From: "Nowa Ammerlaan" <nowa@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Nowa Ammerlaan" <nowa@gentoo.org>
Message-ID: <1743153767.0ef4b71c4de1d7b9773d524d85b7eb97d3ccc883.nowa@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: eclass/
X-VCS-Repository: repo/gentoo
X-VCS-Files: eclass/kernel-build.eclass
X-VCS-Directories: eclass/
X-VCS-Committer: nowa
X-VCS-Committer-Name: Nowa Ammerlaan
X-VCS-Revision: 0ef4b71c4de1d7b9773d524d85b7eb97d3ccc883
X-VCS-Branch: master
Date: Fri, 28 Mar 2025 09:24:06 +0000 (UTC)

commit:     0ef4b71c4de1d7b9773d524d85b7eb97d3ccc883
Author:     Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 25 18:41:07 2025 +0000
Commit:     Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
CommitDate: Fri Mar 28 09:22:47 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ef4b71c

kernel-build.eclass: do not override MODULES_SIGN_KEY with temp key

The kernel build system expects the module signing key and
certificate in one file. In order to accommodate this we merge the
MODULES_SIGN_KEY and MODULES_SIGN_CERT into a temporary key in $T.

However, in doing so we override the MODULES_SIGN_KEY variable (but
not the MODULES_SIGN_CERT variable). This becomes a problem when
merging binpkgs because then the MODULES_SIGN_KEY variable points to
a temporary signing key that does not exist (whereas the untouched
MODULES_SIGN_CERT does exist). Usually this is not an issue except if
the MODULES_SIGN_KEY is to be used later in the binpkg merging process
such as is the case in, for example, the dkms installkernel hook.

Here we resolve this unfortunate situation by using a local variable
during the config merging process and not touching the original
MODULES_SIGN_KEY. Therefore, the MODULES_SIGN_KEY will now also
point us to an existing key if we are merging a binpkg of the kernel.

Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/41286
Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org>

 eclass/kernel-build.eclass | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 65433d9fc9c0..1d8c396b9590 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -741,18 +741,19 @@ kernel-build_merge_configs() {
 	fi
 
 	if [[ ${KERNEL_IUSE_MODULES_SIGN} ]] && use modules-sign; then
+		local modules_sign_key=${MODULES_SIGN_KEY}
 		if [[ -n ${MODULES_SIGN_KEY_CONTENTS} ]]; then
-			(umask 066 && touch "${T}/kernel_key.pem" || die)
-			echo "${MODULES_SIGN_KEY_CONTENTS}" > "${T}/kernel_key.pem" || die
+			modules_sign_key="${T}/kernel_key.pem"
+			(umask 066 && touch "${modules_sign_key}" || die)
+			echo "${MODULES_SIGN_KEY_CONTENTS}" > "${modules_sign_key}" || die
 			unset MODULES_SIGN_KEY_CONTENTS
-			export MODULES_SIGN_KEY="${T}/kernel_key.pem"
 		fi
-		if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then
-			echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
+		if [[ ${modules_sign_key} == pkcs11:* || -r ${modules_sign_key} ]]; then
+			echo "CONFIG_MODULE_SIG_KEY=\"${modules_sign_key}\"" \
 				>> "${WORKDIR}/modules-sign-key.config"
 			merge_configs+=( "${WORKDIR}/modules-sign-key.config" )
-		elif [[ -n ${MODULES_SIGN_KEY} ]]; then
-			die "MODULES_SIGN_KEY=${MODULES_SIGN_KEY} not found or not readable!"
+		elif [[ -n ${modules_sign_key} ]]; then
+			die "MODULES_SIGN_KEY=${modules_sign_key} not found or not readable!"
 		fi
 	fi
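
Review bot: In the MODULES_SIGN_KEY_CONTENTS branch, the path "${T}/kernel_key.pem" is now held only in the function-local modules_sign_key, while MODULES_SIGN_KEY_CONTENTS is still unset a few lines later. Once kernel-build_merge_configs returns, nothing else in the same build can locate the temporary key except by reading CONFIG_MODULE_SIG_KEY back out of modules-sign-key.config. Please confirm that no later step relied on the previously exported MODULES_SIGN_KEY, and add a short comment at the `local modules_sign_key=${MODULES_SIGN_KEY}` line explaining why the global is deliberately left untouched. Separately, the final die still labels its value as MODULES_SIGN_KEY but prints modules_sign_key, which may be the temporary path rather than what the user configured; naming the variable actually tested, or printing both, would make that failure easier to diagnose.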