[linux] 01/02: linux-source: Fix up module signing configuration in included kernel config files

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sun Apr 24 22:53:19 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 35602a868b282db3c5ea4a338675ebec24a8b38c
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Apr 24 23:37:43 2016 +0200

    linux-source: Fix up module signing configuration in included kernel config files
    
    Our signing certificate isn't included in the source tarball and would
    be pointless to include in custom kernels.  Custom kernels also won't
    have a separate signing stage.  So remove our settings for
    CONFIG_MODULE_SIG_ALL, CONFIG_MODULE_SIG_KEY and
    CONFIG_SYSTEM_TRUSTED_KEYS.  This should cause custom kernels based on
    the included configs to follow the upstream default for signing, which
    is to use a new key pair for each build.
---
 debian/changelog  | 2 ++
 debian/rules.real | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 85dbd83..6d57ed1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -119,6 +119,8 @@ linux (4.5.2-1) UNRELEASED; urgency=medium
     SND_SOC_INTEL_SKL_RT286_MACH, SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH,
     SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH as modules
   * module: Invalidate signatures on force-loaded modules
+  * linux-source: Fix up module signing configuration in included kernel
+    config files
 
   [ Aurelien Jarno ]
   * [mips*] Emulate unaligned LDXC1 and SDXC1 instructions.
diff --git a/debian/rules.real b/debian/rules.real
index c9b44a2..b1b13b6 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -471,8 +471,10 @@ install-source: $(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).ta
 	dh_testroot
 	dh_installdirs /usr/src/linux-config-$(UPSTREAMVERSION)
 	dh_install '$^' /usr/src
+# Include our kernel config files, but with the module signing
+# configuration fixed to work for custom kernels.
 	for triplet in $(ALL_TRIPLETS); do \
-	  xz -c $(BUILD_DIR)/build_$$triplet/.config >debian/$(PACKAGE_NAME)/usr/src/linux-config-$(UPSTREAMVERSION)/config.$$triplet.xz; \
+	  sed '/CONFIG_\(MODULE_SIG_\(ALL\|KEY\)\|SYSTEM_TRUSTED_KEYS\)[ =]/d' $(BUILD_DIR)/build_$$triplet/.config | xz -c >debian/$(PACKAGE_NAME)/usr/src/linux-config-$(UPSTREAMVERSION)/config.$$triplet.xz; \
 	done
 # We don't want to recompress, but -Znone is not compatible with older
 # tools and is currently rejected by dak.  -Zgzip -z0 (uncompressed

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git



More information about the Kernel-svn-changes mailing list