On Mon, Sep 09, 2019 at 04:46:38PM +0100, Steve McIntyre wrote:
> On Mon, Sep 09, 2019 at 04:35:44PM +0100, Steve McIntyre wrote:
> >On Wed, Sep 04, 2019 at 03:47:35PM +0300, Dmitry Eremin-Solenikov wrote:
> >>Could you please provide kmodsign tool like Ubuntu package does, so that
> >>we can sign Linux kernel modules with custom keys.
> >
> >ACK, that would be a good thing to have.
> >
> >Steve - would you be happy to push the ubuntu patches up into Debian?
> >
> >Probably worth us talking to the original kmodsign authors (David
> >Howells and David Woodhouse) and the sbsigntool maintainer (James
> >Bottomley) about maybe integrating things upstream too. I'll try to
> >start a conversation there...
>
> Hmmm, hang on - it's just the "sign-file" program from the kernel
> tree, renamed as "kmodsign" for some reason. Steve: the bug at
>
> https://bugs.launchpad.net/bugs/1526959
>
> named in the patches doesn't seem all that relevant - could you
> enlighten us please? :-)

https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1579766 is a more relevant bug report. This was for signing things outside of the context of a kernel build, and Launchpad does that on a specially-secured signing service that ensures that keys are encrypted at rest and such.

If memory serves, I asked for this to be added to sbsigntool because the alternative was that we'd have to chase kernel versions: sign-file is packaged as /usr/lib/linux-kbuild-$version/scripts/sign-file in the linux-kbuild-$version package, but that's really a pretty annoying thing for a supposedly non-kernel-version-dependent service to have to depend on! dak has a similar requirement, and it seems that they've just ended up with a dependency on "linux-kbuild-5.10 | linux-kbuild-4.19" that presumably they bump from time to time. Ugh.

Now I'm no longer involved with Launchpad, but I have a pretty similar third instance of this requirement in debusine, and I'd really rather not perpetuate the same horribleness there. Is there any chance that these Ubuntu patches could be merged?

Thanks,

--
Colin Watson (he/him) [cjwat...@debian.org]