_MODULE_SIG_SHA3_384 is not set
> >    # CONFIG_MODULE_SIG_SHA3_512 is not set
> >    CONFIG_MODULE_SIG_HASH="sha512"
> >    # CONFIG_MODULE_COMPRESS is not set
> >    # CONFIG_MODULE_ALLOW_MISSING_NAMESPACE_IMPORTS is not set
> >    CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
> >    CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
> >    # CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
> > 
> > What am I missing?
> > 
> > Regards,
> > Holger
> 
> -- 
> Nicolas
> 


* Re: Since 6.18.x make binrpm-pkg does not sign modules
  2026-01-10 11:43   ` Holger Kiehl
@ 2026-01-10 21:34     ` Nicolas Schier
  2026-01-11 17:41       ` Holger Kiehl
  0 siblings, 1 reply; 8+ messages in thread
From: Nicolas Schier @ 2026-01-10 21:34 UTC (permalink / raw)
  To: Holger Kiehl; +Cc: linux-kernel, Nathan Chancellor, linux-kbuild, Uday Shankar

On Sat, Jan 10, 2026 at 12:43:26PM +0100, Holger Kiehl wrote:
> On Fri, 9 Jan 2026, Nicolas Schier wrote:
> 
> > On Fri, Jan 09, 2026 at 03:04:33PM +0100, Holger Kiehl wrote:
> > > Hello,
> > > 
> > > when building kernel with 'make binrpm-pkg' the modules in the
> > > /lib/modules directory of the rpm package are no longer signed
> > > although one sees the following during the build process:
> > > 
> > >    .
> > >    .
> > >    INSTALL /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> > >    .
> > >    .
> > >    SIGN    /usr/src/kernels/linux-6.18.4/rpmbuild/BUILD/kernel-6.18.4-build/BUILDROOT/lib/modules/6.18.4/kernel/net/qrtr/qrtr.ko
> > 
> > thanks for your report; well, that's interesting.  The module signed
> > during the package build preparations ("SIGN    .../rpmbuild/BUILD/...")
> > is significantly larger than the one in the build tree (as expected, as
> > the latter is unsigned); but the one that lands in the rpm package is
> > _smaller_ than the module in the build tree.
> > 
> Reading the comment in scripts/package/kernel.spec
> 
>    # later, we make all modules executable so that find-debuginfo.sh strips
>    # them up. but they don't actually need to be executable, so remove the
>    # executable bit, taking care to do it _after_ find-debuginfo.sh has run
> 
> I would think that find-debuginfo.sh also strips the signature of the
> modules.

As the signature is just appended and not part of the actual ELF file,
that makes sense -- and the signature would have become invalid due to the
stripping.

> As a quick test I replaced scripts/package/kernel.spec and
> scripts/package/mkspec in the 6.18.4 tree with those from 6.12.64 and
> then did a 'make binrpm-pkg'. Then the signatures of the modules in
> the rpm package are not removed.

Thanks for the further debugging!
> 
> Looking back, it looks like this change was introduced with 6.15-rc1:
> 
> https://github.com/torvalds/linux/commit/a7c699d090a1f3795c3271c2b399230e182db06e
>    or
> https://lkml.org/lkml/2025/3/31/1313
> 
> The module signatures are needed if you run the kernel in lockdown mode.
> The kernel refuses to load unsigned modules.

Sure, signed modules should be supported by *rpm-pkg targets.

A simple solution might be to call modules_sign target after the
find-debuginfo.sh run; but commit 16c36f8864e3 sounds to me as if we
should rather do something similar as for the Debian packages:
modules_install with INSTALL_MOD_STRIP=1 and then install only the debug
infos manually.

Does that make sense?

Kind regards
Nicolas
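
As an added example (not part of the thread or of the kernel tree): a structural check for the appended signature described above, which can be pointed at an unpacked RPM payload or an installed /lib/modules tree. The trailer layout follows the kernel's struct module_signature; the helper names and the sample tree are constructed for illustration.

```python
"""Added example: detect kernel modules that lost their appended signature."""
import struct
import tempfile
from pathlib import Path

MAGIC = b"~Module signature appended~\n"  # marker at the very end of a signed module
TRAILER = struct.Struct(">BBBBB3sI")       # struct module_signature, 12 bytes, sig_len big-endian
PKEY_ID_PKCS7 = 2                          # the only id_type the module loader accepts


def signature_info(path: Path):
    """Return {'elf_len', 'sig_len'} for a module with a well-formed trailer, else None.

    Structural check only: the PKCS#7 blob is not verified against any key.
    """
    size = path.stat().st_size
    tail_len = TRAILER.size + len(MAGIC)
    if size < tail_len:
        return None
    with path.open("rb") as fh:
        fh.seek(size - tail_len)
        tail = fh.read(tail_len)
    if not tail.endswith(MAGIC):
        return None
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = TRAILER.unpack(
        tail[:TRAILER.size])
    # For PKCS#7 signatures every field except id_type and sig_len is zero.
    if id_type != PKEY_ID_PKCS7 or any((algo, hash_, signer_len, key_id_len)):
        return None
    if pad != b"\0\0\0":
        return None
    elf_len = size - tail_len - sig_len
    if sig_len == 0 or elf_len <= 0:
        return None  # claimed signature length does not fit in the file
    return {"elf_len": elf_len, "sig_len": sig_len}


def unsigned_modules(root: Path):
    """List *.ko files under root (relative paths) that carry no valid trailer.

    Compressed modules (.ko.xz, .ko.zst, ...) are not matched: their signature
    sits inside the compressed stream and needs decompression first.
    """
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.ko")
                  if p.is_file() and signature_info(p) is None)


def build_constructed_tree(root: Path):
    """Write two constructed fake modules: one signed, one as it looks after strip."""
    elf = b"\x7fELF" + bytes(200)   # stand-in for the ELF image
    sig = bytes(range(64))          # stand-in for the PKCS#7 blob
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(sig))
    moddir = root / "lib/modules/0.0.0-example/kernel/net"
    moddir.mkdir(parents=True)
    (moddir / "signed.ko").write_bytes(elf + sig + trailer + MAGIC)
    # A tool that rewrites the ELF knows nothing about the trailing bytes,
    # so signature, trailer and marker are all gone afterwards.
    (moddir / "stripped.ko").write_bytes(elf[:150])
    return moddir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(Path(tmp))
        missing = unsigned_modules(Path(tmp))
        print("unsigned:", missing)
        raise SystemExit(1 if missing else 0)
```

Run as a post-build gate, a non-empty result from unsigned_modules() on the package payload would have caught the regression before the RPM was installed on a system that enforces module signatures.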



* Re: Since 6.18.x make binrpm-pkg does not sign modules
  2026-01-10 21:34     ` Nicolas Schier
@ 2026-01-11 17:41       ` Holger Kiehl
  2026-01-15  8:30         ` Nicolas Schier
  2026-01-20  0:04         ` Nathan Chancellor
  0 siblings, 2 replies; 8+ messages in thread
From: Holger Kiehl @ 2026-01-11 17:41 UTC (permalink / raw)
  To: Nicolas Schier
  Cc: linux-kernel, Nathan Chancellor, linux-kbuild, Uday Shankar

On Sat, 10 Jan 2026, Nicolas Schier wrote:

> A simple solution might be to call modules_sign target after the
> find-debuginfo.sh run; but commit 16c36f8864e3 sounds to me as if we
> should rather do something similar as for the Debian packages:
> modules_install with INSTALL_MOD_STRIP=1 and then install only the debug
> infos manually.
> 
> Does that make sense?
> 
I am not a kernel developer and my knowledge in this area is very
limited. Did try your suggestion to call modules_install with
INSTALL_MOD_STRIP=1, but still the signature was removed in the
RPM. Removing the 'chmod u+x', so find-debuginfo.sh does not strip
them, did not help either. But, most properly, I am still missing
something.

Kind regards,
Holger


* Re: Since 6.18.x make binrpm-pkg does not sign modules
  2026-01-11 17:41       ` Holger Kiehl
@ 2026-01-15  8:30         ` Nicolas Schier
  2026-01-20  0:04         ` Nathan Chancellor
  1 sibling, 0 replies; 8+ messages in thread
From: Nicolas Schier @ 2026-01-15  8:30 UTC (permalink / raw)
  To: Holger Kiehl; +Cc: linux-kernel, Nathan Chancellor, linux-kbuild, Uday Shankar

On Sun, Jan 11, 2026 at 06:41:39PM +0100, Holger Kiehl wrote:
> On Sat, 10 Jan 2026, Nicolas Schier wrote:
> 
> > A simple solution might be to call modules_sign target after the
> > find-debuginfo.sh run; but commit 16c36f8864e3 sounds to me as if we
> > should rather do something similar as for the Debian packages:
> > modules_install with INSTALL_MOD_STRIP=1 and then install only the debug
> > infos manually.
> > 
> > Does that make sense?
> > 
> I am not a kernel developer and my knowledge in this area is very
> limited. Did try your suggestion to call modules_install with
> INSTALL_MOD_STRIP=1, but still the signature was removed in the
> RPM. Removing the 'chmod u+x', so find-debuginfo.sh does not strip
> them, did not help either. But, most properly, I am still missing
> something.

I am going to have a closer look at that, but that will take time.

A possible work-around might be to enable CONFIG_MODULE_COMPRESS and
CONFIG_MODULE_COMPRESS_ALL, which prevents find-debuginfo.sh from
stripping (but you won't get debug modules, either).

Kind regards,
Nicolas


* Re: Since 6.18.x make binrpm-pkg does not sign modules
  2026-01-11 17:41       ` Holger Kiehl
  2026-01-15  8:30         ` Nicolas Schier
@ 2026-01-20  0:04         ` Nathan Chancellor
  2026-01-20 23:21           ` Holger Kiehl
  1 sibling, 1 reply; 8+ messages in thread
From: Nathan Chancellor @ 2026-01-20  0:04 UTC (permalink / raw)
  To: Holger Kiehl; +Cc: Nicolas Schier, linux-kernel, linux-kbuild, Uday Shankar

On Sun, Jan 11, 2026 at 06:41:39PM +0100, Holger Kiehl wrote:
> On Sat, 10 Jan 2026, Nicolas Schier wrote:
> 
> > A simple solution might be to call modules_sign target after the
> > find-debuginfo.sh run; but commit 16c36f8864e3 sounds to me as if we
> > should rather do something similar as for the Debian packages:
> > modules_install with INSTALL_MOD_STRIP=1 and then install only the debug
> > infos manually.
> > 
> > Does that make sense?
> > 
> I am not a kernel developer and my knowledge in this area is very
> limited. Did try your suggestion to call modules_install with
> INSTALL_MOD_STRIP=1, but still the signature was removed in the
> RPM. Removing the 'chmod u+x', so find-debuginfo.sh does not strip
> them, did not help either. But, most properly, I am still missing
> something.

I think one of the items added to __spec_install_post by commit
a7c699d090a1 ("kbuild: rpm-pkg: build a debuginfo RPM") ends up
stripping the modules unconditionally, not just when the debuginfo
package is built, as this reproduces for me with your configuration
snippet from upthread and x86_64_defconfig, which does not have debug
information enabled.

I emulated commit 16c36f8864e3 ("kbuild: deb-pkg: use build ID instead
of debug link for dbg package") for rpm-pkg, which appears to result in
a functionally equivalent standalone debuginfo package (but I did not
actually test) while fixing module signing for me. Could you give it a
test?

diff --git a/scripts/package/kernel.spec b/scripts/package/kernel.spec
index 98f206cb7c60..0f1c8de1bd95 100644
--- a/scripts/package/kernel.spec
+++ b/scripts/package/kernel.spec
@@ -2,6 +2,8 @@
 %{!?_arch: %define _arch dummy}
 %{!?make: %define make make}
 %define makeflags %{?_smp_mflags} ARCH=%{ARCH}
+%define __spec_install_post /usr/lib/rpm/brp-compress || :
+%define debug_package %{nil}
 
 Name: kernel
 Summary: The Linux Kernel
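
Review bot: The new '%define __spec_install_post /usr/lib/rpm/brp-compress || :' at the top of the spec hard-codes one helper path and replaces the whole post-install chain, so the '%{__arch_install_post}' and '%{__os_install_post}' steps that the old definition (removed further down in this patch) still ran are dropped without a word, and '|| :' hides a missing or failing brp-compress. Please add a short comment stating that this is deliberate and why, and do the same for the now unconditional '%define debug_package %{nil}' on the next line.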
@@ -46,34 +48,12 @@ against the %{version} kernel package.
 %endif
 
 %if %{with_debuginfo}
-# list of debuginfo-related options taken from distribution kernel.spec
-# files
-%undefine _include_minidebuginfo
-%undefine _find_debuginfo_dwz_opts
-%undefine _unique_build_ids
-%undefine _unique_debug_names
-%undefine _unique_debug_srcs
-%undefine _debugsource_packages
-%undefine _debuginfo_subpackages
-%global _find_debuginfo_opts -r
-%global _missing_build_ids_terminate_build 1
-%global _no_recompute_build_ids 1
-%{debug_package}
+%package debuginfo
+Summary: Debug information package for the Linux kernel
+%description debuginfo
+This package provides debug information for the kernel image and modules from the
+%{version} package.
 %endif
-# some (but not all) versions of rpmbuild emit %%debug_package with
-# %%install. since we've already emitted it manually, that would cause
-# a package redefinition error. ensure that doesn't happen
-%define debug_package %{nil}
-
-# later, we make all modules executable so that find-debuginfo.sh strips
-# them up. but they don't actually need to be executable, so remove the
-# executable bit, taking care to do it _after_ find-debuginfo.sh has run
-%define __spec_install_post \
-	%{?__debug_package:%{__debug_install_post}} \
-	%{__arch_install_post} \
-	%{__os_install_post} \
-	find %{buildroot}/lib/modules/%{KERNELRELEASE} -name "*.ko" -type f \\\
-		| xargs --no-run-if-empty chmod u-x
 
 %prep
 %setup -q -n linux
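
Review bot: The hand-written '%package debuginfo' in the '%if %{with_debuginfo}' block carries no comment explaining why '%{debug_package}' is no longer used, while the removed lines documented their rationale. Note also that '%global _missing_build_ids_terminate_build 1' is removed here although the new '%install' code later in this patch names its links after the Build ID, so a module without a build ID no longer terminates the build; an explicit check or a comment would be good. The '%description' text line runs past 80 columns.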
@@ -87,7 +67,7 @@ patch -p1 < %{SOURCE2}
 mkdir -p %{buildroot}/lib/modules/%{KERNELRELEASE}
 cp $(%{make} %{makeflags} -s image_name) %{buildroot}/lib/modules/%{KERNELRELEASE}/vmlinuz
 # DEPMOD=true makes depmod no-op. We do not package depmod-generated files.
-%{make} %{makeflags} INSTALL_MOD_PATH=%{buildroot} DEPMOD=true modules_install
+%{make} %{makeflags} INSTALL_MOD_PATH=%{buildroot} INSTALL_MOD_STRIP=1 DEPMOD=true modules_install
 %{make} %{makeflags} INSTALL_HDR_PATH=%{buildroot}/usr headers_install
 cp System.map %{buildroot}/lib/modules/%{KERNELRELEASE}
 cp .config %{buildroot}/lib/modules/%{KERNELRELEASE}/config
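
Review bot: 'INSTALL_MOD_STRIP=1' on the 'modules_install' line is passed whether or not '%{with_debuginfo}' is set, so every build now ships stripped modules even when no debuginfo package is produced. If that is intended, extend the comment above the line (it only explains 'DEPMOD=true') to say so and to record that stripping is done at this step instead of by rpm's post-install scripts.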
@@ -118,22 +98,31 @@ ln -fns /usr/src/kernels/%{KERNELRELEASE} %{buildroot}/lib/modules/%{KERNELRELEA
 	echo "%exclude /lib/modules/%{KERNELRELEASE}/build"
 } > %{buildroot}/kernel.list
 
-# make modules executable so that find-debuginfo.sh strips them. this
-# will be undone later in %%__spec_install_post
-find %{buildroot}/lib/modules/%{KERNELRELEASE} -name "*.ko" -type f \
-	| xargs --no-run-if-empty chmod u+x
-
 %if %{with_debuginfo}
 # copying vmlinux directly to the debug directory means it will not get
 # stripped (but its source paths will still be collected + fixed up)
 mkdir -p %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE}
 cp vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE}
+
+echo /usr/lib/debug/lib/modules/%{KERNELRELEASE}/vmlinux > %{buildroot}/debuginfo.list
+
+while read -r mod; do
+	mod="${mod%.o}.ko"
+	dbg="%{buildroot}/usr/lib/debug/lib/modules/%{KERNELRELEASE}/kernel/${mod}"
+	buildid=$("${READELF}" -n "${mod}" | sed -n 's@^.*Build ID: \(..\)\(.*\)@\1/\2@p')
+	link="%{buildroot}/usr/lib/debug/.build-id/${buildid}.debug"
+
+	mkdir -p "${dbg%/*}" "${link%/*}"
+	"${OBJCOPY}" --only-keep-debug "${mod}" "${dbg}"
+	ln -sf --relative "${dbg}" "${link}"
+
+	echo "${dbg#%{buildroot}}" >> %{buildroot}/debuginfo.list
+	echo "${link#%{buildroot}}" >> %{buildroot}/debuginfo.list
+done < modules.order
 %endif
 
 %clean
 rm -rf %{buildroot}
-rm -f debugfiles.list debuglinks.list debugsourcefiles.list debugsources.list \
-	elfbins.list
 
 %post
 if [ -x /usr/bin/kernel-install ]; then
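
Review bot: In the 'while read -r mod' loop, 'buildid' is used without checking that it is non-empty: if the readelf output has no 'Build ID:' line, 'link' becomes '.../.build-id/.debug' and every such module overwrites the same symlink through 'ln -sf'. Suggest failing or skipping when 'buildid' is empty. The loop also depends on '${READELF}' and '${OBJCOPY}' being present in the rpmbuild environment, which nothing in the visible part of the spec sets; a default such as '${READELF:-readelf}' or a comment naming where they come from would make that dependency explicit.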
@@ -172,3 +161,9 @@ fi
 /usr/src/kernels/%{KERNELRELEASE}
 /lib/modules/%{KERNELRELEASE}/build
 %endif
+
+%if %{with_debuginfo}
+%files -f %{buildroot}/debuginfo.list debuginfo
+%defattr (-, root, root)
+%exclude /debuginfo.list
+%endif
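
Review bot: 'debuginfo.list' as written in '%install' contains only file paths (vmlinux, each module debug file and each build-id link), so with '%files -f %{buildroot}/debuginfo.list debuginfo' the directories created by 'mkdir -p' under '/usr/lib/debug' are not owned by the debuginfo package. Consider adding '%dir' entries for them to the list or to this '%files' section.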


* Re: Since 6.18.x make binrpm-pkg does not sign modules
  2026-01-20  0:04         ` Nathan Chancellor
@ 2026-01-20 23:21           ` Holger Kiehl
  0 siblings, 0 replies; 8+ messages in thread
From: Holger Kiehl @ 2026-01-20 23:21 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Nicolas Schier, linux-kernel, linux-kbuild, Uday Shankar

On Mon, 19 Jan 2026, Nathan Chancellor wrote:

> On Sun, Jan 11, 2026 at 06:41:39PM +0100, Holger Kiehl wrote:
> > On Sat, 10 Jan 2026, Nicolas Schier wrote:
> > 
> > > A simple solution might be to call modules_sign target after the
> > > find-debuginfo.sh run; but commit 16c36f8864e3 sounds to me as if we
> > > should rather do something similar as for the Debian packages:
> > > modules_install with INSTALL_MOD_STRIP=1 and then install only the debug
> > > infos manually.
> > > 
> > > Does that make sense?
> > > 
> > I am not a kernel developer and my knowledge in this area is very
> > limited. Did try your suggestion to call modules_install with
> > INSTALL_MOD_STRIP=1, but still the signature was removed in the
> > RPM. Removing the 'chmod u+x', so find-debuginfo.sh does not strip
> > them, did not help either. But, most properly, I am still missing
> > something.
> 
> I think one of the items added to __spec_install_post by commit
> a7c699d090a1 ("kbuild: rpm-pkg: build a debuginfo RPM") ends up
> stripping the modules unconditionally, not just when the debuginfo
> package is built, as this reproduces for me with your configuration
> snippet from upthread and x86_64_defconfig, which does not have debug
> information enabled.
> 
> I emulated commit 16c36f8864e3 ("kbuild: deb-pkg: use build ID instead
> of debug link for dbg package") for rpm-pkg, which appears to result in
> a functionally equivalent standalone debuginfo package (but I did not
> actually test) while fixing module signing for me. Could you give it a
> test?
>
Thanks for the patch! Can confirm with the patch applied, the modules
are now signed in the rpm package. But I also did not test the debuginfo
part.

Regards,
Holger

