Otherwise SecureBoot signatures may be stripped too.
We used to exclude shared libraries from this strip as they were
supposed to be covered by another brp script (brp-strip-shared), however
it turned out the latter was never really used, so we removed the
exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3.
As it turns out, that was a little too ambitious, since we may now
inadvertently strip SecureBoot signatures from kernel modules too,
provided that they're made during the build, prior to the invocation of
brp-strip.
Note that this regression currently does *not* affect the following two
cases on Fedora/RHEL systems with redhat-rpm-config installed:
- in-tree modules; these are built from kernel.spec which already
contains a hack ensuring that module signing only happens *after*
any stripping (see %__modsign_install_post in kernel.spec)
- out-of-tree modules built with debuginfo enabled; this is because
brp-strip is only called when %debug_package is set to %{nil}
Any other combinations may be affected, depending on the macros and
.spec files used, so let's fix this by effectively "reverting"
said
commit for .ko files only.
Fixes: rhbz#1967291
You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/1744
-- Commit Summary --
* Don't brp-strip .ko files
-- File Changes --
M scripts/brp-strip (2)
-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/1744.patch
https://github.com/rpm-software-management/rpm/pull/1744.diff
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1744
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
