pygoscelis: Bump to 6.13.6-T14s and place key out of build dir
Starting with 6.13.6-T14s, my kernel signing key will be placed outside the kernel build dir and thus not installed into the world-readable location `/usr/src/linux/certs`. It's configured by flags for portage in `/etc/portage/make.conf/MODULES_SIGN`:

```
MODULES_SIGN_CERT=".../signing_cert.pem"
MODULES_SIGN_HASH="sha3-512"
MODULES_SIGN_KEY=".../signing_key.pem"
```

generated using this script:

```
#!/bin/bash
set -uxo pipefail

__VERSION__="2025-03-09"

TODAY="$(date --utc +%Y-%m-%d)"
SIGN_KVER="6.13.y"

MY_PRIV_KEY_FILE="${TODAY}.signing_key.pem"
MY_PUB_CERT_FILE="${TODAY}.signing_cert.pem"

MY_OPENSSL_PARAMS=(
    req -new -sha512 -newkey rsa:4096
    # don't encrypt the file
    -noenc
    # validity: 1024 years, given in days
    -days 374016
    -x509
    -keyout "${MY_PRIV_KEY_FILE}"
    -out "${MY_PUB_CERT_FILE}"
    # adapt to usage
    # keep umlauts in mind, they seem to break here...
    -subj "/C=DE/ST=Baden-Wuerttemberg/L=Karlsruhe/O=/OU=/CN=kernel module signing key (${TODAY}, ${SIGN_KVER})/"
)

openssl "${MY_OPENSSL_PARAMS[@]}"
openssl x509 -noout -text -in "${MY_PUB_CERT_FILE}"
```

This change brings the benefit that I can use binpkgs on my machine, do not need to delete my keys from world-readable `/usr/src/linux` anymore, and can even think about distributing my kernel binary packages. One negative change is that I'll have to remember to roll over the keys myself from time to time.
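As an added example (not the commit's own script and not Gentoo tooling), a small Python audit of a kernel `.config` for the point made above: a relative `CONFIG_MODULE_SIG_KEY` lives inside the build tree and gets installed with the sources, while an absolute path should name a file that only root can read. The sample `.config` fragments are constructed from the two sides of this commit's diff; the function names, the `pkcs11:` short-cut and the permission check are my assumptions, not something the commit describes.

```python
import os
import re

# Minimal parser for a Linux .config: CONFIG_X=y, CONFIG_X="str", "# CONFIG_X is not set".
_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map CONFIG_NAME -> value; quoted strings are unquoted, unset options become 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SET.match(line):
            val = m.group(2)
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            opts[m.group(1)] = val
        elif m := _UNSET.match(line):
            opts[m.group(1)] = "n"
    return opts

def _mode_of(path):  # permission bits of the key file (stat only, never read), None if absent
    return os.stat(path).st_mode & 0o777 if os.path.exists(path) else None

def audit_module_signing(config_text, mode_of=_mode_of):
    """Return findings about where the module signing key lives and who can read it."""
    opts = parse_config(config_text)
    findings = []
    if opts.get("CONFIG_MODULE_SIG") != "y":
        return ["CONFIG_MODULE_SIG is off: module signatures are never checked"]
    if opts.get("CONFIG_MODULE_SIG_FORCE") != "y":
        findings.append("CONFIG_MODULE_SIG_FORCE is off: unsigned modules still load")
    key = opts.get("CONFIG_MODULE_SIG_KEY", "")
    if key.startswith("pkcs11:"):  # assumption: key held in a token, nothing on disk to check
        return findings
    if not os.path.isabs(key):  # "" or a relative path such as certs/signing_key.pem
        findings.append(f"CONFIG_MODULE_SIG_KEY={key!r} is inside the build tree, so it is "
                        "installed with the sources (e.g. under /usr/src/linux/certs)")
        return findings
    mode = mode_of(key)
    if mode is not None and mode & 0o077:
        findings.append(f"{key} is readable by group/others (mode {mode:04o})")
    return findings

# Constructed samples: the two sides of this commit's CONFIG_MODULE_SIG_KEY change.
CONFIG_BEFORE = 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_FORCE=y\nCONFIG_MODULE_SIG_KEY="certs/signing_key.pem"\n'
CONFIG_AFTER = CONFIG_BEFORE.replace("certs/signing_key.pem",
                                     "/var/tmp/portage/sys-kernel/gentoo-kernel-6.13.6/temp/kernel_key.pem")
```

Pass `mode_of` to check a key on another host from a captured `stat` value instead of the local filesystem.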
This commit is contained in:
parent ba47017a37
commit aaba9fffbd
@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 6.13.5 Kernel Configuration
# Linux/x86 6.13.6 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="x86_64-pc-linux-gnu-gcc (Gentoo Hardened 14.2.1_p20250301 p8) 14.2.1 20250301"
CONFIG_CC_IS_GCC=y
@ -6784,7 +6784,7 @@ CONFIG_PKCS7_MESSAGE_PARSER=y
#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY="/var/tmp/portage/sys-kernel/gentoo-kernel-6.13.6/temp/kernel_key.pem"
# CONFIG_MODULE_SIG_KEY_TYPE_RSA is not set
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
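Review bot: the new value `CONFIG_MODULE_SIG_KEY="/var/tmp/portage/sys-kernel/gentoo-kernel-6.13.6/temp/kernel_key.pem"` points into portage's per-build temp directory, which is gone after the merge, so this committed .config only reproduces inside that ebuild run; the path is evidently the ebuild's build-time copy of MODULES_SIGN_KEY, and a one-line note to that effect in the commit message would stop the next reader from looking for a key that no longer exists at that path. The unchanged context `CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y` also sits next to a script in the message that generates an `rsa:4096` key; that option only selects the type of key the kernel would generate for itself when no external key is supplied, so the RSA key is still used as configured, but it is worth stating that the setting is now inert rather than leaving an apparent mismatch.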